[RISKS] Risks Digest 23.46

From: RISKS List Owner (risko@private)
Date: Thu Jul 29 2004 - 11:53:58 PDT


RISKS-LIST: Risks-Forum Digest  Thursday 29 July 2004  Volume 23 : Issue 46

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/23.46.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
*Chicago Tribune* computer meltdown (J H Haynes)
Balloon stuck over Baltimore, risk of automatic shutdowns (Dave Provine)
NASA space station software repairs (James Paul)
Laptops at the FleetCenter at risk of breaches, attack (Hiawatha Bray via 
  Monty Solomon)
Censorware deletes Japanese city (John S. Karabaic)
Using Google against Google! (Peter Parker)
Court Opens Door To Searches Without Warrants (Monty Solomon)
Risks of ordinary GUI "pop-up" windows? (Daniel P. B. Smith)
Windows XP SP2 Installation Failures ()
Should we trust them? (Bruce Sinclair via Dawn Cohen)
Citibank 'sorry' for current account difficulties (Patrick O'Beirne)
Citibank assists scammers (Keith Gregory)
Cosmic ray hits Brussels election - really? (Dirk Fieldhouse)
Florida faces vote chaos in 2004, Commission hears (Fredric L. Rice)
Lost Record '02 Florida Vote Raises '04 Concern (Joe Shead)
Counting error on SMS poll evicts wrong contestant from 'Big Brother'
  (George Michaelson)
California Online Privacy Protection Act (Monty Solomon)
iPod security (Paul Wexelblat)
Re: E-mail nonprivacy (David Cantrell)
Re: Keyless remotes to cars suddenly useless (Chuck Charlton)
Re: "Stolen:" one-third of the world's software (Pascal J. Bourguignon)
Update: DC Metro flag-day issues (Joe Thompson)
REVIEW: "The Sundering", Walter Jon Williams (Rob Slade)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 20 Jul 2004 11:50:51 -0500 (CDT)
From: jhhaynes@private
Subject: *Chicago Tribune* computer meltdown

Beginning at 5:30am on Sunday morning 18 Jul 2004, the *Chicago Tribune*
began a planned upgrade of their server systems and their Newsdesk software
(developed by Denmark-based CCI Europe A/S).  By noon, everything tested out
OK.  However, around 4pm, proofing pages for the Monday morning paper could
not be generated.  At 7pm, pages sent to the off-site Freedom Center
printing facility would not produce plates.  A third-party trouble-shooter
(CCI in Denmark) was called in.  At 9:45pm, the disaster-recovery backup
system was considered, but CCI thought that would not be necessary.  At
1:30am Monday sending scanned pages to Freedom Center was abandoned as
taking too long, and preparations were made to switch back to the backup
plan.  However, by 2am some pages were correctly processed, and a hybrid
plan was cobbled together.  Finally, at 3am, the paper was abbreviated to 24
pages and printed -- except for four pages that would not print, and which
were replaced by advertisements.  Production of the paper was finally begun
at 5:30am, well beyond the normal time.  It was reportedly the first time
since the Great Chicago Fire of 1871 that the *Tribune* failed to print as
planned.  [Source: Computer glitch nearly stops Tribune presses; A story we
never thought we'd print, James Coates, *Chicago Tribune*, 20 Jul 2004;
starkly PGN-ed; also noted by Rich Harrington; PGN-ed]

------------------------------

Date: Sun, 18 Jul 2004 08:14:34 -0400
From: Dave Provine <dave@private>
Subject: Balloon stuck over Baltimore, risk of automatic shutdowns

A tourist balloon tethered over downtown Baltimore stalled during a wind
squall on 17 Jul 2004, with 17 occupants stranded 200 feet in the air for
two hours, amid strong wind gusts that swung the balloon around the tether,
resulting in the computer control system losing track of the balloon's
position -- which apparently automatically shut down the winch engine.
Because the program cannot restart the engine unless the balloon is on the
ground, a smaller backup engine was invoked -- although an added
complication involved releasing the brakes that had automatically
clamped on the winch.  (This was supposed to be a 20-minute excursion.)
Four people were hospitalized.  [*The Baltimore Sun*, 18 Jul 2004; PGN-ed]
  http://www.baltimoresun.com/news/local/bal-te.md.balloon18jul18,0,4500292.story?coll=bal-home-headlines

