[risks] Risks Digest 22.36

From: RISKS List Owner (riskoat_private)
Date: Thu Nov 07 2002 - 16:47:01 PST

  • Next message: RISKS List Owner: "[risks] Risks Digest 22.37"

    RISKS-LIST: Risks-Forum Digest  Thursday 7 November 2002  Volume 22 : Issue 36
    
       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
    
    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/22.36.html>
    and by anonymous ftp at ftp.sri.com, cd risks .
    
      Contents:
    CNN needs some fact-checkers on electronic-election article (Rebecca Mercuri)
    The 2002 general election (PGN)
    Dominant lottery vendor cracked (Conrad Heiney)
    Winning lottery tickets can be determined before purchase (Jeremy Epstein)
    Robot malpractice? (Paul Saffo)
    Computer problem caused fatal pipeline rupture (Paul Hirose)
    Opera confused about hemispheres (David Skillicorn)
    Set your clock to 1984 (Toby Gottfried)
    Scoping out the future (NewsScan)
    'British' spelling (Michael Bacon)
    NSF Trusted Computing Program (Carl E. Landwehr)
    REVIEW: "The Total CISSP Exam Prep Book", Peltier/Howard (Rob Slade)
    REVIEW: "Information Security", Donald L. Pipkin (Rob Slade)
    Abridged info on RISKS (comp.risks)
    
    ----------------------------------------------------------------------
    
    Date: Wed, 6 Nov 2002 08:59:29 -0500
    From: "Rebecca Mercuri" <notableat_private>
    Subject: CNN needs some fact-checkers on electronic-election article 
    
    The 5 Nov 2002 article "Electronic elections: What about security?"
    (www.cnn.com/2002/TECH/ptech/11/05/touch.screen/index.html) on CNN.com by
    Jeordan Legon contains a number of factual errors and misrepresentations. To
    CNN's credit, they did attempt to contact me for an interview on 11/4 for
    that article, but their tight deadline should be no excuse for not getting
    the facts straight.
    
    The article states: "the voting software and hardware has to pass strict
    security standards imposed by the Federal Election Commission and the
    National Association of State Election Directors."  This is untrue.  ALL
    voting systems newly deployed for the 2002 election were inspected to the
    OBSOLETE 1990 FEC recommendations.  Even these were only adopted by 2/3 of
    of the States.  The 2002 standards must be adopted prior to use and it is
    unclear when (or in some States if) this will happen.
    
    Mark Beckstrand, a Sequoia Voting Systems VP, was quoted in the CNN article
    as saying: "Show me somebody who has gotten into our software. We haven't
    lost or misplaced or ever been accused of not having 100 percent accuracy."
    Well, first of all, experts, such as myself, are prevented from looking at
    Sequoia's equipment because it is sold under restrictive trade-secret
    agreements making it a felony if a purchaser (such as a County Board of
    Elections) provides it for internal inspection, except under court order.
    For a court case in Palm Beach County, we have tried for months to obtain a
    Sequoia machine (for which we have numerous affidavits from voters
    indicating problems) in order to perform an internal inspection, and have
    even offered to purchase a machine from the County outright, but so far have
    been barred from doing so.  It makes it really hard to show if their product
    has been tampered with, if it's a felony to inspect it.
    
    In addition to our case in Boca Raton, where there was an 8% "undervote"
    (votes missing compared with number of voters who signed in at the
    election), there are other instances of problems involving Sequoia
    equipment.  Susan Bernicker videotaped numerous Sequoia machines used in a
    Louisiana election that showed different names on the confirmation screen
    than the candidate buttons that were pressed.  Over in New Jersey in 2000, a
    brand new Sequoia machine turned up zeros for some candidates in a local
    election.  Elsewhere in Palm Beach Co. in March 2002, Sequoia systems
    registered a 3% undervote in an election where only 2 candidates were
    running in only 1 race.  It was conjectured (by Election Supervisor Theresa
    LePore) that people came to the polls and deliberately did not vote for one
    of the candidates, but this seems rather unlikely.
    
