RISKS-LIST: Risks-Forum Digest Friday 30 July 2010 Volume 26 : Issue 12 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/26.12.html> The current issue can be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: Tech worker: 'Blue screen of death' on oil rig's computer (Gregg Keizer via Gene Wirchenko) BP: "Will no one rid me of this turbulent alarm?" (Danny Burstein) Verizon experienced nationwide Network Extender network failure (Kevin G. Barkes) Oracle's Java Company Change Breaks Eclipse (timothy on Slashdot via Lauren Weinstein) Important Lessons to Learn from the Black Hat ATM Hack (Matthew Kruk) Wal-Mart Radio Tags to Track Clothing (Miguel Bustillo via Monty Solomon) iPhone GPS leads police to stolen device in minutes (Gene Wirchenko) Slovenian Mariposa botnet (Ali Zerdin via George Ledin) Android wallpaper malware (Dean Takahashi via George Ledin) Slashdot: Online banking Trojan horse (PGN) Personal Info For 100 Million Facebook Users Harvested Into One (Dave Farber) WikiLeaks classified documents (PGN) Risks of free-text fields in medical records (dkross via PGN) Photo fakery in the news again (Mark Brader) ICANN touts DNSSEC as tool to fight "Internet Criminals" (Lauren Weinstein) To Change or Not to Change Passwords? (Gene Wirchenko) Re: Cal payroll data system cannot be changed (Valdis Kletnieks, Michael Smith) iPhone Used Left-handed and Used by Lefthanders (Gene Wirchenko) Paper on the law and Implantable Devices security (Gadi Evron) REVIEW: "The Design of Rijndael", Joan Daemen/Vincent Rijmen (Rob Slade) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Thu, 29 Jul 2010 11:42:28 -0700 From: Gene Wirchenko <genew_at_private> Subject: Tech worker: 'Blue screen of death' on oil rig's computer Gregg Keizer, *Computerworld*, 26 Jul 2010 A computer that monitored drilling operations on the Deepwater Horizon had been freezing with a [BSOD] prior to the explosion that sank the oil rig last April, the chief electrician aboard testified Friday at a federal hearing. In his testimony Friday, Michael Williams, the chief electronics technician aboard the Transocean-owned Deepwater Horizon, said that the rig's safety alarm had been habitually switched to a bypass mode to avoid waking up the crew with middle-of-the-night warnings. Williams said that a computer control system in the drill shack would still record high gas levels or a fire, but it would not trigger warning sirens, He also said that five weeks before the April 20 explosion, he had been called to check a computer system that monitored and controlled drilling. The machine had been locking up for months. You'd have no data coming through." With the computer frozen, the driller would not have access to crucial data about what was going on in the well. The April disaster left 11 dead and resulted in the largest oil spill in U.S. history. ------------------------------ Date: Fri, 23 Jul 2010 18:48:13 -0400 (EDT) From: danny burstein <dannyb_at_private> Subject: BP: "Will no one rid me of this turbulent alarm?" Fire Alarm Was Partially Disabled on Oil Rig, Electrician Says The fire- and natural-gas alarm system aboard the Deepwater Horizon was partly disabled on the night the drilling rig caught fire, the chief electrician aboard testified Friday at a hearing outside New Orleans. "The general alarm was inhibited," said Michael Williams, an employee of Transocean Ltd., which owned the rig. He explained that the system that automatically sounded a general alarm had been disabled because rig managers "did not want people woken up at 3 a.m. with false alarms." ^^^^^^^^ http://online.wsj.com/article/SB10001424052748703294904575385160342490350.html ------------------------------ Date: July 28, 2010 2:57:15 PM EDT From: "Kevin G. Barkes" <kgbarkes_at_private> Subject: Verizon experienced nationwide Network Extender network failure [From Dave Farber's IP distribution. PGN] I was thinking of ordering a Verizon Network Extender because my office is in the basement of my home and the signal there fades from time to time. Before ordering, I stuck "Verizon Network Extender" into Google News and found this from phonenews.com: Verizon Network Extenders Experiencing Outage Nationwide Written by Christopher Price on July 27, 2010 If you have a Verizon Network Extender, you might be asking the infamous 'Can you hear me now?' Verizon has confirmed to PhoneNews.com that all Network Extenders nationwide are down, due to an outage. Representatives for Verizon could not provide an estimate as to when the service would be restored. Verizon may be preparing to release an EV-DO version of the Network Extender, first shown to the public by PhoneNews.com earlier this year. Both the current femtocell and Verizon's next-generation Network Extender are manufactured by Samsung. In the comments section, a user reported the system was up at 4:45 am EST today. Lots of interesting information in the readers comments section: "- This is a consistent issue and really needs addressed. 