------------------------------

Date: Thu, 29 Jul 2004 01:17:48 -0400
From: "James Paul" <James.Paul@private>
Subject: NASA space station software repairs

John Kelly, NASA begins repairing station glitches, 29 Jul 2004

  NASA and the Russians are beaming a series of software-upgrade files from
  Earth to several International Space Station computers with the goal of
  eliminating hundreds of potentially dangerous glitches before year's end.
  The carefully scheduled updates are meant to fix about 500 of the more
  than 1,000 errors in the computer code that operates everything from the
  space station's robot arm to critical life-support systems.  Most notably,
  the repairs are expected to fix 35 of 39 software bugs that were deemed
  "safety critical" in a review done by the space station program in the
  wake of the shuttle Columbia disaster.

Source:
http://www.floridatoday.com/news/space/stories/2004b/spacestoryN0729STATIONBUG.htm
Earlier items:
http://www.floridatoday.com/news/space/stories/ISS2004/spacestoryONSOFTWARE06.htm

------------------------------

Date: Fri, 23 Jul 2004 17:02:09 -0400
From: Monty Solomon <monty@private>
Subject: Laptops at the FleetCenter at risk of breaches, attack (H.Bray)

Hiawatha Bray, *The Boston Globe*, 22 Jul 2004

The Democratic National Convention will attract thousands of visitors armed
with laptop computers that feature wireless Internet access.  And that could
be a formula for disaster, according to Michael Maggio, whose Newbury
Networks Inc. recently ran a vulnerability test in the area around the
FleetCenter: Unless proper precautions are taken, computer vandals will be
able to tap into these laptops by using wireless transmitters located
outside of the FleetCenter.  The attackers could then use the compromised
laptops to gain access to the computer network used to run the convention.

http://www.boston.com/business/technology/articles/2004/07/22/laptops_at_the_fleetcenter_at_risk_of_breaches_attack/

------------------------------

Date: Fri, 16 Jul 2004 11:03:14 -0400
From: "John S. Karabaic" <risks@private>
Subject: Censorware deletes Japanese city

Censorware installed either at the LinuxElectrons or IBM press release site
has inadvertently deleted part of the name of a Japanese city in a press
release from IBM:

http://www.linuxelectrons.com/article.php/20040714101727502

relevant excerpt:

  The trial is expected to be completed by early August and then, if
  successful, onsite testing will take place at Kureha Environmental
  Engineering's waste processing site. When the effectiveness of RFID
  tagging is confirmed the company plans to equip Kureha General Hospital,
  in *censored*ushima, Japan, with the RFID technology to track their
  discarded medical waste.

John Karabaic, 3545 Zumstein Ave, Cincinnati OH 45208-1309  513.295.6365

------------------------------

Date: Fri, 09 Jul 2004 03:05:30 -0700
From: "Peter Parker" <peterparker@private>
Subject: Using Google against Google!

Good news for the spammers!!

As most of us are aware, Google provides various options/operators for
writing effective queries. One of the operators is the "site:" option, which
restricts the search to the website specified with this tag. Just tried
googling for some gmail accounts with site:gmail.google.com and the results
were a list of URLs with the title "Link Already Used". The area of concern
is that all these pages are actually error pages with valid gmail user
accounts.... so with a small script it's very easy for someone to glean a
list of _valid_ gmail accounts.

Do you have a gmail account? ....check if your name is already harvested ;-)

------------------------------

Date: Tue, 27 Jul 2004 18:08:02 -0400
From: Monty Solomon <monty@private>
Subject: Court Opens Door To Searches Without Warrants

It's a groundbreaking court decision that legal experts say will affect
everyone: Police officers in Louisiana no longer need a search or arrest
warrant to conduct a brief search of your home or business.  Leaders in law
enforcement say it will keep officers safe, but others argue it's a
privilege that could be abused.  The decision in United States v. Kelly
Gould, No. 0230629cr0, was made March 24 by the New Orleans-based 5th
Circuit Court of Appeals.  ...  [29 Mar 2004]
  http://www.theneworleanschannel.com/news/2953483/detail.html
  http://caselaw.findlaw.com/data2/circs/5th/0230629cr0p.pdf
  http://caselaw.findlaw.com/data2/circs/5th/0230629cv0p.pdf
  http://caselaw.lp.findlaw.com/data2/circs/5th/0230629cv0p.pdf

------------------------------

Date: Wed, 28 Jul 2004 11:08:18 -0400
From: "Daniel P. B. Smith" <dpbsmith@private>
Subject: Risks of ordinary GUI "pop-up" windows?