    Sequoia seems to have a short memory when it comes to court cases and
    missing votes.  There might be a good reason for this.  According to the San
    Francisco Business Times (11/19/2001), their Southern Regional Sales
    Manager, Phil Foster, was indicted in Louisiana for "conspiracy to commit
    money laundering and malfeasance" involving kickbacks to Jerry Fowler, the
    Louisiana state commissioner of elections, now serving a prison term for his
    involvement in a decade-long kickback scheme with Sequoia. Foster sold
    machines in Lousiana and Florida, and testified as a technical expert
    against Bernicker in her Baton Rouge case.
    
    I hope CNN can be encouraged to run a correction or follow-up on their
    article.  The public needs to know the rest of this story.
    
    ------------------------------
    
    Date: Wed, 6 Nov 2002 9:38:58 PST
    From: "Peter G. Neumann" <neumannat_private>
    Subject: The 2002 general election
    
    In yesterday's voting, there were numerous irregularities, as usual --
    although perhaps fewer visible ones than had been anticipated.
    
    * Palm Beach and Broward in FL had reports of voters touching the screen for
    McBride and having the vote showing up for Bush.  The vendors and voting
    officials claim that that error was quickly "fixed".  Remember that "fix"
    has two meanings.  For example, check out the Matt Drudge report at
      http://www.drudgereport.com/
      http://www.drudgereport.com/vote1.htm
    
    * In Broward County, a programming error left out 34,000 votes, because the
    combination of early votes exceeded a preprogrammed maximum.  Also, 70,000
    absentee and Spanish-language ballots were missing from the reported
    turnout, although they were included in the vote totals.  These were later
    corrected.
    
    * In Houston, where the all-electronic voting machines have rotary dials
    instead of touch-screens, voters in five precincts had their attempts to
    vote a straight party ticket rejected.  (It happens to have been the
    Democratic ticket that was not accepted.)
    
    * In Georgia, newly using touch-screens, some voters reported their votes
    being recorded for other candidates.
    
    * In Pulaski County, Arkansas, half of the voters had not been assigned
    precincts after redistricting and were denied being able to vote despite
    having legitimate registration cards.
    
    * San Francisco failed to deliver enough ballots to several precincts, where
    voting continued until midnight.
    
    * In Nebraska, Charlie Matulka (a long-shot Democratic candidate) reports
    having been given a paper ballot already premarked for his Republican
    opponent.
    
    * In South Carolina, there were some reports of long waits in line.
    Elsewhere, people turned away from the polls in various places even with
    valid identification.  Also, reports of lever machines dropping votes.
    
    NOTE: Andrew Klossner sent in a correction on Andrew Morton's item in
    RISKS-22.35 on absentee voting in Oregon: the ballot he gets is just an
    unlabeled punch-card in which he has to punch out the chad for the desired
    holes.  (Same for me in Santa Clara County, California.  PGN)
    
    The general consensus among election officials and voters seems to be that
    the all-electronic machines are a great improvement, relatively easy to use,
    and inherently able to prevent overvotes.  The general consensus among
    knowledgeable computer security experts seems to be that almost all of the
    existing all-electronic systems could relatively easily be rigged by
    internal fraud in the software and external manipulation of the local
    polling-place configurations and could also be subject to undetected
    internal errors, because of an almost complete absence of meaningful audit
    trails and independent verification of the consistency of votes tabulated
    with votes cast.  Just because an all-electronic machine looks like it might
    be working, how do you *KNOW* it is doing the right thing?  From a RISKS
    perspective, a perceived potential lack of integrity is a serious obstacle
    to democracy.
    
