Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
In a new report called "Bigger Monster, Weaker Chains," the American Civil Liberties Union says that there is a rapidly growing "American Surveillance Society" brought about by "a combination of lightning-fast technological innovations and the erosion of privacy protections" threatening "to transform Big Brother from an oft-cited but remote threat into a very real part of American life." This "surveillance monster" includes, among other things, cameras monitoring public spaces, proposals for databases filled with personal information on U.S. citizens, and anti-terrorist legislation allowing the government to demand that libraries turn over reading histories of their patrons. Yet the report asserts that these monsters don't even have to be real for them to be terrifying: "It is not just the reality of government surveillance that chills free expression and the freedom that Americans enjoy. The same negative effects come when we are constantly forced to wonder whether we might be under observation." [AP/*USA Today 16 Jan 2003; NewsScan Daily, 16 Jan 2003] http://www.usatoday.com/tech/news/2003-01-16-privacy-threats_x.htm
Michelin plans to embed technology in its tires that would allow the tires to communicate wirelessly to the car, sending pressure readings, etc., to the dashboard computer, using an antenna and an integrated circuit the size of a match head. Proponents of such RFID tags, which store, send and receive data through weak radio signals, believe they will one day replace bar codes and revolutionize the way that inventories are tracked and consumer products are designed once their price falls far enough. [Source: Reuters item 14 Jan 2003; PGN-ed] http://www.reuters.com/newsArticle.jhtml?type=technologyNews&storyID=2045403 [Also noted by Richard M. Smith]
MIT graduate students Simson Garfinkel and Abhi Shelat bought 158 hard drives at second hand computer stores and eBay over a two-year period, and found that more than half of those that were functional contained recoverable files, most of which contained "significant personal information." The data included medical correspondence, love letters, pornography and 5,000 credit card numbers. The investigation calls into question PC users' assumptions when they donate or junk old computers — 51 of the 129 working drives had been reformatted, and 19 of those still contained recoverable data. The only surefire way to erase a hard drive is to "squeeze" it — writing over the old information with new data, preferably several times — but few people go to the trouble. The findings of the study will be published in the IEEE Security & Privacy journal Friday. [AP 16 Jan 2003; Newsscan Daily, 16 Jan 2003 http://apnews.excite.com/article/20030116/D7OJBBBG0.html
A 15-year-old girl suffered second-degree burns to her hands and thighs after the laptop she was using exploded. [Source: Tim Richardson, *The Register*, 16 Jan 2003 ] http://www.theregister.co.uk/content/54/28899.html
A story widely reported in the UK news today (Thursday 16/1/2003) e.g. http://www.guardian.co.uk/uk_news/story/0,3604,875749,00.html and also http://www.telegraph.co.uk/news/main.jhtml?xml=/opinion/news/2003/01/16/ncash16 regarding a family who discovered errors in a cash machine whose software had recently been upgraded. They were able to obtain unlimited cash from the machine (some 135,000 pounds) by typing in random PIN numbers. An issue not included in all the reports was that the family allegedly contacted the building society to report the error (this was reported in the print edition of the Metro, a free newspaper supplied on the UKs public transport infrastructure). Only when the society failed to take action did the family begin exploiting the error. The risk here (assuming the family did indeed report the fault) would be the failure of the society to implement remedial action when notified of a problem, perhaps due to a lack of procedure for handling such information. This is quite apart from the clearly inadequate testing of the software added to the cash machine in the first place.
I don't know if this has been covered before, but I have a correspondence going with someone who uses Exchange for his mail. I have a procmail filter that files mail containing an html tag (the opening html identifier, not just any html tag) in a box labelled spam, which I then peruse about weekly. (and just discards any containing both an html and script tag...) 1;0cHe complains that I don't answer him timely, and that he has configured his mailer to not send html. This appears to be the case; his messages to me are not put in html form. The zinger here, is that my quoted message in his reply is in html form, identified as "converted from text/plain", (in the DTD line, I found the conversion having been done by the exchange server) "We're Microsoft, and we're here to help you"... I don't know if he can suppress that one, either; perhaps by not quoting my incoming message (which should be edited anyhow; I don't like postquotes since they tend to grow uncontrollably).
