From root at mikieboy.net Mon Mar 4 23:29:52 2013
From: root at mikieboy.net (Root)
Date: Mon, 4 Mar 2013 23:30:52 +0001 (GMT)
Subject: security policy question
Message-ID:

Hi All,

I am not sending this from my usual account as gmail seems to have hit
various blacklists. Even though the 2 factor auth and MITM detection seems
to be a good thing in a web-mail service. So instead I am probably going to
be giving spamd on this OBSD box a good work out.

I am looking for a bit of advice.
I work for part of the NHS and was recently given a new version of our
security policy to sign.
It contains the usual I will be a good citizen, take care of the data,
not hand out my password or transfer data onto unencrypted memory
sticks/laptops and leave them in taxis etc.

I am generally in favor of these and usually have no problems appending my
signature, but the difference between the old and new policy is the
following:
"I further understand that I am responsible for any transactions carried
out under my personal password and code"

I have no confidence that it wouldn't be trivial for someone to get hold
of my user-name and password by methods which don't involve me being
irresponsible.

Any advice would be very helpful before I make a nuisance of myself.

thanks
mike


From amidgley at gmail.com Tue Mar 5 08:23:57 2013
From: amidgley at gmail.com (Adrian Midgley)
Date: Tue, 5 Mar 2013 08:23:57 +0000
Subject: security policy question
In-Reply-To:
References:
Message-ID:

I agree.


From maxsec at gmail.com Tue Mar 5 11:29:12 2013
From: maxsec at gmail.com (Martin Hepworth)
Date: Tue, 5 Mar 2013 11:29:12 +0000
Subject: security policy question
In-Reply-To:
References:
Message-ID:

I suggest this is trying to make you think twice about sharing passwords
and the like, but it does seem poorly worded and under evidence they'd have
to prove it wasn't you anyway (innocent until proved guilty).

I see your point though, esp if you have quite a powerful account with
access to lots of sensitive data.

--
Martin Hepworth, CISSP
Oxford, UK


On 4 March 2013 23:29, Root wrote:

> Hi All,
>
> I am not sending this from my usual account as gmail seems to have hit
> various blacklists. Even though the 2 factor auth and MITM detection seems
> to be a good thing in a web-mail service. So instead I am probably going to
> be giving spamd on this OBSD box a good work out.
>
> I am looking for a bit of advice.
> I work for part of the NHS and was recently given a new version of our
> security policy to sign.
> It contains the usual I will be a good citizen, take care of the data,
> not hand out my password or transfer data onto unencrypted memory
> sticks/laptops and leave them in taxis etc.
>
> I am generally in favor of these and usually have no problems appending my
> signature, but the difference between the old and new policy is the
> following:
> "I further understand that I am responsible for any transactions carried
> out under my personal password and code"
>
> I have no confidence that it wouldn't be trivial for someone to get hold
> of my user-name and password by methods which don't involve me being
> irresponsible.
>
> Any advice would be very helpful before I make a nuisance of myself.
>
> thanks
> mike
>
>


From david.goodenough at btconnect.com Tue Mar 5 10:24:54 2013
From: david.goodenough at btconnect.com (David Goodenough)
Date: Tue, 5 Mar 2013 10:24:54 +0000
Subject: security policy question
In-Reply-To:
References:
Message-ID: <201303051024.54728.david.goodenough@btconnect.com>

On Monday 04 Mar 2013, Root wrote:
> Hi All,
>
> I am not sending this from my usual account as gmail seems to have hit
> various blacklists. Even though the 2 factor auth and MITM detection seems
> to be a good thing in a web-mail service. So instead I am probably going to
> be giving spamd on this OBSD box a good work out.
>
> I am looking for a bit of advice.
> I work for part of the NHS and was recently given a new version of our
> security policy to sign.
> It contains the usual I will be a good citizen, take care of the data,
> not hand out my password or transfer data onto unencrypted memory
> sticks/laptops and leave them in taxis etc.
>
> I am generally in favor of these and usually have no problems appending my
> signature, but the difference between the old and new policy is the
> following:
> "I further understand that I am responsible for any transactions carried
> out under my personal password and code"

Perhaps you should demand sight of the software that will carry out what
you request. Of course if the NHS used open source software this would
not be a problem....

