Risks Digest 27.67
From: RISKS List Owner <risko () csl sri com>
Date: Wed, 1 Jan 2014 11:19:39 PST
RISKS-LIST: Risks-Forum Digest  Wednesday 1 January 2014  Volume 27 : Issue 67

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.67.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Where are the 1984 Rose Bowl kids now? (PGN)
Hackers target cash machines with USB sticks (Henry Baker)
Matt Blaze on the `Alleged' RSA-NSA Scheming? (Dewayne Hendricks via Dave Farber)
Daunting Mathematical Puzzle Solved, Enables Unlimited Analysis of Encrypted Data (Scientific Computing)
IBM Earns Patent for 'Encrypted Blobs' (Ellen Messmer)
Vint Cerf and Robert Kahn on the future of the Internet (John Markoff)
On Security Architecture, The Panopticon, and "The Law" (arxlight via John Gilmore via Dave Farber)
"The Real Purpose of Oakland's Surveillance Center" (Prashanth Mundkur)
More on NSA surveillance (Henry Baker)
Surveillance leads to censorship? (Robert Schaefer)
Science humour that may disappear? (Martyn Thomas)
REVIEW: Digital Archaeology: The Art and Science of Digital Forensics (Ben Rothke)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 1 Jan 2014 10:15:14 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Where are the 1984 Rose Bowl kids now?

It's time for the Rose Bowl again today. The very first issue of RISKS-1.01 noted the very clever (especially at the time) hacking of the 1984 Rose Bowl scoreboard, which displayed the score as ``Caltech 38 MIT 9'', displayed ``Hi, Mom'' followed by two Caltech beavers on the scoreboard, and broadcast a Monty Python song over the stadium sound system.
  1984 Rose Bowl hoax, scoreboard takeover ("Cal Tech vs. MIT")
This was documented in the ACM SIGSOFT Software Engineering Notes vol 9 no 2, for which I was the editor.

Today's issue of *The New York Times* (page B9 in my National Edition copy) has an (un-bylined) article (Some Pranksters with Panache) that revisits that Rose Bowl, and reminds us of the Caltech students, Dan Kegel and Ted Williams, who engineered the prank by building a small computer, hooking it into the junction box for the scoreboard, and managing to test it beforehand. The article points out that Williams now oversees the chips that go into Xbox consoles, and Kegel helped Google transition from 32- to 64-bit computers and now works at Oblong Industries, which served as technological consultant for the film *Minority Report*.

This seemed innovative at the time. However, today's abilities to hack into automobile control systems and smart cards and just about everything else continue to be demonstrated, in our modern world of generally weak computer-communication security.

Happy New Year!

------------------------------

Date: Tue, 31 Dec 2013 05:42:23 -0800
From: Henry Baker <hbaker1 () pipeline com>
Subject: Hackers target cash machines with USB sticks

So, the NSA's TAO/ANT group still thinks they're the only game in town?

This gang also seems to have a better comprehension of computer security than does Target.

http://www.telegraph.co.uk/technology/internet-security/10543850/Hackers-target-cash-machines-with-USB-sticks.html

Matthew Sparkes, *The Telegraph*, 31 Dec 2013

A gang of thieves targeted cash machines belonging to an unnamed European bank by uploading malicious software that would spit out banknotes on command.

Criminals targeted a string of cash machines by cutting holes in the fascia to reach a USB port and upload malicious code that would spit out banknotes on command.

Speakers at the Chaos Computing Congress in Hamburg described the attacks, which affected an unnamed European bank that noticed several cash machines had been entirely emptied without the safe at the rear being damaged.

The bank increased security after the first attacks and was able to spot the gang drilling holes in the front of the machines, briefly inserting a USB flash drive and then patching up the damage afterwards to cover their tracks. They were then able to return at a later date and instruct the compromised machine to dispense a specific amount of cash.

To gain access they had to enter a 12-digit code, followed by a second code; this is believed to have been a failsafe to prevent individual members of the group from stealing money on their own. The second code constantly changed and the correct response could only be discovered by phoning another gang member.

Researchers found that the software then showed how many of each denomination banknote were in the machine, and asked how much of each it should dispense.