4 times our area has been out in just a few months. Tech support is useless. They keep having you reset stuff just to inform you after an hour that it's there (sic) system." Instead of ordering one now, I think I'll just walk the 12 steps to the first floor where coverage is adequate... Archives: https://www.listbox.com/member/archive/247/=now ------------------------------ Date: Wed, 28 Jul 2010 15:39:27 -0700 From: Lauren Weinstein <lauren_at_private> Subject: Oracle's Java Company Change Breaks Eclipse (timothy on Slashdot) http://bit.ly/dA8Ier (Slashdot) Posted by timothy <http://www.monkey.org/~timothy/> 28 Jul 2010 crabel writes "In Java 1.6.0_21, the company field was changed from 'Sun Microsystems, Inc' to 'Oracle.' Apparently not the best idea, because some applications depend on that field to identify the virtual machine. All Eclipse versions since 3.3 (released 2007) until and including the recent Helios release (2010) have been reported to crash with an OutOfMemoryError due to this change. This is particularly funny since the update is deployed through automatic update and suddenly applications cease to work." [Lots of subsequent discussion. Problem now fixed. PGN] http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6969236 https://bugs.eclipse.org/bugs/show_bug.cgi?id=319514 http://www.facebook.com/sharer.php?u=http://it.slashdot.org/story/10/07/28/2121259/Oracles-Java-Company-Change-Breaks-Eclipse http://twitter.com/home?status=Oracle's+Java+Company+Change+Breaks+Eclipse%3A+http%3A%2F%2Fbit.ly%2FdvJFiL ------------------------------ Date: Thu, 29 Jul 2010 16:23:06 -0600 From: "Matthew Kruk" <mkrukg_at_private> Subject: Important Lessons to Learn from the Black Hat ATM Hack A security researcher named Barnaby Jack amazed attendees at the Black Hat security conference by hacking ATM machines in a session titled "Jackpotting Automated Teller Machines Redux". There are some important lessons to be learned from the hacks Jack demonstrated, and they apply to more than just ATM machines. http://www.pcworld.com/businesscenter/article/202172/important_lessons_to_learn_from_the_black_hat_atm_hack.html?tk=hp_blg ------------------------------ Date: Fri, 23 Jul 2010 21:20:29 -0400 From: Monty Solomon <monty_at_private> Subject: Wal-Mart Radio Tags to Track Clothing (Miguel Bustillo) [Source: Miguel Bustillo, *Wall Street Journal*, Business Technology, 23 Jul 2010; PGN-ed] Wal-Mart Stores Inc. plans to roll out sophisticated electronic ID tags to track individual pairs of jeans and underwear, the first step in a system that advocates say better controls inventory but some critics say raises privacy concerns. Starting next month, the retailer will place removable "smart tags" on individual garments that can be read by a hand-held scanner. Wal-Mart workers will be able to quickly learn, for instance, which size of Wrangler jeans is missing, with the aim of ensuring shelves are optimally stocked and inventory tightly watched. If successful, the radio-frequency ID tags will be rolled out on other products at Wal-Mart's more than 3,750 U.S. stores. "This ability to wave the wand and have a sense of all the products that are on the floor or in the back room in seconds is something that we feel can really transform our business," said Raul Vazquez, the executive in charge of Wal-Mart stores in the western U.S. ... While the tags can be removed from clothing and packages, they can't be turned off, and they are trackable. Some privacy advocates hypothesize that unscrupulous marketers or criminals will be able to drive by consumers' homes and scan their garbage to discover what they have recently bought. They also worry that retailers will be able to scan customers who carry new types of personal ID cards as they walk through a store, without their knowledge. Several states, including Washington and New York, have begun issuing enhanced driver's licenses that contain radio- frequency tags with unique ID numbers, to make border crossings easier for frequent travelers. Some privacy advocates contend that retailers could theoretically scan people with such licenses as they make purchases, combine the info with their credit card data, and then know the person's identity the next time they stepped into the store. ... http://online.wsj.com/article/SB10001424052748704421304575383213061198090.html [Also noted by Ben Moore: "There are so many RISKS in this I can't even make a list!" -- e.g., There are two things you really don't want to tag, clothing and identity documents, and ironically that's where we are seeing adoption. PGN] ------------------------------ Date: Sun, 25 Jul 2010 23:04:18 -0700 From: Gene Wirchenko <genew_at_private> Subject: iPhone GPS leads police to stolen device in minutes Source: *The Daily News*, Kamloops, British Columbia, Canada, 24 Jul 2010, item from The