David

>
> I have no confidence that it wouldn't be trivial for someone to get hold
> of my user-name and password by methods which don't involve me being
> irresponsible.
>
> Any advice would be very helpful before I make a nuisance of myself.
>
> thanks
> mike


From bdm at fenrir.org.uk Tue Mar 5 10:09:14 2013
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Tue, 5 Mar 2013 10:09:14 +0000
Subject: security policy question
In-Reply-To:
References:
Message-ID: <20130305100914.00004fc9@surtees.fenrir.org.uk>

On Mon, 4 Mar 2013 23:30:52 +0001 (GMT)
Root wrote:

> I have no confidence that it wouldn't be trivial for someone to get
> hold of my user-name and password by methods which don't involve me
> being irresponsible.
>
> Any advice would be very helpful before I make a nuisance of myself.

Do you have some sort of access token, such as a smartcard or similar?

I have noticed that our local health centre people all have to insert
their cards into a card reader slot on their keyboards. If this token
must be present to process any transactions then it makes the task of
keeping it out of other people's hands a little easier, in that there is
a physical device to protect rather than virtual authentication tokens
(which will be just your password unless your user name is not related
to your real life identity).

Do you know what else is done to protect your login details? I would
ask about this as without knowing this information it is effectively
impossible for you to be responsible for access to systems you don't
know about and don't control.

--

Brian Morrison


From siraj.shaikh at gmail.com Tue Mar 5 12:40:30 2013
From: siraj.shaikh at gmail.com (Siraj Shaikh)
Date: Tue, 5 Mar 2013 12:40:30 +0000
Subject: security policy question
In-Reply-To:
References:
Message-ID:

Is it worth exploring/clarifying the level of liability incurred by the
employee? Or the split across the institution and the employee? The
allocation of people/resources made available to you depends on this.

Also, are we assuming that this will always be due to an employee? What
happens when a password is compromised due to a direct decision made by
the employer?

A possibly silly question: are there any insurance policies that would
cover people against such work-related liabilities?

Siraj

On 5 Mar 2013 11:29, "Martin Hepworth" wrote:

> I suggest this is trying to make you think twice about sharing passwords
> and the like, but it does seem poorly worded and under evidence they'd have
> to prove it wasn't you anyway (innocent until proved guilty).
>
> I see your point though, esp if you have quite a powerful account with
> access to lots of sensitive data.
>
> --
> Martin Hepworth, CISSP
> Oxford, UK
>
>
> On 4 March 2013 23:29, Root wrote:
>
>> Hi All,
>>
>> I am not sending this from my usual account as gmail seems to have hit
>> various blacklists. Even though the 2 factor auth and MITM detection seems
>> to be a good thing in a web-mail service. So instead I am probably going
>> to be giving spamd on this OBSD box a good work out.
>>
>> I am looking for a bit of advice.
>> I work for part of the NHS and was recently given a new version of our
>> security policy to sign.
>> It contains the usual I will be a good citizen, take care of the data,
>> not hand out my password or transfer data onto unencrypted memory
>> sticks/laptops and leave them in taxis etc.
>>
>> I am generally in favor of these and usually have no problems appending my
>> signature, but the difference between the old and new policy is the
>> following:
>> "I further understand that I am responsible for any transactions carried
>> out under my personal password and code"
>>
>> I have no confidence that it wouldn't be trivial for someone to get hold
>> of my user-name and password by methods which don't involve me being
>> irresponsible.
>>
>> Any advice would be very helpful before I make a nuisance of myself.
>>
>> thanks
>> mike
>>
>>
>


From fjmd1a at gmail.com Tue Mar 5 14:34:17 2013
From: fjmd1a at gmail.com (Francis Davey)
Date: Tue, 5 Mar 2013 14:34:17 +0000
Subject: security policy question
In-Reply-To:
References:
Message-ID:

2013/3/5 Siraj Shaikh

> Is it worth exploring/clarifying the level of liability incurred by the
> employee? Or the split across the institution and the employee? The
> allocation of people/resources made available to you depends on this.
>

In legal terms (i.e. thinking about liability) I am not sure the wording
is strong enough or clear enough to impose an indemnity on the employee.
"I am responsible for..." seems to me to be weaker than "I insure you
against...".