Yesterday, I was annoyed yet again--by Mac OS X, as it happens, but OS X and
WinNT/2K/XP are equal-opportunity annoyers in this regard. I was about to
hit "return" to accept the default in a dialog box, and another application
that was running at the same time popped up its own dialog box just as I was
pressing the key. I couldn't stop in time. I intended to OK one dialog box,
and I ended up OK-ing a completely different one.

No harm done this time. But this sort of thing happens to me several times a
week. Frequently I will type two or three keystrokes into a window that has
unexpectedly popped up before I can stop myself.  Occasionally I will
actually mouse-click on a button in a window that popped up just as I was
starting to press the mouse.

It seems astonishing to me that nobody complains about this, and that in
twenty-odd years of GUI use there isn't a well-established solution to this
problem. It appears that when it comes to computer usability, any problem
that persists for more than a few years is apparently no longer perceived as
a problem. Or am I the only person this happens to?

The RISKS when a user who intends to confirm one dialog box accidentally
confirms another are obvious. Serious consequences in ordinary daily use are
admittedly unlikely; contriving a suitable example will be left as an
exercise for the reader.

------------------------------

Date: Fri, 23 Jul 2004 20:08:49 PDT
From: [identity withheld by request]
Subject: Windows XP SP2 Installation Failures

Some choice bits from this site:
http://www.crn.com/sections/breakingnews/breakingnews.jhtml;?articleId=23905071

  "CRN Test Center engineers evaluated a release candidate two (RC2) version
  of SP2, and upon completion of the install on three out of five systems,
  the machines blue-screened."

  "[Microsoft] provided instructions on how to work around the blue screen
  and uninstall SP2.  After that process finished, some interesting events
  occurred. The rollback process uninstalled every device that existed in
  the PC. Network cards, video cards and all system resources were
  uninstalled.  The rollback also removed SP1; absolutely no remnants of SP1
  existed anywhere in the system."

If they can't get the installation process right, I highly doubt they
got the security fixes right either.

------------------------------

Date: Thu, 29 Jul 2004 07:03:26 -0700 (PDT)
From: Dawn Cohen <cohend64@private>
Subject: Should we trust them? (Bruce Sinclair)

Here's one from the absurd department...

(As reported on http://www.netfunny.com/rhf/jokes/04/Jul/cia.html)

Did they really say that?
bruce.sinclair@private (Bruce Sinclair) TelstraClear

Found recently on a web site as part of a privacy policy statement ...
[http://www.odci.gov/cia/notices.html#priv]

  Privacy Notice: The Central Intelligence Agency is committed to protecting
  your privacy and will collect no personal information about you unless you
  choose to provide that information to us.

------------------------------

Date: Wed, 28 Jul 2004 12:19:45 +0100
From: "Patrick O'Beirne" <pob2004@private>
Subject: Citibank 'sorry' for current account difficulties

http://news.ft.com/servlet/ContentServer?pagename=FT.com/StoryFT/FullStory&c=StoryFT&cid=1087373456479

Customers of Citibank, the world's largest bank, are suffering a wave of
current account service problems that has forced the company to post a
seven-page "service update" explanation on its website.

The bank admitted receiving complaints from customers over direct debit
payments which mistakenly defaulted to 999,999.99 pounds and personal
identification numbers for automatic teller machines, internet and telephone
banking that did not work.

Other problems included current accounts being debited twice, incorrect
reference and cheque numbers, changes to statements, canceled cheques and
replacement cheque books and cards being sent to old or wrong addresses.

Citibank said that it was "very sorry" about the problems, which were caused
by a large systems upgrade in late March that triggered a big increase in
the volume of calls from customers.

Patrick O'Beirne, Systems Modelling Ltd.  +353 55 22294  www.sysmod.com/blog

------------------------------

Date: Thu, 22 Jul 2004 09:30:11 -0400
From: "Keith Gregory" <kgregory@gestalt-llc.com>
Subject: Citibank assists scammers

Today a phishing scam e-mail got past the spam filters. It had the usual
wording about clicking on the link to update my e-mail address with
CityBank, which "required" my ATM card and PIN.

