[risks] Risks Digest 22.71

From: RISKS List Owner (riskoat_private)
Date: Sat May 03 2003 - 16:09:09 PDT

  • Next message: RISKS List Owner: "[risks] Risks Digest 22.72"

    RISKS-LIST: Risks-Forum Digest  Saturday 3 May 2003  Volume 22 : Issue 71
    
       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
    
    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at
      http://catless.ncl.ac.uk/Risks/22.71.html
    and by anonymous ftp at ftp.sri.com, cd risks .
    
      Contents:
    OpenBSD release protects against buffer-overflow attacks (SANS via 
      Monty Solomon)
    Prescription error (Monty Solomon)
    Spelling checker renames Amritsar to AmriCzar (David J. Aronson)
    Kellogg's American Airlines online sweepstakes swept away (PGN)
    Pilots fail exams (Jill Treu)
    Inside Cisco's eavesdropping apparatus (Declan McCullagh via Monty Solomon)
    Internet fraud complaints triple (NewsScan)
    Bogus Internet domain-name renewal offers (Network Solutions via PGN)
    Spammers use viruses to hijack computers (NewsScan)
    Breastfeeding mothers, avoid Continental (Meng Weng Wong via Dave Farber)
    Re: NCIC database accuracy requirements (John Beattie)
    Re: Friendly Fire (Jan C. Vorbrueggen)
    REVIEW: "Firewalls and Internet Security", Cheswick/Bellovin/Rubin (Rob Slade)
    REVIEW: "Inside the Security Mind", Kevin Day (Rob Slade)
    Abridged info on RISKS (comp.risks)
    
    ----------------------------------------------------------------------
    
    Date: Sun, 20 Apr 2003 22:28:52 -0400
    From: Monty Solomon <montyat_private> 
    Subject: OpenBSD release protects against buffer-overflow attacks (SANS)
    
    Excerpt from
    	SANS NewsBites April 16, 2003 Vol. 5, Num. 15
    	http://www.sans.org/newsletters/newsbites/vol5_15.php
    
    The most recent release of OpenBSD should eliminate buffer overflows,
    according to the group's project leader. The group took three approaches to
    hardening the software. First, the location of the stack in memory is
    randomized. Second, the team added a tag to the memory structure that will
    detect address modifications. Finally, they managed to divide the main
    memory into two sections: writable and executable; the pieces of data and
    programs, called "pages", would be stored in one or the other section,
    ensuring that no page is writable and executable at the same time.
      http://news.com.com/2100-1002-996584.html
    
    [Editor's Note (Gene Schultz): Many kudos are in order here.  If what the
    OpenBSD people are doing really works, they will put considerable pressure
    on other vendors and developers to do the same.  Buffer overflow problems
    continue to plague operating systems and applications. Eliminating this
    category of vulnerabilities would be a major victory for the information
    security arena.
    
    (Schneier): It's great to see this kind of approach to buffer
    overflows. This is an example of building in security instead of trying to
    patch it afterwards.
    
    (Ranum): It's GREAT to see that at least a few people are smart enough to
    try to attack problems like this systemically, rather than keeping stuck in
    the fruitless "penetrate and patch" while loop. This is how to make progress
    in security: fundamental protections.
    
    (Shpantzer): Initiatives like this should be taught as case studies
    in computer science courses at the undergraduate level.
    ]
    
    ------------------------------
    
    Date: Tue, 8 Apr 2003 02:57:07 -0400
    From: Monty Solomon <montyat_private>
    Subject: Prescription error
    
    I recently had a prescription filled that was written for 60 pills with 4
    refills.  The pharmacist made a data-entry mistake, and the prescription was
    entered for 60 pills with 60 refills!
    
    Because prescriptions are valid for a year, the pharmacy computer could have
    detected the error and alerted the pharmacist.  But, in this case, the
    prescription was printed by my doctor's computer so the issue of reading the
    doctor's handwriting was not an issue.
    
