[RISKS] Risks Digest 26.81

From: RISKS List Owner <risko_at_private>
Date: Fri, 4 May 2012 12:48:03 PDT
RISKS-LIST: Risks-Forum Digest  Friday 4 May 2012  Volume 26 : Issue 81

Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can be found at

Fed report on that Southern California blackout (Danny Burstein)
How to handle voter registration (Douglas A. Kellner)
Re: The Power of Individual Voters to Transform Their Government
  (Mark E. Smith)
North Korea jamming commercial airliner GPS? (PGN)
Ars Technica on "back doors" in critical systems (Dan Goodin via C Y Cripps)
"Microsoft detects new malware targeting Apple computers" (Jeremy Kirk via
  Gene Wirchenko)
Data breaches in Massachusetts (Jenn Abelson via Monty Solomon)
Tiny memory card causes unusual trouble for police (Mark Brader)
Thwarting the Cleverest Attackers (Larry Hardesty via ACM TechNews)
How to Muddy Your Tracks on the Internet (Kate Murphy via Monty Solomon)
"Canadians hit by bogus Microsoft Help calls" (Gene Wirchenko)
"Bad stats sink cyber crime costs claims" (Bill Snyder via Gene Wirchenko)
DiscoverCard stores passwords in plaintext, e-mails them on request
  (Gregory Marton)
"iPad in the enterprise: prepare for guerilla tactics" (Gene Wirchenko)
Re: CIA's Secret Fear: High-Tech Border Checks Will Blow Spies' Cover
  (Geoff Kuenning)
Re: Airline pilot distracted by new text messages (Peter Bernard Ladkin)
Harvard and M.I.T. Team Up to Offer Free Online Courses (Tamar Lewin via
  ACM TechNews)
Re: Harvard Library open access? (Jurek Kirakowski)
Re: "Did first DDOS attack sink the Titanic?" (Scott Dorsey)
Workshop on the Economics of Information Security WEIS 2012 (Jeremy Epstein)
Abridged info on RISKS (comp.risks)


Date: Tue, 1 May 2012 20:05:59 -0400 (EDT)
From: Danny Burstein <dannyb_at_private>
Subject: Fed report on that Southern California blackout

If only the utilities would talk to each other...

[from the FERC press release:]
Staff of the Federal Energy Regulatory Commission (FERC) and North American
Electric Reliability Corporation (NERC) today said the September 2011
blackout that left 2.7 million customers in Southern California, Arizona and
Baja California without power stemmed from operating in an unsecured state
due to inadequate planning and a lack of observability and awareness of
system operating conditions on the day of the event.  ....  (it all started
with) the loss of Arizona Public Service's (APS) Hassayampa-North Gila 500
kV transmission line.

That line loss itself did not cause the blackout, but it did initiate a
sequence of events that led to the blackout, exposing grid operators' lack
of adequate real-time situational awareness of conditions throughout the
Western Interconnection.

More effective review and use of information would have helped operators
avoid the cascading blackout. For example, had operators reviewed and heeded
their Real Time Contingency Analysis results prior to the loss of the APS
line, they could have taken corrective actions, such as dispatching
additional generation or shedding load, to prevent a cascading outage.



Date: Thu, 26 Apr 2012 14:22:19 -0400
From: "Douglas A. Kellner" <Douglas.Kellner_at_private>
Subject: How to handle voter registration

The real solution is election day registration, or even better, the
elimination of "voter registration" as we now know it.

There should be a presumption that every American citizen over the age of 18
is entitled to vote, unless that person has been formally disqualified by
court order.

North Dakota has no voter registration, and last time I counted, there
were 8 states with election day voter registration.

Several states have started to combine their voter registration database
with other databases, such as driver's licenses. It makes little sense to
incur the expense of maintaining a separate voter registration system.

As to David Jefferson's observation that "the technical community has been
so busy with voting itself that we have never had time to address
registration issues," we should realize that virtually all boards of
elections now rely heavily, if not solely, on computerized registration
databases.  There have been many reports about problems keeping these
databases current and there have been numerous controversies over
procedures for purging persons from the lists of eligible voters.

Litigation over counting provisional ballots confirms that there are a
substantial number of Americans who do not have their votes counted
because of the requirements of voter registration.  No citizen should be
denied the right to vote because she was not properly registered to vote.

Douglas A. Kellner, Co-Chair, New York State Board of Elections

  [Incidentally, Barbara Simons notes that she and Paula Hawthorn co-chaired
  a USACM study on Voter Registration Databases:


Date: Wed, 25 Apr 2012 18:34:32 -0700
From: "Mark E. Smith" <mymark_at_private>
Subject: Re: The Power of Individual Voters to Transform Their Government

Even if the Voters Rights Amendment (USVRA) were passed and ratified, which
is extremely unlikely because it would have to be passed and ratified by
politicians who are now in office due to the current corrupt system and not
apt to want it to change, millions of voters writing in the names of whoever
they wished would have no effect on the results. The central tabulators
would just flip as many of those votes as needed to the major candidates and
there is no way to verify it even when it is obvious, as when the woman who
voted for a Green candidate complained that the results showed he had gotten
no votes in her precinct.

Just because you use a paper ballot, don't think you're not using a voting
machine.  Your paper ballot will be fed into an optical scanner and the
memory card from the scanner will go to a central tabulator to be "counted."
More than 90% of the votes in the US are tallied by these unverifiable
central tabulators. And that's only if the Supreme Court is gracious enough
to allow the votes to be counted at all.

Here in San Diego we elected a write-in candidate for Mayor.  The Registrar
threw out more than 5,000 votes because the optical scanners wouldn't accept
the write-in votes unless a little bubble next to them was filled in. So a
new election was held and this time the candidate we'd elected was on the
ballot and won by a two-to-one or three-to-one margin at the polling
places.  But the new Registrar (the old one had resigned) "forgot" to notify
the official observers when the mail-in ballots were counted, and announced
that mail-in voters outnumbered and had voted differently from all other
local voters and that our candidate had lost. But so many people had turned
out that they didn't have a big enough margin to install the candidate the
1% wanted, so they held a third "election" and this time the 1% got their
way, as they usually do.

The only way to get honest elections is to refuse to vote until we do. If
you're willing to vote in elections where your vote doesn't have to be
counted and isn't verifiable, you have no leverage with which to demand
honest elections. Boycott 2012!

  [I don't think that is the *only* way, or even a *viable* way, because
  that could result in your having zero leverage and *never* being counted.
  As RISKS readers are generally aware, achieving real election integrity is
  an enormous problem, and requires total-system approaches that address
  hardware, software, and operational procedures within the entire
  beginning-to-end life cycle.  PGN]


Date: Fri, 4 May 2012 6:24:30 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: North Korea jamming commercial airliner GPS?





Date: Mon, 30 Apr 2012 05:49:21 -0400 (EDT)
From: C Y Cripps <cycmn_at_private>
Subject: Ars Technica on "back doors" in critical systems (Dan Goodin)

Dan Goodin, 25 Apr 2012
Backdoor in mission-critical hardware threatens power, traffic-control systems

Like a key under a doormat, the MAC address exposed here allows hackers to
tamper with this Internet-connected RuggedCom device, used to control power
substations and other critical infrastructure.

In the world of computer systems used to flip switches, open valves, and
control other equipment inside giant electrical substations and railroad
communications systems, you'd think the networking gear would be locked down
tightly to prevent tampering by vandals. But for customers of Ontario,
Canada-based RuggedCom, there's a good chance those Internet-connected
devices have backdoors that make unauthorized access a point-and-click

That's because equipment running RuggedCom's Rugged Operating System has an
undocumented account that can't be modified and a password that's trivial to
crack.  What's more, researchers say, for years the company hasn't bothered
to warn the power utilities, military facilities, and municipal traffic
departments using the industrial-strength gear that the account can give
attackers the means to sabotage operations that affect the safety of huge
populations of people.

"You treat these embedded appliances as a device that you don't have a
window to see into," says researcher K. Reid Wightman of industrial
machinery, which is often designed to withstand extreme heat and cold, dust,
and other brutal conditions where they're housed. "You can't really patch
it. You have to rely on the vendor to do the right thing when they set the
device up and when they install the OS. And the vendor really fell down on
this one."

The backdoor uses the login ID of "factory" and a password that's recovered
by plugging the MAC, or media access control, address of the targeted device
into a simple Perl script, according to this post published on Monday to the
Full Disclosure security list. To make unauthorized access easy, paying
customers of the Shodan computer search engine can find the IP numbers of
more than 60 networks that use the vulnerable equipment. The first thing
users who telnet into them see, as the picture above demonstrates, is its
MAC address.  [Long item truncated for RISKS.  PGN]


Date: Thu, 03 May 2012 10:22:08 -0700
From: Gene Wirchenko <genew_at_private>
Subject: "Microsoft detects new malware targeting Apple computers"
  (Jeremy Kirk)

Jeremy Kirk, IDG News Service, *InfoWorld*, 2 May 2012
Users should be sure their Mac version of Office has up-to-date patches

  Microsoft has detected a new piece of malware targeting Apple OS X
  computers that exploits a vulnerability in the Office productivity suite
  patched nearly three years ago.  The malware is not widespread, wrote
  Jeong Wook Oh of Microsoft's Malware Protection Center. But it does show
  that hackers pay attention if it's found people do not apply patches as
  those fixes are released, putting their computers at a higher risk of
  becoming infected.


Date: Thu, 26 Apr 2012 11:19:13 -0400
From: Monty Solomon <monty_at_private>
Subject: Data breaches in Massachusetts (Jenn Abelson)

Jenn Abelson, *The Boston Globe*, 24 Apr 2012
3.2 million people in Massachusetts have had data lost, stolen
4-year study shows consumers need more safeguards

Nearly half of Massachusetts residents have had their personal information
lost or stolen as a result of about 1,800 data breaches over the past four
years, according to a new report from the state's Office of Consumer Affairs
and Business Regulation. ...



Date: Thu,  3 May 2012 15:58:12 -0400 (EDT)
From: msb_at_private (Mark Brader)
Subject: Tiny memory card causes unusual trouble for police

Last weekend at Mt. Woodside, BC, Canada, hang-gliding instructor pilot Jon
Orders was conducting a tandem training flight with student Lenami Godinez
when she fell to the ground and was killed.  The accident is under

The hang glider was equipped with a digital camera that might well show what
happened, but police currently do not have access to the images because
Orders *swallowed the memory card*.  Authorities say he has been X-rayed and
the card is confirmed to be in his digestive system.  On a CTV News report I
saw last night, they pointed out that the card used by this camera is much
smaller than those of older models -- about the size of my thumbnail.

Facing charges of obstruction of justice, Orders has been ordered held
without bail until the card emerges.



Mark Brader, Toronto, msb_at_private | "Fast, cheap, good: choose any two."

  [One swallow does a plumber make, unless it's an Obstruction of Just-Us,
  don't Bust-Us...  PGN]


Date: Fri, 4 May 2012 11:18:17 -0400
From: ACM TechNews <technews_at_private>
Subject: Thwarting the Cleverest Attackers (Larry Hardesty)

Larry Hardesty, *MIT News*, 1 May 2012

The threat of side-channel attacks is growing with the expanding popularity
of cloud computing, and a general strategy for ameliorating such attacks was
recently posted by Massachusetts Institute of Technology (MIT) researchers
on the Web site of the Electronic Colloquium on Computational Complexity.
The technique masks a computer program's computational details by converting
a given computation into a sequence of smaller computational modules.  Data
entered within the first module is encrypted and never decrypted during
execution, and then the first module's still-encrypted output is fed to the
second module, which encrypts it differently, and so on.  The final module's
output is the same output of the original computation, but the operations
performed by the individual modules are completely different.  Although the
instruction that inaugurates a new module is identical to the instruction
that concluded the last one, the modules are executed on different servers
on a network.  MIT professor Shafi Goldwasser says this method could thwart
attacks on private information as well as on devices that shield proprietary
algorithms to prevent reverse-engineering.


Date: Thu, 3 May 2012 19:45:33 -0400
From: Monty Solomon <monty_at_private>
Subject: How to Muddy Your Tracks on the Internet (Kate Murphy)

Kate Murphy, *The New York Times*, 3 May 2012

Legal and technology researchers estimate that it would take about a month
for Internet users to read the privacy policies of all the Web sites they
visit in a year. So in the interest of time, here is the deal: You know that
dream where you suddenly realize you're stark naked? You're living it
whenever you open your browser.

There are no secrets online. That emotional e-mail you sent to your ex, the
illness you searched for in a fit of hypochondria, those hours spent
watching kitten videos (you can take that as a euphemism if the kitten fits)
- can all be gathered to create a defining profile of you.

Your information can then be stored, analyzed, indexed and sold as a
commodity to data brokers who in turn might sell it to advertisers,
employers, health insurers or credit rating agencies.

And while it's probably impossible to cloak your online activities fully,
you can take steps to do the technological equivalent of throwing on a pair
of boxers and a T-shirt. Some of these measures are quite easy and many are
free. Of course, the more effort and money you expend, the more concealed
you are. The trick is to find the right balance between cost, convenience
and privacy. ...


Date: Fri, 04 May 2012 11:21:04 -0700
From: Gene Wirchenko <genew_at_private>
Subject: "Canadians hit by bogus Microsoft Help calls"

Canadians hit by bogus Microsoft Help calls
Here's how you can protect yourself against this scam.
5/3/2012 11:13:00 AM By: ITBusiness Staff


Date: Thu, 19 Apr 2012 13:14:07 -0700
From: Gene Wirchenko <genew_at_private>
Subject: "Bad stats sink cyber crime costs claims" (Bill Snyder)

Bill Snyder, InfoWorld, 19 Apr 2012 [PGN-ed]
Microsoft researchers find that estimates of damages caused by cyber
crime are wildly inflated -- and increase the danger

If you follow computer security and have a good memory, you might remember a
story from early 2009 that claimed cyber crime costs businesses as much as
$1 trillion in just one year -- that's "trillion" with a "t." The version I
saw was by Cnet writer Elinor Mills, whom I've always considered quite
reliable. Somehow, her reporter's BS detector didn't go off, and she
regurgitated that wild assertion by McAfee, a company that makes a living
selling security products and services.

I had forgotten about that story until I came across a study by two
Microsoft researchers who took the trouble to look hard at the facts behind
the cyber crime scare stories, which persist to this day. Their paper, with
the appealingly sensational title of "Sex, Lies and Cybercrime Surveys," is
a rigorous debunking of the wildly inflated claims spread by security
companies, law enforcement, and credulous journalists.  I don't mean to pick
on McAfee or Mills, but as I've written more than once, neither IT nor the
public benefit from security scare stories.  Indeed, the more security
companies cry wolf, the less likely it is that well-founded warnings will be
heeded.

Consider how much money we're talking about when McAfee claims that
cyber crime costs $1 trillion a year. The requested federal defense
budget for the United States for fiscal year 2013 is just (!) $525.4
billion. The total profits derived from the global trade in illegal
drugs were pegged at $600 billion by the International Monetary Fund in

Is cyber crime really a bigger source of revenue than the drug trade?
Hard to believe.

Enter Dinei Florencio and Cormac Herley, the authors of the Microsoft
study, who say, "One recent estimate placed annual direct consumer
losses [from cyber crime] at $114 billion worldwide. It turns out,
however, that such widely circulated cyber crime estimates are generated
using absurdly bad statistical methods, making them wholly unreliable."

You'll notice that the figure they call wholly unreliable is just
one-tenth the size of the McAfee assertion.

The researchers make the point that most estimates of damage are reached
via surveys. Using surveys seems like a good strategy until you realize
that researchers start with what appears to be a hard number provided by
respondents, then extrapolate to a larger population: "Suppose we asked
5,000 people to report their cyber crime losses, which we will then
extrapolate over a population of 200 million. Every dollar claimed gets
multiplied by 40,000. A single individual who falsely claims $25,000 in
losses adds a spurious $1 billion to the estimate. And because no one
can claim negative losses, the error can't be canceled" through
averaging, as happens somewhat when people choose from ranges.

They go on to say the cyber crime surveys they've examined "exhibit
exactly this pattern of enormous, unverified outliers dominating the
data. In some, 90 percent of the estimate appears to come from the
answers of one or two individuals," Florencio and Herley state. [...]

  [See Snyder's url for the rest of the story and references.  PGN]
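The Florencio/Herley extrapolation argument quoted above, worked through in
code. This is an added example with constructed figures, not code from the
paper or from Snyder's article: every reported dollar is scaled by
population / sample size, so a single unverified $25,000 answer in a sample
of 5,000 adds $1 billion to an estimate over 200 million people, and because
nobody can report a negative loss the exaggeration never averages out. The
winsorizing check at the end shows how much of the headline number rests on
that one answer. The 5,000 constructed responses are chosen to match the
numbers in the quotation and are not survey data.

```python
"""Survey extrapolation diagnostics for the Florencio/Herley argument:
a handful of unverified outliers can dominate an extrapolated loss estimate.
Added example with constructed data; not from the paper or the article."""
from dataclasses import dataclass

SAMPLE_SIZE = 5_000          # respondents, as in the quoted example
POPULATION = 200_000_000     # population the survey is extrapolated to


@dataclass(frozen=True)
class Estimate:
    total_reported: float    # dollars reported by the whole sample
    scale_factor: float      # population / sample size
    extrapolated: float      # total_reported * scale_factor
    top_share: float         # fraction of the estimate owed to the k largest answers


def scale_factor(sample_size: int, population: int) -> float:
    """Every reported dollar is multiplied by population / sample_size."""
    if sample_size <= 0:
        raise ValueError("sample_size must be positive")
    return population / sample_size


def extrapolate(losses: list[float], population: int, k: int = 1) -> Estimate:
    """Naive survey extrapolation plus the share of the result owed to the k
    largest answers.  Losses are non-negative: a respondent can overstate a
    loss without bound but understate it by at most its true value, so the
    overstatements are never cancelled by averaging."""
    if not losses:
        raise ValueError("empty sample")
    if min(losses) < 0:
        raise ValueError("a loss survey cannot record negative losses")
    factor = scale_factor(len(losses), population)
    total = sum(losses)
    top = sum(sorted(losses, reverse=True)[:k])
    return Estimate(total, factor, total * factor, top / total if total else 0.0)


def winsorized_extrapolate(losses: list[float], population: int, k: int = 1) -> float:
    """Robustness check: cap the k largest answers at the (k+1)-th largest
    before extrapolating.  If this moves the estimate by a large factor, the
    headline number rests on a few outliers rather than on the sample."""
    if len(losses) <= k:
        raise ValueError("sample too small to winsorize")
    ordered = sorted(losses, reverse=True)
    cap = ordered[k]
    return extrapolate([min(x, cap) for x in ordered], population).extrapolated


def constructed_survey() -> list[float]:
    """Constructed sample, not real survey data: 4,900 respondents report no
    loss, 99 report a plausible $100 each, one reports an unverified $25,000."""
    return [0.0] * 4_900 + [100.0] * 99 + [25_000.0]


if __name__ == "__main__":
    sample = constructed_survey()
    est = extrapolate(sample, POPULATION)
    print(f"scale factor: x{est.scale_factor:,.0f}")
    print(f"naive estimate: ${est.extrapolated:,.0f}")
    print(f"share from the single largest answer: {est.top_share:.1%}")
    print(f"winsorized estimate: ${winsorized_extrapolate(sample, POPULATION):,.0f}")
```

Run on the constructed sample, the naive estimate is about $1.4 billion, of
which the one $25,000 answer supplies $1 billion (roughly 72%); capping that
answer at the next-largest response drops the estimate to $400 million. A
survey report that does not publish this kind of sensitivity figure gives the
reader no way to tell the two situations apart.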


Date: Sun, 29 Apr 2012 23:14:26 -0400
From: Gregory Marton <gremio_at_private>
Subject: DiscoverCard stores passwords in plaintext, e-mails them on request

I just had the misfortune of mistyping my discovercard.com password four
times.  Now locked out, I had to get an agent on a chat session.  She
verified only my e-mail address (verifying that it was the one on file), and
immediately caused a message to be sent to that address with my password in
plain text.

I pointed out to her the RISK: that were that e-mail compromised, e.g. even
by someone looking over my shoulder, they'd have my password, and that if I
happened to use similar passwords on other sites then the attacker would
potentially get access to multiple accounts.  She got this and agreed to
lodge a complaint, but she wondered how they could do better.

Hasn't it been the industry standard for a very long time now to send a
rapidly expiring reset link?  I even think discovercard did that in the
past.  Is there reason to move *away* from hashed passwords and reset links
to plaintext?  Perhaps too many people forget and use recovery options each

I forgot to ask if the agent could see the password.  That would be another

Gregory A. Marton 617-858-0775 http://goo.gl/Ne09o http://csail.mit.edu/~gremio
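The reset-link flow Marton is asking about, as an added example; this is not
DiscoverCard's code and nothing in it comes from the original post. The
server keeps only a salted hash of the password, and for account recovery it
mails a random, single-use token with a short lifetime, storing just a hash
of that token. The e-mail then carries nothing that an over-the-shoulder
reader or a mailbox thief can reuse after a few minutes, and an agent with
database access cannot read the password back either. The 15-minute link
lifetime and the PBKDF2 work factor are assumed values.

```python
"""Password-reset flow that never needs the plaintext password: a salted
password hash at rest, and for recovery a random single-use token with a
short lifetime of which the server keeps only a hash.
Added example; not DiscoverCard's code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

RESET_TTL_SECONDS = 15 * 60      # assumed lifetime of a reset link
PBKDF2_ITERATIONS = 200_000      # assumed work factor


@dataclass
class Account:
    email: str
    salt: bytes
    password_hash: bytes         # only a salted hash is kept; nobody can read the password back


@dataclass
class ResetRequest:
    token_hash: bytes            # hash of the token that went into the e-mail
    expires_at: float
    used: bool = False


def _password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def _token_hash(token: str) -> bytes:
    # Storing only the hash means a leaked database yields no usable reset link.
    return hashlib.sha256(token.encode("ascii")).digest()


class AccountStore:
    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}
        self._resets: Dict[str, ResetRequest] = {}

    def create(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._accounts[email] = Account(email, salt, _password_hash(password, salt))

    def verify_password(self, email: str, password: str) -> bool:
        acct = self._accounts.get(email)
        if acct is None:
            return False
        return hmac.compare_digest(acct.password_hash, _password_hash(password, acct.salt))

    def issue_reset(self, email: str, now: float) -> Optional[str]:
        """Returns the token to embed in the e-mailed link, or None for an
        unknown address.  A real handler answers both cases with the same
        message so the form does not confirm which addresses have accounts."""
        if email not in self._accounts:
            return None
        token = secrets.token_urlsafe(32)
        self._resets[email] = ResetRequest(_token_hash(token), now + RESET_TTL_SECONDS)
        return token

    def redeem_reset(self, email: str, token: str, new_password: str, now: float) -> bool:
        """Accepts the token once, before expiry, and replaces the password hash."""
        req = self._resets.get(email)
        if req is None or req.used or now > req.expires_at:
            return False
        if not hmac.compare_digest(req.token_hash, _token_hash(token)):
            return False
        req.used = True
        salt = secrets.token_bytes(16)
        self._accounts[email] = Account(email, salt, _password_hash(new_password, salt))
        return True
```

Two points the code makes concrete: the link in the mail is worthless once
redeemed or once the clock passes expires_at, and the compare of both the
password and the token uses hmac.compare_digest so a guess cannot be timed.
Sending the password itself, as described above, gives up both properties.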


Date: Wed, 02 May 2012 08:20:12 -0700
From: Gene Wirchenko <genew_at_private>
Subject: "iPad in the enterprise: prepare for guerilla tactics"

iPad in the enterprise: prepare for guerilla tactics
IT departments have to stay ahead of the curve to deal with rogues
bringing in the iPad
5/1/2012 2:14:00 PM By: Tom Kaneshige


Date: Wed, 18 Apr 2012 23:47:55 -0700
From: Geoff Kuenning <geoff_at_private>
Subject: Re: CIA's Secret Fear: High-Tech Border Checks Will Blow Spies' Cover
  (Schaefer, RISKS-26.80)

> Who would have guessed that this would happen - high-tech security is
> getting so good at border crossings that it can actually catch spies.

I just have to laugh.  For all of history, governments have worked on the
principle that they could do with impunity what they prevented their
citizens from doing.  Usually, we have agreed that such actions were
appropriate and moral (e.g., imprisoning criminals), but there has always
been a tradition of overstepping bounds.  Now, eagerly embraced technology
has made it more difficult to dodge repression.  And I'll bet that no
government, my own included, foresaw that the very tools they were deploying
to control their own population would also prevent them from freely
misbehaving when they chose to do so.

Geoff Kuenning   geoff@private   http://www.cs.hmc.edu/~geoff/


Date: Thu, 26 Apr 2012 21:06:45 +0200
From: Peter Bernard Ladkin <ladkin_at_private-bielefeld.de>
Subject: Re: Airline pilot distracted by new text messages (Flacy, R-26.80)

Monty Solomon forwarded to RISKS an article by a certain Mike Flacy in
Digital Trends, who misreports a landing incident with a Jetstar A320 at
Singapore Changi.

Flacy's main claim is flat wrong: the phone incident and the landing gear
selection are separate events. The title of the story in Risks is also
wrong: the captain, whose phone was involved, was the Pilot Not Flying
(PNF), so he didn't "botch the landing". The short report is at

The phone incident concerned beeping from the reception of text messages,
and occurred about three minutes from anticipated landing. The PF called for
a missed-approach target altitude of 5,000 ft to be set in the
automation. The PNF missed that call, and told the investigators it was
because he was turning off his phone so as not to be distracted by further

The crew did not execute the landing checklist, and were not in a stabilised
approach at 1,000 ft as per company procedures. They were warned by the
aircraft systems that the gear was not down at about a minute before
anticipated landing, some two minutes after the phone incident. The pilot
flying (PF), the First Officer, prepared at that point to go around; the PNF
lowered the gear and put in more flaps. Neither of them communicated their
intent to the other about these contradictory actions.

The ATSB says that the crew failed to execute proper procedures, and also
failed to communicate effectively with each other, during their approach to
landing, a flight phase which takes place over a number of minutes. The
progress of the flight during approach to landing merits 20 paragraphs and 7
paragraph-size footnotes on about three pages. The phone incident merits
just two of those, about 140 words. The other nine-tenths of the description
details all the other things that did not go as they should have.

RISKS readers may judge for themselves why Flacy chose to mislead his
readers. Me, I am fed up with people writing crap about commercial aviation
incidents but I guess it is not going to stop soon.

Peter Bernard Ladkin, Causalis Limited and University of Bielefeld
www.causalis.com  www.rvs.uni-bielefeld.de


Date: Fri, 4 May 2012 11:18:17 -0400
From: ACM TechNews <technews_at_private>
Subject: Harvard and M.I.T. Team Up to Offer Free Online Courses (Tamar Lewin)

Tamar Lewin, *The New York Times*, 2 May 2012

Harvard University and the Massachusetts Institute of Technology (MIT)
announced a plan to offer free massively open online courses under their edX
partnership.  Overseeing edX will be a nonprofit organization that Harvard
and MIT will govern equally, and each school has pledged $30 million to the
initiative.  EdX's inaugural president will be Anant Agarwal, director of
MIT's Computer Science and Artificial Intelligence Laboratory, while
Harvard's contribution will be supervised by provost Alan M. Garber.
University officials say the new online platform would be used to research
educational technologies and methods as well as to build a global community
of online students.  Included in the edX project will be engineering courses
and humanities courses, in which crowdsourcing or software may be used to
grade essays.  Harvard Corporation's Lawrence S. Bacow says education
technology currently lacks "an online platform that gives faculty the
capacity to customize the content of their own highly interactive courses."
The edX effort faces competition from similar partnerships between Stanford,
Princeton, the University of Pennsylvania, the University of Michigan, and
Coursera.  The rapid evolution of online education technology is such that
those in the new ventures say the courses are still in an experimental


Date: Thu, 26 Apr 2012 13:24:09 +0100
From: "Jurek Kirakowski" <jzk_at_private>
Subject: Re: Harvard Library open access? (RISKS-26.80)

The Harvard Library initiative is in the air all right. Less influential
centres of learning usually let everyone else do the running - other
universities, HEA, funders e.g. EPSRC insisting that publicly funded 
research be available on open access.

See UK projects in this direction:

And examples of directories:

The problem then becomes one of managing the information and data, making it
findable and accessible, tracking impact and ensuring its long term

Kuali OLE  http://kuali.org/ole
Huddersfield University.

The RISK is that the infrastructure to manage, evaluate, and preserve the
flow of publication information that regular publishers have built up over
the years is sidelined, and although many readers of these columns may well
feel that nothing could possibly go wrong with keeping all one's information
digitally forever, let me remind you that we still have Sumerian clay
tablets from around 3000 BCE but that their memory sticks do not seem to
have survived :-)

Jurek Kirakowski  http://hfrg.ucc.ie/jk


Date: Mon, 30 Apr 2012 11:20:23 -0400
From: Scott Dorsey <kludge_at_private>
Subject:  Re: "Did first DDOS attack sink the Titanic?" (Ardley, RISKS-26.80)

> The industry has yet to design a resilient call response system that can
> handle peak overloads while still attending to routine but life critical
> calls.

Not at all.  The AUTOVON system was specifically designed with that in mind.
Civilian systems don't prioritize calls and have failures when too many
stations are placing calls simultaneously because it's not cost effective to
make them robust.


Date: Fri, 4 May 2012 08:45:56 -0400
From: Jeremy Epstein <jeremy.j.epstein_at_private>
Subject: Workshop on the Economics of Information Security WEIS 2012

11th Workshop on the Economics of Information Security (WEIS),
Berlin, Germany, 25-26 June 2012

  Early Registration 31 May 2012

The Workshop on the Economics of Information Security (WEIS) is the leading
forum for interdisciplinary scholarship on information security and privacy,
combining expertise from the fields of economics, social science, business,
law, policy, and computer science. Prior workshops have explored the role of
incentives between attackers and defenders of information systems,
identified market failures surrounding Internet security, quantified risks
of personal data disclosure, and assessed investments in cyber-defense. The
2012 workshop builds on past efforts using empirical and analytic tools not
only to understand threats, but also to strengthen security and privacy
through novel evaluations of available solutions.

We encourage economists, computer scientists, legal scholars, business school
researchers, security and privacy specialists, as well as industry experts to
participate by attending the workshop.

Topics covered by the accepted research papers include:

- Optimal investment in information security
- Models and analysis of online crime
- Risk management and cyber-insurance
- Security standards and regulation
- Cyber-security policy
- Security models and metrics
- Economics of privacy and anonymity
- Behavioral security and privacy
- Vulnerability discovery, disclosure, and patching
- Cyber-defense strategy and game theory
- Incentives for information sharing and cooperation


Information security legends Ross Anderson and Bruce Schneier, both
co-founders of the workshop, review "10 Years WEIS" in a special session.
The workshop also features a panel discussion on the relation between privacy
economics and privacy policy, and a rump session, which is open for every
participant to briefly present work-in-progress or industry best practices.

The full program is available online:


Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:


End of RISKS-FORUM Digest 26.81