[risks] Risks Digest 22.85

From: RISKS List Owner (riskoat_private)
Date: Fri Aug 15 2003 - 07:29:10 PDT

  • Next message: RISKS List Owner: "[risks] Risks Digest 22.86"

    RISKS-LIST: Risks-Forum Digest  Friday 15 August 2003  Volume 22 : Issue 85
    
       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
    
    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at http://www.risks.org as
      http://catless.ncl.ac.uk/Risks/22.85.html
    The current issue can be found at
      http://www.csl.sri.com/users/risko/risks.txt
    
      Contents:
    Niagara-Mohawk power grid overload causes major outages
    Pilot fixes faulty jet (Chuck Weinstock)
    ATM scam netted $620,000 Australian (John Colville)
    Credit-card theft spam (Drew Dean)
    New worm targets Microsoft security site (NewsScan)
    Blaster worm analysis (Monty Solomon)
    CERT Advisory CA-2003-20 W32/Blaster worm (Monty Solomon)
    DCOM worm analysis report: W32.Blaster.Worm (Dave Ahmad)
    FBI enters investigation of Blaster (NewsScan)
    Re: Software patching gets automated (Fuzzy Gorilla)
    Hidden risks: location dependence (Fuzzy Gorilla)
    Another variant on deceptive URLs (Geoffrey Brent)
    Risks of globally filtering mail to IT and security staff (Aryeh Goretsky)
    Denver school information system on the Internet (Dave Brunberg)
    Biloxi schools have cameras in classrooms, pictures on Internet 
      (Carl G. Alphonce)
    Beyond Fear, Bruce Schneier (PGN)
    CFP: RFID Privacy and Security Workshop @ MIT (Simson L. Garfinkel)
    Abridged info on RISKS (comp.risks)
    
    ----------------------------------------------------------------------
    
    Date: Fri, 22 Aug 2003 07:01:11 PDT
    From: "Peter G. Neumann" <neumannat_private>
    Subject: Niagara-Mohawk power grid overload causes major outages
    
    A grid overload just after 4pm EDT knocked out power in NY City, Boston,
    Cleveland, Detroit, Toronto, and Ottawa, among many other cities, and
    spanning New York, New Jersey, Vermont, Connecticut, Pennsylvania, Ohio,
    Michigan, Ontaria, and parts of Quebec.  Much of midtown NYC and Wall Street
    were shut down.  At least 10 major airports, causing schedule problems
    across the country and abroad.  Nine nuclear power plants were shut down.
    Landline phones and cell circuits were severely affected, with extensive
    traffic saturation even where battery backups were available.  At least 50
    million people were affected.  800 trapped-in-elevator rescues.  For a
    while, a lightning strike on the US side of Niagara Falls was reportedly the
    trigger, and then attributed to a fire, although this morning the exact
    cause is still mysterious -- with one power expert suggesting "somewhere in
    the midwest".  Terrorism is ruled out, but not apparently not yet
    cyberactivity.  All this supposedly happened in nine seconds, and yet the
    cause is still unclear!  (My summary is of course *not* a definitive
    report.)  
    
    Once again this should certainly be instructive from a RISKS point of view.
    Despite the experience gained from past power-outage propagations, plus the
    unrelated but propagationally similar 1980 complete ARPAnet collapse and
    1990 nationwide AT&T collapse, we still have a lot to learn.  Each time we
    get a widespread effect of this nature, the people who keep saying that this
    kind of propagation is impossible get serious egg on their faces.  Stay
    tuned for more detailed analyses and more discussion of what it takes to
    have seriously defensive/preventive design and implementation.
    
    One quote from New Mexico governor Bill Richardson is intriguing: "We're a
    superpower with a Third World grid."
    
    ------------------------------
    
    Date: Tue, 12 Aug 2003 10:34:20 -0400
    From: Chuck Weinstock <weinstockat_private>
    Subject: Pilot fixes faulty jet
    
    A pilot personally fixed a faulty plane stranded on Spain's Balearic island
    of Menorca before getting weary British tourists to vote on whether they
    wished to be flown home aboard the repaired jet.  The incident occurred on 8
    Aug 2003 after a Boeing 757 run by British tour operator MyTravel was found
    to have a faulty onboard computer that insisted the aircraft was airborne
    when it was in fact parked on the tarmac.  Covered in oil after resetting a
    sensor in the aircraft's nosewheel, the pilot asked passengers gathered in
    the airport's terminal to raise their hands if they wished to board the
    plane.  In the end, only 13 of nearly 200 tourists decided to stay put.
    [Source: AFP, 12 Aug 2003, from *The Times* (London); PGN-ed]
    
    ------------------------------
    
    Date: Tue, 12 Aug 2003 08:56:06 +1000
    From: colvilleat_private
    Subject: ATM scam netted $620,000 Australian 
    
    ATM swipe-and-snap scam netted A$620,000, court told
    Leonie Lamont, 12 Aug 2003, *Sydney Morning Herald*, 12 Aug 2003; PGN-ed
      http://www.smh.com.au/articles/2003/08/11/1060588322961.html
    [$A620,000 is about $US400,000.]
    
    In the first case of its kind in Australia, a man has pleaded guilty to
    defrauding more than A$623,000 from bank customers by electronically spying
    on them while they used ATMs.  Kok Meng Ng, 29, a Malaysian, admitted in the
    District Court yesterday to taking part in an elaborate scheme in which an
    electronic skimming device and pin-head camera were planted in 36 ATMs in
    Sydney.  The skimming devices read the data on the magnetic stripe on
    customer's cards, while the camera recorded the PINs as they were punched
    in, beaming a signal that could be received up to 400 metres away.
    
    On 64 occasions between May 2001 and November last year, Ng, who was in
    Australia on successive tourist visas, transferred amounts of less than
    A$10,000 to overseas accounts.  Amounts over A$10,000 must be reported by
    financial institutions.  The court heard that among the incidents, the scam
    was conducted on 15 Oct 2002 on a St George ATM in Darlinghurst, a Westpac
    machine in Bondi Junction a day later, and, four days later, on a
    Commonwealth Bank ATM in Chatswood.
    
    The prosecutor, Sunil de Silva, said Ng was part of a gang that raided the
    bank accounts of 315 people, generally withdrawing less than A$1000. Ng also
    pleaded guilty to federal charges under the Financial Transactions Act.  The
    federal charges carry a maximum five year jail term, and the computer crime
    charges a three year term.  ...
    
    John Colville, Dept of Computer Systems, University of Technology, Sydney AU
    PO Box 123, Broadway NSW Australia 2007 +61-2-9514-1854 colvilleat_private
    
    ------------------------------
    
    Date: Thu, 14 Aug 2003 12:38:08 -0700 (PDT)
    From: Drew Dean <ddeanat_private>
    Subject: Credit-card theft spam
    
    I've recently received a couple pieces of spam trying to induce me to give
    out my credit-card number.  One used a lot of artwork from PayPal, and even
    referenced PayPal's privacy policy.  The biggest problem with it (besides
    the decidedly non-PayPal domain the form was submitted to, of course :-)) is
    that I don't have a PayPal account.
    
    Interestingly, neither spam used https to actually submit the form.  This
    makes one wonder about the RISK: what a machine to crack and to steal
    credit-card numbers from!  The operators of the scam can hardly go to law
    enforcement, after all.  The owners of the machine, if it's a Web-hosting
    service, might be able to go to law enforcement, although it would rather
    embarrassing for them.
    
    Drew Dean, SRI International, Computer Science Laboratory
    
    ------------------------------
    
    Date: Tue, 12 Aug 2003 11:19:20 -0700
    From: "NewsScan" <newsscanat_private>
    Subject: New worm targets Microsoft security site
    
    A virus-like computer attack expected to infect hundreds of thousands of
    computers worldwide is programmed to direct all infected computers to attack
    the security-related Microsoft Web site www.windowsupdate.com, used by
    millions of Microsoft users each week.  The worm, variously called LoveSan,
    Blaster and MSBlaster, is apparently similar in structure to the Code Red
    virus that affected 300,000 computers two years ago; it targets a flaw in
    Microsoft Windows operating systems, and is considered to be a worm type of
    virus because it doesn't require computer users to open an e-mail attachment
    or take any other action to spread automatically from computer to computer.
    Home computer users who leave computers constantly online to the Internet
    through DSL or cable are among those most at risk.  [*San Jose Mercury News
    11 Aug 2003; NewsScan Daily, 12 Aug 2003]
      http://www.siliconvalley.com/mld/siliconvalley/6511962.htm
    
    ------------------------------
    
    Date: Tue, 12 Aug 2003 15:02:01 -0400
    From: "monty solomon" <montyat_private>
    Subject: Blaster worm analysis
    
    Blaster Worm Analysis
    Release Date: 11 Aug 2003
    Severity: High
    
    Description: The Blaster worm uses a series of components to successfully
    infect a host.  The first component is a publicly available RPC DCOM exploit
    that binds a system level shell to port 4444.  This exploit is used to
    initiate a command channel between the infecting agent and the vulnerable
    target.  Once the target is successfully compromised, the worm transmits the
    msblast.exe executable (the main body of the worm) via TFTP to infect the
    host.  The payload used in the public DCOM exploit, as well as the TFTP
    functionality, are both encapsulated within msblast.exe.
    
    http://www.eeye.com/html/Research/Advisories/AL20030811.html
    
    ------------------------------
    
    Date: Tue, 12 Aug 2003 15:05:56 -0400
    From: "monty solomon" <montyat_private>
    Subject: CERT Advisory CA-2003-20 W32/Blaster worm
    
    CERT Advisory CA-2003-20 W32/Blaster worm
    
    Original issue date: August 11, 2003
    Last revised: August 12, 2003
    Source: CERT/CC
    
    A complete revision history is at the end of this file. 
    
    Systems Affected
    * Microsoft Windows NT 4.0 
    * Microsoft Windows 2000 
    * Microsoft Windows XP 
    * Microsoft Windows Server 2003 
    
    Overview
    
    The CERT/CC is receiving reports of widespread activity related to a new
    piece of malicious code known as W32/Blaster.  This worm appears to
    exploit known vulnerabilities in the Microsoft Remote Procedure Call
    (RPC) Interface.
    
    I. Description
    
    The W32/Blaster worm exploits a vulnerability in Microsoft's DCOM RPC
    interface as described in VU#568148 and CA-2003-16.  Upon successful
    execution, the worm attempts to retrieve a copy of the file msblast.exe from
    the compromising host.  Once this file is retrieved, the compromised system
    then runs it and begins scanning for other vulnerable systems to compromise
    in the same manner.  In the course of propagation, a TCP session to port 135
    is used to execute the attack.  However, access to TCP ports 139 and 445 may
    also provide attack vectors and should be considered when applying
    mitigation strategies.  Microsoft has published information about this
    vulnerability in Microsoft Security Bulletin MS03-026.
    
    Lab testing has confirmed that the worm includes the ability to launch a TCP
    SYN flood denial-of-service attack against windowsupdate.com.  We are
    investigating the conditions under which this attack might manifest itself.
    Unusual or unexpected traffic to windowsupdate.com may indicate an infection
    on your network, so you may wish to monitor network traffic.
    
    Sites that do not use windowsupdate.com to manage patches may wish to block
    outbound traffic to windowsupdate.com.  In practice, this may be difficult
    to achieve, since windowsupdate.com may not resolve to the same address
    every time.  Correctly blocking traffic to windowsupdate.com will require
    detailed understanding of your network routing architecture, system
    management needs, and name resolution environment.  You should not block
    traffic to windowsupdate.com without a thorough understanding of your
    operational needs.
    
    We have been in contact with Microsoft regarding this possibility of this
    denial-of-service attack.  ...
    
    http://www.cert.org/advisories/CA-2003-20.html
    
    ------------------------------
    
    Date: Mon, 11 Aug 2003 15:36:24 -0600 (MDT)
    From: Dave Ahmad
    Subject: DCOM worm analysis report: W32.Blaster.Worm
    
    A Bugtraq user has already pointed out that a worm has been
    discovered in the wild that exploits the Microsoft Windows DCOM RPC
    Interface Buffer Overrun Vulnerability (Bugtraq ID 8205) to infect
    host systems.  Symantec has been tracking its activity and is
    currently conducting analysis/full disassembly of the malicious code,
    which has been named "Blaster".  The results of our analysis are
    being made available to the public at the following location:
    
    https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.pdf
    
    It is expected that this report will be updated frequently as more
    information is discovered.  Readers are advised to download/refresh
    it throughout the day to ensure that any new information is not missed.
    
    David Mirza Ahmad, Symantec
    
    ------------------------------
    
    Date: Thu, 14 Aug 2003 08:46:52 -0700
    From: "NewsScan" <newsscanat_private>
    Subject: FBI enters investigation of Blaster
    
    The FBI is investigating the origin of the malicious computer program
    Blaster (also known as MSBlaster and LoveSan), which has already wormed its
    way into more than 250,000 Internet-connected computers running Windows
    software. Blaster has been infecting computers in organizations of every
    kind (e.g, CBS, the Senate, and the Federal Reserve Bank of Atlanta) -- in
    spite of the fact that computer experts say it's not well-written software.
    Dan Ingevaldson of Internet Security Systems Inc. warns: "A better version
    of this worm wouldn't crash any machines; it would work correctly every
    time, move faster, and delete or steal its victims' files."  [*The
    Washington Post*, 14 Aug 2003; NewsScan Daily, 14 Aug 2003]
      http://www.washingtonpost.com/wp-dyn/articles/A56071-2003Aug13.html
    
    ------------------------------
    
    Date: Tue, 12 Aug 2003 12:23:22 -0400
    From: "Fuzzy Gorilla" <fuzzygorillaat_private>
    Subject: Re: Software patching gets automated (RISKS-22.84)
    
    In http://catless.ncl.ac.uk/Risks/22.84.html#subj11.1 Peter Neumann
    speculates: "And when it is *fully* automated, think of how wonderful
    it will be to have new Trojan horses and security flaws installed
    instantaneously, without having to require human intervention.".
    
    Even without Trojan horses and security flaws, it introduces yet another
    point of failure into the system, as evidenced by the "Blaster" worm.
    According to a New Scientist article "Computer worm attacks software patch
    server" http://www.newscientist.com/news/news.jsp?id=ns99994046 :
    
      After infecting a vulnerable computer, the worm is programmed to send a
      volley of bogus traffic to Microsoft's software update service,
      windowsupdate.com on 16 August. If enough machines are infected this will
      overwhelm the site, preventing system administrators from using it to
      download the software patches needed prevent other machines being
      infected.  "It's an extremely devious trick by Blaster's author," says
      Graham Cluley, of UK anti-virus company Sophos. "Blaster attempts to knock
      Microsoft's windowsupdate.com Web site off the Internet."
    
    ------------------------------
    
    Date: Tue, 12 Aug 2003 13:03:31 -0400
    From: "Fuzzy Gorilla" <fuzzygorillaat_private>
    Subject: Hidden risks: location dependence
    
    Although this example comes from biology rather than computers, I think it
    helps to point out the problem of hidden risks and the value of questioning
    assumptions.  Basically, a researcher was working on a study that showed a
    strong link between cholesterol and an Alzheimer's like disease in rabbits --
    until he changed the location of his lab.
    
      Sparks has been working with rabbit models of Alzheimer's for years.
      "Every time I ever fed a bunny cholesterol, I got Alzheimer's pathology,"
      he said.
    
      That is, until he moved to the Sun City lab.
    
      "I said, 'Something is wrong. I go down into the vivarium (where lab
      animals are kept) and the first thing I see is the wall being lined with
      big blue bottles."'
    
      It turns out the rabbits there were given distilled water, while all the
      other research animals Sparks had worked with got tap water.
    
      He analyzed the tap water from previous labs and found it contained
      copper. When the rabbits at Sun Health were fed tap water, they also
      developed Alzheimer's symptoms.
    
      When Sparks added copper to the distilled water and gave the rabbits
      cholesterol, they also developed Alzheimer's-like symptoms and brain
      lesions.
    
      http://asia.reuters.com/newsArticle.jhtml?type=healthNews&storyID=3258703
    
    Just as in biological systems, computers and computer networks are very
    complex and sometimes the variables are well hidden.
    
    ------------------------------
    
    Date: Thu, 14 Aug 2003 09:51:46 +1000
    From: Geoffrey Brent <g.brentat_private>
    Subject: Another variant on deceptive URLs
    
    Another refinement of the "please click this link and log into your
    financial Web site" scam. This morning I got one purporting to be from
    Westpac Australia. Obviously a fraud, since (a) legitimate institutions
    don't do business that way, and (b) I don't have an account with them.  But
    it still took me a moment to see how this one worked.
    
    The link given in the e-mail purported to be "https://olb.westpac.com.au"
    (Westpac's online banking site). I was curious to see how this one worked,
    so I did what I usually do with such hoaxes and ran the mouse over it. I
    expected to see a completely different URL show up in the status bar, or
    perhaps something along the lines of "...westpac.com.auat_private" and
    was rather surprised to see what looked to be a genuine Westpac URL,
    differing only in being HTTP rather than HTTPS: http://olb.westpac.com.au/
    -- which, although unencrypted, would still be owned by Westpac.
    
    In fact, on looking closer, the _real_ URL is:
    
    http://olb.westpac.com.au%20%20%20%20%[lots more space characters snipped]
      :UserSession%3D2f4d0zzz899amaiioiiabv5589955&userrstste
      %3DSecurityUpdate&StateLevel%3DCameFromat_private/
    
    The spaces ensure that the interesting bits in the link don't show up
    onscreen, and since one doesn't expect to see spaces in URLs it wasn't
    something I'd expected. (And yes, I missed the ... on the RHS of the bar
    that indicated that there was more to follow). AFAICT, the http/s mismatch
    is simply sloppiness on the culprit's part rather than a necessary part of
    the scam.
    
    I can't be the first to point this out, but: having a character that is
    visually indistinguishable from the absence of a character is in itself a
    risk. Perhaps it would be useful for URL-display and similar outputs to use
    a visible character to indicate spaces, as can be done with word-processors?
    
    ------------------------------
    
    Date: Wed, 13 Aug 2003 02:43:40 -0600
    From: Aryeh Goretsky <goretskyat_private>
    Subject: Risks of globally filtering mail to IT and security staff
    
    Earlier this evening I received a message in my in-box advertising an
    organic compound which, allegedly, would increase the dimensions of a
    particular body part.  
    
    Such unsolicited messages are quite commonplace these days and a quick
    perusal of the message header revealed nothing especially interesting about
    the message.
    
    What did surprise me, though, was the sender's choice of a falsified
    return address from the americanexpress.com domain.  Knowing financial
    institutions are very sensitive to misuse of their names I forwarded a
    copy to "abuseat_private" with a self-explanatory subject and
    a concise, one-line description of what the message was and I why I
    had forwarded it.
    
    I received the following automated reply (unimportant headers removed):
    
     >  Date: Sat, 09 Aug 2003 03:17:53 -0700
     >  From: no.replyat_private
     >  To: "Aryeh Goretsky" <goretskyat_private>
     >
     >  Subject: Inappropriate Language Notification
     >
     >  A communication sent from your e-mail account was
     >  intercepted and quarantined because it contained language
     >  deemed inappropriate for business communications.  If
     >  you feel your message was quarantined in error,
     >  please contact the intended recipient.
     >
     >  Sender: Aryeh Goretsky <goretskyat_private>
     >  Subject: spam sent with forged address
     >  Date: 08/09/2003, 03:17:53 AM
     >  Policy: Inappropriate Language
    
    As someone who provided technical support in the security field for a long
    time I regularly received messages with "inappropriate" language in them,
    usually in the form of messages contained in computer viruses, worms and the
    like.  As a security professional, I *needed* to know the exact message as
    it appeared on-screen or embedded in a program in order to help isolate and
    identify the problem.
    
    Frankly, the idea of *not* being able to gather this information because
    that someone, somewhere might see "inappropriate" language floored me.
    
    I understand that large companies such as American Express cannot afford to
    vet new IT hires, let alone existing ones, for a good organizational fit
    which among other things includes not being offended by "inappropriate"
    language, but the idea that someone whose job responsibilities may require
    viewing such information and not being able to see it strikes me as willful
    misconduct by whatever employee(s) came up with such a policy in the first
    place.
    
    Perhaps organizations which perform such filtering should provide staff
    whose job requirements required them to receive messages containing
    "inappropriate" language with a waiver.
    
    In the meantime, I can't help but wonder what would happen if someone
    defaced one of American Express's web servers with a message containing
    "inappropriate" language and none of their IT or security staff were able to
    coordinate a response due to their internal communiques being rejected.
    
    The *RISKS* seem obvious.
    
      [... but not surprising.  I have had so many such requests to sites
      bounced for similar reasons.  PGN]
    
         [True, but I assume (with all problems thereof) a higher level of
         accountability from the security/fraud unit of a financial institution.
         AG]
    
    ------------------------------
    
    Date: Thu, 14 Aug 2003 09:33:03 -0400
    From: Dave Brunberg <DBrunbergat_private>
    Subject: Denver school information system on the Internet
    
    I found this link to an article about Denver's "Internet Student Information
    System," which offers parents (or anyone with a userid/password combo) to
    view their children's (targets'?) whereabouts, grades, disciplinary records,
    and demographic info online.
    
    http://www.denverpost.com/Stories/0,1413,36~53~1569401,00.html
    
      Teachers enter class attendance data into the system at the beginning of
      each class, and "Almost on an hourly basis, a parent can find out if their
      child is in a particular class. Most schools will stick to updating
      attendance two or three times a day."  "While the systems differ, they
      share a concern for security with school-issued user IDs and passwords. "
      "If [parents] want to participate, they must take a photo ID to the school
      and then they are given a user ID and personal password. They have access
      only to their children's information."
    
    Sounds really secure, no?  No word on the form of userid or password, or how
    to change the password, etc., standard RISKs apply.  Near the end of the
    article, security and privacy issues are given a brief note:
    
      "Like Castagna at Lakewood High, Bailey said no concerns have been raised
      about privacy, and nobody's information has been hacked.  David Craven,
      Cherry Creek's director of instructional technology, said the systems use
      the same safeguards as online banking.  "People have an expectation to get
      general information on the Web.  It's just part of their lives."
    
      "The value is contingent on how secure the database is," said Stephen
      Keating, director of the Privacy Foundation at the University of
      Denver. "If the school district thinks they've got it protected so that
      only the parents or the student can get access to that student's
      information, then it sounds viable."  But, he cautioned, "just because you
      think it's secure doesn't mean it is."
    
      Mark Silverstein, legal director of the American Civil Liberties Union in
      Denver, said, "If the information is only available to the parents of a
      student, I don't see what the concern is about privacy."
    
    I'll take a brief quote from that to look at again: "If the school district
    thinks they've got it protected so that only the parents or the student can
    get access to that student's information, then it sounds viable."  Um,
    shouldn't the district KNOW they've got it protected?  Shouldn't they be
    actively trying to crack the system?  Maybe they can ask some of their
    brighter 10th graders to try--that would probably open up some interesting
    discussion when the results became known.  Anyone want to take a bet on how
    many Mountain Dews it takes to crack this one?
    
    David W. Brunberg, Engineering Supervisor, The F.B. Leopold Company, Inc., 
    227 South Division Street, Zelienople PA 16063  (724) 452-6300
    
    ------------------------------
    
    Date: Wed, 13 Aug 2003 20:28:37 -0400
    From: "Carl G. Alphonce" <alphonceat_private>
    Subject: Biloxi schools have cameras in classrooms, pictures on Internet
    
    According to a CNN article
      http://www.cnn.com/2003/EDUCATION/08/12/classroom.cameras.ap/index.html
    the Biloxi, Mississippi school district has put cameras in all of its
    classrooms.  The project was funded by casino revenues.  Pictures taken by
    the cameras are viewable on the Internet.  If the article is correct, and
    the images really are accessible from anywhere on the Net, the risks of
    others viewing the pictures is real.
    
    The article does not give much motivation for installing the cameras.  It
    states, "[Deputy superintendent] Voles said the camera installation is a
    precaution, and that students and teachers have said they feel safer."  The
    potential for abuse and the potential chilling effect on the classroom is
    left as an exercise for the reader.  I wonder, might the introduction of
    these cameras perhaps backfire, attracting those who seek publicity, since
    they are guaranteed a record of their activities?
    
    Carl Alphonce, Dept of Computer Science and Engineering
    University at Buffalo, Buffalo, NY 14260-2000			
    
    ------------------------------
    
    Date: Fri, 15 Aug 2003 07:01:44 PDT
    From: "Peter G. Neumann" <neumannat_private>
    Subject: Beyond Fear, Bruce Schneier
    
    Beyond Fear: Thinking Sensibly about Security in an Uncertain World
    Bruce Schneier
    Copernicus Books (a Springer-Verlag imprint)
    ISBN 0-387-02620-7
    http://www.schneier.com/bf.html
    
    Copernicus was a Polish astronomer who observed that the Earth rotates on
    its axis and revolves around the Sun.  That knowledge was absolutely
    heretical at the time.
    
    Bruce Schneier is a security guru who generally preaches common sense (a
    common theme in RISKS, although common sense is apparently surprisingly
    uncommon overall).  In our time, common sense may seem absolutely heretical
    to people other than those of us who try to practice it.  Fortunately, RISKS
    readers seem to be much more aware than nonreaders.  For those of you who
    think you believe in common sense, this book will strongly reinforce your
    beliefs -- and will do so quite entertainingly.  On the other hand, those
    who do not actually practice what we preach here had better read Bruce's
    book very carefully.
    
    ------------------------------
    
    Date: Wed, 13 Aug 2003 20:05:19 -0400
    From: "Simson L. Garfinkel" <slgat_private>
    Subject: CFP: RFID Privacy and Security Workshop @ MIT
    
    RFID PRIVACY AND SECURITY -- WORKSHOP @ MIT -- CALL FOR PARTICIPATION
    Saturday, 15 Nov 2003, 10am - 4pm, Bartos Theater, MIT Media Lab, 20 Ames St.
    
    Radio Frequency Identification technology is fast becoming a lightning rod
    for consumer privacy activists.  Is RFID destined to become the enabling
    technology for massive state-sponsored surveillance, Big Brother's
    "call-home" chip?  Or is RFID really nothing more than a supply-chain
    management technology, its dangers being over-hyped by alarmists who
    fundamentally misunderstand the technology?  One thing is sure: in the
    absence of strong data, decisions are being made and the public is either
    being poorly informed or intentionally misled.
    
    Last year Benetton pulled back from a previously-announced RFID trial after
    a consumer group announced a global boycott of the clothing manufacturer.
    Can pressure from consumer groups effectively prevent the introduction of
    RFID technology, or were other matters at work behind the scenes?
    
    The goal of the RFID Privacy Workshop is to bring together RFID
    technologists, boosters, critics, privacy activists and journalists
    covering the space to establish some technical truths and a creating a
    framework for understanding the growing body of RFID policy issues.
    
    To register online and/or submit a paper by 15 Sep 2003, see
      http://www.rfidprivacy.org/
    
    ------------------------------
    
    Date: 30 May 2003 (LAST-MODIFIED)
    From: RISKS-requestat_private
    Subject: Abridged info on RISKS (comp.risks)
    
     The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
     if possible and convenient for you.  Alternatively, via majordomo,
     send e-mail requests to <risks-requestat_private> with one-line body
       subscribe [OR unsubscribe]
     which requires your ANSWERing confirmation to majordomoat_private .
     If Majordomo balks when you send your accept, please forward to risks.
     [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
     this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
     Lower-case only in address may get around a confirmation match glitch.
       INFO     [for unabridged version of RISKS information]
     There seems to be an occasional glitch in the confirmation process, in which
     case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
       .UK users should contact <Lindsay.Marshallat_private>.
    => SPAM challenge-responses will not be honored.  Instead, use an alternative 
     address from which you NEVER send mail!
    => The INFO file (submissions, default disclaimers, archive sites,
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues.  *** All
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risksat_private with meaningful SUBJECT: line.
    => ARCHIVES: http://www.sri.com/risks
     http://www.risks.org redirects you to the Lindsay Marshall's Newcastle archive
     http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue]
       Lindsay has also added to the Newcastle catless site a palmtop version 
       of the most recent RISKS issue and a WAP version that works for many but 
       not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing,
        http://www.csl.sri.com/illustrative.pdf or .ps for printing
    
    ------------------------------
    
    End of RISKS-FORUM Digest 22.85
    ************************
    



    This archive was generated by hypermail 2b30 : Fri Aug 15 2003 - 09:18:10 PDT