    The pharmacist may be used to finding the number of refills in a specific
    place on the prescription and the computer generated prescription might have
    the number of refills and quantity of pills in unusual places.  The
    prescription was laser printed in the corner of a standard 8.5" x 11" piece
    of paper so the form factor of the prescription was also non-standard.
    
      [I suppose Monty was lucky the fields were not transposed.
      Imagine having a prescription for 60 refills of 4 pills each.  PGN]
    
    ------------------------------
    
    Date: Tue, 29 Apr 2003 11:53:15 -0400
    From: "David J. Aronson" <postmasterat_private>
    Subject: Spelling checker renames Amritsar to AmriCzar
    
    A Reuters news story written yesterday ("Revenge Behind Air India Bombing,
    Court Told", by Allan Dowd) included mention of "the Golden Temple in the
    city of AmriCzar".  Google-ing AmriCzar revealed eight hits, compared to the
    about 141,000 of the correct spelling.  (That, as you may have guessed, is
    Amritsar.)  The six shown (two other similar hits were omitted) are:
    
     http://www.washingtonpost.com/wp-dyn/ articles/A58594-2003Mar7.html
     http://www.punjabi.net/talk/messages/1/829.html
     http://cndyorks.gn.apc.org/news/articles/ asia/itemsonconflict.htm
     http://terrorism.com/
     http://www.ocf.berkeley.edu/~andychou/archive200211.htm
     http://www.jekyl.com/jekyl/arc_Nov02.htm
    
    (Note that some of these are quoting Reuters articles!)
    
    At a guess, the cause seems to have been blind string-matching without
    regard for context, including whether the string was part of a larger word.
    
    The RISK?  Fortunately, just mild embarrassment in this case, and even that
    is assuming that the IT folks at Reuters ever catch wind of this.  However,
    we've seen worse consequences reported here before due to similar "help",
    even when the "correction" is limited to spelling....
    
    David J. Aronson, Software Engineer for hire in Washington DC area.
    See http://destined.to/program/ for online resume, references, etc.
    
      [Roto-reuters strike again.  PGN]
    
    ------------------------------
    
    Date: Wed, 30 Apr 2003 16:07:58 PDT
    From: "Peter G. Neumann" <neumannat_private>
    Subject: Kellogg's American Airlines online sweepstakes swept away
    
    The Kellogg Company ("cereal giant") began a two-month sweepstake intended
    to give away one grand prize of 25,000 American Airlines' AAdvantage miles
    each day for 60 days.  Unfortunately, due to a "computer glitch", several
    thousand people were erroneously notified by e-mail that they were winners
    -- and then later notified that the earlier e-mail was in error but that
    they would receive 500 miles as a goodwill gesture.  [Source: AP item, 29
    Apr 2003; PGN-ed] 
      http://www.siliconvalley.com/mld/siliconvalley/
    
    ------------------------------
    
    Date: Wed, 23 Apr 2003 11:10:42 -0400
    From: "Treu, Jill" <Jill.Treuat_private>
    Subject: Pilots fail exams
    
      [For those readers who wonder about why this item is relevant to RISKS,
      please remember that technology usually depends on a lot of people.  PGN]
    
    The pilots couldn't pass the psychological and physical tests to be allowed
    to carry a firearm --- but flying huge planes full of people is OK.  Oh, this
    makes so much sense! The risks should be obvious.
    
      Four pilots did not finish gun training.  Four of the 48 veteran airline
      pilots who began the government's first training course for pilots wishing
      to carry guns in the cockpit were rejected after they failed at least one
      of the battery of required background checks, psychological exams and
      firearms tests.  Officials said the four rejections showed that the
      government was serious about providing guns only to pilots who were
      psychologically and physically fit to carry firearms in flight and defend
      their planes against attackers.  The bill permitting airline pilots to
      carry guns was passed by Congress last year, a legacy of the hijackings on
      11 Sep 2001, over the serious objections of senior members of the Bush
      administration and some members of Congress.  [Source: *The New York
      Times*, 22 Apr 2003]
        http://www.nytimes.com/2003/04/22/international/worldspecial/22PILO.html
    
    ------------------------------
    
    Date: Tue, 22 Apr 2003 02:26:16 -0400
    From: Monty Solomon <montyat_private>
    Subject: Inside Cisco's eavesdropping apparatus (from Declan McCullagh)
    
    By Declan McCullagh, 21 Apr 2003
    
    Cisco Systems has created a more efficient and targeted way for police and
    intelligence agencies to eavesdrop on people whose Internet service provider
    uses their company's routers.
    