Associated Press, 23 Jul 2010 A man accused of stealing an Apple iPhone out of a woman's hand in San Francisco may have been shocked when police found him only nine minutes later. It turns out the phone had been tracking his every move. The iPhone was being used to test a new, real-time global positioning system tracking application, and the woman holding it was an intern for the software's maker, Mountain View-based Covia Labs. Covia CEO David Kahn had sent the intern into the street to demonstrate the software. Police say Horatio Toure snatched it and sped away on a bicycle. Kahn was watching a live map of the phone's location on a computer and says he was immediately struck by how quickly the image began moving down the street. Police arrested Toure nine minutes later. [A Good Demo!] ------------------------------ Date: Thu, 29 Jul 2010 08:00:09 -0700 From: George Ledin <george.ledin_at_private> Subject: Slovenian Mariposa botnet (Ali Zerdin) A cyber mastermind from Slovenia (Iserdo) who is suspected of creating a malicious software code that infected 12 million computers worldwide and orchestrating other huge cyberscams has been arrested and questioned. His arrest comes about five months after Spanish police broke up the massive cyberscam, arresting three of the alleged ringleaders who operated the Mariposa botnet, which stole credit cards and online banking credentials. The botnet appeared in December 2008 and infected hundreds of companies and at least 40 major banks. [Source: Ali Zerdin, Cyber mastermind arrested, questioned in Slovenia, Associated Press, 28 Jul 2010; PGNed] http://www.computerworld.com/s/article/9179769/Three_arrested_in_connection_with_Mariposa_botnet http://news.yahoo.com/s/ap/20100728/ap_on_hi_te/eu_slovenia_cyber_bust http://lenta.ru/news/2010/07/28/mariposa/ [in Russian] ------------------------------ Date: Thu, 29 Jul 2010 08:00:09 -0700 From: George Ledin <george.ledin_at_private> Subject: Android wallpaper malware Questionable Android mobile wallpaper app that collects your personal data (browsing history, text messages, your phone's SIM card number, subscriber identification, and even your voicemail password, as long as it is programmed automatically into your phone) and sends it to www.imnet.us (owned by someone in China). It has been downloaded more than a million times, according to Lookout speakers at Black Hat on 28 Kul 2010. The app in question came from Jackeey Wallpaper, and it was uploaded to the Android Market for use on Google Android. [Source: Dean Takahashi, MobileBeat; PGN-ed] http://mobile.venturebeat.com/2010/07/28/android-wallpaper-app-that-steals-your-data-was-downloaded-by-millions/ ------------------------------ Date: Mon, 26 Jul 2010 9:48:33 PDT From: "Peter G. Neumann" <neumann_at_private> Subject: Slashdot: Online banking Trojan horse Original in Dutch: http://yro.slashdot.org/story/10/07/25/1954216/Online-Banking-Trojan-Stole= -Money-From-Belgians?from=3Drss&utm_source=3Dfeedburner&utm_medium=3Dfeed&= utm_campaign=3DFeed%3A+Slashdot%2Fslashdot+%28Slashdot%29 Google-Translated into English: http://translate.google.com/translate?js=3Dy&prev=3D_t&hl=3Den&ie=3DUTF-8&= layout=3D1&eotf=3D1&u=3Dhttp%3A%2F%2Fwww.hbvl.be%2Fnieuws%2Fgeldzaken%2Fai= d956766%2Fbelgisch-gerecht-ontdekt-grootschalige-bankfraude.aspx&sl=3Dnl&t= l=3Den ------------------------------ Date: Wed, 28 Jul 2010 17:49:45 -0400 From: Dave Farber <dave_at_private> Subject: [IP] Personal Info For 100 Million Facebook Users Harvested Into One File - The Consumerist http://consumerist.com/2010/07/personal-info-for-100-million-facebook-users-harvested-into-one-file.html ------------------------------ Date: Mon, 26 Jul 2010 9:45:36 PDT From: "Peter G. Neumann" <neumann_at_private> Subject: WikiLeaks classified documents Some 92,000 individual reports in all were made available to *The New York Times* and European news organizations by WikiLeaks on the condition that the papers not report on the data until 25 Jul 2010, when WikiLeaks said it intended to post the material on the Internet. WikiLeaks did not reveal where it obtained the material. WikiLeaks was not involved in the news organizations' research, reporting, analysis and writing. The Times spent about a month mining the data for disclosures and patterns, verifying and cross-checking with other information sources, and preparing the articles that are published today. The three news organizations agreed to publish their articles simultaneously, but each prepared its own articles. [Source: *The NYT*, 26 Jul 2010, PGN-ed] http://www.nytimes.com/2010/07/26/world/26editors-note.html See also http://www.nytimes.com/interactive/world/26warlogs.html ------------------------------ Date: Wed, 21 Jul 2010 12:19:22 PDT From: "Peter G. Neumann" <neumann_at_private> Subject: Risks of free-text fields in medical records [Source: dkross] JAMIA 2010;17:472-476 doi:10.1136/jamia.2010.003335 * Case