    ------------------------------
    
    Date: Wed, 6 Nov 2002 10:45:47 -0800
    From: "Conrad Heiney" <conradat_private>
    Subject: Dominant lottery vendor cracked
    
    According to the *Wall Street Journal*, 6 Nov 2002, the world's dominant
    operator of national and state lotteries has warned of a possible compromise
    of its system for patching scratch-ticket winners.  The company referred to
    an "operational and technical issue" in which the bar code used on the
    ticket had been cracked. The article quotes an unnamed source who claims
    someone had "decoded the algorithm" for the bar codes.
    
    Setting aside the RISK of whichever algorithm they chose, and not knowing
    whether this was an inside job, it's interesting to contemplate what other
    technology based industries have become so thoroughly centralized that one
    crack can cause a worldwide mess like this.
    
    http://online.wsj.com/article/0,,SB1036548523995761668,00.html?mod=3Dhome_whats_news_us
    http://online.wsj.com/article/0,,SB1036548523995761668,00.html
      ?mod=3Dhome_whats_news_us
    
    Conrad Heiney <conradat_private>  http://fringehead.org
    
    ------------------------------
    
    Date: Wed, 6 Nov 2002 17:14:40 -0500
    From: "Jeremy Epstein" <jepsteinat_private>
    Subject: Winning lottery tickets can be determined before purchase
    
    According to http://money.cnn.com/2002/11/06/technology/gtech/index.htm,
    GTech (the largest lottery operator) has determined that the scratch-off
    lottery tickets can be determined before doing the scratch-off operation.
    "A corrupt ticket salesperson that knew the codes theoretically could pick
    out the winners on a sheet of tickets and cash them, selling only the losers
    to the general public."
    
    Sounds like the serial/code number isn't being encrypted or otherwise
    protected before being printed...
    
    ------------------------------
    
    Date: Wed, 06 Nov 2002 20:30:16 -0800
    From: Paul Saffo <psaffoat_private>
    Subject: Robot malpractice...
    
    http://www.sptimes.com/2002/10/30/TampaBay/Patient_dies_in_robot.shtml
    
    In an surgical operation to remove a cancerous kidney at St. Joseph's
    Hospital in St Petersburg, a three-armed da Vinci robot (made by Intuitive
    Surgical Inc.) was being controlled by an experienced doctor from a
    3-dimensional computer screen, 10 feet away.  The robot technology for
    cutting blood vessels is supposed to decrease bleeding, pain, and recovery
    time.  Unfortunately, the patient's aorta and another blood vessel were cut,
    and this went unnoticed for an hour and one-half.  Two days later, the
    patient died of complications.  The developer found no mechanical problems,
    and absolved the robot, which had been used successfully in 10 similar
    operations.  [Source: Patient dies in robot-aided surgery; Such robots are
    considered a major surgical breakthrough, but something went wrong, Graham
    Brink, *St. Petersburg Times*, 30 Oct 2002; PGN-ed]
    
      [Classical case.  The vendor absolves the technology, implicating the
      doctor.  Others blame the robot.  What about the doctor-machine interface?
      PGN]
    
    ------------------------------
    
    Date: Wed, 06 Nov 2002 06:43:40 GMT
    From: Paul Hirose <pshiroseat_private>
    Subject: Computer problem caused fatal pipeline rupture
    
    The NTSB (U.S. National Transportation Safety Board) has released its report
    on the pipeline accident at Bellingham, Washington, in June 1999. Three
    people were killed when a 16-inch pipeline ruptured and released about
    237,000 gallons of gasoline, which then ignited.
    
    One link in the chain of events leading to this accident was the pipeline
    company's SCADA (supervisory control and data acquisition) system. Just
    before the rupture, there was a pressure surge in the pipeline. This was a
    common occurrence, unrelated to the SCADA. But through rotten luck the surge
    hit right in the middle of an extreme slowdown in the SCADA computer. Since
    the SCADA controlled the pumps and valves along the pipeline, the control
    room operator was unable to relieve the pressure. Had the computer responded
    promptly to his commands, pressure probably would have remained within the
    pipeline's burst strength.
    
