RISKS Forum mailing list archives

Risks Digest 27.42


From: RISKS List Owner <risko () csl sri com>
Date: Sun, 18 Aug 2013 15:28:40 PDT

RISKS-LIST: Risks-Forum Digest  Sunday 18 August 2013  Volume 27 : Issue 42

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.42.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Lamp-post lamp-oon (Gary Hinson)
Online search for pressure cooker leads to police visit (Peter Houppermans)
Four people can cut off a whole city from the railways: Getting sick
  (Lothar Kimmeringer)
ReKords of the Keystone Kops (Richard A. O'Keefe)
You can't make up the solution (Jeremy Epstein)
Boston Public Schools lose flash drive with data on 21,000 students
  (Jonathan Kamens)
Don't charge to see the last few lines of an obituary (jidanni)
Researchers reveal how to hack an iPhone in 60 seconds (Violet Blue
  via Monty Solomon)
Android one-click Google authentication method puts users,
  businesses at risk (Lucian Constantin via Monty Solomon)
Wolf in sheep's clothing at Black Hat: Getting pwn'd by innocent looking
  devices (Darlene Storm via Monty Solomon)
"The devil is in the subscription-licensing details" (Robert L. Mitchell
  via Gene Wirchenko)
"More Android malware distributed through mobile ad networks"
  (Lucian Constantin via Gene Wirchenko)
"Outsourced software project with 6,000 pages of specs ends badly"
  (Patrick Thibodeau via Gene Wirchenko)
"What's worse than a system failure? What you say about it" (Matt Prigge
  via Gene Wirchenko)
"Dangerous Linux Trojan could be sign of things to come" (Jon Gold via
  Gene Wirchenko)
"Anonymous is not anonymous" (Roger A. Grimes via Gene Wirchenko)
"AARP website hacked" (Woody Leonhard via Gene Wirchenko)
"Video: Watch what happens when a Prius gets hacked" (Pete Babb via
  Gene Wirchenko)
Re: Xerox scanners/photocopiers randomly alter numbers (T Byfield)
Re: The Public/Private Surveillance Partnership (Kelly Bert Manning)
Re: DC, Maryland: Speed Camera Firms Move To Hide Evidence (Danny Burstein)
Re: Download manager takes Web site down (Chris Adams)
Re: How a Misplaced Reef on a Digital Chart Destroyed a Minesweeper
  (Jeffrey Alexander)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 1 Aug 2013 09:41:12 +1200
From: "Gary Hinson" <Gary () isect com>
Subject: Lamp-post lamp-oon

"An electricity company is apologising after it sent a letter to a lamp-post
and threatened to cut its power off.  Meridian Energy apparently believed
someone was living in the pole."

<http://www.stuff.co.nz/oddstuff/8988229/Meridian-finally-sees-the-light>

Asked who might be occupying the light, Clive Saleman (the neighbour who
received the letter) said "Well he'd have to be very tall and skinny.  I
suspect he sleeps all day because the light's on all night.  So maybe he's a
night owl.  I have a suspicion he could be a being of pure energy actually,
and not actually human, but I'm just not sure.  But, whatever, he's not
paying his power bill."

Risk: being lampooned for a data integrity failure.

Dr Gary Hinson, IsecT CEO  isect.com  http://www.iso27001security.com/
NoticeBored.com  SecurityMetametrics.com  ISO27001security.com

------------------------------

Date: Thu, 01 Aug 2013 19:52:22 +0200
From: Peter Houppermans <ph () privacyclub ch>
Subject: Online search for pressure cooker leads to police visit

Honestly, this raises such a massive amount of questions, I don't quite
know where to begin..

  A New York woman says her family's interest in the purchase of pressure
  cookers and backpacks led to a home visit by six police investigators
  demanding information about her job, her husband's ancestry and the
  preparation of quinoa.

  Michele Catalano, who lives in Long Island, New York, said her web
  searches for pressure cookers, her husband's hunt for backpacks, and her
  `news junkie' son's craving for information on the Boston bombings had
  combined somewhere in the Internet ether to create a `perfect storm of
  terrorism profiling'.

Anyone any recipes?

Peter Houppermans  /Others take your privacy - we give it back to you/

------------------------------

Date: Thu, 08 Aug 2013 21:26:52 +0200
From: Lothar Kimmeringer <lothar () kimmeringer de>
Subject: Four people can cut off a whole city from the railways: Getting sick

Not terrorists but a group of four people who work at the railway control
center responsible for the railway network in and around Mainz were the
reason why trains weren't able to get to Mainz anymore.

It's vacation time and four of the remaining people had to call in sick
today leaving DB Die Bahn with not enough people who are capable of
operating the system.  This situation will last for a couple of days at
least and might take up until the end of August.

Next week school season will start again, so the biggest chaos is still to
come if not enough qualified people are back on duty.

Risk here: Having a mission critical system with a single
point of failure: People that can become sick at the same
time, which can happen quite easily if all of them are working
in the same room.

------------------------------

Date: Fri, 9 Aug 2013 19:51:48 +1200
From: "Richard A. O'Keefe" <ok () cs otago ac nz>
Subject: ReKords of the Keystone Kops

I mentioned recently that New Zealand is trying to modernise its justice
system.  Part of that is introducing a system of Audio-Visual links between
prisons and courts in order to improve safety and reduce costs by having
prisoners stay in prison and make their appearance in court electronically.
The new system is already being rolled out.

Of course, in order to know how much the new system is saving, you need
to know how much the old system was costing.

They don't.

From the *Otago Daily Times* front page, 29 Jul 2013, the Police and
prison system

 * do not know how much they spent transporting prisoners between
   the new jail and courts since the new jail opened in 2007;
 * do not know how much it cost last year;
 * do not know what the annual budget for transport is/was.

The newspaper was told that

 "the [prison] department cannot readily extract ... the costs or budgets
  relating to the transportation of prisoners ... from our electronic
  records ... of wider offender transportation costs.  ... we would be
  required to manually review a large number of files"

They don't know what it costs now, but they are quite certain there will be
50% to 70% savings (however much that is...)

The computer-related part of this is that in an age of manual records,
regional information would be kept locally, and only summaries
aggregated nationally.  Now, the details can be kept nationally,
making regional summaries extremely difficult to extract.

Of course, it's always possible that their data base _does_ support
ad hoc queries, and they are just lying (:-).

------------------------------

Date: Fri, 9 Aug 2013 21:59:44 -0400
From: Jeremy Epstein <jeremy.j.epstein () gmail com>
Subject: You can't make up the solution

In an earlier, simpler day, notes between a publisher and reviewers and the
public took a while, and there was plenty of time for proofreading.

Not so today, with the increasing speed of publishing, which the publishers
of Organometallics discovered the hard way.  A note suggesting that data
could be fabricated to fill in a gap appeared in an online version of an
article.

The RISK is simply that there are more mistakes possible as we speed up the
publication process - both the mistakes from pressure to publish quickly,
and the mistakes of not checking what you're releasing before you do the
release.  (NSA learned this lesson some years ago in Word documents, and
more recently with redaction of PDF documents - although this case is at a
higher level of the "stack", it's a variation of the problem that with all
electronic documents, it's sometimes hard to see what's being released.)

http://sciencecareers.sciencemag.org/career_magazine/previous_issues/articles/2013_08_08/caredit.a1300167

------------------------------

Date: Tue, 13 Aug 2013 11:15:32 -0400
From: Jonathan Kamens <jik () kamens us>
Subject: Boston Public Schools lose flash drive with data on 21,000 students

A flash drive containing Boston Public Schools ID badge PDFs was lost en
route to the printing vendor. The PDFs contain student name, age, grade,
school, ID number, library card number, CharlieCard number, and (in some)
photo. The drive was apparently not encrypted. BPS thinks the drive was
lost, not stolen, but can't be sure. BPS is redesigning the cards and
changing the ID numbers that can be changed to minimize the likelihood of
harm from the breach.

The drive was lost on Aug 9, and BPS families were notified just three
days later, on Aug 12. The notification was clear and detailed.  As far
as I can tell, BPS's handling of the breach has been perfect.

Having said that, the big remaining question is why the flash drive wasn't
encrypted. I've emailed Superintendent John McDonough and asked him that
question, as well as encouraging him to ensure that flash drives en route to
vendors are encrypted as a matter of policy in the future.

Although the flash drive had no confidential information on it, as the
parent of a BPS student whose data was lost, I am still concerned, because
the information on the drive can be used in social engineering attacks, not
to mention that names, ages, schools, grades, and photos is just the kind of
information a pedophile would need to pick out attractive targets.

Details:

http://www.boston.com/yourtown/news/allston_brighton/2013/08/boston_public_schools_vendor_loses_flash_drive_with_data_on.html

------------------------------

Date: Fri, 16 Aug 2013 12:06:19 +0800
From: jidanni () jidanni org
Subject: Don't charge to see the last few lines of an obituary

[Sent to American Chemical Society:]

Your Society should really consider the public relations value of not
charging users to see the last few lines of an obituary.

I'm sure your members would have never dreamed when they were alive that
half of it would be in Google and could be shared publicly. But when
80 years later someone wanted to see those last few lines, out comes the
collection plate.

And if I link to http://pubs.acs.org/doi/abs/10.1021/cen-v010n006.p073b
from my http://jidanni.org/me/ancestors.html all I would be doing is
creating more dismayed relatives.

So thanks for sending it to me so I now finally see what it says, but I
still cannot legally share it in its full form.

------------------------------

Date: Mon, 5 Aug 2013 01:42:46 -0400
From: Monty Solomon <monty () roscom com>
Subject: Researchers reveal how to hack an iPhone in 60 seconds (Violet Blue)

Violet Blue for Zero Day, 31 Jul 2013

Summary: Three Georgia Tech hackers have disclosed how to hack iPhones and
iPads with malware in under sixty seconds using a "malicious charger."
UPDATED.

Three Georgia Tech hackers have revealed how to hack iPhones and iPads with
malware imitating ordinary apps in under sixty seconds using a "malicious
charger."

Today at a Black Hat USA 2013 press conference, the researchers revealed for
the first time exactly how the USB charger they built can compromise iOS
devices in less than a minute.

Billy Lau, Yeongjin Jang and Chengyu Song showed how they made an ordinary
looking charger into a malicious vector for transmitting malware using an
open source BeagleBoard, available for $125 (similar to a Raspberry Pi).

For the demonstration, the researchers used an iPhone. They plugged in the
phone, and when the passcode was entered, the sign-code attack began.

For the demo, the Facebook app was used as an example.

Within seconds of plugging in the charger, the Facebook app was invisibly
removed from the device and seamlessly replaced with a Facebook app
imitation with a malicious payload.

The app's icon was in the exact same spot as it was before the attack -
there is no way of knowing the application is not malware. ...

http://www.zdnet.com/researchers-reveal-how-to-hack-an-iphone-in-60-seconds-7000018822/

------------------------------

Date: Mon, 5 Aug 2013 01:39:04 -0400
From: Monty Solomon <monty () roscom com>
Subject: Android one-click Google authentication method puts users,
  businesses at risk (Lucian Constantin)

Lucian Constantin, PCWorld, 4 Aug 2013

A feature that allows Android users to authenticate themselves on Google
websites without having to enter their account password can be abused by
rogue apps to give attackers access to Google accounts, a security
researcher showed Saturday at the Defcon security conference in Las Vegas.

The feature is called "weblogin" and works by generating a unique token that
can be used to directly authenticate users on Google websites using the
accounts they have already configured on their devices.

Weblogin provides a better user experience but can potentially compromise
the privacy and security of personal Google accounts, as well as Google Apps
accounts used by businesses, Craig Young, a researcher at security firm
Tripwire, said during his talk.

Young created a proof-of-concept rogue app that can steal weblogin tokens
and send them back to an attacker who can then use them in a Web browser to
impersonate a victim on Google Apps, Gmail, Drive, Calendar, Voice and other
Google services.

The app was designed to masquerade as a stock viewing app for Google Finance
and was published on Google Play, with a description that clearly indicated
it was malicious and shouldn't be installed by users. ...

http://www.pcworld.com/article/2045903/android-oneclick-google-authentication-method-puts-users-businesses-at-risk.html

------------------------------

Date: Mon, 5 Aug 2013 01:49:33 -0400
From: Monty Solomon <monty () roscom com>
Subject: Wolf in sheep's clothing at Black Hat: Getting pwn'd by innocent
 looking devices (Darlene Storm)

Darlene Storm, 1 Aug 2013

A trio of researchers presented "Mactans: Injecting Malware into iOS Devices
via Malicious Chargers" at Black Hat, demonstrating how an "iOS device can
be compromised within one minute" after plugging into a maliciously crafted
charger. Until Apple patches the vulnerability that allows the exploit, all
iPhone or iPad users are vulnerable as the device does not need to be
jailbroken for the attack to work. It takes advantage of an iOS flaw that
allows pairing without any notification to the user.

Their proof-of-concept charger, dubbed Mactans, was built using a $45
BeagleBoard. As soon as an iOS device is plugged in, the fake charger
instantly captures the Unique Device Identifier (UDID). Then it connects to
Apple's developer support website and submits that UDID for a "provisioning
profile." The charger installs code and the attacker now has full control of
the device. GTISC associate director Paul Royal said, "Getting the UDID is
trivial, and getting a provisioning profile is easy and automated."

In one demonstration of what an attacker could do remotely, the researchers
plugged an iPhone 5 into the charger, hid the iPhone Facebook app and
installed a malicious copy over it that launched before the legitimate
"hidden" copy. The Mactans' malicious payload could be about anything, from
allowing "a remote attacker to make an unauthorized phone call from the iOS
device" to taking "a screenshot whenever the user enters a password or other
sensitive information."  Basically it turns an iOS device into a spy tool.
...

http://blogs.computerworld.com/cybercrime-and-hacking/22579/wolf-sheeps-clothing-black-hat-getting-pwnd-innocent-looking-devices

------------------------------

Date: Thu, 15 Aug 2013 13:00:32 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "The devil is in the subscription-licensing details"
  (Robert L. Mitchell)

Robert L. Mitchell | Computerworld, 13 Aug 2013
The transition to cloud-based services is ratcheting up traditional
enterprise software costs and adding layers of complexity

------------------------------

Date: Fri, 16 Aug 2013 10:24:02 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "More Android malware distributed through mobile ad networks"
  (Lucian Constantin)

http://www.infoworld.com/d/mobile-technology/more-android-malware-distributed-through-mobile-ad-networks-224815
Lucian Constantin | IDG News Service, InfoWorld, 13 Aug 2013
Security researchers from Palo Alto Networks found Android apps
downloading malware from rogue mobile ad networks

------------------------------

Date: Thu, 15 Aug 2013 12:47:58 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Outsourced software project with 6,000 pages of specs ends badly"
  (Patrick Thibodeau)

http://www.infoworld.com/t/outsourcing/outsourced-software-project-6000-pages-of-specs-ends-badly-224777
Patrick Thibodeau | Computerworld, 13 Aug 2013
Orange County files lawsuit to recover damages from offshore firm
Tata in tax system rewrite

------------------------------

Date: Thu, 15 Aug 2013 12:43:18 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "What's worse than a system failure? What you say about it"
  (Matt Prigge)

http://www.infoworld.com/d/data-explosion/whats-worse-system-failure-what-you-say-about-it-224751
Matt Prigge, Infoworld, 13 Aug 2013
Communicating well in emergencies is often just as important as
working to end the emergency

------------------------------

Date: Thu, 15 Aug 2013 12:29:36 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Dangerous Linux Trojan could be sign of things to come" (Jon Gold)

http://www.infoworld.com/d/security/dangerous-linux-trojan-could-be-sign-of-things-come-224649
Jon Gold | Network World, 12 Aug 2013
'Hand of Thief' Trojan specifically targets Linux but operates a lot
like similar malware that targets Windows machines

------------------------------

Date: Thu, 15 Aug 2013 12:25:39 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Anonymous is not anonymous" (Roger A. Grimes)

http://www.infoworld.com/d/security/anonymous-not-anonymous-224783
Roger A. Grimes | InfoWorld, 13 Aug 2013
At this point, most of us would welcome shelter from the gaze of
government cyber spies. Here are six reasons why that may be unattainable

------------------------------

Date: Wed, 14 Aug 2013 12:49:01 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "AARP website hacked" (Woody Leonhard)

Woody Leonhard | InfoWorld
Now would be a good time to change your passwords

------------------------------

Date: Wed, 14 Aug 2013 12:46:22 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Video: Watch what happens when a Prius gets hacked" (Pete Babb)

http://www.infoworld.com/t/hacking/video-watch-what-happens-when-prius-gets-hacked-224270
Pete Babb | InfoWorld, 07 Aug 2013
Security engineers take over the various computerized systems of a
Toyota hybrid and wirelessly control it

------------------------------

Date: Sun, 18 Aug 2013 09:54:01 -0400
From: t byfield <tbyfield () panix com>
Subject: Re: Xerox scanners/photocopiers randomly alter numbers (RISKS-27.41)

Glynn Clements <glynn () gclements plus com> wrote:

  Any scanner has limits to its accuracy, and any form of lossy compression
  has some loss. But unlike e.g. JPEG, where the artifacts are often clearly
  visible, there is no indication of the degree of uncertainty involved.

Therein lies the real innovation: arbitrary textual variations that can't be
detected by the human eye. This kind of technique can and, I expect, will be
used to serialize documents by introducing subtle variations into each
instance of them -- to trace leaks, for example.

  From a legal perspective, the mere fact that such scanners exist brings
  into question the authenticity of any document unless its entire history
  is known.

One way to establish that provenance is to ensure that each instance
of a document is unique -- by serializing it!
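
A toy model of the mechanism this thread is about, added here as an
illustration; it is not code from any post in the thread and not the
algorithm of any particular scanner. Symbol-dictionary compression of a
bilevel scan stores one bitmap per distinct glyph and re-uses it for every
later glyph that looks "similar enough"; the similarity threshold decides
whether a 6 is stored as itself or as a reference to an 8 seen earlier. The
5x7 glyph bitmaps, the Hamming-distance matcher and the thresholds are all
constructed for the example. The substitution log the encoder returns is the
"indication of the degree of uncertainty" that Glynn notes is missing in
practice.

```python
"""Toy symbol-dictionary (pattern-matching) compression of a scanned line.

Added example, constructed for this note; it is not the code or the exact
algorithm of any scanner. Every glyph bitmap on the page is compared with the
dictionary of glyphs already stored, and if one is within `threshold` pixel
differences the encoder emits a reference to that entry instead of the glyph
itself. The decoder then prints the dictionary entry, not what was scanned.
"""

# Constructed 5x7 bitmaps ('#' = ink); not real font data.
GLYPHS = {
    "6": ["..##.", ".#...", "#....", "####.", "#...#", "#...#", ".###."],
    "8": [".###.", "#...#", "#...#", ".###.", "#...#", "#...#", ".###."],
    "1": ["..#..", ".##..", "..#..", "..#..", "..#..", "..#..", ".###."],
}


def hamming(a, b):
    """Number of pixels at which two equally sized bitmaps differ."""
    return sum(pa != pb for ra, rb in zip(a, b) for pa, pb in zip(ra, rb))


def encode(page, threshold):
    """Compress a list of glyph bitmaps.

    Returns (dictionary, stream, log): stream[i] is the dictionary index that
    stands in for page[i]; log lists (position, distance) for every glyph that
    was replaced by a dictionary entry it did not match exactly. A real encoder
    has no ground truth, so this log is the only uncertainty signal available.
    """
    dictionary, stream, log = [], [], []
    for pos, bitmap in enumerate(page):
        best, best_d = None, None
        for idx, entry in enumerate(dictionary):
            d = hamming(bitmap, entry)
            if best_d is None or d < best_d:
                best, best_d = idx, d
        if best is not None and best_d <= threshold:
            stream.append(best)          # lossy: reuse the look-alike
            if best_d:
                log.append((pos, best_d))
        else:
            dictionary.append(bitmap)    # new symbol, stored verbatim
            stream.append(len(dictionary) - 1)
    return dictionary, stream, log


def decode(dictionary, stream):
    """Reconstruct the page from the dictionary references."""
    return [dictionary[i] for i in stream]


def read_digits(bitmaps):
    """Exact-match 'OCR' against the reference glyphs; '?' for anything else."""
    lookup = {tuple(b): ch for ch, b in GLYPHS.items()}
    return "".join(lookup.get(tuple(b), "?") for b in bitmaps)


def roundtrip(text, threshold):
    """Scan `text` as glyph bitmaps, compress, decompress and read it back.

    Returns (text_as_read, substitution_log).
    """
    page = [GLYPHS[ch] for ch in text]
    dictionary, stream, log = encode(page, threshold)
    return read_digits(decode(dictionary, stream)), log


if __name__ == "__main__":
    for threshold in (2, 8):
        text, log = roundtrip("8186", threshold)
        print(f"threshold={threshold}: read back {text!r}, substitutions {log}")
```

Whether a glyph is altered depends on what the encoder has already seen on
the page: the same "6" round-trips correctly on its own or under a tight
threshold, and is read back as "8" when it follows an 8 under a loose one.
That is why the corruption looks random to the user. An integrity check for
archival scans therefore needs either a lossless mode or a substitution log
like the one returned here, not a visual inspection.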

------------------------------

Date: Sun, 18 Aug 2013 12:55:09 -0400 (EDT)
From: bo774 () freenet carleton ca (Kelly Bert Manning)
Subject: Re: The Public/Private Surveillance Partnership (RISKS-27.41)

I carry a cell phone only when my employer pays for it, and pays me to carry
it. The battery in the work phone lasts longer with GPS and Bluetooth
turned off.

The GPS is supposed to activate automatically if I press 911.  GPS is a real
time compute intensive application. In other words a battery drainer for
mobile devices.

Walking around, or commuting by transit I often feel that I am in the middle
of some science fiction story, surrounded by people largely oblivious to
what is going on around them, eyes focused on a display screen and their
hearing blocked by ear buds or by a phone held to their head. Pedestrians
often seem oblivious to traffic or sidewalk hazards while they focus on a
display or a conversation.

RAND Emeritus Willis H. Ware, an ACM and IEEE Fellow, who chaired the
committee which wrote the "Records, Computers, and the Rights of Citizens"
HEW report, might have an interesting perspective on radio location,
identification and tracking.

I have read that during the 2nd World War Dr. Ware did classified work on
advanced Radio Location and Identify Friend or Foe transponders.

I am old enough to remember politicians making a big deal of the fact
that citizens don't have to carry Internal Passports with them at all times,
even within the same city, unlike folks in Moscow. Seemed like a killer
argument to me at the time. Now you can't get on an intercity bus without
identifying yourself.

If you drive a private car, it may have built-in GPS. Your license plate may
be scanned as you leave town, drive along the highway, or enter a new town.
We saw that used by police in Boston earlier this year, in combination with
phone location tracking.

How times have changed.

www.worldcat.org/title/records-computers-and-the-rights-of-citizens/oclc/251870191/editions?referer=di&editionsView=true

------------------------------

Date: Sun, 18 Aug 2013 10:31:15 -0400 (EDT)
From: Danny Burstein <dannyb () panix com>
Subject: Re: DC, Maryland: Speed Camera Firms Move To Hide Evidence (R-27.41)

"The District has also recently been installing next-generation speed
cameras that use infrared light instead of a visible flash when
photographing vehicles. This means drivers will have no way of knowing
whether they will receive a ticket until weeks after the alleged
violation."

About 30 years ago (where does the time go?) I read a snippet in New
Scientist that their Spy Folk accidentally released some of their super
duper sekrit tech tricks. Per the article, the Brits had patented a "near
infrared" [a] flash unit assembly for their spooks that hooked into a
surveillance camera, letting them take nighttime photograph license plates
of the folk they were watching without warning them.

So... unless the folk on this side of the pond are paying royalties, they
might get hit with Patent Trolls!

- I was heavily into photography back then and had my very own Wratten 87C
(infrared) filters for my lights, was using Kodak's B&W and colour IR
recording film, had the books, etc.

[a] "near infrared" is the part of the spectrum just beyond standard and
visible red light. It looks... black to the human eye since we can't see
that far up the scale.

"Far infrared" (or usually, just "infrared" by itself) refers to heat. I'm
highly doubtful consumer level speed cameras are using temperature readings
for license plate number catching, and doubt it would even work.

------------------------------

Date: Sat, 3 Aug 2013 13:41:31 -0400
From: Chris Adams <chris () improbable org>
Subject: Re: Download manager takes Web site down (Kuenning, RISKS-27.40)

  RISK: The TCP/IP specification is extensive and explicit, but doesn't
  address simultaneous connections from the same client.  ...

I'm not sure this can really be blamed on TCP/IP: in the specific example
above, the HTTP specification both recommends a connection limit (2,
although common convention has adjusted up to 6 over the last few years) and
does offer the convention of quickly returning HTTP 503 errors when the
server is over capacity.

The problem, however, is that this is neither effective nor desirable in
practice because by now it's quite rare for the hard limit to actually be
the number of simultaneous connections rather than the total bandwidth
available -- it's quite easy to end up with, say, a hundred slow connections
using as much bandwidth as one connection from someone with a gigabit link
and modern web servers can easily handle many tens of thousands of
simultaneous connections. Total capacity is also affected by traffic using
protocols other than HTTP, or even TCP, so effective flow control has to
happen at a lower level: there's an existing standard called ECN
(http://en.wikipedia.org/wiki/Explicit_Congestion_Notification), which
provides a mechanism for a router to inform clients that the upstream path
is congested. This problem is also more crudely but effectively solved on
the client by adjusting the connection count and speed based on measured
performance and error rates.

Unfortunately, as the example illustrates there's no way to handle this
situation nicely when faced with clients which are buggy and do not follow
either standards or accepted best practices. As described above, IDM
obviously does not follow standard HTTP conventions, honor ECN, or even
throttle or retry failed attempts (a ridiculous lapse for a download
manager). There's simply no way to handle that kind of badly broken client
without deploying some sort of fair-queuing system on either your servers
or, better, the upstream router to avoid clogging the pipe with
likely-doomed packets. A good queuing system, possibly combined with a
robust fronting cache like Varnish, would also tend to keep the connections
from timing out even when they become quite slow by ensuring that each
connection doesn't go too long without receiving at least a few bytes.

Chris

P.S. As an aside, http://iotta.snia.org/ does not appear to support HTTP
byte ranges, which more intelligent clients can use to resume partial
transfers. While this obviously can't help with broken clients I have found
this quite effective for retrieving files over unstable links as something
wget or curl can repeatedly retry as needed until they've retrieved every
chunk of the file.
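
The client behaviour Chris describes, in one piece of example code: back off
on 503, honour Retry-After, resume with byte ranges after a short read, and
cope with an origin that ignores Range. This is an added example, not IDM's
code or anything from the thread. The origin server is a constructed
in-process stand-in, the "unstable link" is modelled by truncating the first
few responses, and the sleeps a real client would perform are recorded
instead of executed so the example runs offline in an instant.

```python
"""A resumable, well-behaved download client against a constructed origin.

Added example; not IDM's or any real download manager's code. No network or
sleeping is involved: the origin is a Python object and the waits the client
would perform are returned as a list.
"""

import re


class ToyOrigin:
    """Stand-in for an HTTP origin (constructed for this example).

    ranges      honour Range requests (RFC 7233); if False, Range is ignored
                and every response is a 200 starting at byte 0
    truncate    how many of the first successful responses are cut off after
                `chunk` bytes, modelling a link that drops mid-transfer
    fail_every  every Nth request is refused with 503 + Retry-After
    """

    def __init__(self, payload, ranges=True, truncate=0, chunk=4, fail_every=0):
        self.payload, self.ranges = payload, ranges
        self.truncate, self.chunk, self.fail_every = truncate, chunk, fail_every
        self.requests = 0
        self.bytes_sent = 0  # bytes put on the wire, for comparing strategies

    def get(self, headers):
        """Serve one GET; returns (status, response_headers, body)."""
        self.requests += 1
        if self.fail_every and self.requests % self.fail_every == 0:
            return 503, {"Retry-After": "2"}, b""
        total, start = len(self.payload), 0
        m = re.fullmatch(r"bytes=(\d+)-", headers.get("Range", ""))
        if m and self.ranges:
            start = int(m.group(1))
        body = self.payload[start:]
        if self.truncate:                 # the link drops part way through
            self.truncate -= 1
            body = body[: self.chunk]
        self.bytes_sent += len(body)
        if start:
            return 206, {"Content-Range": f"bytes {start}-{total - 1}/{total}"}, body
        return 200, {"Content-Length": str(total)}, body


def download(origin, max_retries=5, max_restarts=3, retry_cap=30):
    """Fetch the whole resource, resuming with byte ranges after short reads.

    Returns (data, delays); delays are the seconds a real client would have
    slept before each retry. Raises RuntimeError when the origin stays over
    capacity or keeps ignoring Range after a partial transfer.
    """
    data, delays = bytearray(), []
    retries, restarts, backoff, expected = 0, 0, 1, None
    while expected is None or len(data) < expected:
        req = {"Range": f"bytes={len(data)}-"} if data else {}
        status, hdrs, body = origin.get(req)
        if status == 503:
            retries += 1
            if retries > max_retries:
                raise RuntimeError("origin still over capacity; giving up")
            # Prefer the origin's Retry-After (delay-seconds form only here;
            # the HTTP-date form is not handled), else exponential backoff.
            delay = min(int(hdrs.get("Retry-After", backoff)), retry_cap)
            delays.append(delay)
            backoff = min(backoff * 2, retry_cap)
            continue
        retries, backoff = 0, 1
        if status == 206:
            m = re.fullmatch(r"bytes (\d+)-(\d+)/(\d+)", hdrs["Content-Range"])
            if not m or int(m.group(1)) != len(data):
                raise RuntimeError("origin returned a range we did not ask for")
            expected = int(m.group(3))
        elif status == 200:
            if data:
                # Range was ignored: this body starts at byte 0, so the partial
                # copy is useless. Discard it and count the restart.
                restarts += 1
                if restarts > max_restarts:
                    raise RuntimeError("origin cannot resume; giving up")
                data = bytearray()
            expected = int(hdrs["Content-Length"])
        else:
            raise RuntimeError(f"unexpected status {status}")
        data.extend(body)  # a truncated body is fine: the next request resumes
    return bytes(data), delays


if __name__ == "__main__":
    blob = bytes(range(20))
    for ranges in (True, False):
        origin = ToyOrigin(blob, ranges=ranges, truncate=2, fail_every=3)
        data, delays = download(origin)
        assert data == blob
        print(f"ranges={ranges}: {origin.requests} requests, "
              f"{origin.bytes_sent} bytes on the wire, waited {delays}")
```

Run it with `ranges=False` and the bytes on the wire exceed the size of the
resource, because every drop forces a full re-download; that is the cost of
an origin that does not support byte ranges, as in the P.S. above. Two
things a real client needs that this toy leaves out: a cap on simultaneous
connections per host (the HTTP/1.1 guidance of 2, around 6 in current
browsers), and handling of the HTTP-date form of Retry-After.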

------------------------------

Date: Fri, 9 Aug 2013 06:11:57 +0000
From: Jeffrey Alexander <jeffrey.alexander () sri com>
Subject: Re: How a Misplaced Reef on a Digital Chart Destroyed a Minesweeper
  (Saffo, RISKS-27.13)

[Jeff missed Paul Saffo's earlier posting in RISKS-27.13, Jan 2013,
having sent in an incremental item.  He then responded to my response.]

Perhaps of greater interest is the link to the site with the official report
on the incident, completed in May 2013:

  http://www.cpf.navy.mil/foia/reading-room/

Jeffrey Alexander, Assoc.Dir. Research & Analytics, Center for Science,
Technology & Economic Development, SRI Arlington VA http://csted.sri.com

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.42
************************