--
Francis Davey
From colinthomson1 at o2.co.uk Tue Mar 5 16:54:30 2013
From: colinthomson1 at o2.co.uk (Tom Thomson)
Date: Tue, 5 Mar 2013 16:54:30 -0000
Subject: security policy question
In-Reply-To:
References:
Message-ID: <2726F1030A5640F6B6BE98F3A5B1A3B2@your41b8d18ede>

I would be inclined to be a nuisance and insist on a change of wording:
for example to something like "carried out under my personal password
and code while that password and code are being used by me or with my
consent."

Tom

-----Original Message-----
From: ukcrypto-bounces at chiark.greenend.org.uk
[mailto:ukcrypto-bounces at chiark.greenend.org.uk] On Behalf Of Root
Sent: 04 March 2013 23:30
To: ukcrypto at chiark.greenend.org.uk
Subject: security policy question

Hi All,

I am not sending this from my usual account as gmail seems to have hit
various blacklists. Even though the 2 factor auth and MITM detection seems
to be a good thing in a web-mail service. So instead I am probably going to
be giving spamd on this OBSD box a good work out.

I am looking for a bit of advice.
I work for part of the NHS and was recently given a new version of our
security policy to sign.
It contains the usual I will be a good citizen, take care of the data,
not hand out my password or transfer data onto unencrypted memory
sticks/laptops and leave them in taxis etc.

I am generally in favor of these and usually have no problems appending my
signature, but the difference between the old and new policy is the
following:
"I further understand that I am responsible for any transactions carried
out under my personal password and code"

I have no confidence that it wouldn't be trivial for someone to get hold
of my user-name and password by methods which don't involve me being
irresponsible.

Any advice would be very helpful before I make a nuisance of myself.

thanks
mike


From prunesquallor at proproco.co.uk Tue Mar 5 17:47:37 2013
From: prunesquallor at proproco.co.uk (John Brazier)
Date: Tue, 5 Mar 2013 17:47:37 -0000
Subject: security policy question
In-Reply-To: <20130305100914.00004fc9@surtees.fenrir.org.uk>
References: <20130305100914.00004fc9@surtees.fenrir.org.uk>
Message-ID: <002d01ce19c9$86729460$9357bd20$@proproco.co.uk>

Brian essentially has it.

It looks to me like someone in "management" has been spending ill-advised
money with Consultants. They've ended up trying to somehow restrict their
liabilities with regard to digital signatures.

Why don't you innocently ask the following questions:

0. What do they mean by transaction (this has a financial implication: an
agreement need not require finance)?

1. Does "personal password and code" mean the equivalent of a digital
signature?

2. If so, to what standard - the FDA or the more than one that's floating
about in Germany?

3. If this is an electronic signature, are they willing to provide a
declaration that their entire system meets 21 CFR Part 11 (FDA: the most
common signature 'standard')?

4. How does the application of a signature work within their systems, how
do they specify a signature manifestation, and is the application of the
signature 21 CFR Part 11 compliant?

... at this point they'll either fire you or back off.

TTFN

JB

>> I have no confidence that it wouldn't be trivial for someone to get
>> hold of my user-name and password by methods which don't involve me
>> being irresponsible.
>>
>> Any advice would be very helpful before I make a nuisance of myself.

Brian Morrison said:

>Do you have some sort of access token, such as a smartcard or similar?
>I have noticed that our local health centre people all have to insert
>their cards into a card reader slot on their keyboards. If this token
>must be present to process any transactions then it makes the task of
>keeping it out of other people's hands a little easier, in that there is
>a physical device to protect rather than virtual authentication tokens
>(which will be just your password unless your user name is not related
>to your real life identity).
>Do you know what else is done to protect your login details? I would
>ask about this as without knowing this information it is effectively
>impossible for you to be responsible for access to systems you don't
>know about and don't control.


From lists at internetpolicyagency.com Tue Mar 5 19:04:45 2013
From: lists at internetpolicyagency.com (Roland Perry)
Date: Tue, 5 Mar 2013 19:04:45 +0000
Subject: security policy question
In-Reply-To: <2726F1030A5640F6B6BE98F3A5B1A3B2@your41b8d18ede>
References: <2726F1030A5640F6B6BE98F3A5B1A3B2@your41b8d18ede>
Message-ID: <00l0f0kNHkNRFACH@perry.co.uk>

In article <2726F1030A5640F6B6BE98F3A5B1A3B2 at your41b8d18ede>, Tom
Thomson writes

>I would be inclined to be a nuisance and insist on a change of wording:
>for example to something like "carried out under my personal password
>and code while that password and code are being used by me or with my
>consent."