    A pair of DEC VAX computers (one active, one standby) ran the SCADA
    software. Investigators attempted to duplicate the system slowdown but were
    not successful. Nor were any flaws uncovered in the hardware or
    software. However, there were flaws in the company's computer procedures.
    
    1. All computer operators used the same login. The account had system
    administrator privileges, including unlimited authority to hog resources.
    
    2. Modifications to the SCADA historical database were performed on the same
    computer that was in control of the pipeline. Just before the SCADA became
    unresponsive, the system administrator had added some database records. That
    probably triggered the SCADA lockup, concludes the NTSB report.
    
    3. Although the system administrator monitored error logs to check the
    progress of his database work, and began to see errors 18 minutes before the
    rupture, he did not warn the pipeline control room or his
    supervisor. Instead, he left the computer room for about 15 minutes.
    
    4. Anyone with an account could log in to the SCADA through a dialup
    connection. However, the fact that the system troubles began shortly after
    the database modification, and stopped when the new records were deleted,
    suggested that an intruder was not to blame.
    
    In the wake of the accident, the pipeline company rectified these problems.
    
    Executive summary and complete accident report are on line:
    http://www.ntsb.gov/publictn/2002/PAR0202.htm
    
    ------------------------------
    
    Date: Thu, 07 Nov 2002 08:54:44 +1100
    From: David Skillicorn <skillat_private>
    Subject: Opera confused about hemispheres
    
    This morning (local time), the web browser Opera is serving Australians with
    banner ads intended for Austria.
    
    The relatively small difference in syllables has been the cause of much
    misdirected physical mail over the years (puzzling to the Austrians who
    spell their country completely differently). Now the small difference
    between .au and .at seems to be causing the same problems in the cyberworld.
    
    ------------------------------
    
    Date: Wed, 6 Nov 2002 11:17:32 -0800
    From: "Toby Gottfried" <tobyat_private>
    Subject: Set your clock to 1984
    
    Along the lines of the FBI-bugs-libraries reference in RISKS 22:35
    http://catless.ncl.ac.uk/Risks/22.35.html#subj3
    there is also this article about cooperation between ISPs and the prying
    eyes of government on e-mail.
    http://www.thenation.com/docprint.mhtml?i=20021111&s=mejia20021030
    
    Looks like Orwell should have called his book "2004".
    
    ------------------------------
    
    Date: Thu, 07 Nov 2002 09:26:47 -0700
    From: "NewsScan" <newsscanat_private>
    Subject: Scoping out the future
    
    Yale computer scientist David Gelernter is glad that the Microsoft trial is
    behind us, because "operating systems are lapsing into senile irrelevance,"
    and we need to move on to the future. And what will the future be all about?
    "Every piece of digital information you own or share will appear (in the
    near future) in one universal structure" -- one to which you'll have access
    from any Net-connected computer anywhere. "I have time for only one screen
    in my life," says Gelernter. "That screen had better give me access to
    everything, everywhere." The universal structure, dubbed Scopeware, will be
    a narrative, 3D stream of electronic documents flowing through time.  "The
    future (where you store your calendar, reminders, plans) flows into the
    present (where you keep material you're working on right now) and on into
    the past (where every e-mail message and draft, digital photo, application,
    virtual Rolodex card, video and audio clip and Web bookmark is stored, in
    addition to all those calendar notes and reminders that used to be part of
    the future and have since flowed into the past to be archived forever)."
    [*The New York Times*, 7 Nov 2002; NewsScan Daily, 7 November 2002]
      http://partners.nytimes.com/2002/11/07/technology/circuits/07soft.html
    
    ------------------------------
    
    Date: Wed, 6 Nov 2002 06:48:00 -0000
    From: "Michael \(Streaky\) Bacon" <streaky.baconat_private>
    Subject: 'British' spelling (in "Software leaves ...,  RISKS-22.35)
    
    PGN, The RISK here is that of assuming 'British' spelling exists -- it is
    the Oxford ENGLISH Dictionary for spelling and the Queen's ENGLISH for
    pronunciation. <GRIN>
    
    Simply put, Britain comprises the 'home countries' of England, Northern
    Ireland, Scotland and Wales.  There are other island territories immediately
    offshore that are part of Britain (eg. the Scilly Isles) and others that are
    part of the United Kingdom but not of Britain (e.g., the Channel Islands).
    
