I fixed the security issues by copying the code from ACS 3.4.10. This enables ad_sign and the like. I was careful not to break anything, but if you detect anything unusual, tell me so.
Furthermore I added the table secure_tokens to /packages/acs-core/security.sql. So, if you get the latest checkout from CVS make sure you create this table.