The BBC reports that the researchers, who asked to remain anonymous, said the gang must have had a ``profound knowledge'' of the workings of the cash machines in order to develop and successfully install the software.

------------------------------

Date: December 27, 2013 at 8:56:38 AM EST
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: Matt Blaze on the `Alleged' RSA-NSA Scheming?

  [Remember J Edgar Hoover's excesses?  PGN]

How Worried Should We Be About the Alleged RSA-NSA Scheming?
Matt Blaze, *WiReD*, 27 Dec 2013
<http://www.wired.com/opinion/2013/12/what-we-really-lost-with-the-rsa-nsa-revelations/>

A Reuters news story published a week ago raised disturbing questions about the relationship between the NSA and RSA Security (now a division of EMC), a prominent vendor of cryptographic technologies. The article claims that RSA entered into a $10 million contract that required, among other things, that RSA make the (not yet standardized) DUAL_EC_DRBG random number generator the default in its widely used BSAFE cryptographic library. BSAFE is used internally for RSA's products as well as by other vendors, who license it from RSA to develop their own products around it. A couple days later, RSA issued a response, in which it denies that it deliberately weakened its products, but is silent about most of the claims in the Reuters piece.

Random numbers in cryptographic libraries are a big deal. The security of many of the most widely used cryptographic protocols -- particularly those involved in key generation and initial session setup -- utterly depends on an unpredictable source of random numbers. If that source is predictable to an adversary, the security of the entire system collapses completely. And DUAL_EC_DRBG is widely and very credibly suspected of containing a subtle backdoor that allows the NSA (or anyone else) to predict its output under certain conditions.

It's still unclear exactly why RSA agreed to make DUAL_EC_DRBG the default in BSAFE -- whether they understood from the outset that it was likely compromised or were somehow hoodwinked by NSA. But it is clear that it remained BSAFE's default random number generator from 2004 until September of this year; there's an instructive timeline and analysis unraveling what happened here. RSA says it trusted the NSA in 2004, and that it ``continued to rely upon'' NIST (the federal agency concerned with, among other things, cryptographic standards for the federal government) as the ``arbiter'' of the algorithm's security after concerns about a backdoor were publicly raised in 2007.

I believe RSA richly deserves criticism for, at best, abdicating its responsibility to customers to critically evaluate what it sells. But that's not the main point of this post. Rather, the central question here is: Just how worried should we be about the NSA's apparent sabotage of BSAFE's random numbers? Unfortunately, right now the answer is not very comforting.

What Exactly Has Been Compromised Here?

DUAL_EC_DRBG lies in a peculiar corner of a peculiar class of random number generators. Its algorithm is deterministic, which means here that its output is entirely determined by an initial ``seed'' parameter (that has to come from some other source of random bits that, for security, must be unpredictable and kept secret). If you know the seed value, you can re-run the algorithm and get the same random output every time. So if an adversary learns the seed value, the random numbers aren't secure. This isn't in and of itself a problem; in fact, any purely algorithmic random number generator has this property. (These algorithms are also sometimes called ``pseudorandom'' for that reason.) The critical thing for security purposes is that it not be possible to ``reverse'' the algorithm to discover the seed value or otherwise predict future output bits just by looking at the random output.

There are a number of widely-analyzed cryptographic pseudorandom number generators that have been developed by the crypto community. Typically, they're built on other cryptographic algorithms, such as secret-key ciphers or hash functions. But DUAL_EC_DRBG is somewhat unusual because it's based not on a secret key cipher or hash function but on the public key (``number theoretic'') technique called elliptic curve cryptography. Public key cryptography is an unusual choice for a random number generator function because it is much slower than corresponding secret key techniques; each random bit requires much more computation to produce than it would in a generator based on traditional secret key techniques. Under limited circumstances, however, there may be legitimate reasons for a designer to prefer a public-key based random number generator (having to do with specific hardware designs or other algorithms a system uses). So, standardizing a public-key based scheme as an option is not in and of itself an unreasonable thing to do.

