[risks] Risks Digest 22.60

From: RISKS List Owner (riskoat_private)
Date: Mon Mar 03 2003 - 16:13:30 PST


    RISKS-LIST: Risks-Forum Digest  Monday 3 March 2003  Volume 22 : Issue 60
    
       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
    
    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/22.60.html>
    and by anonymous ftp at ftp.sri.com, cd risks .
    
      Contents:
    Reversed 2002 election results in Alabama still unexplained (PGN)
    Computer error grounds Japanese flights (Eric De Mund)
    Japanese bullet trains still don't have dead-man switches (Joyce Scrivner)
    Electronically controlled failure of operating table (Patrik Reali)
    50,000 court records erased (David Kipping)
    Fake job listings on Net fostering identity theft (PGN)
    *Big* Red faces at Cornell over e-mail error (PGN)
    How to spam a closed mailing list (Andrew Lynch)
    New telemarketing tool makes caller ID fakery easy (Mathew)
    Lexmark wins injunction in DMCA case (David Becker via Monty Solomon)
    BSA Accuses OpenOffice ftp sites of piracy (Michael Weishaar)
    FCW: Group issues final biometrics report (PGN)
    Someone protecting patient data well (Richard A. O'Keefe)
    Error: Scientology critic fined for undeclared file (Roger Gonnet)
    REVIEW: "WiFi Security", Stewart S. Miller (Rob Slade)
    Abridged info on RISKS (comp.risks)
    
    ----------------------------------------------------------------------
    
    Date: Thu, 27 Feb 2003 17:01:47 PST
    From: "Peter G. Neumann" <neumannat_private>
    Subject: Reversed 2002 election results in Alabama still unexplained
    
      [Thanks to Kim Alexander <kimalexat_private> for noting this item.]
    
    The Alabama governor's election in Nov 2003 was irrevocably impeded by an
    unexplained anomaly in the use of ES&S optical-scan voting equipment in
    Baldwin County, which reversed the outcome of the election.  In this case,
    the printed results of votes produced in the Magnolia Springs precinct were
    accurate (when compared with the actual ballots), but the data on the
    cartridges used to tabulate the final results electronically was seriously
    in error.  Unfortunately for the candidate who should have won based on the
    acknowledged correct results, the erroneous electronic totals (in which
    about 6,300 votes for that candidate were missing) were accepted as
    official.  The official loser "ultimately abandoned his challenge after it
    became clear that he would not be able to get the statewide vote recount he
    had sought."  Thus, the candidate with the most votes was declared the
    loser.  Three months after the election, it is still unclear why so many
    votes were missing from the cassette; the loss was blamed on a "computer glitch" --
    possibly a "power surge at the precinct, static electricity, or something
    else".  [Source: Brendan Kirby, Voting snafu answers elusive, *The Mobile
    Register*, 28 Jan 2003; PGN-ed]
      http://www.al.com/news/mobileregister/index.ssf
      ?/xml/story.ssf/html_standard.xsl?/base/news/104374962627050.xml
    
    This case in Alabama is just one more example of why incontrovertible audit
    trails are essential -- especially when electronic results can so easily be
    either accidentally incorrect or fraudulently tampered.  In the even less
    perspicuous case of all-electronic elections, a voter-verified ballot image
    is ever-more essential.  See an article by Henry Norr in today's *San
    Francisco Chronicle*
      http://www.sfgate.com/cgi-bin/article.cgi
      ?file=/chronicle/archive/2003/03/03/BU122767.DTL&type=tech
    as well as David Dill's Web site and petition at 
      http://verify.stanford.edu/evote.html
    and Rebecca Mercuri's Web site 
      http://www.notablesoftware.com/evote.html
    plus the many items in previous issues of RISKS relating to the general
    problem of election integrity and accountability.  This kind of problem 
    is really getting out of hand, and deserves your closer attention.
    (If you cannot find the *Chron* column, I put a copy up on my Web site:
      http://www.csl.sri.com/neumann )
    PGN
    
    ------------------------------
    
    Date: Sun, 2 Mar 2003 21:11:10 -0800 (PST)
    From: Eric De Mund <eadat_private>
    Subject: Computer error grounds Japanese flights
    
    As seen on Slashdot.  http URLs verified (9:00pm PST, 02 Mar 2003):
    
    Computer Error Grounds Japanese Flights
        http://slashdot.org/article.pl?sid=03/03/02/2123253
    
    Posted by timothy[1] on Sunday March 02, @04:50PM
    from the presumption-junction dept.
    
    zephiros[2] writes "Mainichi Daily News reports[3] that a "computer glitch"
    in Tokyo air traffic control systems resulted in the cancellation of 203
    flights this weekend. At 7am Saturday, the error "caused the names of
    airlines and flight numbers to disappear from radar screens." A Japan
    Times[4] article suggests the problem may be related to upgrades on a system
    which exchanges flight plans with the Defense Agency. Makes one wonder about
    the integration and maintenance risks of systems like CAPPS II[5]."
    
    Quote from [3]:
      "Computers are just no good," said one 51-year-old company manager 
      leaving [from Nagoya airport] for Sapporo. "I'm sure they're helpful, 
      but they're just too fragile."
    
    Excerpt from [4]:
      The troubled flight data-processing system at the ministry's[6] Tokyo Air
      Traffic Control Center in Tokorozawa, Saitama Prefecture, automatically
      transmits flight information to airports across Japan.  The system manages
      flight plans.
    
      The ministry said that early Saturday it partially replaced programs in
      the system that exchanges flight plans with the Defense Agency.  The
      system went down immediately after it was turned on following the
      replacement.
    
      A transport ministry official said it was too early to link the change to
      the failure.
           
      The air traffic center was forced to take alternative measures, which
      included telephoning airports to give flight information and inputting
      flight data manually.
    
      The system has a backup, but both systems went down at the same time,
      according to the ministry.
    
    Notes:
    1. http://www.monkey.org/~timothy/
    2. mailto:joseph%20at%20dreamlands.org
    3. http://mdn.mainichi.co.jp/news/archive/200303/01/
       20030301p2a00m0dm002000c.html
    4. http://www.japantimes.co.jp/cgi-bin/getarticle.pl5?nn20030302a1.htm
    5. http://www.privacyactivism.org/Item/48
    6. Land, Infrastructure and Transport Ministry at Tokyo's Haneda airport
    
    Eric De Mund <eadat_private>  Ixian Systems, Inc.  Mountain View, CA  
    http://www.ixian.com/ead/    
    
      [Also noted by David Kennedy, Naoki Yamamoto, and Bob Heuman -- who added: 
         "The risks should be obvious, even if the cost in this instance is
         not. How many times will we hear 'due to a reprogramming hiccup' and
         why were both the main system and the backup taken out of service???
         It is interesting how the press sensationalised it by throwing in
         security preparedness and nuclear arms, which are NOT direct risks from
         this incident."
      PGN]
    
    ------------------------------
    
    Date: Thu, 27 Feb 2003 07:01:33 -0600
    From: joyce scrivner <kscrivat_private>
    Subject: Japanese bullet trains still don't have dead-man switches
    
    A couple years ago, in RISKS-21.27, I noted a bullet train that ran without
    a driver.  This new item shows the driver can fall asleep and the train
    keeps running.  It stopped, but not before timing out.
    
    A bullet-train driver snoozed at the wheel for 8 minutes on 26 Feb 2003
    while the high-speed train ran at a speed of 270 kilometers per hour.
    Fortunately, because the driver had failed to push a confirmation button and
    apply the brakes manually, an automatic brake system stopped the train at
    the wrong location -- 100 meters short of the Okayama Station on the West
    Japan Railway.  Station workers found the driver still asleep, as he had
    been ever since the Shin-Kurashiki Station.  [Source: *Mainichi Shimbun*, 
    27 Feb 2003; PGN-ed]
      http://mdn.mainichi.co.jp/news/20030227p2a00m0fp001000c.html
    
    ------------------------------ 
    
    Date: Sun, 2 Mar 2003 10:33:33 +0100
    From: "Patrik Reali" <realiat_private>
    Subject: Electronically controlled failure of operating table
    
    An article notes unexpected troubles while doing heart surgery at Derriford
    Hospital in Plymouth.  During the surgery, an electronically controlled
    operating table ("an up-to-date 50,000-pound [money, not weight] piece of
    equipment") began collapsing, causing the patient to "jolt forward".  The
    patient died three days later, but there is no evidence the two events are
    correlated.....
      http://www.timesonline.co.uk/article/0,,2-593995,00.html
    
    ------------------------------
    
    Date: Thu, 27 Feb 2003 12:03:55 -0700
    From: "David Kipping" <dkippingat_private>
    Subject: 50,000 court records erased
    
    A computer crash has erased nearly 50,000 local 3rd District Court cases ...
    in southwestern Idaho [Caldwell].  ... Third District Court Administrator
    Dan Kessler said staff members arrived Tuesday to learn the court's computer
    server dumped thousands of new court cases and countless updates to older
    ones.  ... "It's more than a mere glitch," Kessler said.  "We lost all of
    our database from March 5, 2002 to Feb 14, 2003."  [A lot of discussion of
    how difficult it is to conduct business without the records.]  ... John
    Peay, information systems chief for the Idaho Supreme Court said his office
    is to blame for an operator error when a technician was expanding the 3rd
    District court computer to improve response time.  As a result, both copies
    of the records were lost.  .... The hard drive was sent to California, where
    specialists may be able to recover some of the lost data.  [Excerpt from AP
    story, 20 Feb 2003]
    
      [As I read this, the backup was a duplicate copy of the data on the server
      hard disk.  Apparently there was no other backup -- tape, CD, other
      server, etc.  The RISKS are obvious.  DK]
    
    ------------------------------
    
    Date: Fri, 28 Feb 2003 19:11:40 -0800 (PST)
    From: "Peter G. Neumann" <neumannat_private>
    Subject: Fake job listings on Net fostering identity theft
    
    Monster.com (which claims to house 24.5 million resumes) sent out a
    "critical service message" to millions of job seekers, warning that bogus
    job postings are resulting in the illegal collection of personal information
    that could result in identity theft.  This is a problem that applies equally
    to CareerBuilder.com, HotJobs.com, and other job sites as well, although
    these others seem to be downplaying the risks.
    http://www.cnn.com/2003/TECH/internet/02/28/monster.theft.ap/index.html
    
    ------------------------------
    
    Date: Fri, 28 Feb 2003 10:38:02 -0500
    From: Peter Neumann <Neumannat_private>
    Subject: *Big* Red faces at Cornell over e-mail error
    
    Cornell University sent e-mail to 1,700 high-school students on 26 Feb 2003
    informing them that they had been accepted into the class of 2007.  However,
    almost 550 of these students had previously been informed in Dec 2003 that
    they had been rejected.  Shortly thereafter, the mistake was recognized,
    and followed by an "oops" e-mail, apologizing for the error.
    [Source: Karen W. Arenson, *The New York Times*, 28 Feb 2003; PGN-ed]
      http://www.nytimes.com/2003/02/28/education/28CORN.html
    
    ------------------------------
    
    Date: Sat, 1 Mar 2003 15:55:44 +0100
    From: "Andrew Lynch" <andrew.lynchat_private>
    Subject: How to spam a closed mailing list
    
    As a member of ACM SIGOPS, I am on their sigops-announce mailing list. Just
    now I received e-mail from that list with the subject "Rejected posting to
    SIGOPS-ANNOUNCEat_private", even though I have never posted to this list.
    
    The rejected mail claimed to be from sigops-announceat_private
    itself, but with an IP address that does not match my DNS server's entry for
    listserv.acm.org.
    
    The rejected mail was included in full and consisted of some HTML code with
    an IFRAME-embedded attachment containing a file named README.EXE disguised
    as Content-Type audio/x-wav.  Luckily my Unix mail program does not
    interpret HTML.  I hate to think what this might do in MS-Outlook and friends.
    
    The risk resulted from a combination of two things:
    
     (a) The (automatic?) rejection message from the list server contains a
         complete copy of the original mail.  
     (b) The original sender fakes his address to be that of the list itself.
    
    The result is that the list server happily sends the rejected message to the
    whole list (albeit with a different subject line).
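
The two ingredients Andrew describes (a rejection notice that quotes the original in full, and a sender address forged to be the list's own) can be checked for mechanically before a bounce is redistributed. The following is an added example, not code from ACM's list server or from the original post: a small Python filter that parses a rejection notice, descends into the embedded `message/rfc822` copy, and flags the three signs described above, a From: that claims to be the list while the earliest Received: hop is not a known list-server address, an HTML part containing an IFRAME, and an attachment with an executable name whose declared Content-Type does not match. The list address, the list-server IP, and both sample bounces are constructed placeholders, not ACM's real infrastructure.

```python
import email
import email.policy
import email.utils
import re

# Assumed placeholders (not ACM's real addresses): the list and the IPs its
# server legitimately sends from.
LIST_ADDRESS = "sigops-announce@listserv.example.org"
LIST_SERVER_IPS = {"192.0.2.10"}
EXECUTABLE_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat", ".vbs")
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

# Constructed sample: the rejection quotes the original in full; the original
# claims to be from the list but entered from an unrelated host, and its HTML
# body IFRAMEs an attachment named README.EXE labelled audio/x-wav.
SAMPLE_BOUNCE = """\
From: owner-sigops-announce@listserv.example.org
To: sigops-announce@listserv.example.org
Subject: Rejected posting to SIGOPS-ANNOUNCE@LISTSERV.EXAMPLE.ORG
Content-Type: multipart/mixed; boundary="bounce"

--bounce
Content-Type: text/plain

Your posting was rejected.  The original message follows.

--bounce
Content-Type: message/rfc822

Received: from unknown (HELO listserv.example.org) (203.0.113.45)
  by listserv.example.org with SMTP; Sat, 1 Mar 2003 14:02:11 +0100
From: sigops-announce@listserv.example.org
To: sigops-announce@listserv.example.org
Subject: hello
Content-Type: multipart/related; boundary="inner"

--inner
Content-Type: text/html

<html><body><iframe src="cid:readme" width="0" height="0"></iframe></body></html>

--inner
Content-Type: audio/x-wav; name="README.EXE"
Content-Disposition: attachment; filename="README.EXE"
Content-Transfer-Encoding: base64
Content-ID: <readme>

TVqQAAMAAAAEAAAA//8AAA==

--inner--

--bounce--
"""

# Constructed sample of a harmless rejection: plain-text original from a member.
CLEAN_BOUNCE = """\
From: owner-sigops-announce@listserv.example.org
To: member@example.edu
Subject: Rejected posting to SIGOPS-ANNOUNCE@LISTSERV.EXAMPLE.ORG
Content-Type: multipart/mixed; boundary="bounce"

--bounce
Content-Type: text/plain

You are not authorized to post to this list.

--bounce
Content-Type: message/rfc822

Received: from mail.example.edu (mail.example.edu [198.51.100.9])
  by listserv.example.org with ESMTP; Sat, 1 Mar 2003 09:10:11 +0100
From: member@example.edu
To: sigops-announce@listserv.example.org
Subject: CFP
Content-Type: text/plain

Call for papers below.

--bounce--
"""


def origin_findings(inner, list_address, list_server_ips):
    """Flag an embedded message whose From: is the list itself but whose
    earliest Received: hop (the last header, since hops are prepended) is
    not one of the list server's own addresses."""
    sender = email.utils.parseaddr(str(inner.get("From", "")))[1].lower()
    hops = []
    for hdr in inner.get_all("Received", []):
        m = IP_RE.search(str(hdr))
        if m:
            hops.append(m.group(1))
    if sender == list_address.lower() and hops and hops[-1] not in list_server_ips:
        return [f"spoofed-list-sender:{hops[-1]}"]
    return []


def analyse_bounce(raw, list_address=LIST_ADDRESS, list_server_ips=LIST_SERVER_IPS):
    """Return a list of findings for a rejection notice; empty means clean."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings = []
    for part in msg.walk():          # walk() descends into message/rfc822 parts
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            findings += origin_findings(part.get_payload(0), list_address, list_server_ips)
            continue
        if ctype == "text/html" and re.search(r"<iframe\b", part.get_content(), re.I):
            findings.append("html-iframe")
        filename = part.get_filename()
        if filename and filename.lower().endswith(EXECUTABLE_EXTENSIONS):
            findings.append(f"executable-attachment:{filename}")
            if not ctype.startswith("application/"):
                findings.append(f"content-type-mismatch:{filename}:{ctype}")
    return findings


def should_quarantine(raw, list_address=LIST_ADDRESS, list_server_ips=LIST_SERVER_IPS):
    """Hold the bounce instead of relaying it to subscribers if anything fired."""
    return bool(analyse_bounce(raw, list_address, list_server_ips))


if __name__ == "__main__":
    print(analyse_bounce(SAMPLE_BOUNCE))
    print(analyse_bounce(CLEAN_BOUNCE))
```

The simplest fix on the server side is the one the findings point at: never relay a rejection that quotes the full original to anyone but the envelope sender, and drop bounces whose quoted original claims the list's own address from an unknown hop.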
    
    ------------------------------
    
    Date: Thu, 27 Feb 2003 20:31:16 -0500
    From: mathew <metaat_private>
    Subject: New telemarketing tool makes caller ID fakery easy
    
      Castel Inc., a maker of automated dialing technology, boasts that its
      DirectQuest software is immune to the TeleZapper, a $40 gadget designed to
      thwart sales calls by faking the tones of a disconnected number.
    
      Beverly, Mass.-based Castel has been mailing brochures to telemarketers
      and other prospective customers touting the software, which also includes
      a feature that lets salesmen transmit any phone number or text message to
      residents' caller ID displays.
    
      http://story.news.yahoo.com/news
    ?tmpl=story&ncid=528&e=5&cid=528&u=/ap/20030226/ap_on_hi_te/telemarketer_tool
    
    Obviously, no regular RISKS reader trusts caller ID at this point.  However,
    I suspect that enterprising criminals who purchase this $2,700
    caller-ID-faking equipment will get a healthy return on investment.
    
    ------------------------------
    
    Date: Thu, 27 Feb 2003 23:51:07 -0500
    From: Monty Solomon <montyat_private>
    Subject: Lexmark wins injunction in DMCA case
    
    Printer maker Lexmark International Group won a preliminary injunction on 27
    Feb 2003 in efforts to prevent a company from selling computer chips that
    allow toner cartridges to be recycled.  Judge Karl Forester of the
    U.S. District Court for the Eastern District of Kentucky issued the pretrial
    injunction against Static Control Components, a small Sanford, N.C.-based
    company that sells printer parts and other business supplies.  The order
    prohibits the company from selling its Smartek chip.  When installed in
    compatible Lexmark printers, the chips allow the printers to use cheaper
    recycled toner cartridges that would otherwise be rejected by the printer's
    sensors.  [Source: David Becker, CNET News.com, 27 Feb 2003]
      http://news.com.com/2100-1028-990501.html
    
    ------------------------------
    
    Date: Fri, 28 Feb 2003 08:57:38 -0600 (CST)
    From: michael.weishaarat_private
    Subject: BSA Accuses OpenOffice ftp sites of piracy
    
    It seems that some FTP sites that host OpenOffice are getting "cease and
    desist" e-mail from the BSA about their purported piracy of MS Office.
    Maybe their scripts should enhance their search criteria.  Imagine the
    consequences if the BSA (or some other IP watchdog) had the authority to
    shut down "piracy" sites.
    
      [Maybe a browser string search on "MS" and "OFFICE" also results in women
      being asked to cease and desist if they are referred to as "MS." and
      happen to have the title "Corporate Executive OFFICEr".  PGN]
    
    Here is an excerpt of the e-mail, which was posted at 
    http://distribution.openoffice.org/servlets/ReadMsg?msgId=581265&listName=dev
    
    >> From: "Copyright Europe" <copyright-europeat_private>
    >> To: "Abuse" <network@uni-muenster.de>
    >> Sent: Wednesday, February 26, 2003 5:51 PM
    >> Subject: [NOC] Case ID 588853 - Notice of Claimed Infringement
    >> 
    >> Wednesday, February 26, 2003
    >> 
    >> Westfaelische Wilhelms - Universitaet
    >> Roentgenstr. 9-13
    >> Muenster, D-48149  DE  DE
    >> 
    >> Re: Unauthorized Distribution of the following copyrighted computer
    >> program(s):
    >> 
    >> Microsoft Office
    >> 
    >> Dear Sir/Madam:
    >> 
    >> The Business Software Alliance (BSA) has determined that the connection
    >> listed below, which appears to be using an Internet account under your
    >> control, is operating an FTP server to offer unlicensed copies or is 
    >> engaged in other unauthorized activities relating to copyrighted computer 
    >> programs published by the BSA's member companies.
    >> 
    >> Infringement Details:
    >> ------------------------------
    >> First Found: 24 Nov 2002 15:31:40 EST (GMT -500)
    >> Last Found: 24 Feb 2003 01:19:59 EST (GMT -500)
    >> IP Address: 128.176.191.21
    >> IP Port: 21
    >> Protocol: FTP
    >> FTP Login Name: anonymous
    >> FTP Login Password: guestat_private
    >> 
    >> What was located as infringing content:
    >> ------------------------------
    >> Filename: /mandrake_current/SRPMS/OpenOffice.org-1.0.1-9mdk.src.rpm
    >> (199,643kb)
    >> Filename:
    >> /mandrake_current/i586/Mandrake/RPMS/OpenOffice.org-libs-1.0.1-9mdk.i586.rpm
    >> (35,444kb)
    >> 
    >> The above computer program(s) is/are being made available for copying,
    >> through downloading, at the above location without authorization from 
    >> the copyright owner(s).
    >> 
    >> Based upon BSA's representation of the copyright owners in anti-piracy
    >> matters, we have a good faith belief that none of the materials or
    >> activities listed above have been authorized by the rightholders, their
    >> agents, or the law.  BSA represents that the information in this
    >> notification is accurate and states, under penalty of perjury, that it 
    >> is authorized to act in this matter on behalf of the copyright owners 
    >> listed above.
    >> 
    >> We hereby give notice of these activities to you and request that you 
    >> take expeditious action to remove or disable access to the materials 
    >> described above, and thereby prevent the illegal reproduction and 
    >> distribution of pirated software via your company's network. As you 
    >> know, illegal on-line activities can result in 50 million people on 
    >> the Internet accessing and downloading a copyrighted product worldwide 
    >> without authorization - a highly damaging activity for the copyright holder.
    >> 
    >> We appreciate your cooperation in this matter. Please advise us 
    >> regarding what actions you take.
    >> 
    >> Please include the following CaseID in any response you send: Case ID 
    >> 588853
    >>
    >> Yours sincerely,
    >> 
    >> Corinna Beck
    >> Business Software Alliance
    >> 1150 18th St NW Suite 700
    >> Washington,DC 20036
    >> http://www.bsa.org
    >> E-mail: copyright-europeat_private
    
    ------------------------------
    
    Date: Thu, 27 Feb 2003 15:41:15 PST
    From: "Peter G. Neumann" <neumannat_private>
    Subject: FCW: Group issues final biometrics report
    
    [Source: Group issues final biometrics report Michael Hardy, *Federal
    Computer Week*, 25 Feb 2003; PGN-ed]
    
    The International Biometric Group has presented the White House's Office of
    Science and Technology Policy with a 200-page final report on using
    biometric technologies to secure the nation's borders, airports, and
    seaports.  New counterterrorism laws, including the USA Patriot Act and
    Enhanced Border Security and Visa Entry Reform Act, require authorities to
    use biometrics to detect immigration fraud.
    
    Among the report's recommendations:
    
    * The United States should design a solution that incorporates other
      countries' choices of biometrics. The United States, for example, may
      prefer fingerprint readers because they can interact with existing law
      enforcement databases, while another country chooses facial recognition or
      iris scanners.
    
    * The State Department should capture multiple biometric identifiers from
      every person who applies for a U.S. visa, including high-quality face,
      fingerprint and iris scans.
    
    * Biometrics used at a port of entry should augment, not replace, an
      inspector's judgment in deciding whether to admit someone.
    
    * Use tethered portable fingerprint devices in traffic lanes at border
      crossings to easily read fingerprints from everyone in a car.
    
    In a similar study recently, the Commerce Department's National Institute of
    Standards and Technology suggested that a combination of fingerprint and
    facial-recognition technologies would be the most secure. NIST suggested
    using at least two fingerprints to identify each visa applicant, and a
    combination of fingerprint and facial recognition to verify the identity of
    visa holders crossing borders.
    
      [The GAO also has a report on the relative merits of using biometrics
      for border security, GAO-03-174, Nov 2002.  PGN]
    
    ------------------------------
    
    Date: Fri, 28 Feb 2003 16:20:24 +1300
    From: "Dr Richard A. O'Keefe" <okat_private>
    Subject: Someone protecting patient data well
    
    We hear so much bad news on comp.risks I thought it would be nice to pass on
    a story about someone doing something right.  A common mistake is selling
    computers whose discs contain sensitive information.  There's a medical
    research group in this University that get data from all round the country,
    including patient name, address, phone number, and all sorts of stuff.  I
    asked the sysadmin what she did when they disposed of any computers.
    
    1. The disc is reformatted.
    2. The drive is physically removed from the computer.
    3. The case of the drive is opened, and every visible wire cut.
    4. She then takes it home and her husband slams a heavy axe through
       the platter a couple of times.
    5. The thing is then put in an ash bucket and hot domestic ash
       dumped on it and shaken well in.
    6. Finally it's taken to the recycling depot.
    
    If there's anything she can do to make it harder for the data to be
    recovered, short of melting the unit down, I'd like to know what it might
    be, and so would she.
    
    ------------------------------
    
    Date: Sat, 1 Mar 2003 08:40:05 +0100
    From: "roger gonnet" <gonnetat_private>
    Subject: Error: Scientology critic fined for undeclared file (RISKS-22.59)
    
    The item in RISKS-22.59 is erroneous; indeed, the "religious" aspect wasn't
    part of the final trial against me.  Though the plaintiff tried to complain
    also for that (Article 226-19 of the penal code), this was specifically
    dismissed by the instructor judge (Non-lieu).
    
    The truth of the matter is that in France, Article 226-16 of the penal code
    (for which I was convicted) says that one has no right to establish any
    lists of people's names before having done some "declaration of personal
    filings" to an official agency (called CNIL).
    
    Another Article (226-19) establishes a rule about an interdiction to file
    religious and political opinions of people, but I wasn't sued for that,
    because Scientology is considered to be a dangerous cult in France, and has
    never been called a religion apart from a sentence by a judge that was
    subsequently canceled by the Supreme Court (Cassation).
    
    Moreover, the State Council has even rejected the religious status of
    Scientology years ago, and the cult does pay lots of taxes, like companies.
    
      [Slight changes made in English for clarity, hopefully without changing
      the intended meaning.  I trust Roger will correct me if I erred.  Merci!
      PGN]
    
    ------------------------------
    
    Date: Thu, 27 Feb 2003 07:46:34 -0800
    From: Rob Slade <rsladeat_private>
    Subject: REVIEW: "WiFi Security", Stewart S. Miller
    
    BKWIFISC.RVW   20030209
    
    "WiFi Security", Stewart S. Miller, 2003, 0-07-141073-2,
    U$49.95/C$78.95/UK#40.00
    %A   Stewart S. Miller wifiat_private
    %C   300 Water Street, Whitby, Ontario   L1N 9B6
    %D   2003
    %G   0-07-141073-2
    %I   McGraw-Hill Ryerson/Osborne
    %O   U$49.95/C$78.95/UK#40.00 800-565-5758 fax: 905-430-5020
    %O  http://www.amazon.com/exec/obidos/ASIN/0071410732/robsladesinterne
      http://www.amazon.co.uk/exec/obidos/ASIN/0071410732/robsladesinte-21
    %O   http://www.amazon.ca/exec/obidos/ASIN/0071410732/robsladesin03-20
    %P   309 p.
    %T   "WiFi Security"
    
    When a book starts out with a preface that is basically an advertising pitch
    for the author's consulting services, one can be forgiven for doubting the
    author's dedication to the task of informing the audience.  This work is yet
    another attempt to jump on a hot topic bandwagon.
    
    Supposedly chapter one introduces us to the standards for wireless LAN
    security.  Instead, the material meanders through an unstructured collection
    of security and wireless topics.  The material is limited, random, and not
    particularly informative.  Even when dealing with strictly technical areas,
    such as the various types of spread spectrum technologies, the text seems to
    have been lifted wholesale from marketing brochures, and fails to explain
    much of anything.  There isn't much "Technology Comparison" in chapter two
    unless we are comparing apples and oranges: again there is a haphazard
    compilation of topics, with Bluetooth getting the lion's share of the ink.
    Instead of considering security factors, chapter three lists some basic
    attacks against systems in general.  The "issues in wireless security" are a
    little more on topic in chapter four.
    
    Chapter five mentions a few terms related to the 802.11 family of standards.
    There isn't much about the promised 802.11 security infrastructure in
    chapter six: instead we have another amalgam of security problems.  Miller
    demonstrates his limited understanding of the technology, in chapter seven,
    with common mistakes such as the comparison of "40" and "128" bit WEP (Wired
    Equivalent Privacy) keys (WEP keys are composed of either 40 or 104 bit base
    keys concatenated with 24 bit initialization vectors, for total lengths of
    64 or 128 bits respectively), so it is no surprise that the analysis of the
    weaknesses of WEP is only half a page long, and misses all the fundamental
    problems.
    
    Chapter eight is a generic warning that people might snoop on you.  The
    authentication topics jump around so much that it is impossible to say what
    chapter nine is really talking about.  A number of technologies are
    mentioned, but those discussed together frequently come from completely
    separate protocols or functions.  Similarly, chapter ten is entitled "Direct
    Sequence Spread Spectrum," but doesn't explain anything about DSSS at all,
    and isn't even consistent in terms of the subject area under discussion.
    Chapter eleven does stick to the topic of equipment issues, but does not
    provide any useful direction to the reader.  Cross-platform issues are
    rather confused, in chapter twelve, although there is a reasonable
    discussion of the WEP initialization vector reuse problem--which should have
    been covered in chapter seven.  The vulnerabilities listed in chapter
    thirteen constitute another grab bag: since we have been discussing wireless
    LANs throughout the book, why do we now bring up the topic of the "WAP
    (Wireless Access Protocol) gap," which only affects Internet enabled cell
    phones?  Chapter fourteen and fifteen mostly duplicate content from nine,
    with a few minor additions.  Chapter sixteen repeats a lot of other
    material, adding a tiny bit on risk assessment.  PDA security issues are
    reviewed in chapter seventeen.  Chapter eighteen collects another random
    assortment of duplicated topics for a supposed look to the future.
    
    This is an arbitrary and disorganized conflation of subjects, with very
    little of value to anyone.  There are a few salient and helpful facts,
    which, if brought together, might fill a few pages.  However, these tidbits
    are buried in a deluge of impenetrable verbiage, designed more to impress
    the naive reader than to inform anyone.
    
    copyright, Robert M. Slade, 2003   BKWIFISC.RVW   20030209
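
The two technical points in the review, the composition of WEP keys (chapter seven) and the initialization-vector reuse problem (chapter twelve), can be made concrete. The following is an added example, not code from the book or from the reviewer: a textbook RC4 and a minimal model of WEP's per-frame encryption, in which the 24-bit IV is concatenated with the 40- or 104-bit base key to seed RC4 and a CRC-32 integrity check value is appended before encryption. The base keys, IVs and plaintexts are constructed here. It shows the 24+40 = 64 and 24+104 = 128 bit totals the review cites, and why two frames sent under the same IV and key leak the XOR of their plaintexts, which is the fundamental weakness a half-page WEP analysis cannot skip.

```python
import zlib

IV_BITS = 24                 # WEP's cleartext per-frame initialization vector
BASE_KEY_BITS = (40, 104)    # "WEP-64" and "WEP-128" differ only here


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + generation), the cipher WEP is built on."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_seed(iv: bytes, base_key: bytes) -> bytes:
    """RC4 seed = IV || base key: 24+40 = 64 bits or 24+104 = 128 bits."""
    if len(iv) * 8 != IV_BITS or len(base_key) * 8 not in BASE_KEY_BITS:
        raise ValueError("IV must be 24 bits and base key 40 or 104 bits")
    return iv + base_key


def wep_encrypt(base_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body as WEP transmits it: cleartext IV, then RC4(plaintext || ICV)."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    body = plaintext + icv
    return iv + xor(body, rc4_keystream(wep_seed(iv, base_key), len(body)))


def wep_decrypt(base_key: bytes, frame: bytes) -> bytes:
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4_keystream(wep_seed(iv, base_key), len(ct)))
    plaintext, icv = body[:-4], body[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return plaintext


def keystream_reuse_leak(frame1: bytes, frame2: bytes) -> bytes:
    """Two frames sharing an IV under one key were XORed with the same RC4
    keystream; XORing the ciphertexts cancels it and leaves p1 XOR p2.
    With only 2**24 IVs, a busy network is guaranteed to repeat them."""
    if frame1[:3] != frame2[:3]:
        raise ValueError("frames do not share an IV")
    n = min(len(frame1), len(frame2)) - 3
    return xor(frame1[3:3 + n], frame2[3:3 + n])


if __name__ == "__main__":
    # Constructed sample key, IV and plaintexts.
    key104 = bytes(range(13))
    iv = b"\x01\x02\x03"
    p1, p2 = b"GET /index.html ", b"POST /login.cgi "
    f1, f2 = wep_encrypt(key104, iv, p1), wep_encrypt(key104, iv, p2)
    print(len(wep_seed(iv, key104)) * 8, "bit RC4 seed")
    print(keystream_reuse_leak(f1, f2)[:16] == xor(p1, p2))
```

The model omits the 802.11 framing and key-index byte, but the seed construction and the ICV are as the standard specifies; the reuse leak is exactly why WEP was superseded by TKIP and then CCMP, which never reuse a nonce under one key.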
    
    ------------------------------
    
    Date: 29 Mar 2002 (LAST-MODIFIED)
    From: RISKS-requestat_private
    Subject: Abridged info on RISKS (comp.risks)
    
     The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
     if possible and convenient for you.  Alternatively, via majordomo,
     send e-mail requests to <risks-requestat_private> with one-line body
       subscribe [OR unsubscribe]
     which requires your ANSWERing confirmation to majordomoat_private .
     If Majordomo balks when you send your accept, please forward to risks.
     [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
     this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
     Lower-case only in address may get around a confirmation match glitch.
       INFO     [for unabridged version of RISKS information]
     There seems to be an occasional glitch in the confirmation process, in which
     case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
       .UK users should contact <Lindsay.Marshallat_private>.
    => The INFO file (submissions, default disclaimers, archive sites,
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues.  *** All
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risksat_private with meaningful SUBJECT: line.
    => ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
       [volume-summary issues are in risks-*.00]
       [back volumes have their own subdirectories, e.g., "cd 21" for volume 21]
     http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
       Lindsay Marshall has also added to the Newcastle catless site a
       palmtop version of the most recent RISKS issue and a WAP version that
       works for many but not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing,
        http://www.csl.sri.com/illustrative.pdf or .ps for printing
    
    ------------------------------
    
    End of RISKS-FORUM Digest 22.60
    ************************
    



    This archive was generated by hypermail 2b30 : Mon Mar 03 2003 - 17:05:31 PST