RISKS Forum mailing list archives
Risks Digest 27.42
From: RISKS List Owner <risko () csl sri com>
Date: Sun, 18 Aug 2013 15:28:40 PDT
RISKS-LIST: Risks-Forum Digest  Sunday 18 August 2013  Volume 27 : Issue 42
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.42.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Lamp-post lamp-oon (Gary Hinson)
Online search for pressure cooker leads to police visit (Peter Houppermans)
Four people can cut off a whole city from the railways: Getting sick
  (Lothar Kimmeringer)
ReKords of the Keystone Kops (Richard A. O'Keefe)
You can't make up the solution (Jeremy Epstein)
Boston Public Schools lose flash drive with data on 21,000 students
  (Jonathan Kamens)
Don't charge to see the last few lines of an obituary (jidanni)
Researchers reveal how to hack an iPhone in 60 seconds
  (Violet Blue via Monty Solomon)
Android one-click Google authentication method puts users, businesses at risk
  (Lucian Constantin via Monty Solomon)
Wolf in sheep's clothing at Black Hat: Getting pwn'd by innocent looking
  devices (Darlene Storm via Monty Solomon)
"The devil is in the subscription-licensing details"
  (Robert L. Mitchell via Gene Wirchenko)
"Outsourced software project with 6,000 pages of specs ends badly"
  (Patrick Thibodeau via Gene Wirchenko)
"What's worse than a system failure? What you say about it"
  (Matt Prigge via Gene Wirchenko)
"Dangerous Linux Trojan could be sign of things to come"
  (Jon Gold via Gene Wirchenko)
"Anonymous is not anonymous" (Roger A. Grimes via Gene Wirchenko)
"AARP website hacked" (Woody Leonhard via Gene Wirchenko)
"Video: Watch what happens when a Prius gets hacked"
  (Pete Babb via Gene Wirchenko)
Re: Xerox scanners/photocopiers randomly alter numbers (T Byfield)
Re: The Public/Private Surveillance Partnership (Kelly Bert Manning)
Re: DC, Maryland: Speed Camera Firms Move To Hide Evidence (Danny Burstein)
Re: Download manager takes Web site down (Chris Adams)
Re: How a Misplaced Reef on a Digital Chart Destroyed a Minesweeper
  (Jeffrey Alexander)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 1 Aug 2013 09:41:12 +1200
From: "Gary Hinson" <Gary () isect com>
Subject: Lamp-post lamp-oon

"An electricity company is apologising after it sent a letter to a lamp-post and threatened to cut its power off. Meridian Energy apparently believed someone was living in the pole."
<http://www.stuff.co.nz/oddstuff/8988229/Meridian-finally-sees-the-light>

Asked who might be occupying the light, Clive Saleman (the neighbour who received the letter) said "Well he'd have to be very tall and skinny. I suspect he sleeps all day because the light's on all night. So maybe he's a night owl. I have a suspicion he could be a being of pure energy actually, and not actually human, but I'm just not sure. But, whatever, he's not paying his power bill."

Risk: being lampooned for a data integrity failure.

Dr Gary Hinson, IsecT CEO  isect.com  http://www.iso27001security.com/
NoticeBored.com  SecurityMetametrics.com  ISO27001security.com

------------------------------

Date: Thu, 01 Aug 2013 19:52:22 +0200
From: Peter Houppermans <ph () privacyclub ch>
Subject: Online search for pressure cooker leads to police visit

Honestly, this raises such a massive amount of questions, I don't quite know where to begin..
  A New York woman says her family's interest in the purchase of pressure cookers and backpacks led to a home visit by six police investigators demanding information about her job, her husband's ancestry and the preparation of quinoa.

  Michele Catalano, who lives in Long Island, New York, said her web searches for pressure cookers, her husband's hunt for backpacks, and her `news junkie' son's craving for information on the Boston bombings had combined somewhere in the Internet ether to create a `perfect storm of terrorism profiling'.

Anyone any recipes?

Peter Houppermans  /Others take your privacy - we give it back to you/

------------------------------

Date: Thu, 08 Aug 2013 21:26:52 +0200
From: Lothar Kimmeringer <lothar () kimmeringer de>
Subject: Four people can cut off a whole city from the railways: Getting sick

Not terrorists but a group of four people that work at the railway control center being responsible for the railway network in and around Mainz were the reason why trains weren't able to get to Mainz anymore. It's vacation time and four of the remaining people had to call in sick today leaving DB Die Bahn with not enough people who are capable of operating the system. This situation will last for a couple of days at least and might take up until the end of August. Next week school season will start again, so the biggest chaos is still to come if not enough qualified people are back on duty.

Risk here: Having a mission critical system with a single point of failure: People that can become sick at the same time, which can happen quite easily if all of them are working in the same room.

------------------------------

Date: Fri, 9 Aug 2013 19:51:48 +1200
From: "Richard A. O'Keefe" <ok () cs otago ac nz>
Subject: ReKords of the Keystone Kops

I mentioned recently that New Zealand is trying to modernise its justice system. Part of that is introducing a system of Audio-Visual links between prisons and courts in order to improve safety and reduce costs by having prisoners stay in prison and make their appearance in court electronically. The new system is already being rolled out.

Of course, in order to know how much the new system is saving, you need to know how much the old system was costing. They don't.

From the *Otago Daily Times* front page, 29 Jul 2013, the Police and prison system
 * do not know how much they spent transporting prisoners between the new jail and courts since the new jail opened in 2007;
 * do not know how much it cost last year;
 * do not know what the annual budget for transport is/was.

The newspaper was told that "the [prison] department cannot readily extract ... the costs or budgets relating to the transportation of prisoners ... from our electronic records ... of wider offender transportation costs. ... we would be required to manually review a large number of files"

They don't know what it costs now, but they are quite certain there will be 50% to 70% savings (however much that is...)

The computer-related part of this is that in an age of manual records, regional information would be kept locally, and only summaries aggregated nationally. Now, the details can be kept nationally, making regional summaries extremely difficult to extract. Of course, it's always possible that their data base _does_ support ad hoc queries, and they are just lying (:-).

------------------------------

Date: Fri, 9 Aug 2013 21:59:44 -0400
From: Jeremy Epstein <jeremy.j.epstein () gmail com>
Subject: You can't make up the solution

In an earlier, simpler day, notes between a publisher and reviewers and the public took a while, and there was plenty of time for proofreading. Not so today, with the increasing speed of publishing, which the publishers of Organometallics discovered the hard way. A note suggesting that data could be fabricated to fill in a gap appeared in an online version of an article.

The RISK is simply that there are more mistakes possible as we speed up the publication process - both the mistakes from pressure to publish quickly, and the mistakes of not checking what you're releasing before you do the release.
(NSA learned this lesson some years ago in Word documents, and more recently with redaction of PDF documents - although this case is at a higher level of the "stack", it's a variation of the problem that with all electronic documents, it's sometimes hard to see what's being released.)

http://sciencecareers.sciencemag.org/career_magazine/previous_issues/articles/2013_08_08/caredit.a1300167

------------------------------

Date: Tue, 13 Aug 2013 11:15:32 -0400
From: Jonathan Kamens <jik () kamens us>
Subject: Boston Public Schools lose flash drive with data on 21,000 students

A flash drive containing Boston Public Schools ID badge PDFs was lost en route to the printing vendor. The PDFs contain student name, age, grade, school, ID number, library card number, CharlieCard number, and (in some) photo. The drive was apparently not encrypted. BPS thinks the drive was lost, not stolen, but can't be sure.

BPS is redesigning the cards and changing the ID numbers that can be changed to minimize the likelihood of harm from the breach.

The drive was lost on Aug 9, and BPS families were notified just three days later, on Aug 12. The notification was clear and detailed. As far as I can tell, BPS's handling of the breach has been perfect.

Having said that, the big remaining question is why the flash drive wasn't encrypted. I've emailed Superintendent John McDonough and asked him that question, as well as encouraging him to ensure that flash drives en route to vendors are encrypted as a matter of policy in the future.

Although the flash drive had no confidential information on it, as the parent of a BPS parent whose data was lost, I am still concerned, because the information on the drive can be used in social engineering attacks, not to mention that names, ages, schools, grades, and photos are just the kind of information a pedophile would need to pick out attractive targets.

Details: http://www.boston.com/yourtown/news/allston_brighton/2013/08/boston_public_schools_vendor_loses_flash_drive_with_data_on.html

------------------------------

Date: Fri, 16 Aug 2013 12:06:19 +0800
From: jidanni () jidanni org
Subject: Don't charge to see the last few lines of an obituary

[Sent to American Chemical Society:]

Your Society should really consider the public relations value of not charging users to see the last few lines of an obituary.

I'm sure your members would have never dreamed when they were alive that half of it would be in Google and could be shared publicly. But when 80 years later someone wanted to see those last few lines, out comes the collection plate.

And if I link to http://pubs.acs.org/doi/abs/10.1021/cen-v010n006.p073b from my http://jidanni.org/me/ancestors.html all I would be doing is creating more dismayed relatives.

So thanks for sending it to me so I now finally see what it says, but I still cannot legally share it in its full form.

------------------------------

Date: Mon, 5 Aug 2013 01:42:46 -0400
From: Monty Solomon <monty () roscom com>
Subject: Researchers reveal how to hack an iPhone in 60 seconds (Violet Blue)

Violet Blue for Zero Day, 31 Jul 2013

Summary: Three Georgia Tech hackers have disclosed how to hack iPhones and iPads with malware in under sixty seconds using a "malicious charger." UPDATED.

Three Georgia Tech hackers have revealed how to hack iPhones and iPads with malware imitating ordinary apps in under sixty seconds using a "malicious charger."

Today at a Black Hat USA 2013 press conference, the researchers revealed for the first time exactly how the USB charger they built can compromise iOS devices in less than a minute.

Billy Lau, Yeongjin Jang and Chengyu Song showed how they made an ordinary looking charger into a malicious vector for transmitting malware using an open source BeagleBoard, available for $125 (similar to a Raspberry Pi).

For the demonstration, the researchers used an iPhone.
They plugged in the phone, and when the passcode was entered, the sign-code attack began. For the demo, the Facebook app was used as an example. Within seconds of plugging in the charger, the Facebook app was invisibly removed from the device and seamlessly replaced with a Facebook app imitation with a malicious payload. The app's icon was in the exact same spot as it was before the attack - there is no way of knowing the application is not malware. ...

http://www.zdnet.com/researchers-reveal-how-to-hack-an-iphone-in-60-seconds-7000018822/

------------------------------

Date: Mon, 5 Aug 2013 01:39:04 -0400
From: Monty Solomon <monty () roscom com>
Subject: Android one-click Google authentication method puts users, businesses at risk (Lucian Constantin)

Lucian Constantin, PCWorld, 4 Aug 2013

A feature that allows Android users to authenticate themselves on Google websites without having to enter their account password can be abused by rogue apps to give attackers access to Google accounts, a security researcher showed Saturday at the Defcon security conference in Las Vegas.

The feature is called "weblogin" and works by generating a unique token that can be used to directly authenticate users on Google websites using the accounts they have already configured on their devices.

Weblogin provides a better user experience but can potentially compromise the privacy and security of personal Google accounts, as well as Google Apps accounts used by businesses, Craig Young, a researcher at security firm Tripwire, said during his talk.

Young created a proof-of-concept rogue app that can steal weblogin tokens and send them back to an attacker who can then use them in a Web browser to impersonate a victim on Google Apps, Gmail, Drive, Calendar, Voice and other Google services.

The app was designed to masquerade as a stock viewing app for Google Finance and was published on Google Play, with a description that clearly indicated it was malicious and shouldn't be installed by users. ...

http://www.pcworld.com/article/2045903/android-oneclick-google-authentication-method-puts-users-businesses-at-risk.html

------------------------------

Date: Mon, 5 Aug 2013 01:49:33 -0400
From: Monty Solomon <monty () roscom com>
Subject: Wolf in sheep's clothing at Black Hat: Getting pwn'd by innocent looking devices (Darlene Storm)

Darlene Storm, 1 Aug 2013

A trio of researchers presented "Mactans: Injecting Malware into iOS Devices via Malicious Chargers" at Black Hat, demonstrating how an "iOS device can be compromised within one minute" after plugging into a maliciously crafted charger. Until Apple patches the vulnerability that allows the exploit, all iPhone or iPad users are vulnerable as the device does not need to be jailbroken for the attack to work. It takes advantage of an iOS flaw that allows pairing without any notification to the user.

Their proof-of-concept charger, dubbed Mactans, was built using a $45 BeagleBoard. As soon as an iOS device is plugged in, the fake charger instantly captures the Unique Device Identifier (UDID). Then it connects to Apple's developer support website and submits that UDID for a "provisioning profile." The charger installs code and the attacker now has full control of the device. GTISC associate director Paul Royal said, "Getting the UDID is trivial, and getting a provisioning profile is easy and automated."

In one demonstration of what an attacker could do remotely, the researchers plugged an iPhone 5 into the charger, hid the iPhone Facebook app and installed a malicious copy over it that launched before the legitimate "hidden" copy.
The Mactans' malicious payload could be about anything, from allowing "a remote attacker to make an unauthorized phone call from the iOS device" to taking "a screenshot whenever the user enters a password or other sensitive information." Basically it turns an iOS device into a spy tool. ...

http://blogs.computerworld.com/cybercrime-and-hacking/22579/wolf-sheeps-clothing-black-hat-getting-pwnd-innocent-looking-devices

------------------------------

Date: Thu, 15 Aug 2013 13:00:32 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "The devil is in the subscription-licensing details" (Robert L. Mitchell)

Robert L. Mitchell | Computerworld, 13 Aug 2013
The transition to cloud-based services is ratcheting up traditional enterprise software costs and adding layers of complexity

------------------------------

Date: Fri, 16 Aug 2013 10:24:02 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "More Android malware distributed through mobile ad networks" (Lucian Constantin)

http://www.infoworld.com/d/mobile-technology/more-android-malware-distributed-through-mobile-ad-networks-224815
Lucian Constantin | IDG News Service, InfoWorld, 13 Aug 2013
Security researchers from Palo Alto Networks found Android apps downloading malware from rogue mobile ad networks

------------------------------

Date: Thu, 15 Aug 2013 12:47:58 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Outsourced software project with 6,000 pages of specs ends badly" (Patrick Thibodeau)

http://www.infoworld.com/t/outsourcing/outsourced-software-project-6000-pages-of-specs-ends-badly-224777
Patrick Thibodeau | Computerworld, 13 Aug 2013
Orange County files lawsuit to recover damages from offshore firm Tata in tax system rewrite

------------------------------

Date: Thu, 15 Aug 2013 12:43:18 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "What's worse than a system failure? What you say about it" (Matt Prigge)

http://www.infoworld.com/d/data-explosion/whats-worse-system-failure-what-you-say-about-it-224751
Matt Prigge, Infoworld, 13 Aug 2013
Communicating well in emergencies is often just as important as working to end the emergency

------------------------------

Date: Thu, 15 Aug 2013 12:29:36 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Dangerous Linux Trojan could be sign of things to come" (Jon Gold)

http://www.infoworld.com/d/security/dangerous-linux-trojan-could-be-sign-of-things-come-224649
Jon Gold | Network World, 12 Aug 2013
'Hand of Thief' Trojan specifically targets Linux but operates a lot like similar malware that targets Windows machines

------------------------------

Date: Thu, 15 Aug 2013 12:25:39 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Anonymous is not anonymous" (Roger A. Grimes)

http://www.infoworld.com/d/security/anonymous-not-anonymous-224783
Roger A. Grimes | InfoWorld, 13 Aug 2013
At this point, most of us would welcome shelter from the gaze of government cyber spies. Here are six reasons why that may be unattainable

------------------------------

Date: Wed, 14 Aug 2013 12:49:01 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "AARP website hacked" (Woody Leonhard)

Woody Leonhard | InfoWorld
Now would be a good time to change your passwords

------------------------------

Date: Wed, 14 Aug 2013 12:46:22 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Video: Watch what happens when a Prius gets hacked" (Pete Babb)

http://www.infoworld.com/t/hacking/video-watch-what-happens-when-prius-gets-hacked-224270
Pete Babb | InfoWorld, 07 Aug 2013
Security engineers take over the various computerized systems of a Toyota hybrid and wirelessly control it

------------------------------

Date: Sun, 18 Aug 2013 09:54:01 -0400
From: t byfield <tbyfield () panix com>
Subject: Re: Xerox scanners/photocopiers randomly alter numbers (RISKS-27.41)

Glynn Clements <glynn () gclements plus com> wrote:
  Any scanner has limits to its accuracy, and any form of lossy compression has some loss. But unlike e.g. JPEG, where the artifacts are often clearly visible, there is no indication of the degree of uncertainty involved.

Therein lies the real innovation: arbitrary textual variations that can't be detected by the human eye. This kind of technique can and, I expect, will be used to serialize documents by introducing subtle variations into each instance of them -- to trace leaks, for example.

  From a legal perspective, the mere fact that such scanners exist brings into question the authenticity of any document unless its entire history is known.

One way to establish that provenance is to ensure that each instance of a document is unique -- by serializing it!

------------------------------

Date: Sun, 18 Aug 2013 12:55:09 -0400 (EDT)
From: bo774 () freenet carleton ca (Kelly Bert Manning)
Subject: Re: The Public/Private Surveillance Partnership (RISKS-27.41)

I carry a cell phone only when my employer pays for it, and pays me to carry it. The battery in the work phone lasts longer with GPS and Bluetooth turned off. The GPS is supposed to activate automatically if I press 911. GPS is a real time compute intensive application. In other words a battery drainer for mobile devices.

Walking around, or commuting by transit I often feel that I am in the middle of some science fiction story, surrounded by people largely oblivious to what is going on around them, eyes focused on a display screen and their hearing blocked by ear buds or by a phone held to their head. Pedestrians often seem oblivious to traffic or sidewalk hazards while they focus on a display or a conversation.

RAND Emeritus Willis H. Ware, an ACM and IEEE Fellow, who chaired the committee which wrote the "Records, Computers, and the Rights of Citizens" HEW report, might have an interesting perspective on radio location, identification and tracking. I have read that during the 2nd World War Dr. Ware did classified work on advanced Radio Location and Identify Friend or Foe transponders.

I am old enough to remember politicians making a big deal of the fact that citizens don't have to carry Internal Passports with them at all times, even within the same city, unlike folks in Moscow. Seemed like a killer argument to me at the time.

Now you can't get on an intercity bus without identifying yourself. If you drive a private car, it may have built in GPS. Your license plate may be scanned as you leave town, drive along the highway, or enter a new town. We saw that used by police in Boston earlier this year, in combination with phone location tracking.

How times have changed.

www.worldcat.org/title/records-computers-and-the-rights-of-citizens/oclc/251870191/editions?referer=di&editionsView=true

------------------------------

Date: Sun, 18 Aug 2013 10:31:15 -0400 (EDT)
From: Danny Burstein <dannyb () panix com>
Subject: Re: DC, Maryland: Speed Camera Firms Move To Hide Evidence (R-27.41)
  "The District has also recently been installing next-generation speed cameras that use infrared light instead of a visible flash when photographing vehicles. This means drivers will have no way of knowing whether they will receive a ticket until weeks after the alleged violation."

About 30 years ago (where does the time go?) I read a snippet in New Scientist that their Spy Folk accidentally released some of their super duper sekrit tech tricks. Per the article, the Brits had patented a "near infrared" [a] flash unit assembly for their spooks that hooked into a surveillance camera, letting them take nighttime photographs of the license plates of the folk they were watching without warning them.

So... unless the folk on this side of the pond are paying royalties, they might get hit with Patent Trolls!

I was heavily into photography back then and had my very own Wratten 87C (infrared) filters for my lights, was using Kodak's B&W and colour IR recording film, had the books, etc.

[a] "near infrared" is the part of the spectrum just beyond standard and visible red light. It looks... black to the human eye since we can't see that far up the scale. "Far infrared" (or usually, just "infrared" by itself) refers to heat. I'm highly doubtful consumer level speed cameras are using temperature readings for license plate number catching, and doubt it would even work.

------------------------------

Date: Sat, 3 Aug 2013 13:41:31 -0400
From: Chris Adams <chris () improbable org>
Subject: Re: Download manager takes Web site down (Kuenning, RISKS-27.40)
  RISK: The TCP/IP specification is extensive and explicit, but doesn't address simultaneous connections from the same client. ...

I'm not sure this can really be blamed on TCP/IP: in the specific example above, the HTTP specification both recommends a connection limit (2, although common convention has adjusted up to 6 over the last few years) and does offer the convention of quickly returning HTTP 503 errors when the server is over capacity.

The problem, however, is that this is neither effective nor desirable in practice because by now it's quite rare for the hard limit to actually be the number of simultaneous connections rather than the total bandwidth available -- it's quite easy to end up with, say, a hundred slow connections using as much bandwidth as one connection from someone with a gigabit link and modern web servers can easily handle many tens of thousands of simultaneous connections. Total capacity is also affected by traffic using protocols other than HTTP, or even TCP, so effective flow control has to happen at a lower level: there's an existing standard called ECN (http://en.wikipedia.org/wiki/Explicit_Congestion_Notification), which provides a mechanism for a router to inform clients that the upstream path is congested. This problem is also more crudely but effectively solved on the client by adjusting the connection count and speed based on measured performance and error rates.

Unfortunately, as the example illustrates there's no way to handle this situation nicely when faced with clients which are buggy and do not follow either standards or accepted best practices. As described above, IDM obviously does not follow standard HTTP conventions, honor ECN, or even throttle or retry failed attempts (a ridiculous lapse for a download manager). There's simply no way to handle that kind of badly broken client without deploying some sort of fair-queuing system on either your servers or, better, the upstream router to avoid clogging the pipe with likely-doomed packets. A good queuing system, possibly combined with a robust fronting cache like Varnish, would also tend to keep the connections from timing out even when they become quite slow by ensuring that each connection doesn't go too long without receiving at least a few bytes.

Chris

P.S. As an aside, http://iotta.snia.org/ does not appear to support HTTP byte ranges, which more intelligent clients can use to resume partial transfers. While this obviously can't help with broken clients I have found this quite effective for retrieving files over unstable links as something wget or curl can repeatedly retry as needed until they've retrieved every chunk of the file.

------------------------------

Date: Fri, 9 Aug 2013 06:11:57 +0000
From: Jeffrey Alexander <jeffrey.alexander () sri com>
Subject: Re: How a Misplaced Reef on a Digital Chart Destroyed a Minesweeper (Saffo, RISKS-27.13)

  [Jeff missed Paul Saffo's earlier posting in RISKS-27.13, Jan 2013, having sent in an incremental item. He then responded to my response.]

Perhaps of greater interest is the link to the site with the official report on the incident, completed in May 2013:
http://www.cpf.navy.mil/foia/reading-room/

Jeffrey Alexander, Assoc.Dir. Research & Analytics, Center for Science, Technology & Economic Development, SRI Arlington VA  http://csted.sri.com

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you.
   The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
   Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to
     risks-request () csl sri com
   containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either
     risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
   depending on which action is to be taken.
   Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
   *** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
   *** NOTE: Including the string "notsp" at the beginning or end of the subject
   *** line will be very helpful in separating real contributions from spam.
   *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
   or ftp://ftp.sri.com/VL/risks for previous VoLume
   http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
   <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   <http://www.csl.sri.com/illustrative.html> for browsing,
   <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
   is no longer maintained up-to-date except for recent election problems.
   *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.42
************************
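An added example, not part of the digest or of any contributor's text, illustrating the HTTP conventions Chris Adams describes in his reply above (a per-client connection cap, 503 with Retry-After when the server is over capacity, and byte-range resume instead of restarting a transfer). It assumes a constructed in-process server on loopback that serves a made-up payload and deliberately cuts the first transfer short; the client keeps to its cap, backs off on 503 and resumes with Range.

```python
import http.client
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

PAYLOAD = bytes(range(256)) * 64   # constructed 16 KiB stand-in for the download
MAX_ACTIVE = 2                     # server slots before it answers 503
HOLD_SECONDS = 0.2                 # simulated transfer time per request
LOCK = threading.Lock()
STATE = {"active": 0, "cut_pending": True}


class Handler(BaseHTTPRequestHandler):
    # Capacity-limited server: 503 + Retry-After when full, Range honoured.
    def do_GET(self):
        with LOCK:
            if STATE["active"] >= MAX_ACTIVE:
                self.send_response(503)
                self.send_header("Retry-After", "1")
                self.end_headers()
                return
            STATE["active"] += 1
            cut, STATE["cut_pending"] = STATE["cut_pending"], False
        try:
            start = 0
            rng = self.headers.get("Range", "")
            if rng.startswith("bytes="):               # client resume point
                start = int(rng[6:].split("-")[0])
            body = PAYLOAD[start:]
            self.send_response(206 if start else 200)
            self.send_header("Content-Length", str(len(body)))
            if start:
                self.send_header("Content-Range", f"bytes {start}-{len(PAYLOAD) - 1}/{len(PAYLOAD)}")
            self.end_headers()
            time.sleep(HOLD_SECONDS)
            # The first full transfer is cut in half to simulate a dropped link.
            self.wfile.write(body[: len(body) // 2] if cut else body)
        finally:
            with LOCK:
                STATE["active"] -= 1


def download(url, stats, attempts=6):
    """Fetch url, backing off on 503 and resuming a truncated read with Range."""
    buf = bytearray()
    for _ in range(attempts):
        req = urllib.request.Request(url)
        if buf:                                   # resume, do not restart
            req.add_header("Range", f"bytes={len(buf)}-")
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                if buf and resp.status != 206:    # server ignored Range
                    buf.clear()
                buf += resp.read()
                return bytes(buf)
        except urllib.error.HTTPError as err:
            if err.code != 503:
                raise
            with LOCK:
                stats["backoffs"] += 1
            time.sleep(min(float(err.headers.get("Retry-After", "1")), 5.0))
        except http.client.IncompleteRead as err:
            buf += err.partial                    # keep the bytes that arrived
            with LOCK:
                stats["resumes"] += 1
    raise RuntimeError(f"gave up after {attempts} attempts")


def fetch_all(url, n_clients, connection_cap):
    """Run n_clients downloads with at most connection_cap in flight at once."""
    stats = {"backoffs": 0, "resumes": 0}
    gate = threading.Semaphore(connection_cap)
    results = [None] * n_clients

    def worker(i):
        with gate:
            results[i] = download(url, stats)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n_clients)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    stats["all_intact"] = all(r == PAYLOAD for r in results)
    return stats


def start_server():
    # Start the constructed server on a free loopback port and return its URL.
    srv = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}/file"
```

Calling `fetch_all(url, 4, 2)` stays within the server's capacity and completes with one Range resume, while `fetch_all(url, 6, 6)` (a client ignoring the connection limit) is pushed back with 503s and only succeeds because it honours Retry-After.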