    There is no 'British' language per se -- the (recent -- i.e., immediately
    pre-AD) native majority tongues of Great Britain were basically Celtic,
    French and Latin (by today's definitions) -- English arose as a combination
    of these and other, imported, languages.  Today, basically, the native Welsh
    language is Celtic, the native Scots language is Celtic, the native Irish
    language is Celtic, and the native English language is English -- except for
    Cornwall (a county) where their native language is Celtic.  The individual
    country variation of the Celtic language is frequently spoken in Wales and
    in the Highlands of Scotland (and in Cornwall).
    
    I was raised in Jersey (the Channel Island, not the State).  This is part of
    the United Kingdom, but not the European Union (confusing isn't it?) where I
    grew up speaking 'Jersey patois' (a form of Norman French) and English.
    
    So. 'English spelling' - yes, 'British spelling' - no.
    With "tongue" slightly in cheek,  Michael (Streaky) Bacon
    
    ------------------------------
    
    Date: Tue, 5 Nov 2002 17:57:47 -0500
    From: "Landwehr, Carl E." <clandwehat_private>
    Subject: NSF Trusted Computing Program
    
    The next proposal deadline for NSF's continuing Trusted Computing program is
    Wednesday, December 4, 2002.  Links to the program announcement, as well as
    a summary description and list of the initial awards under NSF's Trusted
    Computing program can be found on NSF's web.  NSF has changed its Web
    infrastructure recently, so the direct URL for the Trusted Computing Program
    is a bit lengthy:
    
    http://www.cise.nsf.gov/div/ccr/fndg/display.cfm?pgm_pims_id=5158&pgm_supp_id=10091&loc=ccr&pub_id=5370
    
    http://www.cise.nsf.gov/div/ccr/fndg/display.cfm
      ?pgm_pims_id=5158&pgm_supp_id=10091&loc=ccr&pub_id=5370 [split]
    
    Alternatively you can visit:
    www.cise.nsf.gov
    and then select "funding opportunities" and then select "trusted computing".
    
    If you are in a position to conduct research in this area, I encourage you
    to consider submitting a proposal this year. NSF focuses on funding research
    at universities and not-for-profit organizations. I also hope you will
    consider helping me staff the review panels for the proposals that are
    submitted.  My warm thanks to all who proposed and who participated in the
    review process this past year.
    
    Carl Landwehr, Director, Trusted Computing Program  clandwehat_private
    National Science Foundation  1-703-292-8936  
    
    ------------------------------
    
    Date: Wed, 6 Nov 2002 04:34:19 -0800
    From: Rob Slade <rsladeat_private>
    Subject: REVIEW: "The Total CISSP Exam Prep Book", Peltier/Howard
    
    BKTCIEPB.RVW   20020823
    
    "The Total CISSP Exam Prep Book", Thomas R. Peltier/Patrick D. Howard,
    2002, 0-8493-1350-3, U$59.95
    %A   Thomas R. Peltier
    %A   Patrick D. Howard
    %C   920 Mercer Street, Windsor, ON   N9A 7C2
    %D   2002
    %G   0-8493-1350-3
    %I   Auerbach Publications
    %O   U$59.95 800-950-1216 auerbachat_private ordersat_private
    %P   287 p.
    %T   "The Total CISSP Exam Prep Book: Practice Questions, Answers, and
          Test Taking Tips and Techniques"
    