    The company recently published a proposal that describes how it plans to
    embed "lawful interception" capability into its products. Among the
    highlights: Eavesdropping "must be undetectable," and multiple apolice
    agencies conducting simultaneous wiretaps must not learn of one another. If
    an Internet provider uses encryption to preserve its customers' privacy and
    has access to the encryption keys, it must turn over the intercepted
    communications to police in a descrambled form.
    
    Cisco's decision to begin offering "lawful interception" capability as an
    option to its customers could turn out to be either good or bad news for
    privacy.
    
    Because Cisco's routers currently aren't designed to target an individual,
    it's easy for an Internet service provider (ISP) to comply with a police
    request today by turning over all the traffic that flows through a router or
    switch. Cisco's "lawful interception" capability thus might help limit the
    amount of data that gets scooped up in the process.
    
    On the other hand, the argument that it hinders privacy goes like this: By
    making wiretapping more efficient, Cisco will permit governments in other
    countries -- where court oversight of police eavesdropping is even more
    limited than in the United States -- snoop on far more communications than
    they could have otherwise.
    
    Marc Rotenberg, head of the Electronic Privacy Information Center, says: "I
    don't see why the technical community should hardwire surveillance standards
    and not also hardwire accountability standards like audit logs and public
    reporting. The laws that permit 'lawful interception' typically incorporate
    both components -- the (interception) authority and the means of
    oversight -- but the (Cisco) implementation seems to have only the
    surveillance component. That is no guarantee that the authority will be used
    in a 'lawful' manner."
    
    U.S. history provides many examples of government and police agencies
    conducting illegal wiretaps. The FBI unlawfully spied on Eleanor Roosevelt,
    Martin Luther King Jr., feminists, gay rights leaders and Catholic
    priests. During its dark days, the bureau used secret files and hidden
    microphones to blackmail the Kennedy brothers, sway the Supreme Court and
    influence presidential elections. Cisco's Internet draft may be titled
    "lawful interception," but there's no guarantee that the capability will
    always be used legally.
    
    Still, if you don't like Cisco's decision, remember that they're not the
    ones doing the snooping. Cisco is responding to its customers' requests, and
    if they don't, other hardware vendors will.
    
    If you're looking for someone to blame, consider Attorney General John
    Ashcroft, who asked for and received sweeping surveillance powers in the USA
    Patriot Act, along with your elected representatives in Congress, who gave
    those powers to him with virtually no debate.
    
    I talked with Fred Baker, a Cisco fellow and former chairman of the Internet
    Engineering Task Force (IETF), about his work on the "lawful interception"
    draft.  ...
    
    http://news.com.com/2010-1071-997528.html
    
    ------------------------------
    
    Date: Thu, 10 Apr 2003 08:15:43 -0700
    From: "NewsScan" <newsscanat_private>
    Subject: Internet fraud complaints triple
    
