ON COMPUTER AND NETWORK SECURITY
God is in the details
TABLE OF CONTENTS
- The Network is a Dog
- Where Angels Fear to Click
- Fire Burn, Cauldron Bubble
- Attack of the Killer Data
- Oh, What a Tangled Web We Weave
- All Creatures Great and Small
- Snow White, Archimedes, and Tylenol
- Private Parties on the Party Line
- Shootout at the E-COM Corral
- Famous Last Words
- Family Jewels
- Digital Flotsam
- Recent Footage
CONTACT INFORMATION
CREDITS
THE NETWORK IS A DOG
Canine redux
What a difference a year makes, and certainly a year on the Internet.
It's been said that an Internet-year is like a dog-year, having within it the
development of seven normal human years.
When we published our first issue on
computer and network security, the Internet was an interesting frontier
and those splashy IPOs of Internet companies had not yet begun.
Now here midway through 1996, it has become a ubiquitous communication
channel. In the US, for
example, a URL is as essential for many businesses as a toll-free 800
phone number.
In the last twelve months,
the first wave of businesses, entrepreneurs, professionals, and consumers has
adopted the networked desktop computer as an information
appliance.
Computer and network security used to be problems for large or specialized
organizations and the province of technical professionals
steeped in lore and arcana.
Now there are many network users who do not have the advantage of these
resources and must practise safe networking and know how to
protect themselves.
Likewise, our first issue of Netsurfer Focus
on computer and network security largely addressed the
concerns of system administrators. In this issue, we will continue
to bring you new developments in these areas. In addition, we
will touch upon problems of concern to small business and home users alike.
For new readers who are interested in the topic, we highly recommend
you also visit the revised edition of our first annual issue on
Computer and Network Security.
- Netsurfer Focus on Computer and Network Security
- http://www.netsurf.com/nsf/v01/01/nsf.01.01.html
- The original network and the dog
- http://www.netsurf.com/nsf/v01/02/nsf.01.02a.html#s14
WHERE ANGELS FEAR TO CLICK
Coming full circle
You are connected to a network. Every click of your mouse can take you
into the unknown. Do you know where you are going? Do you know what
will happen there?
The original application of the World Wide Web was perfectly
safe. You download text and graphics, the browser interprets and displays them, and
you can always view the source code the browser interpreted.
There is no hiding behind secret files or obscure binary code that only
a trained programmer or a computer can read.
Although you may not know much about the web site you are visiting and
whether you can trust it or not, the content you get does not do anything
to your computer system.
But along came the downloadable plug-ins, Java applets, Javascript scripts,
and ActiveX controls.
Each is a piece of software that runs on your system and has varying
capabilities to modify the local software and hardware.
Clicking on a hotlink to a file of a special mime-type can cause a plug-in to
run, but at least you have to have the plug-in and to click on the link.
Java and Javascript are more insidious because support
comes with popular browsers, and applets and scripts
run immediately when the page has been downloaded. Although the language
designers have taken pains to make Java and Javascript safe,
problems are still being identified.
ActiveX controls, on the other hand, have much greater access to your
PC system, and being newer to the Net, have had less time for their potential
flaws to be discovered.
The trick is to not let any unknown code, no matter where it is from,
run on your computer without strong precautions.
If you have not disabled these features in your browser, every time you
click on the URL of a web page, you are potentially allowing code
that you might not even know is on the page to run on your computer.
Unlike a BBS download or even an e-mail attachment, there is no
separate and conscious step to run an executable. The first click of your
mouse is the crucial one.
When the Web first started, those who had heard about viruses were
wary, and we were able to reassure them that it was perfectly safe
to point and click. Now that we have trained the world
to think that it is safe to point and click and surf the Net, we need
to bring the precautions back.
FIRE BURN, CAULDRON BUBBLE
Caffeine jitters
Judging by the industry response, Java is proving to be a potent brew.
Its strength comes from being a programming language that does most of
the "right" things by modern programming standards; or as Sun Microsystems
itself describes it, Java is fully buzzword-compliant.
The security challenge comes when we rely on it to run, sight unseen,
applets from the four corners of the earth.
To keep applets from running amok in the system, a browser that
supports Java constrains them to a "sandbox".
By definition, this sandbox includes only access to the screen and computing
power of the client computer, and connection to the host computer from
which the applet came. It usually cannot get to your local file system,
and it cannot get to other computers on the network.
But as we gain experience with Java, we are finding sins of both commission and
omission. A number of design and implementation bugs have
been reported and quickly fixed. Among other things, these allowed attacks
on computers behind firewalls, and also attacks that seem to come from an unwary
and innocuous third party.
More bugs will doubtlessly be discovered and remedied
with new releases and continued scrutiny.
Other problems that come up are part of the nature of the beast.
For example, while applets may stay in the sandbox, they
can raise quite a ruckus and do each other harm in the process.
These "hostile applets" are able to
lock up your screen, crash the browser, sabotage or kill other applets, try and
steal your password by putting up a login screen and asking you to enter
your password,
or simply siphon off system resources to work on computational problems
and report the results to the originating server.
There is currently no way to control these types of applets except
to restart the browser or the computer.
The Internet is not always a safe place, but there is no point
in throwing out the Java with the grounds.
Turn off Java support in your browser while visiting
sites you do not trust, and use up-to-date versions of browsers and
Java development kits to get the latest fixes.
With the prevalence of applet-sharing on the Net, the possibility of popular
applets (such as the ticker tape) being turned into Trojan horses
is also very real. So it is equally important not to use or post any applets
to your web site unless you know exactly what they do.
- Two easy pieces
- http://www.javaworld.com/javaworld/jw-05-1997/jw-05-security.html
- http://www.cs.princeton.edu/sip/java-faq.html
- The original Princeton paper on Java security
- http://www.cs.princeton.edu/sip/pub/secure96.html
- Java security info
- http://java.sun.com/sfaq
- http://java.sun.com:80/security/index.html
- History of Java security bugs
- http://java.sun.com/sfaq/chronology.html
- Netscape Communicator update
- http://developer.netscape.com/tech/security/index.html
Javascript, not to be confused with Java, is a scripting language supported
by the Netscape browsers to improve the interactivity of HTML pages.
While Java applets can get at each other, Javascript code has access to
your computer and what you do within the browser. Instead of stealing
resources a la applets, the bugs that have been found tend to violate the privacy of
your system.
Malicious Javascript code can track the history of your websurfing,
read your files and file directory listings, and send all the
information back to the server from which it originated.
Most of these problems have been fixed as of this writing, but continued
scrutiny may reveal new ones. So the same precautions that are used for Java
apply to Javascript also.
- Javascript problems
- http://www.osf.org/~loverso/javascript/
- Javascript security in Netscape Communicator
- http://developer.netscape.com/docs/manuals/communicator/jsguide4/sec.htm
- http://developer.netscape.com/docs/manuals/communicator/jssec/contents.htm
ATTACK OF THE KILLER DATA
New tricks for old bugs
Programs such as Microsoft Word have a macro language that can modify
program behaviour and enable greater functionality. If macros are
carried along in the same file as the data, then the program is
susceptible to macro viruses. Whether you are downloading the file
through FTP or the Web, the data file is not as innocuous as it seems.
And actually, you don't even have to go to the trouble of downloading
the file containing a
macro gone bad. E-mail will take care of it for you just fine.
Safely ensconced
in the protective sheath of a MIME attachment, the lethal payload is
carried through the firewall and only released
when you open the file.
Likewise, someone can also send you an infected program as an e-mail
attachment.
The old sneakernet viruses have turned into netsurfing jetsetters, and their
geographic spread has escalated through use of the Internet.
In each case, the culprit comes through intervening firewalls unscathed.
But of course nothing stands still in the spy-versus-spy world of
computer security. In the last few months, a number of firewall-based
virus-scanners have been announced. These will usually check e-mail
attachments and Web and FTP downloads into your organization for potential
invaders.
- Anti-viral products for e-mail, Web, and FTP access
- http://www.mcafee.com/products/virusscan/virusscan.asp
- http://www.trendmicro.com
- List of common viruses on the Internet
- http://www.nai.com/vinfo/f_1.asp
- http://www.av.ibm.com/InsideTheLab/VirusInfo/Descriptions/
- A virus infecting Microsoft Word and Excel
- http://www.nai.com/vinfo/w97mshiver.asp
- Immunizing against viruses
- http://www.research.ibm.com/resources/magazine/1996/issue_4/immune496.html
- Some viruses aren't
- http://www.nai.com/services/support/hoax/hoax.asp
OH, WHAT A TANGLED WEB WE WEAVE
The fly in the parlor ... with the chainsaw
As computers reach across the ether and interconnect to one another,
regardless of whether they are browser clients or servers,
they take on a certain amount of risk. In addition to the basic dangers
of being a computer on the Net and being hacked, the World Wide Web
brings them new and wonderful hazards.
Java and Javascript abuse at malicious web sites
and virus-infected content can cause problems. But they are not the
sole villains in the drama. As part of the http protocol,
the browser gives out a great deal of information about you to the
server. The "cookie" mechanism can be used to closely track and
record your activities on any given site - just like going into a store
and having every movement you make filmed for use and analysis.
But the web server is not always the evil spider inviting the fly to step into
its parlor. Sometimes the fly comes in armed with a chainsaw, and not always
by the front door. The web server equally faces all the hazards of connection,
without many of the protections of the underlying operating system.
For example, you may restrict access to members
only, and use the web server's user ID and password mechanism. First of all,
an attacker can make repeated attempts to guess the password - the server does not
shut him down after the third try as do many operating systems. In addition,
the password is not strongly encrypted as it traverses the Net, but
traverse the Net it does. To increase the odds of capture and discovery,
user name and password are sent not once but each time any protected
document is accessed.
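The two weaknesses just described, as an added example that is not part of the original issue: a Basic credential is only base64-encoded and so trivially reversible, and since the server itself keeps no count of failures, the access log is where repeated guesses can be flagged. The log lines, the credential, the limit of three and the function names are constructed for illustration.

```python
import base64
import re
from collections import defaultdict

# Constructed credential, encoded the way a browser sends it on every request.
SAMPLE_HEADER = "Basic " + base64.b64encode(b"alice:opensesame").decode("ascii")

# Constructed Common Log Format lines: host, ident, user, time, request, status, bytes.
SAMPLE_LOG = """\
192.0.2.10 - alice [12/Jul/1996:10:00:01 -0700] "GET /members/index.html HTTP/1.0" 200 2048
198.51.100.7 - bob [12/Jul/1996:10:00:05 -0700] "GET /members/index.html HTTP/1.0" 401 312
198.51.100.7 - bob [12/Jul/1996:10:00:06 -0700] "GET /members/index.html HTTP/1.0" 401 312
198.51.100.7 - bob [12/Jul/1996:10:00:07 -0700] "GET /members/index.html HTTP/1.0" 401 312
198.51.100.7 - bob [12/Jul/1996:10:00:08 -0700] "GET /members/index.html HTTP/1.0" 401 312
192.0.2.10 - alice [12/Jul/1996:10:00:09 -0700] "GET /members/news.html HTTP/1.0" 401 312
192.0.2.10 - alice [12/Jul/1996:10:00:12 -0700] "GET /members/news.html HTTP/1.0" 200 5120
"""

LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "[^"]*" (\d{3}) \S+$')


def decode_basic(header_value):
    """Recover (user, password) from an 'Authorization: Basic ...' value.

    No key is involved: anyone who sees the header on the wire can do this.
    """
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob).decode("latin-1").partition(":")
    return user, password


def flag_guessing(log_text, limit=3):
    """Return {(client, user): failures} for every pair that reached
    `limit` consecutive 401 responses; a non-401 response resets the count."""
    streak = defaultdict(int)
    flagged = {}
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        client, user, status = match.group(1), match.group(2), int(match.group(3))
        key = (client, user)
        if status == 401:
            streak[key] += 1
            if streak[key] >= limit:
                flagged[key] = streak[key]
        else:
            streak[key] = 0
    return flagged


if __name__ == "__main__":
    print(decode_basic(SAMPLE_HEADER))
    print(flag_guessing(SAMPLE_LOG))
```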
CGI scripts, those solid workhorses of interactive web pages, are programs running
on your server computer, and therefore potentially large security holes. How, you might
ask; well, myriad are the ways. Suffice it to say that the first law is never
to trust user input. An innocent but unexpectedly large input that overwrites
part of system memory has been the downfall
of many a program. And given the fact that these scripts frequently work
with system commands (such as 'remove all files'), they are attractive targets
that can cause disproportionate damage.
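One way to apply that first law, as an added example rather than code from the original issue: the input is length-capped and matched against an allowlist before use, and the value reaches the external program as a single argument with no shell in between. The command name `lookup`, the 64-character cap and the helper child process are assumptions made for the demonstration.

```python
import re
import subprocess
import sys

MAX_FIELD_LEN = 64  # assumed cap for this form field
# Allowlist: letters, digits, dot, underscore, hyphen; no leading '.' or '-'.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")

# Stand-in for the system command a CGI script would call: a child process
# that prints the single argument it was given.
HELPER = [sys.executable, "-c", "import sys; print(sys.argv[1])"]


def shell_string_before(field):
    """The risky pattern: input pasted into text destined for a shell.

    Built here only to show what the shell would be asked to parse;
    it is never executed. 'lookup' is a hypothetical command name.
    """
    return "lookup " + field


def validate_field(field):
    """Reject oversized input first, then anything outside the allowlist."""
    if len(field) > MAX_FIELD_LEN:
        raise ValueError("field too long")
    if not SAFE_NAME.fullmatch(field):
        raise ValueError("field contains characters outside the allowlist")
    return field


def run_lookup(field):
    """Hardened form: the validated value is one argv element, no shell."""
    value = validate_field(field)
    done = subprocess.run(HELPER + [value], capture_output=True,
                          text=True, check=True)
    return done.stdout.strip()


def handle_request(field):
    """Return (status, body) the way a small CGI handler might."""
    try:
        return 200, run_lookup(field)
    except ValueError as err:
        return 400, str(err)


if __name__ == "__main__":
    for sample in ["report.txt", "report.txt; echo injected", "A" * 5000]:
        print(handle_request(sample))
```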
And last but not least, the friendly, helpful robots that scuttle across the Web
indexing all pages in their path do not discriminate against files you did
not plan for the world to see. Carelessly managed sites have had their password
and system configuration files scooped into massive Web index databases, waving
the red flag of a vulnerable site under the nose of potential hackers.
Exposure of other files is a lesser risk, but do you really want to share all
your organization's secrets with all of cyberspace?
- What malicious web sites can do
- http://www.swcp.com/~mccurley/danger/infect.html
- http://www.digicrime.com
- What the server gets out of the browser
- http://www.vortex.com/privacy/priv.03.22
- Cookies
- http://home.netscape.com/newsref/std/cookie_spec.html
- WWW Security FAQ
- http://www.w3.org/Security/Faq/
- Writing secure CGI scripts
- http://hoohoo.ncsa.uiuc.edu/cgi/security.html
- Search engines and web server security
- http://ciac.llnl.gov/ciac/notes/notes96-01.shtml#SEARCH
- Securing Internet information servers
- http://ciac.llnl.gov//ciac/documents/ciac2308.html
ALL CREATURES GREAT AND SMALL
Cybercritters in the night
In addition to the web page traps and viruses that snare unwary netsurfers,
the Net ecosystem is also home to a growing host of robots, agents,
spiders, worms, ants, and other creatures. Speaking the language of HTTP
and other network protocols, these are basically small programs that traverse the
Net for a variety of purposes. The best known are the spiders that
index Net resources for public and private use.
Alta Vista, Infoseek, and Lycos are a few that come to mind. Others
help webmasters manage their sites, checking for and pruning away
defunct hotlinks. Newer programs can help you harvest Net resources,
look for updated
pages, download entire sites while you sleep, or even shop for bargains.
In the brave new world, intelligent agents will not just bring you information,
but become active in
coordinating schedules, executing transactions, and performing other tasks
at your behest.
These programs or robots can have intended and unintended effects
on the network and web sites they traverse. Overeager spiders have overwhelmed
web sites by requesting too many documents too rapidly.
As described elsewhere, they can also ferret out information that a careless
system administrator leaves accessible on his disk.
Efforts are under way to create formal Internet standards of behaviour for
web robots. The current version, the Robot Exclusion Standard, allows
site administrators to place a 'robots.txt' file on their web site indicating where
robots should not go. For example, a large archive of bitmap images
would be useless to a robot that is trying to index HTML pages.
Serving these files to the robot is a needless use of net resources;
however, they need to remain accessible to a human with a browser or FTP.
The standard is a voluntary one for the moment, and an etiquette
is evolving for robot developers as experience is gained with their deployment.
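A small parser for the exclusion file described above, as an added example that is not part of the original issue. It shows how a well-behaved robot decides what to skip; the check runs in the robot, and nothing in the file is enforced by the server. The file contents, robot names and paths are constructed, and the matching follows the original standard's record format (User-agent lines followed by Disallow path prefixes).

```python
# Constructed exclusion file: keep every robot out of the bitmap archive and
# the CGI directory, but let one named link checker go everywhere.
SAMPLE_ROBOTS_TXT = """\
# constructed example
User-agent: *
Disallow: /images/archive/   # large bitmap archive
Disallow: /cgi-bin/

User-agent: linkchecker
Disallow:
"""


def parse_robots(text):
    """Return a list of (agent_names, disallowed_prefixes) records."""
    records, agents, rules = [], [], []
    for raw in text.splitlines():
        if raw.strip().startswith("#"):
            continue  # whole-line comments do not end a record
        line = raw.split("#", 1)[0].strip()
        if not line:
            # A blank line closes the current record.
            if agents:
                records.append((agents, rules))
            agents, rules = [], []
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            agents.append(value.lower())
        elif field == "disallow" and agents and value:
            rules.append(value)  # an empty Disallow means nothing is excluded
    if agents:
        records.append((agents, rules))
    return records


def may_fetch(records, robot_name, path):
    """Decide, as a compliant robot would, whether `path` may be requested."""
    name = robot_name.lower()
    specific = [rules for agents, rules in records
                if any(a != "*" and a in name for a in agents)]
    default = [rules for agents, rules in records if "*" in agents]
    if specific:
        chosen = specific[0]
    elif default:
        chosen = default[0]
    else:
        chosen = []
    return not any(path.startswith(prefix) for prefix in chosen)


if __name__ == "__main__":
    recs = parse_robots(SAMPLE_ROBOTS_TXT)
    for robot, path in [("ExampleSpider/1.0", "/images/archive/map.bmp"),
                        ("ExampleSpider/1.0", "/index.html"),
                        ("LinkChecker/2.1", "/images/archive/map.bmp")]:
        print(robot, path, may_fetch(recs, robot, path))
```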
- Web robots, wanderers, and spider information
- http://pcmojo.com/search/spiders.htm (quick overview)
- http://info.webcrawler.com/mak/projects/robots/robots.html (detailed resources)
- Harvesting web pages
- http://www.bluesquirrel.com/grabasite/gasvsww.html
- Bargain finders
- http://www.junglee.com/index.html
- http://bf.cstar.ac.com/bf/
- Agent technology and a virtual assistant
- http://www.genmagic.com/technology/techwhitepaper.html
- http://www.genmagic.com/portico/portico.html
- Robot Exclusion Standard
- http://info.webcrawler.com/mak/projects/robots/norobots.html
SNOW WHITE, ARCHIMEDES, AND TYLENOL
The issue of trust
Things are not always what they seem.
The case of cyanide-laced Tylenol tablets, Snow White eating the beautiful
apple from the Evil Queen,
and Archimedes's encounter with gold that had been adulterated with base metals.
How do you trust what you get? It's no different in cyberspace.
The applet that screams "download me" at your favourite game site.
The robot knocking at the door to your web server.
It's just often harder to verify the reliability of 1's and 0's.
We have few qualms about installing shrink-wrapped software
packages because we get it from a retailer we know, or because
it carries a brand name we trust. These days we extend trust to
Net sites that we visit. The momentum behind using digital signatures
to show that a message or a piece of software actually came from the
person or organization that we trust is growing. The Java API including
signed applets will be available in Q3 of 96, and Microsoft is spearheading
a code signing proposal. So in the not-too-distant future,
we should be able to enforce greater security and functionality by
verifying content, robots, applets, and transactions through the signature
on the digital ID card.
ID card providers (certificate authorities) are appearing, and
even the US Postal Service is getting into the act.
- Signing and security
- Overview - http://java.sun.com:80/docs/books/tutorial/jar/sign/intro.html
- Object signing - http://developer.netscape.com/docs/manuals/signedobj/overview.html
- Form signing - http://developer.netscape.com/tech/security/formsign/formsign.html
- Getting into the card issuing business
- Verisign - http://digitalid.verisign.com/client/index.html
- Phone Companies - http://www.bbn.com/products/security/cytrust/index2.htm
PRIVATE PARTIES ON THE PARTY LINE
Virtual Private Networks
The Internet is one big party line where packets of information bounce hither-thither
from source to destination, free to spend a night or a lifetime with some random computer
somewhere along the way. But as a public thoroughfare, it has great cost advantages
compared to private networks built by stringing your own wire.
So how do you have the best of both worlds of low cost and privacy?
Although some large scale network providers such as MCI can provide a facsimile of
private lines by routing your traffic entirely over network segments that they manage, the
trend has been toward more control over your own destiny
through virtual private networks (VPNs).
And the party line on privatizing the party line? IP level encryption.
Sender to recipient, end-to-end encryption of information being
transmitted across the Internet means that
stray packets are unintelligible to anyone but the intended recipient.
Encryption at the IP level of the Internet protocol stack also allows easy support
of different application protocols such as HTTP, FTP, and Telnet, on a variety
of underlying network technology such as Ethernet, Frame Relay, or ATM.
Products that secure the communications between designated sites in
your private network on the Internet are springing up like mushrooms after a rain.
They can be software-only, such as Digital Equipment's Internet Tunnel, or
hardware-based, such as NetFortress from Digital Secure Networks Technology. The
SunScreen solution from Sun Microsystems provides firewall and cryptographic key
clearinghouse services as well as the basic site-to-site encryption.
These solutions work well for organizations that must secure communications
between different facilities.
The Security Middleware products from Virtual Online Network Environments
use smartcard authentication to verify individual users rather than
host computers. This product, if deployed by Internet Service Providers, would allow
even small Mom-and-Pop outfits to have affordable private networks.
And on the large
enterprise side of the story, an industry coalition is forming to enable
secure wide area networks (S/WAN) through encryption and key management standards.
- Encryption and Cryptographic Keys
- http://www.netsurf.com/nsf/v01/03/nsf.01.03.html
- Internet Tunnel
- http://www.digital.com/info/SP5613/SP5613PF.PDF
- SunScreen
- http://www.sun.com/security/overview.html
- Smartgate
- http://www.v-one.com/smartgate.htm
- S/WAN
- http://www.rsa.com/rsa/SWAN/home.html
SHOOT-OUT AT THE E-COM CORRAL
Where's the beef?
Glorious sunrise on the range. The entrance to the E-COM corral, Marlboro
Man look-alikes hoist the corral's new brand over the gates.
Bold, wrought iron letters, SET. The crowds cheer and applaud.
Suddenly, a lone cowboy in black with a gold belt buckle
rides up with six shooters blazing. The natives
shoot back and give chase. Exit, stage left. The scene continues
undisturbed.
By late 1995, Netscape's SSL (Secure Sockets Layer) had won the standards race for
secured transmission of content (read credit card numbers)
across the Net.
Commerce on the Internet received a crucial boost in early 1996 when leading
credit card associations Visa and Mastercard finally set aside their differences
and competing standards (STT and SEPP) in favour of a common specification,
SET (Secure Electronic Transaction). This specification enables the other aspects
of a credit card transaction, e.g., authorization of the charges,
to occur online, not just the transmission of card number information.
Then First Virtual Holdings announced the identification of a major flaw
in the use of software-based encryption of credit card numbers: keystroke
capture at the client desktop. Their point is that
if someone has managed to gain control of
your computer to monitor your keystrokes, he can capture your credit card
number and no amount of encryption for transmission will help protect you.
With the interconnectivity of the net and the ease of downloading
a hostile applet, the vulnerability of the desktop computer cannot be
overemphasized, particularly for those new to computer and network
security issues.
However, the hyperbolic press releases on a topic well known to security experts,
combined with the fact that First Virtual
offers electronic commerce through a mechanism without the use of
encryption, have led to a flurry of responses ranging from supportive to
outraged.
As of this writing, the tempest has subsided to the bottom of the virtual teacup
and electronic commerce marches on.
- The Original SSL vs. SHTTP race
- http://www.netsurf.com/nsf/v01/01/nsf.01.01.html#s12
- The SET specification
- http://www.visa.com/cgi-bin/vee/nt/ecomm/set/intro.html?2+0
- RSA's SET Central
- http://www.rsa.com/set/
- The First Virtual press release
- http://www.fv.com/gabletxt/release2_7_96.html (no longer available)
- Select e-mail responses
- http://www.netsurf.com/nsf/v02/02/local/cy_email.html
- Backlash
- http://www.c2.org/nofv/ (no longer available)
FAMOUS LAST WORDS
Chiselled in stone, many many copies
Large scale search sites are invaluable to many netizens.
For example, with the growth of the Net in the past year,
publishing Netsurfer Focus would be too painful
to contemplate without access to sites such as Alta Vista*.
The corollary is that with these high powered spiders,
every utterance on the Net, be it on a web page or a newsgroup,
may be a matter of public record that above all else
can be readily found.
The story of your online life,
whether you are a frequent poster to 'alt.sex.binaries' or
'sci.crypt' (hello, potential employer!),
or your personal web page showing three beautiful children,
a dog named Jimmy, and a house far beyond your $20K a year salary
(hello, IRS!) can be there for all who care to see.
And then there are the large online directories. Coming
hard on the heels of the info-preneurs that have set up directory
sites, the phone companies are rushing online with their
multi-million listing offerings.
Privacy issues become intertwined with physical security because it
has become so easy to identify and physically locate you,
your beliefs and habits, and your computer.
- Resources behind Alta Vista
- http://altavista.digital.com/av/content/about_our_technology.htm
- The Internet Archive Project
- http://quake.think.com
- The Smithsonian's 1996 US presidential election web archive
- http://quake.think.com/smithsonian.html
- Internet e-mail and white pages
- http://www.bigfoot.com
- http://www.four11.com
- NYNEX Interactive Yellow Pages (Big Yellow)
- http://s9.bigyellow.com/
* How quickly those of us who are old enough to have done
research in the library with index cards and books of abstracts
forget! -Ed.
FAMILY JEWELS
Safeguarding the homestead
As computers move into the home, security takes on new dimensions.
Beyond the hard assets of your computer, and the soft assets of your data,
you need to think about protecting your family and especially children.
Bringing access to the cyberworld to your desktop means exactly that, and we
all know there are parts of the world, real or cyber, where you don't want to
take the kids.
A number of companies have sprung up to help you avoid the back alleys and
redlight districts of the Net. Software such as SurfWatch or NetNanny
blocks access to known sites where offensive
material is available, or to any site that you deem inappropriate.
The sites that are blocked vary from package to package. Some include on their
verboten-list not just pornography but web resources about homosexuality,
or feminism, or anything that does not promote "family values". Yet other packages
can log all the surfing activities, enabling Orwellian possibilities right
in your own home. In sum, they are tools that do not excuse us
from our responsibilities to decide what is appropriate in our households.
In addition to the reviewer-based systems, another development that will facilitate
appropriate surfing is some widespread form of labelling or self-labelling.
Just like the "PG", "R", and "X" movie ratings in the US, labelling provides
a more standardized way to assess the content of a web site.
The PICS (Platform for Internet Content Selection) standard is a technical
specification for how to label Net content. It is developed by the World Wide Web
consortium and can be used to implement any rating system.
Currently, there is much industry momentum
behind RSACi, the Recreational Software Advisory
Council Internet rating system. This is an extension of the rating system for computer
games, and has been endorsed by major online
services. Most of the leading blocking products do or will support RSACi.
- PICS definition
- http://www.w3.org/pub/WWW/PICS/
- Recreational Software Advisory Council System
- http://www.rsac.org/homepage.asp
- Comparison of blocking products
- http://www.neosoft.com/parental-control/ntable.html
- Surfwatch screening product
- http://www.surfwatch.com
DIGITAL FLOTSAM
Short takes and follow-ups
Reach out and hack someone
A year ago, an enterprising cryptographer named Hal Finney issued a challenge
to his colleagues to crack the encryption on an SSL (Netscape's
Secure Sockets Layer) transmission. Appropriately for Internet time,
not one, but two independent successes turned up within a month.
This was the start of a series of black-hat tests of net software
by cryptography and security aficionados across the Internet community.
Rooted in the belief that strength of security solutions comes from careful
scrutiny and not obscurity, expert volunteers continue to probe and pummel
away. Ongoing efforts include a series of challenges issued by
Internet service provider Community ConneXion. The reward? The archetypical
programmer's notch - a t-shirt.
- The Crack SSL challenge
- http://www.netsurf.com/nsf/v01/03/local/nscpchal.html
- The Netscape random number generator problem
- http://hplyot.obspm.fr/~dl/netscapesec/cypherp1.txt
- The Community ConneXion challenge series (no longer available)
- Netscape - http://www.c2.org/hacknetscape/
- Microsoft - http://www.c2.org/hackmsoft/
- Java - http://www.c2.org/hackjava/
- Digicash - http://www.c2.org/hackecash
The Tracker Industry
Hacker Shimomura turned tracker when cracker Mitnick reputedly broke into
Shimomura's computer around Christmas, 1994.
Since then, the event has turned into a mini-industry of its own with not
one or two, but three books written about the incident.
A web site was also created to promote "Takedown", Shimomura's book.
This time, however, crackers had the last laugh when they hi-jacked the URL
for the Takedown site by forging a change-of-address e-mail message to address
keepers at the Internet Network Information Center.
We can be assured of future pranks and publicity stunts as the
cameras begin to roll in late 98.
- The "Takedown" Site
- http://www.takedown.com
- The Prank
- http://cgi.sjmercury.com/business/hijac212.htm (no longer available)
International Arms Trafficking
In February, the US State Department announced an
amendment to the International Traffic in Arms Regulation (ITAR) allowing
U.S. persons to temporarily export cryptographic products for personal use
without the need for an export license (aka the 'Matt Blaze exemption').
However, US cryptographers and
their allies continue their campaign for the availability and export of strong
(>40 bit key) cryptography.
The software industry is clearly concerned about their inability to compete
in the international markets with the current export controls.
IBM-Lotus struck a compromise with the government by giving it
exclusive access to 24 bits in the 64 bit key used in Lotus Notes Release 4.
RSA went the other way and located a development center
in Japan. This allows RSA to provide identical encryption technologies outside of the
US without tripping over ITAR.
On the heels of the successful challenge to the Communications Decency
Act, an industry coalition to lobby Washington
is also forming.
- The original arms smuggler
- http://www.netsurf.com/nsf/v01/01/local/courier.html
- Arms smuggler gets a reprieve
- http://206.215.211.222/archive/0068.html
- A way to circumvent ITAR
- http://www.digicrime.com/itar.html
- The Notes compromise and more offers of the same (no longer available)
- http://www.lotus.com/corpcomm/2266.htm
- http://www.sjmercury.com/news/nation/crypt713.htm
- Industry and citizens unite
- http://www.crypto.com
- 6TH USENIX Security Symposium: Focusing on Applications of Cryptography
- http://www.usenix.org/publications/library/proceedings/sec96/
The Lighter Elements
- DigiCrime: Where do you want to break in today?
- http://www.digicrime.com/
- Microsoft Bob helps you with your passwords
- http://catless.ncl.ac.uk/Risks/17.12.html#subj5
- Storming the castle
- ftp://ftp.research.att.com/dist/internet_security/firewall.book/cover.gif
- A portrait of J. Random Hacker
- http://www.comedia.com/hot/jargon_3.0/APPEND_B/APPENDXB.HTML
RECENT FOOTAGE
$426.43
A yardstick of the success of a technology is the linear footage
of books written about it. A recent purchase of 7 books about the
Internet stacked up to 9 inches in height and a price of $426.43 per foot.
Computer security has certainly come into its own on this front.
When we published the first Netsurfer Focus on Network and Computer Security,
there simply weren't that many books out there. Since then,
things have changed for the better. So here is an updated selection
for your consideration.
CONTACT INFORMATION
Netsurfer Focus Home Page:
http://www.netsurf.com/nsf/index.html
Flames, flowers, and flip remarks to: focus@netsurf.com
We appreciate hearing from you even if we do not manage to respond to every message
that is sent to us. We reserve the right to quote you
in future issues of Netsurfer publications or on our website,
so don't say anything you'd regret, OK?
To subscribe to Netsurfer publications:
By WWW form: http://www.netsurf.com/subscribe.html
By e-mail: nsdigest-request@netsurf.com
Body:
subscribe nsdigest-text
subscribe nsdigest-html
CREDITS
Netsurfer Focus
Publisher: S. M. Lieu
Production Manager: Bill Woodcock
Netsurfer Communications, Inc.
President: Arthur Bebak
Vice President: S. M. Lieu
(c) S. M. Lieu. This document may be distributed freely
in electronic form in its entirety and without
modification. All other rights reserved.
NETSURFER DIGEST is a trademark of Netsurfer Communications,
Inc. Other publication, product, and company names may be trademarks
of their companies.
"God is in the details" is a quote from Mies van der Rohe.
"Fire burn, cauldron bubble" from William Shakespeare, Macbeth Act 4 Scene 1.