Updated: 24.11.2002; 12:02:25 Uhr.
disLEXia
lies, laws, legal research, crime and the internet
        

Friday, March 30, 2001

Book: Security Engineering, Ross Anderson

Ross Anderson
Security Engineering: A Guide to Building Dependable Distributed Systems
John Wiley & Sons
March 2001
xxviii+612 pp.
ISBN 0-471-38922-6

This book is an enormous undertaking. The chapter titles suggest the breadth of coverage.

Part 1 (basic concepts)
 1. What is security engineering
 2. Protocols
 3. Passwords
 4. Access controls
 5. Cryptography
 6. Distributed systems

Part 2 (important applications)
 7. Multilevel security
 8. Multilateral security
 9. Banking and bookkeeping
 10. Monitoring systems
 11. Nuclear command and control
 12. Security printing and seals
 13. Biometrics
 14. Physical tamper resistance
 15. Emission security
 16. Electronic and information warfare
 17. Telecom system security
 18. Network attack and defense
 19. Protecting e-commerce systems
 20. Copyright and privacy protection

Part 3 (organizational and policy issues)
 21. E-policy
 22. Management issues
 23. System evaluation and assurance
 24. Conclusions

Although there are other books that delve into greater detail on specific topics, this book should be extremely useful to many people who need the overall system perspective that Ross provides.

Ross's preface concludes with this sentence:

"I believe that building systems that continue to perform robustly in the face of malice is one of the most important, interesting, and difficult tasks facing engineers in the twenty-first century."

I could not agree more, although I would add that building systems to perform robustly in the face of arbitrary adversities (accommodating power and communication losses, rodents, bad software engineering, user errors, etc. -- that is, not merely accounting for malice) is even more challenging. Many systems in common use tend to fall apart all by themselves -- without any malice! ["Peter G. Neumann" via risks-digest Volume 21, Issue 31]

MSN "upgrade" creates long-distance calling

As RISKS readers are aware, automatic upgrades of software aren't always as innocuous as "they" would have you believe. A recent Microsoft Networks (MSN) dial-up upgrade caused some users in the Research Triangle, NC area to suddenly start dialing in via a long distance access number, as opposed to the previously local exchange. WRAL TV's consumer reporter has received 51 calls about this so far.

Someone's phone bill included $361 in long distance charges to a Chapel Hill number for his Internet connection through Microsoft Networks, despite having used a local number. An MSN customer service representative told someone else that MSN "lost local numbers for several areas" during an upgrade. Several complainants had online chats where representatives insisted the Chapel Hill number was not long distance. [Source: WRAL TV online (excerpted [and PGN-ed]) http://www.wral-tv.com/features/5onyourside/2001/0329-msn-folo/]

Adding additional dial-in numbers may be a good thing for a service to do. Arbitrarily changing the numbers that existing customers chose to use, without at least warning the customers first, seems rather suspect, as MSN has now discovered. Compounding the error by telling your customers that they are mistaken, while said customers are holding their long distance bills in their hands, certainly inspires confidence...

Steve Holzworth, Senior Systems Developer, SAS Institute - Open Systems R&D VMS/MAC/UNIX, Cary, N.C. sch@unx.sas.com [Steve Holzworth via risks-digest Volume 21, Issue 32]


Maximillian Dornseif, 2002.