I sometimes wonder why some sites use 128 bit encryption. For example: I just ordered my credit report from Equifax (www.equifax.com). When I completed the order, it sent me to the order confirmation page with my username and password as clear text in the URL. The next day I get a e-mail confirming my order with my password in plain text. RISKS are obvious.
Lexmark lawsuit seeks to defend intellectual property rights while preserving customers' rights to choose As a result of a Lexmark International, Inc. lawsuit against Static Control Components, Inc., for violation of the Copyright Act and the Digital Millennium Copyright Act, the federal district court in Lexington, Ky., issued a temporary order - agreed to by Static Control - requiring Static Control to immediately cease making, selling, or otherwise trafficking in the "Smartek(TM)" microchip for the toner cartridges developed for the Lexmark T520/522 and T620/622 laser printers. The order is in effect until Lexmark's motion for a preliminary injunction is heard by the Court. Lexmark's complaint alleges that the Smartek(TM) microchips incorporate infringing copies of Lexmark's copyrighted software and are being sold by Static Control to defeat Lexmark's technological controls, thereby allowing the unauthorized access to Lexmark's protected software programs and the unauthorized remanufacturing of Lexmark "Prebate(TM)" toner cartridges. [Source: PRNewswire-FirstCall, 9 Jan 2003; PGN-ed] http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/01-09-2003/0001869517
[I've copied the attorneys for the plaintiffs in case they wish to reply to Fred. For their reference: Politech is a moderated discussion forum populated by many members of the legal community, and I attempt to include all reasonable, well-stated views. --Declan] Date: Wed, 15 Jan 2003 18:48:21 -0800 Subject: DMCA v garage door openers >From: Fred von Lohmann EFF <fred@eff.org> To: Declan McCullagh <declan@well.com> In the latest bit of DMCA lunacy, copyright guru David Nimmer turned me onto a case that his firm is defending, where a garage door opener company (The Chamberlain Group) has leveled a DMCA claim (among other claims) against the maker of universal garage door remotes (Skylink). Yet another case where the anti-circumvention provisions of the DMCA are being used to impede legitimate competition, similar to the Lexmark case. Not, I think, what Congress had in mind when enacting the DMCA. The Complaint: http://www.eff.org/IP/DMCA/20030113_chamberlain_v_skylink_complaint.pdf The Amended Complaint: http://www.eff.org/IP/DMCA/20030114_chamberlain_v_skylink_amd_complaint.pdf The Summary Judgment Motion: http://www.eff.org/IP/DMCA/20030113_chamerlain_v_skylink_motion.pdf Attorneys for Skylink are (both at the Orange County offices of Irell & Manella, a large law firm): "Nobles, Kimberley" <KNobles@irell.com> "Greene, Andra" <AGreene@irell.com> Fred von Lohmann, Senior Intellectual Property Attorney, Electronic Frontier Foundation fred@eff.org +1 (415) 436-9333 x123
Shouldn't a warning that "Computer users will be plagued with a host of new viruses this year" be taken with a grain of salt when it comes from a company whose business is selling anti-virus software?
BKBUSCSW.RVW 20021124
"Building Secure Software", John Viega/Gary McGraw, 2002,
0-201-72152-X, U$54.99/C$82.50
%A John Viega www.buildingsecuresoftware.com
%A Gary McGraw www.buildingsecuresoftware.com
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D 2002
%G 0-201-72152-X
%I Addison-Wesley Publishing Co.
%O U$54.99/C$82.50 416-447-5101 fax: 416-443-0948
%O http://www.amazon.com/exec/obidos/ASIN/020172152X/robsladesinterne
%P 493 p.