The strange thing about the URL was it wasn't the expected "this site @ that
site", instead, it began with: http://www.citi.com/domain/redirect
... YIPES!

Sure enough, replacing the scammer's URL with Google's took me to Google
... which didn't like the Citibank-specific query string. Being curious, I
clicked on the original URL, and was taken to what appeared to be the
Citibank site, after bouncing around a while. Needless to say, I exited
Mozilla after doing this.

------------------------------

Date: Thu, 29 Jul 2004 13:04:14 +0100
From: "Dirk Fieldhouse" <fieldhouse@private>
Subject: Cosmic ray hits Brussels election - really?

John Miller, Dow Jones Newswires (07/26/04); seen via ACM Tech News:
  http://www.acm.org/technews/articles/2004-6/0728w.html#item1

"European citizens and governments generally prefer traditional
paper-based voting because of unresolved reliability and security issues
surrounding electronic voting. ...
	[DF comment: what a fair summary, and in the UK issues are also being
        raised by the extension of postal paper voting]
... Fueling the arguments of paper ballot supporters are incidents such as
a 2003 Belgian election in which almost 4,100 extra votes for Maria
Vindevoghel's Communist Party were recorded in a precinct of Brussels due
to a malfunction triggered by a cosmic ray. ..."

I found this jaw-dropping -- not the possibility of a cosmic ray causing a
computer malfunction, which is an obvious threat for space-borne systems,
but how such an apparently unrepeatable external event could be accepted as
the cause of a terrestrial computer malfunction. The lack of any
confirmation through Google seems to support my astonishment. Can the select
RISKS readership confirm whether this actually occurred, or is it an urban
legend?

If people are prepared to accept this as an explanation for computer
malfunctions, maybe we're wasting our time testing software?

------------------------------

Date: Fri, 16 Jul 2004 20:02:05 -0700
From: "Fredric L. Rice" <damoclese@private>
Subject: Florida faces vote chaos in 2004, Commission hears

Alan Elsner, Reuters, 15 Jul 2004
http://story.news.yahoo.com/news?tmpl=story&cid=584&e=3&u=/nm/20040715/pl_nm/campaign_florida_dc

Florida faces another debacle in the upcoming presidential election on
Nov. 2, with the possibility that thousands of people will be unjustly
denied the right to vote, the U.S. Commission on Civil Rights heard on
Thursday.

------------------------------

Date: Wed, 28 Jul 2004 12:14:06 -0500
From: "Joe Shead" <Joe@private>
Subject: Lost Record '02 Florida Vote Raises '04 Concern

Almost all the electronic records from the first widespread
use of touch-screen voting in Miami-Dade County have been
lost.  [Abby Goodnough, *The New York Times*, 28 Jul 2004]
http://www.nytimes.com/2004/07/28/politics/campaign/28vote.final.html?ex=1092033819&ei=1&en=5808587bdbefd3a6

------------------------------

Date: Mon, 5 Jul 2004 16:36:27 +1000
From: George Michaelson <ggm@private>
Subject: Counting error on SMS poll evicts wrong contestant from 'Big Brother'

  Big Brother evictee returns after SMS error
  http://www.abc.net.au/news/newsitems/200407/s1147056.htm

  The most recent evictee from the Big Brother reality television household,
  Bree, will return to the show tonight after the company which tallies
  telephone and SMS votes for the show admitted it made a mistake.

  Bree was voted out of the show last night but Channel Ten, which airs the
  show, and Endemol Southern Star, its producers, have released a statement
  admitting the vote count was wrong.

Apparently this was detected by the phone/SMS company by an internal audit
so at one level, 'the system worked' but there are so many questions about
HOW they counted SMS votes wrong..

I'm guessing this is not a very integrated process, and somebody either
slipped up doing spreadsheet column/field edits, or in parsing data.

With $AU 1,000,000 up for grabs in a winner-takes-all outcome, I think both
the phone company and the TV station felt it was better to head off
litigation.  Else, why does anybody care? It's not like this is a 'real' vote
is it...