report An unintended consequence of electronic prescriptions: prevalence and impact of internal discrepancies 1. Correspondence to Dr Alexander Turchin, Clinical Informatics Research and Development, Suite 201, 93 Worcester Street, Wellesley, MA 02481, USA; aturchin_at_private <mailto:aturchin_at_private> Many e-prescribing systems allow for both structured and free-text fields in prescriptions, making possible internal discrepancies. This study reviewed 2914 electronic prescriptions that contained free-text fields. Internal discrepancies were found in 16.1% of the prescriptions. Most (83.8%) of the discrepancies could potentially lead to adverse events and many (16.8%) to severe adverse events, involving a hospital admission or death. Discrepancies in doses, routes or complex regimens were most likely to have a potential for a severe event (p=0.0001). Discrepancies between structured and free-text fields in electronic prescriptions are common and can cause patient harm. Improvements in electronic medical record design are necessary to minimize the risk of discrepancies and resulting adverse events. ------------------------------ Date: Wed, 21 Jul 2010 17:51:19 -0400 (EDT) From: msb_at_private (Mark Brader) Subject: Photo fakery in the news again A photo posted by BP supposedly showing the company's oil spill command center was apparently a Photoshopped collage of a picture with blank screens from March 2001 that had been altered to seemingly show recent screen content. The image was posted on BP's Web site and was distributed by the Associated Press and possibly other news services. It appeared prominently on CBSNews.com. [Source: Ken Millstone, CBS News, 20 Jul 2010; PGN-ed] http://www.cbsnews.com/stories/2010/07/20/national/main6695900.shtml ------------------------------ Date: Wed, 28 Jul 2010 18:55:33 -0700 From: Lauren Weinstein <lauren_at_private> Subject: ICANN touts DNSSEC as tool to fight "Internet Criminals" [From Network Neutrality Squad] ICANN touts DNSSEC as tool to fight "Internet Criminals" ICANN said the DNSSEC would eventually allow Internet users to know "with certainty" that they have been directed to the Web site they sought. "This upgrade will help disrupt the plans of criminals around the world who hope to exploit this crucial part of the Internet infrastructure to steal from unsuspecting people," ICANN President and CEO Rod Beckstrom said in a statement." http://bit.ly/aQ4Vmr (Tech Daily Dose) - - - While the implementation of DNSSEC is certainly important, and the avoidance of DNS cache poisoning attacks is clearly very useful, ICANN's "Dragnet-esque" pronouncements about fighting crime strike me as highly ironic. The simple fact is that "Internet criminals" have a vast array of tools in their arsenal to misdirect users, and few of these depend on cache poisoning or DNS manipulation. Much of the crime is enabled by the fundamental design of the domain name registry/registrars ecosystem, which enables crooks to easily create and abandon completely valid "disposable" domains that are only used for short periods of time and cannot be reasonable tracked to their owners. In fact, through their plans to unleash vast numbers of new Top Level Domains (TLDs) on the Internet -- perhaps hundreds in the first year -- ICANN will only be increasing the confusion of consumers and providing fresh juice for criminal operations. Most Internet users aren't calling for new TLDs -- they mainly think in terms of dot-com and that's unlikely to change any time soon. The main push for new TLDs is from would-be registry operators and their registrar cohorts, who see the promise of big bucks from the rush of purely defensive domain registrations that occur when every new TLD opens. So as far as I'm concerned, ICANN isn't winning the "Joe Friday" crime-fighter award any time soon. ------------------------------ Date: Wed, 21 Jul 2010 11:06:52 -0700 From: Gene Wirchenko <genew_at_private> Subject: To Change or Not to Change Passwords? System vulnerable to default password use? Change the passwords? Well, maybe not: http://www.itbusiness.ca/it/client/en/home/news.asp?id=58452 Leave passwords alone, Siemens warns customers hit by Stuxnet worm 7/21/2010 6:00:00 AM By: Robert McMillan Although a newly discovered worm could allow criminals to break into Siemens' industrial automation systems using a default password, Siemens is telling customers to leave their passwords alone. That's because changing the password could disrupt the Siemens system, potentially throwing large-scale industrial systems that it manages into disarray. "We will be publishing customer guidance shortly, but it won't include advice to change default settings as that could impact plant operations," said Siemens Industry spokesman Michael Krampe in an e-mail message Monday. I think Siemens did not do too well in security design. ------------------------------ Date: Thu, 22 Jul 2010 