    Both the preface and the back cover copy stress the assertion that "until
    now, [CISSP (Certified Information Systems Security Professional)
    candidates] were not afforded the luxury of studying a single, easy-to-use
    manual."  Despite the reservations that I may have about the quality of
    their works, this statement must surely be a shock to Shon Harris
    (cf. BKCISPA1.RVW), Mandy Andress (cf.  BKCISPEC.RVW), S. Rao Vallabhaneni
    (cf. BKCISPET.RVW), and Ronald Krutz and Russell Vines (cf. BKCISPPG.RVW)
    and Carl Endorf (wait for it).  (Well, I suppose that, technically,
    Vallabhaneni's is *two* books ...)
    
    It would be difficult to say that you could use this volume for study,
    either.  It doesn't actually have any tutorial material, other than some
    advice on how to write the exam.  Some of the tips are outdated, and most of
    the rest of the content is rather generic, such as the suggestion to eat a
    hearty breakfast before you go.  (I'd suggest that you go easy on the
    recommendation to drink lots of coffee before you head off: some of the
    proctors can be pretty sticky about letting you go to the washroom.)
    
    What it does have is ten chapters (one for each of the CBK [Common Body of
    Knowledge] domains) of twenty five "exam" questions each.  That's twenty
    five questions for physical security (the smallest domain) and twenty five
    questions for telecommunications (the largest).  The questions in the
    chapters have explanations of which answers are right and which are wrong.
    Then there is a sample "exam," and then the same exam with the answers.
    
    Sample exams are highly sought after: it makes sense to know the type and
    style of questions that you may encounter on the exam.  There is only one
    problem: (ISC)^2 doesn't hand out sample exams.  In fact, they guard the
    exam questions rather closely.  The sample exams at cccure.org are a staple
    in CISSP study groups, and there is a commercial outfit that will sell you a
    set that they have made up.
    
    Essentially, of course, this is what Peltier et al. have done.  So, the
    question is, how close are the sample questions in this book to the real
    thing.
    
    The answer, unfortunately, is not very.  Different people worked on the
    questions for different chapters, so the level of success varies.  (Security
    management has possibilities, telecommunications is rather ghastly.)
    Ultimately, though, these questions are not representative of what you will
    find on an actual CISSP exam.  Those familiar with Bloom's Taxonomy of
    questions will know that you progress from simple questions of fact through
    synthesis of multiple facts through analysis based on synthesis to a level
    of judgment or critical thinking.  Most of the questions a candidate will
    encounter on the CISSP exam are at the analytical or critical levels.  Too
    many of the questions found in most sample exams are at the simple factual
    level.  The questions in this current work do move beyond the simplistic,
    but they tend to turn on specific wording in some very weak references,
    rather than the principles and concepts encountered in the CISSP exam
    itself.  (Appendix A is a bibliography used in the creation of the
    questions, and it is a decidedly poor one.)  Some questions and answers are
    flatly wrong (planting malicious software is definitely *not* a passive
    attack).  Others may have some point to their creation but get confused.
    One question states that a certain answer is not correct because the
    technology is not an encryption algorithm, but the "correct" answer isn't an
    algorithm either.
    
    This book may give you a very rough idea of the types of questions you may
    encounter, and the range of topics you may need to know.  If you rely on it
    to prepare you for the exam, however, you may be in for a rude shock.
    
    copyright Robert M. Slade, CISSP, 2002   BKTCIEPB.RVW   20020823
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
    
    ------------------------------
    
    Date: Thu, 7 Nov 2002 07:45:52 -0800
    From: Rob Slade <rsladeat_private>
    Subject: REVIEW: "Information Security", Donald L. Pipkin
    
    BKISPTGE.RVW   20020823
    
    "Information Security", Donald L. Pipkin, 2000, 0-13-017323-1,
    U$39.99/C$60.00
    %A   Donald L. Pipkin
    %C   One Lake St., Upper Saddle River, NJ   07458
    %D   2000
    %G   0-13-017323-1
    %I   Prentice Hall
    %O   U$39.99/C$60.00 +1-201-236-7139 fax: +1-201-236-7131
    %P   364 p.
    %T   "Information Security: Protecting the Global Enterprise"
    
    It takes quite a while to figure out what Pipkin is trying to do in this
    book.  Ultimately, there is coverage of some of the important basic concepts
    involved in information security.  However, the text as a whole is both
    confused and confusing.
    