(obvious comparisons to 'beauty contest' electronic election methods invited)

George Michaelson, APNIC, PO Box 2131 Milton, QLD 4064 Australia
+61 7 3858 3150  |  ggm@private  |  http://www.apnic.net

------------------------------

Date: Thu, 8 Jul 2004 08:44:05 -0400
From: Monty Solomon <monty@private>
Subject: California Online Privacy Protection Act

Excerpt from
Piper Rudnick E-Commerce & Privacy Group @lert, 25 Jun 2004, Vol. 4, No. 5
http://www.piperrudnick.com/db30/cgi-bin/pubs/E-Commerce%20Alert062504.pdf

CALIFORNIA LAW REQUIRING WEB SITES AND ONLINE SERVICES TO POST A PRIVACY
POLICY GOES INTO EFFECT JULY 1, 2004

Overview and Summary of Requirements

On 1 Jul 2004, the first online privacy law in the country that applies to
the collection of information from consumers over the age of 13 will take
effect.

The California Online Privacy Protection Act of 2003, CAL. BUS. & PROF. CODE
22575 et seq., ("Section 22575") is a privacy notice requirement law. It
contains a generous safe harbor that gives companies 30 days to come into
compliance if notified of failure to post a policy. The law also prohibits
"negligently and materially" or "knowingly and willfully" failing to follow
promises in a posted privacy policy.

The California law will require operators of a commercial Web site or online
service that collect through their Web site or online service personally
identifiable information(1) from consumers(2) residing in California to
conspicuously post their privacy policy on their Web site (or, in the case
of an online service, to use any other "reasonably accessible means of
making the privacy policy available to consumers"). The law exempts Internet
service providers and similar entities that transmit or store personally
identifiable information at the request of third parties. Because many Web
sites and online services do not collect physical address information, and
for that reason may be unaware that they are collecting personally
identifiable information from California consumers, sites and services may
be well advised to conform their privacy policies to the requirements of
this new law.  ...
  http://www.piperrudnick.com/db30/cgi-bin/pubs/E-Commerce%20Alert062504.pdf

------------------------------

Date: Tue, 13 Jul 2004 14:06:56 -0400
From: Paul Wexelblat
Subject: iPod security

It appears that it has occurred to folks that the iPod is a security risk

  http://www.cnn.com/2004/TECH/internet/07/13/britain.mod.reut/index.html

If someone who had access to that dangerous USB port were going to
down/upload some data, wouldn't a thumb drive be easier and smaller?

If someone was serious, how hard would it be for a real baddie to give a CD
player or Walkman (r) write capability?

Gee, why not just plug a Wi-Fi device into some obscure RJ45 and get the
stuff in the parking lot? Or a Zip disk, or a floppy, or a laptop, or one of
those non-spec 10Xpower bluetooth thingies?

Isn't it much more likely that this poor soul with the iPod is just
trying to listen to music?

Paul Wexelblat, Dept. of Computer Science, University of Massachusetts Lowell
One University Ave, Lowell, MA 01854

------------------------------

Date: Mon, 12 Jul 2004 09:59:49 +0100
From: David Cantrell <d.cantrell@private>
Subject: Re: E-mail nonprivacy (DeForest, RISKS-23.45)

I read with interest Craig DeForest's recent message about legislating for
privacy.  His argument - which is far from new - is that because legally
protecting email privacy wouldn't be 100% effective, legal protection is
foolish.  You could equally well say that because legislating to outlaw
burglary is not 100% effective, you may as well not legislate against
burglary.  A foolish notion!

Laws won't stop determined evil-doers from doing bad things.  However, they
can be used to punish them after the fact, and do have a deterrent effect on
evil-doers who are less brave.  Just look at the effort companies go to to
make sure they don't break (many) laws.  Add privacy to that list of laws
that they at least try not to break, and I for one will be a little
happier.

------------------------------

Date: Mon, 12 Jul 2004 01:14:14 GMT
From: Chuck Charlton <charlton@private>
Subject: Re: Keyless remotes to cars suddenly useless (RISKS-23.45)

This isn't news and isn't sudden to those of us in San Francisco who shop at
Tower Market.  Keyless remotes to cars have never functioned in much of Twin
Peaks area.  The seven television stations and numerous FM radio stations
that broadcast from Sutro Tower appear to overwhelm the low-power keyless
systems used in nearby cars.

------------------------------

Date: Sat, 10 Jul 2004 23:06:40 +0200
From: "Pascal J. Bourguignon" <pjb@private>
Subject: Re: "Stolen:" one-third of the world's software (NewsScan, R-23.45)

I won't comment on the risks of accepting the novlang, but wondering why all
these people don't use free software instead, what are the risks they take
in using non-free software, in their countries?

