[risks] Risks Digest 22.55

From: RISKS List Owner (riskoat_private)
Date: Wed Feb 12 2003 - 16:08:22 PST


    RISKS-LIST: Risks-Forum Digest  Weds 12 February 2003  Volume 22 : Issue 55
    
       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
    
    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/22.55.html>
    and by anonymous ftp at ftp.sri.com, cd risks .
    
      Contents:
    Helsinki Health Department computer system down (Jesus Climent)
    Hospital computer changes patient status from discharged to deceased
      (Steven Tepper) 
    Medical records: Turning lemons into lemonade or doublespeak? (Richard Cook)
    Surplus computer in Kentucky held 'deleted' AIDS files (NewsScan)
    TETRA radios pose some risk to hospital equipment (Martyn Thomas)
    Boston artery errors cost over $1 billion (Monty Solomon)
    TurboTax -- more security problems (Jim Garrison)
    Stupid Security competition (Simon Davies)
    Gambling on mobile devices? You bet! (Monty Solomon)
    Senator Hagel of Nebraska ran his state's voting machines (Steven Hauser)
    Judge suspends Washington State phone privacy (Monty Solomon)
    BC Student reprograms ID card, steals thousands (Steve Summit)
    Theft of disk drive at ISM Canada (Bruce Hamilton)
    Feds charge 17 with stealing satellite TV signals (Monty Solomon)
    Ex-hacker Mitnick's site vandalized (PGN)
    The non-paperless electronic office (Dick Mills)
    Password complexity (Jacob Palme)
    REVIEW: "PC Fear Factor", Alan Luber (Rob Slade)
    REVIEW: "Mastering Network Security", Chris Brenton/Cameron Hunt (Rob Slade)
    Abridged info on RISKS (comp.risks)
    
    ----------------------------------------------------------------------
    
    Date: Tue, 11 Feb 2003 13:36:17 +0100
    From: Jesus Climent <jesus.climentat_private>
    Subject: Helsinki Health Department computer system down
    
    A new data system named Pegasos has forced doctors in Helsinki to ask
    patients to remember their case history and to take hand notes.  The fact
    that doctors cannot get any historical data forces them to spend more time
    writing (*sigh*) the data and reviewing the past treatments.  As a
    conclusion, computers can, instead of speeding up the process, slow it down.
      [Source: http://www.helsinki-hs.net/news.asp?id=20030206IE8]
    
    Jesus Climent | Unix SysAdm | Helsinki, Finland | pumuki.hispalinux.es
    
    ------------------------------
    
    Date: Wed, 12 Feb 2003 12:08:03 -0800
    From: greep <greepat_private>
    Subject: Hospital computer changes patient status from discharged to deceased
    
    http://www.baselinemag.com/article2/0,3959,880881,00.asp
    
       Eighty-five hundred people at St. Mary's Mercy [in Grand Rapids,
       Michigan] thought they were still alive. But the hospital's
       computers were telling them they were not.
       ...
    
       It turns out St. Mary's Mercy had recently completed an upgrade of
       its patient-management software system...  A "mapping error" in the
       conversion process resulted in the hospital assigning a disposition
       code of "20"--which meant expired--instead of "01," which meant
       the patient had been discharged.
    
       Worse, that errant data wasn't sent just to the shocked patients but
       to their insurance companies as well as the local Social Security
       office, which helps determine whether elderly or disabled patients are
       eligible for Medicare. Obviously, once a patient is dead,
       Medicare--assuming its electronic-records system is accurate--isn't
       going to make any payments on bills for future medical services or
       medication.
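As an added example (not from the Baseline article or from the hospital's own system), the kind of reconciliation check that catches this class of conversion error before the data is released to patients, insurers, or Social Security: compare each record's meaning before and after the mapping, and the per-status counts, and refuse to release if either differs. The code tables, the flawed mapping, and the patient records are constructed to mirror the description above.

```python
from collections import Counter

# Constructed code table, following the article: "01" = discharged, "20" = expired.
DISPOSITION_MEANING = {"01": "discharged", "20": "expired"}

# Constructed stand-ins for the conversion's mapping table.  The flawed version
# reproduces the reported error: every discharge is mapped onto the expired code.
FLAWED_MAP = {"01": "20", "20": "20"}
CORRECT_MAP = {"01": "01", "20": "20"}

# Constructed legacy records.
LEGACY_RECORDS = [
    {"patient_id": "P001", "disposition": "01"},
    {"patient_id": "P002", "disposition": "01"},
    {"patient_id": "P003", "disposition": "20"},
    {"patient_id": "P004", "disposition": "01"},
]


def convert(records, code_map):
    """Apply the conversion mapping to every record (the migration step)."""
    return [dict(r, disposition=code_map[r["disposition"]]) for r in records]


def reconcile(before, after, meaning=DISPOSITION_MEANING):
    """Reconciliation check to run before anything leaves the system.

    Returns (count_delta, changed): count_delta maps each meaning whose
    population changed to its (before, after) counts; changed lists every
    record whose meaning was altered by the conversion.  Both are empty for
    a meaning-preserving mapping.
    """
    before_by_id = {r["patient_id"]: r for r in before}
    changed = []
    for r in after:
        old = meaning[before_by_id[r["patient_id"]]["disposition"]]
        new = meaning[r["disposition"]]
        if old != new:
            changed.append((r["patient_id"], old, new))
    count_before = Counter(meaning[r["disposition"]] for r in before)
    count_after = Counter(meaning[r["disposition"]] for r in after)
    count_delta = {
        m: (count_before[m], count_after[m])
        for m in set(count_before) | set(count_after)
        if count_before[m] != count_after[m]
    }
    return count_delta, changed


def migration_is_safe(records, code_map):
    """True only if the converted data preserves every record's meaning."""
    count_delta, changed = reconcile(records, convert(records, code_map))
    return not count_delta and not changed


if __name__ == "__main__":
    for name, code_map in (("correct", CORRECT_MAP), ("flawed", FLAWED_MAP)):
        delta, changed = reconcile(LEGACY_RECORDS, convert(LEGACY_RECORDS, code_map))
        print(name, "safe" if migration_is_safe(LEGACY_RECORDS, code_map) else "BLOCKED",
              delta, changed)
```

The per-record check catches a single mis-mapped patient; the aggregate check catches the pattern the article describes, where a whole status population vanishes and another balloons, which is visible even without record-level access to the target system.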
    
    ------------------------------
    
    Date: Mon, 10 Feb 2003 09:23:24 -0600
    From: "Richard Cook" <ri-cookat_private>
    Subject: Medical records: Turning lemons into lemonade or doublespeak?
    
    One remarkable aspect of techno-enthusiasm is the willingness to recast
    failure as a form of success.  A long piece in CIO Magazine, "Off the
    Charts" describes a failure of the electronic medical record system as
    evidence of the value of the system itself.  The piece describes a chip
    failure (burned out Alpha processor) that went on to generate 20-minute
    delays in viewing medical records in the system at the University of
    Illinois medical center.  According to Christopher Koch, the author, the
    fact that "angry calls streamed into IS" from physicians (who had
    conveniently forgotten that there was a "read-only database that had been
    built for such emergencies") serves as prima facie evidence that the system
    is valuable.  No mention is made of whether patient care was impeded or if
    missing information contributed to accidents during the interval.
      [http://www.cio.com/archive/020103/eva_charts_content.html]
    
    If a small failure marks a favorable climate, perhaps a full-fledged
    catastrophe marks real success?
    
    Richard I. Cook, MD, Associate Professor Clinical Anesthesia and Critical Care
    Univ. Chicago, 5841 S. Maryland Ave MC4028, Chicago, IL 60637 www.ctlab.org
    
    ------------------------------
    
    Date: Mon, 10 Feb 2003 09:15:21 -0700
    From: "NewsScan" <newsscanat_private>
    Subject: Surplus computer in Kentucky held 'deleted' AIDS files
    
    A state auditor found that at least one computer used by staffers counseling
    clients with AIDS or HIV was ready to be offered for sale to the public even
    though it still contained files of thousands of people. Auditor Ed Hatchett
    said: "This is significant data. It's a lot of information lots of names and
    things like sexual partners of those who are diagnosed with AIDS. It's a
    terrible security breach." Health Services Secretary Marcia Morgan, who has
    ordered an internal investigation of that breach, says the files were
    thought to have been deleted last year.  [AP/*USA Today* 7 Feb 2003;
    NewsScan Daily, 10 February 2003]
      http://www.usatoday.com/tech/news/2003-02-07-surplus-computer_x.htm
    
    ------------------------------
    
    Date: Tue, 11 Feb 2003 09:59:58 -0000
    From: "Martyn Thomas" <martyn@thomas-associates.co.uk>
    Subject: TETRA radios pose some risk to hospital equipment
    
    The new TETRA two-way radio system is being widely adopted by emergency
    services.  Because it is pulsed more slowly than GSM (17.6 Hz rather than
    217 Hz) the signal is harder to filter and causes a greater level of
    RFI.  For comparative tests on hospital equipment, see
      http://www.medical-devices.gov.uk/mda/mdawebsitev2.nsf/webvwSearchResults/37CE5B0D2F6E45C900256A99005B8734?OPEN
    
    ------------------------------
    
    Date: Sun, 9 Feb 2003 21:25:12 -0500
    From: Monty Solomon <montyat_private>
    Subject: Artery errors cost over $1 billion
    
    In the spring of 1997, David Beck of Bechtel/Parsons Brinckerhoff (the Big
    Dig's contracted managers) discovered that the entire 19,600-seat Fleet
    Center arena (whose own dig had begun in April 1993) was missing from the
    1994 design drawings for what was then only a $10.8-billion project.
    Instead, there was an obstacle-free area through which contractors were
    expected to lay utility lines.  Bechtel apparently failed to fix the problem
    before signing off on the final design drawings three years later, which
    (according to the headline) cost over $1 billion extra.  [PGN-ed from Raphael
    Lewis & Sean P. Murphy, *The Boston Globe*, 9 Feb 2003, First of 3 articles.]
    http://www.boston.com/dailyglobe2/040/nation/Artery_errors_cost_over_1b+.shtml
    
    ------------------------------
    
    Date: Thu, 06 Feb 2003 22:44:37 -0600
    From: Jim Garrison <jhgat_private>
    Subject: TurboTax -- more security problems (Re: RISKS-22.51)
    
    Apart from all the user uproar over TurboTax's activation scheme, the
    program has additional security problems.  TurboTax's online registration
    and update facility will work only if Windows' Internet security parameters
    are reduced to their lowest setting (when you do this Windows itself tells
    you this setting is NOT recommended).
    
    Access to online update is *required* because the distribution CDs are
    pressed before all tax forms are available and you MUST update the product
    in order to have the current forms for filing.
    
    My Win2K system is on an internal LAN behind a Linux firewall, and Intuit
    tech support initially blamed the problems on this configuration.  When I
    connected the Win2K system directly to the cable modem and reproduced the
    problem, they were forced to find the correct solution.
    
    There are several RISKS here:
    
    1) Telling people firewalls are a problem
    
    2) Extremely poor error handling -- Both registration and online update just
       hang forever, displaying an "in progress" dialog box.
    
    3) Writing code that requires the user to reduce Operating
       System security protections in order to use it.
    
    ------------------------------
    
    Date: Tue, 11 Feb 2003 02:19:35 +0000
    From: Simon Davies <s.g.daviesat_private>
    Subject: Stupid Security competition
    
    PRIVACY INTERNATIONAL, MEDIA RELEASE
    PRIVACY WATCHDOG LAUNCHES QUEST TO FIND THE
    WORLD'S MOST STUPID SECURITY MEASURE
    
    Global competition will identify absurd and pointless security requirements
    
    The human rights watchdog Privacy International today launched a competition
    to discover the world's most pointless, intrusive, annoying and self-serving
    security measures.  The "Stupid Security" award aims to highlight the
    absurdities of the security industry. Privacy International's director,
    Simon Davies, said his group had taken the initiative because of
    "innumerable" security initiatives around the world that had absolutely no
    genuine security benefit.  "The situation has become ridiculous" said Mr
    Davies. "Security has become the smokescreen for incompetent and robotic
    managers the world over.  I have stood for ages in a security line at an
    inconsequential office building and grilled relentlessly only to be given a
    security pass that a high school student could have faked. And I resent
    being forced to take off my shoes at an airport that can't even screen its
    luggage" he said.
    
    Even before 9/11, a whole army of bumbling amateurs has taken it upon
    themselves to figure out pointless, annoying, intrusive, illusory and just
    plain stupid measures to "protect" our security.
    
    It has become a global menace. From the nightclub in Berlin that demands the
    home address of its patrons, to the phone company in Britain that won't let
    anyone pay more than twenty pounds a month from a bank account, the world
    has become infested with bumptious administrators competing to hinder or
    harass us. And often for no good reason whatever.
    
    Unworkable security laws and illusory security measures do nothing to help
    issues of real public concern. They only hinder the public and intrude
    unnecessarily into our private lives.
    
    Until 15 Mar 2003, Privacy International is calling for nominations to name
    and shame the worst offenders.
    
    The competition will be judged by a panel of well-known security experts,
    public policy specialists, privacy advocates and journalists.
    
    The competition is open to anyone. Nominations can be sent to
    stupidsecurityat_private.  Winners will be announced on 3 Apr 2003 at the
    13th Computers, Freedom & Privacy conference in New York.
    
    ------------------------------
    
    Date: Mon, 10 Feb 2003 13:44:01 -0500
    From: Monty Solomon <montyat_private>
    Subject: Gambling on mobile devices? You bet!
    
    Because the newest cell phones are essentially mini-PCs, with full operating
    systems, heavy-duty processor power, and high-resolution color screens, they
    are becoming better suited to remote gambling.
    
    "Certainly wireless is the next generation of e-gaming that is looking to
    take hold," says Nancy Chan-Palmateer of CryptoLogic, a Toronto-based
    Internet gambling software company.  The Internet gambling market is
    expected to bring in $5 billion this year for casinos and game operators.
    [Source: Chana R. Schoenberger, *Forbes*, 10 Feb 2003; PGN-ed]
      http://www.forbes.com/2003/02/10/cz_cs_0210gaming.html
    
        [Not surprisingly, this prompts your Moderator to note that today's
        all-electronic voting machines (without any voter-verified nonelectronic
        record of each vote) are essentially equivalent to Internet gambling on
        an unknown off-shore Web site.  "Trust us.  We're completely honest."
        PGN]
    
    ------------------------------
    
    Date: Mon, 10 Feb 2003 10:54:00 -0600 (CST)
    From: Steven Hauser <hause011at_private>
    Subject: Senator Hagel of Nebraska ran his state's voting machines
    
    Republican Senator Hagel was the CEO of the company that produced the voting
    machines that tallied his "upset" victory in Nebraska.  Go figure.
      http://www.thehill.com/news/012903/hagel.aspx
      http://www.theregister.co.uk/content/55/29247.html
    
    Steven Hauser  http://www.tc.umn.edu/~hause011/
    
      [The machines used at the time were apparently a version of the AIS
      DataMark mark-sense card system (now owned by ES&S) rather than 
      all-electronic systems.  PGN]
    
    ------------------------------
    
    Date: Tue, 11 Feb 2003 12:36:10 -0500
    From: Monty Solomon <montyat_private>
    Subject: Judge suspends Washington State phone privacy
    
    AP Online, 11 Feb 2003
    
    Washington state regulations to protect the privacy of telephone customer
    account information, some of the toughest in the country, have been
    suspended by a federal judge.  State regulations that were adopted in
    November [2002] and took effect in January [2003] required phone companies
    to obtain customer approval before selling calling records or using them to
    market anything but telecommunications services.
    
      But Verizon Communications Inc. of New York, which has about 1 million
      customers in Washington, sued the state, saying its Utilities and
      Transportation Commission overstepped its authority and infringed on the
      company's ability to speak to and serve customers.
    
      U.S. District Judge Barbara J. Rothstein ruled Monday that Verizon had
      raised "serious questions" about the constitutionality of Washington's
      privacy rules, and granted a preliminary injunction blocking their
      enforcement while the case is pending.  ...
    
      http://finance.lycos.com/home/news/story.asp?story=31474529
    
    ------------------------------
    
    Date: Fri, 07 Feb 2003 15:54:53 -0500
    From: Steve Summit <scsat_private>
    Subject: BC Student reprograms ID card, steals thousands
    
    Like many colleges, Boston College has a multipurpose magstripe ID card
    which is used for identification, access, purchases at dining halls and the
    campus bookstore, and even local restaurants.  A BC student managed to
    reprogram his ID card with the ID numbers of other students, meaning that he
    could purchase meals, textbooks, etc. with his charges showing up on the
    bills of others.  Evidently he had (among other things) broken into the
    student center after hours and installed sniffing software on computers
    there so that he could obtain the information to reprogram his own card
    with.  A spokesman reassures us that the BC system has been "upgraded to
    prevent future breaches".
      http://digitalmass.boston.com/news/2003/02/07/bc_student.html .
    
    The RISKS of these multi-use cards have been known for some time;
    see for example Andre DeHon's 1995 paper at
    <http://www.ai.mit.edu/people/andre/mit_card/security_assessment/security_assessment.html>.
    It's reasonably interesting to see those fears being realized.
    
    ------------------------------
    
    Date: Wed, 12 Feb 2003 09:17:34 -0800
    From: bruce_hamiltonat_private
    Subject: Theft of disk drive at ISM Canada
    
    Yesterday I received a letter which read, in part:
    
      "Dear Valued Client,
    
      "I am writing to inform you that on January 29, 2003, ISM Canada, a
      subsidiary of IBM Canada Limited that provides client statement services
      to Investors Group, notified us that a significant proportion of our
      clients' 2002 third-quarter statement data was contained on a computer
      hard drive that went missing from their Regina, Saskatchewan offices. Some
      of our information was determined to be on the missing drive.
    
      "I understand the concern this may cause for you. Investors Group wishes
      to assure you that there is no ability for anyone to access your Investors
      Group accounts with this information.
    
      "The missing data is the same information that you see on your quarterly
      client statement, being your name and address, your Investors Group
      Consultant, the details of your Investors Group Plans and Accounts ... and
      any beneficiary designations you may have made. The missing data *does not
      include any of the confidential personal information typically involved in
      the misuse of personal data,* such as social insurance numbers, dates of
      birth, or banking information.
    
      "IBM Canada and ISM Canada have expressed their regret to you and to
      Investors Group, and have been working with us to ensure this matter is
      handled quickly and properly. ISM had previously notified Investors Group
      of a hard drive that was missing at the Regina facility, believed to
      contain a small amount of securely protected Investors Group data. They
      indicated that they were investigating the incident. Subsequently, on
      January 29th, ISM Canada advised Investors Group of the full extent of the
      missing data and that the local authorities were treating the incident as
      a theft."
    
    I checked my statement, and it's true that my SSN, DOB, etc., are not
    there. I don't know what the author means by "banking information" since the
    statement includes my name, account numbers, balances and previous quarter's
    balances. This makes it much easier to do social engineering, e.g. "I notice
    that my account #12345 is down 15%, so I'd like you to wire the remaining
    balance to ..."
    
    The double reassurance that the data is "securely protected" and that it's
    also not confidential is worrisome: if it truly were secure, we wouldn't
    care whether it was confidential.  I asked how the data was protected, and
    haven't heard back yet.  I *was* told that police have recovered the drive,
    and the thief's apparent intention was to get the drive, rather than the
    data on it.
    
    I'm curious about how somebody steals a disk drive from a presumably running
    system, but I'll be pesky about one question at a time.
    
    bruce_hamiltonat_private  Tel: +1 650 485 2818  Fax: +1 650 485 4917
    Agilent Technologies MS 24M-A, 3500 Deer Creek Road, Palo Alto CA 94303
    
    ------------------------------
    
    Date: Wed, 12 Feb 2003 01:44:52 -0500
    From: Monty Solomon <montyat_private>
    Subject: Feds charge 17 with stealing satellite TV signals
    
    Seventeen people allegedly involved in the theft of satellite TV signals
    were arrested after a year-long undercover FBI investigation, as part of the
    FBI's nationwide "Operation Decrypt".  Six of them were accused of violating
    the Digital Millennium Copyright Act, marking only the second grand jury
    indictment under that statute.  Losses for satellite broadcasters reportedly
    involved millions of dollars.  [Source: Reuters, 11 Feb 2003; PGN-ed]
      http://finance.lycos.com/home/news/story.asp?story=31494999
    
    ------------------------------
    
    Date: Tue, 11 Feb 2003 10:16:54 PST
    From: "Peter G. Neumann" <neumannat_private>
    Subject: Ex-hacker Mitnick's site vandalized
    
    Twice in the past two weeks, online vandals broke into the Web server of
    former hacker Kevin Mitnick's security start-up, Defensive Thinking.
    [Source: Robert Lemos, Special to ZDNet News, 11 Feb 2003]
      http://zdnet.com.com/2100-1105-984084.html
        [As one correspondent noted on this item,
         ``As the credit card commercial says, 'Priceless.' ''
    
    ------------------------------
    
    Date: Sun, 9 Feb 2003 17:54:24 -0500
    From: "Dick Mills" <dmillsat_private>
    Subject: The non-paperless electronic office
    
    My laptop shares a messy desktop with the usual assortment of papers and
    pencils.  Yesterday I opened the CD tray, then shuffled around the desktop
    looking for the CD.  I found it and was just about to close the drawer when
    I noticed that a staple had fallen into the CD tray.
    
    Delicate electronics and paper do mix, sometimes not happily.
    
    ------------------------------
    
    Date: Wed, 5 Feb 2003 00:32:00 +0100
    From: Jacob Palme <jpalmeat_private>
    Subject: Password complexity
    
    Suppose you have an 8-digit decimal password. This means there are 100
    million possible combinations. You will need to try on average 50 million
    times to find the right password by trial-and-error. Or, if you have the
    customary 3 tries before being forbidden access, the probability that you
    will get in by trial and error is 3/100 000 000.
    
    Suppose instead that you first have to pass one barrier with a 4-digit
    decimal password, and then pass a second barrier with a new 4-digit decimal
    password. You will then have to try on average 5 000 times on the first
    password, and then an average 5 000 times on the second password, or a total
    of on average 10 000 times. Or, if you have the customary 3 tries before
    being forbidden access in each step, you will have a probability of passing
    the first barrier of 3/10 000 and then a probability of passing the second
    barrier of 3/10 000. The probability of passing both barriers is then 9/100
    000 000.
    
    In summary: The 8-digit barrier requires 5000 times more trials than the two
    4-digit barriers to find the password, and the probability of success with
    the customary 3 allowed trials is three times higher with the two 4-digit
    passwords than with the single 8-digit password.
    
    I gave this example as a comment on the debate of whether one strong
    security measure is better than several weaker ones, or the reverse.
    
    Jacob Palme <jpalmeat_private> (Stockholm University and KTH)
    for more info see URL: http://www.dsv.su.se/jpalme/
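The arithmetic in Jacob Palme's message, worked through as an added example that is not part of his post. It generalises his two cases to any number of consecutive barriers of any digit length, keeping his approximation that a trial-and-error search covers half the space on average; exact fractions are used so the results can be compared without rounding.

```python
from fractions import Fraction


def expected_trials(space_size: int) -> Fraction:
    """Average number of guesses to hit one password by trial and error.

    Uses the post's approximation of half the search space (the exact
    figure for guessing without repetition is (N + 1) / 2).
    """
    return Fraction(space_size, 2)


def success_probability(space_size: int, tries: int) -> Fraction:
    """Probability that `tries` distinct guesses include the right password."""
    return Fraction(min(tries, space_size), space_size)


def analyse(digits_per_barrier: int, barriers: int, tries: int = 3) -> dict:
    """Cost of breaking `barriers` consecutive barriers of `digits_per_barrier`
    decimal digits each, where each barrier locks out after `tries` guesses."""
    space = 10 ** digits_per_barrier
    return {
        # each barrier is searched independently, so the averages add up
        "expected_trials": barriers * expected_trials(space),
        # each barrier must be passed within its own `tries` guesses
        "success_probability": success_probability(space, tries) ** barriers,
    }


def compare(single_digits: int, split_digits: int, barriers: int, tries: int = 3) -> dict:
    """One long password versus several short ones: how much more work the
    single barrier costs an exhaustive attacker, and how much more likely the
    split scheme is to fall to the lockout-limited guesser."""
    single = analyse(single_digits, 1, tries)
    split = analyse(split_digits, barriers, tries)
    return {
        "trial_ratio": single["expected_trials"] / split["expected_trials"],
        "probability_ratio": split["success_probability"] / single["success_probability"],
    }


if __name__ == "__main__":
    print("one 8-digit barrier:  ", analyse(8, 1))
    print("two 4-digit barriers: ", analyse(4, 2))
    print("comparison:           ", compare(8, 4, 2))
```

Both of Palme's figures fall out: the single 8-digit barrier costs 5000 times as many trials, yet under a 3-try lockout the two 4-digit barriers are three times as likely to be passed. The `barriers` parameter makes the split-scheme effect visible for more than two stages: with lockouts the success odds multiply, while the exhaustive-search cost merely adds.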
    
    ------------------------------
    
    Date: Fri, 31 Jan 2003 08:02:55 -0800
    From: Rob Slade <rsladeat_private>
    Subject: REVIEW: "PC Fear Factor", Alan Luber
    
    BKPCFRFC.RVW   20021219
    
    "PC Fear Factor", Alan Luber, 2003, 0-7897-2825-7,
    U$24.99/C$38.99/UK#17.99
    %A   Alan Luber www.alanluber.com
    %C   201 W. 103rd Street, Indianapolis, IN   46290
    %D   2003
    %G   0-7897-2825-7
    %I   Macmillan Computer Publishing (MCP)
    %O   U$24.99/C$38.99/UK#17.99 800-858-7674 infoat_private
    %O  http://www.amazon.com/exec/obidos/ASIN/0789728257/robsladesinterne
    %P   362 p.
    %T   "PC Fear Factor: The Ultimate PC Disaster Prevention Guide"
    
    The introduction states that the book is aimed at non-technical users, but
    doesn't further refine the purpose beyond saying that bad things happen to
    computers.  We are also told that a system administrator is really a risk
    manager (which may come as a surprise to a number of sysadmins), and that if
    you read this book you will never have to worry about computer disasters
    again.
    
    Even after reading chapter one I am not sure what the "root of all computer
    disasters" is, although I suppose that there is a fair chance that he means
    hard drives.  There is a lot of irrelevant detail about the physical
    operations of drives, and Luber also is obviously confused between old hard
    drive crashes (caused when the heads physically contacted the platter, which
    was spinning at high speed) and modern "crashes," generally caused by bad
    pointers or other data errors.  In chapter two, Luber recommends, with
    opinions, but not much in the way of proof or backup, a bunch of software.
    Chapter three offers us more opinions, this time about buying a PC.  Setting
    up a new PC is covered in chapter four.  Most of chapter five prints
    documentation for a couple of antivirus programs and a firewall.  A decent
    discussion of backup strategy, and more documentation of a backup program,
    is in chapter six.  A manual for another backup program is in chapter seven.
    Restoring a backup comes in chapter eight.  Chapter nine advises on
    maintenance.  Some hoary old myths about risky activities (using shareware,
    for example) are recycled in chapter ten.
    
    In one sense, Luber is right.  If you keep your data backed up, you will be
    able to recover from pretty much any kind of disaster.  On the other hand, I
    have said that in one sentence, and the book is over 300 pages long.
    
    copyright Robert M. Slade, 2002   BKPCFRFC.RVW   20021219
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
    
    ------------------------------
    
    Date: Mon, 3 Feb 2003 08:19:32 -0800
    From: Rob Slade <rsladeat_private>
    Subject: REVIEW: "Mastering Network Security", Chris Brenton/Cameron Hunt
    
    BKMSNTSC.RVW   20021220
    
    "Mastering Network Security", Chris Brenton/Cameron Hunt, 2003,
    0-7821-4142-0, U$49.99/C$79.95/UK#37.99
    %A   Chris Brenton cbrentonat_private
    %A   Cameron Hunt camat_private
    %C   1151 Marina Village Parkway, Alameda, CA   94501
    %D   2003
    %G   0-7821-4142-0
    %I   Sybex Computer Books
    %O   U$49.99/C$79.95/UK#37.99 800-227-2346 infoat_private
    %O  http://www.amazon.com/exec/obidos/ASIN/0782141420/robsladesinterne
    %P   490 p.
    %T   "Mastering Network Security, Second Edition"
    
    The introduction states that this book is aimed at systems administrators
    who are not security experts, but have some responsibility for ensuring the
    integrity of their systems.  That would seem to cover most sysadmins.
    However, whether the material in this work is at a suitable level for most
    sysadmins is open to question.  Now, to be fair to the authors, it seems
    that this second edition is a reissue, only marginally revised, of a book
    that was originally published seven years ago.  (Under most standard
    contracts, publishers have the right to do this, and authors can't do much
    about it.)  At that point, the material might have been pretty reasonable.
    Currently, it isn't.
    
    Chapter one discusses systems theory.  While the application of the text to
    network and security management is reasonably obvious in hypothetical terms,
    it is not at all clear in regard to direct operation in the real world.
    (This is particularly true for those who are not security professionals.)
    The systems development life cycle (SDLC) is covered in chapter two and,
    again, while it is an important topic, the relation to security is not made
    manifest.  The introduction to networking itself covers the OSI (Open
    Systems Interconnection) model, routing, and bits of TCP/IP, in chapter
    three.  One would have thought that this would have been old news to
    sysadmins.  The same is true of the material on transmission and network
    topology, in chapter four.  There is some mention of security issues, but
    the discussion is minimal.
    
    Chapter five has a reasonable overview of firewalls, although the
    terminology is not always standard.  Chapter six is documentation for the
    Cisco PIX firewall.  The information about intrusion detection systems, in
    chapter seven, provides good material on points often neglected by other
    works, and adds a guide to Snort.  The coverage of cryptography, in chapter
    eight, has a confusing structure.  Most of the material on virtual private
    networks consists of screen shots of Microsoft's RRAS (Routing and Remote
    Access Server), in chapter nine.
    
    Chapter ten relies on old concepts and technologies to discuss viruses and
    other malware.  Disaster prevention and recovery, in chapter eleven,
    concentrates on building redundancy and the VERITAS server based backup
    system.  A good deal of information about Windows, most of which may have
    some relevance to security, is in chapter twelve.  Some introductory, and
    some network, data about UNIX is available in chapter thirteen.  Chapter
    fourteen describes how information can be obtained about your system in
    order to mount an intrusion attack.  Some resources for security are
    mentioned in chapter fifteen.
    
    Overall, the book does provide a fair amount of information that would
    likely be of help to most network administrators in securing their systems
    and networks.  However, there is also a lot of detail that is not directly
    relevant to the task, some erroneous content, and not a few gaps.  While the
    original authors may have mastered their topic, the volume currently on
    offer does not reflect that.
    
    copyright Robert M. Slade, 2002   BKMSNTSC.RVW   20021220
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
    
    ------------------------------
    
    Date: 29 Mar 2002 (LAST-MODIFIED)
    From: RISKS-requestat_private
    Subject: Abridged info on RISKS (comp.risks)
    
     The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
     if possible and convenient for you.  Alternatively, via majordomo,
     send e-mail requests to <risks-requestat_private> with one-line body
       subscribe [OR unsubscribe]
     which requires your ANSWERing confirmation to majordomoat_private .
     If Majordomo balks when you send your accept, please forward to risks.
     [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
     this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
     Lower-case only in address may get around a confirmation match glitch.
       INFO     [for unabridged version of RISKS information]
     There seems to be an occasional glitch in the confirmation process, in which
     case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
       .MIL users should contact <risks-requestat_private> (Dennis Rears).
       .UK users should contact <Lindsay.Marshallat_private>.
    => The INFO file (submissions, default disclaimers, archive sites,
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues.  *** All
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risksat_private with meaningful SUBJECT: line.
    => ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
       [volume-summary issues are in risks-*.00]
       [back volumes have their own subdirectories, e.g., "cd 21" for volume 21]
     http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
       Lindsay Marshall has also added to the Newcastle catless site a
       palmtop version of the most recent RISKS issue and a WAP version that
       works for many but not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing,
        http://www.csl.sri.com/illustrative.pdf or .ps for printing
    
    ------------------------------
    
    End of RISKS-FORUM Digest 22.55
    ************************
    



    This archive was generated by hypermail 2b30 : Wed Feb 12 2003 - 17:07:42 PST