RISKS Forum mailing list archives

Risks Digest 27.66


From: RISKS List Owner <risko () csl sri com>
Date: Thu, 26 Dec 2013 12:27:29 PST

RISKS-LIST: Risks-Forum Digest  Thursday 26 December 2013  Volume 27 : Issue 66

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.66.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Belgian card payment network crashes two days after record usage (Peter Sayer
  via Jim Reisert)
Programmed Interlocks remain a hazard (Bob Gezelter)
Cryptolocker ransomware has 'infected about 250,000 PCs' (Leo Kelion,
  Brian Randell, Eric Burger)
Target leaks credit card stripe data during Black Friday rush (Bob Gezelter)
Security versus Countersecurity (Dick Mills)
Secret contract tied NSA and RSA (Joseph Menn)
Data brokers won't even tell the government how it uses, sells your data
  (Casey Johnston via Dewayne Hendricks)
NSA oversight panel recommends more privatization of spying
  (Eli the Bearded)
AT&T follows Verizon's lead, will start publishing law enforcement request
  data in early 2014 (Verge via Lauren Weinstein)
Re: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis (Henry Baker)
Silver Bullet 93: Yoshi Kohno (Gary McGraw)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 25 Dec 2013 15:01:08 -0700
From: Jim Reisert AD1C <jjreisert () alum mit edu>
Subject: Belgian card payment network crashes two days after record usage
  (Peter Sayer)

Peter Sayer, *PC World*, 24 Dec 2013

Belgium's card payment network failed on Monday night, leaving millions of
Belgians unable to pay at stores or to withdraw cash from ATMs and
self-service terminals inside banks.

Atos subsidiary Worldline, operator of Belgium's Bancontact-Mister Cash
payment network, reported on its website that it was difficult for
cardholders throughout the country to make payments or withdrawals from
around 4 p.m. local time on Monday. Local media reported long lines to make
cardless withdrawals at bank counters.

Worldline put its business continuity plan into effect, and payment
traffic began to recover from 5.15 p.m., returning to near-normal
levels from 6.30 p.m., the company said in a statement. ...
The outage came just two days after the Belgian payment network celebrated
its busiest ever day, processing 5,499,709 electronic payments on
Saturday. The previous record, of 5,314,820 transactions, was set on
Dec. 22, 2012, also a Saturday.

http://www.pcworld.com/article/2082920/belgian-card-payment-network-crashes-two-days-after-record-usage.html

------------------------------

Date: Fri, 20 Dec 2013 06:17:49 -0700
From: "Bob Gezelter" <gezelter () rlgsc com>
Subject: Programmed Interlocks remain a hazard

It should be no surprise that interlock mechanisms relying on program
control can be compromised by a program bug (e.g., the well-documented
Therac-25 incidents) or by the same means through re-programming (e.g.,
malware).  A team at JHU has demonstrated that it is possible to activate
the camera on a Macbook while suppressing illumination of the "camera
active" LED. It should come as no surprise that programmable controllers can
be reprogrammed to behave in ways other than intended. It is not surprising
that the operating system apparently did not provide sufficient protection
to ensure that non-kernel components do not gain uncontrolled access to a
physical device, a failure on several fronts.  Better software integrity is
one answer. Regrettably, it is also arguable that the lesson for systems
designers is that required privacy interlocks should be implemented in
non-bypassable hardware circuitry, not as programmable displays. From a
consumer standpoint, the best interlock to covert audio/visual capture is
external devices that can be physically unplugged.  The JHU paper can be
found at:
https://jscholarship.library.jhu.edu/handle/1774.2/36569?show=full
Bob Gezelter, http://www.rlgsc.com

------------------------------

Date: Tuesday, December 24, 2013
From: *Dewayne Hendricks*
Subject: Cryptolocker ransomware has 'infected about 250,000 PCs'
  (Leo Kelion via Steve Goldstein via DH via Dave Farber)

[Note:  This item comes from friend Steve Goldstein.  DLH]

Leo Kelion, BBC, 24 Dec 2013
<http://www.bbc.co.uk/news/technology-25506020>

A virulent form of ransomware has now infected about quarter of a million
Windows computers, according to a report by security researchers.
Cryptolocker scrambles users' data and then demands a fee to unencrypt it
alongside a countdown clock.

Dell Secureworks said that the US and UK had been worst affected.  It added
that the cyber-criminals responsible were now targeting home Internet users
after initially focusing on professionals.  The firm has provided a list of
net domains that it suspects have been used to spread the code, but warned
that more are being generated every day.

Ransomware has existed since at least 1989, but this latest example is
particularly problematic because of the way it makes files inaccessible.
"Instead of using a custom cryptographic implementation like many other
malware families, Cryptolocker uses strong third-party certified
cryptography offered by Microsoft's CryptoAPI," said the report.

"By using a sound implementation and following best practices, the malware
authors have created a robust program that is difficult to circumvent."

Ransom dilemma

The first versions of Cryptolocker appear to have been posted to the net on
5 September.  Early examples were spread via spam e-mails that asked the
user to click on a Zip-archived extension identified as being a customer
complaint about the recipient's organisation.

Later it was distributed via malware attached to e-mails claiming there had
been a problem clearing a cheque. Clicking the associated link downloaded a
Trojan horse called Gameover Zeus, which in turn installed Cryptolocker onto
the victim's PC.

By mid-December, Dell Secureworks said between 200,000 and 250,000 computers
had been infected.  It said of those affected, "a minimum of 0.4%, and very
likely many times that" had agreed to the ransom demand, which can currently
only be paid in the virtual currencies Bitcoin and MoneyPak. [...]

Dewayne-Net RSS Feed: <http://dewaynenet.wordpress.com/feed/>

------------------------------

Date: Wednesday, December 25, 2013
From: *Brian Randell*
Subject: Cryptolocker ransomware has 'infected about 250,000 PCs'

My immediate reaction to reading that Cryptolocker is very difficult to
combat, because it uses "strong third-party certified cryptography offered
by Microsoft's CryptoAPI", was to think what a glorious opportunity for NSA
to come to our collective rescue - by demonstrating publicly how great its
skills are! :-)

------------------------------

Date: Thu, Dec 26, 2013 at 8:14 AM
From: Eric Burger <eburger () cs georgetown edu>
Subject: Cryptolocker ransomware has 'infected about 250,000 PCs'

The really sad thing is that [that] is what the Information Assurance
Division [of NSA] *is* supposed to be doing for us.  It is the logic behind
having the *protect American networks* in the same organization that
*attacks foreign networks.*  If you know how to break *them*, you can tell
*us* how to protect ourselves.

------------------------------

Date: Fri, 20 Dec 2013 05:40:18 -0700
From: "Bob Gezelter" <gezelter () rlgsc com>
Subject: Target leaks credit card stripe data during Black Friday rush

Target stores have reportedly experienced a widespread compromise of credit
card swipe data during the peak shopping season. While the technical details
of how the data was compromised remain under investigation, several recent
cases have pointed to malware on Point-of-Sale systems or compromised card
scanning terminals.  Point-of-Sale systems (and other process control
systems) should never have unbridled access to Internet-accessible
systems. They should be located in firewalled cul-de-sacs that prevent all
but those accesses absolutely required by their function (an observation
that I have been making in the "Computer Security Handbook" since the Third
Edition (1995) and reiterate in the soon to be released Sixth Edition).
Similarly, communications between Point-of-Sale card terminals, registers,
and upstream systems should be carefully managed and strongly encrypted,
with properly managed keys.  In the long run, preventative measures are
cheaper than the financial side effects of personal data compromises.
Recent articles are at:
http://www.nytimes.com/2013/12/20/technology/target-stolen-shopper-data.html
http://online.wsj.com/news/articles/SB10001424052702304773104579266743230242538#!
Bob Gezelter, http://www.rlgsc.com

  [Gene Wirchenko noted a similar article by John Ribeiro in InfoWorld,
  "Target says 40 million cards likely skimmed in security breach".  PGN]
http://www.infoworld.com/d/security/target-says-40-million-cards-likely-skimmed-in-security-breach-232946

------------------------------

Date: Mon, 23 Dec 2013 15:46:09 -0500
From: Dick Mills <dickandlibbymills () gmail com>
Subject: Security versus Countersecurity

In the aftermath of the Snowden revelations, our focus has been on details
of who did what and how we can place limits on the NSA and others.  But
details aside, there is a higher level conceptual conflict; namely, the
fundamental incompatibility of security and cyber-warfare.

To avoid getting tied up in semantics, let me make two definitions for the
purpose of this post.  Let G stand for the aggregate of all programs, all
agencies, all levels, of governments, and international alliances of
governments.  Let the words secure and security stand for any level of
protection that G finds inconvenient to penetrate with slight effort.

One goal of G is to be able to intercept the electronic communications of
bad guys, anywhere, anytime, anyplace.  But any organization, public or
private, that has secure communications could be infiltrated or exploited by
bad guys.  Therefore, the need to intercept bad guys translates to the need
to intercept everyone.  Universal bulk surveillance is the only assured way
to achieve that goal all the time.

A second goal of G is the ability to wage offensive cyberwar.  G must be
able to launch effective cyber attacks on short notice against any future
enemy.   But there is no way to be sure in advance who those enemies might
be, or what hardware and software the enemy might choose.  Therefore, the
practical way to attain that goal is to obtain the ability to successfully
attack anyone good or bad.  Deciding who is good and bad can be postponed.

Probably the most pragmatic way to foster both these goals is to weaken
security standards and to install back doors in every security related
system.  Traditional methods of breaching security like social engineering
must be applied case-by-case, and thus can't reach everyone.  Only bulk
methods meet the requirements.

Security experts may warn us that weaknesses and back doors will eventually
be discovered and that the bad guys will turn them against us.   Ignoring
that, our defensive strategy seems to be secrecy (i.e. security via
obscurity) combined with budgets so big that the bad guys can't match them.

Assured offensive capability is synonymous with assuredly ineffective
defensive capability.

As someone concerned with critical infrastructure protection (CIP), I'm
horrified by the conflicted motivations of G.  The same G which demands that
I partner with them to make CIP secure, is also vested in the requirement
that my systems are not secure enough to thwart their surveillance and not
secure enough to repel their cyberwar attacks. After all, if CIP were to
become secure enough to foil G, then I might freely share that expertise
with CIP experts worldwide.  Worse, bad guys might become employees of CIP
organizations here and abroad and use CIP security to cloak their activities
from G. CIP must be secure --- CIP may not be secure, both according to G.

As I see it, the concepts of universal surveillance, offensive cyber war
capabilities, and security are irreconcilable at the highest level;
technical details be damned.

Dick Mills, Sailing Vessel Tarwathie

------------------------------

Date: Mon, 23 Dec 2013 10:14:12 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Exclusive: Secret contract tied NSA and security industry pioneer
  (Joseph Menn)

  [Thanks to George Ledin for spotting this item.]

Exclusive: Secret contract tied NSA and security industry pioneer
Obama on surveillance: "There may be another way of skinning the cat"
Joseph Menn, Reuters, San Francisco, 20 Dec 2013
http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220

(Reuters) - As a key part of a campaign to embed encryption software that it
could crack into widely used computer products, the U.S. National Security
Agency arranged a secret $10 million contract with RSA, one of the most
influential firms in the computer security industry, Reuters has learned.

Documents leaked by former NSA contractor Edward Snowden show that the NSA
created and promulgated a flawed formula for generating random numbers to
create a "back door" in encryption products, the New York Times reported in
September. Reuters later reported that RSA became the most important
distributor of that formula by rolling it into a software tool called Bsafe
that is used to enhance security in personal computers and many other
products.

Undisclosed until now was that RSA received $10 million in a deal that set
the NSA formula as the preferred, or default, method for number generation
in the BSafe software, according to two sources familiar with the
contract. Although that sum might seem paltry, it represented more than a
third of the revenue that the relevant division at RSA had taken in during
the entire previous year, securities filings show.

The earlier disclosures of RSA's entanglement with the NSA already had
shocked some in the close-knit world of computer security experts. The
company had a long history of championing privacy and security, and it
played a leading role in blocking a 1990s effort by the NSA to require a
special chip to enable spying on a wide range of computer and communications
products.

RSA, now a subsidiary of computer storage giant EMC Corp, urged customers to
stop using the NSA formula after the Snowden disclosures revealed its
weakness.

RSA and EMC declined to answer questions for this story, but RSA said in a
statement: "RSA always acts in the best interest of its customers and under
no circumstances does RSA design or enable any back doors in our products.
Decisions about the features and functionality of RSA products are our own."

The NSA declined to comment.

The RSA deal shows one way the NSA carried out what Snowden's documents
describe as a key strategy for enhancing surveillance: the systematic
erosion of security tools. NSA documents released in recent months called
for using "commercial relationships" to advance that goal, but did not name
any security companies as collaborators.

The NSA came under attack this week in a landmark report from a White House
panel appointed to review U.S. surveillance policy. The panel noted that
"encryption is an essential basis for trust on the Internet," and called for
a halt to any NSA efforts to undermine it.

Most of the dozen current and former RSA employees interviewed said that the
company erred in agreeing to such a contract, and many cited RSA's corporate
evolution away from pure cryptography products as one of the reasons it
occurred.

But several said that RSA also was misled by government officials, who
portrayed the formula as a secure technological advance.

"They did not show their true hand," one person briefed on the deal said of
the NSA, asserting that government officials did not let on that they knew
how to break the encryption.

STORIED HISTORY

Started by MIT professors in the 1970s and led for years by ex-Marine Jim
Bidzos, RSA and its core algorithm were both named for the last initials of
the three founders, who revolutionized cryptography.  Little known to the
public, RSA's encryption tools have been licensed by most large technology
companies, which in turn use them to protect computers used by hundreds of
millions of people.

At the core of RSA's products was a technology known as public key
cryptography. Instead of using the same key for encoding and then decoding a
message, there are two keys related to each other mathematically. The first,
publicly available key is used to encode a message for someone, who then
uses a second, private key to reveal it.

From RSA's earliest days, the U.S. intelligence establishment worried it
would not be able to crack well-engineered public key cryptography.  Martin
Hellman, a former Stanford researcher who led the team that first invented
the technique, said NSA experts tried to talk him and others into believing
that the keys did not have to be as large as they planned.

The stakes rose when more technology companies adopted RSA's methods and
Internet use began to soar. The Clinton administration embraced the Clipper
Chip, envisioned as a mandatory component in phones and computers to enable
officials to overcome encryption with a warrant.

RSA led a fierce public campaign against the effort, distributing posters
with a foundering sailing ship and the words "Sink Clipper!"

A key argument against the chip was that overseas buyers would shun
U.S. technology products if they were ready-made for spying. Some companies
say that is just what has happened in the wake of the Snowden disclosures.

The White House abandoned the Clipper Chip and instead relied on export
controls to prevent the best cryptography from crossing U.S.  borders. RSA
once again rallied the industry, and it set up an Australian division that
could ship what it wanted.

"We became the tip of the spear, so to speak, in this fight against
government efforts," Bidzos recalled in an oral history.

RSA EVOLVES

RSA and others claimed victory when export restrictions relaxed.

But the NSA was determined to read what it wanted, and the quest gained
urgency after the September 11, 2001 attacks.

RSA, meanwhile, was changing. Bidzos stepped down as CEO in 1999 to
concentrate on VeriSign, a security certificate company that had been spun
out of RSA. The elite lab Bidzos had founded in Silicon Valley moved east to
Massachusetts, and many top engineers left the company, several former
employees said.

And the BSafe toolkit was becoming a much smaller part of the company.  By
2005, BSafe and other tools for developers brought in just $27.5 million of
RSA's revenue, less than 9% of the $310 million total.

"When I joined there were 10 people in the labs, and we were fighting the
NSA," said Victor Chan, who rose to lead engineering and the Australian
operation before he left in 2005. "It became a very different company later
on."

By the first half of 2006, RSA was among the many technology companies
seeing the U.S. government as a partner against overseas hackers.

New RSA Chief Executive Art Coviello and his team still wanted to be seen as
part of the technological vanguard, former employees say, and the NSA had
just the right pitch. Coviello declined an interview request.

An algorithm called Dual Elliptic Curve, developed inside the agency, was on
the road to approval by the National Institute of Standards and Technology
as one of four acceptable methods for generating random numbers. NIST's
blessing is required for many products sold to the government and often sets
a broader de facto standard.

RSA adopted the algorithm even before NIST approved it. The NSA then cited
the early use of Dual Elliptic Curve inside the government to argue
successfully for NIST approval, according to an official familiar with the
proceedings.

RSA's contract made Dual Elliptic Curve the default option for producing
random numbers in the RSA toolkit. No alarms were raised, former employees
said, because the deal was handled by business leaders rather than pure
technologists.

"The labs group had played a very intricate role at BSafe, and they were
basically gone," said labs veteran Michael Wenocur, who left in 1999.

Within a year, major questions were raised about Dual Elliptic Curve.
Cryptography authority Bruce Schneier wrote that the weaknesses in the
formula "can only be described as a back door."

After reports of the back door in September, RSA urged its customers to stop
using the Dual Elliptic Curve number generator.

But unlike the Clipper Chip fight two decades ago, the company is saying
little in public, and it declined to discuss how the NSA entanglements have
affected its relationships with customers.

The White House, meanwhile, says it will consider this week's panel
recommendation that any efforts to subvert cryptography be abandoned.

(Reporting by Joseph Menn; Editing by Jonathan Weber and Grant McCoo.)
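What "a back door in a random-number generator" means in practice, as an added toy example that is not part of the Reuters article and not code from any RSA product: it reproduces the structure of Dual EC (state s_{i+1} = x(s_i * P), output r_i = x(s_{i+1} * Q)) on a constructed 19-point curve over F_17, with the constants related as P = e * Q for a secret e. Anyone holding e can turn a single output into the next internal state and predict every output that follows; the real Dual_EC_DRBG uses P-256 and truncates each output, which only adds a modest candidate search to the same recovery.

```python
# Toy Dual EC DRBG showing why a secret relation between its two constants
# is a back door.  Constructed curve y^2 = x^3 + 2x + 2 over F_17 (19 points);
# NOT the real Dual_EC_DRBG parameters, whose curve is P-256.

P_MOD = 17          # field prime
A, B = 2, 2         # curve coefficients
G = (5, 1)          # generator of the order-19 group
INF = None          # point at infinity


def inv(x):
    return pow(x, P_MOD - 2, P_MOD)


def add(p1, p2):
    """Affine point addition (handles doubling and the point at infinity)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def x_of(pt):
    if pt is INF:
        raise ValueError("state hit the point at infinity (toy curve too small)")
    return pt[0]


# Public constants as a user sees them: Q is the generator, P looks like just
# another point.  E_SECRET (assumed here to be 3) is what the constants'
# author keeps to themselves; P = E_SECRET * Q is the hidden relation.
E_SECRET = 3
Q_POINT = G
P_POINT = mul(E_SECRET, Q_POINT)   # (10, 6)


def dual_ec_outputs(seed, n):
    """Honest generator: s_{i+1} = x(s_i * P); output r_i = x(s_{i+1} * Q)."""
    s = seed
    out = []
    for _ in range(n):
        s = x_of(mul(s, P_POINT))
        out.append(x_of(mul(s, Q_POINT)))
    return out


def points_with_x(x):
    """Brute-force the curve points with this x-coordinate (fine for F_17)."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    return [(x, y) for y in range(P_MOD) if y * y % P_MOD == rhs]


def predict_next(r, e=E_SECRET):
    """Back door: one output r = x(s*Q) lifts to a point R = +/-(s*Q);
    e*R = +/-(s*e*Q) = +/-(s*P), whose x-coordinate is the NEXT state.
    The sign ambiguity in y is harmless because -R has the same x."""
    R = points_with_x(r)[0]
    next_state = x_of(mul(e, R))
    return x_of(mul(next_state, Q_POINT))


def backdoor_check(seed, n):
    """True if every output after the first is predicted from its predecessor."""
    outs = dual_ec_outputs(seed, n)
    return all(predict_next(outs[i]) == outs[i + 1] for i in range(n - 1))


if __name__ == "__main__":
    print("outputs:", dual_ec_outputs(2, 5))          # [10, 0, 16, 9, 10]
    print("holder of e predicts all:", backdoor_check(2, 8))
```

Without e, recovering the state from an output is the elliptic-curve discrete-log problem; with e it is one scalar multiplication, which is why a generator whose constants came from a single party cannot be trusted by anyone else.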

------------------------------

Date: Saturday, December 21, 2013
From: *Dewayne Hendricks*
Subject: Data brokers won't even tell the government how it uses,
  sells your data (Casey Johnston)

They do disclose consumer types like "credit reliant" and "resilient renter."
Casey Johnston, Ars Technica, 21 Dec 2013
http://arstechnica.com/business/2013/12/data-brokers-wont-even-tell-the-government-how-it-uses-sells-your-data/

A Senate committee released a report this week that goes to great lengths
to determine all of the things that data brokers, the companies that trade
in consumer data, don't want to talk about. The 35-page report describes
some of the companies' strategies for collecting and organizing data, but
significant portions of the report discuss what the companies are unwilling
to talk about: namely, where they get a lot of their data and where that
data is going.

Companies covered in the report include well-known firms, like Datalogix
and Acxiom, as well as credit reporting companies that also trade in
consumer data, like Experian and TransUnion. In the report, the committee
sets out to answer four questions: what data is collected, how specific it
is, how it's collected, and how it's used. While the first two questions
turned out to be reasonably easy to answer, the companies all but
stonewalled the committee on substantial answers to the latter two.

The report harkens back repeatedly to the good old days of data collection,
when many of the same companies queried used demographic information like
zip codes to help marketers figure out where to send catalogs or area codes
to figure out which towns to telemarket to. These days, our many
interactions with the Internet -- particularly financial ones -- have
resulted in an onslaught of data for these data brokers to not only collect,
but to resell to interested parties.

Datalogix claimed to the committee that it has data on ``almost every US
household,'' while Acxiom's databases cover 700 million people worldwide.
Types of data collected include consumer purchase and transaction
information, available methods of payment, types of cars consumers buy,
health conditions, and social media usage. Equifax specified that it knew
such specific details as whether people have bought a particular kind of
shampoo or soft drink in the last six months, how many whiskey drinks a
person has had in the last month, or how many miles they've traveled in the
last four weeks.

What the companies would not specify in full were their sources for consumer
data.  Three companies, Acxiom, Experian, and Epsilon, would not reveal the
sources of their data, citing confidentiality clauses as the reason.

The other data brokers said that their data comes from free government and
public databases, along with purchase or license data from retailers,
financial institutions, and other data brokers, which were otherwise
described as `third-party partners'.

The report mentions that companies acquire social media data specifically
for inclusion in their databases. However, this information is difficult to
connect to a profile without access to much of the metadata logged by the
sites providing those services. Those sites even discourage trying to source
that information outside their official avenues; as the report states,
Facebook once asked data broker Rapleaf to dispose of data it had obtained
by crawling the website. On the other hand, it's well-known that companies
like Facebook and Google re-sell `anonymized' data fed to their services by
customers to third parties like these data brokers.

Acxiom also gets data from websites that collect data in exchange for
coupons, discounts, or health insurance quotes. Beyond that, Acxiom only
stated cryptically that ``there are over 250,000 websites who state in their
privacy policy that they share data with other companies for marketing
and/or risk mitigation purposes.'' [...]

------------------------------

Date: Fri, 20 Dec 2013 02:34:48 -0500 (EST)
From: Eli the Bearded <*@eli.users.panix.com>
Subject: NSA oversight panel recommends more privatization of spying

The final report of the NSA oversight panel has been released.
http://www.whitehouse.gov/sites/default/files/docs/2013-12-12_rg_final_report.pdf

It's very long (300ish pages) and I have read only a small amount. But this
bit struck me as very wrong.

  Recommendation 5

  We recommend that legislation should be enacted that terminates the
  storage of bulk telephony meta-data by the government under section 215,
  and transitions as soon as reasonably possible to a system in which such
  meta-data is held instead either by private providers or by a private
  third party. Access to such data should be permitted only with a section
  215 order from the Foreign Intelligence Surveillance Court that meets the
  requirements set forth in Recommendation 1.

As this is comp.risks and not comp.privacy.privatization, I'll just ask what
risk is posed by the government buying bulk telephony meta-data from private
third parties? Does this create a market for additional, meta-data
collection and data collectors? Will this mean many more systems to protect
from criminal parties? Will this mean private third parties will be more
easily able to interfere for their own benefit in government intelligence
operations?

------------------------------

Date: Fri, 20 Dec 2013 11:57:49 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: AT&T follows Verizon's lead, will start publishing law enforcement
  request data in early 2014

http://j.mp/1drP3fm  (*Verge* via NNSquad)

  "Never let it be said that AT&T and Verizon don't follow each other's
  leads. Just one day after Verizon announced it would start publishing a
  semiannual transparency report that details all of the law enforcement
  requests it receives, AT&T announced that it would begin doing the same in
  early 2014. The carrier's report will include info on the total number of
  law enforcement data requests received from the government in criminal
  cases, the number of subpoenas, court orders, and warrants received, and
  the total number of customers affected. The first report issued should
  cover all of the requests from 2013."

------------------------------

Date: Sun, 22 Dec 2013 19:03:28 -0800
From: Henry Baker <hbaker1 () pipeline com>
Subject: Re: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis
  (RISKS-27.65)

Before anyone sniffs at the Genkin/Shamir/Tromer method as being limited to
4 meters, consider the following LED microphone bug hack:

  An ordinary LED light bulb could be hacked to use 'microphonics' to
  pulse-width modulate the light.  With a proper telescope, this mechanism
  could be used to 'listen' to someone's computer from many miles away --
  perhaps even from a drone above...

LEDs might be hacked to be even smarter -- e.g., 10Mbits/second "LiFi" --
in order to snoop on a WiFi connection:
  http://visiblelightcomm.com/

------------------------------

Date: Tue, 24 Dec 2013 13:49:09 -0500
From: Gary McGraw <gem () cigital com>
Subject: [SC-L] Silver Bullet 93: Yoshi Kohno

Here is Silver Bullet episode 93.  The podcast features a discussion with
Yoshi Kohno (a cigital alum) who is now a computer science professor at
University of Washington.

You've probably heard of Yoshi's car hacking stuff (or maybe even seen it on
Nova).  Yoshi has one of the best vulnerability finding minds in the
business.

  http://www.cigital.com/silver-bullet/show-093/

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.66
************************