RISKS-LIST: Risks-Forum Digest  Friday 4 May 2012  Volume 26 : Issue 81

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/26.81.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Fed report on that Southern California blackout (Danny Burstein)
How to handle voter registration (Douglas A. Kellner)
Re: The Power of Individual Voters to Transform Their Government (Mark E. Smith)
North Korea jamming commercial airliner GPS? (PGN)
Ars Technica on "back doors" in critical systems (Dan Goodin via C Y Cripps)
"Microsoft detects new malware targeting Apple computers" (Jeremy Kirk via Gene Wirchenko)
Data breaches in Massachusetts (Jenn Abelson via Monty Solomon)
Tiny memory card causes unusual trouble for police (Mark Brader)
Thwarting the Cleverest Attackers (Larry Hardesty via ACM TechNews)
How to Muddy Your Tracks on the Internet (Kate Murphy via Monty Solomon)
"Canadians hit by bogus Microsoft Help calls" (Gene Wirchenko)
"Bad stats sink cyber crime costs claims" (Bill Snyder via Gene Wirchenko)
DiscoverCard stores passwords in plaintext, e-mails them on request (Gregory Marton)
"iPad in the enterprise: prepare for guerilla tactics" (Gene Wirchenko)
Re: CIA's Secret Fear: High-Tech Border Checks Will Blow Spies' Cover (Geoff Kuenning)
Re: Airline pilot distracted by new text messages (Peter Bernard Ladkin)
Harvard and M.I.T. Team Up to Offer Free Online Courses (Tamar Lewin via ACM TechNews)
Re: Harvard Library open access? (Jurek Kirakowski)
Re: "Did first DDOS attack sink the Titanic?" (Scott Dorsey)
Workshop on the Economics of Information Security WEIS 2012 (Jeremy Epstein)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 1 May 2012 20:05:59 -0400 (EDT)
From: Danny Burstein <dannyb_at_private>
Subject: Fed report on that Southern California blackout

If only the utilities would talk to each other...

[from the FERC press release:]

Staff of the Federal Energy Regulatory Commission (FERC) and North American Electric Reliability Corporation (NERC) today said the September 2011 blackout that left 2.7 million customers in Southern California, Arizona and Baja California without power stemmed from operating in an unsecured state due to inadequate planning and a lack of observability and awareness of system operating conditions on the day of the event.

.... (it all started with) the loss of Arizona Public Service's (APS) Hassayampa-North Gila 500 kV transmission line. That line loss itself did not cause the blackout, but it did initiate a sequence of events that led to the blackout, exposing grid operators' lack of adequate real-time situational awareness of conditions throughout the Western Interconnection. More effective review and use of information would have helped operators avoid the cascading blackout. For example, had operators reviewed and heeded their Real Time Contingency Analysis results prior to the loss of the APS line, they could have taken corrective actions, such as dispatching additional generation or shedding load, to prevent a cascading outage.

rest: http://www.ferc.gov/media/headlines/2012/2012-2/05-01-12-news-release.pdf
report: http://www.ferc.gov/legal/staff-reports/04-27-2012-ferc-nerc-report.pdf

------------------------------

Date: Thu, 26 Apr 2012 14:22:19 -0400
From: "Douglas A. Kellner" <Douglas.Kellner_at_private>
Subject: How to handle voter registration

The real solution is election day registration, or even better, the elimination of "voter registration" as we now know it. There should be a presumption that every American citizen over the age of 18 is entitled to vote, unless that person has been formally disqualified by court order. North Dakota has no voter registration, and last time I counted, there were 8 states with election day voter registration. Several states have started to combine their voter registration database with other databases, such as driver's licenses. It makes little sense to incur the expense of maintaining a separate voter registration system.

As to David Jefferson's observation that "the technical community has been so busy with voting itself that we have never had time to address registration issues," we should realize that virtually all boards of elections now rely heavily, if not solely, on computerized registration databases. There have been many reports about problems keeping these databases current and there have been numerous controversies over procedures for purging persons from the lists of eligible voters. Litigation over counting provisional ballots confirms that there are a substantial number of Americans who do not have their votes counted because of the requirements of voter registration. No citizen should be denied the right to vote because she was not properly registered to vote.

Douglas A. Kellner, Co-Chair, New York State Board of Elections

[Incidentally, Barbara Simons notes that she and Paula Hawthorn co-chaired a USACM study on Voter Registration Databases: http://usacm.acm.org/images/documents/vrd_report2.pdf PGN]

------------------------------

Date: Wed, 25 Apr 2012 18:34:32 -0700
From: "Mark E. Smith" <mymark_at_private>
Subject: Re: The Power of Individual Voters to Transform Their Government (RISKS-26.80)

Even if the Voters Rights Amendment (USVRA) were passed and ratified, which is extremely unlikely because it would have to be passed and ratified by politicians who are now in office due to the current corrupt system and not apt to want it to change, millions of voters writing in the names of whoever they wished would have no effect on the results. The central tabulators would just flip as many of those votes as needed to the major candidates and there is no way to verify it even when it is obvious, as when the woman who voted for a Green candidate complained that the results showed he had gotten no votes in her precinct.

Just because you use a paper ballot, don't think you're not using a voting machine. Your paper ballot will be fed into an optical scanner and the memory card from the scanner will go to a central tabulator to be "counted." More than 90% of the vote in the US are tallied by these unverifiable central tabulators. And that's only if the Supreme Court is gracious enough to allow the votes to be counted at all.

Here in San Diego we elected a write-in candidate for Mayor. The Registrar threw out more than 5,000 votes because the optical scanners wouldn't accept the write-in votes unless a little bubble next to them was filled in. So a new election was held and this time the candidate we'd elected was on the ballot and won by a two-to-one or three-to-one margin at the polling places. But the new Registrar (the old one had resigned) "forgot" to notify the official observers when the mail-in ballots were counted, and announced that mail-in voters outnumbered and had voted differently from all other local voters and that our candidate had lost. But so many people had turned out that they didn't have a big enough margin to install the candidate the 1% wanted, so they held a third "election" and this time the 1% got their way, as they usually do.
The only way to get honest elections is to refuse to vote until we do. If you're willing to vote in elections where your vote doesn't have to be counted and isn't verifiable, you have no leverage with which to demand honest elections. Boycott 2012!

[I don't think that is the *only* way, or even a *viable* way, because that could result in your having zero leverage and *never* being counted. As RISKS readers are generally aware, achieving real election integrity is an enormous problem, and requires total-system approaches that address hardware, software, and operational procedures within the entire beginning-to-end life cycle. PGN]

------------------------------

Date: Fri, 4 May 2012 6:24:30 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: North Korea jamming commercial airliner GPS?

http://worldnews.msnbc.msn.com/_news/2012/05/02/11498368-n-korea-accused-of-jamming-commercial-flight-signals?lite
http://www.raeng.org.uk/news/releases/shownews.htm?NewsID=633
http://www.raeng.org.uk/news/publications/list/reports/RAoE_Global_Navigation_Systems_Report.pdf

------------------------------

Date: Mon, 30 Apr 2012 05:49:21 -0400 (EDT)
From: C Y Cripps <cycmn_at_private>
Subject: Ars Technica on "back doors" in critical systems (Dan Goodin)

Dan Goodin, 25 Apr 2012
Backdoor in mission-critical hardware threatens power, traffic-control systems
http://arstechnica.com/business/news/2012/04/backdoor-in-mission-critical-hardware-threatens-power-traffic-control-systems.ars

Like a key under a doormat, the MAC address exposed here allows hackers to tamper with this Internet-connected RuggedCom device, used to control power substations and other critical infrastructure.

In the world of computer systems used to flip switches, open valves, and control other equipment inside giant electrical substations and railroad communications systems, you'd think the networking gear would be locked down tightly to prevent tampering by vandals. But for customers of Ontario, Canada-based RuggedCom, there's a good chance those Internet-connected devices have backdoors that make unauthorized access a point-and-click exercise.

That's because equipment running RuggedCom's Rugged Operating System has an undocumented account that can't be modified and a password that's trivial to crack. What's more, researchers say, for years the company hasn't bothered to warn the power utilities, military facilities, and municipal traffic departments using the industrial-strength gear that the account can give attackers the means to sabotage operations that affect the safety of huge populations of people.

"You treat these embedded appliances as a device that you don't have a window to see into," says researcher K. Reid Wightman of industrial machinery, which is often designed to withstand extreme heat and cold, dust, and other brutal conditions where they're housed. "You can't really patch it. You have to rely on the vendor to do the right thing when they set the device up and when they install the OS. And the vendor really fell down on this one."

The backdoor uses the login ID of "factory" and a password that's recovered by plugging the MAC, or media access control, address of the targeted device into a simple Perl script, according to this post published on Monday to the Full Disclosure security list. To make unauthorized access easy, paying customers of the Shodan computer search engine can find the IP numbers of more than 60 networks that use the vulnerable equipment. The first thing users who telnet into them see, as the picture above demonstrates, is its MAC address.

[Long item truncated for RISKS. PGN]

------------------------------

Date: Thu, 03 May 2012 10:22:08 -0700
From: Gene Wirchenko <genew_at_private>
Subject: "Microsoft detects new malware targeting Apple computers" (Jeremy Kirk)

Jeremy Kirk, IDG News Service, *InfoWorld*, 2 May 2012
Users should be sure their Mac version of Office has up-to-date patches
http://www.infoworld.com/d/security/microsoft-detects-new-malware-targeting-apple-computers-192205

Microsoft has detected a new piece of malware targeting Apple OS X computers that exploits a vulnerability in the Office productivity suite patched nearly three years ago. The malware is not widespread, wrote Jeong Wook Oh of Microsoft's Malware Protection Center. But it does show that hackers pay attention if it's found people do not apply patches as those fixes are released, putting their computers at a higher risk of becoming infected.

------------------------------

Date: Thu, 26 Apr 2012 11:19:13 -0400
From: Monty Solomon <monty_at_private>
Subject: Data breaches in Massachusetts (Jenn Abelson)

Jenn Abelson, *The Boston Globe*, 24 Apr 2012
3.2 million people in Massachusetts have had data lost, stolen
4-year study shows consumers need more safeguards

Nearly half of Massachusetts residents have had their personal information lost or stolen as a result of about 1,800 data breaches over the past four years, according to a new report from the state's Office of Consumer Affairs and Business Regulation. ...

http://www.boston.com/business/articles/2012/04/24/32m_in_mass_have_had_data_lost_stolen/
http://www.boston.com/business/graphics/data_security_breaches_in_mass/

------------------------------

Date: Thu, 3 May 2012 15:58:12 -0400 (EDT)
From: msb_at_private (Mark Brader)
Subject: Tiny memory card causes unusual trouble for police

Last weekend at Mt. Woodside, BC, Canada, hang-gliding instructor pilot Jon Orders was conducting a tandem training flight with student Lenami Godinez when she fell to the ground and was killed.
The accident is under investigation. The hang glider was equipped with a digital camera that might well show what happened, but police currently do not have access to the images because Orders *swallowed the memory card*. Authorities say he has been X-rayed and the card is confirmed to be in his digestive system.

On a CTV News report I saw last night, they pointed out that the card used by this camera is much smaller than those of older models -- about the size of my thumbnail.

Facing charges of obstruction of justice, Orders has been ordered held without bail until the card emerges.

http://www.vancouversun.com/news/any/6560562/story.html
http://www.cbc.ca/news/canada/british-columbia/story/2012/05/02/bc-hang-glider-pilot-bail.html

Mark Brader, Toronto, msb_at_private | "Fast, cheap, good: choose any two."

[One swallow does a plumber make, unless it's an Obstruction of Just-Us, don't Bust-Us... PGN]

------------------------------

Date: Fri, 4 May 2012 11:18:17 -0400
From: ACM TechNews <technews_at_private>
Subject: Thwarting the Cleverest Attackers (Larry Hardesty)

Larry Hardesty, *MIT News*, 1 May 2012

The threat of side-channel attacks is growing with the expanding popularity of cloud computing, and a general strategy for ameliorating such attacks was recently posted by Massachusetts Institute of Technology (MIT) researchers on the Web site of the Electronic Colloquium on Computational Complexity. The technique masks a computer program's computational details by converting a given computation into a sequence of smaller computational modules. Data entered within the first module is encrypted and never decrypted during execution, and then the first module's still-encrypted output is fed to the second module, which encrypts it differently, and so on. The final module's output is the same output of the original computation, but the operations performed by the individual modules are completely different. Although the instruction that inaugurates a new module is identical to the instruction that concluded the last one, the modules are executed on different servers on a network. MIT professor Shafi Goldwasser says this method could thwart attacks on private information as well as on devices that shield proprietary algorithms to prevent reverse-engineering.

http://web.mit.edu/newsoffice/2012/thwarting-eavesdropping-data-0501.html

------------------------------

Date: Thu, 3 May 2012 19:45:33 -0400
From: Monty Solomon <monty_at_private>
Subject: How to Muddy Your Tracks on the Internet (Kate Murphy)

Kate Murphy, *The New York Times*, 3 May 2012

Legal and technology researchers estimate that it would take about a month for Internet users to read the privacy policies of all the Web sites they visit in a year. So in the interest of time, here is the deal: You know that dream where you suddenly realize you're stark naked? You're living it whenever you open your browser.

There are no secrets online. That emotional e-mail you sent to your ex, the illness you searched for in a fit of hypochondria, those hours spent watching kitten videos (you can take that as a euphemism if the kitten fits) - can all be gathered to create a defining profile of you.

Your information can then be stored, analyzed, indexed and sold as a commodity to data brokers who in turn might sell it to advertisers, employers, health insurers or credit rating agencies.

And while it's probably impossible to cloak your online activities fully, you can take steps to do the technological equivalent of throwing on a pair of boxers and a T-shirt. Some of these measures are quite easy and many are free. Of course, the more effort and money you expend, the more concealed you are. The trick is to find the right balance between cost, convenience and privacy. ...

http://www.nytimes.com/2012/05/03/technology/personaltech/how-to-muddy-your-tracks-on-the-internet.html

------------------------------

Date: Fri, 04 May 2012 11:21:04 -0700
From: Gene Wirchenko <genew_at_private>
Subject: "Canadians hit by bogus Microsoft Help calls"

http://www.itbusiness.ca/it/client/en/Home/News.asp?id=67309
Canadians hit by bogus Microsoft Help calls
Here's how you can protect yourself against this scam.
5/3/2012 11:13:00 AM By: ITBusiness Staff

------------------------------

Date: Thu, 19 Apr 2012 13:14:07 -0700
From: Gene Wirchenko <genew_at_private>
Subject: "Bad stats sink cyber crime costs claims" (Bill Snyder)

Bill Snyder, InfoWorld, 19 Apr 2012 [PGN-ed]
Microsoft researchers find that estimates of damages caused by cyber crime are wildly inflated -- and increase the danger
http://www.infoworld.com/d/the-industry-standard/bad-stats-sink-cyber-crime-costs-claims-191138

If you follow computer security and have a good memory, you might remember a story from early 2009 that claimed cyber crime costs businesses as much as $1 trillion in just one year -- that's "trillion" with a "t." The version I saw was by Cnet writer Elinor Mills, whom I've always considered quite reliable. Somehow, her reporter's BS detector didn't go off, and she regurgitated that wild assertion by McAfee, a company that makes a living selling security products and services.

I had forgotten about that story until I came across a study by two Microsoft researchers who took the trouble to look hard at the facts behind the cyber crime scare stories, which persist to this day.
Their paper, with the appealingly sensational title of "Sex, Lies and Cybercrime Surveys," is a rigorous debunking of the wildly inflated claims spread by security companies, law enforcement, and credulous journalists.

I don't mean to pick on McAfee or Mills, but as I've written more than once, neither IT nor the public benefit from security scare stories. Indeed, the more security companies cry wolf, the less likely it is that well-founded warnings will be heeded.

Consider how much money we're talking about when McAfee claims that cyber crime costs $1 trillion a year. The requested federal defense budget for the United States for fiscal year 2013 is just (!) $525.4 billion. The total profits derived from the global trade in illegal drugs were pegged at $600 billion by the International Monetary Fund in 2010. Is cyber crime really a bigger source of revenue than the drug trade? Hard to believe.

Enter Dinei Florencio and Cormac Herley, the authors of the Microsoft study, who say, "One recent estimate placed annual direct consumer losses [from cyber crime] at $114 billion worldwide. It turns out, however, that such widely circulated cyber crime estimates are generated using absurdly bad statistical methods, making them wholly unreliable." You'll notice that the figure they call wholly unreliable is just one-tenth the size of the McAfee assertion.

The researchers make the point that most estimates of damage are reached via surveys. Using surveys seems like a good strategy until you realize that researchers start with what appears to be a hard number provided by respondents, then extrapolate to a larger population: "Suppose we asked 5,000 people to report their cyber crime losses, which we will then extrapolate over a population of 200 million. Every dollar claimed gets multiplied by 40,000. A single individual who falsely claims $25,000 in losses adds a spurious $1 billion to the estimate. And because no one can claim negative losses, the error can't be canceled" through averaging, as happens somewhat when people choose from ranges.

They go on to say the cyber crime surveys they've examined "exhibit exactly this pattern of enormous, unverified outliers dominating the data. In some, 90 percent of the estimate appears to come from the answers of one or two individuals," Florencio and Herley state. [...]

[See Snyder's url for the rest of the story and references. PGN]

------------------------------

Date: Sun, 29 Apr 2012 23:14:26 -0400
From: Gregory Marton <gremio_at_private>
Subject: DiscoverCard stores passwords in plaintext, e-mails them on request

I just had the misfortune of mistyping my discovercard.com password four times. Now locked out, I had to get an agent on a chat session. She verified only my e-mail address (verifying that it was the one on file), and immediately caused a message to be sent to that address with my password in plain text.

I pointed out to her the RISK: that were that e-mail compromised, e.g. even by someone looking over my shoulder, they'd have my password, and that if I happened to use similar passwords on other sites then the attacker would potentially get access to multiple accounts. She got this and agreed to lodge a complaint, but she wondered how they could do better.

Hasn't it been the industry standard for a very long time now to send a rapidly expiring reset link? I even think discovercard did that in the past.
Is there reason to move *away* from hashed passwords and reset links to plaintext? Perhaps too many people forget and use recovery options each time?

I forgot to ask if the agent could see the password. That would be another risk.

Gregory A. Marton 617-858-0775 http://goo.gl/Ne09o http://csail.mit.edu/~gremio

------------------------------

Date: Wed, 02 May 2012 08:20:12 -0700
From: Gene Wirchenko <genew_at_private>
Subject: "iPad in the enterprise: prepare for guerilla tactics"

http://www.itbusiness.ca/IT/client/en/CDN/News.asp?id=67270
iPad in the enterprise: prepare for guerilla tactics
IT departments have to stay ahead of the curve to deal with rogues bringing in the iPad
5/1/2012 2:14:00 PM By: Tom Kaneshige

------------------------------

Date: Wed, 18 Apr 2012 23:47:55 -0700
From: Geoff Kuenning <geoff_at_private>
Subject: Re: CIA's Secret Fear: High-Tech Border Checks Will Blow Spies' Cover (Schaefer, RISKS-26.80)

> Who would have guessed that this would happen - high-tech security is
> getting so good at border crossings that it can actually catch spies.

I just have to laugh. For all of history, governments have worked on the principle that they could do with impunity what they prevented their citizens from doing. Usually, we have agreed that such actions were appropriate and moral (e.g., imprisoning criminals), but there has always been a tradition of overstepping bounds. Now, eagerly embraced technology has made it more difficult to dodge repression. And I'll bet that no government, my own included, foresaw that the very tools they were deploying to control their own population would also prevent them from freely misbehaving when they chose to do so.

Geoff Kuenning geoff@private http://www.cs.hmc.edu/~geoff/

------------------------------

Date: Thu, 26 Apr 2012 21:06:45 +0200
From: Peter Bernard Ladkin <ladkin_at_private-bielefeld.de>
Subject: Re: Airline pilot distracted by new text messages (Flacy, R-26.80)

Monty Solomon forwarded to RISKS an article by a certain Mike Flacy in Digital Trends, who misreports a landing incident with a Jetstar A320 at Singapore Changi. Flacy's main claim is flat wrong: the phone incident and the landing gear selection are separate events. The title of the story in Risks is also wrong: the captain, whose phone was involved, was the Pilot Not Flying (PNF), so he didn't "botch the landing".

The short report is at http://www.atsb.gov.au/media/3599204/ao2010035.pdf

The phone incident concerned beeping from the reception of text messages, and occurred about three minutes from anticipated landing. The PF called for a missed-approach target altitude of 5,000 ft to be set in the automation. The PNF missed that call, and told the investigators it was because he was turning off his phone so as not to be distracted by further beeping.

The crew did not execute the landing checklist, and were not in a stabilised approach at 1,000 ft as per company procedures. They were warned by the aircraft systems that the gear was not down at about a minute before anticipated landing, some two minutes after the phone incident. The pilot flying (PF), the First Officer, prepared at that point to go around; the PNF lowered the gear and put in more flaps. Neither of them communicated their intent to the other about these contradictory actions.

The ATSB says that the crew failed to execute proper procedures, and also failed to communicate effectively with each other, during their approach to landing, a flight phase which takes place over a number of minutes. The progress of the flight during approach to landing merits 20 paragraphs and 7 paragraph-size footnotes on about three pages. The phone incident merits just two of those, about 140 words. The other nine-tenths of the description details all the other things that did not go as they should have.

RISKS readers may judge for themselves why Flacy chose to mislead his readers. Me, I am fed up of people writing crap about commercial aviation incidents but I guess it is not going to stop soon.

Peter Bernard Ladkin, Causalis Limited and University of Bielefeld
www.causalis.com www.rvs.uni-bielefeld.de

------------------------------

Date: Fri, 4 May 2012 11:18:17 -0400
From: ACM TechNews <technews_at_private>
Subject: Harvard and M.I.T. Team Up to Offer Free Online Courses (Tamar Lewin)

Tamar Lewin, *The New York Times*, 2 May 2012

Harvard University and the Massachusetts Institute of Technology (MIT) announced a plan to offer free massively open online courses under their edX partnership. Overseeing edX will be a nonprofit organization that Harvard and MIT will govern equally, and each school has pledged $30 million to the initiative. EdX's inaugural president will be Anant Agarwal, director of MIT's Computer Science and Artificial Intelligence Laboratory, while Harvard's contribution will be supervised by provost Alan M. Garber. University officials say the new online platform would be used to research educational technologies and methods as well as to build a global community of online students. Included in the edX project will be engineering courses and humanities courses, in which crowdsourcing or software may be used to grade essays. Harvard Corporation's Lawrence S. Bacow says education technology currently lacks "an online platform that gives faculty the capacity to customize the content of their own highly interactive courses." The edX effort faces competition from similar partnerships between Stanford, Princeton, the University of Pennsylvania, the University of Michigan, and Coursera.
The rapid evolution of online education technology is such that those in the new ventures say the courses are still in an experimental stage.

http://www.nytimes.com/2012/05/03/education/harvard-and-mit-team-up-to-offer-free-online-courses.html

------------------------------

Date: Thu, 26 Apr 2012 13:24:09 +0100
From: "Jurek Kirakowski" <jzk_at_private>
Subject: Re: Harvard Library open access? (RISKS-26.80)

The Harvard Library initiative is in the air all right. Less influential centres of learning usually let everyone else do the running - other universities, HEA, funders e.g. EPSRC insisting that publicly funded research be available on open access.
http://www.epsrc.ac.uk/Pages/default.aspx

See UK projects in this direction:
http://openreflections.wordpress.com/2011/01/22/the-academic-publisher-in-2020/
http://irisproject.org.uk/index.php

And examples of directories:
http://www.doaj.org/
http://www.doabooks.org/

The problem then becomes one of managing the information and data, making it findable and accessible, tracking impact and ensuring its long term preservation.

Kuali OLE
http://kuali.org/ole
http://clock.blogs.lincoln.ac.uk/tag/data-lincoln-ac-uk/

Huddersfield University.
http://www2.hud.ac.uk/tali/support/proj11_lemon.php

The RISK is that the infrastructure to manage, evaluate, and preserve the flow of publication information that regular publishers have built up over the years is sidelined, and although many readers of these columns may well feel that nothing could possibly go wrong with keeping all one's information digitally forever, let me remind you that we still have Sumerian clay tablets from around 3000 BCE but that their memory sticks do not seem to have survived :-)

Jurek Kirakowski http://hfrg.ucc.ie/jk

------------------------------

Date: Mon, 30 Apr 2012 11:20:23 -0400
From: Scott Dorsey <kludge_at_private>
Subject: Re: "Did first DDOS attack sink the Titanic?" (Ardley, RISKS-26.80)

> The industry has yet to design a resilient call response system that can
> handle peak overloads while still attending to routine but life critical
> calls.

Not at all. The AUTOVON system was specifically designed with that in mind. Civilian systems don't prioritize calls and have failures when too many stations are placing calls simultaneously because it's not cost effective to make them robust.

------------------------------

Date: Fri, 4 May 2012 08:45:56 -0400
From: Jeremy Epstein <jeremy.j.epstein_at_private>
Subject: Workshop on the Economics of Information Security WEIS 2012

11th Workshop on the Economics of Information Security (WEIS), Berlin, Germany, 25-26 June 2012
CALL FOR PARTICIPATION
http://weis2012.econinfosec.org
Early Registration 31 May 2012

The Workshop on the Economics of Information Security (WEIS) is the leading forum for interdisciplinary scholarship on information security and privacy, combining expertise from the fields of economics, social science, business, law, policy, and computer science. Prior workshops have explored the role of incentives between attackers and defenders of information systems, identified market failures surrounding Internet security, quantified risks of personal data disclosure, and assessed investments in cyber-defense.

The 2012 workshop builds on past efforts using empirical and analytic tools not only to understand threats, but also to strengthen security and privacy through novel evaluations of available solutions. We encourage economists, computer scientists, legal scholars, business school researchers, security and privacy specialists, as well as industry experts to participate by attending the workshop.
Topics covered by the accepted research papers include:
- Optimal investment in information security
- Models and analysis of online crime
- Risk management and cyber-insurance
- Security standards and regulation
- Cyber-security policy
- Security models and metrics
- Economics of privacy and anonymity
- Behavioral security and privacy
- Vulnerability discovery, disclosure, and patching
- Cyber-defense strategy and game theory
- Incentives for information sharing and cooperation

SPECIAL SESSIONS

Information security legends Ross Anderson and Bruce Schneier, both co-founders of the workshop, review "10 Years WEIS" in a special session. The workshop also features a panel discussion on the relation between privacy economics and privacy policy, and a rump session, which is open for every participant to briefly present work-in-progress or industry best practices.

The full program is available online: http://weis2012.econinfosec.org/program.html

------------------------------

Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe:
http://lists.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request_at_private containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe_at_private or risks-unsubscribe_at_private depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html>
The full info file may appear now and then in RISKS issues.
*** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall_at_private>.

=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!

=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
*** NOTE: Including the string "notsp" at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.

=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
<http://the.wiretapped.net/security/info/textfiles/risks-digest/> .

==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
is no longer maintained up-to-date except for recent election problems.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.81
************************

Received on Fri May 04 2012 - 12:48:03 PDT
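The extrapolation arithmetic quoted in the Snyder item (5,000 respondents scaled to 200 million people, so every reported dollar counts 40,000 times) can be tried on constructed data. This is an added example, not part of the digest or of the Florencio/Herley paper; the survey responses and the 1% trimming check are assumptions made for illustration.

```python
"""Why a single unverified survey answer can dominate a cyber crime loss
estimate. The respondent and population counts are the ones quoted in the
digest; the loss figures below are constructed, not real survey data."""

RESPONDENTS = 5_000
POPULATION = 200_000_000


def multiplier(sample_size=RESPONDENTS, population=POPULATION):
    """How many people each respondent 'stands for' when extrapolating."""
    return population / sample_size          # 40,000 for the quoted figures


def extrapolate(losses, population=POPULATION):
    """Mean loss per respondent times population: the method the paper
    criticises. Losses are summed first so the division is exact for the
    constructed data below."""
    return sum(losses) * population / len(losses)


def top_respondent_share(losses):
    """Fraction of the extrapolated total that comes from the single largest
    claim. Since nobody can report a negative loss, a bogus claim can only
    push the estimate up; averaging never cancels it."""
    total = sum(losses)
    return max(losses) / total if total else 0.0


def trimmed_extrapolate(losses, population=POPULATION, trim_fraction=0.01):
    """Assumption (not from the article): rerun the extrapolation with the
    top trim_fraction of claims dropped. A large gap between this and
    extrapolate() is a cheap signal that outliers, not the population,
    are producing the headline number."""
    ordered = sorted(losses)
    drop = int(len(ordered) * trim_fraction)
    kept = ordered[: len(ordered) - drop]
    return sum(kept) * population / len(kept)


def constructed_survey():
    """5,000 responses: 4,979 report no loss, 20 report $100, one claims
    $25,000 (constructed to mirror the '$25,000 adds $1 billion' example)."""
    return [0] * 4979 + [100] * 20 + [25_000]


if __name__ == "__main__":
    losses = constructed_survey()
    print(f"multiplier per respondent: {multiplier():,.0f}")
    print(f"extrapolated annual loss: ${extrapolate(losses):,.0f}")
    print(f"share from one respondent: {top_respondent_share(losses):.1%}")
    print(f"with top 1% of claims dropped: ${trimmed_extrapolate(losses):,.0f}")
```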
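The "rapidly expiring reset link" that Gregory Marton's DiscoverCard item asks about can be built without the server ever holding a recoverable password. This is an added example, not code from the digest or from Discover; the 15-minute lifetime, the `ResetTokenStore` class and the injectable clock are assumptions made for illustration.

```python
"""Single-use, time-limited password-reset tokens: the alternative to
e-mailing a stored password. Only a hash of each token is kept server-side,
so neither a copied database nor a mailbox read later can be replayed once
the token has expired or been used."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumption: a 15-minute validity window


class ResetTokenStore:
    """Server-side record of outstanding reset tokens, keyed by token hash."""

    def __init__(self, now=time.time):
        self._now = now           # injectable clock so expiry is testable
        self._pending = {}        # sha256(token) -> (account_id, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        # Hashing means a dump of _pending cannot be turned back into links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, account_id: str) -> str:
        """Create a token for account_id and return its plaintext form.
        The plaintext goes into the e-mailed link and is never stored."""
        token = secrets.token_urlsafe(32)       # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (
            account_id, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str):
        """Return the account_id if token is known, unexpired and unused,
        otherwise None. A successful redeem consumes the token, and an
        expired token is discarded on the way so it cannot be retried."""
        wanted = self._digest(token)
        # Walk every stored hash with a constant-time comparison so that the
        # time taken does not reveal how much of a guessed token matched.
        match = None
        for stored in list(self._pending):
            if hmac.compare_digest(stored, wanted):
                match = stored
        if match is None:
            return None
        account_id, expires_at = self._pending.pop(match)   # single use
        if self._now() > expires_at:
            return None
        return account_id


def reset_link(base_url: str, token: str) -> str:
    """Build the URL placed in the recovery e-mail (base_url is assumed)."""
    return f"{base_url}/reset?token={token}"


if __name__ == "__main__":
    store = ResetTokenStore()
    tok = store.issue("alice")
    print("mail this link:", reset_link("https://example.invalid", tok))
    print("first redeem ->", store.redeem(tok))    # alice
    print("second redeem ->", store.redeem(tok))   # None: already used
```

Because the token is random and hashed, the store never learns or reveals the account's password; a support agent who can trigger `issue` still cannot read it, which addresses the "could the agent see the password" question in the same item.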