RISKS Forum mailing list archives

Risks Digest 27.21


From: RISKS List Owner <risko () csl sri com>
Date: Thu, 21 Mar 2013 16:44:43 PDT

RISKS-LIST: Risks-Forum Digest  Thursday 21 March 2013  Volume 27 : Issue 21

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.21.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Mars Rover is Repaired, NASA Says (Henry Fountain)
Weapons Experts Raise Doubts About Israel's Antimissile System
  (William J. Broad)
Computer Networks in South Korea are Paralyzed in Cyberattack
  (Choe Sang-Hun)
Hospital computer outage does not compromise patent safety
  (Richard Irvin Cook)
Outage at Alchemy Communications data center in Irvine, California
  (Steve Golson)
Cyberattack on Florida election raises questions (Lauren Weinstein)
Details on the denial of service attack that targeted Ars Technica
  (Dewayne Hendricks)
The ephemeral Internet (Bob Frankston)
TSA tested program that tracked Bluetooth devices (Henry Baker)
Tom Coburn Amendment Limiting National Science Foundation Research
  Funding Passes Senate (Lauren Weinstein)
Re: Hacking the Papal Election (Sam Steingold, Neil Maller)
Re: Boeing 787s to create half a terabyte of data per flight
  (Dag-Erling Smorgrav)
Re: Boeing 787s to create half a terabyte of data per flight (PK,
  Dag-Erling Smorgrav)
Re: "Attorney General's testimony on Aaron Swartz raises more questions
  than answers" (Jonathan Kamens)
Sorry Google; you can Keep it to yourself (Joe Touch)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 21 Mar 2013 12:21:49 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Mars Rover is Repaired, NASA Says (Henry Fountain)

The Curiosity Mars Rover developed memory problems with one of its two
identical computers.  Control was switched to the second system to enable
repairs on the first computer.  However, the second system suffered a
software-based malfunction on 16 Mar and put itself on standby.  Finally, as
of the evening of 19 Mar, the second system was commanded back into safe
mode, and repairs of the first system continue, [Source; Henry Fountain,
*The New York Times*, 20 Mar 2013, PGN-ed]

------------------------------

Date: Thu, 21 Mar 2013 12:21:49 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Weapons Experts Raise Doubts About Israel's Antimissile System
  (William J. Broad)

Israeli officials have been claiming success rates up to 90 percent.
Analysis by weapons experts suggests it is more likely 40 percent at best,
with some incoming rockets merely crippled or deflected and still able to do
considerable damage.  [Source: William J. Broad, *The New York Times*, 21
Mar 2013, PGN-ed]

  [This of course should remind readers of Ted Postol's efforts at MIT in
  demonstrating that the Patriot defenses were perhaps at best 20% effective
  rather than the officially regarded 95% -- i.e., mostly failing to
  properly eliminate the scud missiles (R 13 19 and R 13 32).  PGN]

------------------------------

Date: Thu, 21 Mar 2013 12:21:49 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Computer Networks in South Korea are Paralyzed in Cyberattack
  (Choe Sang-Hun)

Computer networks running three major South Korean banks and two of the
country's largest broadcasters were paralyzed on 20 Mar 2013 in DarkSeoul
virus attacks suspected of originating from North Korea.  This affected
ATMs, newcasters staring at blank screens, and so on.  DarkSeoul is malware
designed to evade popular anti-viral products.  Kim Jong-Un was quoted as
threatening to destroy government installations in the South and American
bases in the Pacific.  [Source; Choe Sang-Hun, *The New York Times*, 21 Mar
2013, PGN-ed]

------------------------------

Date: Wed, 20 Mar 2013 08:22:57 +0000
From: Richard Irvin Cook <rcook () kth se>
Subject: Hospital computer outage does not compromise patent safety

Boulder, CO newspaper "The Daily Camera" reports that the Boulder Community
Hospital was without a functioning clinical healthcare information system
for several days (http://www.dailycamera.com/news/boulder/ci_22819319). The
outage effected the hospital, eight laboratories, and six imaging centers,
according to the article. The hospital is: "using manual paper
record-keeping systems and traditional paper charts for its inpatients.
Hospital officials say the system allows them to continue treating patients,
provide diagnostic services and collect important clinical information that
will be entered later into each patient's electronic health record."

Although a hospital physician reportedly said he doesn't think the outage is
compromising the health or safety of patients, the backup system "seems a
little haphazard, and it's not an organized plan."

One patient is reported to have commented "If they can't keep their computer
system running, how can we trust them to perform surgery?"