    Complaints about fraudulent schemes perpetrated over the Internet tripled in
    2002 from the previous year, with the most common grievance being auction
    fraud, followed by non-delivery of promised merchandise, credit card fraud
    and fake investments. According to a report from the Internet Fraud
    Complaint Center, which is run by the FBI and the National White Collar
    Crime Center, the 48,252 complaints referred for prosecution in 2002
    represent only a fraction of the crimes authorities believe are occurring.
    The center also received almost 37,000 other complaints that did not
    constitute fraud, but involved such things as spam, illegal child
    pornography and computer intrusions. The report says 80% of known fraud
    perpetrators and about 71% of complainants are male. Fraud complaints
    originated in all parts of the country, with a third coming from California,
    Florida, Texas and New York. One of the most persistent scams described in
    the report is the infamous "Nigerian letter," which urges victims to pay an
    upfront fee (characterized as a bribe to the government) in order to receive
    non-existent funds from the "Government of Nigeria."  There were 16,000
    complaints related to that scam in 2002, up from 2,600 in 2001. [AP, 9 Apr
    2003; NewsScan Daily, 10 Apr 2003]
      http://apnews.excite.com/article/20030409/D7QA6UFO0.html
    
    ------------------------------
    
    Date: Wed 23 Apr 2003
    From: neumannat_private
    Subject: Bogus Internet domain-name renewal offers
    
    The following CUSTOMER SERVICE ANNOUNCEMENT warns of bogus e-mail offering
    domain renewals.
    
    > Date: Tue, 22 Apr 2003 19:51:59 -0400
    > From: "Network Solutions, Inc." [...]
    > Subject: Customer Renewal Warning
    
    > Dear Network Solutions(R) Customer,
    
    > We recently learned that our customers are receiving domain name renewal
    > notices from companies falsely representing themselves as Network
    > Solutions.  These notices inform customers that their domain name
    > registration is due to expire and provides instructions on how to renew.
    
    > If you receive a renewal notice you do not believe is from Network
    > Solutions or if you have an unauthorized vendor listed on your credit card
    > statement for 'domain name renewal,' please contact us immediately [...].
    
    ------------------------------
    
    Date: Wed, 30 Apr 2003 08:46:57 -0700
    From: "NewsScan" <newsscanat_private>
    Subject: Spammers use viruses to hijack computers
    
    As efforts to tackle junk e-mail ramp up, unscrupulous spammers increasingly
    are hiding their identities by taking over innocent users' accounts using
    e-mail messages that resemble computer viruses. Like many other viruses,
    these programs exploit weaknesses in Microsoft's popular Outlook e-mail
    package. One of the first hijacking programs to emerge was called "Jeem,"
    which contained a hidden e-mail engine that enabled it to route messages via
    the infected computer. Another, called Proxy-Guzu, comes as a spam message
    with an attachment. When the unsuspecting recipient clicks on the
    attachment, the computer contacts a Hotmail account and transmits
    information about the infected machine, making it possible to route e-mail
    through that machine. "Spammers are beginning to use virus-like techniques
    to cover themselves," says Larry Bridwell, content security programs manager
    at ICSA Labs. "Spam is one of the two things that the security industry is
    going to be asked to deal with. The other is adware or spyware." [BBC News
    30 Apr 2003; NewsScan Daily, 30 Apr 2003]
      http://news.bbc.co.uk/2/hi/technology/2988209.stm
    
    ------------------------------
    
    Date: Tue, 22 Apr 2003 10:50:54 -0400
    From: Meng Weng Wong <mengwongat_private>
    Subject: Breastfeeding mothers, avoid Continental (via Dave Farber's IP)
    
    Deborah Wolfe, a Canadian citizen who was just breast-feeding her son and
    changing his diaper while en route between Houston and Vancouver, says her
    "subversive" actions led to her being threatened with detainment, RCMP
    involvement and legal charges for terrorist action against a U.S. citizen in
    international airspace while on an American flight during a time of war.
    ...  Wolfe says she refused a flight attendant's offer of an airline blanket
    to hide herself because it hadn't been sealed and, given the SARS scare,
    she'd rather use her own things. Thus, unbeknownst to her, a "Level 1" crew
    complaint was filed.  ...  She says the flight attendants also began to call
    her and her travelling party "foreign nationals in international airspace on
    an international flight during a time of war." And she was informed both of
    the complaint and that it could be upgraded to a Level 3, which meant
    possible mandatory detainment by U.S. authorities for 24 hours, RCMP
    involvement and criminal charges for an act of war upon an American.
      http://www.canada.com/montreal/montrealgazette/story.asp
      ?id=51AA6AB6-034B-4FE0-911C-04871E6B1EC5
    