NIST held a public workshop in 2004 at which DUAL_EC_DRBG was proposed for consideration as a standard. (That's around when RSA incorporated it as the default for BSAFE.) NIST officially recommended it as a standard option in 2006. Unfortunately, however, DUAL_EC_DRBG's design turns out to have a serious potential flaw depending on how it is used. [...]

Dewayne-Net RSS Feed: <http://dewaynenet.wordpress.com/feed/>

------------------------------

Date: Mon, 30 Dec 2013 12:51:44 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Daunting Mathematical Puzzle Solved, Enables Unlimited Analysis of Encrypted Data

https://www.scientificcomputing.com/news/2013/12/daunting-mathematical-puzzle-solved-enables-unlimited-analysis-encrypted-data

IBM inventors have received a patent for a breakthrough data encryption technique that is expected to further data privacy and strengthen cloud computing security.

The patented breakthrough, called "fully homomorphic encryption," could enable deep and unrestricted analysis of encrypted information -- intentionally scrambled data -- without surrendering confidentiality. IBM's solution has the potential to advance cloud computing privacy and security by enabling vendors to perform computations on client data, such as analyzing sales patterns, without exposing or revealing the original data.

IBM's homomorphic encryption technique solves a daunting mathematical puzzle that confounded scientists since the invention of public-key encryption over 30 years ago. Invented by IBM cryptography Researcher Craig Gentry, fully homomorphic encryption uses a mathematical object known as an "ideal lattice" that allows people to interact with encrypted data in ways previously considered impossible. The breakthrough facilitates analysis of confidential encrypted data without allowing the user to see the private data, yet it will reveal the same detailed results as if the original data was completely visible.

IBM received U.S. Patent #8,565,435: Efficient implementation of fully homomorphic encryption for the invention, which is expected to help cloud computing clients to make more informed business decisions, without compromising privacy and security.

"Our patented invention has the potential to pave the way for more secure cloud computing services -- without having to decrypt or reveal original data," said Craig Gentry, IBM Researcher and co-inventor on the patent. "Fully homomorphic encryption will enable companies to confidently share data and more easily and quickly overcome challenges or take advantage of emerging opportunities."

Following the initial revelation of the homomorphic encryption breakthrough in 2009, Gentry and co-inventor Shai Halevi began testing, refining and pursuing a working implementation of the invention. In 2011, the scientists reported a number of optimizations that advanced their goal of implementing the scheme. The researchers continue to investigate homomorphic encryption and test its practical applicability.

IBM invests more than $6 billion annually in R&D and consistently explores new approaches to cloud computing that will deliver a competitive advantage to the company and its clients. For 20 consecutive years, IBM has topped the list of U.S. patent recipients. The company's invention and patent leadership is illustrated at http://ibm.co/11k6fRn.

IBM has a tradition of making major cryptography breakthroughs, such as the design of the Data Encryption Standard (DES); Hash Message Authentication Code (HMAC); the first lattice-based encryption with a rigorous proof-of-security; and numerous other solutions that have helped advance data security.

More information about how IBM inventors are propelling cloud computing innovations is available at http://ibm.co/174A8tS.

------------------------------

Date: Fri, 27 Dec 2013 11:36:15 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: IBM Earns Patent for 'Encrypted Blobs' (Ellen Messmer)

Ellen Messmer, *Network World*, 19 Dec 2013

IBM cryptography researchers have fine-tuned their approach to keeping data encrypted and processing it at the same time. The researchers say they have developed a data-scrambling technique in which encrypted data can be processed without having to decrypt it first. The technology is known as fully homomorphic encryption, and is described as a way to create encrypted blobs that can be combined and processed with other encrypted blobs and obtain identical results as if the processes were not encrypted. IBM, which received a patent for the technology, continues to test for practical applications, but believes it could be especially useful for sensitive data such as financial information, particularly in cloud environments. "Our patented invention has the potential to pave the way for more secure cloud computing services -- without having to decrypt or reveal original data," says IBM researcher and 2010 ACM Grace Murray Hopper Award recipient Craig Gentry, co-inventor named on the patent with fellow researcher Shai Halevi.

http://www.networkworld.com/news/2013/121913-ibm-patent-277118.html

------------------------------

Date: Mon, 30 Dec 2013 21:35:46 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Vint Cerf and Robert Kahn on the future of the Internet (John Markoff)