%T "Building Secure Software: How to Avoid Security Problems the
Right Way"
The "right way" of the subtitle is, of course, designing and building
a product correctly the first time. The preface states that the book
is concerned with broad principles of systems development, and so does
not cover specialized topics such as code authentication and
sandboxing. It also points out that software vendors are effectively
exempt from liability, and so have no reason to produce secure or
reliable software.
Chapter one is an introduction to software security, with an overview
of related topics and considerations. Managing software security
risks, in chapter two, looks at good practices in the system
development life cycle, the position of the security engineer in
development, and standards. The authors point out problems in common
security "solutions," mostly dealing with authentication, in chapter
three. The common myths about the security of open and closed source
systems are examined in chapter four. Instead of a checklist of
thousands of security items (that likely won't be of much use anyway),
chapter five presents ten guiding principles which will probably catch
most problems. The list is not a panacea: the first principle is to
secure the weakest link, and it takes lots of forethought to design
this for type of factor in advance. Auditing software, in chapter
six, is more about security assessments being conducted at various
stages in the process, for example, using attack trees at the design
stage.
The preface states that the book is divided into two parts, conceptual
and implementation, and, although there is no formal division, this is
probably the beginning of part two. Chapter seven looks at buffers
overflows, always and still the most common software security problem.
This book, it must be assumed, is written primarily for a programming
audience, and yet the first part has presented concepts very clearly
without necessarily getting into code examples. At this point,
however, the material is definitely written for advanced C (and
specifically UNIX) programmers, and the basic concepts are sometimes
hidden in the details. Access control, primarily in UNIX systems,
although with some mention of special capabilities in Windows NT, is
the topic of chapter eight. Chapter nine deals with race conditions,
including the familiar "time of check versus time of use" problem,
although most of the material is limited to file access concerns.
There is an excellent and thorough discussion of pseudo random number
generation in chapter ten. Applying cryptography, in chapter eleven,
stresses the fact that you shouldn't "roll your own," helps out by
reviewing publicly available cryptographic code libraries, and even
examines the drawbacks of one-time pads. Managing trust and input
validation, in chapter twelve, emphasizes input concerns to the point
that an important element is possibly buried: in the modern
environment, you not only have to trust the goodwill of an entity, but
also its ability to defend itself, so as not to become part of an
attack against you. Password authentication, in chapter thirteen,
promotes randomly chosen passwords. Given a work directed at
programming I suppose this is understandable, but recent research has
shown that "well chosen" passwords are as easy to remember as naive,
and as secure as random. Chapter fourteen is an overview of the basic
aspects of database security, although it only touches on the more
advanced topics of this specialized field. Client-side security
concentrates on copy protection and other anti-piracy measures in
chapter fifteen. Some means of establishing a connection through a
firewall are examined in chapter sixteen.
While I can understand and sympathize with the desire to give examples
of specific code in dealing with implementation details, there are a
number of major concepts covered in the latter part of the book which
would have been more accessible to non-programmers had they been dealt
with as tutorially as in the first part. Still, the book has a great
deal to teach programmers about security and reliability, and security
professionals about the requirements of the development process.
