secedu · Our mission is to provide an open forum for educators in information
Group Information

  • Members: 138
  • Category: Security
  • Founded: Sep 20, 1999
  • Language: English
#290 From: Fred Cohen <fc@...>
Date: Fri Aug 24, 2001 2:49 pm
Subject: Discussions surrounding running cyber defenders and similar groups
I have decided to invite several of the folks who run NSF funded
security education scholarship programs to join this group - along with
the members of the CCD team at Sandia - to facilitate more widespread
discussion of the issues surrounding such programs.  This forum will be
used for that purpose unless and until there is a consensus to fork a
different group for the purpose.

Group members might be interested in reading these articles:

The "CyberCorps" fellowships support US citizens who are working towards
an undergraduate or Masters degree in Information Assurance with the
requirement that students work for a federal agency upon graduation.
Six Universities were selected to participate in the first year of the
program: Carnegie Mellon University, Iowa State University, Purdue
University, the University of Idaho, the University of Tulsa, and the
Naval Postgraduate School.  See Colleen O'Hara's articles in Federal
Computing Week (5/23/01, 5/28/01):
www.fcw.com/fcw/articles/2001/0521/web-nsf-05-23-01.asp and
www.fcw.com/fcw/articles/2001/0528/mgt-nsf-05-28-01.asp.

FC
--This communication is confidential to the parties it is intended to serve--
Fred Cohen  Fred Cohen & Associates.........tel/fax:925-454-0171
fc@...  The University of New Haven.....http://www.unhca.com/
http://all.net/  Sandia National Laboratories....tel:925-294-2087

#291 From: Fred Cohen <fc@...>
Date: Wed Aug 29, 2001 1:25 am
Subject: "Malicious Mobile Code: Virus Protection for Windows" Released (fwd)
Per the message sent by Kathryn Barrett:

For Immediate Release
August 28, 2001
For more information, a review copy, cover art or an interview with
the author, contact:
Kathryn Barrett (707) 829-0515 ext 387 or kathrynb@...

FIGHTING MALICIOUS MOBILE CODE--O'REILLY AUTHOR
PROVIDES AN EDGE IN THE WAR AGAINST ROGUE TECHNOLOGY

Sebastopol, CA--Contrast the experience of spying, then deleting or
otherwise disarming a virus-infected attachment in your email with the
feeling that accompanies the discovery that a remote access Trojan has
invaded your hard drive and ground your computer to a halt. The first
brings a secret thrill of victory, while the second leaves you feeling
violated and powerless. The truth is that malicious mobile code can be
destructive, causing hours of lost time, lost data and enormous
inconvenience to the recipient of the code. Nor is the prevalence of
malicious mobile code diminishing. According to Roger Grimes, author of
"Malicious Mobile Code: Virus Protection for Windows" (O'Reilly, US
$39.95), it is a technical war. The idea that someone could write
malicious code and spread it to 60 million computers in a matter of
hours is no longer a fantasy.

"Some antivirus companies are cataloging 200-400 new malicious programs
a month, with some vendors saying their products now catch over 54,000
different bugs," says Grimes. "If the general public knew what was
possible, they might not want to get on the Internet. There are
automated malicious programs, bots, and scripts, all designed to fight
it out with the good guys. They look for weaknesses in control and then
automate the attack."

Malicious mobile code is destructive self-replicating code, such as a
virus or worm that is loaded onto a computer without the user's
knowledge and runs against the user's wishes. Even a simple virus can
quickly use all available memory and bring a system to a standstill.
Grimes, who has been fighting malicious mobile code in many forms since
1987, provides information to help system administrators and users
understand the issues of malicious mobile code on Windows systems.

"The rapid pace of malicious mobile code is starting to make
conventional antivirus protection tools ineffective," says Grimes.
"Everything is now connected to the Internet and new technologies make
it easier than ever to send rogue code."

The good news is that there are effective ways to thwart Windows
malicious code attacks. "Malicious Mobile Code: Virus Protection for
Windows" offers chapters on each of the different types of "rogue"
codes filled with comprehensive information on each type of attack,
including how the attack works, how to recognize symptoms of the
attack, and how to protect your system. Grimes covers viruses, Trojans
and worms, ActiveX and Java exploits, DOS viruses, Macro viruses,
browser-based exploits, email attacks and instant messaging attacks.

In addition to covering the various types of malicious mobile code,
Grimes provides insight into the current state of malicious code
writing and the cracker community. For those who wonder about what type
of person would write malicious mobile code and why, Grimes presents a
detailed picture of the very active virus-writing subculture and what
motivates it.

"Malicious Mobile Code: Virus Protection for Windows" was written for
intermediate and advanced level personal computer users, as well as
network administrators who are interested in protecting Windows-based
computer assets against malicious mobile code. Drawing on his extensive
experience and research, Grimes details the best ways to configure
Windows for maximum protection, what a DOS virus can and can't do, what
today's biggest threats are, and other important and frequently
surprising information. Users everywhere will find "Malicious Mobile
Code" to be the essential guide for securing a system from catastrophic
loss.

An article by the author, "Not Your Mother's Computer Virus" may be
found at:  http://windows.oreilly.com/news/virus_0500.html

Chapter 11, "Malicious ActiveX Controls," is available free online at:
http://oreilly.com/catalog/malmobcode/chapter/ch11.html

For more information about the book, including Table of Contents,
index, author bio, and samples, see:
http://oreilly.com/catalog/malmobcode/

For a cover graphic in jpeg format, go to:
ftp://ftp.ora.com/pub/graphics/book_covers/hi-res/156592682x.jpg

Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
August 2001
ISBN 1-56592-682-X, 522 pages, $39.95 (US)
order@...
1-800-998-9938

About O'Reilly
O'Reilly & Associates is the premier information source for
leading-edge computer technologies. We communicate the knowledge of
experts through our books, conferences, and web sites. Our books, known
for their animals on the covers, occupy a treasured place on the
shelves of the developers building the next generation of software. Our
conferences and summits bring innovators together to shape the
revolutionary ideas that spark new industries. From the Internet to the
web, Linux, Open Source, and now peer-to-peer networking, we put
technologies on the map. For more information: http://www.oreilly.com

#292 From: Fred Cohen <fc@...>
Date: Fri Sep 7, 2001 1:23 pm
Subject: [fc:Computer-Security-is-Like-Military-Intelligence-A-Contradiction]
Computer Security is Like Military Intelligence-A Contradiction
Future Banker, 9/6/2001

As banks of all sizes push their on-line treasury management systems
farther down the corporate food chain, their risk of being hacked rises,
because the systems of smaller companies are typically less well-
protected than bank systems.

So the more successful banks are selling service, the more vulnerable
they are. "You're joining systems together, and every time there's a
join, you get a risk," says Alan Matthews, CEO of Rapid 7, a computer
security firm. "You're creating more layers between end users, and
anytime there are layers, you have danger."

This is a bigger problem than people think, says Matthews, because
smaller banks and larger banks are linked. So once a hacker has
penetrated, say, a pet food store's computers and used them to attack
that company's local bank, the hacker is well-launched to cruise
wherever he or she wants.

Of course, Matthews is in the security business-security types depend
for business on feelings of insecurity, just as financial companies
depend on the image of security. But Matthews still says hack attacks
are easier to launch than most people think. Not only are there large
numbers of hacker sites with ready-made attack programs available for
the taking; the better security gets, the more it tends to assume a
homogenous format. The more it assumes a homogenous format, the greater
the value of breaking the security-and thus, the greater likelihood of
attack.

Matthews says the best security models tend to be those which allow
broad information exchange. But these hold more information, which is
more valuable to crack. And that makes it more likely that people will
try to hack it. Popularity usually begets success in the hacking game.
Matthews is not a fan of digital certificates. Since most are based on a
single algorithm, all public/private key infrastructures are equally
vulnerable, to the extent the algorithm can be broken-has been shown.
"It makes it very easy to de-encrypt information en masse," he says.
Even so, since it's currently state-of-the-art encryption, digital
certificates are likely to spread across the most sensitive parts of the
digital landscape.

Matthews argues when digital certificates are used for encryption the
certificate only encrypts the key that secures the data. The precious
data itself is usually encrypted with a weaker encryption technology.
This weakness is unavoidable since digital certificates multiply the
amount of data a computer needs to deal with as much as 15
times-straining the capacity of any system to deal with the
transmission.

Institutions that invest in digital certificates aren't safe, says
Matthews, because a hacker with any brains or skill who wants to poke
around a major, well-protected firm wouldn't attack the big bank
directly anyway-he or she would attack a smaller bank that probably has
weaker security, and then breach the firewall.

This makes committing real crime easy, says Matthews. "If I were an
intelligent black hat, I would be writing programs that dug deep into
the recesses of things like wide-spread accounting programs, and learn
how to mail checks to myself, or just create accounts and put very small
positive balances in them, and then call up the company rather later and
ask for a credit," he says.

#293 From: "David W. Ford" <dwford@...>
Date: Fri Sep 7, 2001 2:42 pm
Subject: RE: [fc:Computer-Security-is-Like-Military-Intelligence-A-Contradiction]
Philosophical and sociological value: 8
Technical accuracy: 0

I can't believe a security expert is so misguided on cryptography and use of
hybrid encryption systems.  Now if he had stated that the problems with the
cryptographic applications is in their proper implementation, he would have
been fine.  The algorithms and ciphers are not the weak link here.

About as bad as the journalist I caught comparing 512 bit RSA to 56 bit DES,
claiming that RSA was better because of the bit size.  Sheesh!


David W. Ford, CISSP
Network Knowledge, Inc.
Bozeman, MT
(406) 585-2948       email: dwford@...

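The article and the reply above both turn on the hybrid structure in which the public key protects only a per-message key and that key protects the data. The following is an added example, not code from the list or from either poster, that makes the structure concrete: a key-encapsulation step using a deliberately toy RSA key (a 92-bit modulus built from two hard-coded Mersenne primes, constructed for illustration and unusable for real data) and a data-encapsulation step built from an HMAC-SHA256 keystream with an encrypt-then-MAC tag. It also measures what the public-key step adds to a message, which is a fixed number of bytes regardless of message length.

```python
"""Hybrid (KEM + DEM) encryption sketch.

Added illustration only.  The RSA key below is a toy: a 92-bit modulus
with no padding, chosen so the structure is easy to read.  Real systems
use 2048-bit-or-larger keys with OAEP padding and a standard AEAD cipher.
"""
import hashlib
import hmac
import secrets

# Constructed toy key: p = 2**31 - 1 and q = 2**61 - 1 are Mersenne primes,
# and 65537 is coprime to (p - 1)(q - 1), so the private exponent exists.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
KEM_BYTES = (N.bit_length() + 7) // 8   # size of the wrapped seed: 12 bytes here


def kem_encapsulate(n=N, e=E):
    """Pick a random seed, wrap it with the public key, derive the data key.

    Returns (wrapped_seed, data_key).  Only the seed goes through RSA; the
    data key is a hash of the seed and never appears on the wire.
    """
    seed = secrets.randbelow(n - 2) + 1                 # 1 <= seed <= n - 2
    wrapped = pow(seed, e, n).to_bytes(KEM_BYTES, "big")
    data_key = hashlib.sha256(seed.to_bytes(KEM_BYTES, "big")).digest()
    return wrapped, data_key


def kem_decapsulate(wrapped, d=D, n=N):
    """Recover the seed with the private key and re-derive the data key."""
    seed = pow(int.from_bytes(wrapped, "big"), d, n)
    return hashlib.sha256(seed.to_bytes(KEM_BYTES, "big")).digest()


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, standing in for a block cipher mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _split_keys(data_key):
    """Derive independent encryption and MAC keys from the shared data key."""
    enc_key = hashlib.sha256(b"enc" + data_key).digest()
    mac_key = hashlib.sha256(b"mac" + data_key).digest()
    return enc_key, mac_key


def dem_encrypt(data_key, plaintext):
    """Encrypt-then-MAC data encapsulation: nonce || ciphertext || tag."""
    enc_key, mac_key = _split_keys(data_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def dem_decrypt(data_key, blob):
    """Verify the tag in constant time before touching the ciphertext."""
    enc_key, mac_key = _split_keys(data_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def hybrid_encrypt(plaintext, n=N, e=E):
    """Public-key step wraps the seed; symmetric step carries the data."""
    wrapped, data_key = kem_encapsulate(n, e)
    return wrapped + dem_encrypt(data_key, plaintext)


def hybrid_decrypt(blob, d=D, n=N):
    data_key = kem_decapsulate(blob[:KEM_BYTES], d, n)
    return dem_decrypt(data_key, blob[KEM_BYTES:])


def overhead(plaintext_len):
    """Bytes added beyond the plaintext: wrapped seed + nonce + tag.

    The result does not depend on plaintext_len, because the public-key
    operation is applied to the seed only, never to the data itself.
    """
    return len(hybrid_encrypt(bytes(plaintext_len))) - plaintext_len


def tamper_detected(blob, d=D, n=N):
    """True if flipping one ciphertext bit is rejected by the MAC check."""
    corrupted = bytearray(blob)
    corrupted[KEM_BYTES + 16] ^= 0x01      # first byte of the data ciphertext
    try:
        hybrid_decrypt(bytes(corrupted), d, n)
    except ValueError:
        return True
    return False
```

With a real 2048-bit key the wrapped seed would be 256 bytes instead of 12, but it is still a constant per message, so the ratio of ciphertext to plaintext approaches one as messages grow.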

#294 From: Dale Thompson <dt@...>
Date: Fri Sep 7, 2001 7:09 pm
Subject: Re: [fc:Computer-Security-is-Like-Military-Intelligence-A-Contradiction]
This article has more unevaluated and unsupported hypotheses than a
bank has money.  I'm puzzled as to the purpose of this article on this
listserv.
It seems to be an infomercial. ????????

Dale Thompson
Student
School of Information Studies
Syracuse University





       -~--
       *U*     edthomps@...
       ^--^

#295 From: Fred Cohen <fc@...>
Date: Fri Sep 7, 2001 7:43 pm
Subject: Re:
Per the message sent by Dale Thompson:

> This article has more unevaluated and unsupported hypotheses than a
> bank has money.  I'm puzzled as to the purpose of this article on this
> listserv.
> It seems to be an infomercial. ????????

I put it there because I thought the list members might be interested in it.

FC
--This communication is confidential to the parties it is intended to serve--
Fred Cohen  Fred Cohen & Associates.........tel/fax:925-454-0171
fc@...  The University of New Haven.....http://www.unhca.com/
http://all.net/  Sandia National Laboratories....tel:925-294-2087

#296 From: Dale Thompson <dt@...>
Date: Fri Sep 7, 2001 8:23 pm
Subject: Re:
On second thought, it is actually a very good article for educational purposes.
This is a good reflection of the world of information security.  Many ideas and
concepts are overhyped, the tried and true is under-appreciated, and many more
concepts are novel and untested.  This, the recent spate of security books, and
the upsurge in security education offerings makes it hard to decide where the
educational (not to mention IT) resources should go.

- DT





       -~--
       *U*     edthomps@...
       ^--^

#297 From: Kelley <kwalker2@...>
Date: Sat Sep 8, 2001 2:11 am
Subject: How to Be a Leader in Your Field (Fwd)
Hi,

The forward (below) isn't directly about Infosec Education; instead, it is
an essay by Phil Agre about advanced training, the professions and
leadership. Since some of us are interested in the issue of ethics,
professional ethics and the self-regulating potential (or lack thereof) of
professionalization, I thought it worth sending along. I want to stress my
strong agreement with Phil: the book _Moral Mazes_ by Robert Jackall is an
excellent study of decision-making and business ethics. If you've ever
wondered why firms end up making highly unethical decisions, this book
certainly illuminates how such decisions result from everyday, ordinary
practices, rather than from "bad" people doing "bad" things. Tangentially,
I've always found David Noble's _American By Design_ an excellent
historical study of the rise of the profession of engineering. There are a
wealth of insights that can be applied to IT/IS as an emerging profession, too.

At any rate, when I was studying for the PostHoleDigger, I found articles
like Agre's helpful in thinking about how to organize my energies,
particularly since I tend to enjoy mastering a wide array of subject
matters. It's a virtue in many situations, but too much of it in graduate
school is a vice. :)

Best,

Kelley

--
Kelley Walker
Organizational Researcher/Technical Writer
Interpact, Inc.
www.interpactinc.com

Internet & Computer Ethics for Kids: www.nicekids.net/


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
This message was forwarded through the Red Rock Eater News Service (RRE).
You are welcome to send the message along to others but please do not use
the "redirect" option.  For information about RRE, including instructions
for (un)subscribing, see http://dlis.gseis.ucla.edu/people/pagre/rre.html
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=



    How to Be a Leader in Your Field:
    A Guide for Students in Professional Schools


    Phil Agre
    http://dlis.gseis.ucla.edu/pagre/

    Version of 5 September 2001.
    2400 words.

    This is an early, experimental draft.  Comments appreciated.


A profession is more than a job -- it is a community and a culture.
Professions serve society by pooling knowledge among their members,
and by creating incentives to synthesize new knowledge.  They also
support networking that helps their members to find jobs, recruit
staff, start collaborative projects, and organize around the
issues that affect them.  In a world without change or innovation,
professions would not be necessary.  But in a world where change and
innovation are ever more intense, every occupation needs to develop
more of the institutions and culture of traditional professions such
as law, medicine, engineering, education, librarianship, business,
and architecture.

Every profession has leaders.  In a formal sense, the leaders of
a profession are the elected officers of the professional society.
Because a profession is fundamentally about knowledge, however, the
true leaders of a profession are the thought leaders: the individuals
who synthesize the thinking of the profession's members and articulate
directions for the future.  Sometimes a profession will recognize
its thought leaders by electing them to official positions.  But
often the thought leaders have no such positions, preferring to lead
through writing and speaking, cutting-edge projects, and dialogues
with other professionals in their field.  Leadership means not just
talking but listening, and not just vision but consensus.  A leader
builds a web of relationships within the profession and articulates
the themes that are emerging in the thinking of the profession as a
whole.

In a knowledge-intensive world of ceaseless innovation and change,
every professional must be a leader.  This is not a universally
popular idea.  Some people say, "leadership is fine for some people,
but I just want to get a job".  I want to argue that it doesn't work
that way.  The same skills that the leader exercises in building
consensus around the profession's emerging issues are the same skills
that every individual needs to stay employed at all.  Once upon a
time the leadership-averse could hide out in bureaucracies.  But as
institutions are turned inside out by technology, globalization, and
rising public and client expectations of every sort, the refuges are
disappearing.  Every professional's job is now the front lines, and
the skills of leadership must become central to everyone's conception
of themselves as a professional.

But how?  It is well-known that simply declaring yourself a leader
will not cause anyone to follow you.  The process of becoming a leader
doesn't happen overnight, but it is perfectly methodical.  Here is
a six-step recipe.  Things aren't really this rigid in practice, but
you'll have no trouble varying the recipe once you get used to it.

(1) Pick an issue.  You need an issue that the profession as a whole
is not really thinking about, but which is going to be the center
of attention in five years.  The issue could be technical, strategic,
managerial, policy-related, or all of the above.  It should be fairly
specific, and should directly address the day-to-day work of people
in some segment of the profession.  "Technology" is too big.  You
can find an issue in two ways.  One is to talk to a large number of
dynamic practitioners and notice a pattern in what they are saying.
The other, which is probably more practical while you're a student,
is to talk to people at your professional school.  One purpose
of a professional school is to be the early-warning system for
the profession -- the surveillance center where emerging issues
are articulated, researched, and taught.  Many issues that you take
for granted as lecture and paper topics in your classes actually
represent the farthest horizon so far as most practitioners are
concerned.  Feel free to identify an issue that you care about and
put yourself in charge of raising the profession's awareness of it.
If putting yourself in charge feels arrogant, that's just because
you're not used to it.  Focus on the issue and you'll be fine.

(2) Having chosen your issue, start a project to study it.  You might
do this in context of a term paper, an independent study, or organized
through the local student chapter of a professional association.
Or you might simply do it on your own time.  It's hard work, yes, but
it's an investment, as well as a service to the field.  See if a local
faculty member will sign on as an advisor to the project, and if you
can use the faculty member's name in talking to people.

(3) Do your library work so you know any conventional wisdom that's
out there.  Then talk to some working professionals who are facing the
issue, especially if they have publicly articulated an aspect of it.
You can find these people by asking the faculty in your school; it's
their job to know everyone.  If they are reticent at first to unleash
you on their contacts, then work your own contacts, for example
through your fellow students or the professional society.  You
can also find relevant people by reading professional publications,
attending conferences, and searching Web sites.  Tell them that
your project is pulling together the profession's experience
with the issue, and ask if you can interview them.  Have a good,
focused talk, make serious notes, ask if they want to keep anything
confidential, give them your card, and promise to keep in touch.
Why are they willing to talk to you?  Because you're working on an
important issue, and because you're associated with a professional
school, which as they well know is a center of thinking and networking
for the field.  Use the symbolic power of the university while you're
still associated with it.

(4) Pull together what you've heard.  Nobody is expecting you to
solve the problems.  The emphasis is more on questions than answers.
You will make a huge contribution simply by defining the whole scope
of the problems that people are facing.  Make a taxonomy and give
examples.  Talk about what people are doing to address the problems.
Focus on practice: the actual decisions that working professionals
will have to make, and the full range of considerations that they
will have to take into account.  Remember that professionals have to
justify their decisions in a rational way, giving reasons why they
have made one choice rather than another.  You'll do an important
service just by laying out the choices and reasons.  Talk about
the consequences people see for the future.  Just impose some order.
Faculty in your school can probably help you with this.  Clear,
concise writing will be important, and you should get someone who can
write well to copyedit your work.

(5) Circulate the result.  Send copies to the people who helped you.
Call it a draft or interim report if you want.  Give credit to the
people whose ideas you've written down.  Then follow up.  Get further
comments.  Now write some short columns for professional publications.
Describe your project and summarize the issue.  Explain why the issue
is becoming important.  Concisely present the dangers and opportunities
for the profession.  Your goal is to lead: to present the profession
with a valid issue that calls for action.  Again, you don't need to
identify what the right action is.  You only need to give form to the
issue.  Make sure your published columns provide a permanent e-mail
address where people can reach you, and ideally the URL for a Web page
where you've collected materials related to the issue.

(6) Get invited to speak at meetings.  Correspond with people who have
contacted you after reading your work.  Meet more people who appreciate
the significance of the issue, including people you hadn't heard of
who are working on related issues.  (Some of them will complain that
you're on their turf, but don't worry about that.)  If your network
grows, and if interest in the issue accelerates, then you can build
institutions around it.  See if the people in your network want to
start a moderated mailing list about it.  Organize a panel discussion
about it at a professional meeting.  And so on.  Keep going until the
issue either matures or disappears.  Then find another issue and start
over.

That's the procedure.  You should always have at least one issue that
you are developing in this way.  In doing so, you are helping the
profession to think out loud about its problems and potentials, and
you are also helping to knit the profession together by establishing
connections with all of the people who are thinking about the issues
that are on the horizon.  You are also making yourself a very strong
job candidate.  You are building knowledge, and you are building
professional networks.  One purpose of your school is to build such
networks, and by helping you network the school helps itself.

If you've spent your whole life going to school and toiling at normal
jobs, then you might find the prospect of leadership nerve-wracking.
Most schools and jobs are afraid of you, so they encourage a dependent
attitude where you wait around for other people to give you things.
Of course they don't entirely succeed; no institution can completely
extinguish your human agency.  Even so, few schools or jobs actively
train people to take the initiative by organizing people around
emerging issues.  Yet successful people have exercised leadership
in this way for all of recorded history.  The methods of leadership
that I have described are largely a secret, and many courses that
supposedly teach leadership skills omit them entirely.  But they
are out there, roaring at full throttle just below the surface, and
you can learn them by watching any successful person in action.  I'm
just hoping that by reading this you'll learn them a little faster.

As you advance in your profession, you will be organizing people in
more sophisticated ways around more sophisticated issues.  As such,
it will be important to cultivate your intellectual life.  Leadership
is such a rare skill that it doesn't matter whether you are a genius
in your own right.  Leadership is process, and the whole point is that
you're not figuring out all of the answers yourself.  Accordingly,
it will be important for you to develop your own brain trust -- smart
and knowledgeable people that you can turn to when you need expert
judgements.  This is one reason to stay in touch with the faculty at
your professional school, and with the smart people who pass through
the school while you are there.  One good way to start a brain trust
is to organize a speaker series.  Fearlessly assess your intellectual
strengths and weaknesses, and then make professional friends whose
intellectual strengths complement your own.  Your contribution is to
facilitate a large-scale movement within the profession, and that's
what makes the difference in the long run.

Why, then, do I argue that the modern world requires all professionals
to engage in leadership?  In the old days, before the world was
heavily networked, professionals had to be generalists.  A wide
variety of problems would arise, and you had to solve them all.
Now, however, the institutions and infrastructures of your profession
easily bring professional knowledge to bear wherever it is needed.
To succeed in your career, you need more than the skills that you got
in school -- you need to be the world expert in something.  Knowledge
is global, it's growing exponentially, and nobody can pack all of
the necessary knowledge into their toolkit.  So everyone's going
to specialize.  "Leadership" used to mean something unique: the army
had one leader and everyone else followed.  Today, however, knowledge
is multiplying so fast that we need more leaders than we can possibly
produce.  Every leader can feel important, and genuinely be important,
even as everyone is a leader, including you.


Here are some books and articles that might be useful.

Networking on the Network.  This is a much longer article that I wrote
about professional networking for students in PhD programs.  Although
most of the detailed instructions are specific to the research world,
the underlying philosophy will carry over into the professional world.
On the Web at <http://dlis.gseis.ucla.edu/people/pagre/network.html>.

Peter Block, Flawless Consulting: A Guide to Getting Your Expertise
Used, Austin: Learning Concepts, 1981.  Though written for management
consultants, this book has valuable things to say about the feelings
that come up in any kind of professional work, and how to use them
honestly for everyone's benefit.

Donna Fisher and Sandy Vilas, Power Networking, Austin: Mountain
Harbour, 1992.  This is the best all-around book on the subject of
professional networking.  It abstracts a long list of guidelines that
apply pretty widely across professions.

Roger Fisher and William Ury, Getting to Yes: Negotiating Agreement
Without Giving In, Boston: Houghton Mifflin, 1981.  This is the
classic book on negotiating.  Its core message is that you should
negotiate on the basis of interests and not on positions, so that
negotiation becomes cooperative problem-solving.  If you lead then
you'll need these skills.

Ford Harding, Rain Making: The Professional's Guide to Attracting New
Clients, Holbrook, MA: Bob Adams, 1994.  The way to get ahead is to
do something new and tell everyone about it.  This is a pretty good
introduction to the process, with a focus on publishing an article
and developing professional networks.

Linda A. Hill, Becoming a Manager: Mastery of a New Identity, Boston:
Harvard Business School, 1992.  As a professional you'll probably have
a manager, and soon enough you'll probably be a manager yourself.
Your job is to deal with these relationships in a mutually beneficial
way while also maximizing your own autonomy.  This is a study of new
managers getting used to their jobs, and it's a good source of insight
into these issues.

Robert Jackall, Moral Mazes: The World of Corporate Managers, New
York: Oxford University Press, 1988.  This is a terrific book about
the ethical issues that will surround you in the organizational world.
Once you understand these issues, you will see trouble coming much
further off, while you can still make your own decisions about it.

Tom Jackson, Guerrilla Tactics in the New Job Market, second edition,
New York: Bantam, 1991.  This is an excellent book about finding
a job; though it is out of print, you can probably find a used copy
online.  Sending dozens of resumes to personnel departments is one
approach, but a much better approach is systematic networking and
inside research.

Ronald L. Krannich and Caryl Rae Krannich, The New Network Your Way to
Job and Career Success, Manassas Park, VA: Impact Publications, 1993.
Another good book on networking for job-seekers, with a fair amount of
concrete, useful advice.

end

#298 From: Fred Cohen <fc@...>
Date: Sat Sep 8, 2001 3:03 pm
Subject: [fc:]
fc@...
New Copyright Bill Heading to DC
By Declan McCullagh

4:19 p.m. Sep. 7, 2001 PDT
WASHINGTON -- Music and record industry lobbyists are quietly readying an
all-out assault on Congress this fall in hopes of dramatically rewriting
copyright laws.

With the help of Fritz Hollings (D-S.C.), the powerful chairman of the
Senate Commerce committee, they hope to embed copy-protection controls in
nearly all consumer electronic devices and PCs. All types of digital
content, including music, video and e-books, are covered.

The Security Systems Standards and Certification Act (SSSCA), scheduled to
be introduced by Hollings, backs up this requirement with teeth: It would be
a civil offense to create or sell any kind of computer equipment that "does
not include and utilize certified security technologies" approved by the
federal government.

It also creates new federal felonies, punishable by five years in prison and
fines of up to $500,000. Anyone who distributes copyrighted material with
"security measures" disabled or has a network-attached computer that
disables copy protection is covered.

Hollings' draft bill, which Wired News obtained on Friday, represents the
next round of the ongoing legal tussle between content holders and their
opponents, including librarians, programmers and open-source advocates.

Hollywood executives fret that without strong copy protection in widespread
use, piracy will allow digital versions of movies to be pirated as readily
as MP3 audio files once were with Napster. With the SSSCA enacted, the
thinking goes, U.S. technology firms will have no choice but to insert
copy-protection technology in future products.

The last legislative salvo in the content wars was the controversial 1998
Digital Millennium Copyright Act, which the SSSCA extends and expands. Under
existing law, Russian programmer Dmitry Sklyarov has been charged with
allegedly selling "circumvention" devices, and 2600 magazine has been sued
for distributing a DVD-decryption utility.

"The government is mandating what your technology has to do," says Cindy
Cohn, the legal director of the Electronic Frontier Foundation of the SSSCA.
"The government's now in some ways effectively writing code that anyone who
makes anything with a microprocessor has to implement in anything they make.
I'm unaware of any other requirement like that."

Hollings' aides could not be reached for comment on Friday. One lobbyist
opposing the legislation said Disney, which markets movies and TV shows, is
the measure's most ardent supporter among industry groups.

The SSSCA and existing law work hand in hand to steer the market toward
using only computer systems where copy protection is enabled. First, the
Digital Millennium Copyright Act created the legal framework that punished
people who bypassed copy protection -- and now, the SSSCA is intended to
compel Americans to buy only systems with copy protection on by default.

The SSSCA says that it is illegal to create, sell or distribute "any
interactive digital device that does not include and utilize certified
security technologies" that are approved by the U.S. Commerce Department. An
interactive digital device is defined as any hardware or software capable of
"storing, retrieving, processing, performing, transmitting, receiving or
copying information in digital form."

Jessica Litman, a law professor at Wayne State University who specializes in
intellectual property, likened it to the 1992 Audio Home Recording Act that
slapped restrictions on digital audio recorders.

"This appears to be an attempt to expand the concept to anything that has a
microprocessor in it and to have everyone agree or to have the government
set technological standards that will enforce copyright owners'
preferences," Litman says.

"Forgetting all the reasons why this is bad copyright policy and bad
information policy, it's terrible science policy," she says.

Sonia Arrison, a technology policy analyst at the free-market Pacific
Research Institute, said, "Some parts of this go too far.... Would this mean
that if I distributed a file that I received from someone who had broken
security technology that I would be breaking the law? Sounds like it."

Under the SSSCA, industry groups have a year to agree on a security
standard, or the Commerce Department will step in and decide on one.
Sunshine laws would not apply to meetings held in conjunction with the law,
and industry organizations would be immune from antitrust prosecution.

#299 From: Fred Cohen <fc@...>
Date: Tue Sep 11, 2001 3:28 am
Subject: [fc:Text-of-controversial-SSSCA-Senate-bill]
fc@...
Scanned draft of SSSCA Senate legislation. Interesting that it's lumped with
a well-intentioned computer security clause as well.     -rf
[header] S:\WPSHR\LEGGNSL\XYWRITE\COMMS\COPYRITE.5A

[footer] August 6, 2001 (10:37 a.m.)

[STAFF WORKING DRAFT]

AUGUST 6, 2001

107TH CONGRESS
1ST SESSION

S. ______________

To provide for private sector development of workable security system
standards and a certification protocol that could be implemented and
enforced by Federal regulations, and for other purposes.

______________________

IN THE SENATE OF THE UNITED STATES

SEPTEMBER ____, 2001

Mr. HOLLINGS (for himself and Mr. STEVENS) introduced the following bill;
which was read twice and referred to the Committee on
_______________________

______________________

A BILL

To provide for private sector development of workable security system
standards and a certification protocol that could be implemented and
enforced by Federal regulations, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United
States of America in Congress assembled,

SECTION 1. SHORT TITLE: TABLE OF CONTENTS.

(a) SHORT TITLE. -- This Act may be cited as the "Security Systems Standards
and Certification Act".

(b) TABLE OF SECTIONS.--The table of sections for this Act is as follows:

Sec. 1 Short title: table of contents
Sec. 2 Findings

                   TITLE I--SECURITY SYSTEM STANDARDS AND CERTIFICATION

Sec. 101. Prohibition of certain devices.
Sec. 102. Preservation of the integrity of security.
Sec. 103. Prohibited acts.
Sec. 104. Adoption of security system standards.
Sec. 105. Certification of technologies
Sec. 106. Federal Advisory Committee Act exemption
Sec. 107. Antitrust exemption
Sec. 108. Enforcement
Sec. 109. Definitions
Sec. 110. Effective date

                   TITLE II--INTERNET SECURITY INITIATIVES

Sec. 201. Findings
Sec. 202. Computer Security Partnership Council
Sec. 203. Research and development
Sec. 204. Computer security training programs
Sec. 205. Government information security standards
Sec. 206. Recognition of quality in computer security practices
Sec. 207. Development of automated privacy controls.

SEC. 2. FINDINGS

[TO BE SUPPLIED]

TITLE I--SECURITY SYSTEMS STANDARDS

SEC. 101. PROHIBITION OF CERTAIN DEVICES

(a) IN GENERAL.--It is unlawful to manufacture, import, offer to the public,
provide or otherwise traffic in any interactive digital device that does not
include and utilize certified security technologies that adhere to the
security systems standards adopted under section 104.

(b) EXCEPTION.--Subsection (a) does not apply to the offer for sale or
provision of, or other trafficking in, any previously-owned interactive
digital device, if such device was legally manufactured or imported, and
sold, prior to the effective date of regulations adopted under section 104
and not subsequently modified in violation of (a) or 103(a).

SEC. 102. PRESERVATION OF THE INTEGRITY OF SECURITY.

     An interactive computer service shall store and transmit with integrity
any security measure associated with certified security technologies that is
used in connection with copyrighted material or other protected content such
service transmits or stores.

SEC. 103. PROHIBITED ACTS.

(a) REMOVAL OR ALTERATION OF SECURITY. -- No person may --
(1) remove or alter any certified security technology in an interactive
digital device; or

(2) transmit or make available to the public any copyrighted material or
other protected content where the security measure associated with a
certified security technology has been removed or altered.

(b) PERSONAL TIME-SHIFTING COPIES CANNOT BE BLOCKED. -- No person may apply
a security measure that uses a certified security technology to prevent a
lawful recipient from making a personal copy for time-shifting purposes of
programming at the time it is lawfully performed, on an over-the-air
broadcast, non-premium cable channel, or non-premium satellite channel, by a
television broadcast station (as defined in section 122(j)(5)(A) of title
17, United States Code), a cable system (as defined in section 111(f) of
such title), or a satellite carrier (as defined in section 119(d)(6) of such
title).

SEC. 104. ADOPTION OF SECURITY SYSTEM STANDARDS.

(a) CRITERIA. -- In achieving the goals of setting standards that will
provide effective security for content and certifying as many conforming
technologies as possible to develop a competitive and innovative
marketplace, the following criteria shall be applied to the development of
security system standards and certified security technologies:
(1) Reliability

(2) Renewability

(3) Resistance to attack

(4) Ease of implementation

(5) Modularity

(6) Applicability to multiple technology platforms

(b) PRIVATE SECTOR EFFORTS. --

(1) IN GENERAL. -- The Secretary shall make a determination, not more than
12 months after the date of enactment of the Act, as to whether --
(A) representatives of interactive digital device manufacturers and
representatives of copyright owners have reached agreement on security
system standards for use in interactive digital devices; and

(B) the standards meet the criteria in subsection (a).

(2) EXTENSION OF 12-MONTH PERIOD. -- The Secretary may, for good cause
shown, extend the 12-month period in paragraph (1) for a period of not more
than 6 months if the Secretary determines that --

(A) substantial progress has been made by those representatives toward
development of security system standards that will meet those criteria;

(B) those representatives are continuing to negotiate in good faith; and

(C) there is reasonable expectation that final agreement will be reached by
those representatives before the expiration of the extended period of time.

(c) AFFIRMATIVE DETERMINATION. -- If the Secretary makes a determination
under subsection (b)(1) that an agreement on security system standards that
meet the criteria in subsection (a) has been reached by those
representatives, then the Secretary shall --

(1) initiate rulemaking within 30 days after the date on which the
determination is made to adopt those standards; and

(2) publish a final rule pursuant to that rulemaking not later than 90 days
after initiating the rulemaking that will take effect 1 year after its
publication.

(d) NEGATIVE DETERMINATION. -- If the Secretary makes a determination under
subsection (b)(1) that an agreement on security system standards that meet
the criteria in subsection (a) has not been reached by those
representatives, then the Secretary --

(1) in consultation with representatives described in subsection (b)(1)(A),
the National Institute of Standards and Technology and the Register of
Copyrights, shall initiate a rulemaking within 30 days after the date on
which the determination is made to adopt security system standards that meet
those criteria to provide effective security for copyrighted material and
other protected content; and

(2) publish a final rule pursuant to that rulemaking not later than 1 year
after initiating the rulemaking that will take effect 1 year after its
publication.

(e) MEANS OF IMPLEMENTING STANDARDS. -- The security system standards
adopted under subsection (c) or (d) shall provide for secure technical means
of implementing directions of copyright owners, for copyrighted material,
and rights holders, for other protected content, with regard to the
reproduction, performance, display, storage, and transmission such material
or content.

(f) SUBSEQUENT MODIFICATION; NEW STANDARDS. -- The Secretary may conduct
subsequent rulemakings to modify any standards established under subsection
(c) or (d) or to adopt new security system standards that meet the criteria
in subsection (a). In conducting any such subsequent rulemaking, the
Secretary shall consult with representatives of interactive digital device
manufacturers, representatives of copyright owners, the National Institute
of Standards and Technology, and the Register of Copyrights. Any final rule
published in such a subsequent rulemaking shall --

(1) apply prospectively only; and

(2) take into consideration the effect of adoption of the modified or new
security system standards on consumers' ability to utilize interactive
digital devices manufactured before the modified or new standards take
effect.

SEC. 105. CERTIFICATION OF TECHNOLOGIES.

The Secretary shall certify technologies that adhere to the security system
standards adopted under section 104. The Secretary shall certify only those
conforming technologies that are available for licensing on reasonable and
nondiscriminatory terms.

SEC. 106. FEDERAL ADVISORY COMMITTEE ACT EXEMPTION.

The Federal Advisory Committee Act (5 U.S.C. App.) does not apply to any
committee, board, commission, council, panel, task force, or other similar
group of representatives of interactive digital devices and representatives
of copyright owners convened for the purpose of developing the security
system standards described in section 104.

SECTION 107. ANTITRUST EXEMPTION.

(a) IN GENERAL. -- Any person described in section 104(b)(1)(A) may file
with the Secretary of Commerce a request for authority for a group of 2 or
more such persons to meet and enter into discussions, if the sole purpose of
the discussions is to discuss the development of security system standards
under section 104. The Secretary shall grant or deny the request within 10
days after it is received.

(b) PROCEDURE. -- The Secretary shall establish procedures within 30 days
after the date of enactment of this Act for filing requests for an
authorization under subsection (a).

(c) EXEMPTION AUTHORIZED. -- When the Secretary finds that it is required by
the public interest, the Secretary shall exempt a person participating in a
meeting or discussion described in subsection (a) from the antitrust laws to
the extent necessary to allow the person to proceed with the activities
approved in the order.

(d) ANTITRUST LAWS DEFINED. -- In this section, the term "antitrust laws"
has the meaning given that term in the first section of the Clayton Act
(15 U.S.C. 12).

SEC. 108. ENFORCEMENT.

The provisions of sections 1203 and 1204 of title 17, United States Code,
shall apply to any violation of this title as if --

(1) a violation of section 101 or 103(a)(1) of this Act were a violation of
section 1201 of title 17, United States Code; and

(2) a violation of section 102 or section 103(a)(2) of this Act were a
violation of section 1202 of that title.

SEC. 109. DEFINITIONS.

In this title:

(1) CERTIFIED SECURITY TECHNOLOGY. -- The term "certified security
technology" means a security technology certified by the Secretary of
Commerce under section 105.

(2) INTERACTIVE COMPUTER SERVICE. -- The term "interactive computer service"
has the meaning given that term in section 230(f) of the Communications Act
of 1934 (47 U.S.C. 230(f)).

(3) INTERACTIVE DIGITAL DEVICE. -- The term "interactive digital device"
means any machine, device, product, software, or technology, whether or not
included with or as part of some other machine, device, product, software,
or technology, that is designed, marketed or used for the primary purpose
of, and that is capable of, storing, retrieving, processing, performing,
transmitting, receiving, or copying information in digital form.

(4) SECRETARY. -- The term "Secretary" means the Secretary of Commerce.

SEC. 110. EFFECTIVE DATE.

This Act shall take effect on the date of enactment of this Act, except that
sections 101, 102, and 103 shall take effect on the day on which the final
rule published under section 104(c) or (d) takes effect.

TITLE II -- INTERNET SECURITY INITIATIVES

SEC. 201. FINDINGS.

The Congress finds the following:

(1) Good computer security practices are an underpinning of any privacy
protection. The operator of a computer system should protect that system
from unauthorized use and secure any sensitive information.

(2) The Federal Government should be a role model in securing its computer
systems and should ensure the protection of sensitive information controlled
by Federal agencies.

(3) The National Institute of Standards and Technology has the
responsibility for developing standards and guidelines needed to ensure the
cost-effective security and privacy of sensitive information in Federal
computer systems.

(4) This Nation faces a shortage of trained, qualified information
technology workers, including computer security professionals. As the demand
for information technology workers grows, the Federal government will have
an increasingly difficult time attracting such workers into the Federal
workforce.

(5) Some commercial off-the-shelf hardware and off-the-shelf software
components to protect computer systems are widely available. There is still
a need for long-term computer security research, particularly in the area of
infrastructure protection.

(6) The Nation's information infrastructures are owned, for the most part,
by the private sector, and partnerships and cooperation will be needed for
the security of these infrastructures.

(7) There is little financial incentive for private companies to enhance the
security of the Internet and other infrastructures as a whole. The Federal
government will need to make investments in this area to address issues and
concerns not addressed by the private sector.

SEC. 202. COMPUTER SECURITY PARTNERSHIP COUNCIL.

(a) ESTABLISHMENT. -- The Secretary of Commerce, in consultation with the
President's Information Technology Advisory Committee established by
Executive Order No. 13035 of February 11, 1997 (62 F.R. 7231), shall
establish a 25-member Computer Security Partnership Council the membership
of which shall be drawn from Federal, State, and local governments,
universities, and businesses.

(b) PURPOSES. -- The purpose of the Council is to collect and share
information about, and to increase public awareness of, information security
practices and programs, threats to information security, and responses to
those threats.

(c) STUDY. -- Within 12 months after the date of enactment of the Act, the
Council shall publish a report which evaluates and describes areas of
computer security research and development that are not adequately developed
or funded.

SEC. 203. RESEARCH AND DEVELOPMENT.

Section 20 of the National Institute of Standards and Technology Act (15
U.S.C. 278g-3) is amended --

(1) by redesignating subsections (c) and (d) as subsections (d) and (e)
respectively; and

(2) by inserting after subsection (b) the following:

"(c) RESEARCH AND DEVELOPMENT OF PROTECTION TECHNOLOGIES. --
"(1) IN GENERAL. -- The Institute shall establish a program at the National
Institute of Standards and Technology to conduct, or to fund the conduct of,
research and development of technology and techniques to provide security
for advanced communications and computing systems and networks including the
Next Generation Internet, the underlying structure of the Internet, and
networked computers.

"(2) PURPOSE. -- A purpose of the program established under paragraph (1) is
to address issues or problems that are not addressed by market-driven,
private-sector information security research. This may include research --

"(A) to identify Internet security problems which are not adequately
addressed by current security technologies;

"(B) to develop interactive tools to analyze security risks in an
easy-to-understand manner;

"(C) to enhance the security and reliability of the underlying Internet
infrastructure while minimizing other operational impacts such as speed; and

"(D) to allow networks to become self-healing and provide for better
analysis of the state of Internet and infrastructure operations and
security.

"(3) MATCHING GRANTS. -- A grant awarded by the Institute under the program
established under paragraph (1) to a commercial enterprise may not exceed 50
percent of the cost of the project to be funded by the grant.

"(4) AUTHORIZATION OF APPROPRIATIONS. -- There are authorized to be
appropriated to the Institute to carry out this subsection --

"(A) $50,000,000 for fiscal year 2001;

"(B) $50,000,000 for fiscal year 2002;

"(C) $70,000,000 for fiscal year 2003;

"(D) $80,000,000 for fiscal year 2004;

"(E) $90,000,000 for fiscal year 2005; and

"(F) $100,000,000 for fiscal year 2006."

SEC. 204. COMPUTER SECURITY TRAINING PROGRAMS.

(a) IN GENERAL. -- The Secretary of Commerce, in consultation with
appropriate Federal agencies, shall establish a program to support the
training of individuals in computer security, Internet security, and related
fields at institutions of higher education located in the United States.

(b) SUPPORT AUTHORIZED. -- Under the program established under subsection
(a), the Secretary may provide scholarships, loans, and other forms of
financial aid to students at institutions of higher education. The Secretary
shall require a recipient of a scholarship under this program to provide a
reasonable period of service as an employee of the United States government
after graduation as a condition of the scholarship, and may authorize full
or partial forgiveness of indebtedness for loans made under this program in
exchange for periods of employment by the United States government.

(c) AUTHORIZATION OF APPROPRIATIONS. -- There are authorized to be
appropriated to the Secretary such sums as may be necessary to carry out
this subsection --

(A) $15,000,000 for fiscal year 2001;

(B) $17,000,000 for fiscal year 2002;

(C) $20,000,000 for fiscal year 2003;

(D) $25,000,000 for fiscal year 2004;

(E) $30,000,000 for fiscal year 2005; and

(F) $35,000,000 for fiscal year 2006.

SEC. 205. GOVERNMENT INFORMATION SECURITY STANDARDS.

(a) IN GENERAL. -- Section 20(b) of the National Institute of Standards and
Technology Act (15 U.S.C. 278g-3(b)) is amended --
(1) by striking "and" after the semicolon in paragraph (4);

(2) redesignating paragraph (5) as paragraph (6); and

(3) by inserting after paragraph (4) the following:

"(5) to provide guidance and assistance to Federal agencies in the
protection of interconnected computer systems and to coordinate Federal
response efforts related to unauthorized access to Federal computer systems;
and".

(b) FEDERAL COMPUTER SYSTEM SECURITY TRAINING. -- Section 5(b) of the
Computer Security Act of 1987 (49 U.S.C. 759 note) is amended --

(1) by striking "and" at the end of paragraph (1);

(2) by striking the period at the end of paragraph (2) and inserting in lieu
thereof "; and"; and

(3) by adding at the end the following new paragraph:

"(3) to include emphasis on protecting the availability of Federal
electronic citizen services and protecting sensitive information in Federal
databases and Federal computer sites that are accessible through public
networks.".

SEC. 206. RECOGNITION OF QUALITY IN COMPUTER SECURITY PRACTICES.

Section 20 of the National Institute of Standards and Technology Act (15
U.S.C. 278g-3), as amended by section 203, is further amended --

(1) by redesignating subsections (d) and (e) as subsections (e) and (f)
respectively; and

(2) by inserting after subsection (c), the following:

"(d) AWARD PROGRAM. -- The Institute may establish a program for the
recognition of excellence in Federal computer system security practices,
including the development of a goal, symbol, mark, or logo that could be
displayed on the website maintained by the operator of such a system
recognized under the program. In order to be recognized under the program,
the operator --
"(1) shall have implemented exemplary processes for the protection of its
systems and the information stored on that system;

"(2) shall have met any standard established under subsection (a);

"(3) shall have a process in place for updating the system security
procedures; and

"(4) shall meet other criteria as the Institute may require.".

SEC. 207. DEVELOPMENT OF AUTOMATED PRIVACY CONTROLS.

Section 20 of the National Institute of Standards and Technology Act (15
U.S.C. 278g-3), as amended by section 206, is further amended --

(1) by redesignating subsection (f) as subsection (g); and

(2) by inserting after subsection (e), the following:

"(f) DEVELOPMENT OF INTERNET PRIVACY PROGRAM. -- The Institute shall
encourage and support the development of one or more computer programs,
protocols, or other software, such as the World Wide Web Consortium's P3P
program, capable of being installed on computers, or computer networks, with
Internet access that would reflect the user's preferences for protecting
personally-identifiable or other sensitive, privacy-related information, and
automatically execute the program, once activated, without requiring user
intervention.".

Transcription and HTML by Cryptome.

#300 From: Fred Cohen <fc@...>
Date: Tue Sep 11, 2001 7:52 pm
Subject: [fc:DMCA-violated-by-prime-number?]
fc@...
 
http://www.theregister.co.uk/content/6/21591.html

World's first DeCSS executable prime number
By Thomas C Greene <thomas.greene@...>
Posted: 11/09/2001 at 03:56 GMT

Math professor Phil Carmody, who in March of this year managed to encode the
DeCSS source in a prime number, has upped the ante by producing a prime
number which represents an executable version of the banned CSS descrambler.

Legally this is all a bit squishy, as the DMCA forbids us to make available
an access-control circumvention device. All well and good, not that we've
tended to care what the DMCA allows or forbids; but this item is also the
fruit of mathematical research which the public certainly has a right to
see.

It's a fine legal paradox for the recording industry to chew on. Is research
illegal because it could in some tiny degree weaken their monopoly over the
production and distribution of digital media? Or does the public's right to
be informed of academic developments make a circumvention device legal when
it also exhibits academic value?

In practical terms, we have to wonder if there's anything to be gained from
objecting to such an exercise. Would the industry dare try to chill research
and journalism, with the public-relations nightmare that entails, merely to
maximize their profits? We wonder. They certainly lost their nerve over the
SDMI debacle (http://www.theregister.co.uk/content/6/21086.html).

And anyway, isn't the public's right to exchange information ultimately a
superior concern? Which is not to say that profits don't matter -- but just
that some things matter more.

"I'm a firm believer in authors' and artists' rights, the rights that are
protected under copyright," Carmody writes on a Web page detailing his
latest potentially illegal prime number
(http://asdf.org/~fatphil/maths/#Smallest). "Ripping off DVDs with no
intention to buy the originals is illegal in almost all countries in the
world, and correctly so."

"However, I do not believe that the current implementation of US law is a
sensible one," he continues. "I believe it's logically inconsistent, and is
biased towards the interests of multinational publishers and against
consumers."

We couldn't agree more. So here's that fascinating prime number, which
incidentally just happens to defeat CSS:


We knew you'd be intrigued. ®

Related Story:
DVD descrambler encoded in 'illegal' prime number
http://www.theregister.co.uk/content/archive/17681.html

#301 From: Fred Cohen <fc@...>
Date: Wed Sep 12, 2001 2:12 pm
Subject: [fc:Did-Encryption-Empower-These-Terrorists?]
fc@...
 
Did Encryption Empower These Terrorists? And would restricting crypto
have given the authorities a chance to stop these acts?
By Steven Levy, Newsweek, 9/12/2001
http://msnbc.com/news/627390.asp?cp1=1

Sept. 11 - "Well, I guess this is the end now. . . ." So wrote the first
Netizen to address today's tragedy on the popular discussion group,
sci.crypt. The posting was referring to what seems like an inevitable
reaction to the horrific terrorist act: an attempt to roll back recent
relaxations on encryption tools, on the theory that cryptography helped
cloak preparations for the deadly events.

BUT THE DESPONDENCY reflected in the comment can be applied more
generally. The destruction of the World Trade Center and the attack on
the Pentagon comes at a delicate time in the evolution of the
technologies of surveillance and privacy. In the aftermath of September
11, 2001, our attitude toward these tools may well take a turn that has
profound implications for the way individuals are monitored and tracked,
for decades to come. The first issue on the docket will be the fate of
tools that enable citizens to encrypt their e-mail, documents and phone
conversations as they zip through cyberspace and the ether. Over the
past decades there have been heated debates over whether this technology
should be restricted -- as it can clearly benefit wrong-doers as well as
businesspeople and just plain average people. The prime government
argument in favor of restrictions invoked the specter of precisely this
kind of atrocity. Quite literally, it was the fear of "another World
Trade Center" that led the Clinton administration in the 1990s to
propose a system whereby people could encode their e-mails and
conversations, but also provide the Feds with a "back-door" means of
access. Now that those fears have come to pass, it's fair to ask those
who lionized crypto as a liberating tool to face a tough question: Did
encryption empower these terrorists? And would restricting crypto have
given the authorities a chance to stop these acts?

The answer to the first question is quite possibly yes. We do know that
Osama Bin Laden, who has been invoked as a suspect, was a sophisticated
consumer of crypto technology. In the recent trial over the bombing of
the Libyan embassy, prosecutors introduced evidence that Bin Laden had
mobile satellite phones that used strong crypto. Even if Bin Laden was
not behind it, the acts show a degree of organization that indicates the
terrorists were smart enough to scramble their communications to make
them more difficult, if not impossible, to understand. If not for
encryption, notes former USAF Col. Marc Enger (now working for security
firm Digital Defense) "they could have used steganography [hiding
messages between the pixels of a digital image] or Web anonymizers
[which cloak the origin of messages]."  But that doesn't mean that laws
or regulations could have denied these tools to the terrorists. After
all, many of the protocols of strong cryptography are in the public
domain. Dozens of programs were created overseas, beyond the control of
the U.S. Congress. The government used to argue that allowing crypto to
proliferate, particularly to the point of being built into popular
systems made by Microsoft or AOL, would empower even stupid criminals.
But these were sophisticated terrorists, not moronic crooks.

Before September 11, commercial interests, privacy advocates and most in
the government had reached a sort of common ground, balancing high-tech
with threats. Cryptography was regarded as a fact of life, one with some
benefit to national security as well as risks. (In an age of
Info-Warfare, we are the most vulnerable nation, and cryptography can
help secure our infrastructure.) Intelligence agencies could make up for
the difficulties that crypto creates for them by several means,
including heightened work in codebreaking, more use of "human assets"
(spies), and -- most of all -- taking advantage of the bounty of new
information that the telecom revolution has forced out into the open.
E-mail, pagers, faxes, cell phones, Blackberries, GPS systems, Web
cookies -- every year another device or system seems to emerge to expose
information to eavesdroppers. Even if terrorists encrypt content on some
of those tools, simply tracking who talks to whom, and measuring the
volume of messages, can yield crucial intelligence. (Indeed, this form
of "traffic analysis" did produce evidence that was used in the Embassy
bombing trial.) The challenge to our spy agencies -- one tragically not met
this time around -- is to use those means to compensate for whatever
information might have been lost to encryption.

Beyond the crypto issue are a raft of controversies involving other
technologies of surveillance. Before this attack, there was a general
feeling that we would see legislation to protect privacy on the Web and
perhaps limit tools that threatened civil liberties. Some feared that
face-scanning devices like the one used at the last Super Bowl can track
individuals as they move from one publicly mounted surveillance camera
to another. There was criticism directed toward the FBI's "Carnivore"
device, capable of scooping up massive numbers of e-mails from Internet
service providers. There was concern over Web bugs that tracked people's
movements on the Internet. There were objections to the Department of
Justice's scheme to insure that cell phones were also tracking devices,
presumably to aid 911 services, but potentially becoming homing devices
to follow our roamings. Until today, a pro-privacy consensus was
building. Will those concerns be set aside in the rush to do
something -- anything -- to assure ourselves that we can prevent another
September 11, 2001? Privacy advocate Richard Smith anticipates big
changes in airport security, but not necessarily a reboot on overall
privacy outlook. "Those types of restrictions just don't work against
people like [these terrorists]," he says. Let's hope that he's
right -- that wisdom and courage, and not fear, dictates future policy.
Otherwise, the legacy of this terrible day may become even more painful.

Newsweek Senior Editor Steven Levy is the author of "Crypto: How the
Code Rebels Beat the Government -- Saving Privacy in the Digital Age"

© 2001 Newsweek, Inc.

#302 From: Dale Thompson <dt@...>
Date: Wed Sep 12, 2001 5:20 pm
Subject: Re: [fc:Did-Encryption-Empower-These-Terrorists?]
dt@...
 
This is a great learning experience, and it is an excellent point of
discussion for the classroom.  As one ponders the value of cryptography
to the success of this operation, one might find that very little is
needed in the way of communications and, thus, little need for crypto.
A simple friendly phone conversation, during which a prearranged codeword
is spoken, is adequate for command and control purposes.  The key is in
the planning.  If carefully planned, there is very little need for
continuing communications.  This is especially true if you are not trying
to exfiltrate the ones who execute the plan; i.e., it's a one-way
mission.  Put simply, to communicate is to die.

- DT




At 07:12 AM 9/12/01 -0700, you wrote:
>Did Encryption Empower These Terrorists? And would restricting crypto
>have given the authorities a chance to stop these acts?
>By Steven Levy, Newsweek, 9/12/2001

#303 From: Fred Cohen <fc@...>
Date: Tue Sep 25, 2001 11:18 pm
Subject: [fc:Gartner:.Drop.Microsoft.IIS.now]
fc@...
 
Gartner: Drop Microsoft IIS now
By Wendy McAuliffe, ZDNet, 9/25/01
http://www.zdnet.com/zdnn/stories/news/0,4586,2814546,00.html?chkpt=zdnnt092501ts

Research group Gartner is warning enterprises to "immediately" replace
their Microsoft Internet Information Server (IIS) server software with a
more secure server application, following attacks on IIS by the worms
Code Red and Nimda.

Last week, mass-mailing computer worm Nimda was released into the wild.
It combined elements of the Web-based Code Red virus and attacked the
same buffer-overflow vulnerability in Microsoft's IIS software.  The
trend confirms that IIS has become a popular target for hackers, and
Gartner is recommending that companies affected by both worms should
look at moving their Web applications to a more secure platform.  "Using
Internet-exposed IIS Web servers securely has a high cost of ownership,"
states the Gartner report.  "Nimda has again shown the high risk of
using IIS and the effort involved in keeping up with Microsoft's
frequent security patches."

Some antivirus experts are dismissing the Gartner warnings as
"knee-jerk" and "unnecessary".  Graham Cluley, senior technology
consultant at security firm Sophos, is concerned that a mass move to
alternative Web server software would cause more disruption than
sticking with Microsoft IIS and patching it.  "Code Red was less about
the vulnerability of IIS, as all software has bugs, but more about
system administrators ignoring the warnings that came well in advance of
Code Red," said Cluley.

According to Gartner, iPlanet and Apache offer advisable alternatives to
Microsoft's server software.  "Although these Web servers have required
some security patches, they have much better security records than IIS
and are not under active attack by the vast number of virus and worm
writers," the report says.

The analysts predict that it might be late next year before the server
software is safer for corporations.  "Gartner remains concerned that
viruses and worms will continue to attack IIS until Microsoft has
released a completely rewritten, thoroughly and publicly tested, new
release of IIS."

The attempt to rank vendors according to their security success rate is
a risky business.  The aim of most virus writers is usually for their
worm to achieve its biggest impact, and so they will target platforms that
are widely used.  "Microsoft is targeted as it is so popular, rather
than the system being the least secure," said Cluley.  "There are few
viruses for the Macintosh in comparison to the PC, as the hacker will be
going for the most popular platform," he pointed out.  Microsoft
officials were not immediately available to comment on the report.

#304 From: Fred Cohen <fc@...>
Date: Wed Sep 26, 2001 6:58 pm
Subject: [fc:Colleges.Work.to.Block.Net.in.Class]
fc@...
 
Colleges Work to Block Net in Class

By LISA LIPMAN, Associated Press Writer

BOSTON (AP) - Two colleges on the cutting edge of Internet technology
are now pioneering solutions to a rapidly growing problem: students who
pay more attention to their computers than to their professors.

Bentley and Babson colleges were among the first in the nation to wire
their classrooms for the Internet.  And now they're spending tens of
thousands of dollars on software and hardware that lets professors block
some Internet access in classrooms with network connections.

``Faculty members were finding students surfing the Net, sending instant
messages, even looking at porn in some of the freshman intro classes,''
said Phillip Knutel, Bentley's director of academic technology.

As another deterrent, some classrooms at Bentley have technology that
allows teachers to capture a student's e-mails or instant messages and
display them on a large screen for the whole class to see.

The software doesn't censor which sites a student can visit on the
Internet.  Instead, a professor can choose whether classes have access
to the entire Internet or just the school's internal network.
Professors can also block out e-mail and instant messaging.

Babson math professor Joe Aieta said his students have told him the
temptation to use the Internet during class is too great when it is at
their fingertips.  That's why Aieta occasionally limits their access.

``They think they can keep up with the classwork while sending and
receiving messages,'' Aieta said.  ``But they acknowledged that it
didn't always work so well.''

Babson freshman Patrick Lehner, 19, said the network-blocking software
doesn't bother him that much.

``Are students here happy or proud about it? Probably not,'' he said.
``But there's a good lesson to be learned from it.  It might help
rebuild people's habits so that they focus more (on class).''

Bentley, which in 1985 became one of the first U.S.  colleges to require
undergraduates to have computers, first implemented the blocking
technology in classrooms in the last academic year.  Babson had a
primitive version of the software installed three years ago.

Cabletron, a Rochester, N.H.-based company founded by Babson alumnus
Craig Benson, developed the original Babson blocking program.
Enterasys, a subsidiary of Cabletron, developed Bentley's program and
recently upgraded the one at Babson.  Both schools were involved in the
development.

Lois Brooks, director of the Academic Technology Specialist program at
Stanford University, said she doesn't know of any other school that is
doing what Babson and Bentley have done.

``I've heard people talk about this, but I haven't heard it go beyond
the speculation stage,'' she said.

Some schools have been trying less sophisticated solutions to the
problem.

The University of Virginia has installed switches in its business school
classrooms that kill access to computer networks.  But the switches
aren't well-hidden, and students who know where they are can flip them
back on.

Other schools, such as UCLA, last year banned Internet connections in
its required, core classes.  And Columbia last year expanded its
``integrity code'' to include a student promise to ``use technology in
the classroom only as it is directly relevant to the material being
discussed.''

So far, no tech-savvy student has been able to crack Bentley's or
Babson's software, according to Knutel and Aieta.

Aieta plans to ask his students to try to crack the program in order to
test its security, figuring that's what they'd be trying to do anyway.

``If you have denied access, and if the student thinks they can somehow
get it back, they will try everything,'' Aieta said.  ``They've never
seen a button they didn't want to push.''

-

On the Net:

Babson: http://www.babson.edu

Bentley: http://www.bentley.edu

#305 From: Fred Cohen <fc@...>
Date: Sun Oct 21, 2001 6:07 pm
Subject: Cutting through hype, spin, and propaganda - "Fact Squad Radio" (fwd)
fcallnet
 
Per the message sent by PFIR - People For Internet Responsibility:
Date: Sun, 21 Oct 2001 10:24:16 -0700 (PDT)
Subject: Cutting through hype, spin, and propaganda - "Fact Squad Radio"
From: pfir@... (PFIR - People For Internet Responsibility)
To: PFIR-List@...



	    	          Announcing "Fact Squad Radio"

                               October 21, 2001

                         http://www.factsquad.org/radio


	 PFIR - People For Internet Responsibility - http://www.pfir.org

         [ To subscribe or unsubscribe to/from this list, please send the
           command "subscribe" or "unsubscribe" respectively (without the
	   quotes) in the body of an e-mail to "pfir-request@...". ]


Greetings.  The main purpose of People For Internet Responsibility's
recently-announced "Fact Squad" effort is to cut through hype, spin,
misinformation, and propaganda regarding technological issues and their
effects upon society.

In furtherance of this goal, we're pleased to announce the launching of the
"Fact Squad Radio" service.  Fact Squad Radio is providing very
short (one minute), tightly-focused audio features, each concentrating on
a single relevant topic of importance.  These vignettes are aimed at
explaining the issues briefly in a non-technical manner suitable for
general audiences.  Topics to be covered will include both matters of
long-standing importance and crucial issues of the moment.

We encourage linking and redistribution of these features, and they are
freely distributable without any further permission being needed for
non-broadcast, non-commercial usage.  Requests for other kinds of usage will
be considered on a case-by-case basis.  We'll be ramping up towards a five
per week, M-F schedule.  All segments are in the standard MP3 format.

The debut Fact Squad Radio feature concerns a topic of some significant
interest right now -- National ID Cards.

Fact Squad Radio is at:

    http://www.factsquad.org/radio


Thanks very much!

--Lauren--
Lauren Weinstein
lauren@... or lauren@... or lauren@...
Tel: +1 (818) 225-2800
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Co-Founder, Fact Squad - http://www.factsquad.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy


--This communication is confidential to the parties it is intended to serve--
Fred Cohen  Fred Cohen & Associates.........tel/fax:925-454-0171
fc@...  The University of New Haven.....http://www.unhca.com/
http://all.net/  Sandia National Laboratories....tel:925-294-2087

#306 From: "Louis Numkin" <lmn@...>
Date: Mon Oct 22, 2001 6:20 pm
Subject: Re: Cutting through hype, spin, and propaganda - "Fact Squad Radio" (fwd)
lmn@...
 
Fred,
As with some other items from this list in the past, I would like to mention the
existence of "FSR" in the "Trainia" column of the upcoming issue of Federal
Information Systems Security Educators' Association's newsletter (of which I am
the Editor).  Any problem with doing this?
Louis

Community email addresses:
   Post message: secedu@onelist.com
   Subscribe:    secedu-subscribe@onelist.com
   Unsubscribe:  secedu-unsubscribe@onelist.com
   List owner:   secedu-owner@onelist.com

Shortcut URL to this page:
   http://www.onelist.com/community/secedu

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/

#307 From: "Tom Austin" <austin@...>
Date: Mon Oct 22, 2001 7:07 pm
Subject: RE: Cutting through hype, spin, and propaganda -"Fact Squad Radio" (fwd)
Louis,

There's nothing wrong with mentioning the existence of any organization.  I
think that when it appears as an endorsement or recommendation is when it
becomes a problem.

Regards
Tom


#308 From: "Louis Numkin" <lmn@...>
Date: Mon Oct 22, 2001 9:59 pm
Subject: RE: Cutting through hype, spin, and propaganda -"Fact Squad Radio" (fwd)
Thanks.
Louis


#309 From: Mich Kabay <mkabay@...>
Date: Sat Oct 27, 2001 11:31 pm
Subject: Signal-to-noise ratio drops with excessive quoting
Dear Colleagues,

In a recent interchange,

*   member 1 posted a notice in message 1;

*   member 2 sent a message asking if he could quote the notice and
included a copy of the entire message 1;

*   member 3 replied in message 3 that there would be no problem and
included a copy of the entire message 2 (including the copy of message
1);

*   member 2 replied in message 4 with a "Thank you" and included a
copy of the entire message 3 (including the copy of message 2
(including the copy of message 1)).

Total text in messages 2, 3 & 4:  15199 bytes (not counting the
Internet e-mail header).

New text excluding copies of previous messages:  3407 bytes (including
unavoidable automatic text generated by list management software)

Signal-to-noise ratio (counting overhead as signal):  24%

New text excluding overhead from list management:  989

Signal-to-noise ratio (excluding overhead):  6.5%


* * *

May I suggest that everyone stop using automatic includes in e-mail
replies?  If you want to reply to a specific point, quote only enough
material to make your response clear.

Including copies of entire messages (let alone copies of entire
messages which already contain copies of the same entire messages) is a
complete waste of bandwidth:  it serves no purpose whatever, it makes
reading harder; it causes harmful rises in some readers' blood
pressure; it raises doubts about the rational capacities of the
quoters; and it increases the likelihood that participants will
withdraw from a list.

* * *

Best wishes,

Mich

M. E. Kabay, PhD, CISSP -- Assoc. Prof. Computer Info. Systems
Norwich University, Northfield VT
http://www2.norwich.edu/mkabay/index.htm


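As an added example (not part of Kabay's post and not the list software), the following Python script applies the post's arithmetic to a constructed reply thread: it attributes every byte of a message to new text, the list-management footer, or quoted material, recognising the three quoting conventions visible in this thread (a ">>> address date >>>" header, an Outlook "-----Original Message-----" separator, and a ">" line prefix), and then computes the ratio with the footer counted as signal and with it excluded. The messages, addresses and footer are constructed.

```python
"""Signal-to-noise of e-mail replies, following the arithmetic in the post above.

Added example, not code from the list or its members.  Each byte of a body
goes into one of three buckets:
  new      text the sender actually wrote,
  overhead the list-management footer appended to the sender's own message,
  quoted   earlier messages carried along in the reply.
Quoting conventions recognised (the three seen in this thread): a
'>>> address date >>>' header and an Outlook '-----Original Message-----'
separator, below which the whole earlier message follows, and a '>' prefix
on individual lines.  Sample messages below are constructed, not real mail.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Tuple

QUOTE_HEADER = re.compile(r"^>>> .+ >>>$")                 # ">>> fc@... 10/21/01 02:07PM >>>"
OUTLOOK_SEP = re.compile(r"^-+\s*Original Message\s*-+$")  # "-----Original Message-----"
FOOTER_START = "Community email addresses:"                # first line of the list footer
FOOTER_END = "Your use of Yahoo! Groups is subject to"     # last line of the list footer


@dataclass
class Breakdown:
    new: int = 0
    overhead: int = 0
    quoted: int = 0

    @property
    def total(self) -> int:
        return self.new + self.overhead + self.quoted


def _split_trailing_footer(body: str) -> Tuple[str, str]:
    """Separate the footer the list appended to *this* message from the rest.

    Only the final footer is overhead; footers buried inside quoted copies of
    earlier messages are noise like everything else that was quoted.
    """
    idx = body.rfind("\n" + FOOTER_START)
    if idx != -1 and FOOTER_END in body[idx:]:
        return body[: idx + 1], body[idx + 1 :]
    return body, ""


def classify(body: str) -> Breakdown:
    """Attribute every byte of a message body to new, overhead or quoted."""
    head, footer = _split_trailing_footer(body)
    result = Breakdown(overhead=len(footer.encode("utf-8")))
    below_quote_marker = False
    for line in head.splitlines(keepends=True):
        size = len(line.encode("utf-8"))
        text = line.rstrip("\r\n")
        if below_quote_marker:
            result.quoted += size          # everything under a marker is the old message
        elif QUOTE_HEADER.match(text) or OUTLOOK_SEP.match(text):
            below_quote_marker = True
            result.quoted += size
        elif text.startswith(">"):
            result.quoted += size          # conventional per-line quoting
        else:
            result.new += size
    return result


def signal_ratio(bodies: Iterable[str], overhead_is_signal: bool = True) -> float:
    """Kabay's ratio over a set of replies: signal bytes divided by total bytes."""
    total = Breakdown()
    for body in bodies:
        part = classify(body)
        total.new += part.new
        total.overhead += part.overhead
        total.quoted += part.quoted
    signal = total.new + (total.overhead if overhead_is_signal else 0)
    return signal / total.total if total.total else 0.0


# Constructed four-message thread mirroring the one described in the post.
FOOTER = (
    "Community email addresses:\n"
    "   Post message: secedu@onelist.com\n"
    "Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/\n"
)
MSG1 = "Announcing a new one-minute radio feature.\nDetails at http://radio.example.invalid/\n"
MSG2 = ("May I mention this in our newsletter?\n"
        ">>> sender@example.invalid 10/21/01 02:07PM >>>\n" + MSG1 + FOOTER)
MSG3 = "No problem at all.\n\n-----Original Message-----\n" + MSG2 + FOOTER
MSG4 = "Thanks.\n" + "".join("> " + ln for ln in MSG3.splitlines(keepends=True)) + FOOTER

if __name__ == "__main__":
    for name, body in (("message 2", MSG2), ("message 3", MSG3), ("message 4", MSG4)):
        b = classify(body)
        print(f"{name}: new={b.new} overhead={b.overhead} quoted={b.quoted} total={b.total}")
    print(f"ratio, overhead counted as signal: {signal_ratio([MSG2, MSG3, MSG4]):.1%}")
    print(f"ratio, overhead excluded:          {signal_ratio([MSG2, MSG3, MSG4], False):.1%}")
```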

#310 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Tue Nov 20, 2001 7:28 pm
Subject: REVIEW: "White Hat Security Arsenal", Aviel D. Rubin
BKWHTHSA.RVW   20010814

"White Hat Security Arsenal", Aviel D. Rubin, 2001, 0-201-71114-1,
U$44.99/C$67.50
%A   Aviel D. Rubin rubin@...
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D   2001
%G   0-201-71114-1
%I   Addison-Wesley Publishing Co.
%O   U$44.99/C$67.50 416-447-5101 fax: 416-443-0948 bkexpress@...
%P   330 p.
%T   "White Hat Security Arsenal: Tackling the Threats"

The distinctive of this book is that it approaches security as a
series of specific problems or concerns.  The non-distinctive, if you
will, is that it attempts to address all audience levels; users, IT
professionals, academics, and administrators.  A series of icons
identifies, at the beginning of each chapter and at particular
sections of the text, who should read the various segments of the
text.

Part one examines the size and scope of the security issue.  Chapter
one starts out with perhaps our biggest problem, as security people:
the insistence on secrecy by companies who get hit, and the fact that
this obstinate refusal to discuss the facts makes our job, in
protecting institutions, that much harder.  A brief look at what may
be at risk from security problems is given in chapter two.  Recent
email viruses are reviewed in chapter three, but they get an
interesting treatment.  The material, while technically sound,
concentrates on the general security attitudes and lessons to be
learned, as they apply to computer use in general.

Part two looks at information storage.  Chapter four's problem is to
ensure that information is kept private if an attacker gets hold of
your machine, and Rubin gives a good introduction to symmetric
encryption and provides tips on passwords.  If you are concerned about
storage at remote sites over an insecure network, chapter five touches
on passwords again, and asymmetric encryption.  Chapter six is
supposed to deal with securing backups, but seems to get a bit
confused, although it does provide some good tips, as well as an
overview of some online backup services.

Part three considers the problems of data transfers over an insecure
net.  Chapter seven introduces authentication and some of the problems
of public key management.  Session keys and key exchange are examined
in chapter eight: it has an academic icon at the top of the chapter,
and non-specialist users might get a bit confused here.  The aspects
of virtual private networks are reviewed in chapter nine, and the book
begins moving towards the usual technology oriented model.

Part four looks at network threats.  Chapter ten explains firewalls
while eleven discusses a variety of network based attacks.

Part five doesn't really have a central theme.  The title of chapter
twelve is "Protecting E-Commerce Transactions," but most of the text
deals with the Secure Sockets Layer for Web browsers.  Privacy, in
email and Web browsing, is discussed in chapter thirteen, but many
areas are left unexplored.

For managers and users who are not specialists in computer and
communications security, this book provides a readable and accurate
introduction to a number of important topics.  There are,
unfortunately, a number of gaps in terms of the total security
picture, but that is probably to be expected when taking the problem
oriented approach.  Rubin does not talk down to the audience and does
not oversimplify, and this work therefore is superior to a number of
the introductory books on the market.

copyright Robert M. Slade, 2001   BKWHTHSA.RVW   20010814


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
You're always a little disappointing in person because you can't
be the edited essence of yourself.                      - Mel Brooks
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#311 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Thu Nov 22, 2001 4:00 pm
Subject: REVIEW: "The CISSP Study Guide", Ronald L. Krutz/Russell Dean Vines
BKCISPPG.RVW   20010924

"The CISSP Study Guide", Ronald L. Krutz/Russell Dean Vines, 2001,
0-471-41356-9, U$69.99
%A   Ronald L. Krutz
%A   Russell Dean Vines
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2001
%G   0-471-41356-9
%I   John Wiley & Sons, Inc.
%O   U$69.99 416-236-4433 fax: 416-236-4448
%P   556 p.
%T   "The CISSP Study Guide: Mastering the Ten Domains of Computer
       Security"

Of late there has been a significant increase in interest in the CISSP
(Certified Information Systems Security Professional) exam and
designation produced by the (ISC)^2 (International Information Systems
Security Certification Consortium).  The CISSP exam is based on the
Common Body of Knowledge (CBK) which, as the name implies, is that
information assumed to be customarily known by those qualified or
experienced in the field of computer security.  Since the (ISC)^2 also
runs courses based on the CBK, many people seem to feel that there is
some trick or secret to passing the exam.

Krutz and Vines appear to want to foster this myth, since the first
sentence of the introduction states that this book holds the "key to
unlocking the secrets of the world of information systems security."
If true, this assertion would make a mockery of the (ISC)^2
requirement for three years' work experience, and the insistence that
no one book holds the entire CBK.

The introduction also states that this work is intended as a
preparatory guide for CISSP students, a reference for students of
other information security courses, and a manual in security basics
and emerging technologies for security professionals.  That's a rather
tall order.

For those who have seen the (ISC)^2 CBK course materials, it is
immediately obvious where the structure of the book, and most of the
content, originates.  Much of the text is in point form, following the
slides used in the CBK, with only minor expansion to explain the
elements.  Discussion of concepts is limited, and some of the detail
provided is of questionable value.  In addition, while the CBK is a
substantial and useful work, the (ISC)^2 course structure does suffer,
over time, as areas are added or amended, and the strict adherence to
that order, which can be smoothed over in a seminar, makes the book
very jumpy in places.  Security management practices, in chapter one,
is rather choppy, and access control, in chapter two, is even worse in
this regard.

Each chapter covers one of the ten domains of the CBK.  These topics
tend to overlap in places, but there is little attempt to explain,
reconcile, or reference duplicated material.  Both chapter two and
telecommunications and network security, in chapter three, address
intrusion detection systems, but neither section refers to the other.
(Telecom and networks is a large topic, and would have benefitted from
some attempt at reorganization.)

Chapter four describes many details of cryptography.  While the
particulars provided are correct, the lack of background reduces the
value of the text.  Security architecture and models, in chapter five,
defines most of the terms, but does not give a complete picture of the
topic.  Operations security generally involves the coordination of a
number of individually simple aspects, so chapter six deals with the
topic adequately.  The same minimalist denotation of points does not
work as well for applications and systems development, in chapter
seven.  (In addition, it is disturbing to see that discussion of
viruses has been completely excluded, particularly in view of the fact
that the subject has greater representation in the CISSP exam than in
the CBK course itself.)  Again, business continuity and disaster
recovery planning involve a number of basic operations, so chapter
eight provides reasonable coverage.  Chapter nine's review of law,
investigation, and ethics is terse, but not out of line with the
requirements of the exam.  Physical security, in chapter ten, is
covered better than most other areas.

There are a number of appendices.  A glossary is taken from the old
(1985) US government glossary, with a few additions.  There is an
overview of the old "Rainbow" series of security manuals.  An essay on
using the Capability Maturity Model (CMM) with the Health Information
Portability and Accountability Act (HIPAA) will possibly be of
interest to a very select group.  There is an overview of the National
Security Agency (NSA) Infosec Assessment Methodology, a simplistic
look at penetration testing, and a ludicrously brief list of the
contents of British Standard 7799.  The examination of the Common
Criteria is slightly better, but not sufficient to address the needs
of the CISSP exam.  A list of references for further study is
basically taken from the (ISC)^2 resource list with some added URLs,
and is not annotated.

Oddly, the illustrations are not copied from the CBK course, and table
and section headings relate very poorly to the surrounding text.

Practice with sample questions can be important in preparing for the
CISSP exam.  Those provided by the CBK course, and even the
independent www.cccure.org site, are very similar in tone, style, and
difficulty, to those on the exam.  The specimen questions in this
book, however, are not.  The quizzes are simplistic reading checks and
definition queries, with none of the complexity of the exam, and
requiring little in the way of judgment.  The full list of questions
is given again in appendix C, with answers: the solutions are
sometimes explained, but often are not.

For those studying for the CISSP exam, this book does provide a guide
to the topics to be covered.  If you are confident that you know more
than the book at every point, you should be in good shape to sit the
exam: if not, you will have to get help somewhere else.  If you are
studying for another security course, or are a security professional,
this work will not have much to offer you.

copyright Robert M. Slade, 2001   BKCISPPG.RVW   20010924


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
Either books are worth fighting over or they're not--and if
they're not, why read them in the first place?         - Walter Kirn
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#312 From: Fred Cohen <fc@...>
Date: Sun Nov 25, 2001 4:35 am
Subject: UNH Courses starting in January - security educators might want to know.
Apologies in advance for this advertisement - but online courses
starting in January may be of interest to list members.  More details at:
         http://unhca.com/

Courses Offered Starting January - Sign Up Now

Firewalls and Secure Enterprise Computing - This course deals with the
theory and practice of Internet firewalls and covers many of the details
and vulnerabilities of the IP and embedded protocol suites.  In the
laboratory portion of the course, the students construct, deploy, and
test a real firewall against common Internet-based attack methods.

Computer Viruses and Malicious Code - This course covers the theoretical
and practical issues surrounding computer viruses, and along the way,
covers a wide range of topics in information protection - ranging from
undecidability to evolution - from tracking distributed coordinated
attacks to agent technology - and from pure theory to pure practice.

CJ-671J-98 Special Topics: Research Issues in CyberTerrorism - This course
consists of a few lectures and discussions and a lot of practical research
into issues in cyberterrorism, its causes, its limitations, and its
implications.  It will focus largely on the thresholds and factors that
drive terrorist groups into the information arena, the use of
information technology by terrorist groups, and the emergence of new
terrorist groups which use the information arena as their primary
terrorism mechanism.

FC
--This communication is confidential to the parties it is intended to serve--
Fred Cohen  Fred Cohen & Associates.........tel/fax:925-454-0171
fc@...  The University of New Haven.....http://www.unhca.com/
http://all.net/  Sandia National Laboratories....tel:925-294-2087

#313 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Mon Nov 26, 2001 3:59 pm
Subject: REVIEW: "Hackers Beware", Eric Cole
BKHKRBWR.RVW   20010829

"Hackers Beware", Eric Cole, 2001, 0-7357-1009-0,
U$45.00/C$67.95/UK#34.99
%A   Eric Cole www.securityhaven.com eric@...
%C   201 W. 103rd Street, Indianapolis, IN   46290
%D   2002
%G   0-7357-1009-0
%I   Macmillan Computer Publishing (MCP)
%O   U$45.00/C$67.95/UK#34.99 800-858-7674 317-581-3743 info@...
%P   778 p.
%T   "Hackers Beware: Defending Your Network from the Wiley Hacker"

It is difficult to maintain confidence in a book that, within six
sentences of the opening of the first chapter, misspells the word
"brakes."  We are told that two developmental editors, two copy
editors, two proofreaders, and no less than five technical reviewers
had at this work.  Did any of them pay attention to what they were
reading?

Chapter one basically states that dangers are out there, security is
bad, and companies should be concentrating on prevention, detection,
and education.  Cole also nudges at the "hacking for protection"
theory, without ever really examining it.  A brief but reasonable list
of security breaking activities is given in chapter two.  Various
steps and tools involved in gathering information about a network
connected to the Internet are described in chapter three.
Unfortunately, this explanation, while helpful to a potential
attacker, has no utility for the defender: almost all of the data
discussed must be publicly available for the network to function, and
so there are no means of blocking this level of access.  Spoofing, or
masquerading, is dealt with in chapter four, but again, while some
protective measures are provided, much more time is spent on the
disease than the cure.  After twenty six pages of telling you how to
hijack sessions, including the best programs to use and how to operate
them, chapter five gives us two pages of simplistic advice (avoid
remote connections) on protection.  Chapter six lists a number of
common denial of service attacks and, while it does devote a lot of
ink to describing the exploits, the material is reasonably balanced,
and the suggested defensive measures realistic.  Chapter seven
requires almost forty pages to tell us that buffer overflows are not
good, and you should apply software patches.  Password security is
very important, but the material in chapter eight is vague,
disorganized, and has relatively little to say about good password
choice.  (Chapters nine and ten describe some NT and UNIX password
cracking programs.)  The examination of background fundamentals of NT,
in chapter eleven, is a terse and unfocused grab bag of information.
It would be of little help in explaining the specific
attack programs listed in chapter twelve, a number of which rely on
particular applications.  The same relation is true of chapters
thirteen and fourteen, relating to UNIX.  A number of backdoor and
remote access trojan programs are described in chapter fifteen.
Chapter sixteen discusses log files, and lists some programs for
generating spurious network traffic in order to hide attacks.  Some
random exploits are listed in chapter seventeen, and a few more in
eighteen.  An attempt is made to combine various attacks into
scenarios, in chapter nineteen, but these do not add anything to the
material already provided.  Chapter twenty is the usual vague look to
the future.

This book takes the all-too-common approach of assuming that teaching
you how to break into systems will help you to protect them.  The work
also amply demonstrates the fallacy of that argument.  While the
harried systems administrator spends several hours coming to grips
with the minutiae of the attacks described, the vast majority of the
exploits listed can be countered simply by ensuring that software
patches are up to date.  In addition, while dozens of loopholes are
listed in these pages, thousands more exist that are not covered.  The
material contained in these pages may be entertaining, but it is of
far more use to the attacker than to the defender.  This would be
upsetting, were it not for the fact that most of the exploits
described are old and not likely to remain unpatched if administrators
are keeping up to date.  (Of course, many small outfits can't commit a
lot of resources to keeping up to date ...)

For security specialists, this volume provides nothing that can't be
found elsewhere.  For non-specialists, it fails to supply a security
framework and strategy within which to work.

copyright Robert M. Slade, 2001   BKHKRBWR.RVW   20010829

As usual, a draft has been sent to the author.  He has requested that
this response be included, unedited:

Robert:
First allow me to say thank you for taking the time to review the book
as criticisms are as crucial as praise. We take your feedback
seriously. That being said, let me see if I might speak to some of
your discussions on "Hackers Beware".

When you buy "Hackers Beware", you buy it for the technical content.
While we maintain that this faction of the book is air-tight and
well-supported, we also admit that we could and should have done a better
job with edits on spelling and grammar. While we admit that
shortcoming, we also ask that you look at the eleven reviews posted on
Amazon, praising the technical content of my book and earning it a
FIVE-STAR rating.

The book opens with some introductory material but does that
for a reason. Much of the security information that companies need to
protect their site is straightforward. Yet companies' systems are still
hacked into with a growing frequency because they fail to understand
how to build a proper defense. So my book aims to ensure that everyone
is well, if not over-educated, on DEFENSE.

There are many books on hacking but what makes this book different is
its emphasis on defense. Yes, you need to understand how the enemy
breaks into systems, so you can build better defenses. Every section
has an area on how to defend against a certain type of attack. So I am
not sure how a review can say that defense is not covered when that is
the thrust of this book. There are plenty of books that show you how
to break in. This book clearly and explicitly explains the properties
of a strong defense.

Thanks for letting me write a response.
Eric


======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
If people do not believe that mathematics is simple, it is only
because they do not realize how complicated life is.
                                             - John Louis von Neumann
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

#314 From: Fred Cohen <fc@...>
Date: Sat Dec 8, 2001 12:29 am
Subject: "Web Security, Privacy & Commerce, 2nd Ed." Released by O'Reilly (fwd)
fcallnet
Per the message sent by Kathryn Barrett:
For Immediate Release
December 7, 2001
For more information, a review copy, cover art or an interview with
the author, contact:
Kathryn Barrett (707) 827-7094 or kathrynb@...

NEW EDITION OF O'REILLY'S "WEB SECURITY, PRIVACY & COMMERCE"
ADDRESSES TODAY'S RISKS IN USING THE WEB
Sebastopol, CA--Although nearly half the population of the United
States uses the Internet on a regular basis, most will agree that using
the Web is not without its risks. Yet, in spite of the danger lurking
on the Web, we hear relatively few reports of incidents of cyber
crime.  It may be that we have been incredibly lucky, says Simson
Garfinkel, author with Gene Spafford of "Web Security, Privacy &
Commerce" (O'Reilly, Second Edition, US $44.95). "Today, most
Net-based attackers seem to be satisfied with the publicity that their
assaults generate," Garfinkel says. "Although there have been online
heists, there are so few that they still make the news. Security is
weak, but the vast majority of Internet users still play by the rules."
But, Garfinkel explains, it may be that our luck is running out.

Despite the obvious risks in using the Web, our society and economy
have passed a point of no return, say Garfinkel and Spafford, so that
having a presence on the Web now seems to be a fundamental requirement
for businesses, governments, and other organizations. Understanding how
to minimize and neutralize the destructive power of security threats
has become a high priority for users, administrators, and
organizations. The newly revised and dramatically expanded second
edition of "Web Security, Privacy & Commerce" cuts through the
sensationalism and examines the real issues and risks inherent in the
Web.

"This is a book about how to enhance security, privacy, and commerce on
the World Wide Web," says Garfinkel. "We've actually got three books in
one. The first is a book for users; the second for service providers,
and the third is for content providers, that is, the people who publish
information on the Web. There are different issues facing each of these
groups.

"For users," Garfinkel continues, "the demise of the dot-com economy
means that even more companies are looking for ways to make a buck off
Internet users--and frequently, that means trying to find ways to
capture and resell personal information. Now more than ever, people
need to be concerned about online privacy.  For service providers,
there has been an increased attention to information security as a
result of recent current events. And for content providers, it's clear
that issues of content control, copyright, and possibly criminal
content are here to stay. This book explains all the key issues."

"Web Security, Privacy & Commerce" is a definitive reference on web
security risks and the techniques and technologies that can be used as
protection against these risks. Topics in the new edition include:

- Web technology: cryptography, the Secure Sockets Layer (SSL), the
Public Key Infrastructure (PKI), passwords, digital signatures, and
biometrics.
- Web privacy and security for users: cookies, log files, spam, web
logs, web bugs, personally-identifiable information, and identity
theft, as well as hostile mobile code plug-ins, ActiveX controls, Java
applets, and JavaScript, Flash and Shockwave programs.
- Web server security for administrators and content providers: CGI,
PHP, SSL certificates, P3P and privacy policies, digital payments,
client-side signatures, code signing, pornography filtering, ICS,
intellectual property, and legal issues.

What critics said about the first edition:

"Garfinkel and Spafford deal head on with key elements of Internet and
enterprise security. 'Web Security and Commerce' addresses modern
security technologies and applications in a comprehensive fashion, and
is an important work in the explosive, fast-moving, and highly visible
security field."
--Eric Greenberg, Group Security Product Manager, Netscape
Communications Corporation

"This is a truly useful book which can help people avoid a lot of the
risks in Webware. It is intelligently written, timely, informative,
accurate, comprehensive, understandable, and a great pleasure to read.
It is the Web-ster's definitive guide to security."
--Peter G. Neumann, moderator of ACM "RISKS" Forum and author of
"Computer-Related Risks"

"This book is packed with useful information and solid advice for Web
users, Webmasters, and developers. Garfinkel and Spafford skip the
usual marketing hype and tell us how and why Web security works--or
breaks down--in the real world."
--Dr. Edward Felten, head of Princeton University's Secure Internet
Programming Group

"If you have a business, and you want to learn how to protect the
security of your Web site, or if you're a Web surfer and want to know
more about privacy on the Web, a new book, 'Web Security & Commerce' by
Simson Garfinkel with Gene Spafford, is the best I've seen."
--Michael Ketcher, Bull & Bear Financial Report, March 1998

"Garfinkel and Spafford provide a thorough, engrossing, and
disconcerting overview of all the relevant security issues...an
excellent book all around--generous with technical detail and practical
examples, yet accessible and fascinating to read. It's recommended for
anyone who's interested in the subject."
--John Frazer Dobson, Computer Shopper, June 1998

Chapter 8, "The Web's War on Your Privacy," is available free online at:
http://www.oreilly.com/catalog/websec2/chapter/ch08.html

For more information about the book, including Table of Contents,
index, author bio, and samples, see:
http://www.oreilly.com/catalog/websec2/

For a cover graphic in jpeg format, go to:
ftp://ftp.ora.com/pub/graphics/book_covers/hi-res/0596000456.jpg

Web Security, Privacy & Commerce
By Simson Garfinkel, with Gene Spafford
Second Edition, November 2001
ISBN 0-596-00045-6, 756 pages, $44.95 (US)
order@...
1-800-998-9938
http://www.oreilly.com

About O'Reilly
O'Reilly & Associates is the premier information source for
leading-edge computer technologies. We communicate the knowledge of
experts through our books, conferences, and web sites. Our books, known
for their animals on the covers, occupy a treasured place on the
shelves of the developers building the next generation of software. Our
conferences and summits bring innovators together to shape the
revolutionary ideas that spark new industries. From the Internet to the
Web, Linux, open source, and now peer-to-peer networking, we put
technologies on the map. For more information: http://www.oreilly.com

# # #

O'Reilly is a registered trademark of O'Reilly & Associates, Inc. All
other trademarks are property of their respective owners.

#315 From: Fred Cohen <fc@...>
Date: Sat Dec 8, 2001 12:30 am
Subject: new computer security and information assurance graduate (fwd)
fcallnet
Per the message sent by Lance J. Hoffman:

Dear Colleague:

The George Washington University is delighted to announce a new computer
security and information assurance graduate program at the Loudon-Virginia
Graduate and Research Campus.  It's accelerated and allows busy working
professionals to get a certificate in 22 weeks if they attend class two
evenings per week.  Highlights of the program are given below and more
details are at http://www.seasva.gwu.edu/Programs/CSIA/index.htm.

I. J. Hudson from Channel 4 in D. C. interviewed me and two of our
students, Brian Reilly and Kristine Rogers, about it yesterday and may show
some interesting "[anti-] hacking" demos.  It is supposedly going to air
tonight at 5 p.m. (and, conceivably in the later newscast(s) also).

Highlights of the program:
Courses:
         CSci 283 Introduction to Computer Security
         CSci 285 Information Policy
         CSci 383 Viruses, Worms and Network Security
         CSci 385 E-Commerce Security
         Geared towards busy professionals
         Accelerated: 4 courses in 22 weeks (40 evenings, TuTh 4-9:30 p.m.)
         Lectures, classwork, open discussion, lab time and dinner
         Graduate level (Master's) credits
         Seamless transfer to a full Master's degree program in computer
         science
         State of the art computer security lab ("battle lab")

Lance J. Hoffman, Professor, Dept. of Computer Science  www.cs.seas.gwu.edu

(202) 994-4955, fax 202 994-4875
and Cyberspace Policy Institute (202) 994-5513 www.cpi.seas.gwu.edu
The George Washington University, Washington DC 20052.

#316 From: Gustavo Hung <ghung@...>
Date: Tue Dec 11, 2001 2:30 pm
Subject: Textbook
gfhungw
Hi,
Can you recommend a textbook for a short course on security?
Regards
Gustavo Hung

#317 From: Crazyape25@...
Date: Tue Dec 11, 2001 10:36 am
Subject: Re: Textbook
Crazyape25@...
What do you need to know? Maybe I can help you out.

#318 From: Fred Cohen <fc@...>
Date: Sun Jan 6, 2002 4:29 pm
Subject: Solicitation for stupid things you have heard.
fcallnet
I want to solicit the list members of these forums to help me with an
article I am writing for Managing Network Security.  I extract here from
the current draft beginning of the article in the hopes that those of
you who are interested will provide the raw material I need...

-------------
I have heard many decision makers and executives say things that went
unchallenged even though they were dead wrong.  The reason they went
unchallenged varied with the situation, but I think there are three
basic areas of rationale.  (1) The person they were talking to perceived
themselves as less powerful and did not wish to offend, (2) the person
they were talking to did not know the facts and simply bought into the
misimpression of the more senior person without questioning it, or (3)
the person they were talking to was afraid of offending the executive
because they wanted something from the executive and figured you go
along to get along.

Well, I don't perceive myself as less powerful than anyone, I know some
of the facts, and the chances of my getting any money from anyone like
that are so poor that I have nothing to lose.  So I am going on a brief
crusade this month fighting the stupid things I have heard high-level
people say about security issues, particularly those who were believed
by others and whose expressions found their way into widespread belief.

Of course to really do this well, I need a list of the ten most stupid
things people have said so I can trash them.  Rather than come up with
my own list, I have decided to ask others to list the ones they have
heard, and I will sprinkle in one or two of my favorites along the way.
-------------

Please feel free to respond directly to me (fc@...) or to the list
(if you want the list members angry at you).

FC
--This communication is confidential to the parties it is intended to serve--
Fred Cohen  Fred Cohen & Associates.........tel/fax:925-454-0171
fc@...  The University of New Haven.....http://www.unhca.com/
http://all.net/  Sandia National Laboratories....tel:925-294-2087

#319 From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@...>
Date: Mon Jan 7, 2002 12:39 am
Subject: Re: Solicitation for stupid things you have heard.
secgloss
From:            Fred Cohen <fc@...>
Date sent:       Sun, 6 Jan 2002 08:29:24 -0800 (PST)

> I have heard many decision makers and executives say things that went
> unchallenged even though they were dead wrong.  the reason they went

Off the top of my head, right away, from our mutual specialty there is the ever
popular "we don't have to worry about viruses because a) we only use Macs, b) we
only use Linux, and c) the all-time favorite, we don't use shareware."

Then there was the almost Dilbertesque (or PHB-esque) response I got from one
exec when I pointed out that a great deal of time was being wasted in
"rediscovery" of basic configurations because the system wasn't documented
properly.  His response, of course, was that the institution was too busy/had
too many things to do to spend time documenting the system.

A rather bizarre one that I frequently encounter is the statement, when I
recommend various policies, that they don't want to establish policies, since
that would upset the employees.

I'll try to think of some others.

> unchallenged varried with the situation, but I think there are three
> basic areas of rational.  (1) The person they were talking to perceived
> themselves as less powerful and did not wish to offend, (2) the person
> they were talking to did not know the facts and simply bought into the
> misimpression of the more senior person without questioning it, or (3)
> the person they were talking to was afraid of offending the executive
> because they wanted something from the executive and figured you go
> along to get along.

As yet another reason, may I quote from my own review of "The Human
Equation":


"The Human Equation", Jeffrey Pfeffer, 1998, 0-87584-841-9, U$24.95

[...]

Interestingly, Pfeffer writes something to this effect in chapter
four, while pointing out some of the tragically flawed beliefs and
practices of modern business.  He notes that the formal evaluation
process, so beloved of management, requires that experts explain their
conclusions to non-experts.  However, experts make decisions based on
accumulated experience and an almost intuitive level of knowledge.
This reasoning generally cannot be explained to novices, who can only
rely on common knowledge.  The explanation, therefore, must proceed at
the novice level.  As the old saw has it, if you can tell the
difference between good advice and bad advice, you don't need any
advice.  If an institution has need of expert advice, then the
organization obviously does not command the expertise to fully
evaluate that advice.  The requirement to have the expert explain
conclusions means that easy, and therefore unimportant, decisions can
be easily explained, while more complicated, and significant,
resolutions will be much harder to explain, and thus have less chance
of survival.
[...]

======================  (quote inserted randomly by Pegasus Mailer)
rslade@...  rslade@...  slade@... p1@...
Programming today is a race between software engineers striving
to build bigger and better idiot-proof programs, and the Universe
trying to produce bigger and better idiots. So far, the Universe
is winning.                                              - Rich Cook
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
