[RISKS] Risks Digest 27.04

From: RISKS List Owner <risko_at_private>
Date: Wed, 24 Oct 2012 14:49:14 PDT
RISKS-LIST: Risks-Forum Digest  Wednesday 24 October 2012  Volume 27 : Issue 04

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.04.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Alaska Airlines: Operations returning to normal (Doug Esser via Paul Saffo)
Apps Alert the Doctor When Trouble Looms (John Karabaic)
Error and Fraud at Issue as Absentee Voting Rises (Adam Liptak via PGN)
Online schools face backlash as states question results (Stephanie Simon via
  Monty Solomon)
A network scientist examines the lifespan of a fact (Slate via
  Lauren Weinstein)
UK launching "virtual ID card" system / critics fear it's an instant target
  (Lauren Weinstein)
Microsoft robo-DMCA takedown orders run amok (Torrent Freak via LW)
Cyberattacks continue to affect U.S. banks (Nicole Perlroth via LW)
DDoS attacks on major US banks are no Stuxnet: here's why (ars technica)
Another bank software problem (Martyn Thomas)
McAfee, Trust Guard certifications can make websites *less* safe
   (ars technica via LW)
The Risks of Bad Mapping (Gene Wirchenko)
Support your right to own a 3D printer! (Mark Thorson)
Don't just throw your old hard drives into the trash (Jim Reisert)
"Phony Facebook application security tests?  Say it ain't so, Zuckerberg"
  (Gene Wirchenko)
"Windows 8 pirates: No noose is good noose" (Cringely via Gene Wirchenko)
"Hackers exploit Skype API to infect Windows PCs" (Ted Samson via GW)
Misconduct Widespread in Retracted Science Papers, Study Finds (Carl Zimmer
  via Monty Solomon)
Penn -- Hackers leak personal info of students, employees and alums
  (Dave Farber)
Re: Risks of linking information from Facebook leads to bigamy charges
  (Amos Shapir)
Re: The Anti-Cloud? (Scott Miller)
Re: Security experts not understanding security risks (Neil McKellar)
Re: "Fake sign causes real outage" (Gene Wirchenko)
Re: Mac calendar spam invites (Ed Ravin)
REVIEW: "Learning from the Octopus", Rafe Sagarin (Rob Slade)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 8 Oct 2012 20:54:16 -0700
From: Paul Saffo <paul_at_private>
Subject: Alaska Airlines: Operations returning to normal (Doug Esser)

Alaska Airlines said flights were running close to normal late Monday after
a fiber-optic outage shut down its ticketing system for more than four
hours, causing the airline and its regional carrier to cancel 78 flights
(roughly 10 percent of their daily flights), affecting nearly 7,000 customers.

More than 130 other flights departed during the disruption, but some were
delayed for as long as four hours, the airline said.  "Flights are running
real close to schedule right now in all major cities. We expect tomorrow to
be back on track completely," airline spokeswoman Marianne Lindsey said
Monday evening. Most affected were Alaska's hub cities of Seattle, Portland,
Ore., Los Angeles, Anchorage, Alaska, and the San Francisco area.

The problems were caused by a combination of two cut cables in Sprint's
fiber-optic network.  One occurred at a construction site along railroad
tracks between Chicago and Milwaukee and the other was somewhere between
Portland and Seattle.  The Chicago-Milwaukee cable was cut accidentally due
to some kind of work or maintenance.  The second cut involved an aerial cable
that runs along power lines.  "Typically if there's just one cut, traffic
reroutes automatically," Davis said. "Because there were two cuts within
hours of each other, it caused this disruption."
[Source: Doug Esser, Associated Press, 8 Oct 2012; PGN-ed]

Read more:
http://www.sfgate.com/news/article/Alaska-Airlines-Operations-returning-to-normal-3928410.php#ixzz28lppX4kW

------------------------------

Date: Tue, 9 Oct 2012 08:54:45 -0400
From: John Karabaic <jk_at_private>
Subject: Apps Alert the Doctor When Trouble Looms

Part of a wonderful NYTimes Science Times focus on IT in medicine [9 Oct
2012], this article goes into more depth on apps that have more risks of
false positives and privacy issues.

New technology uses standard features on smartphones -- GPS and movement
tracking -- to monitor a patient's behavior and alert the doctor when
something seems out of order.  *The New York Times*
  http://nyti.ms/VHdm3A

------------------------------

Date: Sun, 7 Oct 2012 10:10:17 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Error and Fraud at Issue as Absentee Voting Rises (Adam Liptak)

  Every problem that we have in our election system is magnified 10k times
  in absentee voting.  At that point in the process, all eyes and all sides
  have one thing to focus on -- absentee ballots.  There are some problems
  that are unique to absentee voting -- major one being the voter is not
  present to work through any issues with the election officials - but there
  are many of the same problems we have with all of the other modes of
  voting.  Adam Liptak, *The New York Times*, front page, 7 Oct 2012

http://www.nytimes.com/2012/10/07/us/politics/as-more-vote-by-mail-faulty-ballots-could-impact-elections.html

------------------------------

Date: Wed, 3 Oct 2012 16:42:17 -0400
From: Monty Solomon <monty_at_private>
Subject: Online schools face backlash as states question results
  (Stephanie Simon)

Stephanie Simon, Reuters, 3 Oct 2012

Virtual public schools, which allow students to take all their classes
online, have exploded in popularity across the United States, offering what
supporters view as innovative and affordable alternatives to the
conventional classroom.

Now a backlash is building among public officials and educators who question
whether the cyber-schools are truly making the grade.

In Maine, New Jersey and North Carolina, officials have refused to allow new
cyber-schools to open this year, citing concerns about poor academic
performance, high rates of student turnover and funding models that appear
to put private-sector profits ahead of student achievement.

In Pennsylvania, the auditor general has issued a scathing report calling
for revamping a funding formula that he said overpays online schools by at
least $105 million a year. In Tennessee, the commissioner of education
called test scores at the new Tennessee Virtual Academy "unacceptable."

And in Florida, state education officials are investigating a virtual school
after it was accused of hiring uncertified teachers; in the past two weeks
two local school boards in the state have rejected proposals for virtual
schools.

Some states, including Michigan, Indiana and Louisiana, are still moving
aggressively to embrace online schools. But the anger and skepticism
elsewhere is striking, in part because some of it comes from people who have
ardently supported opening the public school system to competition. ...

http://www.reuters.com/article/2012/10/03/us-usa-education-online-idUSBRE8920J420121003

------------------------------

Date: Fri, 5 Oct 2012 20:54:55 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: A network scientist examines the lifespan of a fact

  "The Harvard network scientist and pop theorist Samuel Arbesman stokes our
  fears of information on the cover of his recent book, The Half-Life of
  Facts: Why Everything We Know Has an Expiration Date.  Watch out, that
  title says: The truth is melting! But the argument that Arbesman lays out
  (in a set of loosely connected anecdotes and essays) works to do the
  opposite. He uses math as a medication for this anxiety, to keep us calm
  in the face of shifting knowledge. His book works like a
  data-beta-blocker: By fitting fickle truths to models and equations, it
  promises a way to handle life's uncertainty and keep abreast of "the
  vibrations in the facts around us." In the end, though, the prescription
  runs afoul of a more fundamental ambiguity: What does it mean to call a
  fact a fact to start with?"  http://j.mp/SAKg5n  (Slate via NNSquad)

------------------------------

Date: Thu, 4 Oct 2012 09:49:30 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: UK launching "virtual ID card" system / critics fear it's an
  instant target

  "The Government will announce details this month of a controversial
  national identity scheme which will allow people to use their mobile
  phones and social media profiles as official identification documents for
  accessing public services."  http://j.mp/SFDc1a  (Independent via NNSquad)

Like the article headlines: "What could go wrong?"

------------------------------

Date: Sun, 7 Oct 2012 18:53:18 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: Microsoft robo-DMCA takedown orders run amok (Torrent Freak)

http://j.mp/OMWF58  (Torrent Freak via NNSquad)

  "Claiming to prevent the unauthorized distribution of Windows 8 Beta the
  software company listed 65 "infringing" web pages. However, nearly half of
  the URLs that Google was asked to remove from its search results have
  nothing to do with Windows 8.  This apparent screw up in the automated
  filter mistakenly attempts to censor AMC Theatres, BBC, Buzzfeed, CNN,
  HuffPo, TechCrunch, RealClearPolitics, Rotten Tomatoes, ScienceDirect,
  Washington Post, Wikipedia and even the U.S.  Government.  Judging from
  the page titles and content the websites in question were targeted because
  they reference the number "45."

------------------------------

Date: Sun, 30 Sep 2012 12:32:44 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: Cyberattacks continue to affect U.S. banks (Nicole Perlroth)

  "Six major American banks were hit in a wave of computer attacks last
  week, by a group claiming Middle Eastern ties, that caused Internet
  blackouts and delays in online banking.  Frustrated customers of Bank of
  America, JPMorgan Chase, Citigroup, U.S. Bank, Wells Fargo and PNC, who
  could not get access to their accounts or pay bills online, were upset
  because the banks had not explained clearly what was going on."
  http://j.mp/TX1GKi  (*The New York Times* via NNSquad)

I am extremely skeptical of the blame game being asserted, especially the
Iran bashing.  Anybody can claim to be anyone in this context, and I see no
conceivable upside to Iran deploying an effort to merely slow down access to
online banking in the U.S.  I've seen the effects myself -- extra page
reloads required and such, but frankly the explanations the banks are giving
stink to high heaven, and the politicos seem to be pulling so-called
explanations out of thin air.

------------------------------

Date: Sat, 6 Oct 2012 09:49:32 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: DDoS attacks on major US banks are no Stuxnet: here's why
  (ars technica)

  "The compromised servers were outfitted with itsoknoproblembro (pronounced
  "it's OK, no problem, bro") and other DDoS tools that allowed the
  attackers to unleash network packets based on the UDP, TCP, HTTP, and
  HTTPS protocols. These flooded the banks' routers, servers, and server
  applications -- layers 3, 4, and 7 of the networking stack -- with junk
  traffic. Even when targets successfully repelled attacks against two of
  the targets, they would still fall over if their defenses didn't
  adequately protect against the third.  "It's not that we have not seen
  this style of attacks or even some of these holes before," said Dan
  Holden, the director of research for the security engineering and response
  team at Arbor Networks. "Where I give them credit is the blending of the
  threats and the effort they've done. In other words, it was a focused
  attack."  Adding to its effectiveness was the fact that banks are mandated
  to provide Web encryption, protected login systems, and other defenses for
  most online services. These "logic" applications are naturally prone to
  bottlenecks -- and bottlenecks are particularly vulnerable to DDoS
  techniques. Regulations that prevent certain types of bank traffic from
  running over third-party proxy servers often deployed to mitigate attacks
  may also have reduced the mitigation options available once the
  disruptions started."  http://j.mp/PIsE0M  (ars technica via NNSquad)
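The article's point is that the flood was blended across layers 3, 4 and 7, so
a target that mitigated two vectors still fell over on the third.  The
following is an added example, not code from the ars technica article, Arbor
Networks or this RISKS post: a small per-vector rate monitor over constructed
log lines that classifies each event by layer and reports which vectors
remain over threshold once some are mitigated.  The log format, addresses,
thresholds and vector names are all constructed for the demo.

```python
"""Added example (not from the article or the RISKS post): per-layer rate
monitoring of a blended L3/L4/L7 flood.  Log format, addresses, thresholds
and vector labels are constructed for this demo."""
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Constructed log lines in the form "<ts> <kind> <src> -> <dst> [detail]".
# RFC 5737 documentation addresses; 203.0.113.10 is the (constructed) target.
SAMPLE_LOG = """\
10:00:00 UDP 198.51.100.7 -> 203.0.113.10:53 len=1400
10:00:00 UDP 198.51.100.8 -> 203.0.113.10:53 len=1400
10:00:00 UDP 198.51.100.9 -> 203.0.113.10:53 len=1400
10:00:00 SYN 198.51.100.7 -> 203.0.113.10:443
10:00:00 SYN 198.51.100.8 -> 203.0.113.10:443
10:00:00 SYN 198.51.100.9 -> 203.0.113.10:443
10:00:00 HTTPS 198.51.100.9 -> 203.0.113.10:443 GET /login
10:00:00 HTTPS 198.51.100.10 -> 203.0.113.10:443 GET /login
10:00:00 HTTPS 198.51.100.11 -> 203.0.113.10:443 GET /login
10:00:01 HTTPS 198.51.100.12 -> 203.0.113.10:443 GET /login
10:00:01 HTTPS 192.0.2.5 -> 203.0.113.10:443 GET /
"""

# Map each traffic kind in the log to the layer the article names.
VECTOR_BY_KIND = {
    "UDP": "L3 udp-flood",
    "SYN": "L4 syn-flood",
    "HTTP": "L7 request-flood",
    "HTTPS": "L7 request-flood",
}

# Constructed per-second thresholds for the demo.  Real baselines come from
# measured normal traffic for each layer, not from constants.
THRESHOLDS = {"L3 udp-flood": 2, "L4 syn-flood": 2, "L7 request-flood": 2}


def parse_line(line: str) -> Tuple[str, str, str]:
    """Return (second, vector, source) for one constructed log line."""
    ts, kind, src, _arrow, _dst, *_detail = line.split()
    return ts, VECTOR_BY_KIND[kind], src


def rates_per_second(log: str) -> Dict[str, Counter]:
    """Count events per (second, vector)."""
    rates: Dict[str, Counter] = defaultdict(Counter)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, vector, _src = parse_line(line)
        rates[ts][vector] += 1
    return rates


def vectors_over_threshold(log: str,
                           thresholds: Dict[str, int] = THRESHOLDS) -> Dict[str, List[str]]:
    """For each second, the vectors whose rate exceeds their own threshold."""
    result: Dict[str, List[str]] = {}
    for ts, counts in sorted(rates_per_second(log).items()):
        hot = sorted(v for v, n in counts.items() if n > thresholds[v])
        if hot:
            result[ts] = hot
    return result


def unmitigated(log: str, mitigated: Set[str]) -> Dict[str, List[str]]:
    """Vectors still over threshold after removing the ones already handled:
    defences that cover two layers leave the third one standing."""
    leftover: Dict[str, List[str]] = {}
    for ts, hot in vectors_over_threshold(log).items():
        remaining = [v for v in hot if v not in mitigated]
        if remaining:
            leftover[ts] = remaining
    return leftover


if __name__ == "__main__":
    print("over threshold:", vectors_over_threshold(SAMPLE_LOG))
    print("after mitigating L3 and L4:",
          unmitigated(SAMPLE_LOG, {"L3 udp-flood", "L4 syn-flood"}))
```

The monitor keys on the layer rather than on total packet rate because a
threshold on aggregate traffic hides a layer-7 request flood that is small in
bytes but expensive for the login and encryption logic the article singles
out.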

------------------------------

Date: Fri, 05 Oct 2012 15:29:54 +0100
From: Martyn Thomas <martyn_at_thomas-associates.co.uk>
Subject: Another bank software problem

Lloyds TSB says it is suffering from a "temporary system error" that is
causing "intermittent problems".  Users of the Twitter social network have
complained of being unable to use their debit cards, Lloyds TSB ATMs, or the
bank's online banking service.  The bank says it is sorry for the
inconvenience and is trying to sort out the problems.

Earlier this summer some account holders at RBS and NatWest suffered
disruption due to a computer failure.  Lloyds TSB has admitted the problem
has affected both its internet and telephone banking service, "but we don't
have a definite time scale at this time," it said.
  http://www.bbc.co.uk/news/business-19846157

------------------------------

Date: Fri, 5 Oct 2012 11:55:46 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: McAfee, Trust Guard certifications can make websites *less* safe

  "That's because a design flaw in the service, and in competing services
  offered by Trust Guard and others, makes it easy to discover in almost
  real time when a customer has had the seal revoked. A revocation is
  either a sign the site has failed to pay its bill, has been inaccessible
  for a sustained period of time, or most crucially, is no longer able to
  pass the daily security test."  http://j.mp/OaLi5z  (ars technica via NNSq)

------------------------------

Date: Thu, 04 Oct 2012 12:46:28 -0700
From: Gene Wirchenko <genew_at_private>
Subject: The Risks of Bad Mapping

Apple is taking a kicking over their latest Map app.  Many sites are making
fun of it.  In particular
  http://theamazingios6maps.tumblr.com/

has been a great time so far.  I am only on page 24.  That page has a sign
at a London transit station with an additional information section that
reads: "For the benefit of passengers using Apple iOS 6, local area maps are
available from the booking office."  Ouch!
  http://theamazingios6maps.tumblr.com/post/31969830493/london-tube

------------------------------

Date: Sat, 29 Sep 2012 13:27:25 -0700
From: Mark Thorson <eee_at_private>
Subject: Support your right to own a 3D printer!

Gun parts are being made by 3D printer, and it may soon be possible to make
a complete gun.  This raises concerns about how legislation will respond to
advances in 3D printer technology.

http://techcrunch.com/2012/08/26/the-next-battle-for-internet-freedom-could-be-over-3d-printing/

------------------------------

Date: Tue, 2 Oct 2012 14:11:41 -0600
From: Jim Reisert AD1C <jjreisert_at_private>
Subject: Don't just throw your old hard drives into the trash

Kate Gosselin Halts Sale Of Negative Tell-All Book
http://www.huffingtonpost.com/2012/10/02/kate-gosselin-book_n_1933185.html

"Kate Gosselin has scored a victory. She has gotten her lawyers to halt the
sale of a shocking new book that claims that the mom of eight "fooled the
world." [...]  "Kate had her own lawyers deal with this," says a network
insider.  "TLC lawyers were involved as well, since there were some
confidential documents in there."  This confidential information that
troubled TLC was found in a series of private emails exchanged between
Gosselin and the Discovery network. The emails were leaked via computer hard
drives that Gosselin had put in the trash."

Jim Reisert AD1C, <jjreisert@private>, http://www.ad1c.us

------------------------------

Date: Mon, 08 Oct 2012 10:14:50 -0700
From: Gene Wirchenko <genew_at_private>
Subject: "Phony Facebook application security tests?  Say it ain't so,
  Zuckerberg"

http://www.csoonline.com/article/716903/phony-facebook-application-security-tests-say-it-ain-t-so-zuckerberg
Phony Facebook application security tests? Say it ain't so, Zuckerberg
How can we explain the FTC's discovery that, for
close to a year, Facebook operated a for-profit
application security testing service that was little more than a sham?

------------------------------

Date: Mon, 08 Oct 2012 13:38:36 -0700
From: Gene Wirchenko <genew_at_private>
Subject: "Windows 8 pirates: No noose is good noose"

http://www.infoworld.com/t/cringely/windows-8-pirates-no-noose-good-noose-204304
InfoWorld, 8 Oct 2012
Windows 8 pirates: No noose is good noose
Are the BBC, CNN, and Wikipedia distributing illegal copies of
Windows 8? Nope, it's just another example of the Copyright Cartel gone wild
By Robert X. Cringely | InfoWorld

------------------------------

Date: Tue, 09 Oct 2012 11:13:54 -0700
From: Gene Wirchenko <genew_at_private>
Subject: "Hackers exploit Skype API to infect Windows PCs" (Ted Samson)

Ted Samson, *InfoWorld*, 9 Oct 2012
Hackers exploit Skype API to infect Windows PCs
New worm reinforces Skype's reputation as an app with security issues
http://www.infoworld.com/t/anti-virus/hackers-exploit-skype-api-infect-windows-pcs-204333

------------------------------

Date: Sun, 7 Oct 2012 10:37:17 -0400
From: Monty Solomon <monty_at_private>
Subject: Misconduct Widespread in Retracted Science Papers, Study Finds
  (Carl Zimmer)

Carl Zimmer, *The New York Times*, 1 Oct 2012

Last year the journal *Nature* reported an alarming increase in the number
of retractions of scientific papers - a tenfold rise in the previous decade,
to more than 300 a year across the scientific literature.

Other studies have suggested that most of these retractions resulted from
honest errors. But a deeper analysis of retractions, being published this
week, challenges that comforting assumption.

In the new study, published in the Proceedings of the National Academy of
Sciences, two scientists and a medical communications consultant analyzed
2,047 retracted papers in the biomedical and life sciences. They found that
misconduct was the reason for three-quarters of the retractions for which
they could determine the cause. ...

http://www.nytimes.com/2012/10/02/science/study-finds-fraud-is-widespread-in-retracted-scientific-papers.html

------------------------------

Date: Wed, 3 Oct 2012 09:11:23 -0400
From: Dave Farber <dave_at_private>
Subject: Penn -- Hackers leak personal info of students, employees and alums

http://www.thedp.com/article/2012/10/hackers-leak-personal-info-of-students-admins-and-alums

------------------------------

Date: Mon, 8 Oct 2012 13:30:23 +0200
From: Amos Shapir <amos083_at_private>
Subject: Re: Risks of linking information from Facebook leads to bigamy 
  charges (RISKS-27.03)

I do not use Facebook much, so when my 13-year-old nephew requested to
become my "friend", I accepted without giving it much thought.  Every
now and then, Facebook suggests a list of people I may want to befriend,
including their pictures.  This list now includes many 13-year-old girls --
some of whose profile pictures may be considered quite provocative...  I
hope that no computer I use is ever seized in a police investigation, or I
might end up in deep trouble!

------------------------------

Date: Mon, 1 Oct 2012 10:51:21 -0400
From: "Scott Miller" <SMiller_at_private>
Subject: Re: The Anti-Cloud? (Mark Thorson, RISKS-27.03)

There are certainly risks there, but I am not certain that any are new,
unique, or even uni-directional. Did not the SETI At Home program operate by
a similar paradigm (albeit the pay-off was not strictly a cash-equivalent)?
As an aside, I've wondered for quite some time to what extent that program
served as a prototype for botnets (may have been discussed here, but if so I
missed it). How many "cloud" users know the ultimate disposition of their
data? How many even read the EULA and privacy agreements (understandable
since a half-hour spent wading knee-deep through a fetid swamp of legalese
will in many or most cases produce nothing more definitive than a statement
allowing data sharing or delegation to _some_ third-party, identity
undisclosed or unknown)? A case could probably be made that a commercial
third party recipient of delegated cloud customer data would probably have a
greater incentive to use that data in some way counter to the interests or
desires of the original "owner". My main interest, however, lies in
identifying the risk posed to the person "renting" their excess disk space
to Symform.  Suppose one of Symform's customers uploads some electronic
contraband (e.g., kiddie porn) to their cloud, and through some coincidence
it is discovered by some government authority on the hard drive of a
different Symform customer?  What is the legal status of the "landlord"? I'm
not even certain if Symform is an ISP under the legal doctrine that provides
a limited shield from legal liability regarding content uploaded by
customers; I very much doubt that any shield that exists would be extended
by a court to the customer providing drive space. What little remains of the
4th amendment (US) would also seem to be of little help.

------------------------------

Date: Mon, 01 Oct 2012 07:45:43 -0600
From: Neil McKellar <mckellar_at_private>
Subject: Re: Security experts not understanding security risks

I disagree that the picket, to use the analogy from your note, is high
enough.  Yes, the Ars Technica article focuses on password length and even
Costin Raiu's blog post focuses heavily on length, only touching on the two
choices he thinks Microsoft has had to make.  What would make me worried
about the length restriction is that there is some technical reason why the
password cannot be longer.

Raiu talks about sha512crypt, but even the weaker SHA-1 or MD5 hashes he
talks about do not have length restrictions on the passwords that can be
entered.  If there is a length restriction, I would be concerned that
Hotmail is using some homegrown hash function that limits itself to 16
characters.  History has a handful of similar hash functions and they've
generally proven to be even weaker than SHA-1.  In this case, I agree with
Raiu: I don't know which of his two options is worse.

Arguably, if the only concern here is local administrative staff at Hotmail
having access to the hashes, the risk is moderate or even low.  In that
case, Microsoft's characterization of the risk is correct and 16 characters
is plenty.  These days, I don't think security professionals should only be
worried about phishing and keystroke loggers, in spite of what was said in
the article.  We continue to see attacks that result in sizable credential
lists posted publicly.  The likelihood for any one target may not be
significant, but it is, nonetheless, a possibility that should be accounted
for.  The size of the picket makes no difference if it's not firmly attached
to the fence.

Neil (mckellar_at_private)
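The post above warns that a 16-character limit would suggest a homegrown hash
that truncates its input, whereas sha512crypt, SHA-1 and MD5 accept any
length.  The following is an added example, not code from Neil McKellar's
post or from Microsoft: it contrasts a standard KDF (PBKDF2-HMAC-SHA-512,
used here as a stand-in for the sha512crypt he mentions) with a hypothetical
scheme that silently truncates the password to 16 characters, and includes a
defender-side probe that reveals the effective limit of any password store you
can register against.  The salt, iteration count, function names and probe
password are constructed for the demo.

```python
"""Added example (not from the RISKS post): full-length password hashing vs a
hypothetical scheme that truncates at 16 characters, plus a check that exposes
the truncation.  Names, the salt and the probe value are constructed."""
import hashlib
import hmac
from typing import Callable, Optional

# Constructed fixed salt so results are reproducible; a real store uses a
# random per-user salt.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
# Kept low so the demo runs quickly; production deployments use far more.
ITERATIONS = 20_000


def full_length_hash(password: str, salt: bytes = SALT) -> bytes:
    """Standard KDF: every character of the password affects the digest.
    PBKDF2-HMAC-SHA-512 stands in for the sha512crypt named in the post."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, ITERATIONS)


def truncating_hash(password: str, salt: bytes = SALT, limit: int = 16) -> bytes:
    """Hypothetical 'homegrown' scheme: silently drops everything after
    `limit` characters before hashing, so long passwords collide."""
    return full_length_hash(password[:limit], salt)


def verify(stored: bytes, candidate: str, hasher: Callable[[str], bytes]) -> bool:
    """Constant-time comparison of a stored digest with a candidate password."""
    return hmac.compare_digest(stored, hasher(candidate))


def detect_truncation(hasher: Callable[[str], bytes],
                      probe: str = "correcthorsebatterystaple-2012") -> Optional[int]:
    """Defender-side check: hash a long probe, then alter one character at a
    time.  The first position whose change still verifies is the effective
    length limit; None means the full length is honoured."""
    stored = hasher(probe)
    for n in range(len(probe)):
        replacement = "X" if probe[n] != "X" else "Y"
        altered = probe[:n] + replacement + probe[n + 1:]
        if verify(stored, altered, hasher):
            return n
    return None


if __name__ == "__main__":
    a, b = "abcdefghijklmnop-first", "abcdefghijklmnop-second"
    print("full-length hashes differ:", full_length_hash(a) != full_length_hash(b))
    print("truncating hashes collide:", truncating_hash(a) == truncating_hash(b))
    print("effective limit, standard KDF:", detect_truncation(full_length_hash))
    print("effective limit, truncating scheme:", detect_truncation(truncating_hash))
```

The probe works against any system that lets you set a password and then log
in with it, so it is a cheap audit step for a service you operate: if a
variant that differs only past position n still authenticates, every
character beyond n is being discarded before hashing.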

------------------------------

Date: Sun, 30 Sep 2012 23:19:03 -0700
From: Gene Wirchenko <genew_at_private>
Subject: Re: "Fake sign causes real outage" (Risks-27.03)

The story also shows another risk, that of jurisdictions.  Who had
jurisdiction?  The property loss was bad enough, but what if there had been
the possibility of loss of life?

------------------------------

Date: Mon, 1 Oct 2012 03:36:31 -0400
From: Ed Ravin <eravin_at_private>
Subject: Re: Mac calendar spam invites

Does not seem to be a new issue - I found this 2008 discussion of what seems
to be the problem George Michaelson is reporting:

  https://discussions.apple.com/message/6991955?messageID=6991955#6991955?messageID=6991955

------------------------------

Date: Mon, 8 Oct 2012 14:49:42 -0800
From: Rob Slade <rMslade_at_private>
Subject: REVIEW: "Learning from the Octopus", Rafe Sagarin

BKLNFOCT.RVW   20120714

"Learning from the Octopus", Rafe Sagarin, 2012, 978-0-465-02183-3,
U$26.99/C$30.00
%A   Rafe Sagarin
%C   387 Park Ave. South, New York, NY   10016-8810
%D   2012
%G   978-0-465-02183-3 0-465-02183-2
%I   Basic Books/Perseus Books Group
%O   U$26.99/C$30.00 800-810-4145 www.basicbooks.com
%O   http://www.amazon.com/exec/obidos/ASIN/0465021832/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0465021832/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0465021832/robsladesin03-20
%O   Audience n+ Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   284 p.
%T   "Learning from the Octopus"

The subtitle promises that we will learn "how secrets from nature can help
us fight terrorist attacks, natural disasters, and disease."  The book does
fulfill that aim.  However, what it doesn't say (up front) is that it isn't
an easy task.

The overall tone of the book is almost angry, as Sagarin takes the entire
security community to task for not paying sufficient attention to the
lessons of biology.  The text and examples in the work, however, do not
present the reader with particularly useful insights.  The prologue drives
home the fact that 350 years of fighting nation-state wars did not prepare
either society or the military for the guerilla-type terrorist situations
current today.  No particular surprise: it has long been known that the
military is always prepared to fight the previous war, not this one.

Chapter one looks to the origins of "natural" security.  In this regard, the
reader is inescapably reminded of Bruce Schneier's "Liars and Outliers"
(cf. BKLRSOTL.RVW), and Schneier's review of evolution, sociobiology, and
related factors.  But whereas Schneier built a structure and framework for
examining security systems, Sagarin simply retails examples and stories,
with almost no structure at all.  (Sagarin does mention a potentially
interesting biology/security working group, but then is strangely reticent
about it.)  In chapter two, "Tide Pool Security," we are told that the
octopus is very fit and functional, and that the US military and government
did not listen to biologists in World War II.

Learning is a force of nature, we are told in chapter three, but only in
regard to one type of learning (and there is no mention at all of
education).  The learning force that the author lauds is that of evolution,
which does tend to modify behaviours for the population over time, but tends
to be rather hard on individuals.  Sagarin is also opposed to "super
efficiency" (and I can agree that it leaves little margin for error), but
mostly tells us to be smart and adaptable, without being too specific about
how to achieve that.  Chapter four tells us that decentralization is better
than centralization, but it is interesting to note that one of the examples
given in the text demonstrates that over-decentralization is pretty bad,
too.  Chapter five again denigrates security people for not understanding
biology, but that gets a bit hard to take when so much of the material
betrays a lack of understanding of security.  For example, passwords do not
protect against computer viruses.  As the topics flip and change it is hard
to see whether there is any central thread.  It is not clear what we are
supposed to learn about Mutual Assured Destruction or fiddler crabs in
chapter six.

Chapter seven is about bluffing, use and misuse of information, and alarm
systems.  Yes, we already know about false positives and false negatives,
but this material does not help to find a balance.  The shared values of
salmon and suicide bombers, religion, bacterial addicts, and group identity
are discussed in chapter eight.  Chapter nine says that cooperation can be
helpful.  We are told, in chapter ten, that "natural is better," therefore
it is ironic to note that the examples seem to pit different natural systems
against each other.  Also, while Sagarin says that a natural and complex
system is flexible and resilient, he fails to mention that it is difficult
to verify and tune.

This book is interesting, readable, erudite, and contains many interesting
and thought-provoking points.  For those in security, it may be good bedtime
reading material, but it won't be helpful on the job.  In the conclusion,
the author states that his goal was to develop a framework for dealing with
security problems, of whatever type.  He didn't.  (Schneier did.)

copyright, Robert M. Slade   2012     BKLNFOCT.RVW   20120714
rslade_at_private     slade_at_private     rslade_at_private
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.04

Received on Wed Oct 24 2012 - 14:49:14 PDT