copyright Robert M. Slade, 2002 BKBUSCSW.RVW 20021124
rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
BKNTWSEC.RVW 20021106 "Network Security", Charlie Kaufman/Radia Perlman/Mike Speciner, 2002, 0-13-046019-2, U$54.99/C$85.99 %A Charlie Kaufman ckaufman@usibm.com %A Radia Perlman radia@alum.mit.edu %A Mike Speciner ms@alum.mit.edu %C One Lake St., Upper Saddle River, NJ 07458 %D 2002 %G 0-13-046019-2 %I Prentice Hall %O U$54.99/C$85.99 201-236-7139 fax 201-236-7131 mfranz@prenhall.com %O http://www.amazon.com/exec/obidos/ASIN/0130460192/robsladesinterne %P 713 p. %T "Network Security: Private Communication in a Public World, 2e" For communications security, this is the text. As well as solid conceptual background of cryptography and authentication, there is overview coverage of specific security implementations, including Kerberos, PEM (Privacy Enhanced Mail), PGP (Pretty Good Privacy), IPsec, SSL (Secure Sockets Layer), AES (Advanced Encryption Standard), and a variety of proprietary systems. Where many security texts use only UNIX examples, this one gives tips on Lotus Notes, NetWare, and Windows NT. Chapter one is an introduction, with a brief primer on networking, some reasonable content on malware, and basic security models and concepts. Part one deals with cryptography. The foundational concepts are covered in chapter one. Symmetric encryption, in chapter three, is presented in terms of the operations of DES (Data Encryption Standard), IDEA (International Data Encryption Algorithm), and AES. Chapter four details the major modes of DES. The algorithms for a number of hash functions and message digests are described in chapter five. Asymmetric algorithms, such as RSA (Rivest-Shamir-Adleman) and Diffie-Hellman, are explained in chapter six, although one could wish for just slightly more material, such as actual numeric computations, that might reach a wider audience. The number theory basis of much of modern encryption is provided as well, in chapter seven. More, including a tiny bit on elliptic curves, is given in chapter eight. Part two covers authentication. The general problems are outlined in chapter nine. Chapter ten looks at the traditional means of authenticating people: something you know, have, or are. Various problems in handshaking are reviewed in chapter eleven. Chapter twelve describes some strong protocols for passwords. Part three examines a number of security standards. Kerberos gets two whole chapters, since we are provided with not only concepts but actual packets: version 4 in thirteen and 5 in fourteen. PKI (Public Key Infrastructure) terms, components, and mechanisms are outlined in chapter fifteen. The basic problems in real-time communications security are delineated in chapter sixteen. Chapter seventeen examines the authentication and encryption aspects of IPsec, while chapter eighteen deals with key exchange packets. SSL and TLS (Transport Layer Security) are described in chapter nineteen. Part four concentrates on electronic mail. Chapter twenty lays out the major concerns and problems. Chapter twenty one discusses PEM and S/MIME (Secure Multipurpose Internet Mail Extensions). PGP is covered in chapter twenty two. Part five contains miscellaneous topics. Chapter twenty three looks at firewalls, twenty four at a variety of specific security systems, and twenty five at Web issues. Folklore, in chapter twenty six, briefly lists a number of simple "best practices" that aren't generally part of formal security literature. The explanations are thorough and well written, with a humour that illuminates the material rather than obscuring it. The organization of the book may be a bit odd at times (the explanation of number theory comes only after the discussion of encryption that it supports), but generally makes sense. (It is, sometimes, evident that later text has created chapters that are slightly out of place.) The end of chapter "homework" problems are well thought out, and much better than the usual reading completion test. If there is a major weakness in the book, it is that the level of detail seems to vary arbitrarily, and readers may find this frustrating. Overall, though, this work provides a solid introduction and reference for network security related topics and technologies. copyright Robert M. Slade, 1996, 2002 BKNTWSEC.RVW 20021106 rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
BKWBSPCM.RVW 20021106 "Web Security, Privacy and Commerce", Simson Garfinkel/Gene Spafford, 2002, 0-596-00045-6, U$44.95/C$67.95 %A Simson Garfinkel simsong@aol.com %A Gene Spafford spaf@cs.purdue.edu %C 103 Morris Street, Suite A, Sebastopol, CA 95472 %D 2002 %G 0-596-00045-6 %I O'Reilly & Associates, Inc. %O U$44.95/C$67.95 800-998-9938 707-829-0515 nuts@ora.com %O http://www.amazon.com/exec/obidos/ASIN/0596000456/robsladesinterne %P 756 p. %T "Web Security, Privacy and Commerce" Anyone who does not know the names Spafford and Garfinkel simply does not know the field of data security. The authors, therefore, are well aware that data security becomes more complex with each passing week. This is, after all, the second edition of what was originally published under the title "Web Security and Commerce," and, while it is still recognizable as such, the work is essentially completely re- written. The authors note, in the Preface, that the book cannot hope to cover all aspects of Web security, and therefore they concentrate on those topics that are absolutely central to the concept, and/or not widely available elsewhere. Works on related issues are suggested both at the beginning and end of the book. A greatly expanded part one introduces the topic, and the various factors involved in Web security. Chapter one is a very brief overview of Web security considerations and requirements, with some material on general security concepts and risk analysis. The underlying architecture of the Web is examined in chapter two, although this is basically limited to Internet structures. (While the material is quite informative, perhaps some examples of HTTP [HyperText Transfer Protocol] would add value.) Cryptography is explained reasonably well in chapter three: there is no in-depth discussion of cryptographic algorithms, but these details can be readily found in other works. Chapter four deals with cryptographic uses, and also with legal restrictions. The concepts and limitations of SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are given in chapter five, although the operational details are not covered. Chapter six starts out with a general discussion of identification and authentication,but then gets bogged down in the details of using PGP (Pretty Good Privacy). The coverage of digital certificates, in chapter seven, is likewise constricted by a dependence upon system technicalities. Part two concerns the user. Chapter two looks at the various possible problems with browsers, not all of which are related to Web page programming. Chapter eight looks analytically at the possible invasions of privacy that can occur on the Web. Some non-technical techniques of protecting your privacy, such as good password choice, are described in chapter nine, with various technical means listed in chapter ten. Chapter eleven reviews backups and some physical protection systems. ActiveX and the limitations of authentication certificates, as well as plugins and Visual Basic, are thoroughly explored in chapter twelve. Java security is only marginally understood by many "experts," and not at all by users, so the coverage in chapter thirteen is careful to point out the difference between safety, security, and the kind of security risks that can occur even if the sandbox *is* secure. Part three details technical aspects of securing Web servers. Chapter fourteen looks at physical security and disaster recovery measures. Traditional host security weaknesses are reviewed in chapter fifteen. Rules for secure CGI (Common Gateway Interface) and API (Application Programmer Interface) programming are promulgated in chapter sixteen, along with tips for various languages. More details on the server- side use of SSL is given in chapter seventeen. Chapter eighteen looks at specific strengthening measures for Web servers. You legal options for prosecuting a computer crime is reviewed in chapter nineteen. Commercial and societal concerns in regard to content are major areas in Web security, so part six reviews a number of topics related to commerce, as well as other social factors. Chapter twenty discusses a number of technical access control technologies, by system. Obtaining a client-side certificate is described in chapter twenty one. Microsoft's Authenticode system is reviewed yet again in chapter twenty two. Censorship and site blocking are carefully examined in chapter twenty three. Privacy policies, systems, and legislation are reviewed in chapter twenty four. Chapter twenty five looks at current non-cash payment systems, and the various existing, and proposed, digital payment systems for online commerce. Having already studied criminal problems earlier, the book now turns to civil and intellectual property issues, such as copyright, in chapter twenty six. Although it has almost nothing to do with Web security as such, I very much enjoyed Appendix A, Garfinkel's recounting of the lessons learned in setting up a small ISP (Internet Service Provider). (I suppose that this could be considered valid coverage of Web commerce.) The other appendices are more directly related to the topic, including the SSL protocol, the PICS (Platform for Internet Content Selection) specification, and references. Although the material has been valuably expanded and updated, some of the new content is less worthwhile. The extensive space given to specific products will probably date quickly, although the surrounding conceptual text will continue to provide helpful guidance. Certainly for anyone dealing with Web servers or running ISPs, this is a reference to consider seriously. copyright Robert M. Slade, 1998, 2002 BKWBSPCM.RVW 20021106 rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
Please report problems with the web pages to the maintainer