    The prologue tells us that business is changing and chaotic, and that
    information is of prime importance.  The introduction takes a quick run
    through a few of the basic security concepts, with an emphasis on business
    continuity planning.
    
    Phase one of the book is entitled "Inspection," but the prologue lists some
    items of concern in risk analysis.  Chapter one, called "Resource
    Inventory," is concerned with data classification.  It touches on, but does
    not really discuss, the orthogonal nature of classification schemes when
    confidentiality, availability, and integrity must be considered.  The
    material is sparse, and, while there are some indications of forward
    references to later chapters, those chapters do not get down to practical
    details either.  Chapters two to six begin to examine the concepts of
    threats (concentrating, very poorly, on malicious software), loss analysis
    (many examples, little of substance), vulnerabilities, safeguards, and
    assessment.
    
    Phase two, on protection, seems to be trying to expand chapter five, but
    really just repeats prior material.  Concepts touched on include access,
    identification, authentication, authorization, and accountability.  Mixed in
    are the not-quite-related topics of availability, accuracy, confidentiality,
    and administration.
    
    Phase three looks at intrusion detection, with chapters on intrusion types,
    methods, process, and detection methods.  It isn't very useful.
    
    Phase four reviews incident response, but rather vaguely.
    
    Phase five concerns the post-mortem reflection.  The chapter on
    documentation has some useful material on the contents of after-action
    reports, but the rest of the content is unfocused and generic.
    
    It is not quite true to say that the book is unstructured: it has a
    structure, but either does not follow it, or does not usefully employ it.
    Those without a security background will find it hard to build a useful or
    working framework from the material in this book.  Those with such a
    background will eventually find that the parts of the book do fit neatly, if
    not logically, into the common framework.  However, those with such a
    background will have no need for this work.
    
    copyright Robert M. Slade, 2002   BKISPTGE.RVW   20020823
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
    
    ------------------------------
    
    Date: 29 Mar 2002 (LAST-MODIFIED)
    From: RISKS-requestat_private
    Subject: Abridged info on RISKS (comp.risks)
    
     The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
     if possible and convenient for you.  Alternatively, via majordomo,
     send e-mail requests to <risks-requestat_private> with one-line body
       subscribe [OR unsubscribe]
     which requires your ANSWERing confirmation to majordomoat_private .
     If Majordomo balks when you send your accept, please forward to risks.
     [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
     this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
     Lower-case only in address may get around a confirmation match glitch.
       INFO     [for unabridged version of RISKS information]
     There seems to be an occasional glitch in the confirmation process, in which
     case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
       .MIL users should contact <risks-requestat_private> (Dennis Rears).
       .UK users should contact <Lindsay.Marshallat_private>.
    => The INFO file (submissions, default disclaimers, archive sites,
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues.  *** All
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risksat_private with meaningful SUBJECT: line.
    => ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
       [volume-summary issues are in risks-*.00]
       [back volumes have their own subdirectories, e.g., "cd 21" for volume 21]
     http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
       Lindsay Marshall has also added to the Newcastle catless site a
       palmtop version of the most recent RISKS issue and a WAP version that
       works for many but not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing,
        http://www.csl.sri.com/illustrative.pdf or .ps for printing
    
    ------------------------------
    
    End of RISKS-FORUM Digest 22.36
    ************************
    



    This archive was generated by hypermail 2b30 : Thu Nov 07 2002 - 17:50:26 PST