[risks] Risks Digest 22.37

From: RISKS List Owner (riskoat_private)
Date: Sat Nov 09 2002 - 11:15:02 PST


    RISKS-LIST: Risks-Forum Digest  Saturday 9 November 2002  Volume 22 : Issue 37
    
       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
    
    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/22.37.html>
    and by anonymous ftp at ftp.sri.com, cd risks .
    
      Contents:
    Lynn Landes' analysis of the 2002 Elections (PGN)
    Quote on election integrity (Susan Marie Weber)
    Georgia election memory-card problem (Lillie Coney)
    Unsupervised biometric scanners more toys than serious security measures
     (c't via Markus Kuhn)
    U.S. Navy sites spring security leaks (Lillie Coney)
    Internet home banking unsafe (Erling Kristiansen)
    Driver killed in "computer-controlled" AirTrain (Daniel Norton)
    Man banned from driving after trusting in-car computer (Matthew Bloch)
    Small things add up (Bill Lamb)
    Re: 'British' spelling (Christopher Allen)
    Re: What if ... the pundits had nothing ... (Edward Reid)
    REVIEW: "Information Assurance", Joseph G. Boyce/Dan W. Jennings (Rob Slade)
    Abridged info on RISKS (comp.risks)
    
    ----------------------------------------------------------------------
    
    Date: Fri, 8 Nov 2002 11:30:35 PST
    From: "Peter G. Neumann" <neumannat_private>
    Subject: Lynn Landes' analysis of the 2002 Elections
    
      [This item is included in its entirety with the permission of the author.]
    
    2002 Elections: Republican Voting Machines, 
         Election Irregularities, and "Way-Off" Polling Results
    By Lynn Landes, 8 Nov 2002
    
    "The Republicans will never give up their voting machines," said a top
    Republican party official to Charlie Matulka, the Democratic candidate for
    the U.S. Senate seat in Nebraska. This statement was in response to
    Charlie's very public protest against the conflict-of-interest inherent in
    the candidacy of Senator Chuck Hagel (R-NE). Hagel has held top executive
    positions (and still has investments) in companies that owned the machines
    that counted the vote in Nebraska this election and last.
    
    Republicans dominate the voting machine business. So, I expected the
    Republicans to take back the Senate... amid reports of voting machine
    "irregularities" in several states and polling results that didn't come
    close to election outcomes.  And with billions of dollars at stake, who
    could resist the temptation to tweak results? It's duck soup.
    
    Dr. Rebecca Mercuri, the nation's leading expert in voting machine
    technology, says, "Any programmer can write code that displays one thing on
    a screen, records something else, and prints yet another result." But they
    do make mistakes as we know from the multitude of reports in this election
    and past ones. Dr. Mercuri's real fear is that one day the "irregularities"
    will go away, as programmers learn their clandestine craft all too well.
    
    Then how can we tell if the "fix was in?"  An examination of exit polling
    and pre-election polling versus election results could raise a few red
    flags.
    
    We can't use Voter News Service (VNS) this year. VNS is a top-secret private
    consortium owned by ABC News, The Associated Press, CBS News, CNN, Fox News,
    and NBC News that has "projected" election night winners since 1964. VNS
    collapsed camp on election day due to technical problems... they said. Or
    was it the glare of publicity since the 2000 presidential election that
    brought the charade to an end? Questions have been raised since its
    inception, that VNS was a cover for election day vote rigging or other
    shenanigans. And it was strange that when VNS management made its
    announcement on Tuesday, they didn't make a big deal over how the shutdown
    affected the 64,000 temporary employees they claim they hired for this
    election.
    
    Anyway, that leaves us with pre-election polling to ponder. An intensive
    effort to review and interpret that data is currently underway by Bev Harris
    and her staff at Talion.com.
    
    Meanwhile, I called John Zogby of the highly respected Zogby International.
    I asked him if over the years he had noticed increased variation between
    pre-election predictions and election results.  Zogby said that he didn't
    notice any big problems until this year. Things were very different this
    time.  "I blew Illinois. I blew Colorado (and Georgia). And never in my life
    did I get New Hampshire wrong...but I blew that too." Or did he?
    
    This year might instead be a repeat of the 2000 presidential election, when
    the polls accurately predicted the winner (Gore), but the voting system in
    Florida collapsed under the weight of voting machine failure, election day
    chicanery, and outright disenfranchisement of thousands of black voters by
    Republican state officials.
    
    And for those who believed that the new election reform law does anything to
    protect the security of your vote...think again. The federal standards to be
    developed and implemented as a result of the new law will be VOLUNTARY. What
    Congress really did was to throw $2.65 billion dollars at the states, so
    that they could lavish it on a handful of private companies that are
    controlled by ultra-conservative Republicans, foreigners, and felons.
    
    Let's take a moment to look back rather than forward. In the last several
    decades the rich have gotten richer and the poor poorer. This is not a
    formula for a conservative groundswell. Yet both conservative Democrats and
    right wing Republicans have long enjoyed success at the polls. While, most
    of Europe still uses paper ballots, voting machines have been in America
    since 1889. The use of computers in voting technology began around
    1964. Today, less than 2% of the American electorate use hand-counted paper
    ballots.
    
    The question is...have elections in America been rigged to slowly, but
    surely shift power to the right? In the secretive world of voting machine
    companies, anything is possible.
    
    The sad fact is that the legitimacy of government in the United States will
    remain in question as long as over 98% of the vote is tabulated by machines
    that can be easily rigged, impossible to audit, and owned by a handful of
    private companies. Until we get rid of those voting machines, democracy in
    America may be a distant memory.
    
    Lynn Landes is a freelance journalist specializing in environment and
    election issues on www.EcoTalk.org. Lynn's been a radio show host, a regular
    commentator for a BBC radio program, and news reporter for DUTV in
    Philadelphia, PA.
    
    Lynn Landes, 217 S. Jessup Street, Philadelphia, PA 19107
    (215) 629-3553 / (215) 629-1446 (FAX)  lynnlandesat_private
    
      [Lynn's writings often also run on alternative online media, such as
      www.CommonDreams.com.  She has a Web page for VotingSecurity at
      http://www.ecotalk.org/VotingSecurity.htm .  PGN]
    
    ------------------------------
    
    Date: Fri, 8 Nov 2002 23:13:36 -0800
    From: "SusanMarieWeber" <susanmarieweberat_private>
    Subject: Quote on election integrity
        
      The right to have the vote counted is infringed, and we have lost the
      integrity of our voting system, when the ease with which ballots can be
      manipulated is greater than the ease with which the manipulation can be
      detected.  (Kevin Craig, 2000) www.electionguardians.org
    
    [See: Broward vote total short by 104,000 in reporting glitch,
    Evan S. Benn and Elena Cabral, *Miami Herald*, 7 Nov 2002, for more on
    the Broward County bulleted item noted in RISKS-22.36.]
      http://www.miami.com/mld/miamiherald/news/politics/4461857.htm
    
    ------------------------------
    
    Date: Fri, 08 Nov 2002 10:22:35 -0500
    From: Lillie Coney <lillie.coneyat_private>
    Subject: Georgia election memory-card problem
    
    ELECTION 2002: 2,180 Fulton ballots found late,
    67 memory cards misplaced, but shouldn't change results,
    by Ty Tagami and Duane Stanford, *Atlanta Journal Constitution*, 8 Nov 2002
    
    Fulton County election officials said Thursday that memory cards from 67
    electronic voting machines had been misplaced, so ballots cast on those
    machines were left out of previously announced vote totals.  Fifty-six
    cards, containing 2,180 ballots, were located Thursday.  Eleven memory cards
    still were missing Thursday evening. If the cards could not be found, the
    votes would be retrieved from the voting machines, election officials said.
    [Bibb and Glynn Counties each had one card missing after the initial vote
    count, but the cards were located and counted the next day.][PGN-Excerpted]
    
    ------------------------------
    
    Date: Wed May 29, 2002  11:16:20 AM US/Pacific
    From: Markus Kuhn
    Subject: Unsupervised biometric scanners more toys than serious security measures
    
    An even more fatal blow to off-the-shelf *unsupervised* biometric
    identification products was given recently by three authors in an article in
    the well-respected German computer magazine c't:
    
      Lisa Thalheim, Jan Krissler, Peter-Michael Ziegler: Körperkontrolle --
      Biometrische Zugangssicherungen auf die Probe gestellt.  c't 11/2002,
      Heise Verlag, ISSN 0724-8679, p 114-, 17 May 2002.
    
    An online English translation is now available on
      http://heise.de/ct/english/02/11/114/
    
    The team tested:
    
     * six products involving capacitive fingerprint scanners
       (Biocentric Solutions, Cherry, Eutron, Siemens and Veridicom)
    
     * two optical (Cherry, Identix) fingerprint scanners
    
     * one thermal (IdentAlink FPS100U) fingerprint scanner (Atmel FCD4B14 sensor)
    
     * Authenticam by Panasonic
    
     * an iris scanner that is currently being marketed in the USA and is
       scheduled to enter the European market in the near future
    
     * FaceVACS-Logon, a technical solution for recognizing faces
       developed by the Dresdner Cognitec AG
    
    The authors "were able, aided by comparatively simple means, to outwit all
    the systems tested" and concluded that "the products in the versions made
    available to us were more of the nature of toys than of serious security
    measures" and that "business should not treat the security needs of its
    customers quite so thoughtlessly".
    
    It is worth stressing that none of the deception techniques used are really
    applicable in a *supervised* two-factor application, for example where a
    border control or social benefits officer watches someone using the finger
    or iris scanner in order to confirm the identity information stored in a
    presented smartcard. The relevance of these attacks to the discussion about
    the use of biometric features in a national identity infrastructure is
    unfortunately sometimes misrepresented. I am still convinced that both iris
    scanning and fingerprint recognition in a *supervised* scan can be made
    easily several orders of magnitude more reliable than human photo/face
    comparisons.
    
    What currently marketed sensors lack is a really robust detection technique
    for whether the detected signal comes from live human tissue, and this still
    looks very much like an open research problem. Parts of suitable solutions
    might be:
    
     * tests of various involuntary reactions that require significant effort to
       simulate, for example, is the iris pattern deforming correctly when the
       pupils contract because of illumination?
    
     * test whether the body part is functional, i.e. can the fingerprint be
       detected from a finger that is typing fluently on a keyboard or can the
       pupil inside the contracting iris read text at the same time?
    
     * is it possible to build low-cost spectrographic cameras/scanners that can
       distinguish materials and tissues by using hundreds instead of just three
       (red/green/blue) wavelength bands, etc.
    
    Markus G. Kuhn, Computer Laboratory, Univ. of Cambridge, UK  mkuhn at acm.org
    
    ------------------------------
    
    Date: Fri, 08 Nov 2002 11:48:24 -0500
    From: Lillie Coney <lillie.coneyat_private>
    Subject: U.S. Navy sites spring security leaks
    
    A French group known as Kitetoa discovered that files on several Navy Web
    sites and other sites running IBM's Lotus Domino software were easily
    accessible.  Exposed information included hundreds of trouble tickets since
    1989 for the Consolidated Automated Support System; a Naval Supply Systems
    Command site that enables Navy personnel to order commercial software and
    internally developed applications -- including records on who registered to
    use the system and their passwords.  The Navy apparently does not feel the
    information thus compromised was particularly sensitive, but has reportedly
    taken some systems off the Net and tightened security controls in others.
    [Source: Wired News, 6 Nov 2002; PGN-ed]
    
    Lillie Coney, Public Policy Coordinator, U.S. Ass'n for Computing Machinery
    Suite 510, 2120 L Street, NW, Washington, D.C. 20037  1-202-478-6124
    
    ------------------------------
    
    Date: Fri, 08 Nov 2002 22:13:48 +0100
    From: Erling Kristiansen <erling.kristiansenat_private>
    Subject: Internet home banking unsafe
    
    The 28 Oct 2002 edition of the programme "Netwerk" of the Dutch TV station
    NCRV ran an item on Internet home banking. The programme featured a person
    accessing his bank account via Internet, and another person with a laptop
    reading a clear-text transcript of the session.
    
    The programme was not very technical, but two hints were given that helped
    in finding out what was going on: The two persons "were colleagues" (in
    network terms: were on the same LAN), and the scenario was described as a
    "man in the middle" attack.  I know from my own experience that the Dutch home
    banking system uses a secure web session. A challenge-response
    authentication device ("token" or e.dentifier) is used to authenticate the
    user, but this is not relevant to this discussion.
    
    Poking around a bit, I found several references to a vulnerability in
    Internet Explorer 5.0, 5.5 and 6.0. A good explanation can be found at
    http://www.thoughtcrime.org/ie-ssl-chain.txt
    
    I am not an expert in SSL and PKI and such matters. But, in brief, as I
    understand it, a certification authority can delegate its authority to
    somebody else. This is designed to be safe, provided, of course, it is
    implemented properly. IE skips one step in its implementation of the
    procedure, essentially allowing somebody who can gain access to the data
    stream (e.g. by being on the same LAN or having access to a router somewhere
    along the path) to delegate the certification authority to himself. This, in
    turn, gives the man-in-the-middle access to the data.  I am sure this
    description is not precise, but I hope it catches the essence of the attack.
    Otherwise, please read the referenced article.
    
    I had an e-mail conversation with somebody from the TV programme, who
    confirmed that "indeed, it is a problem in IE". They did not say this in the
    programme because "the problem is the responsibility of the banks, not
    Microsoft". Apparently, their aim was to expose the banks.
    
    A few thoughts:
    
    It would seem that the problem affects not only home banking but any
    application using a secure web session.
    The exploit also highlights that security depends not only on good
    design, but also on proper implementation. You have to trust the
    software vendor. Do you??
    
    SPECULATION MODE ON
    Why is Microsoft reluctant to fix this bug that is present in 3
    consecutive versions of IE? In view of the nature of it, it cannot be
    that difficult to fix.
    Could it be that they do not want to fix it? Either because they want to
    exploit it themselves, or because somebody twisted their arm to provide
    a back door.
    SPECULATION MODE OFF
    
    It is, actually, a very well hidden back door that is not easily
    discovered unless you have access to the source code, or you know what
    you are looking for. I wonder how it was discovered.
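
The "skipped step" described above is the check that whoever signed a certificate is actually authorised to issue certificates (the basicConstraints CA flag). The following model, an added example and not code from the post or from the referenced write-up, walks a chain the way a validator must, with that check switchable so the difference is visible; certificates are plain dataclasses and signatures are modelled as an issuer-key lookup (no real cryptography), and every name and key identifier in it is constructed.

```python
# Model of X.509 chain validation with and without the basicConstraints check.
# Constructed example: Cert objects stand in for certificates, and a signature
# is modelled as "made under key K" checked against the issuer's key_id, so the
# path-validation logic is isolated from the cryptography.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str        # subject name (for a server cert: its hostname)
    issuer: str         # subject name of the certificate that signed this one
    is_ca: bool         # basicConstraints: may this entity issue certificates?
    key_id: str         # identifier of this certificate's own public key (model)
    signer_key_id: str  # identifier of the key that produced the signature (model)


def signature_verifies(cert: Cert, issuer: Cert) -> bool:
    """Model of signature verification: the issuer name must chain and the
    signature must have been produced by the issuer's key."""
    return cert.issuer == issuer.subject and cert.signer_key_id == issuer.key_id


def validate_chain(chain: List[Cert], trust_anchors: List[Cert], hostname: str,
                   enforce_ca_flag: bool = True) -> Tuple[bool, str]:
    """Validate chain[0] (the server's leaf) up to a trust anchor.

    chain[i] must be signed by chain[i+1]; chain[-1] must be signed by a trust
    anchor. With enforce_ca_flag=False the validator behaves like the browser
    versions discussed in the post: it never asks whether the signer of an
    intermediate step is authorised to act as a CA.
    """
    if not chain:
        return False, "empty chain"
    leaf = chain[0]
    if leaf.subject != hostname:
        return False, f"leaf subject {leaf.subject!r} does not match {hostname!r}"
    for depth, cert in enumerate(chain):
        if depth + 1 < len(chain):
            issuer = chain[depth + 1]
        else:
            anchors = [a for a in trust_anchors if a.subject == cert.issuer]
            if not anchors:
                return False, f"issuer {cert.issuer!r} is not a trust anchor"
            issuer = anchors[0]
        if not signature_verifies(cert, issuer):
            return False, f"signature on {cert.subject!r} does not verify"
        # The decisive check: whoever signed this certificate must be a CA.
        if enforce_ca_flag and not issuer.is_ca:
            return False, (f"{issuer.subject!r} signed {cert.subject!r} "
                           "but lacks basicConstraints CA:TRUE")
    return True, "chain valid"


# Constructed test data: a root, the bank's real server cert, an ordinary
# server cert for an unrelated site, and a bogus bank cert "issued" under
# that unrelated site's end-entity key.
ROOT = Cert("Example Root CA", "Example Root CA", True, "k-root", "k-root")
BANK = Cert("bank.example", "Example Root CA", False, "k-bank", "k-root")
OTHER_SITE = Cert("other-site.example", "Example Root CA", False, "k-other", "k-root")
BOGUS_BANK = Cert("bank.example", "other-site.example", False, "k-bogus", "k-other")
TRUST_ANCHORS = [ROOT]


def legitimate_result(enforce_ca_flag: bool = True) -> Tuple[bool, str]:
    """The bank's genuine one-certificate chain."""
    return validate_chain([BANK], TRUST_ANCHORS, "bank.example", enforce_ca_flag)


def bogus_result(enforce_ca_flag: bool = True) -> Tuple[bool, str]:
    """A bank cert chained through a non-CA end-entity certificate."""
    return validate_chain([BOGUS_BANK, OTHER_SITE], TRUST_ANCHORS,
                          "bank.example", enforce_ca_flag)


if __name__ == "__main__":
    print("genuine chain, CA check on :", legitimate_result())
    print("bogus chain,   CA check on :", bogus_result())
    print("bogus chain,   CA check off:", bogus_result(enforce_ca_flag=False))
```

With the CA check disabled the bogus chain is accepted purely because every signature and every issuer name lines up, which is exactly why a validator that stops there cannot tell a delegated authority from an ordinary server certificate.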
    
    ------------------------------
    
    Date: Fri, 8 Nov 2002 11:22:40 -0500
    From: "Daniel Norton" <Danielat_private>
    Subject: Driver killed in "computer-controlled" AirTrain
    
    I wrote last year (RISKS-21.82) about my concerns of a computer-controlled
    train (the JFK AirTrain) being installed that would carry hundreds of
    passengers at speeds of over 60 miles per hour (95 kmh).
    
    A test run of the system on 27 Sep 2002 was under manual control with
    automatic speed regulators deliberately disabled.  The train was traveling
    about 55 miles per hour (90 kmh) when it approached a downhill curve, jumped
    the track, knocked away 150 feet (45m) of a concrete wall, and tore a gash
    in the front of the train.  Tons of concrete in the train -- used as ballast
    to simulate passengers -- slid along the floor and crushed the driver to
    death.
    
    As several pointed out in follow-ups to my post last year, the greater RISKS
    of train systems are human errors, and this recent tragedy seems to support
    that position.
    
      [Of course, in the JFK train test, the driver was posthumously blamed for
      going too fast.  Perhaps that was the speed they had asked him to reach, as
      part of the test?  And who is to blame for not realizing that the ballast
      should have been anchored down?  So, that's what testing is for?  A
      substitute for thoughtful design and operation?  PGN]
    
    ------------------------------
    
    Date: Sat, 9 Nov 2002 16:59:39 +0000
    From: Matthew Bloch <matthewat_private>
    Subject: Man banned from driving after trusting in-car computer
    
    A man was banned from driving for 6 months and fined £300 + £45 costs after
    being caught doing 92mph down the A64 in England.  "This will now mean
    commuter belt train travel for my client.  The ban will cause all sorts of
    problems for him at work", said his lawyer.  The reason he gave for speeding
    was that he was late for a business meeting in York, a large city in the
    North-East, which was caused by a navigation error.  After typing "York"
    into his in-car computer, it dutifully guided him to York, a small village
    on the opposite side of the country, North-West of Manchester.  The man
    claimed to be "very nervous" when he approached Manchester but trusted the
    navigation system when it claimed he was "10 miles from York".  "When he was
    driving down the M6 he began to have doubts that it was the right way", said
    his lawyer, "But he thought 'it must be right, it's a computer'".  [Source:
    *York Evening Press*, 9 Nov 2002]
    
    Or maybe he should read comp.risks more often.  Or a map of England :-)
    
    Matthew Bloch  Bytemark Computer Consulting Limited  +44 (0) 8707 455026
    http://www.bytemark.co.uk/
    
      [If the man had ever eaten Yorkshire Pudding not knowing where to find a
      York shire, he may have been pudding it mildly.  Terrier Hair Out! 
      (The last sentence is a memory test for long-time readers who were reading
      RISKS in May 1990.)  PGN]
    
    ------------------------------
    
    Date: Thu, 07 Nov 2002 23:31:49 -0600
    From: Bill Lamb <blamb@cox-internet.com>
    Subject: Small things add up
    
    My favorite risks are those little things in life that often seem silly
    simply because they are - no matter how cool and modern they appear.
    
    I visit a nearby convenience store daily. Over the past few years I have
    watched as the owners (a small regional chain) converted its cash register
    to a system that controlled the gas pumps, too.  It was a common practice
    and one that makes sense, I suppose.  Later, I watched as a new computerized
    register system was installed, one with so many buttons, bells and whistles
    that the store's constantly rotating staff found the system
    difficult-to-impossible to learn.  Still later, a new check system was
    added.  One writes a check, signs it, hands it to the clerk who then runs it
    through a machine and hands it back to you. I'm sure there is some very
    logical reason for this apparent silliness.  (I mean, why write a check if
    they're just going to give it back to you? I've watched countless people
    ask, "What do I do with it now?")  The latest change involved adding a
    credit/debit card unit to the computerized register system.  On the whole,
    you'd think all of this was pretty nifty. But not really.
    
    As I have watched all of this advancement taking place at the store, I have
    also noticed the lines and waits grow longer and longer.  For all the
    technology they've bought into, the time it takes to service a sale has gone
    up tremendously.
    
    Ever try finding and swiping the bar code of a Sunday newspaper on a crowded
    counter top? It can be a pain, so much so that the clerks now clip and keep
    one bar code and swipe the little slip of paper over the reader to avoid the
    hassle.
    
    Credit cards? Wait for clearance, then wait for the ticket to print out,
    then sign it and get your copy. (Why are those small printers so slow?)
    
    Checks? The same: clearance is slower by far than simply putting the check
    into the cash drawer like they used to.
    
    It's bad enough when all the systems work, but when one component fails for
    whatever reason, the poor clerks, who know nothing about the system, are
    left to try and try again as the rest of us grow impatient in line.
    
    Then today, the ultimate: the entire system died.  Nothing worked. At all.
    People were leaving left and right, but I braved the counter and told the
    clerk what I wanted.
    
    "Uh ... you have the exact change?" she asked.
    
    Digging in my pocket, I said, "How much is it?"
    
    You guessed it. She didn't know because few of the store's items are priced
    in English, only via the bar code. And only the computer knew those prices.
    And it wasn't working.
    
    Another example of humans outsmarting themselves.
    
      [Ah, yes.  We had a big storm.  Huge power outages, one still going 
      after 24 hours on Friday evening.  I just got back from dinner where
      the restaurant and a large surrounding area lost power; we were the last
      folks served from gas burners before the kitchen shut down because of no
      fans.  PGN]
    
    ------------------------------
    
    Date: Friday, November 08, 2002 4:39 PM
    From: "Christopher Allen" <cpcallenat_private>
    Subject: Re: 'British' spelling (RISKS-22.36)
    
     In comp.risks, Michael (Streaky) Bacon wrote:
    
    > I was raised in Jersey (the Channel Island, not the State).  This is part of
    > the United Kingdom, but not the European Union (confusing isn't it?)...
    
    I think you may be mistaken, and in any case it's actually a bit worse than
    that: Guernsey and Jersey are *not* part of the United Kingdom but are
    dependencies of the Crown and so are, as I understand it, consequently
    considered to be part of Great Britain.  This puts them in a situation
    opposite that of Northern Ireland, which is part of the UK but not Great
    Britain.
    
    Furthermore, while it's true that the Channel Islands are not part of
    the EU, my partner - like many Channel Islanders - has an EU passport
    nonetheless, because of English ancestry.
    
    Risks?  Assuming that jurisdictions are necessarily concentric...  or that
    "The United Kingdom of Great Britain and Northern Ireland" actually includes
    all of Great Britain.
    
    See also: http://www.fotw.ca/flags/gb-dep.html
    
    Christopher Allen, Studio 10, 319 Archway Rd. London N6 5AA U.K.
    cpcallen-usenetat_private  http://ruah.dyndns.org/~cpcallen/
    
      [PGN adds Michael Bacon's response:
        "Mea culpa - I intended to type 'British Isles', it just came out as
        'United Kingdom' - sorry.  
        It seems that I suffered an even more severe bout of 'finger trouble',
        as I also intended to type 'Gaelic' but it came out as 'Celtic'."]  
    
    ------------------------------
    
    Date: Fri, 8 Nov 2002 15:13:04 -0500
    From: Edward Reid <edwardreidat_private>
    Subject: Re: What if ... the pundits had nothing ... (RISKS 22.35)
    
    > Modern elections have [...] become opportunities for political analysts to
    > show off by projecting the results before the votes are counted
    
    Of course, much of this prediction is done by projecting from a few reported
    precincts. Pockets of sanity still exist, however. This from the Gadsden
    County Times, Quincy FL, 7 Nov 2002, p1:
    
      Shirley Knight, supervisor of elections [of Gadsden County],
      took much of the suspense out of the night, when she opted
      to wait until all of the votes were tabulated to release them,
      instead of releasing them as the precincts were counted.
    
      "I wanted to keep down any confusion," she said.
    
    ------------------------------
    
    Date: Fri, 8 Nov 2002 08:02:44 -0800
    From: Rob Slade <rsladeat_private>
    Subject: REVIEW: "Information Assurance", Joseph G. Boyce/Dan W. Jennings
    
    BKIAMOIS.RVW   20021012
    
    "Information Assurance", Joseph G. Boyce/Dan W. Jennings, 2002,
    0-7506-7327-3, U$44.99
    %A   Joseph G. Boyce
    %A   Dan W. Jennings
    %C   2000 Corporate Blvd. NW, Boca Raton, FL   33431
    %D   2002
    %G   0-7506-7327-3
    %I   Butterworth-Heinemann/CRC Press/Digital Press
    %O   U$44.99 800-272-7737 http://www.bh.com/bh/ dp-catalogat_private
    %P   261 p.
    %T   "Information Assurance: Managing Organizational IT Security
          Risks"
    
    The preface states that this book is distinct because 1) it covers concepts
    and principles (although how this could be a distinctive is somewhat lost on
    me: many of the chapters relate directly to six of the ten CBK [Common Body
    of Knowledge] domains), 2) it promotes a defence in depth strategy (hardly
    unusual in general security works), 3) it attempts to counter the perception
    of an antagonism between security and operations (fairly conventional), and
    4) it points out resources for added information (and how is that unique?)
    
    Part one covers the foundational concepts of an organizational IA
    (Information Assurance) program.  Chapter one defines IA in a way that makes
    it basically the same as any kind of information systems security, and
    offers vague thoughts on the importance of information.  There is a brief
    review of some basic security concepts (as well as some that are not quite
    central) in chapter two.  Defence in depth is also defined at this point:
    rather idiosyncratically, it is specified to be in opposition to "security
    by obscurity" and perimeter defence.
    
    Part two is supposed to look at determining the organization's current IA
    posture.  Chapter three purports to help ascertain an IA baseline, but is
    really just a list of possible security technologies.  Determining security
    priorities, in chapter four, talks about data and resource classification,
    but much of it is vague philosophy, rather than practical advice.  While
    summarized in tables rather than text, chapter five's material on IA posture
    is just plain, old risk analysis.
    
    Part three is presumed to help establish a defence in depth strategy.  There
    is a basic introduction to policies in chapter six.  IA management, in
    chapter seven, is primarily more suited to system administration.  Chapter
    eight's look at IA architecture covers subjects and objects, but has no
    security models.  The text does review threats and various security
    technologies, and, very strangely, assumes that the OSI (Open Systems
    Interconnection) network model can be used as a security structure.
    Operational security administration, in chapter nine, recycles random
    concepts that have been presented earlier.  Configuration management is held
    to be software change control, and chapter nine also concentrates on
    "emergency" changes.  Chapter eleven's review of the system development life
    cycle is terse.  Chapter twelve, on contingency planning, is extremely
    terse, and suggests that you have a backup, UPS (Uninterruptible Power
    Supply) and a disaster recovery plan.  The material on training, in chapter
    thirteen, is both generic and short.  Policy compliance oversight is limited
    to intrusion detection systems, audit logs, and virus scanning, in chapter
    fourteen.  Chapter fifteen's look at incident response is basic and brief.
    Finally, chapter sixteen examines IA reporting--and suggests that you have a
    structure for it.
    
    This work is yet another attempt at a generic security guide.  It has no
    distinctives.  In fact, there are simple security guides for home users that
    do a better job of explaining the structure, process, and technologies.
    
    copyright Robert M. Slade, 2002   BKIAMOIS.RVW   20021012
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    
    ------------------------------
    
    Date: 29 Mar 2002 (LAST-MODIFIED)
    From: RISKS-requestat_private
    Subject: Abridged info on RISKS (comp.risks)
    
     The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
     if possible and convenient for you.  Alternatively, via majordomo,
     send e-mail requests to <risks-requestat_private> with one-line body
       subscribe [OR unsubscribe]
     which requires your ANSWERing confirmation to majordomoat_private .
     If Majordomo balks when you send your accept, please forward to risks.
     [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
     this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
     Lower-case only in address may get around a confirmation match glitch.
       INFO     [for unabridged version of RISKS information]
     There seems to be an occasional glitch in the confirmation process, in which
     case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
       .MIL users should contact <risks-requestat_private> (Dennis Rears).
       .UK users should contact <Lindsay.Marshallat_private>.
    => The INFO file (submissions, default disclaimers, archive sites,
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues.  *** All
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risksat_private with meaningful SUBJECT: line.
    => ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
       [volume-summary issues are in risks-*.00]
       [back volumes have their own subdirectories, e.g., "cd 21" for volume 21]
     http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
       Lindsay Marshall has also added to the Newcastle catless site a
       palmtop version of the most recent RISKS issue and a WAP version that
       works for many but not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing,
        http://www.csl.sri.com/illustrative.pdf or .ps for printing
    
    ------------------------------
    
    End of RISKS-FORUM Digest 22.37
    ************************
    



    This archive was generated by hypermail 2b30 : Sat Nov 09 2002 - 12:10:10 PST