    IP archives at: http://www.interesting-people.org/archives/interesting-people/
    
    ------------------------------
    
    Date: Mon, 21 Apr 2003 11:01:55 +0100
    From: John Beattie <JKBat_private>
    Subject: Re: NCIC database accuracy requirements
    
    As reported in RISKS-22.65, etc., the accuracy requirements for the FBI's
    National Crime Information Center have been reduced or eliminated.  Also
    discussed in the April 2003 Cryptogram:
      http://www.counterpane.com/crypto-gram-0304.html
    
    At first sight this is bad. But the other point of view may be worth noting:
    a widely used database which is "accurate" but has a high false positive
    rate may provide a useful widespread learning experience. Most users of
    databases regard "the computer" as infallible.  A 100-to-1 false positive
    rate would be salutary!  :-)
    
    It isn't enough that engineers and computer scientists understand accuracy
    requirements; the end-users, as represented by lawyers, have to have a
    feeling for it as well. Bad databases already do damage -- it may be that
    what is needed is a really high-profile failure.
    
    You can argue probabilities as much as you like; the thing will only hit
    home when almost everyone who's had contact with the database has actual
    knowledge of a failure.
    
      [Perhaps if a few Senators, Representatives, Justice Department folks,
      and other government officials were mistakenly apprehended, that might
      help.  PGN]
    
    ------------------------------
    
    Date: Mon, 28 Apr 2003 15:58:19 +0200
    From: "Jan C. =?iso-8859-1?Q?Vorbr=FCggen?=" <jvorbrueggenat_private>
    Subject: Re: Friendly Fire (Ladkin, RISKS-22.68)
    
    I believe a technical contribution to this organizational problem was the
    fact that Aegis computed/computes the first and second derivatives of
    measured target height to derive sink/climb rate and acceleration. These
    values, derived as they are from noisy measurements, are notoriously
    unreliable. The crew seems to have treated these "measurements" at face
    value, deriving a threat from the fact that they indicated a high sink rate
    directed at the Vincennes, when in reality the aircraft was flying level. So
    in this case the misinterpretation (at least in part) resulted in the
    ability of computers to provide processed but unreliable data, very likely
    without an indication of its unreliability (ever seen error bars on such
    displays?).
    
    Jan Vorbrüggen - MediaSec Technologies, Berliner Platz 6-8, D-45127 Essen
    Research & Development  - Tel. +49 201 437 52 52  http://www.mediasec.com
    
    ------------------------------
    
    Date: Fri, 25 Apr 2003 08:36:55 -0800
    From: Rob Slade <rsladeat_private>
    Subject: REVIEW: "Firewalls and Internet Security", Cheswick/Bellovin/Rubin
    
    BKFRINSC.RVW  20030321
    
    "Firewalls and Internet Security", William R. Cheswick/Steven M.
    Bellovin/Aviel D. Rubin, 2003, 0-201-63466-X, U$49.99/C$77.99
    %A   William R. Cheswick chesat_private
    %A   Steven M. Bellovin smbat_private
    %A   Aviel D. Rubin aviat_private
    %C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
    %D   2003
    %G   0-201-63466-X
    %I   Addison-Wesley Publishing Company
    %O   U$49.99/C$77.99 416-447-5101 fax: 416-443-0948
    %O  http://www.amazon.com/exec/obidos/ASIN/020163466X/robsladesinterne
      http://www.amazon.co.uk/exec/obidos/ASIN/020163466X/robsladesinte-21
    %O   http://www.amazon.ca/exec/obidos/ASIN/020163466X/robsladesin03-20
    %P   433 p.
    %T   "Firewalls and Internet Security: Repelling the Wily Hacker,
          Second Edition"
    
    As the first work to deal seriously and completely with the topic, the first
    edition of "Firewalls and Internet Security" was one of those classics that
    get known only by the last names of the authors, so as not to leave any
    possibility of confusion with books whose titles may be similar.
    
    When such a long time has elapsed between editions of a work such as this,
    it is more than possible that the field has moved on far enough that a minor
    updating of the material is simply not feasible.  The authors are quite well
    aware of the new territory: where useful, the original structure has been
    retained, but otherwise, the book has essentially been rewritten.  A huge
    undertaking, but the only practical course, in the circumstances.
    
    Part one establishes a starting point.  Chapter one, an introduction,
    presents a number of basic, but worthwhile, security concepts.  The
    operations of various components of the TCP/IP protocol suite are discussed,
    with the most serious security vulnerabilities helpfully highlighted, in
    chapters two (lower layers) and three (upper layers).  The authors' thoughts
    on the security of the Web are amply expressed in the title of chapter four:
    "The Web: Threat or Menace?"
    
    Part two outlines the threats to networked machines.  Chapter five describes
    a number of different types of attacks.  A variety of tools for determining
    security weaknesses are listed in chapter six, alongside discussions of the
    relative costs/benefits of disclosure versus security by obscurity.
    
    Part three details security tools and utilities.  Chapter seven reviews
    authentication concepts and techniques.  Various network security systems
    are described in chapter eight.
    
    Part four gets us to firewalls and virtual private networks (VPNs)
    themselves.  Chapter nine outlines the different types of firewalls.  Basic
    filtering concepts are examined in chapter ten.  Considerations for
    constructing and tuning your firewall are in chapter eleven.  Tunnelling and
    VPNs are discussed in chapter twelve.
    
    Part five extends the isolated technology of firewalls into the application
    of protecting an organization.  Network layout, and the implications
    thereof, is reviewed in chapter thirteen.  Chapter fourteen deals with
    hardening of hosts.  Chapter fifteen is a rather terse look at intrusion
    detection.
    
    Part six is entitled "Lessons Learned."  The detection and tracing of
    "berferd" is described in chapter sixteen, along with the taking of the
    "CLARK" machine in chapter seventeen.  In chapter eighteen, Kerberos and
    IPSec are used as examples of approaches to security of insecure networks.
    Chapter nineteen finishes with some ideas for work that yet needs to be done
    to help with the security of the Internet.
    
    The place of firewalls in regard to network security has broadened
    considerably in the past decade.  This book does reflect that reality.
    Unfortunately, that breadth of topic has come at the expense of some depth
    in coverage.  The result is a book that is definitely worthwhile as an
    introduction to the field, but which may no longer be suitable as a working
    reference.  I must admit that, for some time, I have been recommending
    Chapman and Zwicky (cf. BKBUINFI.RVW) over Cheswick and Bellovin's original
    text, since "Building Internet Firewalls" seems to have the edge in terms of
    practicality.  Upon reviewing this new edition of the classic, I would have
    to stick to that recommendation.
    
    copyright Robert M. Slade, 1994, 2003   BKFRINSC.RVW   20030321
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    
    ------------------------------
    
    Date: Fri, 2 May 2003 08:21:11 -0800
    From: Rob Slade <rsladeat_private>
    Subject: REVIEW: "Inside the Security Mind", Kevin Day
    
    BKINSCMI.RVW   20030321
    
    "Inside the Security Mind", Kevin Day, 2003, 0-13-111829-3,
    U$44.99/C$69.99
    %A   Kevin Day
    %C   One Lake St., Upper Saddle River, NJ   07458
    %D   2003
    %G   0-13-111829-3
    %I   Prentice Hall
    %O   U$44.99/C$69.99 +1-201-236-7139 fax: +1-201-236-7131
    %O  http://www.amazon.com/exec/obidos/ASIN/0131118293/robsladesinterne
      http://www.amazon.co.uk/exec/obidos/ASIN/0131118293/robsladesinte-21
    %O   http://www.amazon.ca/exec/obidos/ASIN/0131118293/robsladesin03-20
    %P   309 p.
    %T   "Inside the Security Mind: Making the Tough Decisions"
    
    I am quite sympathetic to the idea that the realization of a security
    mindset or attitude (I frequently refer to it as professional paranoia) is
    more important to attaining security than isolated technical skills.  I'm
    sorry to say that this work is not likely to help you find, attain, or
    assess that protection perspective.
    
