Columnist Robert Lemos says the Bush administration's plan to ask home computer users to secure their systems as part of its "National Strategy to Secure Cyberspace" is a misguided effort. Citing the prevalence of users who still call tech support wondering why their computer won't turn on (because they've neglected to plug it in), Lemos says: "The experts are guilty of wrongheaded thinking in relying upon home users to shore up the nation's security. Frankly, that's somebody else's job. Home users are responsible for protecting their own important data. But it's a dangerous illusion to believe they will take better precautions after authorities ask them to upgrade their cyberdefenses." Lemos says the government instead should be focusing on persuading the ISPs "to protect cyberspace from home users. There are simple technologies for doing this. Source egress filtering — a technique for preventing users from sending data with a false source address, useful in denial-of-service attacks — should be the norm. Companies filter e-mail messages for any viruses and disallow several types of executable attachments; ISPs should do the same." Security expert Dorothy Denning says the only question left is, who will pay? "Once you start formalizing where we are going to put liability, the questions start coming up about who's going to pay for it. And, almost anywhere you put it, the costs are going to end up coming back to the users." [CNet News.com 29 Oct 2002; NewsScan Daily, 29 October 2002] http://news.com.com/2010-1071-963614.html?tag=lh [This seems like old news to long-time RISKS readers, but the fundamentally inadequate approach of relying only on users to do something rather palliative totally ignores the rampant vulnerabilities in the computer-communication systems provided by mass-market software developers, ISPs, and others. 
It seems to reflect an abysmal lack of understanding of or perhaps willful obliviousness to the pervasiveness of problems associated with security and other trustworthiness issues (reliability, survivability, etc.) by folks who should know better... The marketplace does not solve these problems. PGN]
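The "source egress filtering" Lemos mentions is a per-port check an access ISP can make: a packet leaving a customer link is forwarded only if its source address lies in the prefix assigned to that link (and is not private or otherwise unroutable space). The Python below is an added illustration of that decision logic, not code from the article or from any ISP; the port names, the customer prefixes (taken from documentation ranges) and the packet trace are all constructed.

```python
"""Anti-spoofing source-address filter on an ISP's customer-facing ports.

Added illustration; the ISP, port names, prefixes and trace below are constructed.
"""
import ipaddress
from collections import Counter
from typing import Dict, Iterable, Tuple

# Constructed customer assignments: the only prefix each access port may source traffic from.
CUSTOMER_PREFIXES: Dict[str, ipaddress.IPv4Network] = {
    "cust-a": ipaddress.ip_network("203.0.113.0/28"),
    "cust-b": ipaddress.ip_network("198.51.100.64/26"),
}

# Address space that is never a legitimate source on a customer link
# (RFC 1918, loopback, link-local, multicast, reserved).
BOGONS = [
    ipaddress.ip_network(n)
    for n in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
              "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")
]


def egress_decision(port: str, src: str) -> str:
    """Return 'accept' or 'drop' for a packet leaving `port` with source address `src`.

    The source must parse, must fall inside the prefix assigned to the port, and
    must not be a bogon. Unknown ports and unparsable addresses fail closed.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop"
    prefix = CUSTOMER_PREFIXES.get(port)
    if prefix is None or addr.version != prefix.version:
        return "drop"
    if any(addr in bogon for bogon in BOGONS):
        return "drop"
    return "accept" if addr in prefix else "drop"


def filter_trace(packets: Iterable[Tuple[str, str, str]]) -> Counter:
    """Apply the filter to (port, src, dst) tuples; count results by (port, decision)."""
    counts: Counter = Counter()
    for port, src, _dst in packets:
        counts[(port, egress_decision(port, src))] += 1
    return counts


# Constructed trace: each customer sends legitimate traffic plus packets with
# forged or private source addresses of the kind used in reflection/DoS attacks.
SAMPLE_TRACE = [
    ("cust-a", "203.0.113.5", "192.0.2.10"),
    ("cust-a", "198.51.100.70", "192.0.2.10"),   # forged: belongs to cust-b's prefix
    ("cust-a", "192.0.2.99", "192.0.2.10"),      # forged: not assigned to this ISP
    ("cust-b", "198.51.100.100", "192.0.2.10"),
    ("cust-b", "10.1.2.3", "192.0.2.10"),        # private source leaking out
]

if __name__ == "__main__":
    for key, n in sorted(filter_trace(SAMPLE_TRACE).items()):
        print(key, n)
```

The check is cheap because it is static per port; the operational cost Lemos and Denning argue about is keeping the port-to-prefix table correct as customers move, which is why the function drops rather than accepts when a port is missing from the table.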
Autotote (a subsidiary of Scientific Games Corp in New York state) develops the software for most of the nation's off-track betting systems. One of its programmers apparently "software-engineered" the system to yield a $3 million Pick Six payoff from the Catskill NY OTB site, to be collected by a man in Baltimore who had placed his bets by phone before the first race. The bets were somewhat unusual: picks for the first four races, and wild-card multiple bets spanning all possibilities for the remaining two races. Because of a design decision to minimize loading of the Autotote system, local OTB data on the first four sets of bets is not posted to the host network until just after the first four results are known. Apparently, a little internal engineering resulted in the first four bets being altered to name the winners of the first four legs, including 26-to-1 and 13-to-1 long shots, along with all possible combinations for the fifth and sixth races. The Baltimore man was the only person with the winning Pick-6 combination, and also had consolation combinations for picking 5 out of 6. We presume some sort of collusion. However, a spokesman for SGC said that their anomaly detection system caught this event before any payoffs occurred, after which 72 other consolation winners were then allocated proportionally larger sums. He added that he and his technical people had "considered it absolutely impossible" to hack into the system. One wag later posted a note on the SGC Internet Web site asking if he could still post a bet on those races. Incidentally, the programmer has been fired, and the case is under investigation. [Source: Computer programmer fired in Pick Six investigation, Greg Sandoval and John Scheinman, *The Washington Post*, 1 Nov 2002, D01; PGN-ed] [In this forum, we have long been noting many of the risks in gambling systems as well as in electronic voting systems. 
Even in a system that has seemingly been carefully designed for security and integrity, a little bit of insider action can result in very nasty results. PGN]
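The weakness in the item above is structural: the full bet record stays under local control until after the results are known, so whoever controls the local system can rewrite it. One mitigation is to send the host a short commitment (a hash of the canonical bet record) before the first race, even while the bulky full record is deferred; the later upload is then accepted only if it hashes to what was committed. The Python below is an added illustration of that commit-then-upload check, not Autotote's design; the bet record, site name and race winners are constructed, and it assumes the host can mark when betting closed.

```python
"""Commit-before-post integrity check for deferred bet uploads.

Added illustration, not the actual Autotote design. Assumes the local site can send a
per-bet digest to the host before the first race and that the host records post time.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple


def canonical_bytes(bet: dict) -> bytes:
    """Deterministic serialization so site and host hash identical bytes."""
    return json.dumps(bet, sort_keys=True, separators=(",", ":")).encode("utf-8")


def commitment(bet: dict) -> str:
    """SHA-256 over the canonical record; only this digest leaves the site before post time."""
    return hashlib.sha256(canonical_bytes(bet)).hexdigest()


class HostLedger:
    """Host side: collects commitments before post time, verifies deferred records against them."""

    def __init__(self) -> None:
        self._commitments: Dict[str, str] = {}
        self._closed = False

    def receive_commitment(self, bet_id: str, digest: str) -> None:
        if self._closed:
            raise ValueError("betting closed: commitment for %s refused" % bet_id)
        if bet_id in self._commitments:
            raise ValueError("duplicate commitment for %s" % bet_id)
        self._commitments[bet_id] = digest

    def close_betting(self) -> None:
        self._closed = True

    def accept_full_record(self, bet: dict) -> bool:
        """True only if exactly this record was committed before betting closed."""
        expected = self._commitments.get(bet["bet_id"])
        if expected is None:
            return False          # never committed in time: reject
        return hmac.compare_digest(expected, commitment(bet))


# Constructed bet: single picks in legs 1-4, "all" wildcards in legs 5 and 6.
ORIGINAL_BET = {
    "bet_id": "catskill-000123",
    "site": "catskill-otb",
    "legs": [["4"], ["2"], ["7"], ["1"], ["all"], ["all"]],
    "stake_cents": 1200,
}
# Constructed results: winners of the first four legs, none picked by the original bet.
FIRST_FOUR_WINNERS: List[str] = ["9", "5", "3", "8"]


def altered_after_results(bet: dict, winners: List[str]) -> dict:
    """Model the insider edit: overwrite the first legs with the now-known winners."""
    tampered = json.loads(json.dumps(bet))  # deep copy
    tampered["legs"] = [[w] for w in winners] + bet["legs"][len(winners):]
    return tampered


def run_scenario() -> Tuple[bool, bool]:
    """Return (honest_record_accepted, tampered_record_accepted)."""
    host = HostLedger()
    # Before the first race: only the digest travels to the host.
    host.receive_commitment(ORIGINAL_BET["bet_id"], commitment(ORIGINAL_BET))
    host.close_betting()
    # After the first four results: the deferred full records are uploaded.
    honest_ok = host.accept_full_record(ORIGINAL_BET)
    tampered_ok = host.accept_full_record(
        altered_after_results(ORIGINAL_BET, FIRST_FOUR_WINNERS))
    return honest_ok, tampered_ok


if __name__ == "__main__":
    print(run_scenario())  # (True, False)
```

The check only helps if the digest channel and the host's record of post time are outside the local programmer's reach; a keyed MAC computed at the site would add nothing, since the same insider would hold the key. It complements, rather than replaces, the anomaly detection that actually caught this case.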
iVotronic voting machines lost 294 votes at an early voting site in Wake County, NC due to a "glitch in the software". Officials apparently have the names of the voters but have lost their virtual ballots. They are trying to contact the voters so that they can revote. Given the times and locations in the article, I may be one of those voters! http://newsobserver.com/news/triangle/story/1876251p-1865783c.html
A recent revision to the timezone files used by (among other operating systems) FreeBSD highlights an unforeseen risk of electronic voting. This year the Brazilian elections were sufficiently close that a second round of voting is required. This will take place on October 27th, which would normally be after the DST transition. The Brazilian Constitution requires elections to start at 8am and finish at 5pm. However, Brazil's vote counting systems are computerised, and the electoral machines cannot have their internal clock changed. Rather than change the constitution, or do the necessary timezone adjustments to the output of the electoral machines, Brazil's government decided to postpone the DST transition. The diff (at http://www.freebsd.org/cgi/cvsweb.cgi/src/share/zoneinfo/southamerica.diff?r1=1.19&r2=1.20) has more details in the comments.
The *Sueddeutsche Zeitung* in Munich reports: Thanks to a rather absurd accident, dozens of suspected extremists and criminals obtained proof that their phones were being tapped by German security services. A few days ago, they received from their phone company O2 an invoice that listed and billed connections to a mailbox unknown to them. For instance, a man in Berlin was asked to pay phone charges of 15.35 euros for 53 connections made during 3-30 September 2002, always to the same mailbox. At the listed number, a voice informs the caller about a lack of authorization. The accident was discovered when the customer complained to his phone company. Security sources confirmed Monday that around 50 persons, all of whose phone numbers start with +49 179, had been invoiced for eavesdropping costs. Initially, the authorities suspected a much larger number of persons, because the number of phone taps is high. According to the latest information from the telecommunication services providers, almost 20000 lines are being recorded at present in Germany. The number of lines under surveillance has increased particularly significantly since 11 September 2001. Security services contacted O2 in Munich immediately after the accident was noticed and stopped the delivery of printed but not yet mailed invoices. Security service sources claimed that the problem was triggered by a software update. [Summarizing translation by M. Kuhn] Source: Annette Ramelsberger: "Beweis auf dem Silbertablett - Durch Panne tauchten Abhörkosten auf Telefonrechnung auf", Sueddeutsche Zeitung, Munich, Germany, 2002-10-31. http://www.sueddeutsche.de/aktuell/sz/getArticleSZ.php?artikel=artikel4992.php Markus Kuhn, Computer Lab, Univ of Cambridge, GB http://www.cl.cam.ac.uk/~mgk25/ | __oo_O..O_oo__ [This article also noted by Martyn Thomas. 
In addition Florian Liekweg, IPD Universität Karlsruhe, reported on an article in *Frankfurter Rundschau*, with original German at http://www.heise.de/newsticker/data/jk-30.10.02-006/ O2 was formerly known as Viag Interkom. PGN]
[I have to wonder what happened to basic software testing?] If you stayed at a Holiday Inn, Holiday Inn Express, or Crowne Plaza hotel and checked out between 24 Oct and 26 Oct 2002, you are likely to have been one of 26,000 people who were charged 100 times what they owed, such as $6,500 to $21,000 per night. A credit-processing error resulted in the decimal points being dropped. Most of the charges were later reversed, although many people discovered that their credit limits had been exhausted. Overcharged guests will get two free nights at any of those hotels. [Source: Article by Russ Bynum, Associated Press, 01 Nov 2002; PGN-ed] http://story.news.yahoo.com/news?tmpl=story2&u=/ap/20021101/ap_on_re_us/guests_overcharged
*Wall Street Journal*, 31 Oct 2002, p. D10, American Revised Training Methods in Wake of Crash The role of simulators in predisposing pilots to particular strategies is part of the NTSB investigation into last year's crash of AA flight 587. From the article... "Mr. Young said that until earlier this year, American flight instructors routinely set the stage for practicing upset recoveries in simulators by telling pilots to pretend they had just entered the wake of a preceding jumbo jet. Then the simulator was instructed to depict a sharp roll or steep nose-up maneuver, which typically required a fair amount of rudder input to correct." This resembles issues surrounding decoding any constructed "word problem" into a "math problem". Scenario setters decided on the physical forces -- and it seems from this report, the solution — then programmed it into the simulator; the equivalent of a fully articulated mathematical problem. Then they gave the pilots a scenario and set them loose to discover the biological/mathematical simulated solution in the cockpit. Conclusions drawn from Mr. Young's testimony differ, and the NTSB investigation is incomplete. Yet this seems to suggest the increasing difficulty of adequately simulating our complex machinery for correct operations under real-world conditions.
George White comments that "Years ago, pilots carried circular slide rules to perform fuel and distance calculations." Let me be one of the many who comment that they still do, at least those of us in general aviation. I was certainly trained to use an E6B when I got my pilot's license about a year ago, and I've never used anything else. The E6B can do time/speed/distance/fuel burn, crosswind corrections, temperature and statute<->nautical mile conversions and a few others I forget at the moment. It's more or less unchanged since WWII: cheap, durable, very fast (I can often beat people using an "electronic E6B", and my instructor made me look slow), and it has no batteries to die at the wrong moment. See http://www.sphere.bc.ca/test/sliderules/103-aristo-aviat-617.jpg for a photo of a typical one. Eric D. Remy, Instructional Technology Coordinator Randolph-Macon Woman's College (434) 947-8618 x7 firstname.lastname@example.org
This is a re-posting from the Politech list, with comments. The news report first, comments by Declan McCullagh second, comments by me third. Date: Wed, 23 Oct 2002 10:10:45 -0400 From: Bob <email@example.com> To: firstname.lastname@example.org Subject: ID Chip's Controversial Approval Wired.com, 23 Oct 2002 http://www.wired.com/news/politics/0,1283,55952,00.html A surprise decision by the Food and Drug Administration permits the use of implantable ID chips in humans, despite an FDA investigator's recent public reservations about the devices. The FDA sent chip manufacturer Applied Digital Solutions a letter stating that the agency would not regulate the VeriChip if it was used for "security, financial and personal identification or safety applications," ADS said Tuesday. But the FDA has not determined whether the controversial chip can be used for medical purposes, including linking to medical databases, the company added... Declan McCullagh's Comments: [There are two obvious questions: Should federal bureaucrats forcibly prevent a company from selling implantable chips of this sort? And would it be desirable for society to adopt these chips? I think the answer to the first is "no," and the answer to the second is also "no." I would not stop by government force or intervention people from using such implants, but it is reasonable to be concerned about what might happen with widescale adoption and speak out against it. Previous Politech message: http://www.politechbot.com/p-03135.html --Declan] Roger's Comments: In the early 1990s, I wrote about what I call 'imposed identifiers': http://www.anu.edu.au/people/Roger.Clarke/DV/HumanID.html#Imposed I also mused about prosthetisation of humans in: http://www.anu.edu.au/people/Roger.Clarke/SOS/Asimov.html For some years, I used the-chip-in-your-neck as a shock tactic in a lot of presentations. 
After the initial reaction of disbelief, audiences were forced to accept the line of argument that the institutionalised would be the first - prisoners, prisoners on day-release, senile dementia patients. Over a few short years, people have become inured to the shock-tactic. In response to press reports of the FDA announcement, there will be murmurs of 'oh, isn't it awful', and then parents will resume pumping chips into children (for what reason I've yet to work out), and Professor Warwick will become even more of a celebrity, with every failure reported in Wired Magazine, and hence the rest of the media, as another step forward. I've not read the psychology literature about the Nazi assault on minorities; but the human race clearly has a genetic predisposition to rationalise the most dehumanising actions being taken in respect not only of other people, but even of one's self. Any kind of external justification will do — technological determinism, cost savings, prompt recognition of cadavers, instructions by the scientist conducting the experiment, or the desires of a belligerent government (Germany of the 30s and 40s, Argentina of the Generals, the Cambodia of Pol Pot, the U.S. of the here and now). Roger Clarke http://www.anu.edu.au/people/Roger.Clarke/ +61 2 6288 1472 Xamax Consultancy Pty Ltd, 78 Sidaway St, Chapman ACT 2611 AUSTRALIA Visiting Professor, Uni of Hong Kong; Visiting Fellow, Australian National U.
BKMISROA.RVW 20020826 "Managing Information Security Risks", Christopher Alberts/Audrey Dorofee, 2003, 0-321-11886-3, U$54.99/C$85.99 %A Christopher Alberts %A Audrey Dorofee %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8 %D 2003 %G 0-321-11886-3 %I Addison-Wesley Publishing Co. %O U$54.99/C$85.99 416-447-5101 fax: 416-443-0948 %P 471 p. %T "Managing Information Security Risks: The OCTAVE Approach" Part one is an introduction to risks and risk evaluation. Chapter one is a generic, and not particularly clearly written, outline of a basic risk analysis process. The OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) process is described in chapter two, along with various principles, factors (called attributes), and three phases of outputs (or deliverables) of the process. Part two presents more details of the method. Chapter three runs through the outcomes and attributes again, but in a confusing fashion. "Preparing for OCTAVE," in chapter four, is a fairly generic outline of preparation for any kind of planning. Chapter five begins a list of the individual processes of OCTAVE, but essentially says that the company should identify assets, threats and vulnerabilities. The creation of threat profiles, in chapter six, is the first part of the process that actually presents details and tools that might help in risk analysis. Chapter seven suggests that you identify key components of an asset, but, again, does not offer a specific process for doing so. Evaluating selected components, in chapter eight, seems to be merely subdividing asset threat analysis. Risk analysis is vaguely and briefly covered in chapter nine. Chapters ten and eleven contain pedestrian advice about developing a protection strategy. Part three talks about variations to OCTAVE. Chapter twelve discusses the tailoring of OCTAVE, but since OCTAVE itself is rather vague, it is difficult to understand the options for alteration. 
Chapter thirteen asserts that OCTAVE is suitable for a variety of situations: since the process is so generic this is probably true. Chapter fourteen recommends reviewing or redoing an OCTAVE assessment from time to time--just like any risk analysis. Appendix B lists a variety of worksheets for risk analysis which could be quite useful. This book is written in such a nebulous manner that it is difficult to say whether OCTAVE is an obscure method, or whether it is simply poorly explained. copyright Robert M. Slade, 2002 BKMISROA.RVW 20020826 email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
BKEW101.RVW 20020902 "EW 101: A First Course in Electronic Warfare", David Adamy, 2001, 1-58053-169-5, U$89.00 %A David Adamy %C 685 Canton St., Norwood, MA 02062 %D 2001 %G 1-58053-169-5 %I Artech House/Horizon %O U$89.00 800-225-9977 fax: 617-769-6334 email@example.com %P 308 p. %T "EW 101: A First Course in Electronic Warfare" The book is based on the "EW 101" columns in the "Journal of Electronic Defense." It is, in fact, the first sixty such columns, structured into chapters and linked with additional material. Electronic warfare (EW), as chapter one tells us, is intended to reserve the electromagnetic spectrum for friendly use, while denying it to the enemy. We may be using the spectrum for communications, such as radio, although the primary concern seems to be with remote sensing, such as radar. EW is not concerned with such activities as interception of enemy communications, or the design of directed energy weapons. Chapter two covers basic mathematics necessary for working with EW, such as logarithms (for working with decibel, or dB, representations) or spherical trigonometry. There is a very clear discussion of antenna characteristics, uses and design considerations in chapter three. Chapter four does the same thing for receivers, with an added examination of the concept of sensitivity. Processing of received signals is dealt with in chapter five, with a special concentration on display for and to the user (generally a pilot or signals officer). Chapter six looks at the multidimensional and multitechnology problem of the search for "threats" (as radio emitters are known in electronic warfare circles). "Low probability of intercept" (LPI) signals are the topic of chapter seven, which emphasizes the considerations in regard to spread spectrum technology. Various techniques for locating emitters are covered in chapter eight. 
Chapter nine deals with the many different types of jamming, and the power calculations necessary to concepts such as "burn through" range. Different types, missions, and purposes of decoys are discussed in chapter ten. Chapter eleven examines a wide variety of considerations involved in simulations. As the title notes, for those interested in an introduction to the topic, this book is an informative and interesting tutorial, readable, and with a minimum of mathematics necessary to the topic. copyright Robert M. Slade, 2002 BKEW101.RVW 20020902 firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
BKDRPGFM.RVW 20020825 "Disaster and Recovery Planning", Joseph F. Gustin, 2002, 0-13-009289-4 %A Joseph F. Gustin %C One Lake St., Upper Saddle River, NJ 07458 %D 2002 %G 0-13-009289-4 %I Prentice Hall %O U$ +1-201-236-7139 fax: +1-201-236-7131 %P 304 p. %T "Disaster and Recovery Planning: A guide for Facility Managers" Despite the title, and a number of the topics covered, this book seems to have more to do with business continuity than disaster planning. Chapter one does talk about disaster types (and lists not-so-recent disasters), and has a rough outline of basic parts of the planning process. Some US regulations that may influence plans are discussed in chapter two. Immediate emergency response is reviewed in chapter three. Chapter four talks about types of disasters again (and, again, the examples are fairly old). Fire protection and response, in chapter five, is very uneven in the level of detail, and concentrates heavily on technicalities in regard to exits. Bomb threat response, in chapter six, emphasizes searching techniques. Evacuations are covered in chapter seven. Chapter eight encompasses earthquakes, with the major emphasis being on structural design to prevent damage. Computer and data protection, in chapter nine, is poor and brief. Chapter ten is a simplistic look at power requirements. There is a set of generic loss prevention strategies in chapter eleven. Crisis planning, in chapter twelve, is primarily concerned with handling the media. Chapter thirteen, putting the plan together, is pedestrian, but reasonably comprehensive. The final chapter, on managing the recovery, is very thorough. For those new to business continuity planning, this book does provide some basic outlines and tips. But for those who have worked with disaster or continuity planning to any extent, there is nothing new here. copyright Robert M. Slade, 2002 BKDRPGFM.RVW 20020825 firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
Security and Control of IT in Society (SCITS) III
Special Track on SEC'2003, 18th IFIP International Information Security Conference
Athens Chamber of Commerce and Industry, 26-28 May 2003, Athens, Greece
www.sec2003.org
[Contact firstname.lastname@example.org for instructions. Papers must be received by November 12, 2002. PGN]

Papers offering novel research contributions in any aspect of IT Misuse and the Law are solicited for submission to this Special Track of the 18th IFIP International Information Security Conference. Papers may present theory, applications or practical experiences (e.g. case studies) on topics including, but not limited to:
- High-tech crime prevention, detection, and investigation
- International Cooperation in fighting high-tech crime
- Computer Forensics
- IT law for preventing Misuse
- Social and Legal Risks through interception and tracking technologies
- Data retention vs. privacy in communication and archived systems
- Crypto / Anonymity debate
- Protecting users/usees by Privacy-Enhancing Technologies
- Perception of security in society
- Behavioral issues of information security
- Security awareness
- Users' security responsibilities
- Critical Information Infrastructure Protection and Social Implications
- Adequacy and Inadequacy of the Law
- Multilateral Security
- Social, legal and ethical aspects of IT security