But that doesn't cover situations like the OP leaving his password on a
post-it-note. So you'd need to add "... or due to my negligence". Which
excludes those situations where the password is used as a result of
someone else's consent or negligence.

[I think both are possibilities, if the sysadmins for example release the
password as a result of a court order, or if the sysadmin leaves the
password on a post-it-note, and something bad happens later].
--
Roland Perry


From root at mikieboy.net Tue Mar 5 23:57:05 2013
From: root at mikieboy.net (Root)
Date: Tue, 5 Mar 2013 23:57:05 +0000 (GMT)
Subject: security policy question
In-Reply-To: <20130305100914.00004fc9@surtees.fenrir.org.uk>
References: <20130305100914.00004fc9@surtees.fenrir.org.uk>
Message-ID:

On Tue, 5 Mar 2013, Brian Morrison wrote:

> On Mon, 4 Mar 2013 23:30:52 +0001 (GMT)
> Root wrote:
>
> > I have no confidence that it wouldn't be trivial for someone to get
> > hold of my user-name and password by methods which don't involve me
> > being irresponsible.
> >
> > Any advice would be very helpful before I make a nuisance of myself.
>
> Do you have some sort of access token, such as a smartcard or similar?
>
> I have noticed that our local health centre people all have to insert
> their cards into a card reader slot on their keyboards. If this token
> must be present to process any transactions then it makes the task of
> keeping it out of other people's hands a little easier, in that there is
> a physical device to protect rather than virtual authentication tokens
> (which will be just your password unless your user name is not related
> to your real life identity).
>
> Do you know what else is done to protect your login details? I would
> ask about this as without knowing this information it is effectively
> impossible for you to be responsible for access to systems you don't
> know about and don't control.
>
> --
>
> Brian Morrison
>
>

No, there are no smartcards or tokens. My username is my real name and I
have unfettered access to all secondary services health information on
everyone in a very large area.

The reason for the new sec policy signature is because it has been
decreed necessary to give me access to mental health letters from
psychiatrists as well, which are stored on yet another system. (This is
not something that I have asked for.)

Authentication is based on user name and password and there has been no
security testing (or security agenda during the design) of the systems.
One of the major systems providers is unaware of the need for user input
validation at login screens at senior "dev" level.

I see what they are trying to achieve but am also paranoid enough to
wonder if this is an attempt to transfer risk in the same way that the
Scottish Government transferred the risk of not having any security
criteria for centrally-ish commissioned systems to the individual health
boards.

So I guess that I should get my red pen out.

Thank you for all the information. I guess I will be difficult.

mike


From peterhendler at hushmail.com Fri Mar 22 20:08:50 2013
From: peterhendler at hushmail.com (peterhendler at hushmail.com)
Date: Fri, 22 Mar 2013 16:08:50 -0400
Subject: Biggest Fake Conference in Computer Science
Message-ID: <20130322200850.5211310E2C8@smtp.hushmail.com>

Biggest Fake Conference in Computer Science

I graduated from University of Florida (UFL) and am currently running a
computer firm in Florida. I have attended the WORLDCOMP conference (see
http://sites.google.com/site/worlddump1 for details) in 2010. Except for a
few keynote speeches and presentations, the conference was very
disappointing due to a large number of poor quality papers and
cancellation of some sessions. I was instantly suspicious of this
conference.

My friends and I started a study on WORLDCOMP. We submitted a fake paper
to WORLDCOMP 2011 and again (the same paper with a modified title) to
WORLDCOMP 2012. This paper had numerous fundamental mistakes. Sample
statements from that paper include:

(1) Binary logic is fuzzy logic and vice versa
(2) Pascal developed fuzzy logic
(3) Object oriented languages do not exhibit any polymorphism or inheritance
(4) TCP and IP are synonyms and are part of OSI model
(5) Distributed systems deal with only one computer
(6) Laptop is an example for a super computer
(7) Operating system is an example for computer hardware

Also, our paper did not express any conceptual meaning. However, it was
accepted both times without any modifications (and without any reviews)
and we were invited to submit the final paper and a payment of $500+ fee
to present the paper. We decided to use the fee for better purposes than
making Prof. Hamid Arabnia (Chairman of WORLDCOMP) rich. After that, we
received a few reminders from WORLDCOMP to pay the fee but we never
responded.