    Right from the beginning of the book, readers will find a flavour of eastern
    philosophy, and even mysticism, to it.  There are four virtues, an
    eight-fold path, and even repeated injunctions for the reader to keep an
    "open mind"--a phrase which those who have conversed with devotees of the
    Buddhist faith will find rather familiar.
    
    Unfortunately, chapter one seems to demonstrate that Day is bringing us only
    a newage vagueness in his description of the security mind.  We are to rid
    ourselves of negative thoughts, and follow fundamental virtues, which we
    haven't been given yet.  Computer security is only a decade old, we are told
    in chapter two, and constantly changing, and expensive, and there are few
    practitioners, and lots of bad guys out there, and we are paralyzed by
    fear--but we have nothing to fear but fear itself!  Chapter three finally
    lists the four virtues for us: security is ongoing, a group effort, requires
    a generic approach, and is dependent upon education.  I don't disagree with
    any of these points (other than the philological debate about whether they
    should be called virtues), and neither would any other security
    professional.  However, they don't really provide us with much in the way of
    help.  Eight security "rules," in chapter four, list principles such as
    "least privilege," which are also commonly known in security work.
    
    Chapter five is supposed to tell us how to develop a security mind, but
    actually seems to be an exercise in wishful thinking.  If the world were
    neatly divided into safe and unsafe zones, and if our systems all worked
    perfectly and in correspondence with our users' known requirements, and if
    everyone that we trusted were completely competent in regard to their own
    defence, security would be much easier.  Decision-making is likewise
    simplisticly seen to be supported by the virtues and rules, in chapter six.
    There is a superficial overview of blackhats and vulnerabilities in chapter
    seven.  Chapter eight has a standard review of risk analysis.  Vague ideas
    on hiring security, and some thoughts on outsourcing, are in chapter nine.
    The author gives his opinion on some security tools in chapter ten.  Chapter
    eleven is another attempt to prove that the rules can be used.  We are given
    a final adjuration to change our attitudes in chapter twelve.
    
    Basically, this book is yet another attempt to write a general security
    guide, without first ensuring that the material is structured, sound,
    complete, or useful.
    
    copyright Robert M. Slade, 2003   BKINSCMI.RVW   20030321
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    
    ------------------------------
    
    Date: 29 Mar 2002 (LAST-MODIFIED)
    From: RISKS-requestat_private
    Subject: Abridged info on RISKS (comp.risks)
    
     The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
     if possible and convenient for you.  Alternatively, via majordomo,
     send e-mail requests to <risks-requestat_private> with one-line body
       subscribe [OR unsubscribe]
     which requires your ANSWERing confirmation to majordomoat_private .
     If Majordomo balks when you send your accept, please forward to risks.
     [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
     this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
     Lower-case only in address may get around a confirmation match glitch.
       INFO     [for unabridged version of RISKS information]
     There seems to be an occasional glitch in the confirmation process, in which
     case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
       .UK users should contact <Lindsay.Marshallat_private>.
    => The INFO file (submissions, default disclaimers, archive sites,
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues.  *** All
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risksat_private with meaningful SUBJECT: line.
    => ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
       [volume-summary issues are in risks-*.00]
       [back volumes have their own subdirectories, e.g., "cd 21" for volume 21]
     http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
       Lindsay Marshall has also added to the Newcastle catless site a
       palmtop version of the most recent RISKS issue and a WAP version that
       works for many but not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing,
        http://www.csl.sri.com/illustrative.pdf or .ps for printing
    
    ------------------------------
    
    End of RISKS-FORUM Digest 22.71
    ************************
    



    This archive was generated by hypermail 2b30 : Sat May 03 2003 - 16:41:29 PDT