"We apologize for the delays, but this was an unavoidable situation," a
hospital official reportedly said.

COI declaration: I was the lone dissenting opinion in the Institute of
Medicine's report on clinical healthcare information technology (available
at http://www.ctlab.org/documents/CookDissent.pdf). Clinical healthcare
information technology (CHIT) is a complex endeavor and there are wide
differences between the good CHIT and the bad CHIT.

Richard I Cook, MD, Professor of Healthcare System Safety
STH (Skolan f?r teknik och h?lsa)
KTH (Kungliga Tekniska h?gskolan)
Alfred Nobels All? 10, 141 52 Huddinge, SWEDEN mobile: +46 70 190 42 16
email: rcook () kth se<mailto:rcook () kth se>

------------------------------

Date: Wed, 20 Mar 2013 21:23:58 -0400
From: Steve Golson <sgolson () trilobyte com>
Subject: Outage at Alchemy Communications data center in Irvine, California

As reported by DreamHost:

http://www.dreamhoststatus.com/2013/03/19/power-disruption-affecting-us-west-data-center-irvine-ca/

Update from our CEO on the March 19/20, 2013 power outages affecting
services in our US-West (Irvine, CA) Data Center

I would like to share more details with our customers concerning the power
outages and resulting network and systems issues that impacted our services
on March 19/20 in our US-West (Irvine, CA) Data Center (the Irvine DC for
short).

A third party, Alchemy Communications, manages the Irvine DC. We lease a
large secure space in their facility. Alchemy is responsible for providing
power, cooling, security and related infrastructure services and
maintenance. The facility has a good track record on all of these
responsibilities -- including providing reliable power. However, yesterday
at approximately 3pm Pacific Daylight Time (PDT), there was a failure in
their Uninterruptible Power Supply (UPS) system that completely shut down
power to all network and systems housed in the Irvine DC. This power outage
affected all tenants and was not limited to just DreamHost's equipment.

The power systems at the Irvine DC are designed to be redundant. The UPS
system is in-line and in the event the power grid feeds go down, the UPS
provides power until the diesel-powered generators kick in. We believe, at
this time, that Alchemy was performing unannounced maintenance on their UPS
systems and the systems failed -- resulting in a complete power outage. In
addition to their UPS systems failing, their generators did not kick in.

The power failure lasted just a few minutes, however it created a number of
major issues with our network and systems in the Irvine DC that took many
hours for our operations teams to recover from. Not the least of which was
the loss of several critical pieces of networking hardware which did not
survive the power event. Complete details of these issues will be shared
once we have completed a detailed review over the next couple of days.

All customer-facing systems were largely restored from the first power
outage by early this morning 20 Mar 2013 PDT.

After the first power outage, we were assured by Alchemy that their power
systems would not be worked on further until a detailed, tested plan was in
place that would guarantee no additional loss of power. However, at sometime
around 4:30am PDT today their UPS system failed for a second time. This
resulted in another complete power outage and another intense period of
reboots, restores and system checks from our team. The time to restore most
services in the wake of this second power outage was much quicker, mainly
because there were no resulting hardware failures and we had learned from
the first failure. Alchemy has opted to run the Irvine DC on generators
until the UPS issues are fully identified and resolved, and we are
monitoring the situation closely to do our best to ensure that there are no
further power outages or issues that will affect our services in the Irvine
DC.

Corrective Action: Alchemy has a team of UPS specialists and Edison power
engineers on site who have identified potential points of failure in the
existing UPS infrastructure. They are currently in the planning phases of a
repair to the UPS systems. The proposed power system enhancements will be
subject to rigorous review and testing before being implemented. If all goes
as planned, the facility will be able to switch back from generators to
grid/UPS power. At this time, we do not believe that a public grid power
failure contributed to either of these incidents.

DreamHost will have additional network, systems and data center engineers
assigned to monitor all systems in the Irvine DC during the UPS system
upgrade. We also have oversight of the proposed UPS system repair plan being
structured by Alchemy. We will post an update on dreamhoststatus.com as soon
as the timing of any planned power system maintenance is known. We are
working diligently to ensure that the planning and implementation of any UPS
upgrades, maintenance and/or the cut back to grid/UPS power will not affect
continuous power to our systems and will not impact our customers.

Last, but not least, I want to apologize for these service disruptions. I
know how critical our services are to our customers and their livelihood. I
fully recognize that any disruption to services can affect important
production environments and projects. Our team will work diligently to
ensure that we mitigate the power issues going forward, including a full
audit of all facilities that house DreamHost customer data. We will learn
from this event and continuously improve our operations and services.