"When Edward J. Snowden, the disaffected National Security Agency contract employee, purloined tens of thousands of classified documents from computers around the world, his actions -- and their still-reverberating consequences -- heightened international pressure to control the network that has increasingly become the world's stage. At issue is the technical principle that is the basis for the Internet, its "any-to-any" connectivity. That capability has defined the technology ever since Vinton Cerf and Robert Kahn sequestered themselves in the conference room of a Palo Alto, Calif., hotel in 1973, with the task of interconnecting computer networks for an elite group of scientists, engineers and military personnel."

  [Nice interviews with both Vint and Bob.  PGN]

(John Markoff in *The New York Times* Science Tuesday via NNSquad)
http://j.mp/1cDXKWd

------------------------------

Date: Fri, 27 Dec 2013 20:02:07 -0500
From: Dave Farber <dave () farber net>
Subject: [IP] On Security Architecture, The Panopticon, and "The Law"

- - -------- Forwarded message ----------
From: *John Gilmore*
Date: Friday, December 27, 2013
Subject: [Nsa-spying] On Security Architecture, The Panopticon, and "The Law"

for IP, forwarded from the Cryptography mailing list

Date: Thu, 26 Dec 2013 02:25:10 +0100
From: arxlight <arxlight () arx li>
To: Cryptography <cryptography () metzdowd com>
Subject: [Cryptography] On Security Architecture, The Panopticon, And "The Law"

Obviously, I applaud the herculean efforts the list members have (even just in the last few months) exerted in the service of reforming "the practice" in light of the labyrinthine mess we have all been recently presented with.

That said, and at the risk of running afoul of the list's core charter on Christmas Day, I would like to explore some of the higher level questions of architecture and design as they relate to the legal schema that presently underpins the intelligence apparatus of the West. (Mostly because I am an awful coder and I like the way big words look in print).

For better or worse (and mostly for worse at this point) the legal schema that drives almost 100% of the global threat model stems from the United States. No, no... we shall brook no whining my dear EU and UK subjects... this will not do at this stage. You get the worldwide governance you deserve in the end, and by permitting a hegemonic, global panopticon to emerge unchallenged over the last many years (is that an NSA facility on your soil? What? Is that ANOTHER ONE?), even in the midst of a supposed "democracy" you have effectively waived your standing to contest it now by legal means. (What, Chancellor? They have been listening to your cellphone? You know what, fuck you and your coalition for signing off on Teufelsberg's funding every year).

So what now?

Well, from whence, we may ask, does the global panopticon derive its surveillance power? We could likely fill several volumes in the course of recording the discourse on this topic. Being that our time together is short, shall we instead focus on a few key points? Yes? Good.

Third Parties --

At least to my way of thinking one of the foremost issues that mucks the entire schema up is the concept of "knowing exposure" of data that might otherwise be shrouded in the "expectation of privacy." An exploration of Katz v. United States and the esteemed cases that later purport to suss out the bounds of the "expectation of privacy" in the jurisprudence of the United States is probably beyond the scope of this discussion, but it probably bears notice to observe that such data as you (oh, noble Citizen of the United States) convey to "third parties" has long been branded as data for which you have waived your "expectation of privacy." One does not, after all, brag about liaisons with illicit lovers to third parties if one expects such details to be kept "unter vier Augen." [under four eyes]

This would be less daunting if it were possible to do more without conveying critical data to third parties. But it isn't. The perverse rise of SaaS offerings and the dependence on large carriers to convey data that should require none such has created an environment where nearly everything is conveyed to a third party. Everything. Ah, the client-server model of computing, may it burn in hell.

May I just ask: How could an industry once so attached to redundancy and distributed infrastructure become so taken with creating massive, single points of failure and a critical reliance on trusted third parties? Was there some massive Facebook founder's share giveaway? What happened to the old mantra "Trusted third parties aren't"? How did the remnants of the cypherpunk movement (forgive me the sentimental nostalgia of youth) lay so utterly dormant as large, centralized providers came to dominate the storage and transmission of critical data? Where, at least, was the tool of end-to-end encryption in this co-opted intermediary world? How, after a few compromises of root certificate authorities (that we know of) did X.509 survive for more than six more months?

