
Archive: October 2002 ml@sikurezza.org
Subject: miscellaneous from slashdot and snn
From: Igor Falcomata'
Date: 4 Oct 2002 11:31:27 -0000

some scattered news, if you're interested.

-- slashdot [http://www.slashdot.org]

Questioning Security Certifications
Security - Posted by michael on Thursday October 03, @09:58AM
from the sheepskin dept.

prostoalex writes "BusinessWeek questions the validity of security certifications[1] in the modern world. They take a look at Federal Information Processing Standard and the certification process. Apparently 'the testing companies make money by certifying products, not catching problems' thus implying that the seal of approval might not mean a whole lot."

http://slashdot.org/articles/02/10/03/1255238.shtml?tid=172
[1] http://sg.biz.yahoo.com/021001/68/33c8a.html

Survey On Security Investment Trends
Security - Posted by Hemos on Thursday October 03, @03:18AM
from the how-does-it-work-and-measure-it dept.

whoisjoe writes "Information Security Magazine[1] has an interesting article[2] (although it's in PDF) on the trends and effects of security spending by organizations. Basically, organizations tend to spend less per machine as they grow, and the effectiveness of their investment tends to depend more on the share of the IT budget than the absolute amount."

http://slashdot.org/articles/02/10/03/0127250.shtml?tid=93
[1] http://www.infosecuritymag.com/
[2] http://www.infosecuritymag.com/2002/sep/2002survey.pdf

Web Hacking: Attacks and Defense
Security - Posted by timothy on Wednesday October 02, @11:00AM
from the attack-of-the-bullet-points dept.

zenomorph writes: "I first heard of this book on amazon.com on a Monday morning, and read the reviews of people who had purchased this book. I noticed that no person in the web security community had commented on it, either on Amazon or anywhere else (with the exception of two brief comments on the back of the book, of which one was written by the person who wrote the book's foreword). So I decided to pick it up on Friday after I left work and see what it had to offer. After picking up the book I noticed it was co-authored by three people who all work for Foundstone, a very large security company that deals with everything (including web security). This review will cover some of the topics covered in this book, along with things that could or should have been covered in greater detail." Read on for the rest of zenomorph's review.

http://books.slashdot.org/article.pl?sid=02/09/22/197246&mode=thread&tid=172

-- SNN [http://www.atstake.com/security_news/]

FIPS: Foray Into Product Security
contributed by scarielli (Oct 1, 2002 3:28 pm EST)

According to an article published in Business Week, FIPS certification is becoming more and more popular. The FIPS 140 Level 2 standard details a rigorous set of rules surrounding encryption design and implementation. While FIPS certification is required for those looking to sell their products to the federal government, some companies are now viewing FIPS certification as a marketing tool, another way to tout the security of their products.

FIPS certification has its place, as long as potential developers and buyers of FIPS certified products understand what they are and aren't getting. By now, it's almost redundant to point out that many security vulnerabilities discovered or exploited in the past few years have had nothing to do with cryptography. FIPS certification won't make a product attack-proof, but it does provide a certain level of assurance in the cryptography. This does provide some value; while less frequent than in the past, many of us still see products with poor cryptographic implementations.

Hopefully, any run towards FIPS certification will not lead people to confuse "cryptographically sound" with "secure." The level of scrutiny required for FIPS certification likely assures strong cryptography; if other security components are reviewed with the same depth, that would be a welcome trend.

Business Week: Can Software Security Be Certified?
http://www.businessweek.com/technology/content/oct2002/tc2002101_6896.htm

-- slashdot [http://www.slashdot.org]

(old stuff, but Google's news service is nice)

Ultrasecure Quantum Communications Over Thin Air
Encryption - Posted by timothy on Thursday October 03, @06:50AM
from the and-that-is-really-thin-air dept.

SlashDotIDOne writes "Well, given a hundred years at university and a few extra titles to my name, I'd be comfortable trying to summarize the article[1] so don't take what I say at face value. Apparently British and German researchers have found a way to use quantum crypto through the air, thus allowing it to be used to communicate with satellites, etc. A very secure form since you know whether a message was intercepted, rather hard to tamper with ;). Courtesy India times and Google's new news service.[2]"

http://slashdot.org/articles/02/10/03/0127250.shtml?tid=93
[1] http://timesofindia.indiatimes.com/cms.dll/articleshow?art_id=23998757
[2] http://news.google.com/news?num=30&hl=en&ie=UTF-8&filter=0&q=cluster:www%2ereuters%2ecom%2fnews%5farticle%2ejhtml%3ftype%3dtopnews%26StoryID%3d1526914

-- ddn [http://daily.daemonnews.org/]

GDOI group keying protocol for Linux, OpenBSD
* BSDForums.org 02 October 2002
Submitted By : Dan

Group Domain of Interpretation (GDOI) Group Keying provides a means for a group of users or devices to share cryptographic keys, get efficient key updates, and efficiently remove group members.

http://www.bsdforums.org/forums/showthread.php?threadid=3451

New NATD for FreeBSD now available
* BSDForums.org 30 September 2002
Submitted By : Dan

The existing natd functionality is pretty powerful in translating different kinds of traffic but not very powerful with its configuration issues. According to project contacts Andre Opperman and Claudio Jeker, this project rewrites natd and parts of libalias to give it a configuration set as powerful and expressive as the ones in ipf (ipnat) and pf. In addition, it'll use kqueue and will support aliasing to multiple IP addresses.

http://www.bsdforums.org/forums/showthread.php?threadid=3424

bye
Koba (moderator)

--
Igor Falcomata'
IT Security Manager & Consultant
Infosec srl - http://www.infosec.it
Network Security and Data Defense
--
free advertising: www.sikurezza.org - Italian Security Mailing List
________________________________________________________
http://www.sikurezza.org - Italian Security Mailing List
www.sikurezza.org - Italian Security Mailing List
(c) 1999-2005