We MUST say that you should look at the website
http://sites.google.com/site/worlddump1 if you have any thoughts to
submit a paper to WORLDCOMP. DBLP and other indexing agencies have
stopped indexing WORLDCOMP's proceedings since 2011 due to its fakeness.
The status of your WORLDCOMP papers can be changed from "scientific" to
"other" (i.e., junk or non-technical) at any time. See the comments
http://www.mail-archive.com/tccc at lists.cs.columbia.edu/msg05168.html
of a respected researcher on this. Better not to have a paper than having
it in WORLDCOMP and spoil the resume and peace of mind forever!

Our study revealed that WORLDCOMP is a money making business, using the
University of Georgia mask, for Prof. Hamid Arabnia. He is throwing out a
small chunk of that money (around 20 dollars per paper published in
WORLDCOMP's proceedings) to his puppet who publicizes WORLDCOMP and also
defends it at various forums, using fake/anonymous names. The puppet uses
fake names and defames other conferences/people to divert traffic to
WORLDCOMP. That is, the puppet does all his best to get a maximum number
of papers published at WORLDCOMP to get more money into his (and Prof.
Hamid Arabnia's) pockets.

Monte Carlo Resort (the venue of WORLDCOMP until 2012) has refused to
provide the venue for WORLDCOMP'13 because of the fears of their image
being tarnished due to WORLDCOMP's fraudulent activities. WORLDCOMP will
not be held after 2013. The paper submission deadline for WORLDCOMP'13
was March 18 and it is extended to April 6 (it will be extended many
times, as usual) but still there are no committee members, no reviewers,
and there is no conference Chairman. The only contact details available
on WORLDCOMP's website is just an email address!

What bothers us the most is that Prof. Hamid Arabnia never posted an
apology for the damage he has done to the research community. He is
still trying to defend WORLDCOMP. Let us make a direct request to him:
publish all reviews for all the papers (after blocking identifiable
details) since the 2000 conference. Reveal the names and affiliations of
all the reviewers (for each year) and how many papers each reviewer had
reviewed on average. We also request him to look at the Open Challenge
at http://sites.google.com/site/dumpconf

We think that it is our professional obligation to spread this message
to alert the computer science community. Sorry for posting to multiple
lists. Spreading the word is the only way to stop this bogus conference.
Please forward this message to other mailing lists and people.

We are shocked with Prof. Hamid Arabnia and his puppet's activities
http://worldcomp-fake-bogus.blogspot.com

Search Google using the keywords "worldcomp, fake" for additional links.

Sincerely,
Peter


From pwt at iosis.co.uk Tue Mar 26 10:16:20 2013
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Tue, 26 Mar 2013 10:16:20 +0000
Subject: Organisational Standards for Cyber Security: Government's Call for Evidence
Message-ID: <51517574.3040008@iosis.co.uk>

From IAAC via BCS:

Organisational Standards for Cyber Security: Government's Call for Evidence

The government intends to select and endorse an organisational standard
that best meets the requirements for effective cyber risk management.
There are currently various relevant standards and guidance which can be
confusing for organisations, businesses and companies that want to
improve their cyber security. BIS and Cabinet Office are therefore
calling for bodies and groups of organisations to submit their evidence
in support of their preferred cyber security standard. Expressions of
interest are requested before 8 April (as shown on the website). BIS and
Cabinet Office can then rationalise the submissions, i.e. if a number of
bodies want to submit on ISO27001 then we can invite them to get together
and put forward 1 submission between them.

Full details of the call for evidence are at
https://www.gov.uk/government/consultations/cyber-security-organisational-standards-call-for-evidence

** end quote **

Peter Tomlinson


From igb at batten.eu.org Wed Mar 27 08:35:09 2013
From: igb at batten.eu.org (Ian Batten)
Date: Wed, 27 Mar 2013 08:35:09 +0000
Subject: BBC News - Anti-cyber threat centre launched
Message-ID:

http://www.bbc.co.uk/news/uk-21945702

I'm really sceptical about this sort of story. Incredible (in every
sense) claims are made as to the cost of cyber-crime, but there doesn't
seem to be any evidence for it.