And so now the panopticon has only to co-opt a couple dozen large enterprises, many of which are deeply dependent on the largess of central government in the burgeoning crony-capitalist West, to find itself in possession of the vast majority of private communications without issue, notice, or objection. We cannot, surely, blame the panopticon. With that juicy of a target concentrated in a corporate surface area so small what else did we expect? And someone does keep funding her, year in and year out, no?

And so I submit: The reliance on third parties must end. It is not enough simply to mandate that your data reside on third parties you deem slightly more trustworthy than others (we're looking at you, European Union, and particularly at you, Germany). May we be so bold as to point out that trusted third parties that are vulnerable to being co-opted by national sovereigns cannot be trusted? May we, by extension, point out that it is rather difficult to describe a trusted third party that is not vulnerable to being co-opted by national sovereigns? Must we draw a diagram of the inevitable conclusion that follows from these two observations? Alright, if you insist: Stop trusting third parties, dammit.

  [More truncated for RISKS]

Legal Protections --

[...]

Face it. Digital liberty has lost the Lawfare fight. It must win the technical fight. How? [...]

------------------------------

Date: Fri, 27 Dec 2013 23:42:09 -0800
From: Prashanth Mundkur <prashanth.mundkur () gmail com>
Subject: "The Real Purpose of Oakland's Surveillance Center"

News about surveillance by local law enforcement may be getting lost in the attention captured by the ongoing NSA revelations. In recent local news, documents show that the surveillance targets of an elaborate system being built by Oakland are not criminals, but protesters and large demonstrations.

The Real Purpose of Oakland's Surveillance Center
Darwin BondGraham and Ali Winston, in *East Bay Express*
http://www.eastbayexpress.com/oakland/the-real-purpose-of-oaklands-surveillance-center/Content?oid=3789230&showFullText=true

Oakland's citywide surveillance system, the Domain Awareness Center, or DAC, gained national notoriety earlier this year when some city residents voiced strong concerns about the project's privacy and civil rights implications. City officials and supporters of the DAC have responded by contending that objections over privacy and civil rights issues are overblown and that the true purpose of the surveillance center is to help Oakland finally deal with its violent crime problem. But thousands of pages of emails, meeting minutes, and other public documents show that, behind closed doors, city staffers have not been focusing on how the DAC can lower Oakland's violent crime rate. [...]

The Domain Awareness Center is being built in stages and will merge OPD's existing license-plate scanners and gunshot detectors with video feeds from hundreds of surveillance cameras -- many already in place and some to be installed in the future by several different agencies throughout the city -- into a central hub. Oakland police will monitor this "flood of data," as one DAC project presentation called it. Originally limited to monitoring the Port of Oakland, the DAC has since expanded to encompass the entire city.

The Oakland Privacy Working Group, an activist coalition opposed to the DAC, obtained thousands of pages of emails and other public records related to the project from the city via a California Public Records Act request. The privacy group then shared the documents -- which cover the period from August 2012 through September 2013 -- with us. While the emails reveal a great deal about the DAC, they are also notable for what they do not talk about. Among the hundreds of messages sent and received by Oakland staffers and the city's contractor team responsible for building the DAC, there is no mention of robberies, shootings, or the 138 homicides that took place during the period of time covered by the records. City staffers do not discuss any studies pertaining to the use of surveillance cameras in combating crime, nor do they discuss how the Domain Awareness System could help OPD with its longstanding problems with solving violent crimes. In more than 3,000 pages of emails, the terms "murder," "homicide," "assault," "robbery," and "theft" are never mentioned. [...]

During construction of the first phase of the DAC, from roughly August 2012 to October 2013, city staffers repeatedly referred to political protests as a major reason for building the system. Emails to and from Lieutenant Christopher Shannon, Captain David Downing, and Lieutenant Nishant Joshi of OPD and Ahsan Baig, Oakland's technical project leader on the DAC, show that OPD staffers were in the surveillance center during the Trayvon Martin protests this year, and that they may have been monitoring marches in Oakland. In the same chain of emails, Shannon asked if the Emergency Operations Center and the DAC control room's layout had "changed much since May Day," referring to yet another large political rally in Oakland when the DAC appears to have been used by OPD to monitor demonstrations.

