RISKS Forum mailing list archives

Risks Digest 28.25


From: RISKS List Owner <risko () csl sri com>
Date: Tue, 9 Sep 2014 12:10:05 PDT

RISKS-LIST: Risks-Forum Digest  Tuesday 9 September 2014  Volume 28 : Issue 25

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/28.25.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Space station launches satellites without permission (Irene Klotz via
  Paul Saffo)
Hacker Breached HealthCare.gov Insurance Site (Monty Solomon)
Hackers Breach Security of a Health Exchange Server (Monty Solomon)
UCLA, Cisco & more join forces to replace TCP/IP (Lauren Weinstein)
Kill switches for weaponry (Jonathan Zittrain)
Fake cell towers discovered (PGN)
BBC: ISPs should assume that heavy VPN users are pirates (Lauren Weinstein)
"Apple iCloud backup quirk could have allowed hackers to access 'deleted'
  files" (John E. Dunn via Gene Wirchenko)
Apple Says It Will Add New iCloud Security Measures After Celebrity Hack
  (Brian X. Chen via Monty Solomon)
Redactions in U.S. Memo Leave Doubts on Data Surveillance Program
  (Monty Solomon)
Online Privacy: Maybe Not So Unreasonable, After All (NYT via Monty Solomon)
"Data shows Home Depot breach could be largest ever" (Jaikumar Vijayan via
  Gene Wirchenko)
"Microsoft patch KB 2918614 triggers 'key not valid for use,' more errors"
  (Woody Leonhard via Gene Wirchenko)
GM to Introduce Hands-Free Driving in Cadillac Model (Gabe Goldberg,
  Phil Smith III)
Re: Software errors in Galileo Satellites (Erling Kristiansen)
Re: Regarding Tesla's cash cow (Richard I Cook, Erling Kristiansen)
Huffington continues trying to "disappear" their discredited
  "email creator" series (Lauren Weinstein)
"Why Is Huffington Post Running A Multi-Part Series To Promote The Lies Of A
  Guy Who Pretended To Invent Email?" (Techdirt via  Lauren Weinstein)
Re: zero-day bounties (Henry Baker)
Live Webinar: Building a Software Security Initiative (Cigital)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 6 Sep 2014 16:23:32 -0700
From: Paul Saffo <paul () saffo com>
Subject: Space station launches satellites without permission (Irene Klotz)

Irene Klotz, Space Station's Cubesat Launcher has Mind of its Own,
Discovery, 5 Sep 2014
http://news.discovery.com/space/space-stations-cubesat-cannon-has-mind-of-its-own-140905.htm

Last night, two more of Planet Lab's shoebox-sized Earth imaging satellites
launched themselves from aboard the International Space Station, the latest
in a series of technical mysteries involving a commercially owned CubeSat
deployer located outside Japan's Kibo laboratory module.

Station commander Steve Swanson was storing some blood samples in one of the
station's freezers Friday morning when he noticed that the doors on
NanoRack's cubesat deployer were open, said NASA mission commentator Pat
Ryan.

Flight controllers at the Johnson Space Center in Houston determined that
two CubeSats had been inadvertently released.

``No crew members or ground controllers saw the deployment. They reviewed
all the camera footage and there were no views of it there either,'' Ryan
said.

The satellites, owned by San Francisco-based Planet Labs, are part of a
planned 100-member network designed to collect images of the entire Earth
every 24 hours.

So far, 12 of 32 CubeSats delivered to the space station aboard a Cygnus
cargo ship in July have been deployed, including four launched
inadvertently, said NanoRacks spokeswoman Abby Dickes.

In addition to the two Planet Labs satellites launched Thursday night, two
more of the company's satellites were released accidentally 23 Aug, a NASA
status report shows.

The latest inadvertent deployment followed unsuccessful attempts Wednesday
night to return NanoRack's CubeSat dispenser to service.  Efforts included
jiggling the small robotic arm holding the dispenser in an attempt to get its
doors to open, Ryan added.

Flight control teams are assessing whether to bring the deployer back inside
the station or to try to release the remaining CubeSats still awaiting
launch.

------------------------------

Date: Thu, 4 Sep 2014 21:23:30 -0400
From: Monty Solomon <monty () roscom com>
Subject: Hacker Breached HealthCare.gov Insurance Site

The Hacker Uploaded Malicious Software, But Consumers' Personal Data
Didn't Appear to Be Taken

Danny Yadron, WSJ, 4 Sep 2014

A hacker broke into part of the HealthCare.gov insurance enrollment website
in July and uploaded malicious software, according to federal officials.

Investigators found no evidence that consumers' personal data were taken or
viewed during the breach, federal officials said. The hacker appears only to
have gained access to a server used to test code for HealthCare.gov, the
officials said.

The server was connected to more sensitive parts of the website that had
better security protections, the officials said. That means it would have
been possible, if difficult, for the intruder to move through the network
and try to view more protected information, an official at the Department of
Health and Human Services said. There is no indication that happened, and
investigators suspect the hacker didn't intend to target a HealthCare.gov
server. ...

http://online.wsj.com/articles/hacker-breached-healthcare-gov-insurance-site-1409861043

------------------------------

Date: Thu, 4 Sep 2014 23:39:39 -0400
From: Monty Solomon <monty () roscom com>
Subject: Hackers Breach Security of a Health Exchange Server

Hackers downloaded malicious software onto a test server of HealthCare.gov,
but did not steal any personal information on consumers, Obama
administration officials said.

http://www.nytimes.com/2014/09/05/us/hackers-breach-security-of-healthcaregov.html

  [up? down? which way does the staircase go?  PGN]

------------------------------

Date: Thu, 4 Sep 2014 16:38:05 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: UCLA, Cisco & more join forces to replace TCP/IP

UCLA, Cisco & more join forces to replace TCP/IP

*Network World* via NNSquad
http://www.networkworld.com/article/2602109/lan-wan/ucla-cisco-more-join-forces-to-replace-tcpip.html

  "Their aim is to put forth an Internet architecture that's more secure,
  able to support more bandwidth and friendlier to app developers.
  Cryptographic authentication, flow balance and adaptive routing/forwarding
  are among the key underlying principles."

 - - -

Except in some comparatively specialized scenarios and situations,
don't hold your breath for TCP/IP going away anytime soon.

------------------------------

Date: Wednesday, September 3, 2014
From: Jonathan Zittrain <zittrain () law harvard edu>
Subject: Kill switches for weaponry (via Dave Farber)

I just wrote a piece for Scientific American about kill switches for ...
medium and heavy weapons.  I know I've long inveighed against vendor (and,
by proxy, government) control over consumer technology, and I still think
that's a central threat to both open code and free speech.  But all of that
otherwise-worrisome tech applied to weapons seems to invert the equities.
http://www.scientificamerican.com/article/the-case-for-kill-switches-in-military-weaponry/
 [...]

Jonathan Zittrain, Harvard Law School | Harvard Kennedy School of Government
 | Harvard School of Engineering and Applied Sciences and
 Berkman Center for Internet & Society  <http://cyber.law.harvard.edu>

------------------------------

Date: Sat, 6 Sep 2014 8:59:35 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Fake cell towers discovered

http://mobile.betanews.com/betanews/#!/entry/mystery-fake-cellphone-towers-discovered-across-america,54073a34e56d0bb8536684dd

------------------------------

Date: Mon, 8 Sep 2014 21:58:18 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: BBC: ISPs should assume that heavy VPN users are pirates

  "In a submission to the Australian Government on the issue of online
  piracy, the BBC indicates that ISPs should be obliged to monitor their
  customers' activities. Service providers should become suspicious that
  customers could be pirating if they use VPN-style services and consume a
  lot of bandwidth, the BBC says."   Torrent Freak via NNSquad
http://torrentfreak.com/bbc-isps-should-assume-heavy-vpn-users-are-pirates-140908/

 - - -

And what should we assume the folks running the BBC are? Pick your synonym
for "dangerous fools" ...

------------------------------

Date: Fri, 05 Sep 2014 10:37:02 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Apple iCloud backup quirk could have allowed hackers to
  access 'deleted' files" (John E. Dunn)

John E. Dunn | Techworld, InfoWorld, 04 Sep 2014
iCloud on iOS secretly keeps last three backups, says Check Point
Software researcher
http://www.infoworld.com/d/mobile-technology/apple-icloud-backup-quirk-could-have-allowed-hackers-access-deleted-files-249749

------------------------------

Date: Sat, 6 Sep 2014 00:24:59 -0400
From: Monty Solomon <monty () roscom com>
Subject: Apple Says It Will Add New iCloud Security Measures After
 Celebrity Hack (Brian X. Chen)

Brian X. Chen, *NYTimes* blog, 4 Sep 2014

Apple said on Thursday that it would strengthen its security measures after
a recent episode where hackers broke into the Apple accounts of a number of
celebrities, stole their nude photos and leaked them on the Internet.

The company said it would add alerts to tell people about activities that
could be signs of a break-in.

Customers will receive emails and alerts called push notifications, which
are messages that show up prominently on iPhones and iPads, when someone
tries to change the password for their iCloud account, upload their
backed-up account data to a new device or log into their accounts for the
first time from an unknown device, the company said.  The notifications will
be added in two weeks. ...

http://bits.blogs.nytimes.com/2014/09/04/apple-says-it-will-add-new-security-measures-after-celebrity-hack/

------------------------------

Date: Sun, 7 Sep 2014 11:19:35 -0400
From: Monty Solomon <monty () roscom com>
Subject: Redactions in U.S. Memo Leave Doubts on Data Surveillance Program

Questions persist after the release of a newly declassified version of a
legal memo approving the National Security Agency's Stellarwind program, a
set of warrantless surveillance and data collection activities secretly
authorized after the terrorist attacks of Sept. 11, 2001.

http://www.nytimes.com/2014/09/07/us/redactions-in-us-memo-leave-doubts-on-data-surveillance-program.html

------------------------------

Date: Sun, 7 Sep 2014 11:24:49 -0400
From: Monty Solomon <monty () roscom com>
Subject: Online Privacy: Maybe Not So Unreasonable, After All

As our online personal information has become less and less personal, the
privacy pendulum may now be ready to switch directions.

http://bits.blogs.nytimes.com/2014/09/07/rethinking-privacy-on-the-internet/

------------------------------

Date: Fri, 05 Sep 2014 10:34:59 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Data shows Home Depot breach could be largest ever"
  (Jaikumar Vijayan)

Jaikumar Vijayan | Computerworld, 03 Sep 2014
The breach occurred at nearly all of Home Depot's 2200 U.S. stores
http://www.infoworld.com/d/security/data-shows-home-depot-breach-could-be-largest-ever-249732

opening text:

It looks like Home Depot may have earned the dubious distinction of being
responsible for the biggest compromise ever involving credit and debit card
data.

------------------------------

Date: Mon, 08 Sep 2014 16:04:46 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Microsoft patch KB 2918614 triggers 'key not valid for use,'
  more errors" (Woody Leonhard)

Woody Leonhard | InfoWorld, 8 Sep 2014
August's Windows Installer Service patch causes wide range of
inscrutable problems on Windows 7 and Windows 8 machines
http://www.infoworld.com/t/microsoft-windows/microsoft-patch-kb-2918614-triggers-key-not-valid-use-more-errors-249973

------------------------------

Date: Mon, 08 Sep 2014 13:04:56 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Re: GM to Introduce Hands-Free Driving in Cadillac Model

"With Super Cruise, when there's a congestion alert on roads like
California's Santa Monica Freeway, you can let the car take over and drive
hands free and feet free through the worst stop-and-go traffic around,"
Barra said in the speech at Cobo Center in Detroit. "If the mood strikes you
on the high-speed road from Barstow, California, to Las Vegas, you can take
a break from the wheel and pedals and let the car do the work. Having it
done for you -- that's true luxury."

But...

GM's Super Cruise technology is not a self-driving car and the feature will
require drivers to remain alert and ready to take the wheel if traffic
conditions become too complex, Lauckner told reporters at a briefing before
Barra's speech.

http://www.bloomberg.com/news/2014-09-07/gm-to-introduce-hands-free-driving-in-cadillac-model.html

Let the car do the work ... BUT remain alert.

"What could possibly go wrong?" seems a profoundly inadequate degree of
skepticism.

Comments on the article question the ability of a company that for many
years shipped faulty ignition switches to get this bit of technology right.

Gabriel Goldberg, Computers and Publishing, Inc.       gabe () gabegold com
3401 Silver Maple Place, Falls Church, VA 22042           (703) 204-0433

------------------------------

Date: Mon, 8 Sep 2014 14:07:45 -0400
From: "Phil Smith III" <phs3 () akphs com>
Subject: Re: GM to Introduce Hands-Free Driving in Cadillac Model (Jclcabal)

We have dynamic cruise on our Sienna, and it's great on the highway.
Doesn't function below 28mph, alas.

But on the Interstate, I get behind someone I like going fast enough and not
weaving/etc., lock it in a click or two above their speed, and now it's just
steering, not playing with the gas. Really makes long trips less stressful.

------------------------------

Date: Fri, 05 Sep 2014 15:53:13 +0200
From: Erling Kristiansen <erling.kristiansen () xs4all nl>
Subject: Re: Software errors in Galileo Satellites (RISKS-28.24)

The title of this item is misleading: As you can read in the linked article,
the fault causing the satellites to be injected into the wrong orbit was in
the launcher, not the satellites.

You may consider this a technicality. But since the launcher and the
satellites come from different manufacturers, I think it is important to
point to the right entity when discussing the failure.

------------------------------

Date: Fri, 5 Sep 2014 09:11:05 +0200
From: Richard I Cook MD <ricookmd () gmail com>
Subject: Re: Regarding Tesla's cash cow (Burstein, RISKS-28.23)

Comments on solar power:

Aside from the general economic issue, the big concern is that solar power
is intermittent and can cut out at any second.

Actually, solar power is about as reliable and predictable a source of energy
delivery in a usable form as I can imagine. The yearly flux of solar
illumination is almost constant.

More to the point, a lot of energy is used in areas where the usable
intensity is low for half a year and high for the other half. Weather
effects that exacerbate this are, on average, quite regular on a yearly
basis.

It is true that energy storage is challenging and is likely to remain so for
the foreseeable future.

There is great potential in the equatorial regions, most notably the great
deserts. Building large collection systems there would make solar generation
nearly independent of the time of year, although occasional violent weather
would continue to be a problem. At least as important as producing huge
amounts of power on a regular schedule, adopting such a scheme could become
an economic engine that might offset the disproportionate effect of climate
change on equatorial peoples.

------------------------------

Date: Fri, 05 Sep 2014 16:12:03 +0200
From: Erling Kristiansen <erling.kristiansen () xs4all nl>
Subject: Re: Regarding Tesla's cash cow  (Anthony, RISKS 28.24)

Solar panels do actually work tolerably well in cloudy conditions, and it's
pretty rare for a cloud to cover an entire country.

Solar panels do, indeed, produce power also in cloudy conditions, but
"tolerably well"?

My experience is:
Lightly overcast: ~30% of peak power
Thick clouds:     ~10% of peak power
Rainy, cloudy winter day: Below threshold at which converter switches on.
In winter, even at the best, sunny days, power is well below summer peak
  level (~50%) due to the low sun.

I live in The Netherlands, where it is not so rare that a cloud covers the
entire country, and more. But it is, of course, a small country.

------------------------------

Date: Sun, 7 Sep 2014 17:04:18 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Huffington continues trying to "disappear" their discredited
  "email creator" series (via NNSquad)

"Huffington" is continuing trying to "disappear" their discredited five part
series on the "creator" of e-mail. You'll recall that yesterday the links to
the five stories at:
  http://www.huffingtonpost.com/news/the-history-of-email/
led to a sort of editorial apology. Today, four of the five stories have
vanished from the page entirely -- leaving a big white gap -- and search
results that previously pointed at them now appear to be 404.  And in case
you don't remember what this page looked like originally, I made a
screenshot of it yesterday, because I anticipated something like this.

Screenshot at: (G+): https://plus.google.com/+LaurenWeinstein/posts/f5i8tB4bveC

------------------------------

Date: Wed, 3 Sep 2014 08:11:03 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: "Why Is Huffington Post Running A Multi-Part Series To
        Promote The Lies Of A Guy Who Pretended To Invent Email?"

Techdirt via NNSquad
https://www.techdirt.com/articles/20140901/07280928386/huffpo-publishes-bizarre-misleading-factually-incorrect-multi-part-series-pretending-guy-invented-email-even-though-he-didnt.shtml

  "Again, that might make for a nice story line if there were some factual
  basis behind it, but there isn't. The history of e-mail is well-documented
  from multiple sources and it began way, way before 1978. And while early
  versions were somewhat crude, by 1978 they had basically everything that
  Ayyadurai claims to have invented (it is entirely believable that
  Ayyadurai, as a bright kid, independently came up with the same ideas, but
  he was hardly the first). There was a messaging system called MAILBOX at
  MIT in 1965. You can read all the details of it here, including source
  code. Ray Tomlinson is frequently credited with inventing the modern
  concept of email for the Internet by establishing the @ symbol (in 1972)
  as a way of determining both the user and which computer to send the email
  to. By 1975, there were things like email folders (invented by Larry
  Roberts) and some other basic email apps. As is noted, by 1976 -- two
  years before Ayyadurai wrote his app -- email was 75% of all ARPANET
  traffic."

 - - -

Why? Because Huffington is only interested in the clicks, that's why, and
if they thought they could get more clicks by claiming Caligula invented
e-mail, they'd be running those stories too.

------------------------------

Date: Fri, 05 Sep 2014 11:54:51 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Re: zero-day bounties (Mills, RISKS-28.24)

"Since the vendors pay for the bounty, introducing bugs into their own
code is counterproductive" (Mills, RISKS-28.24)

Hmmm...  Let's see.  Suppose employee A works for company M which boasts of
a bug bounty.  Freelancer J colludes with employee A to either induce A to
purposely create a bug, or at least provide information about where such
bugs can be found.  Freelancer J gets bug bounty from M, and shares it with
employee A.  Rinse & repeat.  Everybody wins, except for the poor customers
and their credit ratings after being hacked.

Such collusion is legal when A is a law-maker and J is a lobbyist, and such
collusion is rampant and extremely profitable.  Sometimes, A and J are even
the same people, which is called the "revolving door" of agencies such as
the FCC and now, apparently, the NSA (Alexander).

"the Moral Hazard theory doesn't seem to apply here" (jericho, RISKS-28.24)

The biggest moral hazard is caused by computer hardware & software vendors
who sell software that they're not willing to stand behind; i.e., they use
their own customers as alpha and beta testers (aka "human shields" aka
"collateral damage", in the case of computer hacking & ID theft).  Dan Geer
has already discussed this issue.

Bug bounties don't "drain the swamp", but perversely create an industry
dependent upon the existence of the swamp.  The FBI loves the swamp, because
it enables them to manufacture crimes and once in a while produce a pelt.
The NSA loves the swamp, because it enables them to monitor "terrorists",
and the bigger the swamp, the larger the NSA's budget.

There's also the problem of price.  A hundred dollars for a Twitter bug is
an LOL joke; the cost of such a bug to a large corporate user might be
millions of dollars.  Even $100k for a significant bug pales in comparison
to the millions of dollars that such a bug is worth to a criminal or
nation-state.

Do you ever wonder why the Apple goto-fail bug lasted so long?

Let's assume that some bounty-hunter actually *did* notice Apple's goto-fail
behavior.  Any bounty-hunter worth his salt would quickly check for the
existence of this bug on other Apple devices & versions and notice how
extensive this bug was.  A quick calculation would reveal that the bug was
worth multiple millions of dollars to the right customer.  It's entirely
possible that some bounty-hunter was keeping such a bug in his inventory for
this big pay day.

Consider the recent JP Morgan attacks.  These "Willie Sutton" hackers were
apparently going after serious money, and were obviously willing to expend
considerable resources in the process.  What kind of a bounty would it take
to buy them off?  My best guess: $1 billion.

Talk like a Pirate Day is in 2 weeks (Sept. 19th).  We all know about
pirates (the real kind, who sink ships and murder people, not the MPAA faux
rhinestone kind).  These pirates started off as legal "privateers", but
often ended up being hanged for piracy after the govt stopped its privateer
program.

https://en.wikipedia.org/wiki/Privateer
https://en.wikipedia.org/wiki/William_Kidd

This current bug-bounty-hunting privateer movie isn't going to end any
better than the seafaring privateer movie.  Besides, Errol Flynn and Johnny
Depp will never look as good wielding a mouse and a keyboard.

However, I do *not* recommend paying larger bounties, even though there are
bugs worth far more money.

I *do* recommend spending *just as much money* -- i.e., *billions* of
dollars -- on *formal methods* which are the only known way to *guarantee*
the lack of certain types of bugs.

I agree with Dan Geer that we need to loose the real privateers -- the
plaintiffs bar -- on the computer hardware and software industry, so that we
can finally start draining the swamp and make the Internet "safe at any
speed".

https://en.wikipedia.org/wiki/Unsafe_at_Any_Speed

Given the "fat tail" distribution of harm from computer bugs, it's only a
matter of time before the first $1 BILLION loss is incurred (assuming that
it hasn't *already* occurred -- in secret -- e.g., in Sept 2008), and a
large company loses 50% or more of its market value as a result of being
hacked.

Wouldn't it be preferable to spend $1 billion *proving programs correct*
than a far larger amount to criminals and/or bounty-hunters ?
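  [The goto-fail bug Henry mentions above is worth seeing in miniature. The
  following is an added illustration, not Apple's code and not part of
  Henry's message: it reproduces the control-flow shape of the 2014 bug in
  Apple's SSL/TLS signed-key-exchange check (a duplicated, unbraced
  `goto fail;` that skips the signature comparison while `err` still holds
  the success value from the preceding step) next to the braced, corrected
  form. The function names, the stand-in hash and verify steps, and the
  sample inputs are all constructed for the example.  PGN-ed]

```c
/* Added illustration of the "goto fail" control-flow defect (not Apple's
 * code).  hash_update() and verify_signature() are constructed stand-ins
 * for the real hashing and signature-check steps. */
#include <stdio.h>
#include <string.h>

#define ERR_OK       0
#define ERR_BAD_SIG  (-1)

/* Stand-in for hashing the signed handshake parameters: always succeeds.
 * The "digest" is just a copy of the input so the example stays offline. */
static int hash_update(const char *data, char *digest, size_t n) {
    strncpy(digest, data, n - 1);
    digest[n - 1] = '\0';
    return ERR_OK;
}

/* Stand-in for the signature verification step: succeeds only when the
 * presented signature matches the digest. */
static int verify_signature(const char *digest, const char *signature) {
    return strcmp(digest, signature) == 0 ? ERR_OK : ERR_BAD_SIG;
}

/* Vulnerable shape.  The second "goto fail;" is not under the if, so it
 * runs unconditionally; verify_signature() is never reached and err is
 * still ERR_OK from the successful hash step.  A forged signature is
 * therefore accepted. */
int verify_key_exchange_vulnerable(const char *params, const char *signature) {
    char digest[64];
    int err;

    if ((err = hash_update(params, digest, sizeof digest)) != 0)
        goto fail;
        goto fail;                 /* the duplicated line */
    if ((err = verify_signature(digest, signature)) != 0)
        goto fail;

fail:
    /* resource cleanup would go here */
    return err;
}

/* Hardened shape: every conditional body is braced, so a stray line can
 * not silently become unconditional, and the return value is decided by
 * the signature check. */
int verify_key_exchange_fixed(const char *params, const char *signature) {
    char digest[64];
    int err;

    if ((err = hash_update(params, digest, sizeof digest)) != 0) {
        goto fail;
    }
    if ((err = verify_signature(digest, signature)) != 0) {
        goto fail;
    }

fail:
    return err;
}

int main(void) {
    /* constructed inputs: a legitimate signature equals the digest of the
     * parameters; "forged" does not */
    const char *params = "server-dh-params";
    printf("vulnerable, forged signature: %d\n",
           verify_key_exchange_vulnerable(params, "forged"));  /* 0: accepted */
    printf("fixed, forged signature:      %d\n",
           verify_key_exchange_fixed(params, "forged"));       /* -1: rejected */
    printf("fixed, valid signature:       %d\n",
           verify_key_exchange_fixed(params, params));         /* 0 */
    return 0;
}
```

  [Compiling the vulnerable function with `gcc -Wmisleading-indentation`
  (GCC 6 and later) or `clang -Wunreachable-code` flags the duplicated line,
  which is part of Henry's point about how long the bug survived.  PGN-ed]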

------------------------------

Date: Fri, 05 Sep 2014 14:10:52 -0400
From: Cigital <communications () cigital com>
Subject: Live Webinar: Building a Software Security Initiative

Webinar: Building a Software Security Initiative
Thursday, September 25, 2014 1:00 - 2:00 PM EDT
Register:
http://discover.cigital.com/e/28332/tration-html-sco-id-1218490076/3kzhjz/848842747

The increasing frequency and costs of security breaches are driving
customers, senior executives, and board of directors to demand evidence of a
formal program to address software security. Do you know how to start
building a scalable software security initiative?

Join Cigital and Tyler Shields, Senior Analyst at Forrester Research, Inc.,
for a live webinar exploring what it takes to create, restart, or mature a
software security initiative, including:

* Strategies for securing budget and support to build a software security
  initiative
* Identifying foundational components required for an effective software
  security initiative
* Distinguishing key attributes of a scalable software security
  initiative
* Tactics to enable management, security, and engineering groups to make
  immediate software security improvements

Cigital, 21351 Ridgetop Circle, Suite 400, Dulles, VA 20166

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 28.25
************************