11:07:58 -0400 From: Valdis.Kletnieks_at_private Subject: Re: Cal payroll data system cannot be changed (RISKS-26.10) As I saw reported in one (singular, unitary, not repeated a second time) story on this debacle, the *real* problem isn't that they can't reprogram the computers and databases to change salaries. The *real* problem is that the *actual* request is to *disburse* to the employees a different amount than what they earned. Think about that for a moment. Doesn't matter if it's a salary position paying $4,329/month or a temp position paying $10/hour - everybody is *given* the equivalent of minimum wage *and then we need to keep track of what we owe them* so we can cut them a reimbursement check when funds become available. That's after we figure out what the equivalent of minimum wage is for each of the zillions of different employment contracts with differing hours-worked rules, double-time for working a holiday, and so on. of And then the darn thing propagates through the system - what do we do with the report that tells a business unit how much is left in their budget for salaries? They may have had $750K, and been debited by the total paid every payday - but now that report needs to debit that pool of money by the sum of what was paid and the owed money. And so on. Then there's the accounting issues if the mess crosses a fiscal year boundary, so that we're piling up liabilities in one year and paying them in another - that's *always* an accounting mess (hint - how much extra work do you need to do so that your accounting reports accurately reflect the real fiscal position in both fiscal years?) Oh, and that $10/hr temp position? Let's say there's $15,000 budgeted for it, so the person can work 1,500 hours. We now actually pay him $7.50/hour, and he stays on the payroll for 2,000 hours. We have to remember to *not* pay him a reimbursement afterward. Sit around for a few minutes and think of other corner cases like that. It gets to be a real headache really fast... ------------------------------ Date: Tue, 27 Jul 2010 15:38:47 +1000 From: Michael Smith <emmenjay_at_private> Subject: Re: Cal payroll data system cannot be changed (RISKS-26.10) Nobody has mentioned a possible explanation that appears (to me) to be very likely. "Lying". Governor: I'm going to cut your pay. Go and change the computers. IT Staff: Hmmm. We'll get right on to that. But it might take a while. Governor: How long? IT Staff: Just 'till after the next election. ------------------------------ Date: Sat, 24 Jul 2010 21:22:19 -0700 From: Gene Wirchenko <genew_at_private> Subject: iPhone Used Left-handed and Used by Lefthanders I am a left-hander. In reading the coverage over the iPhone antenna issue, I can not tell whether I would have been affected by the problem if I had an iPhone. Which hand does a RIGHT-hander use an iPhone with? Which hand does a LEFT-hander use an iPhone with? The answers are not necessarily right and left. Consider the answers if the questions were about baseball gloves. On the computer front, I use a mouse with my right hand for about the same reason that I would use a baseball glove on my right hand. I can scroll through a Web page with my right hand while taking notes with my left. How do you right-handers manage this? ------------------------------ Date: Mon, 26 Jul 2010 13:43:51 +0300 From: Gadi Evron <ge_at_private> Subject: Paper on the law and Implantable Devices security A new research paper from the Freedom And Law Center deals with issues that some of us keep raising these past few years, and does a good job at it - bionic hacking (or cybernetic hacking if you prefer). "Killed by Code: Software Transparency in Implantable Medical Devices" outlines some of the history of these devices and even shows some cases where devices have been recalled (likely due to software issues). Some of the paper's recommendations are especially interesting, such as to create a database of implantable devices code, so that if the vendor disappears it can still be patched (I rephrased). While unintentional, I am considered the father of this field (not that I'm complaining) and I can't even begin to tell you how excited I am that a field I have been evangelizing for some years now if finally getting more attention -- even if from the legal standpoint with the main concern of liability. Still, I can't help but maintain some skepticism that before some disaster happens (to us or others) this won't be taken too seriously. The paper can be found here: http://www.softwarefreedom.org/resources/2010/transparent-medical-devices.html Here's a 2007 Wired article covering the subject from a talk I gave, covering the subject from a different perspective: http://www.wired.com/threatlevel/2007/08/will-the-bionic/ ------------------------------ Date: Thu, 22 Jul 2010 11:39:45 -0800 From: Rob Slade <rmslade_at_private> Subject: REVIEW: "The Design of Rijndael", Joan