The article also notes:

And cameras are just the beginning: Documents mention monitoring "social media," "web feeds," and "text messaging." Large surveillance centers are becoming increasingly common nationwide: They now exist in New York City; Chicago; Baltimore; Washington, DC; and Hudson County, New Jersey.

------------------------------

Date: Mon, 30 Dec 2013 15:06:59 -0800
From: Henry Baker <hbaker1 () pipeline com>
Subject: More on NSA surveillance

FYI -- What if these folks spent even 1% of their cleverness on protecting American citizens & businesses from actual criminals?

Inside TAO: Documents Reveal Top NSA Hacking Unit, Der Spiegel, 29 Dec 2013

The NSA's TAO hacking unit is considered to be the intelligence agency's top secret weapon. It maintains its own covert network, infiltrates computers around the world and even intercepts shipping deliveries to plant back doors in electronics ordered by those it is targeting. ...

http://www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effort-to-spy-on-global-networks-a-940969-druck.html

------------------------------

Date: Mon, 30 Dec 2013 15:40:28 -0500
From: Robert Schaefer <rps () haystack mit edu>
Subject: Surveillance leads to censorship?  [PGN retitling]

In this December's IEEE *Computer* magazine, in the column titled "The Intimidation Factor: How a Surveillance State Can Affect What You Read in Professional Publications", Hal Berghel says that he was forced to pull a screenshot of a PowerPoint slide Edward Snowden leaked to The Washington Post. The screenshot appeared in his July column printed version but was removed from the IEEE digital library version.

Berghel writes: "Pull up a chair and let me tell you a story..."

The full article is behind a paywall:
http://www.computer.org/csdl/mags/co/2013/12/mco2013120091-abs.html

Robert Schaefer, Atmospheric Sciences Group, MIT Haystack Observatory
Westford, MA 01886  781-981-5767  http://www.haystack.mit.edu

------------------------------

Date: Mon, 30 Dec 2013 10:18:06 +0000
From: Martyn Thomas <martyn () thomas-associates co uk>
Subject: Science humour that may disappear?

http://www.theguardian.com/science/2013/dec/29/scientists-favourite-jokes

The RISK is that we may be the last generation who find this one funny ...

The floods had subsided, and Noah had safely landed his ark on Mount Sinai. "Go forth and multiply!" he told the animals, and so off they went two by two, and within a few weeks Noah heard the chatter of tiny monkeys, the snarl of tiny tigers and the stomp of baby elephants. Then he heard something he didn't recognise... a loud, revving buzz coming from the woods. He went in to find out what strange animal's offspring was making this noise, and discovered a pair of snakes wielding a chainsaw. "What on earth are you doing?" he cried. "You're destroying the trees!" "Well Noah," the snakes replied, "we tried to multiply as you bade us, but we're adders... so we have to use logs."

  *contributed by Alan Turnbull, National Physical Laboratory*

------------------------------

Date: Sun, 29 Dec 2013 08:59:55 -0500
From: Ben Rothke <brothke () hotmail com>
Subject: REVIEW: Digital Archaeology: The Art and Science of Digital Forensics

The book Digital Archaeology: The Art and Science of Digital Forensics starts as yet another text on the topic of digital forensics. But by the time you get to chapter 3, you can truly appreciate how much knowledge author Michael Graves imparts.

Archaeology is defined as the study of human activity in the past, primarily through the recovery and analysis of the material culture and environmental data that they have left behind, which includes artifacts, architecture, biofacts and cultural landscapes. The author uses archeology and its associated metaphors as a pervasive theme throughout the book.

While most archeology projects require shovels and pickaxes, digital archeology requires an entirely different set of tools and technologies. The materials are not in the ground, rather on hard drives, SD cards, smartphones and other types of digital media.

Full review at:
http://www.rsaconference.com/blogs/455/rothke/digital-archaeology-the-art-and-science-of-digital-forensics

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
   http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
   <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.67
************************