[risks] Risks Digest 22.50

From: RISKS List Owner (riskoat_private)
Date: Sat Jan 18 2003 - 14:46:51 PST

    RISKS-LIST: Risks-Forum Digest  Saturday 18 January 2003  Volume 22 : Issue 50
    
       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
    
    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/22.50.html>
    and by anonymous ftp at ftp.sri.com, cd risks .
    
      Contents:
    ACLU sees a growing 'surveillance monster' (NewsScan)
    Michelin to embed electronic ID tags in tires (Monty Solomon)
    Junked hard drives yield lots of personal data (NewsScan)
    Girl suffers burns after laptop explodes (Monty Solomon)
    Cash machine error goes unchecked (Tim Storer)
    Exchange/Outlook being "helpful" (Pete Carah)
    Equifax "security" (Yakov Shkolnikov)
    Lexmark DMCA lawsuit temporary restraining order (Monty Solomon)
    DMCA vs. The Garage Door Opener (Fred von Lohmann via Declan McCullagh)
    Re: Sophos "more viruses" warning: grain of salt? (Denis Haskin)
    REVIEW: "Building Secure Software", John Viega/Gary McGraw (Rob Slade)
    REVIEW: "Network Security", Charlie Kaufman/Radia Perlman/Mike Speciner 
      (Rob Slade)
    REVIEW: "Web Security, Privacy and Commerce", Garfinkel/Spafford (Rob Slade)
    Abridged info on RISKS (comp.risks)
    
    ----------------------------------------------------------------------
    
    Date: Thu, 16 Jan 2003 09:23:09 -0700
    From: "NewsScan" <newsscanat_private>
    Subject: ACLU sees a growing 'surveillance monster'
    
    In a new report called "Bigger Monster, Weaker Chains," the American Civil 
    Liberties Union says that there is a rapidly growing "American Surveillance 
    Society" brought about by "a combination of lightning-fast technological 
    innovations and the erosion of privacy protections" threatening "to 
    transform Big Brother from an oft-cited but remote threat into a very real 
    part of American life." This "surveillance monster" includes, among other 
    things, cameras monitoring public spaces, proposals for databases filled 
    with personal information on U.S. citizens, and anti-terrorist legislation 
    allowing the government to demand that libraries turn over reading 
    histories of their patrons. Yet the report asserts that these monsters 
    don't even have to be real for them to be terrifying: "It is not just the 
    reality of government surveillance that chills free expression and the 
    freedom that Americans enjoy. The same negative effects come when we are 
    constantly forced to wonder whether we might be under observation." [AP/*USA 
    Today 16 Jan 2003; NewsScan Daily, 16 Jan 2003] 
      http://www.usatoday.com/tech/news/2003-01-16-privacy-threats_x.htm
    
    ------------------------------
    
    Date: Fri, 17 Jan 2003 03:09:56 -0500
    From: Monty Solomon <montyat_private>
    Subject: Michelin to embed electronic ID tags in tires
    
    Michelin plans to embed technology in its tires that would allow the tires
    to communicate wirelessly to the car, sending pressure readings, etc., to
    the dashboard computer, using an antenna and an integrated circuit the size
    of a match head.  Proponents of such RFID tags, which store, send and
    receive data through weak radio signals, believe they will one day replace
    bar codes and revolutionize the way that inventories are tracked and
    consumer products are designed once their price falls far enough.
    [Source: Reuters item 14 Jan 2003; PGN-ed]
      http://www.reuters.com/newsArticle.jhtml?type=technologyNews&storyID=2045403
    
       [Also noted by Richard M. Smith]
    
    ------------------------------
    
    Date: Thu, 16 Jan 2003 09:23:09 -0700
    From: "NewsScan" <newsscanat_private>
    Subject: Junked hard drives yield lots of personal data
    
    MIT graduate students Simson Garfinkel and Abhi Shelat bought 158 hard
    drives at second hand computer stores and eBay over a two-year period, and
    found that more than half of those that were functional contained
    recoverable files, most of which contained "significant personal
    information." The data included medical correspondence, love letters,
    pornography and 5,000 credit card numbers. The investigation calls into
    question PC users' assumptions when they donate or junk old computers -- 51
    of the 129 working drives had been reformatted, and 19 of those still
    contained recoverable data. The only surefire way to erase a hard drive is
    to "squeeze" it -- writing over the old information with new data,
    preferably several times -- but few people go to the trouble. The findings
    of the study will be published in the IEEE Security & Privacy journal
    Friday. [AP 16 Jan 2003; NewsScan Daily, 16 Jan 2003]
      http://apnews.excite.com/article/20030116/D7OJBBBG0.html
    
    ------------------------------
    
    Date: Fri, 17 Jan 2003 01:14:33 -0500
    From: Monty Solomon <montyat_private>
    Subject: Girl suffers burns after laptop explodes
    
    A 15-year-old girl suffered second-degree burns to her hands and thighs
    after the laptop she was using exploded.  [Source: Tim Richardson, *The
    Register*, 16 Jan 2003 ]
      http://www.theregister.co.uk/content/54/28899.html
    
    ------------------------------
    
    Date: Thu, 16 Jan 2003 13:19:30 +0000
    From: Tim Storer <twsat_private-and.ac.uk>
    Subject: Cash machine error goes unchecked
    
    A story widely reported in the UK news today (Thursday 16/1/2003) e.g.
    http://www.guardian.co.uk/uk_news/story/0,3604,875749,00.html
    and also
    http://www.telegraph.co.uk/news/main.jhtml?xml=/opinion/news/2003/01/16/ncash16
    
    regarding a family who discovered errors in a cash machine whose software
    had recently been upgraded.  They were able to obtain unlimited cash from
    the machine (some 135,000 pounds) by typing in random PIN numbers.
    
    An issue not included in all the reports was that the family allegedly 
    contacted the building society to report the error (this was reported in the 
    print edition of the Metro, a free newspaper supplied on the UK's public 
    transport infrastructure).  Only when the society failed to take action did 
    the family begin exploiting the error.
    
    The risk here (assuming the family did indeed report the fault) would be the 
    failure of the society to implement remedial action when notified of a 
    problem, perhaps due to a lack of procedure for handling such information.  
    This is quite apart from the clearly inadequate testing of the software added 
    to the cash machine in the first place.
    
    ------------------------------
    
    Date: Sat, 18 Jan 2003 11:40:15 -0800 (PST)
    From: Pete Carah <peteat_private>
    Subject: Exchange/Outlook being "helpful"
    
    I don't know if this has been covered before, but I have a
    correspondence going with someone who uses Exchange for his mail.
    
    I have a procmail filter that files mail containing an html tag (the opening
    html identifier, not just any html tag) in a box labelled spam, which I then
    peruse about weekly.  (and just discards any containing both an html and
    script tag...)
    
    He complains that I don't answer him timely, and that he has configured his
    mailer to not send html.  This appears to be the case; his messages to me
    are not put in html form.
    
    The zinger here is that my quoted message in his reply is in html form,
    identified as "converted from text/plain", (in the DTD line, I found the
    conversion having been done by the exchange server) "We're Microsoft, and
    we're here to help you"...
    
    I don't know if he can suppress that one, either; perhaps by not quoting my
    incoming message (which should be edited anyhow; I don't like postquotes
    since they tend to grow uncontrollably).
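
    The filing rule described above, as an added example (not Pete Carah's actual
    procmail recipe): it files a message on an opening <html> tag, discards it when
    a <script> tag is present as well, and shows how a reply whose quoted portion
    was converted to HTML by the sender's server ends up in the spam box even though
    the sender's own text is plain.  The sample messages and the "converted from
    text/plain" marker placement are constructed for the example.

```python
import re
from email import message_from_string
from email.message import Message

# The post's rule keys on the opening <html> identifier, not on any tag.
HTML_OPEN = re.compile(r"<html\b", re.IGNORECASE)
SCRIPT_OPEN = re.compile(r"<script\b", re.IGNORECASE)


def body_text(msg: Message) -> str:
    """Concatenate every decoded text/* part of the message."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload is not None:
            charset = part.get_content_charset() or "us-ascii"
            parts.append(payload.decode(charset, "replace"))
    return "\n".join(parts)


def classify(raw: str) -> str:
    """Return 'discard', 'spam' or 'inbox' following the rule in the post."""
    text = body_text(message_from_string(raw))
    has_html = bool(HTML_OPEN.search(text))
    has_script = bool(SCRIPT_OPEN.search(text))
    if has_html and has_script:
        return "discard"
    if has_html:
        return "spam"
    return "inbox"


def converted_quote(raw: str) -> bool:
    """True if some text/html part carries the 'converted from text/plain'
    marker the post reports seeing on the server-converted quoted text."""
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            if b"converted from text/plain" in payload.lower():
                return True
    return False


# Constructed sample 1: the correspondent's reply, plain text throughout.
PLAIN_REPLY = """\
From: him@example.invalid
To: me@example.invalid
Subject: Re: hello
Content-Type: text/plain

Sure, sounds good.

> my original note
"""

# Constructed sample 2: same reply, but the quoted part was rewritten as
# HTML by the sending server (marker position is an assumption).
HELPFUL_REPLY = """\
From: him@example.invalid
To: me@example.invalid
Subject: Re: hello
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Sure, sounds good.

--b1
Content-Type: text/html

<!-- converted from text/plain -->
<html><body><p>&gt; my original note</p></body></html>
--b1--
"""

# Constructed sample 3: HTML mail that also carries a script tag.
SPAM_WITH_SCRIPT = """\
From: x@example.invalid
Subject: offer
Content-Type: text/html

<html><body><script>/* constructed */</script>buy now</body></html>
"""

if __name__ == "__main__":
    for name, raw in [("plain", PLAIN_REPLY), ("converted", HELPFUL_REPLY),
                      ("script", SPAM_WITH_SCRIPT)]:
        print(name, classify(raw), "converted-quote:", converted_quote(raw))
```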
    
    ------------------------------
    
    Date: Sat, 18 Jan 2003 10:50:47 -0500 (EST)
    From: Yakov Shkolnikov <yshkolniat_private>
    Subject: Equifax "security"
    
    I sometimes wonder why some sites use 128 bit encryption. For example: I
    just ordered my credit report from Equifax (www.equifax.com).
    When I completed the order, it sent me to the order confirmation page
    with my username and password as clear text in the URL.  The next day
    I get an e-mail confirming my order with my password in plain text.  RISKS
    are obvious.
    
    ------------------------------
    
    Date: Thu, 9 Jan 2003 22:47:12 -0500
    From: "monty solomon" <montyat_private>
    Subject: Lexmark DMCA lawsuit temporary restraining order
    
    Lexmark lawsuit seeks to defend intellectual property rights while
    preserving customers' rights to choose
    
    As a result of a Lexmark International, Inc. lawsuit against Static Control
    Components, Inc., for violation of the Copyright Act and the Digital
    Millennium Copyright Act, the federal district court in Lexington, Ky.,
    issued a temporary order - agreed to by Static Control - requiring Static
    Control to immediately cease making, selling, or otherwise trafficking in
    the "Smartek(TM)" microchip for the toner cartridges developed for the
    Lexmark T520/522 and T620/622 laser printers.  The order is in effect until
    Lexmark's motion for a preliminary injunction is heard by the Court.
    Lexmark's complaint alleges that the Smartek(TM) microchips incorporate
    infringing copies of Lexmark's copyrighted software and are being sold by
    Static Control to defeat Lexmark's technological controls, thereby allowing
    the unauthorized access to Lexmark's protected software programs and the
    unauthorized remanufacturing of Lexmark "Prebate(TM)" toner cartridges.
    [Source: PRNewswire-FirstCall, 9 Jan 2003; PGN-ed]
    
    http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/01-09-2003/0001869517
    ------------------------------
    
    Date: Wed, 15 Jan 2003 22:05:04 -0500
    From: Declan McCullagh <declanat_private>
    Subject: DMCA vs. The Garage Door Opener
    
    [I've copied the attorneys for the plaintiffs in case they wish to reply to
    Fred. For their reference: Politech is a moderated discussion forum
    populated by many members of the legal community, and I attempt to include
    all reasonable, well-stated views. --Declan]
    
    Date: Wed, 15 Jan 2003 18:48:21 -0800
    Subject: DMCA v garage door openers
    From: Fred von Lohmann EFF <fredat_private>
    To: Declan McCullagh <declanat_private>
    
    In the latest bit of DMCA lunacy, copyright guru David Nimmer turned me onto
    a case that his firm is defending, where a garage door opener company (The
    Chamberlain Group) has leveled a DMCA claim (among other claims) against the
    maker of universal garage door remotes (Skylink).  Yet another case where
    the anti-circumvention provisions of the DMCA are being used to impede
    legitimate competition, similar to the Lexmark case. Not, I think, what
    Congress had in mind when enacting the DMCA.
    
    The Complaint:
      http://www.eff.org/IP/DMCA/20030113_chamberlain_v_skylink_complaint.pdf
    
    The Amended Complaint:
    http://www.eff.org/IP/DMCA/20030114_chamberlain_v_skylink_amd_complaint.pdf
    
    The Summary Judgment Motion:
      http://www.eff.org/IP/DMCA/20030113_chamerlain_v_skylink_motion.pdf
    
    Attorneys for Skylink are (both at the Orange County offices of Irell
    & Manella, a large law firm):
      "Nobles, Kimberley" <KNoblesat_private>
      "Greene, Andra" <AGreeneat_private>
    
    Fred von Lohmann, Senior Intellectual Property Attorney, 
    Electronic Frontier Foundation fredat_private  +1 (415) 436-9333 x123
    
    ------------------------------
    
    Date: Wed, 15 Jan 2003 21:16:29 -0500
    From: Denis Haskin <denisat_private>
    Subject: Re: Sophos "more viruses" warning: grain of salt? (RISKS-22.49)
     
    Shouldn't a warning that "Computer users will be plagued with a host of 
    new viruses this year" be taken with a grain of salt when it comes from 
    a company whose business is selling anti-virus software?
    
    ------------------------------
    
    Date: Thu, 16 Jan 2003 08:01:41 -0800
    From: Rob Slade <rsladeat_private>
    Subject: REVIEW: "Building Secure Software", John Viega/Gary McGraw
    
    BKBUSCSW.RVW   20021124
    
    "Building Secure Software", John Viega/Gary McGraw, 2002,
    0-201-72152-X, U$54.99/C$82.50
    %A   John Viega www.buildingsecuresoftware.com
    %A   Gary McGraw www.buildingsecuresoftware.com
    %C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
    %D   2002
    %G   0-201-72152-X
    %I   Addison-Wesley Publishing Co.
    %O   U$54.99/C$82.50 416-447-5101 fax: 416-443-0948
    %O  http://www.amazon.com/exec/obidos/ASIN/020172152X/robsladesinterne
    %P   493 p.
    %T   "Building Secure Software: How to Avoid Security Problems the
          Right Way"
    
    The "right way" of the subtitle is, of course, designing and building
    a product correctly the first time.  The preface states that the book
    is concerned with broad principles of systems development, and so does
    not cover specialized topics such as code authentication and
    sandboxing.  It also points out that software vendors are effectively
    exempt from liability, and so have no reason to produce secure or
    reliable software.
    
    Chapter one is an introduction to software security, with an overview
    of related topics and considerations.  Managing software security
    risks, in chapter two, looks at good practices in the system
    development life cycle, the position of the security engineer in
    development, and standards.  The authors point out problems in common
    security "solutions," mostly dealing with authentication, in chapter
    three.  The common myths about the security of open and closed source
    systems are examined in chapter four.  Instead of a checklist of
    thousands of security items (that likely won't be of much use anyway),
    chapter five presents ten guiding principles which will probably catch
    most problems.  The list is not a panacea: the first principle is to
    secure the weakest link, and it takes lots of forethought to design
    for this type of factor in advance.  Auditing software, in chapter
    six, is more about security assessments being conducted at various
    stages in the process, for example, using attack trees at the design
    stage.
    
    The preface states that the book is divided into two parts, conceptual
    and implementation, and, although there is no formal division, this is
    probably the beginning of part two.  Chapter seven looks at buffer
    overflows, always and still the most common software security problem.
    This book, it must be assumed, is written primarily for a programming
    audience, and yet the first part has presented concepts very clearly
    without necessarily getting into code examples.  At this point,
    however, the material is definitely written for advanced C (and
    specifically UNIX) programmers, and the basic concepts are sometimes
    hidden in the details.  Access control, primarily in UNIX systems,
    although with some mention of special capabilities in Windows NT, is
    the topic of chapter eight.  Chapter nine deals with race conditions,
    including the familiar "time of check versus time of use" problem,
    although most of the material is limited to file access concerns. 
    There is an excellent and thorough discussion of pseudo random number
    generation in chapter ten.  Applying cryptography, in chapter eleven,
    stresses the fact that you shouldn't "roll your own," helps out by
    reviewing publicly available cryptographic code libraries, and even
    examines the drawbacks of one-time pads.  Managing trust and input
    validation, in chapter twelve, emphasizes input concerns to the point
    that an important element is possibly buried: in the modern
    environment, you not only have to trust the goodwill of an entity, but
    also its ability to defend itself, so as not to become part of an
    attack against you.  Password authentication, in chapter thirteen,
    promotes randomly chosen passwords.  Given a work directed at
    programming I suppose this is understandable, but recent research has
    shown that "well chosen" passwords are as easy to remember as naive,
    and as secure as random.  Chapter fourteen is an overview of the basic
    aspects of database security, although it only touches on the more
    advanced topics of this specialized field.  Client-side security
    concentrates on copy protection and other anti-piracy measures in
    chapter fifteen.  Some means of establishing a connection through a
    firewall are examined in chapter sixteen.
    
    While I can understand and sympathize with the desire to give examples
    of specific code in dealing with implementation details, there are a
    number of major concepts covered in the latter part of the book which
    would have been more accessible to non-programmers had they been dealt
    with as tutorially as in the first part.  Still, the book has a great
    deal to teach programmers about security and reliability, and security
    professionals about the requirements of the development process.
    
    copyright Robert M. Slade, 2002   BKBUSCSW.RVW   20021124
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
    
    ------------------------------
    
    Date: 18 Jan 2003
    From: Rob Slade <rsladeat_private>
    Subject: REVIEW: "Network Security", Charlie Kaufman/Radia Perlman/Mike Speciner
    
    BKNTWSEC.RVW   20021106
    
    "Network Security", Charlie Kaufman/Radia Perlman/Mike Speciner, 2002,
    0-13-046019-2, U$54.99/C$85.99
    %A   Charlie Kaufman ckaufmanat_private
    %A   Radia Perlman radiaat_private
    %A   Mike Speciner msat_private
    %C   One Lake St., Upper Saddle River, NJ   07458
    %D   2002
    %G   0-13-046019-2
    %I   Prentice Hall
    %O   U$54.99/C$85.99 201-236-7139 fax 201-236-7131 mfranzat_private
    %O  http://www.amazon.com/exec/obidos/ASIN/0130460192/robsladesinterne
    %P   713 p.
    %T   "Network Security: Private Communication in a Public World, 2e"
    
    For communications security, this is the text.  As well as solid
    conceptual background of cryptography and authentication, there is
    overview coverage of specific security implementations, including
    Kerberos, PEM (Privacy Enhanced Mail), PGP (Pretty Good Privacy),
    IPsec, SSL (Secure Sockets Layer), AES (Advanced Encryption Standard),
    and a variety of proprietary systems.  Where many security texts use
    only UNIX examples, this one gives tips on Lotus Notes, NetWare, and
    Windows NT.
    
    Chapter one is an introduction, with a brief primer on networking,
    some reasonable content on malware, and basic security models and
    concepts.
    
    Part one deals with cryptography.  The foundational concepts are
    covered in chapter one.  Symmetric encryption, in chapter three, is
    presented in terms of the operations of DES (Data Encryption
    Standard), IDEA (International Data Encryption Algorithm), and AES. 
    Chapter four details the major modes of DES.  The algorithms for a
    number of hash functions and message digests are described in chapter
    five.  Asymmetric algorithms, such as RSA (Rivest-Shamir-Adleman) and
    Diffie-Hellman, are explained in chapter six, although one could wish
    for just slightly more material, such as actual numeric computations,
    that might reach a wider audience.  The number theory basis of much of
    modern encryption is provided as well, in chapter seven.  More,
    including a tiny bit on elliptic curves, is given in chapter eight.
    
    Part two covers authentication.  The general problems are outlined in
    chapter nine.  Chapter ten looks at the traditional means of
    authenticating people: something you know, have, or are.  Various
    problems in handshaking are reviewed in chapter eleven.  Chapter
    twelve describes some strong protocols for passwords.
    
    Part three examines a number of security standards.  Kerberos gets two
    whole chapters, since we are provided with not only concepts but
    actual packets: version 4 in thirteen and 5 in fourteen.  PKI (Public
    Key Infrastructure) terms, components, and mechanisms are outlined in
    chapter fifteen.  The basic problems in real-time communications
    security are delineated in chapter sixteen.  Chapter seventeen
    examines the authentication and encryption aspects of IPsec, while
    chapter eighteen deals with key exchange packets.  SSL and TLS
    (Transport Layer Security) are described in chapter nineteen.
    
    Part four concentrates on electronic mail.  Chapter twenty lays out
    the major concerns and problems.  Chapter twenty one discusses PEM and
    S/MIME (Secure Multipurpose Internet Mail Extensions).  PGP is covered
    in chapter twenty two.
    
    Part five contains miscellaneous topics.  Chapter twenty three looks
    at firewalls, twenty four at a variety of specific security systems,
    and twenty five at Web issues.  Folklore, in chapter twenty six,
    briefly lists a number of simple "best practices" that aren't
    generally part of formal security literature.
    
    The explanations are thorough and well written, with a humour that
    illuminates the material rather than obscuring it.  The organization
    of the book may be a bit odd at times (the explanation of number
    theory comes only after the discussion of encryption that it
    supports), but generally makes sense.  (It is, sometimes, evident that
    later text has created chapters that are slightly out of place.)  The
    end of chapter "homework" problems are well thought out, and much
    better than the usual reading completion test.  If there is a major
    weakness in the book, it is that the level of detail seems to vary
    arbitrarily, and readers may find this frustrating.  Overall, though,
    this work provides a solid introduction and reference for network
    security related topics and technologies.
    
    copyright Robert M. Slade, 1996, 2002   BKNTWSEC.RVW   20021106
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
    
    ------------------------------
    
    Date: Wed, 15 Jan 2003 08:03:00 -0800
    From: Rob Slade <rsladeat_private>
    Subject: REVIEW: "Web Security, Privacy and Commerce", Garfinkel/Spafford
    
    BKWBSPCM.RVW   20021106
    
    "Web Security, Privacy and Commerce", Simson Garfinkel/Gene Spafford,
    2002, 0-596-00045-6, U$44.95/C$67.95
    %A   Simson Garfinkel simsongat_private
    %A   Gene Spafford spafat_private
    %C   103 Morris Street, Suite A, Sebastopol, CA   95472
    %D   2002
    %G   0-596-00045-6
    %I   O'Reilly & Associates, Inc.
    %O   U$44.95/C$67.95 800-998-9938 707-829-0515 nutsat_private
    %O  http://www.amazon.com/exec/obidos/ASIN/0596000456/robsladesinterne
    %P   756 p.
    %T   "Web Security, Privacy and Commerce"
    
    Anyone who does not know the names Spafford and Garfinkel simply does
    not know the field of data security.  The authors, therefore, are well
    aware that data security becomes more complex with each passing week. 
    This is, after all, the second edition of what was originally
    published under the title "Web Security and Commerce," and, while it
    is still recognizable as such, the work is essentially completely
    rewritten.  The authors note, in the Preface, that the book cannot hope
    to cover all aspects of Web security, and therefore they concentrate
    on those topics that are absolutely central to the concept, and/or not
    widely available elsewhere.  Works on related issues are suggested
    both at the beginning and end of the book.
    
    A greatly expanded part one introduces the topic, and the various
    factors involved in Web security.  Chapter one is a very brief
    overview of Web security considerations and requirements, with some
    material on general security concepts and risk analysis.  The
    underlying architecture of the Web is examined in chapter two,
    although this is basically limited to Internet structures.  (While the
    material is quite informative, perhaps some examples of HTTP
    [HyperText Transfer Protocol] would add value.)  Cryptography is
    explained reasonably well in chapter three: there is no in-depth
    discussion of cryptographic algorithms, but these details can be
    readily found in other works.  Chapter four deals with cryptographic
    uses, and also with legal restrictions.  The concepts and limitations
    of SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are
    given in chapter five, although the operational details are not
    covered.  Chapter six starts out with a general discussion of
    identification and authentication, but then gets bogged down in the
    details of using PGP (Pretty Good Privacy).  The coverage of digital
    certificates, in chapter seven, is likewise constricted by a
    dependence upon system technicalities.
    
    Part two concerns the user.  Chapter two looks at the various possible
    problems with browsers, not
    all of which are related to Web page programming.  Chapter eight looks
    analytically at the possible invasions of privacy that can occur on
    the Web.  Some non-technical techniques of protecting your privacy,
    such as good password choice, are described in chapter nine, with
    various technical means listed in chapter ten.  Chapter eleven reviews
    backups and some physical protection systems.  ActiveX and the
    limitations of authentication certificates, as well as plugins and
    Visual Basic, are thoroughly explored in chapter twelve.  Java
    security is only marginally understood by many "experts," and not at
    all by users, so the coverage in chapter thirteen is careful to point
    out the difference between safety, security, and the kind of security
    risks that can occur even if the sandbox *is* secure.
    
    Part three details technical aspects of securing Web servers.  Chapter
    fourteen looks at physical security and disaster recovery measures. 
    Traditional host security weaknesses are reviewed in chapter fifteen. 
    Rules for secure CGI (Common Gateway Interface) and API (Application
    Programmer Interface) programming are promulgated in chapter sixteen,
    along with tips for various languages.  More details on the server-side
    use of SSL are given in chapter seventeen.  Chapter eighteen looks
    at specific strengthening measures for Web servers.  Your legal options
    for prosecuting a computer crime are reviewed in chapter nineteen.
    
    Commercial and societal concerns in regard to content are major areas
    in Web security, so part six reviews a number of topics related to
    commerce, as well as other social factors.  Chapter twenty discusses a
    number of technical access control technologies, by system.  Obtaining
    a client-side certificate is described in chapter twenty one. 
    Microsoft's Authenticode system is reviewed yet again in chapter
    twenty two.  Censorship and site blocking are carefully examined in
    chapter twenty three.  Privacy policies, systems, and legislation are
    reviewed in chapter twenty four.  Chapter twenty five looks at current
    non-cash payment systems, and the various existing, and proposed,
    digital payment systems for online commerce.  Having already studied
    criminal problems earlier, the book now turns to civil and
    intellectual property issues, such as copyright, in chapter twenty
    six.
    
    Although it has almost nothing to do with Web security as such, I very
    much enjoyed Appendix A, Garfinkel's recounting of the lessons learned
    in setting up a small ISP (Internet Service Provider).  (I suppose
    that this could be considered valid coverage of Web commerce.)  The
    other appendices are more directly related to the topic, including the
    SSL protocol, the PICS (Platform for Internet Content Selection)
    specification, and references.
    
    Although the material has been valuably expanded and updated, some of
    the new content is less worthwhile.  The extensive space given to
    specific products will probably date quickly, although the surrounding
    conceptual text will continue to provide helpful guidance.  Certainly
    for anyone dealing with Web servers or running ISPs, this is a
    reference to consider seriously.
    
    copyright Robert M. Slade, 1998, 2002   BKWBSPCM.RVW   20021106
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
    
    ------------------------------
    
    Date: 29 Mar 2002 (LAST-MODIFIED)
    From: RISKS-requestat_private
    Subject: Abridged info on RISKS (comp.risks)
    
     The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
     if possible and convenient for you.  Alternatively, via majordomo,
     send e-mail requests to <risks-requestat_private> with one-line body
       subscribe [OR unsubscribe]
     which requires your ANSWERing confirmation to majordomoat_private .
     If Majordomo balks when you send your accept, please forward to risks.
     [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
     this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
     Lower-case only in address may get around a confirmation match glitch.
       INFO     [for unabridged version of RISKS information]
     There seems to be an occasional glitch in the confirmation process, in which
     case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
       .MIL users should contact <risks-requestat_private> (Dennis Rears).
       .UK users should contact <Lindsay.Marshallat_private>.
    => The INFO file (submissions, default disclaimers, archive sites,
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues.  *** All
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risksat_private with meaningful SUBJECT: line.
    => ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
       [volume-summary issues are in risks-*.00]
       [back volumes have their own subdirectories, e.g., "cd 21" for volume 21]
     http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
       Lindsay Marshall has also added to the Newcastle catless site a
       palmtop version of the most recent RISKS issue and a WAP version that
       works for many but not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing,
        http://www.csl.sri.com/illustrative.pdf or .ps for printing
    
    ------------------------------
    
    End of RISKS-FORUM Digest 22.50
    ************************
    
    This archive was generated by hypermail 2b30 : Sat Jan 18 2003 - 15:33:13 PST