Daemen/Vincent Rijmen BKDRJNDL.RVW 20091129 "The Design of Rijndael", Joan Daemen/Vincent Rijmen, 2002, 3-540-42580-2 %A Joan Daemen %A Vincent Rijmen %C 233 Spring St., New York, NY 10013 %D 2002 %G 3-540-42580-2 %I Springer-Verlag %O 212-460-1500 800-777-4643 service-ny_at_springer-sbm.com %O http://www.amazon.com/exec/obidos/ASIN/3540425802/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/3540425802/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/3540425802/robsladesin03-20 %O Audience s- Tech 3 Writing 1 (see revfaq.htm for explanation) %P 238 p. %T "The Design of Rijndael: AES - The Advanced Encryption Standard" This book, written by the authors of the Rijndael encryption algorithm, (the engine underlying the Advanced Encryption Standard) explains how Rijndael works, discusses some implementation factors, and presents the approach to its design. Daemen and Rijmen note the linear and differential cryptanalytic attacks to which DES (the Data Encryption Standard) was subject, the design strategy that resulted from their analysis, the possibilities of reduce round attacks, and the details of related ciphers. Chapter one is a history of the AES assessment and decision process. It is interesting to note the requirements specified, particularly the fact that AES was intended to protect "sensitive but unclassified" material. Background in regard to mathematical and block cipher concepts is given in chapter two. The specifications of Rijndael sub- functions and rounds are detailed in chapter three. Chapter four notes implementation considerations in small platforms and dedicated hardware. The design philosophy underlying the work is outlined in chapter five: much of it concentrates on simplicity and symmetry. Differential and linear cryptanalysis mounted against DES is examined in chapter six. Chapter seven reviews the use of correlation matrices in cryptanalysis. If differences between pairs of plaintext can be calculated as they propagate through the boolean functions used for intermediate and resultant ciphertext, then chapter eight shows how this can be used as the basis of differential cryptanalysis. Using the concepts from these two chapters, chapter nine examines how the wide trail design diffuses cipher operations and data to prevent strong linear correlations or differential propagation. There is also formal proof of Rijndael's resistant construction. Chapter ten looks at a number of cryptanalytic attacks and problems (including the infamous weak and semi-weak keys of DES) and notes the protections provided in the design of Rijndael. Cryptographic algorithms that made a contribution to, or are descended from, Rijndael are described in chapter eleven. This book is intended for serious students of cryptographic algorithm design: it is highly demanding text, and requires a background in the formal study of number theory and logic. Given that, it does provide some fascinating examination of both the advanced cryptanalytic attacks, and the design of algorithms to resist them. copyright Robert M. Slade, 2009 BKDRJNDL.RVW 20091129 rslade_at_private slade_at_private rslade_at_private victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html ------------------------------ Date: Thu, 29 May 2008 07:53:46 -0900 From: RISKS-request_at_private Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe: http://lists.csl.sri.com/mailman/listinfo/risks Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request_at_private containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe_at_private or risks-unsubscribe_at_private depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc. => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html> The full info file may appear now and then in RISKS issues. *** Contributors are assumed to have read the full info file for guidelines. => .UK users should contact <Lindsay.Marshall_at_private>. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail! => SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line. *** NOTE: Including the string "notsp" at the beginning or end of the subject *** line will be very helpful in separating real contributions from spam. *** This attention-string may change, so watch this space now and then. => ARCHIVES: ftp://ftp.sri.com/risks for current volume or ftp://ftp.sri.com/VL/risks for previous VoLume <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue. Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r <http://the.wiretapped.net/security/info/textfiles/risks-digest/> . ==> PGN's comprehensive historical Illustrative Risks summary of one liners: <http://www.csl.sri.com/illustrative.html> for browsing, <http://www.csl.sri.com/illustrative.pdf> or .ps for printing ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 26.12 ************************Received on Fri Jul 30 2010 - 14:22:55 PDT
This archive was generated by hypermail 2.2.0 : Fri Jul 30 2010 - 15:38:24 PDT