Suppose it's true that shadowy gangs are extorting money from British
companies. How are the payments made? Large amounts of cash dropped by
trees? Bogus invoicing for invisible services? Direct transfer to
numbered accounts in opaque offshore banks? Have you tried getting
significant amounts of money out of a company without triggering
attention from your bank (obligated under money-laundering regulations
to report suspicious activity), your auditors (terrified of being the
next Arthur Andersen) and the taxman (for obvious reasons)? It simply
doesn't stand examination that there could be a significant flow of
money out of businesses without it being noticed by someone, and that
someone would have far more incentive to report it than to keep quiet.
We're reduced to the "but everyone is sworn to secrecy and no-one breaks
their oath" stuff of conspiracy theorists to explain how all this money
is disappearing out of the UK economy in a completely frictionless
manner.

Why, for example, hasn't there been a case of a company being accused of
tax fraud (transferring large sums of money offshore) and then turning
out to be, or claiming to be, the victim of extortion? Why has no company
had their accounts queried because of large cash payments? Why aren't
the FSA worrying about this? Cyber-crime gets almost no mention in the
FSA Policy Guide on financial crime [1], and the section on it (section
6.8 on page 20) is all about insider risks.

What about the claim of large off-the-books losses? Well, there's a vague
suggestion of that:

> One major London listed company had incurred revenue losses of £800m as
> a result of cyber attack from a hostile state because of commercial
> disadvantage in contractual negotiations.

Translation: they bid for a contract with a total contract value of £800m
and lost to a foreign company. Well, there's a million and one reasons
why that could happen, starting with your price being too high or your
delivery schedule being too slow, and ending with your salesman
committing some terrible faux-pas over dinner. It's impossible to ascribe
one explanation, but obviously "it was shadowy hackers that lost us the
business" is a very easy excuse for everyone involved.

I don't for a second deny that there is _risk_ associated with
cyber-crime. But the question is, is that risk proportional to the money,
time and emotional capital expended on it? Would the typical company be
better off worrying about putting better locks on its warehouse doors and
making sure they have a decent policy of random searches of cars leaving
the premises? And once we're into a world of "there are shadowy gangs
committing shadowy crimes who have to be paid off in a shadowy way",
isn't a serious risk that financial controllers become party to the IT
function in the business siphoning money off and then disappearing ("we
need to pay this gang in Faraway-istan, or is it Faraway-ia, £1m in cash
or they'll bankrupt us, yes, of course I'm volunteering to deliver the
cash").

ob.ukcrypto: this all smacks of the high days of crypto-wars, in which
government presented "evidence" of arrival of the four horsemen of the
apocalypse in order to justify the controls they wanted to impose.

ian

[1] http://www.fsa.gov.uk/pubs/policy/ps11_15.pdf


From lists at internetpolicyagency.com Wed Mar 27 14:12:53 2013
From: lists at internetpolicyagency.com (Roland Perry)
Date: Wed, 27 Mar 2013 14:12:53 +0000
Subject: BBC News - Anti-cyber threat centre launched
In-Reply-To:
References:
Message-ID:

In article , Ian Batten writes

>What about the claim of large off-the-books losses? Well, there's a
>vague suggestion of that:
>
>One major London listed company had incurred revenue losses of £800m as
>a result of cyber attack from a hostile state because of commercial
>disadvantage in contractual negotiations.
>
>Translation: they bid for a contract with a total contract value of
>£800m and lost to a foreign company. Well, there's a million and one
>reasons why that could happen, starting with your price being too high
>or your delivery schedule being too slow, and ending with your salesman
>committing some terrible faux-pas over dinner. It's impossible to
>ascribe one explanation, but obviously "it was shadowy hackers that
>lost us the business" is a very easy excuse for everyone involved

A hacking scenario could be that competitors got sight of the internal
bid papers and crucially managed to use that to their advantage in the
late stages of the bid.
--
Roland Perry


From igb at batten.eu.org Wed Mar 27 17:06:38 2013
From: igb at batten.eu.org (Ian Batten)
Date: Wed, 27 Mar 2013 17:06:38 +0000
Subject: BBC News - Anti-cyber threat centre launched
In-Reply-To:
References:
Message-ID:

