[risks] Risks Digest 22.43

From: RISKS List Owner (riskoat_private)
Date: Mon Dec 16 2002 - 20:31:57 PST

    RISKS-LIST: Risks-Forum Digest  Monday 16 December 2002  Volume 22 : Issue 43
    
       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
    
    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/22.43.html>
    and by anonymous ftp at ftp.sri.com, cd risks .
    
      Contents:
    Bad circuit crashed $150 million jet at Woomera (George Michaelson)
    Senate closes accidental anonymizer (Dave Stringer-Calvert)
    More on identity thieves strike eBay, whose policies make it worse (Elana)
    Australian ruling is raising worries (Monty Solomon)
    Moore's Law hits a leak (NewsScan)
    Paypal scam? (Dawn Cohen)
    Internet spam mogul can't take what he dishes out (Purkasz)
    Tower reports customer information "leak" (B Crook)
    Perils in switching to Yahoo (David Lazarus via Monty Solomon)
    Community security education contacts (Rob Slade)
    U.S. Army Research Office Calls For Odortype Detection Proposals (PGN)
    Re: Anti-worm "throttling" (Jeremy Epstein)
    The risks of RISKS (Donald A. Norman)
    REVIEW: "The Art of Deception", Kevin D. Mitnick/William L. Simon (Rob Slade)
    REVIEW: "Secured Computing", Carl F. Endorf (Rob Slade)
    Abridged info on RISKS (comp.risks)
    
    ----------------------------------------------------------------------
    
    Date: Thu, 12 Dec 2002 09:39:15 +1000 (EST)
    From: George Michaelson <ggmat_private>
    Subject: Bad circuit crashed $150 million jet at Woomera
    
    A computer glitch has been blamed for July's disastrous launch of a Japanese
    supersonic jet model at South Australia's Woomera rocket range.  Japan's
    National Aerospace Laboratory says a design change caused the $150 million
    scale model's computer system to short-circuit.  Flight director Kimio
    Sakata says the autopilot then reset itself and caused the jet and rocket
    booster to separate during take-off.
       http://www.abc.net.au/news/justin/nat/newsnat-12dec2002-22.htm
    
      [Hmm, sounds like bad design *processes* as much as a computer glitch...]
    
    ------------------------------
    
    Date: Wed, 11 Dec 2002 15:39:27 -0800
    From: Dave Stringer-Calvert <dave_scat_private>
    Subject: Senate closes accidental anonymizer
    
    Never let it be said that the United States Senate has done nothing for
    Internet privacy.  Network administrators for the U.S. government site
    www.senate.gov shut down an open proxy server over the weekend that for
    months had turned the site into a free Web anonymizer that could have
    allowed savvy surfers to launder their Internet connections so that efforts
    to trace them would lead to Capitol Hill.  A proxy server is normally a
    dedicated machine that sits between a private network and the outside world,
    passing internal users' Web requests out to the Internet.
      http://online.securityfocus.com/news/1780
    
    ------------------------------
    
    Date: 13 Dec 2002 06:05:23 -0800
    From: falcospavat_private (Elana Who?)
    Subject: Identity thieves strike eBay, whose policies make it worse
    
    We recently had an article in comp.risks titled "Identity thieves strike
    eBay".  Below, author Spider Robinson reports how he was victimized, plus
    details on the not-very-good way that eBay handled it, all which made the
    situation worse.  Mr. Robinson has been robbed by almost a thousand dollars
    because of it.
    
    http://www.theglobeandmail.com/servlet/ArticleNews/PEstory/TGAM/20021211/COSPIDER/Columnists/columnists/columnistsNational_temp/1/1/6/
    
    ------------------------------
    
    Date: Mon, 16 Dec 2002 09:01:00 -0500
    From: Monty Solomon <montyat_private>
    Subject: Australian ruling is raising worries
    
    A number of concerned First Amendment advocates say a landmark libel
    decision by the Australian High Court may have the effect of erecting a
    fence on the borderless information frontier opened up by Internet
    technology.  The 10 Dec 2002 ruling concluded that an Australian
    businessman, Joseph Gutnick, could sue Dow Jones for defamation in Australia
    based on a Barron's magazine story that emanated from the company's computer
    servers in New Jersey. Although, as attorney Harvey Silverglate explains,
    defamation cases have traditionally been brought ''in the jurisdiction where
    the speech is uttered or published or where you targeted it,'' the ruling
    effectively expanded that jurisdiction in the online world to where a story
    can be downloaded.  The case involves a ''United States media publication
    which is really focused on United States markets and United States
    investors'' and ''a journalist who operated completely out of the United
    States,'' says Stuart Karle, a Dow Jones associate general counsel. ''This
    dramatically changes how you can communicate within this country.''
    [Source: Mark Jurkowitz, *The Boston Globe*, 16 Dec 2002]
    http://www.boston.com/dailyglobe2/350/business/Australian_ruling_is_raising_worries+.shtml
    
      [All sorts of implications.  PGN]
    
    ------------------------------
    
    Date: Thu, 12 Dec 2002 09:20:13 -0700
    From: "NewsScan" <newsscanat_private>
    Subject: Moore's Law hits a leak
    
    Intel chairman Andy Grove warned participants at the International Electron
    Devices Meeting this week that electrical current leakage from inactive
    processors poses a major challenge to the continued viability of Moore's Law
    (which predicts the doubling of transistor densities every couple of
    years). "Current is becoming a major factor and a limiter on how complex we
    can build chips," said Grove, who added that his company's engineers "just
    can't get rid of power leakage." As chips become more powerful, leakage
    rates increase, and while the industry is accustomed to low-level leakage
    rates, high-end chips made up of a billion transistors may leak between 60
    and 70 Watts of power, causing problems with cooling. Grove also warned that
    the trend of migrating chip manufacturing to Asian plants could shift the
    balance of power eastward. "It is easy to project that the independence
    becomes more one-sided, with an adverse impact on our educational system
    because so much of the university funding comes from industry. There is a
    spiral there in the wrong direction."  [Computerwire/The Inquirer 11 Dec
    2002; NewsScan Daily, 12 Dec 2002]
      http://www.theinquirer.net/?article=6677
    
    Copyright 2002. NewsScan Daily (R) is a publication of NewsScan.com Inc.
    Reproduced in RISKS with permission.
    
    ------------------------------
    
    Date: Fri, 13 Dec 2002 17:13:31 -0500
    From: "Dawn Cohen" <COHENDat_private>
    Subject: Paypal scam?
    
    I received an e-mail with the subject:
      "Paypal Alert: Please Update your current Billing Information"
    
    In that I don't have a paypal account, I was a little curious, and decided
    to investigate.  When I looked at the message, I saw what appears to be a
    scam:
    
      "Unfortunately today we have had some trouble with one of our computer
      systems. While the trouble appears to be minor, we are not taking the
      necessary precautions. We have decided to take the affected system offline
      and replace it with a new system. Unfortunately this has caused us to lose
      member data and information. Please follow the link=link below and log
      into your account to re-enter your information to be assured none of your
      prior information has been lost. Please Note: Account balances have not
      been affected."
    
    Then there is a link "Click Here To Begin the Account Process", with a link
    that goes (upon examination of the source HTML) to an IP address at some
    Autobahn Access Corporation.
    
    The message was very cleverly constructed, to use Paypal images (based on 
    their own urls)
      <A href=3D"https://www.paypal.com/" target=3D_blank><IMG height=3D35 
      alt=3DPayPal src=3D"http://www.paypal.com/images/email_logo.gif" width=3D25
      5 border=3D0></A>
    And it had a reply-to address of customerserviceat_private
    (They were careful to say in the message, though, "Please do not reply to 
    this e-mail.  Mail sent to this address cannot be answered.")
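    One way to spot the construction Dawn describes (brand images and text wrapped around a link that leads to an unrelated host) is to decode the quoted-printable source and check every anchor's destination against the brand the message claims. This is an added example, not code from the original report; the sample message is constructed to mimic the quoted snippet, and the documentation address 192.0.2.10 stands in for the real destination, which the report does not give.

```python
"""Flag links in a quoted-printable HTML e-mail that lead away from the brand it claims."""
import quopri
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample mimicking the quoted message. The "=" at the end of the
# width attribute is a quoted-printable soft line break, as in the original.
# 192.0.2.10 is a documentation address used as a placeholder destination.
SAMPLE_QP = (
    b'<A href=3D"https://www.paypal.com/" target=3D_blank>'
    b'<IMG height=3D35 alt=3DPayPal src=3D"http://www.paypal.com/images/email_logo.gif" width=3D25=\n'
    b'5 border=3D0></A>\n'
    b'<p>Please follow the link below and log into your account.</p>\n'
    b'<A href=3D"http://192.0.2.10/paypal/login.htm">Click Here To Begin the Account Process</A>\n'
)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for each anchor; image alt text counts as visible text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href = a.get("href")
            self._text = []
        elif tag == "img" and self._href is not None and a.get("alt"):
            self._text.append(a["alt"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def extract_links(raw_qp):
    """Decode quoted-printable bytes and return [(href, text), ...] in document order."""
    html = quopri.decodestring(raw_qp).decode("utf-8", "replace")
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def _in_brand(host, brand_domain):
    return host == brand_domain or host.endswith("." + brand_domain)


def suspicious_links(raw_qp, brand_domain="paypal.com"):
    """Return (href, reasons) for every link whose host is outside brand_domain.

    A message that presents itself as the brand has no business sending the
    reader anywhere else; a raw IP host or the brand name used as decoration
    on an off-brand link are recorded as additional reasons.
    """
    brand_word = brand_domain.split(".")[0]
    findings = []
    for href, text in extract_links(raw_qp):
        host = (urlparse(href).hostname or "").lower()
        if _in_brand(host, brand_domain):
            continue
        reasons = ["host outside " + brand_domain]
        try:
            ip_address(host)
            reasons.append("raw IP host")
        except ValueError:
            pass
        if brand_word in href.lower() or brand_word in text.lower():
            reasons.append("brand name used to dress up off-brand link")
        findings.append((href, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for href, why in suspicious_links(SAMPLE_QP):
        print(href, "->", why)
```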
    
    ------------------------------
    
    Date: Thu, 12 Dec 2002 20:43:10 -0500
    From: PURKASZat_private
    Subject: Internet spam mogul can't take what he dishes out
    
    West Bloomfield (Michigan) bulk e-mailer Alan Ralsky, who just may be the
    world's biggest sender of Internet spam, is getting a taste of his own
    medicine.  Ever since I wrote a story on him a couple of weeks ago
    (www.freep.com/money/tech/mwend22_20021122.htm), he says he's been inundated
    with ads, catalogs and brochures delivered by the U.S. Postal Service to his
    brand-new $740,000 home.  It's all the result of a well-organized campaign
    by the anti-spam community, and Ralsky doesn't find it funny. ...
    [Source: Mike Wendland, *Detroit Free Press*, 6 Dec 2002]
    
    ------------------------------
    
    Date: Thu, 12 Dec 2002 12:52:49 -0500
    From: <bcrook0926at_private>
    Subject: Tower reports customer information "leak"
    
    Tower Records, a well known chain of record shops that does business in the
    US and the UK, recently suffered an embarrassing information leak due to
    amateurish Web programming. A Windows "Active Server Page" script, which
    allowed customers to check the status of their orders by entering their
    order numbers, was written so that it required no other identification from
    the user than the order numbers themselves -- which were assigned in
    sequence. Simply modifying a URL to contain an order number one greater or
    one less than that assigned to your own order would show you another
    customer's information. E-mail addresses, street addresses, phone numbers,
    and order information dating back to 1996 were exposed.  The chain reports
    that the hole was finally closed this week.
      http://www.extremetech.com/article2/0,3973,760739,00.asp
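    The flaw described above is a lookup in which the order number is both locator and credential. As an added illustration (not Tower's code, and using constructed sample orders), the vulnerable lookup is shown beside two fixes: binding the lookup to the logged-in customer, or, where customers check status without logging in, pairing each order number with an unguessable token; `neighbour_exposure` measures how many other customers' records the id-plus-one/minus-one trick reveals through each variant.

```python
"""Order-status lookup: the order-number-as-credential flaw beside two fixes."""
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    customer: str      # account that placed the order
    email: str
    status: str


# Constructed sample data (not Tower's); note the sequential order numbers.
ORDERS = {
    1001: Order(1001, "alice", "alice@example.com", "shipped"),
    1002: Order(1002, "bob", "bob@example.com", "processing"),
    1003: Order(1003, "carol", "carol@example.com", "shipped"),
}


class NotFound(Exception):
    """Single failure mode: never distinguish 'no such order' from 'not your order'."""


def vulnerable_status(order_id):
    """The flaw as described: the order number alone unlocks the record."""
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound
    return order


def session_status(session_customer, order_id):
    """Fix 1: the order number only locates; ownership is checked against the login."""
    order = ORDERS.get(order_id)
    if order is None or not hmac.compare_digest(order.customer, session_customer):
        raise NotFound
    return order


# Fix 2: for lookups without a login, store an unguessable token with each order
# (sent to the customer in the confirmation e-mail) so the sequential number is
# no longer the secret. Generated here at import time for the sample orders.
LOOKUP_TOKENS = {oid: secrets.token_urlsafe(16) for oid in ORDERS}


def token_status(order_id, token):
    """Fix 2: require the per-order token as well as the order number."""
    expected = LOOKUP_TOKENS.get(order_id)
    if expected is None or not hmac.compare_digest(expected, token):
        raise NotFound
    return ORDERS[order_id]


def neighbour_exposure(lookup, order_id):
    """Count records other than the caller's own that id-1 and id+1 reveal via `lookup`."""
    leaked = 0
    for candidate in (order_id - 1, order_id + 1):
        try:
            if lookup(candidate).order_id != order_id:
                leaked += 1
        except NotFound:
            pass
    return leaked


if __name__ == "__main__":
    print("vulnerable:", neighbour_exposure(vulnerable_status, 1002))
    print("session-bound:", neighbour_exposure(lambda oid: session_status("bob", oid), 1002))
```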
    
    ------------------------------
    
    Date: Fri, 13 Dec 2002 22:15:48 -0500
    From: Monty Solomon <montyat_private>
    Subject: Perils in switching to Yahoo (David Lazarus)
    
    David Lazarus, *San Francisco Chronicle*, 13 Dec 2002
    
    Pacific Bell may be taking on a new name, but it's still up to the same old
    tricks.  The company's customers were outraged when I wrote how Pac Bell,
    which now wants to be known by the moniker of its corporate parent, SBC,
    slipped an insert into recent bills advising that personal information will
    be shared with business partners unless the customer says otherwise.  ...
    That's not the half of it. For some services, Yahoo says it will request Pac
    Bell customers' Social Security number "and information about your assets."
    The online company says it will track DSL subscribers' Internet browsing and
    share personal information with "trusted partners." Such info will be used
    in part "to customize the advertising and content you see."  "Once you
    create an SBC Yahoo account and sign in to our services, you are not
    anonymous to us," Yahoo warns in surprisingly stark language.  ...
      http://sfgate.com/cgi-bin/article.cgi?f=/c/a/2002/12/13/BU191399.DTL
    
    ------------------------------
    
    Date: Tue, 10 Dec 2002 16:22:55 -0800
    From: Rob Slade <rsladeat_private>
    Subject: Community security education contacts
    
    Many of us have known for years that education and heightened awareness are
    vital to improving the general information security situation.  It's been
    rather frustrating to try and promote the idea.  However, at long last there
    seems to be a groundswell of both interest in the topic, and work towards
    producing seminars and training.
    
    As a step in getting some cooperation going in terms of the production of
    security awareness seminars, I have started a mailing list and a Web page of
    contacts.  The mailing list is comsecedat_private: if you want to join
    send e-mail to comseced-subscribeat_private  The Web page is at
    http://victoria.tc.ca/techrev/comseced.htm or
    http://sun.soci.niu.edu/~rslade/comseced.htm.
    
    If you have curricula, materials, or ideas that you would be willing to
    share, please drop me a line or join the group.
    
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
    
    ------------------------------
    
    Date: Mon, 16 Dec 2002 9:57:05 PST
    From: "Peter G. Neumann" <neumannat_private>
    Subject: U.S. Army Research Office calls for odortype detection proposals
     
      <http://www.aro.army.mil/research/index.htm> 
    The U.S. Army Research Office (ARO) is soliciting proposals to determine
    whether genetically-determined odortypes may be used to identify specific
    individuals. The proposal also calls for development of the science and
    enabling technology to detect and identify specific individuals by such
    odortypes.  The Odortype Detection Program will leverage research that has
    demonstrated that the same set of genes that code for internal immune system
    self/non-self recognition in mice -- the Major Histocompatibility Complex
    (MHC) -- also code for individual odortype. Total funding for the research
    and development effort may be up to $3.2 million in 2003.
    http://www.biometritech.com/enews/121602c.htm
    
        [De-scent into the pits?  PGN]
    
    ------------------------------
    
    Date: Thu, 12 Dec 2002 23:45:25 -0500
    From: jeremy.epsteinat_private
    Subject: Re: Anti-worm "throttling"
    
    The HP paper you're referring to ("Throttling Viruses: Restricting
    propagation to defeat malicious mobile code" by Matthew Williamson,
    Hewlett-Packard Labs) was presented this week at the 18th Annual Computer
    Security Applications Conference, and won the best paper award.  Along with
    Paul Karger's Multics retrospective (discussed in previous issues of RISKS),
    it's made this year's ACSAC particularly interesting.
    
    ------------------------------
    
    Date: Mon, 16 Dec 2002 10:03:49 -0600
    From: "Donald A. Norman" <donat_private>
    Subject: The risks of RISKS
    
    The RISK of RISKS:
    
    I've become paranoid over the past year, but legitimately. And it is
    wrecking my life.
    
    Because I was involved in a National Academies study of anti-terrorism, I
    examined how people defeated security systems. The security community --
    with some notable exceptions -- seems to think this is a technological
    problem: put in enough technology and the system is secure. I have always
    thought just the opposite: this is a social problem. Indeed, my belief is
    that "The more secure you make the system from a technological point of
    view, the less secure you are apt to have made it in reality."  Why? Because
    the technology gets in the way of work, and so the most dedicated workers
    will defeat the system in order that they can get their work done.  My
    studies of the cracker community and discussions with professional "red
    team" members simply reinforce the view.
    
    We are social beings: we work well in small, cooperative groups. Part of the
    benefits of our society is that we all help one another. We trust one
    another. The people who would deceive us understand this and manipulate it.
    
    Well, the social engineer takes advantage of all of this. I've just finished
    reading the book by Mitnick and Simon. I recommend it to everyone: it is
    scary. It tells how a few simple sounding (but very sophisticated) phone
    calls can get the sophisticated con artist almost anything. It gives very
    convincing examples.
    
      Mitnick, K. D., & Simon, W. L. (2002). The art of deception:
      controlling the human element of security. Indianapolis: Wiley.
    
    So now I am on guard. And guess what, I immediately spot spoofs. I get an
    e-mail stating that I have just signed up with American Express for
    bill-paying, so I should log on to this URL and set up my account.  Except
    that I didn't recall signing up, and the URL is not associated with American
    Express: it is "thevalidnetwork.com".  Sounded like a spoof to me. I call
    up American Express. They deny all knowledge of the site, but they also
    refuse to accept my complaint. "Not my department," said the woman, as she
    gave me a different phone number to call and hung up on me.  The man at the
    other phone number also confirmed that this was not a valid American Express
    site, and he wanted to report it, but it wasn't his responsibility either --
    the phone number he asked me to use was for the woman who refused to take
    it. He tried -- he was turned down too.
    
    So American Express claims this is not their site, but refuses to let me
    file a complaint.
    
    Then yesterday, I get a letter inviting me to a conference. Would I send my
    address and phone number, and also the phone numbers of anyone else I
    thought should be invited. The person said he had gotten my name from X, and
    said the conference was run by Consumers Reports. Well, the website he
    listed gave no hint of why I should trust this person -- he claimed to be a
    contractor. I checked with X, who said, no, he couldn't vouch for the
    person.  The letter said time was of the essence, but it came in over the
    weekend, so I couldn't call Consumer Reports to check.
    
    Both letters were perfect examples of Mitnick's illustrations of how to con
    people. They look legitimate, but if you examine them closely, the URLs are
    wrong, and although legitimate names are given, this is an emergency and the
    answer must be given now, after hours, when those legitimate-sounding names
    can't be checked.
    
    I now have discovered that both e-mails were legitimate. My financial advisor
    had signed me up for the bill payment scheme (he says we asked him to). The
    site was subcontracted by American Express to do this, but obviously, their
    phone support people don't know this.  As for the invitation, the person at
    Consumer Reports vouched for it.
    
    But what a life we have to lead: we can easily be conned by legitimate
    looking requests. And we might refuse to honor legitimate requests that
    could also be frauds.  Or, even if we accept them, we waste a lot of time
    checking them out -- a lot of our time and that of the people we have to
    bother to find out if it is real. And, along the way, I also discovered that
    even if we are recipients of a real fraud, it is very difficult to tell
    anyone. An amazing number of websites lack any contact information, any way
    of reporting problems. And even if you do report a problem, it is answered
    bizarrely.  I just reported, via a website, to Mindspring that their server
    seemed to be down. In reply I was told how to check the modem settings under
    Windows 98. That wasn't my complaint, I don't use a dial-up modem, and I
    don't run Windows 98. When I complained that the response was not relevant,
    I got instructions to check the wiring of my modem.
    
    So consider the RISKS of RISKS.  We waste time every day deleting spam and
    backing up our systems. We waste time every week updating our virus controls
    and rescanning our computer systems. We no longer can trust the people we
    interact with, for social engineers take advantage of all that we have come
    to trust.  We are searched at work and when traveling. We have to watch what
    we say in public because it might be misinterpreted.  And there is nobody to
    complain to.
    
    Trust is rapidly leaving our society, and we all are worse off as a result.
    
    Don Norman, Prof. Computer Science, Northwestern University http://www.jnd.org
    and Nielsen Norman Group      http://www.nngroup.com  normanat_private
    
      [See Rob Slade's following item.  PGN]
    
    ------------------------------
    
    Date: Thu, 12 Dec 2002 08:00:51 -0800
    From: Rob Slade <rsladeat_private>
    Subject: REVIEW: "The Art of Deception", Kevin D. Mitnick/William L. Simon
    
    BKARTDCP.RVW   20021028
    
    "The Art of Deception", Kevin D. Mitnick/William L. Simon, 2002,
    0-471-23712-4, U$27.50/C$39.95/UK#19.95
    %A   Kevin D. Mitnick
    %A   William L. Simon
    %C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
    %D   2002
    %G   0-471-23712-4
    %I   John Wiley & Sons, Inc.
    %O   U$27.50/C$39.95/UK#19.95 416-236-4433 fax: 416-236-4448
    %O  http://www.amazon.com/exec/obidos/ASIN/0471237124/robsladesinterne
    %P   352 p.
    %T   "The Art of Deception: Controlling the Human Element of Security"
    
    Those in the security field know that Kevin Mitnick does not deserve the
    reputation he has gained as some kind of technical genius.  His gift was
    skill as a social engineer.  Stripped of the five dollar words, this means
    that he was a plain, old con man, cheat, or fraud.  In other words, this is
    a book about how to fool people.  Theoretically, the determined reader
    should be able to use the book to keep from being conned.
    
    In the preface, Mitnick would have us believe that, although he admits to
    being a fraud and deceiver, he was never a grifter.  He never harmed
    anybody, never obtained a material benefit, and was just curious to see if
    he could ride the buses for free (at the expense of the transit system) or
    make calls for free (at the expense of an MCI customer).  (The willing moral
    blindness of these assertions is possibly the most instructive part of the
    book: it is truly representative of large portions of the blackhat
    community.)  He would have us believe that he is a "changed person": one of
    the most sought-after computer security experts world-wide, and the world's
    most famous hacker.  Oh, and just in case the authorities are inclined to
    think that this book runs counter to the injunction that he not profit from
    the stories of his criminal exploits, the tales are all completely
    fictional.  Trust him.
    
    Part one is entitled "Behind the Scenes."  Chapter one states that people
    are security's weakest link.  This is a truism well known in the field, but
    the first account is really about insider fraud, while the remainder are
    generic fear-mongering.
    
    Part two describes the art of the attacker.  (At great length.)  Chapter two
    depicts escalation or enumeration through social engineering, and points out
    that sometimes innocuous information isn't.  There is a section on
    "preventing the con" at the end of each chapter: in this case we are told
    not to give out information, but not provided with any advice about
    authenticating callers.  Similarly, chapter three says that sometimes
    attackers just ask for access or information and says to verify callers, but
    doesn't say how.  Chapter four tells you to distrust everyone--which would
    probably be more damaging to society than social engineering.
    (Interestingly, yesterday a report came out about studies of "freeloading"
    in the animal kingdom, which notes that communities with too many
    non-contributing members tend not to survive.  By extension, only societies with
    an overwhelming majority of trustworthy members exist for any length of
    time.)  The prevention bit tells companies not to have people give credit
    card information over the phone, but stresses teaching employees about cons
    rather than policies.  At about this point the text, which is very
    repetitious, throws in some minor technical details.  This is enough to
    remind the professional that the book is designed for the naive user, with
    extremely lightweight analysis, and implications that would not be useful.
    There is more repetitive redundancy in chapter six, on the way to some
    useful information about fraudulent e-mail and really lousy data about
    viruses and malware, in chapter seven.  Chapters eight and nine are simply
    more of the same stories, which start to get very tedious.
    
    Part three is apparently supposed to help us detect intruders.  Chapter ten
    has a little useful advice about having termination procedures.  The major
    points in chapter eleven seem to be about all the people who have been mean
    to our poor Kevin.  Then it is back to the, by now extremely tiresome, con
    jobs for another three chapters.
    
    We are intended to believe that part four will help us protect ourselves and
    our companies against social engineering.  Chapter fifteen is an attempt to
    convince us that the book should be purchased for all employees.  (Nice try,
    Kev.)  There is an arbitrary, and oddly both generic and overly detailed,
    suggested security policy, in chapter sixteen.
    
    So.  Security professionals already know about social engineering.  It is
    unlikely in the extreme that even the most head down,
    don't-talk-to-the-users, socially maladept firewall administrator will learn very much
    from this book.  But, of course, this is not a trade paperback.  This is a
    hardback aimed at the mass market: the non-professionals.  Will they learn
    anything from it?  Well, it might be useful for teaching new tricks to those
    who like to con people (although fraudsters will likely be disappointed at
    the number of times it is assumed that they know how to reprogram DMS-100
    switches: don't try this at home).  The prevention sections, as noted, are
    big on "don't" and short on "how not to."
    
    Well, but the book can still be a fascinating read, can't it?  Sure.  If
    you're the type of person who finds humour in watching someone fall on his
    or her face.  Over and over and over and over and over and over and over and
    over and over and over again ...
    
    copyright Robert M. Slade, 2002   BKARTDCP.RVW   20021028
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
    
      [See Don Norman's previous item.  PGN]
    
    ------------------------------
    
    Date: Wed, 11 Dec 2002 08:12:25 -0800
    From: Rob Slade <rsladeat_private>
    Subject: REVIEW: "Secured Computing", Carl F. Endorf
    
    BKSCDCMP.RVW   20020905
    
    "Secured Computing", Carl F. Endorf, 2002, 1-55212-889-X,
    U$44.95/C$64.00
    %A   Carl F. Endorf etresearchat_private
    %C   Suite 6E, 2333 Government Street, Victoria, BC   V8T 4P4
    %D   2002
    %G   1-55212-889-X
    %I   Trafford Publishing
    %O   U$44.95/C$64.00 888-232-4444 FAX 250-383-6804 salesat_private
    %O  http://www.amazon.com/exec/obidos/ASIN/155212889X/robsladesinterne
    %P   538 p.
    %T   "Secured Computing: CISSP Study Guide, Second Edition"
    
    Like Mandy Andress' book (cf. BKCISPEC.RVW), this concentrates on
    terminology, rather than the concepts that the CISSP exam actually tests
    for.  Like Krutz and Vines' book (cf. BKCISPPG.RVW), this obviously and
    slavishly follows the (ISC)^2 syllabus.  Unlike Shon Harris' book
    (cf. BKCISPA1.RVW), it doesn't provide much added value or explanation.
    
    It does offer a money back guarantee.  If, within six months of buying the
    book, you take the CISSP exam twice (at U$450 a pop) and fail both times,
    you get the price of the book back.  Less shipping and handling.  (Also, you
    might need to be careful when ordering the book.  The ISBN is identical for
    both the first and second editions.)
    
    Some of the errors in the first edition of the book have been corrected, but
    a few remain, such as the addition of a "strong star" property to the
    Bell-LaPadula security model.
    
    Since the work concentrates on jargon, there are glaring gaps in the
    coverage.  For example, the Law, Investigation, and Ethics domain has almost
    nothing to say about incident response, investigation, preservation of
    evidence, computer forensics, or interviewing.
    
    Added to the book in this second edition is a practice CISSP exam.  Although
    the structure of the questions appears to be similar to those you would see
    on a real exam, the answers, oddly enough, rely on nonstandard terminology.
    
    Approximately one third of the total material in the second edition is a
    reprint of the "Standard of Good Practice" document available from the
    Information Security Forum (www.securityforum.org).  While there is nothing
    wrong with the document, and it could be a useful aid to the practitioner,
    it isn't much of a help in studying for the CISSP.
    
    While this book might provide some assistance in exam prep, it is probably
    not a sufficient guide by itself.
    
    copyright Robert M. Slade, 2002   BKSCDCMP.RVW   20020905
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
    
    ------------------------------
    
    Date: 29 Mar 2002 (LAST-MODIFIED)
    From: RISKS-requestat_private
    Subject: Abridged info on RISKS (comp.risks)
    
     The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
     if possible and convenient for you.  Alternatively, via majordomo,
     send e-mail requests to <risks-requestat_private> with one-line body
       subscribe [OR unsubscribe]
     which requires your ANSWERing confirmation to majordomoat_private .
     If Majordomo balks when you send your accept, please forward to risks.
     [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
     this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
     Lower-case only in address may get around a confirmation match glitch.
       INFO     [for unabridged version of RISKS information]
     There seems to be an occasional glitch in the confirmation process, in which
     case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
       .MIL users should contact <risks-requestat_private> (Dennis Rears).
       .UK users should contact <Lindsay.Marshallat_private>.
    => The INFO file (submissions, default disclaimers, archive sites,
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues.  *** All
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risksat_private with meaningful SUBJECT: line.
    => ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
       [volume-summary issues are in risks-*.00]
       [back volumes have their own subdirectories, e.g., "cd 21" for volume 21]
     http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
       Lindsay Marshall has also added to the Newcastle catless site a
       palmtop version of the most recent RISKS issue and a WAP version that
       works for many but not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing,
        http://www.csl.sri.com/illustrative.pdf or .ps for printing
    
    ------------------------------
    
    End of RISKS-FORUM Digest 22.43
    ************************
    
    This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 14:23:48 PST