RISKS Forum mailing list archives
Risks Digest 27.30
From: RISKS List Owner <risko () csl sri com>
Date: Wed, 29 May 2013 16:29:13 PDT
RISKS-LIST: Risks-Forum Digest  Wednesday 29 May 2013  Volume 27 : Issue 30

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.30.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Resolved: The Internet is no place for Critical Infrastructure (Dan Geer)
Online Currency Exchange Accused of Laundering $6 Billion (Santora et al. via Monty Solomon)
The hazards of gambling (Stephen Unger)
Employees clueless on cyber security (Chris J Brady)
"Researchers find more versions of digitally signed Mac OS X spyware" (Lucian Constantin via Gene Wirchenko)
"U.S. power companies under frequent cyber attack" (Jeremy Kirk via Gene Wirchenko)
Disruptions: At Odds Over Privacy Challenges of Wearable Computing (Nick Bilton via Monty Solomon)
Risks of reporting a bug to the wrong place (Paul Robinson)
Lauren Weinstein <lauren () vortex com> Fed. Appeals Court Says Police Need Warrant to Search Phone (Slashdot)
Anti-Risk? Google Maps updates bridge outage in map mode (Gene Wirchenko)
Reporters use Google, find breach, get branded as "hackers" (Lauren Weinstein)
Current disruptions of traffic to Google products and services (jidanni)
Google announces open access to its research publications, now that ACM will permit it (Lauren Weinstein)
Re: Curious press release (Peter Houppermans)
Risks of spreadsheets (Steve Loughran)
Re: spreadsheet errors (Dimitri Maziuk)
Re: "Economic policy decisions may be affected by spreadsheet errors" (Gene Wirchenko)
REVIEW: "The CERT Guide to Insider Threats" by Dawn Cappelli, Andrew Moore, and Randall Trzeciak (Richard Austin)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 28 May 2013 19:33:56 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Resolved: The Internet is no place for Critical Infrastructure (Geer)

Dan Geer, who has a wonderful bent for things quantitative, has an article in ACM Queue, 2 April 2013, that we somehow missed in RISKS.

  Dan Geer, Resolved: The Internet is no place for critical infrastructure
  http://queue.acm.org/detail.cfm?id=2479677

Buried in the middle of the article is this wonderfully pithy paragraph:

  Risk is a consequence of dependence. Because of shared dependence, aggregate societal dependence on the Internet is not estimable. If dependencies are not estimable, then they will be underestimated. If they are underestimated, then they will not be made secure over the long run, only over the short. As the risks become increasingly unlikely to appear, the interval between events will grow longer. As the latency between events grows, the assumption that safety has been achieved will also grow, thus fueling increased dependence in what is now a positive feedback loop. Accommodating rejectionists preserves alternative, less complex, more durable means and therefore bounds dependence. Bounding dependence is the core of rational risk management.
------------------------------

Date: Wed, 29 May 2013 01:36:30 -0400
From: Monty Solomon <monty () roscom com>
Subject: Online Currency Exchange Accused of Laundering $6 Billion

Marc Santora, William K. Rashbaum and Nicole Perlroth, *The New York Times*, 28 May 2013

The operators of a global currency exchange ran a $6 billion money-laundering operation online, a central hub for criminals trafficking in everything from stolen identities to child pornography, federal prosecutors in New York said on Tuesday.

The currency exchange, Liberty Reserve, operated beyond the traditional confines of United States and international banking regulations in what prosecutors called a shadowy netherworld of cyberfinance. It traded in virtual currency and provided the kind of anonymous and easily accessible banking infrastructure increasingly sought by criminal networks, law enforcement officials said.

The charges announced at a news conference by Preet Bharara, the United States attorney in Manhattan, and other law enforcement officials, mark what officials said was believed to be the largest online money-laundering case in history. Over seven years, Liberty Reserve was responsible for laundering billions of dollars, conducting 55 million transactions that involved millions of customers around the world, including about 200,000 in the United States, according to prosecutors. ...

http://www.nytimes.com/2013/05/29/nyregion/liberty-reserve-operators-accused-of-money-laundering.html

------------------------------

Date: Tue, 21 May 2013 21:02:19 -0400 (EDT)
From: Stephen Unger <unger () cs columbia edu>
Subject: The hazards of gambling

At a time when we are still in deep economic trouble, with huge numbers of people unemployed, or under-employed, and with no serious effort to get corporations and the super-rich to pay more taxes, many states and municipalities are turning to gambling as a "painless" revenue source. We are seeing more state lotteries, licensing of casinos, etc., and the use of the internet to make it easier for people to gamble. Is this a good thing, or is there a serious down side? Place your bets as to what my position is on this. My analysis is accessible at:

http://www1.cs.columbia.edu/~unger/articles/gambling.html

Stephen H. Unger, Professor Emeritus, Computer Science and Electrical Engineering, Columbia University

------------------------------

Date: Mon, 27 May 2013 13:06:43 -0700 (PDT)
From: Chris J Brady <chrisjbrady () yahoo com>
Subject: Employees clueless on cyber security

Half of employees never consider security when they upload or download data to their office PC or company smartphone, according to a survey. And 40 per cent of employees said they did not know about their company's security policy when using their phone. Many never consider the threat of cyber crime and are unfamiliar with company policies to protect their data, the poll of 1,200 office workers found.
http://www.modis.co.uk/resources/news/
http://www.standard.co.uk/business/business-news/half-of-workers-arent-aware-of-cyber-security-policies-8610358.html

Staffing provider Modis said its research showed that even business owners did not think about the security of their organization's data when downloading or uploading information.
http://metro.co.uk/2013/05/10/employees-clueless-on-cyber-security-3748202/

Roy Dungworth, of IT staffing provider Modis, which carried out the survey, said: ``The rise of flexible working and cloud computing has created a multitude of points at which cyber criminals can access a company's data.''

Half of workers do not know if their company has a policy on cyber crime and do not worry about security when they download data to their phone, according to a new study.
http://uk.news.yahoo.com/employees-unaware-cyber-risks-231749012.html

------------------------------

Date: Tue, 28 May 2013 10:59:21 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Researchers find more versions of digitally signed Mac OS X spyware"

Lucian Constantin, InfoWorld, 23 May 2013
The malware is connected to Indian cyberespionage operation and has been active since at least December 2012, researchers say
http://podcasts.infoworld.com/d/security/researchers-find-more-versions-of-digitally-signed-mac-os-x-spyware-219245

selected text:

The newly discovered KitM variants are all signed with the same Rajinder Kumar certificate. Apple revoked this Developer ID last week, after the first samples were discovered, but this won't immediately help existing victims, according to Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender.

"Gatekeeper uses the File Quarantine system, which holds the file in quarantine until it is first executed," Botezatu said Thursday via email. "If it passes Gatekeeper on first run, it will continue to run and never be queried by Gatekeeper again. So, malware samples that have been ran once while the developer ID used for signing them was valid will continue to run on the machines."

------------------------------

Date: Fri, 24 May 2013 10:14:15 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "U.S. power companies under frequent cyber attack" (Jeremy Kirk)

Jeremy Kirk, InfoWorld, 22 May 2013
Legislation that would give the federal government power to oversee the protection of utilities has stalled
http://www.infoworld.com/d/security/us-power-companies-under-frequent-cyber-attack-219118

------------------------------

Date: Sun, 26 May 2013 23:12:45 -0400
From: Monty Solomon <monty () roscom com>
Subject: Disruptions: At Odds Over Privacy Challenges of Wearable Computing (Nick Bilton)

Nick Bilton, *The New York Times*, 26 May 2013

Perhaps the best way to predict how society will react to so-called wearable computing devices is to read the Dr. Seuss children's story "The Butter Battle Book."

The book, which was published in 1984, is about two cultures at odds. On one side are the Zooks, who eat their bread with the buttered side down. In opposition are the Yooks, who eat their bread with the buttered side up. As the story progresses, their different views lead to an arms race and potentially an all-out war.

Well, the Zooks and the Yooks may have nothing on wearable computing fans, who are starting to sport devices that can record everything going on around them with a wink or subtle click, and the people who promise to confront violently anyone wearing one of these devices.

I've experienced both sides of this debate with Google's Internet-connected glasses, Google Glass. Last year, after Google unveiled its wearable computer, I had a brief opportunity to test it and was awe-struck by the potential of this technology.

A few months later, at a work-related party, I saw several people wearing Glass, their cameras hovering above their eyes as we talked. I was startled by how much Glass invades people's privacy, leaving them two choices: stare at a camera that is constantly staring back at them, or leave the room. ...

http://bits.blogs.nytimes.com/2013/05/26/disruptions-at-odds-over-privacy-challenges-of-wearable-computing/

------------------------------

Date: Tue, 28 May 2013 13:25:11 -0700 (PDT)
From: Paul Robinson <rfc1394 () yahoo com>
Subject: Risks of reporting a bug to the wrong place

Today's software is layered. Your computer has a bios. Your operating system uses that bios. Your apps use the operating system. Any website you connect to is a machine that uses a web server -- an app or "application program" -- to provide pages to you (the web server is usually Apache or IIS). The web server you connect to uses pages written using probably PHP, Perl or ASP to dynamically create pages. Those pages depend on PHP, Perl, or Visual Basic in Microsoft IIS to provide the underlying interpreter to render them. And then some websites (like Wikipedia) are scriptable, so the web pages running on PHP, which are running on Apache, which are running on Linux (or Windows), all provide interesting places to potentially have bugs. "Pick a card, any card."

Now, when something is wrong, where is it? I'm doing a calendar test on Wikipedia, and I wrote a small piece of Wikimedia code (the macro syntax used by the software that runs Wikipedia). And it comes up wrong. You can see it in a sample template I did at
http://en.wikipedia.org/w/index.php?title=Template:X8&oldid=557212409

I discovered that the dates rendered before January 1, 1600 are wrong. So if you place in a Wikipedia page the following macro to display the day of the week:

  {{#time:l|1600-01-01}}

It is correct, Saturday. Also, this macro call for today:

  Today: 2013-05-28 is {{#time:l|2013-05-28}}

Which says

  Today: 2013-05-28 is Tuesday.

But this:

  Year 1599 is {{#time:l|1599-01-01}}

Says:

  Year 1599 is Saturday.

What's the problem? 1599 started on a Friday.

I reported it to the Wikipedia Foundation on their bug tracker, but it occurred to me it might be an error in PHP, the underlying software that Wikimedia is written in. So I wrote a small program, which, since I have hosting -- I run my own blog -- I can question is why this bug exists in the first place? I think the algorithm, Zeller's Congruence, for getting the day of the week works for all Gregorian dates, and the Gregorian calendar started in 1583, 17 years earlier.

[1] https://bugs.php.net/bug.php?id=61599

------------------------------

Date: Sat, 18 May 2013 09:45:23 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Fed. Appeals Court Says Police Need Warrant to Search Phone

"In a decision that's almost certainly going to result in this issue heading up to the Supreme Court, the Federal 1st Circuit Court of Appeals [Friday] ruled that police can't search your phone when they arrest you without a warrant. That's contrary to most courts' previous findings in these kinds of cases where judges have allowed warrantless searches through cell phones."
http://j.mp/YQOoQl (Slashdot via NNSquad)

------------------------------

Date: Mon, 27 May 2013 22:02:44 -0700
From: Gene Wirchenko <genew () telus net>
Subject: Anti-Risk? Google Maps updates bridge outage in map mode

On May 23rd, an overloaded truck struck support trusses for a bridge over the Skagit River on Interstate 5 between Burlington and Mount Vernon, WA. This is an important route, and since I will be going that way in August, I was concerned about making alternative plans.

Washington State Department of Transportation has this data on it:
http://www.wsdot.wa.gov/Projects/I5/SkagitRiverBridgeReplacement/default.htm

Google Maps does not show the bridge now in map mode (though it is still shown in satellite mode). Getting directions between Vancouver, BC and Seattle, WA shows a detour off I-5 by the ex-bridge.

It is nice to see that the Google Maps people are on the ball.
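Added example (not part of the digest or of Paul Robinson's submission): for the {{#time:l|...}} day-of-week discrepancy reported in "Risks of reporting a bug to the wrong place" above, the Python below checks the three outputs quoted in that item against two independent references, Zeller's congruence and Python's own proleptic Gregorian calendar, to show which layer's answer is the odd one out. The function names are hypothetical; the REPORTED values are the ones quoted in the item.

```python
import datetime

# Zeller's congruence yields h with 0=Saturday, 1=Sunday, ..., 6=Friday.
ZELLER_NAMES = ["Saturday", "Sunday", "Monday", "Tuesday",
                "Wednesday", "Thursday", "Friday"]
# datetime.date.weekday() yields 0=Monday, ..., 6=Sunday.
ISO_NAMES = ["Monday", "Tuesday", "Wednesday", "Thursday",
             "Friday", "Saturday", "Sunday"]

# Rendered output quoted in the item for three {{#time:l|...}} calls.
REPORTED = {
    "1600-01-01": "Saturday",
    "2013-05-28": "Tuesday",
    "1599-01-01": "Saturday",
}


def zeller_weekday(year, month, day):
    """Reference 1: weekday name of a Gregorian date via Zeller's congruence."""
    if month < 3:
        # January and February count as months 13 and 14 of the previous year.
        month += 12
        year -= 1
    k = year % 100   # year within the century
    j = year // 100  # zero-based century
    h = (day + (13 * (month + 1)) // 5 + k + k // 4 + j // 4 + 5 * j) % 7
    return ZELLER_NAMES[h]


def library_weekday(year, month, day):
    """Reference 2: Python's datetime, which uses the proleptic Gregorian calendar."""
    return ISO_NAMES[datetime.date(year, month, day).weekday()]


def reference_disagreements(first, last):
    """ISO dates in [first, last] on which the two references differ.

    An empty list means the references corroborate each other across the
    whole range, including the 1599/1600 boundary the item points at.
    """
    bad = []
    current = first
    one_day = datetime.timedelta(days=1)
    while current <= last:
        ymd = (current.year, current.month, current.day)
        if zeller_weekday(*ymd) != library_weekday(*ymd):
            bad.append(current.isoformat())
        current += one_day
    return bad


def suspect_reports(reported):
    """Reported outputs that contradict both references.

    Returns (date, reported_name, expected_name) tuples. A date is only
    listed when the two references agree with each other, so the finding
    points at the layer that produced the report, not at the arithmetic.
    """
    suspects = []
    for iso, seen in reported.items():
        year, month, day = (int(part) for part in iso.split("-"))
        expected = zeller_weekday(year, month, day)
        if expected == library_weekday(year, month, day) and seen != expected:
            suspects.append((iso, seen, expected))
    return suspects


if __name__ == "__main__":
    start = datetime.date(1583, 1, 1)   # first full Gregorian year named in the item
    end = datetime.date(2013, 5, 28)    # "today" in the item
    print("reference disagreements:", reference_disagreements(start, end))
    for iso, seen, expected in suspect_reports(REPORTED):
        print(f"{iso}: reported {seen}, both references say {expected}")
```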
------------------------------

Date: Wed, 22 May 2013 22:31:26 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Reporters use Google, find breach, get branded as "hackers"

However, Vcare and the two telecom companies assert that the reporters "hacked" their way into the data using "automated" methods to access the data. And what was this malicious hacking tool that penetrated the security of Vcare's servers? In a letter sent to Scripps News by Jonathan D. Lee, counsel for both of the cell carriers, Lee said that Vcare's research had shown that the reporters were "using the 'Wget' program to search for and download the Companies' confidential data." GNU Wget is a free and open source tool used for batch downloads over HTTP and FTP. Lee claimed Vcare's investigation found the files were bulk-downloaded via two Scripps IP addresses.
http://j.mp/10onoVP (ars technica via NNSquad)

 - - -

Ah yes -- wget -- more dangerous to mankind than General Zod!

------------------------------

Date: Wed, 22 May 2013 20:19:15 +0800
From: jidanni () jidanni org
Subject: Current disruptions of traffic to Google products and services

http://www.google.com/transparencyreport/traffic/ etc. etc.

------------------------------

Date: Wed, 29 May 2013 15:10:06 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Google announces open access to its research publications, now that ACM will permit it

http://j.mp/10IAcXg (Google+ via NNSquad)

"The Association for Computing Machinery (ACM) recently announced a new option for publication rights management, wherein researchers can choose to pay for the public to have perpetual open access to the publication ( http://goo.gl/OXlYp ). Google applauds this new option, and today we are announcing that we will pay the open access fees for all articles by Google researchers that are published in ACM journals. IEEE ( http://goo.gl/qqeka ) also has an open access option for some of its publications, and we also pay the open access fee for them and for publications in like organizations."

------------------------------

Date: Sun, 26 May 2013 11:19:04 +0200
From: Peter Houppermans <peter () houppermans net>
Subject: Re: Curious press release (Seecrypt et al., RISKS-27.29)

I'm skipping over the usual observations about the need to get the legal framework right first before you offer crypto products (flogging a dead horse etc) - I have a simple answer why I personally would not be that interested in security products from Seecrypt (abridged version):

  bushido:~ peter$ dig seecrypt.com mx

  ;; QUESTION SECTION:
  ;seecrypt.com.           IN    MX

  ;; ANSWER SECTION:
  seecrypt.com.    7200    IN    MX    5 ALT1.ASPMX.L.GOOGLE.com.
  seecrypt.com.    7200    IN    MX    10 ASPMX2.GOOGLEMAIL.com.
  seecrypt.com.    7200    IN    MX    1 ASPMX.L.GOOGLE.com.
  seecrypt.com.    7200    IN    MX    5 ALT2.ASPMX.L.GOOGLE.com.
  seecrypt.com.    7200    IN    MX    10 ASPMX3.GOOGLEMAIL.com.

I would not be terribly inclined to do business with Seecrypt: they use Google as e-mail provider, which is IMHO not exactly a great approach to protecting client confidentiality.

Case closed.

------------------------------

Date: Sat, 18 May 2013 13:36:26 -0700
From: Steve Loughran <stevel () apache org>
Subject: Risks of spreadsheets

For anyone interested in quantifying the risks of spreadsheet errors, the European Spreadsheet Risks Interest Group, "eusprig"
http://www.eusprig.org/

They not only have a set of horror stories, but cite a lovely 2002 paper, Spreadsheet Engineering: A Research Framework, by Thomas A. Grossman.
http://arxiv.org/ftp/arxiv/papers/0711/0711.0538.pdf

The author makes the point that spreadsheets are a declarative programming tool, programmed by people who have understanding of the problem domain, but of what software engineers would consider a process for writing correct spreadsheets. This appears to be due as much to the different psychological outlook of "software developers" from "spreadsheet developers" -- something noted by Bonnie Nardi and Jim Miller in 1990 [Nardi90] -- as to the weak tooling in spreadsheets for delivering high quality applications. There is also the lack of significant work in the software engineering community, where we are more concerned with the correctness of our IDE-written, SCM managed code, than in spreadsheets.

  "This class of programming -- high stakes, high speed coding with strategic implications -- appears to be absent from the software engineering literature. There are many interesting issues regarding this sort of programming, particularly how to design a spreadsheet to ensure flexibility and reduce the likelihood of errors."

To add insult to injury, the fact that artifact delivery is often by multihop email attachments without adequate provenance or updating means that even knowing where your application has got to is unknown -- making maintenance that much harder. Collaborative server-based spreadsheets -- MS sharepoint, google applications, etc., may handle distribution, but don't appear to address the other risks described in [Grossman02].

In fact, even for those of us who do understand software development and naming, spreadsheet development as a workflow of copy-existing-file-and-change is dangerously close to the "copy and edit" process that software engineering has long recognized as creating maintenance grief downstream.

Of course, this lack of focus on quality development techniques in what could well be largest programming tools used round the world does present some interesting opportunities for anyone wanting to fix this. The open source developers of Apache Open Office would no doubt welcome anyone willing to address this in their software.

[Grossman02]: Grossman, Spreadsheet Engineering: A Research Framework.
  http://arxiv.org/ftp/arxiv/papers/0711/0711.0538.pdf
[Nardi90]: B.A. Nardi, J.R. Miller: An ethnographic study of distributed problem solving in spreadsheet development
  http://www.hpl.hp.com/techreports/90/HPL-90-08.html
  http://www.darrouzet-nardi.net/bonnie/pdf/Nardi_spreadsheet.pdf

------------------------------

Date: Mon, 20 May 2013 12:55:39 -0500
From:
Subject: Re: spreadsheet errors (Hacher, RISKS-27.28)

As a middle-aged ex-smoker I remember very well the brouhaha around passive smoking, with all the studies that found correlations below the margin of accuracy and all those calls for retractions (e.g. http://www.ncbi.nlm.nih.gov/pmc/articles/PMC188394/) and lawsuits and great fun's been had by all.

I'm sure other RISKS readers have other examples of studies whose conclusions were tailored to support the author's initial premise (though perhaps few with as much media coverage). The only difference is this time we're blaming Excel. Come on, you lost me at "global economic crisis modeled in Excel program".

Dimitri Maziuk, Programmer/sysadmin
BioMagResBank, UW-Madison -- http://www.bmrb.wisc.edu

PS. here's another example, this is getting little PR in the USA for some reason:
http://en.wikipedia.org/wiki/Gun_politics_in_Australia#Research

"It is always unpleasant to acknowledge facts that are inconsistent with your own point of view."

------------------------------

Date: Sun, 19 May 2013 19:05:54 -0700
From: Gene Wirchenko <genew () telus net>
Subject: Re: "Economic policy decisions may be affected by spreadsheet errors" (Hamilton, RISKS-27.28)

>> I would be surprised if this feature does not exist in the
>> still-popular Excel 2003.'

It exists in Excel 97. I have never used it since I do not make complex spreadsheets. I tried it, and it worked, but it is of limited use, because I can not find out what a name means. At least, I could not find it which is about the same. It is easier, then, for me to verify a co-ordinate range because I can check those cells, but what does "TTT" mean? If I do not know what it means, then I can not check that it is correct.

'It seems that, in this case, Kohne's observations about folks lacking a combination of subject-matter expertise and fluency with chosen digital tools is more compelling than dwelling on the absence of features that are actually present.'

There is the problem of a tool not having all of the pieces necessary for it to be truly useful. Or that the features are not obvious.

------------------------------

Date: Tue, 28 May 2013 17:50:33 -0600
From: "Cipher Editor" <cipher-editor () ieee-security org>
Subject: REVIEW: "The CERT Guide to Insider Threats" by Dawn Cappelli, Andrew Moore and Randall Trzeciak (Richard Austin)

Book Review By Richard Austin, May 23, 2013

  [Extracted From IEEE TCSP CIPHER, Issue 114, May 28, 2013. A very valuable resource, Cipher is published 6 times per year. The entire newsletter is at http://www.ieee-security.org/cipher.html. PGN]

Dawn Cappelli, Andrew Moore and Randall Trzeciak
The CERT Guide to Insider Threats
Addison-Wesley 2012. ISBN 978-0-321-81257-5
amazon.com USD 35.88, Table of Contents:
http://www.pearsonhighered.com/educator/product/CERT-Guide-Insider-Threats-How-Prevent-Detect-and-Respond-Information-Technology-Crimes-Theft-Sabotage-Fraud/9780321812575.page#table-of-contents

This was a hard book to review - it is intended to be introductory and targeted at a non-technical reader, a decision which led to a glacial pace of presentation and frustratingly shallow detail in many areas. However, it also has the huge plus of being based on analysis of 700+ cases of insider abuse collected by CERT over a ten-year period. For that reason alone, I respectfully recommend it to your attention.
The term "insider threat" can have many meanings so the authors clearly set their scope as "a current or former employee, contractor or business partner who has or has had authorized access to an organization's network, system or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity or availability of information or information systems" (p. xx). That definition earns the authors bonus credit for including both contractors and business partners.

Based on their analysis, the authors identify three profiles for insider threats:

  IT sabotage,
  Theft of intellectual property,
  Fraud.

As security professionals, our goals for insider threats are to identify the factors that make the threat likely to occur (the authors call these "predispositions"), to recognize that the threat has been instantiated, and to mitigate the threat or its effects. The authors address those goals by abstracting the results of their analysis of insider threat into the MERIT model ("Management and Education of the Risk of Insider Threat"). MERIT is a system dynamics model and some readers may benefit from a more substantial introduction to the topic (e.g., Meadows, D. H. [2008]. "Thinking in Systems: A Primer". Chelsea Green Publishing).

Each threat profile is described in its own chapter where the model for that threat is presented. For example, the authors found that cases involving theft of intellectual property (IP) fit two general patterns: "entitled independent" and "ambitious leader". The "entitled independent" is, for example, the engineer who feels a proprietary ownership in the new product she developed and feels "entitled" to take the design with her when her position is eliminated during an economic downturn. The "ambitious leader" recruits a group of insiders to pilfer intellectual property for a share in the financial reward.

The MERIT model for these patterns portrays the factors and relationships that give rise to the threat and shows where organizational responses can be most effectively applied. For example, the desire to steal for an "entitled independent" arises from the interplay between their contribution to the IP and feelings of ownership and precipitating events such as dissatisfaction or a job offer from a competitor. There's obviously a tension here where even though the feeling of entitlement predisposes the engineer to potentially steal the product, the organization benefits from the engineer's substantial contributions to the product and feelings of ownership. The models recognize this tension by suggesting that organizations include recognition of precipitating events as triggers for defensive measures such as increased behavioral monitoring.

After working through the threat models, the authors turn their attention to detection and prevention. Chapter 6 reviews 16 best practices (ranging from consistently enforcing policies to effective monitoring). The best practices are each presented in a "how to" followed by a "what happens if you don't" case study. The list of best practices contains no surprises but a reexamination of "the usual suspects" from an insider-threat perspective is useful.

Chapter 7, "Technical Insider Threat Controls", provides managerially-focused readers with a brief introduction to how intrusion detection systems (IDS), network flow data, security information and event management (SIEM), etc., can be effectively used in detecting instantiation of insider threats.

For technical professionals, the takeaways from this book revolve around the MERIT model and its way of looking at insider threats. The authors provide footnote references to the papers that back up the book chapters, and much of the lamented missing details are found in those papers. For managerial professionals, this is an excellent introductory book for understanding the scope of the insider threat and what organizations can do to predict, recognize and mitigate the threat.

  [It has been said "Be careful, for writing books is endless, and much study wears you out" so Richard Austin (http://cse.spsu.edu/raustin2) fearlessly samples the wares of the publishing houses and opines as to which might most profitably occupy your scarce reading time. He welcomes your thoughts and comments via raustin at ieee dot org .]

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
   Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to
   risks-request () csl sri com
   containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
   depending on which action is to be taken.

   Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
   *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.

=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
   *** NOTE: Including the string "notsp" at the beginning or end of the subject
   *** line will be very helpful in separating real contributions from spam.
   *** This attention-string may change, so watch this space now and then.

=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
   or ftp://ftp.sri.com/VL/risks for previous VoLume
   http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
   <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .

==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
    is no longer maintained up-to-date except for recent election problems.

    *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.

==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.30
************************