[RISKS] Risks Digest 23.44

From: RISKS List Owner (risko@private)
Date: Sat Jul 03 2004 - 19:18:19 PDT


RISKS-LIST: Risks-Forum Digest  Saturday 3 July 2004  Volume 23 : Issue 44

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/23.44.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Acting Now to Prevent the Internet Meltdown (PGN)
Court rules e-mail eavesdropping okay (NewsScan)
Fed. Court Rules No Privacy For E-Mail Passing Through ISP Servers
  (Lauren Weinstein)
Florida Felon list is wrong, wrong, wrongity wrong (Danny Burstein)
Israeli Police loses laptop with critical agent information
  (Gadi Evron)
DC Metro discovers flag-day issues with changeover in payment systems
  (Joe Thompson)
Coca-Cola Cans as Security Threat (Jack M Dominey)
Pharmacists worry about drug vending units (Daniel P. B. Smith)
RFID could cost 4 million jobs by 2007 (NewsScan)
Barclays Bank of Zimbabwe suffers data theft (Bob Heuman)
French authority forbids "DIDTHEYREADIT?" service (Bob Heuman from
  NewsScan)
Web service maps tax codes to ID info (John)
Re: Attacking the attackers: maybe not a good idea (Nick Brown,
  Curtis Karnow)
REVIEW: "Exploiting Software", Greg Hoglund/Gary McGraw (Rob Slade)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sun, 4 Jul 2004 08:12:11
From: "Peter G. Neumann" <neumann@private>
Subject: Acting Now to Prevent the Internet Meltdown

Both the Internet and its users are under increasingly serious attacks from
numerous technical and non-technical threats.  If you are seriously
interested in helping to avoid an "Internet meltdown" that could negatively
and dramatically impact people around the world, please consider joining a
group of us who will be meeting in Los Angeles from July 26 - 28 to address
these issues under the aegis of People for Internet Responsibility (which I
co-founded with Lauren Weinstein).

The expanding program agenda is on the conference main Web page:

  http://www.pfir.org/meltdown

In contrast to many other meetings, the conference program is
oriented toward technology-related *policies* rather than to technical
details, and should be of interest to techies and non-techies alike.

Please note that conference registrations need to be received prior to 
July 18 for the reduced conference rate, and that the hotel is offering
discounted room rates through July 11.

I'm looking forward to seeing many of you at the conference.

Peter G. Neumann
Principal Scientist, SRI International Computer Science Lab 
Chairman, ACM Committee on Computers and Public Policy

------------------------------

Date: Thu, 01 Jul 2004 08:33:22 -0700
From: "NewsScan" <newsscan@private>
Subject: Court rules e-mail eavesdropping okay

In a surprise decision, a federal appeals court has ruled that it was
acceptable for a company that offered e-mail service to peruse
messages sent by its subscribers. The case stems from 1998 when it was
discovered that Interloc, a now-defunct literary clearinghouse,
surreptitiously copied messages sent to its subscribers by rival
Amazon in order to "develop a list of books, learn about competitors
and attain a commercial advantage." An Interloc executive was later
indicted on an illegal wiretapping charge, but yesterday's ruling
upheld a federal judge's dismissal of that charge on the grounds that
the e-mails were copied while in "electronic storage" (during the
process of being routed through a network of servers to
recipients). The Wiretap Act prohibits unauthorized eavesdropping on
messages that are not stored -- such as a real-time telephone
conversation -- but does not afford the same protection to stored
messages. In a dissenting opinion, Appeals Court Judge Kermit Lipez
wrote that the ruling unravels "decades of practice and precedent
regarding the scope of the Wiretap Act" and essentially renders the
act "irrelevant to the protection of wire and electronic privacy."  In
a concurring statement, the Electronic Frontier Foundation said that
yesterday's ruling "dealt a grave blow to the privacy of Internet
communications."  [AP 30 Jun 2004; NewsScan Daily, 1 Jul 2004]
  http://apnews.excite.com/article/20040701/D83HMB0O0.html

------------------------------

Date: Fri, 02 Jul 2004 17:32:20 -0700
From: Lauren Weinstein <lauren@private>
Subject: Fed. Court Rules No Privacy For E-Mail Passing Through ISP Servers

                              PFIR Bulletin

           Federal Court Rules No Privacy in E-mail Stored
                at ISPs, Even Temporarily in Transit

                              July 2, 2004

    PFIR - People For Internet Responsibility - http://www.pfir.org

   [ To subscribe or unsubscribe to/from this list, please send the
     command "subscribe" or "unsubscribe" respectively (without the
     quotes) in the body of an e-mail to "pfir-request@private". ]

A federal appeals court has ruled that your e-mail passing through ISP
servers is virtually without privacy protections.  It is impossible to
overstate the potential significance of this astoundingly poor decision.

For the news story, please see:
  http://www.washingtonpost.com/wp-dyn/articles/A19211-2004Jun30.html

The full text of the decision is at:  
  http://www.ca1.uscourts.gov/pdf.opinions/03-1383-01A.pdf

If generally upheld, it means that user e-mail stored on ISP servers
even temporarily or while in transit (Gmail, Hotmail, POP, IMAP, SMTP,
etc.) is vulnerable to legal monitoring or other abuses by ISPs and
others, including use for competitive or even prurient purposes,
without notification to the persons whose e-mails are involved.

With many ISPs forcing more users (especially typical dynamic-IP
customers) to route all mail through ISP servers (e.g., via blocking
of port 25), the implications are staggering.

Though ISPs may claim privacy policies that prohibit snooping,
policies are subject to change, and the legal barriers to access to
the mail by outside entities are also much lower in such cases.

Regardless of whether or not this decision stands, the underlying
facts should be very clear.  The most reliable and trustworthy path to
secure e-mail is via direct, end-to-end, encrypted connections that
are not forced to route through ISP mail servers.  This is one of the
goals of the PFIR "Tripoli" project
(http://www.pfir.org/tripoli-overview).

The court's ruling will also now be a topic at a legal issues
panel at our PFIR "Internet Meltdown" conference late in July 
( http://www.pfir.org/meltdown ).  [See above.  PGN]

This is one of the worst and most dangerous court decisions ever 
to appear relating to the Internet.

Lauren Weinstein
lauren@private or lauren@private or lauren@private
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Co-Founder, Fact Squad - http://www.factsquad.org
Co-Founder, URIICA - Union for Representative International Internet
                     Cooperation and Analysis - http://www.uriica.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy

------------------------------

Date: Sat, 3 Jul 2004 01:06:21 -0400 (EDT)
From: danny burstein <dannyb@private>
Subject: Florida Felon list is wrong, wrong, wrongity wrong

First, after a court battle, some news organizations and the Florida ACLU 
got a judge to grant them access to the Florida Felon list - the one that 
keeps people from voting ( a very painful topic we all recall from 2000):

> "TALLAHASSEE - In a victory for Florida voters, a Leon circuit court judge
> today struck down a state law that prevents copying a state list with
> names of more than 47,000 registered voters who may be deleted from the
> voter rolls because the state has identified them as possible ex-felons.

http://www.aclufl.org/news_events/index.cfm?action=viewRelease&emailAlertID=289

And to no one's surprise, a couple of days later we got stories like this:

Thousands of eligible voters are on felon list
BY ERIKA BOLSTAD, JASON GROTTO AND DAVID KIDWELL

More than 2,100 Florida voters -- many of them black Democrats --
could be wrongly barred from voting in November because Tallahassee
elections officials included them on a list of felons potentially
ineligible to vote, a Herald investigation has found.

A Florida Division of Elections database lists more than 47,000 people
the department said may be ineligible to vote because of felony
records.  But a Herald review shows that at least 2,119 of those names
-- including 547 in South Florida -- shouldn't be on the list because
their rights to vote were formally restored through the state's
clemency process...

http://www.miami.com/mld/miamiherald/news/front/9062928.htm?ERIGHTS=-2146699848262413226miami::cypherpunks@private&KRD_RM=4ksloqmmnrqknptkkkkkkkklnk|Nobody|Y

------------------------------

Date: Sat, 03 Jul 2004 04:39:18 +0200
From: Gadi Evron <ge@private>
Subject: Israeli Police loses laptop with critical agent information

The Israeli Police psychologist, in charge of consulting and evaluating
police undercover agents, lost her laptop.

The laptop was stolen in a break-in to her house.

According to Police sources the laptop held no names, only the psych
evaluations and information.  Police said the loss is not critical,
but nonetheless, they invested a lot of resources in locating the
thieves and arranging for a buy.

The laptop was bought for _only_ 5K NIS (a bit over 1K USD). When
bought, the information on the laptop was also deleted.  This suggests
that maybe the thieves were only after selling the laptop and were
completely unaware of the information it held or of its value.  When
were any of us last that lucky? I figure that's wishful thinking, but
that's only my opinion.

Heck, I personally hope they were lucky, but I've seen many such
warning signs completely ignored by different organizations until a
9/11 of sorts happens.  Maybe this will be enough of a shock for them
to bump up information security enforcement. I am pretty sure they
already have a policy and regulations.

The laptop supposedly holding no names is a consolation. At least proper 
compartmentalization policies were followed.

------------------------------

Date: Tue, 29 Jun 2004 13:27:05 -0400
From: Joe Thompson <joe@orion-com.com>
Subject: DC Metro discovers flag-day issues with changeover in payment systems

Recently the DC Metro discovered two things: 1) it was short on cash,
2) parking revenues weren't what they should be.  An audit implicated
theft by parking attendants as a contributor to the revenue shortfall.
Accordingly, the decision was apparently made to ax the contract with
the company which provided the attendants and change over completely
to the existing automated "SmarTrip" smart-card system.

Yesterday was the first day of all-automated parking (with attendants
standing by in case of problems) and all failed to go quite according
to plan:

http://www.wtopnews.com/?sid=217505&nid=30

"New machines selling SmarTrip cards were installed in stations, but
many customers trying to use credit cards in those machines found they
were unable to. Metro said the volume of sales was too much."

...further annoying commuters already miffed at having to shell out $5
just to buy yet another card.  Apparently to buy a card in cash, the
machines would *only* accept a $10 bill.  (Here in DC and the
surrounding area, the $20 has been the bill of choice for some time
now.  They're known as "yuppie food-stamps" because so many people
have them and so few people can make change for them.)

For the time being, commuters can buy a traditional Metro farecard for
the exact amount of the parking fee and hand that in to the
attendants, but no one has addressed what happens when the attendants
are gone and the SmarTrip machines are all that remains.

Also unaddressed, to my knowledge, are questions about the degree of
redundancy and the failure modes in the SmarTrip system.  Even before
the changeover it was a regular occurrence for SmarTrip card readers
in parking-lot exit gates to fail, leaving the gate down and forcing
everyone to shift to another exit line.  After fully-automated
operation commences, will a single failed telephone or network line
incapacitate all readers in a station's lot (or more than one
station's lot)?  Is there a contingency plan in place for that?  Will
gates be changed to automatically lift if communications with the
card-authorization system are lost?  Have they been changed to do so
already, and if so, has the change been tested?

(The SmarTrip cards appear to store the current value in the chip
embedded in the card, but some kind of communication does go on since
registered cards' value is protected from the time the card is
reported lost or stolen.)

What puzzles me is why the existing paper farecards aren't an option
for automated parking payment.  The readers for those much predate the
SmarTrip system and the farecard vending machines are much more
flexible.

RISKS: Making major system changes without sufficient forethought and
testing for what are essentially political reasons. -- Joe

------------------------------

Date: Wed, 30 Jun 2004 08:48:23 -0400
From: "Dominey, Jack M, NEO" <dominey@private>
Subject: Coca-Cola Cans as Security Threat

Following message forwarded by my boss.  I wonder what they think of
this at Coca Cola HQ?

Subject: SCIF Security Advisory

Security Managers:

The Coca Cola Company has a summer game promotion running from 5/17 -
7/12/04 in all 50 states and the District of Columbia that has the
capability to compromise classified information.  The company has
intermixed approximately 120 Coca-Cola cans that actually contain GPS
locators equipped with a SIM card, keypad and GPS chip transponder so
it functions as a cell phone and GPS locator.  The cans are concealed
in specially marked 12, 18, 20, or 24 can multi-packs of Coca-Cola
Classic, Vanilla Coke, Cherry Coke and Caffeine Free Coke.  The
hi-tech Coke "Unexpected Summer" promotion can has a button,
microphone, and a tiny speaker on the outside of the can.  Pressing
the larger red button starts the game in process, thus activating the
GPS signal and a cell phone used by the customer to call a special
hotline.  Consumers who find these cans, activate the technology, and
call the hot line must agree to allow Coke "search teams" using the
GPS tracker (accurate to within 50 feet), to surprise them anyplace,
anytime within three weeks to deliver a valuable prize.

In accordance with DIA, no specific policy for this promotion will be
issued.  However, DISA employees with access to SCIFs should take a
common sense approach and if one of these cans is found inside a
SCIF, they should treat it as they would any two-way electronic device
in a SCIF and remove it immediately. Until such time as this sales
promotion ends and all 120 cans are accounted for, Coca-Cola packages
should be opened and inspected before taking them into any area marked
as a "Restricted Area" or where classified meetings/discussions, etc. are
in progress or have the potential to occur at any time.

Scott Addis, Chief, SSO, Defense Information Systems Agency

RISKS submission from Jack Dominey, AT&T Network Disaster Recovery

------------------------------

Date: Sat, 3 Jul 2004 06:54:06 -0400
From: "Daniel P. B. Smith" <dpbsmith@private>
Subject: "Pharmacists worry about drug vending units"

Boston Globe, July 3, 2004. Available (for 48 hours) at
http://www.boston.com/news/nation/articles/2004/07/03/drug_vending_units_worry_pharmacists/

"...[The Beth Israel Deaconess network] wants to introduce automatic  
prescription machines to their clinics in the Boston area. From afar, a  
pharmacist sends a message from his computer telling the machine which  
prepackaged bottles of pills to dispense. A staffer at a clinic  
retrieves the bottle, affixes a label, and gives it to the patient.  
...Telepharmacy Solutions Inc., ...pioneered the concept in the 1990s.  
The automated dispensers cost about $60,000 each, and so far a  
smattering of public health centers, hospitals, and Veterans  
Administration clinics around the country use them. The VA has 55  
machines in different states and is considering wider use."

"...[A machine at the Thundermist Clinic in Warwick, Rhode Island] The  
West Warwick machine carries 50 branded and generic drugs in preset  
doses and bottle sizes, including antibiotics, blood-pressure  
medication, Lipitor for cholesterol, and several kinds of  
antidepressants. 'I liken it to a Coke machine,' said Stephanie  
McCaffrey, Thundermist's vice president for program development. 'You  
put the order in, and plop, it comes out.' To get drugs, a doctor faxes  
the patient's prescription to a pharmacist in Woonsocket. The  
pharmacist reviews it and sends an electronic message via a secure  
computer link to the vending machine telling which drug to dispense.  
Bar codes on the pills and on the labels ensure the right medicine is  
given to the right patient."

"A staffer gives the bottle to the patient with printed information  
showing the drug's side effects and warnings. The patient is asked  
whether he or she wishes to speak to a pharmacist. If the answer is  
yes, the patient is directed to a telephone."

In addition to the obvious RISKS (machines never make a mistake--make a  
mistake--make a mistake), we have yet another area where automation is  
being used to handle the easy part of a difficult task, one that  
traditionally involved the personal participation of very highly  
skilled humans. No doubt the bulk of today's pharmaceutical practice  
consists of repeatedly dispensing the "top forty hits" of the drug  
world on a routine basis. This will now be handled by machines, by  
remote access, and by relatively lower-skilled persons that "give the  
bottle to the patient" (at least until someone decides these staffers  
can be eliminated, too). At clinics with the machines which "plop" out  
drugs, the functions for which pharmacists train for six years will  
theoretically still be available. But now it will be the exception  
rather than the rule, and over time these services may become rarer and  
harder to access. Today, what happens in those rare occasions when a  
prescription actually needs to be compounded? What will happen ten  
years from now?

Daniel P. B. Smith, dpbsmith@private  dpbsmith@private

------------------------------

Date: Fri, 02 Jul 2004 08:32:22 -0700
From: "NewsScan" <newsscan@private>
Subject: RFID could cost 4 million jobs by 2007

The Yankee Group, a prominent market research firm, is predicting that
RFID tags will cost four million U.S. jobs by 2007, throughout
numerous industries. (RFID stands for Radio Frequency Identification,
a technology embedded for inventory and tracking purposes into
products, materials, and shipments.) However, Yankee Group analyst
Adam Zabel thinks that most workers who lose their jobs due to
increased efficiencies made possible by RFID technology will be able
to obtain 'more value-added' positions.  [Vnunet 2 Jul 2004; NewsScan
Daily, 2 Jul 2004]
  http://www.vnunet.com/news/1156369

------------------------------

Date: Fri, 02 Jul 2004 10:34:47 -0400
From:  Bob Heuman <rsh@private>
Subject: Barclays Bank of Zimbabwe suffers data theft

No new risk in the following article, but under the government of Robert
Mugabe it is possible that this theft was government sponsored!

Barclays victim of data robbery
Godfrey Marawanyika / Anita Fleming
http://www.theindependent.co.zw/news/2004/July/Friday2/885.html

  Barclays Bank of Zimbabwe has become the second financial institution
  to fall victim to computer data robbery, the Zimbabwe Independent
  has established.  Barclays lost computer hard drives which contained
  classified information on the bank and its clientele. The hard drives
  were stolen over the weekend.  Barclays has since informed the central
  bank of the incident.

The FIRST financial institution was robbed of a hard drive in
February, [when] NMB fell victim to hard-drive robbery and up to now
the case is still to be resolved.

------------------------------

Date: Fri, 02 Jul 2004 19:59:00 -0400
From: Bob Heuman <rsh@private>
Subject: French authority forbids "DIDTHEYREADIT?" service

To me via NewsScan Daily, 2 Jul 2004 ("Above The Fold")

And what is the risk to someone from outside of France who has this type
of service and flies into France? Do they too risk a 5 year prison term
and a substantial fine?  If so, Yankee stay home! This service seems to
be offered almost all over North America, after all...

> From: "NewsScan" <newsscan@private>:

CNIL, the French data protection authority, has declared Rampell
Software's new mail service 'Did they read it?' to be illegal.

(Subscribers to "DidTheyReadIt?" get a report about the exact time their
e-mail was opened, for how long, on what kind of operating system and if
the mail was forwarded to other people.)

The CNIL finds the service unacceptable under French privacy
legislation; as a result, any French subscriber to this service risks a
prison sentence of 5 years plus a substantial fine.

(EDRIgram 1 Jul 2004)  www.edri.org  Rec'd from Jim Sterne via Mark Gibbs

------------------------------

Date: Thu, 1 Jul 2004 19:30:23 +0200
From: "John" <john@private>
Subject: Web service maps tax codes to ID info

The Lombardia Region (Italy) local administration has set up a web
service to help citizens obtain a certificate of free entitlement to
medical treatment (form E111) for travel to other European Union
countries.  The web service asks for only your tax code as proof of
identity and then proceeds to supply you the following information:

- Forename and Surname
- Health authority district of registration
- Health authority registration number

So, if I have only the tax code of a Lombardia resident I can at least
find out their full name and their health district (which is more or
less certain to be in the same area of their home address).

The risk is providing a service without user authentication which gives out
ID information to unknown users if they are in possession of a valid tax
code.

When challenged about this, the technical staff replied that they had
examined the possibility that someone could make up a valid tax code
by trial and error. They believed this to be quite remote (and I agree
with them). The risk is that they hadn't considered the circumstances
where someone might come into possession of a real tax code and then
use it to complete the ID info.
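As an added illustration (not part of John's post and not the Lombardia service's own code), here is the lookup-by-tax-code design he describes beside a hardened version that binds each lookup to an authenticated session and audits every request; all records, tax codes and names are constructed placeholders, and how the login itself is verified is assumed to happen elsewhere.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class CitizenRecord:
    """The three fields the Lombardia service returns for a tax code."""
    forename: str
    surname: str
    health_district: str
    registration_number: str


# Constructed sample registry keyed by tax code. The codes and people are
# placeholders, not real Italian tax codes or real residents.
REGISTRY = {
    "TAXCODE-EXAMPLE-0001": CitizenRecord("Maria", "Rossi", "District A", "REG-000111"),
    "TAXCODE-EXAMPLE-0002": CitizenRecord("Luca", "Bianchi", "District B", "REG-000222"),
}


def lookup_without_authentication(tax_code: str) -> Optional[CitizenRecord]:
    """The design the post describes: holding a valid tax code is the only
    check, so anyone who obtains someone else's code retrieves their record."""
    return REGISTRY.get(tax_code)


@dataclass(frozen=True)
class Session:
    """A session the service established by authenticating the user
    (the login mechanism is assumed and out of scope here)."""
    subject_tax_code: str


@dataclass(frozen=True)
class AuditEntry:
    subject: Optional[str]
    requested_tax_code: str
    outcome: str  # "granted" or "denied"


@dataclass
class AuditLog:
    entries: List[AuditEntry] = field(default_factory=list)

    def record(self, subject: Optional[str], tax_code: str, outcome: str) -> None:
        self.entries.append(AuditEntry(subject, tax_code, outcome))


class AuthorizationError(Exception):
    """Raised for any request the caller is not entitled to."""


def lookup_with_authentication(session: Optional[Session], tax_code: str,
                               audit: AuditLog) -> CitizenRecord:
    """Hardened form: the tax code still selects the record, but the caller
    must be logged in as that same person. The identity check runs before the
    registry is consulted, so a mismatched request learns nothing, not even
    whether the requested tax code exists."""
    subject = session.subject_tax_code if session is not None else None
    if session is None or subject != tax_code:
        audit.record(subject, tax_code, "denied")
        raise AuthorizationError("authenticated identity does not match request")
    record = REGISTRY.get(tax_code)
    if record is None:
        audit.record(subject, tax_code, "denied")
        raise AuthorizationError("no record for the authenticated identity")
    audit.record(subject, tax_code, "granted")
    return record


if __name__ == "__main__":
    # A caller holding someone else's tax code: the unauthenticated design
    # answers, the hardened design refuses and leaves an audit trail.
    print(lookup_without_authentication("TAXCODE-EXAMPLE-0001"))
    log = AuditLog()
    try:
        lookup_with_authentication(Session("TAXCODE-EXAMPLE-0002"),
                                   "TAXCODE-EXAMPLE-0001", log)
    except AuthorizationError as exc:
        print("refused:", exc)
    print(log.entries)
```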

------------------------------

Date: Wed, 30 Jun 2004 23:40:16 +0200
From: Nick Brown <Nick.BROWN@private>
Subject: Re: Attacking the attackers: maybe not a good idea (RISKS-23.43)

It's now common practice for viruses to leverage the expected
countermeasures of security software, as part (or all) of their payload.
For example, the authors of the various Netsky (etc) worms know that for
every mail their software sends, at least one more of the "you sent us a
virus" variety will be sent by a corporate e-mail gateway virus scanner.

Once any type of automated retaliation is in place, exactly the same thing
will happen.  Indeed, there's plenty of potential for DoS attacks, e.g. if
someone in company X can forge an attack as being "from" their rivals at
company Y.

------------------------------

Date: Mon, 28 Jun 2004 11:39:52 -0700 (PDT)
From: Curtis Karnow <cekarnow@private>
Subject: Re: Attacking the attackers: maybe not a good idea (RISKS-23.43)

Attacking the attacker may or may not be a good idea: there are public
relations, and practicalities to consider. In many cases, it's a very
bad idea. But if done correctly (accurate, targeted, no or
[relatively] little collateral damage) it might be legal.  See my
"Launch On Warning: Aggressive Defense of Computer Systems," 8
Cyberspace Lawyer 4 (March 2003); rewritten and published at
http://islandia.law.yale.edu/isp/digital%20cops/papers/karnow_newcops.pdf

------------------------------

Date: Mon, 28 Jun 2004 08:23:22 -0800
From: Rob Slade <rslade@private>
Subject: REVIEW: "Exploiting Software", Greg Hoglund/Gary McGraw

BKEXPLSW.RVW   20040531

"Exploiting Software", Greg Hoglund/Gary McGraw, 2004, 0-201-78695-8,
U$49.99/C$71.99
%A   Greg Hoglund
%A   Gary McGraw
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2004
%G   0-201-78695-8
%I   Addison-Wesley Publishing Co.
%O   U$49.99/C$71.99 416-447-5101 fax: 416-443-0948
%O  http://www.amazon.com/exec/obidos/ASIN/0201786958/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0201786958/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0201786958/robsladesin03-20
%P   471 p.
%T   "Exploiting Software: How to Break Code"

I have learned to beware of books with titles like this, which
generally indicate a hastily compiled set of old vulnerabilities,
benefitting nobody save the author.  This work, however, turns out to
have a lot of value for those interested in security of software.

Although it does not deal with the factors inherent in software that
almost ensure problems, chapter one outlines the fact of bugs in
software, the relative rate and increasing prevalence, and future
developments that may exacerbate the issue.  Chapter two provides
taxonomies of general types of software problems (distinguishing, for
example, between a bug and a flaw), patterns of attack activities
(pointing out that most exploits are used in combination), and types
of system scanning activities (used to determine specific attacks that
might be effective).  This material is very useful in structuring the
debate about software exploits and attacks in general, but,
ironically, the chapter (and book) itself could benefit from better
organization.  Reverse engineering, both via black box testing and
through code analysis, is described in chapter three.  The discussion
is general, and presents the different activities that can be
undertaken, usually at a fairly abstract level.  (This is not true in
all cases: there is a chunk of twelve pages of code for a plug-in
module and eight pages of script for the IDA disassembler, which is of
questionable utility, depending on the familiarity the reader may have
with that particular program.)

At this point in the book, the issue of the validity of the "learn to
exploit in order to learn to protect" philosophy should be addressed. 
In general, the "hack to protect" books do not provide much that is of
value for the defenders.  That statement is not necessarily true of
this work.  Since most of the presentation is at a conceptual level,
it is the ideas, and not particular exploits, that are being reviewed. 
The authors are explaining tools and techniques that, yes, can be used
by attackers, but can equally be used by those who wish to probe a
given system for weaknesses in order to determine vulnerabilities to
be patched.  (There appears to be only one exception in chapter three:
the authors note that vendor patches tend to act as a roadmap for
vulnerabilities, and it is difficult to say how this technique is
useful for defence, other than to note that the probability of an
exploit increases after a patch has been issued.)

Chapter four lists types of attacks on server software, while five
looks at clients, primarily web browsers.  Indications pointing to
patterns of malformed input that are likely to generate successful
exploits are described in chapter six.  The classic and ubiquitous
buffer overflow gets a detailed explanation (supported with a number
of examples) in chapter seven, which has a strangely extensive section
on RISC (Reduced Instruction Set Computer) architectures.  Chapter
eight is rather disappointing in light of the tone of the rest of the
book: it is primarily concerned with how to create and program
rootkits, and the worth for defence is doubtful.

While ultimately of greatest use to a rather select audience (those
specifically concerned with finding and patching loopholes in
software), this book does have a lot to say to most security
professionals.  The security aspects of software development tend to
be glossed over too quickly in most general works on security. 
Specific examples of malformed input are used, in too many security
texts, as evidence of the author's superior security erudition, rather
than to explain the underlying concepts.  Hoglund and McGraw have
prepared solid tutorials and definitions of these important ideas
(although one could wish that they had prepared the arrangement of the
book with the same degree of care).

copyright Robert M. Slade, 2004   BKEXPLSW.RVW   20040531
rslade@private      slade@private      rslade@private
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

------------------------------

Date: 2 Jun 2004 (LAST-MODIFIED)
From: RISKS-request@private
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  To subscribe or unsubscribe via
 e-mail to mailman your FROM: address, send a message to 
   risks-request@private
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit the process by sending directly to either
   risks-subscribe@private or risks-unsubscribe@private
 depending on which action is to be taken.
 Subscription and unsubscription requests require that you reply to a 
 confirmation message sent to the subscribing mail address.  Instructions 
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

   INFO     [for unabridged version of RISKS information]
 .UK users should contact <Lindsay.Marshall@private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> The INFO file (submissions, default disclaimers, archive sites,
 copyright policy, PRIVACY digests, etc.) is also obtainable from
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in future issues.  *** All
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks [subdirectory i for earlier volume i]
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing

------------------------------

End of RISKS-FORUM Digest 23.44
************************