All customers impacted by these service issues can apply for credits or
refunds in accordance with our guaranteed uptime policy by contacting
support through the panel.

Simon Anderson, CEO, DreamHost

------------------------------

Date: Mon, 18 Mar 2013 14:22:22 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Cyberattack on Florida election raises questions

http://www.cnn.com/2013/03/18/tech/web/florida-election-cyberattack/index.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+rss%2Fcnn_us+%28RSS%3A+U.S.%29

------------------------------

Date: Wednesday, March 20, 2013
From: Dewayne Hendricks
Subject: Details on the denial of service attack that targeted Ars Technica

  [From Dave Farber's IP and elsewhere]

Sean Gallagher on Brian Krebs, 18 Mar 2013
Take a "booter" site survey, earn attacks like ones that targeted Ars,
http://arstechnica.com/security/2013/03/details-on-the-denial-of-service-attack-that-targeted-ars-technica/

Last week, Security Editor Dan Goodin posted a story about the "swatting" of
security reporter Brian Krebs and the denial of service attack on Krebs'
site. Soon after, Ars was targeted by at least one of the individuals behind
the Krebs attack. On Friday, at about noon Eastern Daylight Time, a denial
of service attack struck our site, making connectivity to Ars problematic
for a little less than two hours.

The attack continued to run throughout Friday. At 9pm EDT, when our hosting
provider brought down one of the filters that had been put in place to
thwart it, it quickly became apparent that the attack was still underway,
and the filter was restored. The most aggressive filters were finally
removed on Saturday.

At least in part, the offensive used the same attack tool and user
credentials that were involved in the denial-of-service (DoS) attack on
Krebs On Security, as Krebs himself revealed in a blog post. The attackers
used multiple accounts on TwBooter, a "booter" site that provides denial of
service attacks as a paid service (ostensibly for security testing
purposes), to launch an automated, denial of service attack on Ars. And at
least one of those logins was also used to attack Krebs' site.

TwBooter masks all of the complexity of launching attacks against sites.
Users of the site can, depending on how much they pay, launch up to three
simultaneous automated attacks against sites through a simple Web
interface. TwBooter users can even set up multiple accounts and fill up the
queue of the service's "attack server."

It doesn't cost much to get in on the ground floor with TwBooter -- an
account with rights to a single automated attack of up to 60 seconds in
length is $10 for a month. This means you can launch as many 60 second
attacks as you want, one at a time, all month long. The "license" to launch
up to three attacks at a time of up to two hours duration is $169 a month --
but there's a 20 percent discount if you pay through Liberty Reserve instead
of PayPal.  There's also a free plan that allows for attacks up to 300
seconds long.  That service requires users to pick an attack type from a
pull-down menu in a Web form.

PayPal payments for the site are routed to Sebastien Lariviere, a former IT
technician for the county government (MRC) of Pierre-De Saurel in Quebec
(now operating as Lariviere Security). Lariviere did not respond to e-mails
from Ars for comment.

Obviously, sites like TwBooter generate a lot of ill will and are ironically
the target of DoS attacks themselves. Like many legitimate and "black hat"
sites -- such as the site exposed.su, a website that recently posted the
personal information of many public figures -- TwBooter runs behind the
CloudFlare content delivery network as a way of shielding itself from
attacks.

TwBooter may not have been the only service used to launch the attacks on
Ars and Krebs. "There are dozens of these booter services out there, most
of them based on the same source code," Krebs told Ars. But Krebs received
a tip pointing to a dump of TwBooter's customer database -- openly accessible
on the services' website. It's clear the TwBooter site was part of the
attack. A snippet from the SQL dumps Krebs provided to Ars show that
multiple attacks (including Slowloris, TCP amplification, and SYN flood
attacks) were queued up by multiple accounts on the site. [...]

------------------------------

Date: Mon, 18 Mar 2013 16:00:44 -0400
From: "Bob Frankston" <Bob19-0501 () bobf frankston com>
Subject: The ephemeral Internet

http://forum.icann.org/lists/comments-closed-generic-05feb13/pdfVMmmFgwpbw.pdf

Disappointing - no sense that the DNS is problematic because it guarantees
the Internet will unravel. How can we have any long term persistence when
the very bonds that hold the Internet together a designed to melt away like
surgical thread. I understand that ICANN profits form leasing our identities
and thus has every incentive to continue this practice but where is the
pushback for a problem so real and obvious?

There are other issues in the document like the assumption that words can
have persistent meaning out of context like "For example, when you go to a
.map domain name you will be confident that you will see some sort of map."
The Google search team knows how difficult it is to pin down meaning.