Assuming there's no legal risk for them, given the political and technical
risks of using non-free software, why don't they switch to free software?

------------------------------

Date: Tue, 27 Jul 2004 17:09:09 -0400
From: Joe Thompson <kensey@private>
Subject: Update: DC Metro flag-day issues (RISKS-23.44)

Metro has now reversed their decision and declared they will continue to
sell SmarTrip cards until the current inventory runs out, by which point
they hope new shipments will have come in:
  http://www.wtopnews.com/index.php?nid=25&sid=234093

"Taubenkibel says the agency decided to reverse course because it hopes to
receive a new shipment of about 10,000 SmarTrip cards by the end of the
month, and another 62,000 cards sometime in August."

------------------------------

Date: Wed, 28 Jul 2004 08:34:36 -0800
From: Rob Slade <rslade@private>
Subject: REVIEW: "The Sundering", Walter Jon Williams

BKSNDRNG.RVW   20040629

"The Sundering", Walter Jon Williams, 2004, 0-380-82021-8
%A   Walter Jon Williams
%C   10 East 53rd Street, New York, NY  10022-5299
%D   2004
%G   0-380-82021-8
%I   HarperCollins/Basic Books/Torch
%O   800-242-7737 fax: 212-207-7433 information@private
%O   http://www.amazon.com/exec/obidos/ASIN/0380820218/robsladesinterne
%O   http://www.amazon.co.uk/exec/obidos/ASIN/0380820218/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0380820218/robsladesin03-20
%P   436 p.
%T   "The Sundering"

Once upon a time, a long, long time from now (and far away) there was
a great space war.

Given that it's a long time from now, it's rather bemusing that technology
hasn't advanced very far, aside from discovering traversable wormholes and
producing antimatter in commercial quantities.  This isn't entirely the
fault of human beings, since a mysterious and powerful race has come along
and generally interfered with social and technological development, although
they now seem to have stepped out for an extinction.

But you can forgive a lot to a book that understands that space battles,
even those confined to a mere solar system, take place over days, and that
the ability to withstand crushing accelerations for long periods of time is
what makes the difference.

Faster than light communications would certainly help, but that may be too
much to ask from the universe.  Smarter computers would *definitely* help,
and should have been possible.

The use and operation of computers in this brave new world is not clearly
spelled out, but they seem to run on scripts, rather than machine code.  The
mysterious and powerful race have ensured that all computers are registered
and known, thus fulfilling Microsoft's dreams for Palladium.  (Apparently no
Linux hackers, or other amateur computer enthusiasts, have survived.)
Serious cryptography seems to have been forgotten: there is one reference to
the fact that nobody can use cryptography since everyone has powerful
computers and can therefore break any ciphers.  This indicates that everyone
has forgotten that, when computer power increases, you can just increase the
key length.

The fact that computers are known and registered is used to prove the need
for low-tech communications solutions when the bad guys move in and take
over the seats of power.  However, a few pages later, our merry band of
counter-revolutionaries is happily using communications devices that seem to
have a lot of computer-related functions (even real-time broadcasts seem to
be "store and forward").

Our underground heroine manages to become a fully-fledged intruder in the
space of twenty-four hours.  Along the way she does learn something that I
wish every security professional knew: when you have functional security,
you'd better have an assurance activity as well.

(Of course, if anyone had put "defence in depth" in place, she'd have been
sunk.)

copyright Robert M. Slade, 2004   BKSNDRNG.RVW   20040629
rslade@private      slade@private      rslade@private
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

  [Rob, It's typically Weakness in Depth rather than Defense in Depth.
  But I suppose things will not have changed much by then anyway.  PGN]

------------------------------

Date: 2 Jun 2004 (LAST-MODIFIED)
From: RISKS-request@private
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  To subscribe or unsubscribe via
 e-mail to mailman your FROM: address, send a message to
   risks-request@private
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit the process by sending directly to either
   risks-subscribe@private or risks-unsubscribe@private
 depending on which action is to be taken.
 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

   INFO     [for unabridged version of RISKS information]
 .UK users should contact <Lindsay.Marshall@private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> The INFO file (submissions, default disclaimers, archive sites,
 copyright policy, PRIVACY digests, etc.) is also obtainable from
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in future issues.  *** All
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks [subdirectory i for earlier volume i]
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing

------------------------------

End of RISKS-FORUM Digest 23.46
************************