On 27 Mar 2013, at 14:12, Roland Perry wrote:

> In article , Ian Batten writes
>> What about the claim of large off-the-books losses? Well, there's a
>> vague suggestion of that:
>>
>> One major London listed company had incurred revenue losses of £800m
>> as a result of cyber attack from a hostile state because of commercial
>> disadvantage in contractual negotiations.
>>
>> Translation: they bid for a contract with a total contract value of
>> £800m and lost to a foreign company. Well, there's a million and one
>> reasons why that could happen, starting with your price being too high
>> or your delivery schedule being too slow, and ending with your salesman
>> committing some terrible faux-pas over dinner. It's impossible to
>> ascribe one explanation, but obviously "it was shadowy hackers that
>> lost us the business" is a very easy excuse for everyone involved
>
> A hacking scenario could be that competitors got sight of the internal
> bid papers and crucially managed to use that to their advantage in the
> late stages of the bid.

Obviously. But proving that was the only, or even an influential, factor
that caused you to lose the business would be very difficult. They might
not have liked the cut of your jib.

ian


From lists at internetpolicyagency.com Thu Mar 28 07:43:42 2013
From: lists at internetpolicyagency.com (Roland Perry)
Date: Thu, 28 Mar 2013 07:43:42 +0000
Subject: BBC News - Anti-cyber threat centre launched
In-Reply-To:
References:
Message-ID:

In article , Ian Batten writes

>> A hacking scenario could be that competitors got sight of the internal
>> bid papers and crucially managed to use that to their advantage in
>> the late stages of the bid.
>
>Obviously. But proving that was the only, or even an influential,
>factor that caused you to lose the business would be very difficult.
>They might not have liked the cut of your jib.

Large corporate bids are handled by people who can read the signals, and
who often get feedback from the client afterwards. Pipped at the post by
someone who managed to under-bid you at the last minute, while also
suddenly changing their product offer to match yours, would stick out
like a sore thumb.

--
Roland Perry


From richard at highwayman.com Thu Mar 28 11:52:58 2013
From: richard at highwayman.com (Richard Clayton)
Date: Thu, 28 Mar 2013 11:52:58 +0000
Subject: Biggest Fake Conference in Computer Science
In-Reply-To: <20130322200850.5211310E2C8@smtp.hushmail.com>
References: <20130322200850.5211310E2C8@smtp.hushmail.com>
Message-ID: <8HIM3xPa8CVRFABl@highwayman.com>

In article <20130322200850.5211310E2C8 at smtp.hushmail.com>,
peterhendler at hushmail.com writes

>Biggest Fake Conference in Computer Science

another view of the situation:

and, anyway, this conference is generally held to be a market leader:

http://www.iiis-summer13.org/wmsci/website/default.asp?vc=1

ever since they accepted an MIT paper

http://news.bbc.co.uk/1/hi/world/americas/4449651.stm

--
richard                                                   Richard Clayton

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.           Benjamin Franklin


From richard at highwayman.com Thu Mar 28 12:41:03 2013
From: richard at highwayman.com (Richard Clayton)
Date: Thu, 28 Mar 2013 12:41:03 +0000
Subject: BBC News - Anti-cyber threat centre launched
In-Reply-To:
References:
Message-ID:

In article , Ian Batten writes

> http://www.bbc.co.uk/news/uk-21945702
>
> I'm really sceptical about this sort of story. Incredible (in
> every sense) claims are made as to the cost of cyber-crime, but
> there doesn't seem to be any evidence for it.

there is evidence of the cost of cybercrime... but the numbers are small
compared with the billions (or trillion) often put forward:

http://weis2012.econinfosec.org/papers/Anderson_WEIS2012.pdf

our comment on this specific topic, after we'd reviewed the (lack of)
evidence for the cost of cyber-espionage

A third part is the claim that $2.2bn per annum is lost to extortion,
with the comment that 'we believe this type of cybercrime goes largely
unreported'. This is a very old and persistent claim made by security
salesmen. One of us (Anderson) recalls working for a bank a quarter
century ago and hearing it; even when it was truthfully denied, the
salesmen persisted "we know it happens but you're not allowed to tell
anyone" until escorted to the door for impertinence. Extortion does
occasionally happen -- there was a widely reported case in 2004 when DDoS
was used against online casinos and $4m was paid before the gang was
arrested [39] -- but like kidnapping, extortion is a hard crime to get
away with, as money-laundering isn't trivial when the sender of the funds
wishes to track down the recipient and has the active collaboration of
the police.

In sum, because there is no reliable evidence of the extent or cost of
industrial cyber-espionage and extortion, we do not include any figures
for these crimes in our estimates.

[39] John Leyden. Russian bookmaker hackers jailed for eight years.
http://www.theregister.co.uk/2006/10/04/russian_bookmaker_hackers_jailed/,
2006.

--
richard                                                   Richard Clayton

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.           Benjamin Franklin


From tharg at gmx.net Thu Mar 28 12:43:21 2013
From: tharg at gmx.net (Caspar Bowden (travelling))
Date: Thu, 28 Mar 2013 12:43:21 +0000
Subject: Biggest Fake Conference in Computer Science
In-Reply-To: <8HIM3xPa8CVRFABl@highwayman.com>
References: <20130322200850.5211310E2C8@smtp.hushmail.com> <8HIM3xPa8CVRFABl@highwayman.com>
Message-ID: <51543AE9.1010507@gmx.net>

On 28/03/13 11:52, Richard Clayton wrote:
> ever since they accepted an MIT paper
> http://news.bbc.co.uk/1/hi/world/americas/4449651.stm

I have read worse-drafted abstracts for (very bad indeed) privacy
conferences, but if one squints really hard between the lines one can
_almost_ make sense of what the abstract might be trying to say.
Comp.sci as Rorschach blot.

CB

http://www.pdos.lcs.mit.edu/scigen/rooter.pdf

ABSTRACT

Many physicists would agree that, had it not been for congestion
control, the evaluation of web browsers might never have occurred. In
fact, few hackers worldwide would disagree with the essential
unification of voice-over-IP and public-private key pair. In order to
solve this riddle, we confirm that SMPs can be made stochastic,
cacheable, and interposable.
URL: From richard at highwayman.com Sat Mar 30 11:29:17 2013 From: richard at highwayman.com (Richard Clayton) Date: Sat, 30 Mar 2013 11:29:17 +0000 Subject: Biggest Fake Conference in Computer Science In-Reply-To: <51543AE9.1010507@gmx.net> References: <20130322200850.5211310E2C8@smtp.hushmail.com> <8HIM3xPa8CVRFABl@highwayman.com> <51543AE9.1010507@gmx.net> Message-ID: <5ddthcfNysVRFAgq@highwayman.com> In article <51543AE9.1010507 at gmx.net>, Caspar Bowden (travelling) writes > On 28/03/13 11:52, Richard Clayton wrote: >> ever since they accepted an MIT paper >> http://news.bbc.co.uk/1/hi/world/americas/4449651.stm > > I have read worse-drafted abstracts for (very bad indeed) privacy > conferences, but if one squints really hard between the lines one > can almost make sense of what the abstract might be trying to say. if you want a clearer submission, but not one that was accepted, then Mazieres & Kohler might be preferable (for adult audiences only) http://www.scs.stanford.edu/~dm/home/papers/remove.pdf -- richard Richard Clayton They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. Benjamin Franklin -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 185 bytes Desc: not available URL: From tharg at gmx.net Sat Mar 30 13:04:59 2013 From: tharg at gmx.net (Caspar Bowden (travelling)) Date: Sat, 30 Mar 2013 13:04:59 +0000 Subject: Biggest Fake Conference in Computer Science In-Reply-To: <5ddthcfNysVRFAgq@highwayman.com> References: <20130322200850.5211310E2C8@smtp.hushmail.com> <8HIM3xPa8CVRFABl@highwayman.com> <51543AE9.1010507@gmx.net> <5ddthcfNysVRFAgq@highwayman.com> Message-ID: <5156E2FB.1020608@gmx.net> On 30/03/13 11:29, Richard Clayton wrote: > if you want a clearer submission, but not one that was accepted, then > Mazieres & Kohler might be preferable (for adult audiences only) > > http://www.scs.stanford.edu/~dm/home/papers/remove.pdf I am indebted. It's Fig.1 and esp. Fig.2 that really makes this a deathless contribution to the literature C