But for the moment the high order bit is the lack of stable identifiers.

Bob Frankston  http://frankston.com

------------------------------

Date: Thu, 21 Mar 2013 10:51:53 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: TSA tested program that tracked Bluetooth devices

  [FYI -- Didn't Google just get into a heap of hot water over doing exactly
  the same thing with WiFi?]

Scott MacFarlane, WPXI, 20 Mar 2013
TSA tested, scrapped program that tracked Bluetooth devices
http://www.wpxi.com/news/news/local/tsa-tested-scrapped-program-tracked-bluetooth-devi/nWyfh/


Lines can be long at airport security. The Transportation Security
Administration knows too. Documents obtained by Eyewitness News showed TSA
tested a project to measure how long.

Sensors in the terminal found Bluetooth devices, honed in on the signals and tracked how long it took people to get 
through security.

An internal TSA document stated it worked by ``detecting signals broadcast to
the public by individual devices and calculating a wait time as the signal
passes sensors positioned to cover the area in which passengers may wait in
line.''

It said the information would be encrypted and destroyed within two hours to
protect people's privacy. TSA tested the technology in 2012 in Las Vegas and
Indianapolis, but bailed on it.

``This is an expensive and needlessly complicated way of estimating wait
times, compared with say a ticket agent writing the time at the front of the
line," said Julian Sanchez, author of "Wiretapping the Internet.''

TSA has taken criticism in the recent months for its handling of passenger
privacy, including enhanced pat downs and whole body scanners.

A spokesman for the Association of Airline Passengers Rights said his group
isn't comfortable with Bluetooth tracking and TSA has a history of saying
it's keeping passenger information private and then changing its story.

TSA documents show the agency considered posting warning signs alerting
passengers that Bluetooth sensors were active, but officials didn't return
comment when Eyewitness News asked if the signs were posted at the cities
where the technology was tested.

A spokesman confirmed they've scrapped the program before it became public.

------------------------------

Date: Thu, 21 Mar 2013 12:03:27 -0700
From: Lauren Weinstein PRIVACY Forum <privacy () vortex com>
Subject: Tom Coburn Amendment Limiting National Science Foundation
   Research Funding Passes Senate

  "Adoption of this amendment is a gross intrusion into the
  widely-respected, independent scholarly agenda setting process at NSF that
  has supported our world-class national science enterprise for over sixty
  years," the association said in a statement. "The amendment creates an
  exceptionally dangerous slippery slope. While political science research
  is most immediately affected, at risk is any and all research in any and
  all disciplines funded by the NSF. The amendment makes all scientific
  research vulnerable to the whims of political pressure."
  http://j.mp/Z3sWWY  (Huffington)

 - - -

An information and research control abomination by the Senate, in the
finest tradition of Stalinist thinking, Comrade Coburn.

------------------------------

Date: Wed, 20 Mar 2013 15:56:36 -0400
From: Sam Steingold <sds () gnu org>
Subject: Re: Hacking the Papal Election (Schneier, RISKS-27.20)

This article reminded me of a wonderful historical episode described by
Bazhanov - directly relevant to the voting security.

In 1920-ies the Soviet citizens were divided into 2 classes: Party
members, who enjoyed full democratic freedoms, and non-members, who were
completely at the mercy of the political police.

Policy decisions were made by party members by voting on a platform (the
Central Committee platform vs the Opposition platform).  So, each local
organization voted on the issue and sent the results to the Central
Committee, and these results were published in the official newspaper
Pravda.

Stalin, who, allegedly, later said that "it matters who counts the
votes, not who votes", came up with a brilliant scheme: Pravda published
all results as if they came in favor of the Central Committee platform.
E.g., if the local organization A voted 11 votes for CC, 17 votes for
Opposition and organization B voted 20 votes for CC and 12 votes for the
Opposition, then B was reported as is and the votes in A were switched
and reported as if 17 voted for CC and 11 for the Opposition.
This way the appearance was that the Central Committee's platform was
clearly more popular, and if the chief of A noticed the "typo" and
complained, the next issue would carry a small apology (obviously not as
prominent as the election results).

This way the Party was constantly bombarded by "evidence" that the Central
Committee's platform was more popular, which would swing the opportunist
vote (also there was always a risk that the supporters of the Opposition
might be expelled from the Party).

Sam Steingold (http://sds.podval.org/)
http://www.childpsy.net/ http://iris.org.il http://dhimmi.com
http://www.PetitionOnline.com/tap12009/ http://pmw.org.il http://truepeace.org

------------------------------

Date: Mon, 18 Mar 2013 15:26:36 -0400
From: Neil Maller <neil () nmaller net>
Subject: Re: Hacking the Papal Election (Schneier, RISKS-27.20)

As a postscript to Bruce Schneier's fascinating "Hacking the Papal Election"
analysis (RISKS-27.20), I would add that it has been widely reported that
Vatican authorities laid a false floor in the Sistine Chapel to cover
electronic jamming equipment.  This was intended to protect against
electronic eavesdropping...or unauthorized Cardinal tweets.

See:
<http://www.theverge.com/2013/3/10/4086176/radio-jammers-in-the-sistine-chapel-will-protect-secrecy-of-papal>.

------------------------------

Date: Mon, 18 Mar 2013 22:01:37 +0100
From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des () des no>
Subject: Re: Boeing 787s to create half a terabyte of data per flight

"Bob Frankston" <bob2-39 () bobf frankston com>
I'm not sure what the worry is since we are collecting much of this
already.

Steve Loughran <steve.loughran () gmail com> writes:
In Risks 27.19, Dag-Erling Smorgrav considers the fact that the Boeing
787s will generate 0.5TB of data per flight, and asks "what could
possibly go wrong"?

You both missed the most important part of the quote I provided:

  "every piece of that plane has an Internet connection"

I sincerely hope Bulman misspoke, and that these devices are in fact
connected to a closed network, although that is no guarantee in itself.

Dag-Erling Sm=C3=B8rgrav - des () des no

------------------------------

Date: Mon, 18 Mar 2013 22:53:29 +0100
From: PK <djc () resiak org>
Subject: Re: Boeing 787s to create half a terabyte of data per flight

If the half-terabyte of data per Boeing 787 flight is going to be used for
anything important, I'd want it to be kept forensically secure, certain that
the data kept are the data gathered, unmodified.  And that, I think, is a
solvable problem.

I'd say the same should go for any important black box data, including cars
and trains.

------------------------------

Date: Mon, 18 Mar 2013 21:47:17 +0100
From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des () des no>
Subject: Re: Fake silicone fingers strike again (Mann, RISKS-27.20)

The only surprise here is that anyone should consider this news.  And
you don't need an expensive 3D printer and the complex software and
know-how to operate it to create a prosthesis.  In this case, I suspect
they just took casts (since they were impersonating accomplices rather
than victims).  However, given a good copy of the victim's fingerprint,
a hundred dollars' worth of hobby electronics supplies and a teaspoon of
,liquid latex, you can trivially create a piece of prosthetic skin which,
when glued onto your own finger, will fool fingerprint scanners with
liveness detection.  Allegedly, some scanners can even be defeated by
pressing a balloon filled with warm water onto the sensor plate, causing
it to scan the latent fingerprint left behind by the previous user...

Dag-Erling Sm=C3=B8rgrav - des () des no

------------------------------

Date: Mon, 18 Mar 2013 15:10:22 -0400
From: Jonathan Kamens <jik () kamens us>
Subject: Re: "Attorney General's testimony on Aaron Swartz raises more
  questions than answers" (Samson, RISKS-27.20)

Both Senator Cornyn and the Ted Samson at InfoWorld display a marked lack of
understanding in how sentencing for federal criminal convictions works.

The news media is very bad about this in general, and has been very bad
about it specifically with regards to the Aaron Swartz case.

Ken White at the Popehat blog wrote a clear, detailed explanation of how
sentencing works and why it's almost always completely bogus to look at the
maximum possible sentences for all of the crimes someone has been indicted
for, add them all together, and pretend the total bears any relation
whatsoever to how long the defendant's sentence will actually be if s/he is
convicted.

This is required reading for anyone who wants to be an educated news
consumer who deals in facts rather than baseless hyperbole:

http://www.popehat.com/2013/02/05/crime-whale-sushi-sentence-eleventy-million-years/

------------------------------

Date: Mar 21, 2013 2:59 PM
From: "Joe Touch" <touch () isi edu>
Subject: Sorry Google; you can Keep it to yourself

  [Relatively self-contained response to a message in Dave Farber's IP
  distribution.]

Not sure what the surprise here is.

If you don't control your information, you don't *control* your information.

That's why I waited for Palm when many others were using dedicated
phonebook/note devices - it was open enough that I could backup and view the
info. When Palm went to a cloud-only solution, I switched to the iPhone. I
bought ToDo for it to manage reminders because Apple won't back them up
locally; when an update to ToDo required cloud-backup, I ceased tracking
updates.

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.21
************************


Current thread: