RISKS Forum mailing list archives

Risks Digest 28.26


From: RISKS List Owner <risko () csl sri com>
Date: Thu, 11 Sep 2014 15:55:33 PDT

RISKS-LIST: Risks-Forum Digest  Thursday 11 September 2014 Volume 28 : Issue 26

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/28.26.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Nancy Pelosi urges FCC to reclassify broadband as a utility (Verge)
"Microsoft patch KB 2918614 triggers 'key not valid for use,' more errors"
  (Woody Leonhard via Gene Wirchenko)
Apple - Update to Celebrity Photo Investigation (Monty Solomon)
Apple Announces Apple Pay (Monty Solomon)
iPod classic is dead, and the 30-pin connector along with it
  (Casey Johnston via Monty Solomon)
Re: Apple Says It Will Add New iCloud Security Measures After Celebrity Hack
  (Kurt Seifried)
Amazon's Fire Phone falls to 99 cents on a two-year contract (Roy Amadeo
  via Monty Solomon)
Feds say NSA "bogeyman" did not find Silk Road's servers (David Kravets via
  Monty Solomon)
AT&T/Verizon say 10Mbps is too fast for "broadband," 4Mbps is enough
  (Jon Brodkin via Monty Solomon)
Penalty for driving while texting in Long Island-a disabled cell phone
  (David Kravets via Monty Solomon)
NOBUS BOGUS: "Do You Feel Lucky, Punk?" (Henry Baker)
The Case for Resign Switches for Politicians (Henry Baker)
"Predictive" Technology Used to ID Troubled Cops (Henry Baker)
Re: GM to Introduce Hands-Free Driving in Cadillac Model (Gabe Goldberg)
Re: This chart shows the world's Internet usage shifting to smartphones
  (Rodney Van Meter)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 8 Sep 2014 16:21:13 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Nancy Pelosi urges FCC to reclassify broadband as a utility

Verge via NNSquad
http://www.theverge.com/2014/9/8/6123801/pelosi-urges-title-ii-classification-of-broadband

  A good number of politicians have recently made statements in favor of net
  neutrality, but House Minority Leader Nancy Pelosi is going further than
  most of them today and asking that the Federal Communications Commission
  reclassify broadband as a utility using Title II of the Communications Act
  -- exactly what net neutrality advocates have been pushing for. In a
  letter to FCC chair Tom Wheeler, Pelosi writes that Title II is "an
  appropriate tool to refine modern rules," and that it can do so without
  the FCC overburdening broadband providers.

------------------------------

Date: Mon, 08 Sep 2014 16:04:46 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Microsoft patch KB 2918614 triggers 'key not valid for use,'
  more errors" (Woody Leonhard)

Woody Leonhard | InfoWorld, 08 Sep 2014
August's Windows Installer Service patch causes wide range of
inscrutable problems on Windows 7 and Windows 8 machines
http://www.infoworld.com/t/microsoft-windows/microsoft-patch-kb-2918614-triggers-key-not-valid-use-more-errors-249973

------------------------------

Date: Mon, 8 Sep 2014 23:39:55 -0400
From: Monty Solomon <monty () roscom com>
Subject: Apple - Update to Celebrity Photo Investigation

Apple Media Advisory
Update to Celebrity Photo Investigation
http://www.apple.com/pr/library/2014/09/02Apple-Media-Advisory.html

We wanted to provide an update to our investigation into the theft of photos
of certain celebrities. When we learned of the theft, we were outraged and
immediately mobilized Apple's engineers to discover the source. Our
customers' privacy and security are of utmost importance to us. After more
than 40 hours of investigation, we have discovered that certain celebrity
accounts were compromised by a very targeted attack on user names, passwords
and security questions, a practice that has become all too common on the
Internet. None of the cases we have investigated has resulted from any
breach in any of Apple's systems including iCloud or Find my iPhone. We are
continuing to work with law enforcement to help identify the criminals
involved.

To protect against this type of attack, we advise all users to always use a
strong password and enable two-step verification. Both of these are
addressed on our website at http://support.apple.com/kb/ht4232 .

------------------------------

Date: Tue, 9 Sep 2014 22:30:34 -0400
From: Monty Solomon <monty () roscom com>
Subject: Apple Announces Apple Pay

Transforming Mobile Payments with an Easy, Secure & Private Way to Pay

CUPERTINO, California--September 9, 2014--Apple today announced Apple Pay, a
new category of service that will transform mobile payments with an easy,
secure and private way to pay. Apple Pay works with iPhone 6 and iPhone 6
Plus through a groundbreaking NFC antenna design, a dedicated chip called
the Secure Element, and the security and convenience of Touch ID. Apple Pay
is easy to set up, so hundreds of millions of users can simply add their
credit or debit card on file from their iTunes Store account. Apple Pay will
also work with the newly announced Apple Watch, extending Apple Pay to over
200 million owners of iPhone 5, iPhone 5c and iPhone 5s worldwide.

Apple Pay supports credit and debit cards from the three major payment
networks, American Express, MasterCard and Visa, issued by the most popular
banks including Bank of America, Capital One Bank, Chase, Citi and Wells
Fargo, representing 83 percent of credit card purchase volume in the US.* In
addition to the 258 Apple retail stores in the US, some of the nation's
leading retailers that will support Apple Pay include Bloomingdale's, Disney
Store and Walt Disney World Resort, Duane Reade, Macy's, McDonald's,
Sephora, Staples, Subway, Walgreens and Whole Foods Market. Apple Watch will
also work at the over 220,000 merchant locations across the US that have
contactless payment enabled. Apple Pay is also able to make purchases
through apps in the App Store. ...

http://www.apple.com/pr/library/2014/09/09Apple-Announces-Apple-Pay.html

  [Given the troubles around the world with online payments, this might be
  an invitation to disaster.  PGN]

------------------------------

Date: Tue, 9 Sep 2014 22:41:21 -0400
From: Monty Solomon <monty () roscom com>
Subject: iPod classic is dead, and the 30-pin connector along with it
  (Casey Johnston)

Casey Johnston, Ars Technica, 9 Sep 2014
This marks a complete transition to Lightning connectors, in just two years.

When apple.com returned after the event announcing Apple's new iPhone 6, 6
Plus, and Apple Watch, one of its longest-standing members was gone: the
iPod classic. Along with it goes the 30-pin dock connector, marking a
complete transition to the Lightning connector for Apple's entire mobile
device fleet in exactly two years. ...

http://arstechnica.com/gadgets/2014/09/ipod-classic-is-dead-and-the-30-pin-connector-along-with-it/

------------------------------

Date: Tue, 9 Sep 2014 15:54:23 -0600
From: Kurt Seifried <kurt () seifried org>
Subject: Re: Apple Says It Will Add New iCloud Security Measures After
  Celebrity Hack (Chen, RISKS-28.25)

I'm glad they're not actually fixing the root problems like strengthening
authentication or making brute force attacks harder, now as long as nobody
goes on vacation or doesn't check email for a few days we'll all be safe!

BTW if someone is attacking my iCloud account what exactly can I do about
it? Randomly change my password and hope for the best? Is there any way to
contact apple? Nope!

------------------------------

Date: Tue, 9 Sep 2014 22:56:15 -0400
From: Monty Solomon <monty () roscom com>
Subject: Amazon's Fire Phone falls to 99 cents on a two-year contract
  (Roy Amadeo)

After reports of it struggling in the market, the device gets a $200 price cut.
Ron Amadeo, Ars Technica, 8 Sep 2014
http://arstechnica.com/gadgets/2014/09/amazons-fire-phone-falls-to-99-cents-on-a-two-year-contract/

------------------------------

Date: Tue, 9 Sep 2014 00:52:56 -0400
From: Monty Solomon <monty () roscom com>
Subject: Feds say NSA "bogeyman" did not find Silk Road's servers
  (David Kravets)

David Kravets, *Ars Technica*, 6 Sep 2014
FBI says it found main server via a "misconfiguration" of the login interface.

The FBI easily found the main server of the now-defunct Silk Road online
drug-selling site, and didn't need the National Security Agency's help, federal
prosecutors said in a Friday court filing.

The underground drug website, which was shuttered last year as part of a
federal raid, was only accessible through the anonymizing tool Tor. The
government alleges that Ross Ulbricht, as Dread Pirate Roberts, "reaped
commissions worth tens of millions of dollars" through his role as the
site's leader. Trial is set for later this year.

The authorities said Friday that the FBI figured out the server's IP address
through a misconfiguration in the site's login window. They said that a US
warrant wasn't required to search the Icelandic server because "warrants are
not required for searches by foreign authorities of property overseas."  ...

http://arstechnica.com/tech-policy/2014/09/feds-say-nsa-bogeyman-did-not-find-silk-roads-servers/
http://cdn.arstechnica.net/wp-content/uploads/2014/09/silkroaddoc.pdf

------------------------------

Date: Tue, 09 Sep 2014 13:52:20 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Tech industry groups ask U.S. Senate to 'swiftly pass' NSA curbs"
  (John Ribeiro)

John Ribeiro, Infoworld, 09 Sep 2014
A coalition of tech industry groups writes a letter to Senate leaders
saying an erosion of trust is affecting their business abroad
http://www.infoworld.com/t/federal-regulations/tech-industry-groups-ask-us-senate-swiftly-pass-nsa-curbs-250096

------------------------------

Date: Wednesday, September 10, 2014
From: *Chris Beck* <cbeck () pacanukeha net>
Subject: 5 million leaked gmail usernames and passwords (Daily Dot)

News surfaced yesterday in Russia about this leak (via Dave Farber).
Apparently you can check if you are on it at isleaked.com, but it's under a
lot of load and in Russian.  There is a text box and a button and you want
to see in the green box.
http://www.dailydot.com/crime/google-gmail-5-million-passwords-leaked/

------------------------------

Date: Tue, 09 Sep 2014 13:55:02 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Comcast's open Wi-Fi hotspots inject ads into your browser"
  (Ian Paul)

Ian Paul, PC World, InfoWorld, 09 Sep 2014
By injecting JavaScript ads into your browser, Comcast could be
creating unintended security vulnerabilities
http://www.infoworld.com/d/networking/comcasts-open-wi-fi-hotspots-inject-ads-your-browser-250141

------------------------------

Date: Tue, 09 Sep 2014 13:53:28 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Salesforce.com warns customers of malware attack"

Lucian Constantin, InfoWorld, 09 Sep 2014
A new version of the Dyreza online banking Trojan is stealing
Salesforce.com log-in credentials
http://www.infoworld.com/d/security/salesforcecom-warns-customers-of-malware-attack-250140

------------------------------

Date: Tue, 9 Sep 2014 00:45:03 -0400
From: Monty Solomon <monty () roscom com>
Subject: AT&T/Verizon say 10Mbps is too fast for "broadband," 4Mbps is enough
  (Jon Brodkin)

Cable lobby also implores FCC not to change definition of broadband.
Jon Brodkin, *Ars Technica*, 8 Sep 2014

AT&T and Verizon have asked the Federal Communications Commission not to
change its definition of broadband from 4Mbps to 10Mbps, saying many
Internet users get by just fine at the lower speeds. ...

http://arstechnica.com/business/2014/09/att-and-verizon-say-10mbps-is-too-fast-for-broadband-4mbps-is-enough/

------------------------------

Date: Tue, 9 Sep 2014 22:39:50 -0400
From: Monty Solomon <monty () roscom com>
Subject: Penalty for driving while texting in Long Island-a disabled cell
 phone (David Kravets)

David Kravets, Ars Technica, 9 Sep 2014
New York prosecutor says driving while texting is as dangerous as drunk
driving.

Motorists popped for texting-while-driving violations in Long Island could
be mandated to temporarily disable their mobile phones the next time they
take to the road.

That's according to Nassau County District Attorney Kathleen Rice, who says
she is moving to mandate that either hardware be installed or apps be
activated that disable the mobile phone while behind the wheel. The district
attorney likened the texter's punishment to drunk drivers who sometimes are
required to breathe into a device before turning on the ignition. ...

http://arstechnica.com/tech-policy/2014/09/penalty-for-driving-while-texting-in-long-island-a-disabled-cell-phone/

------------------------------

Date: Mon, 08 Sep 2014 14:33:34 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: NOBUS BOGUS: "Do You Feel Lucky, Punk?"

One major risk in the cyberwar arena is overplaying one's own hand.

Here's a little calculation that I did last week that I hope might sober some people up a bit.

NOBUS BOGUS: "Do You Feel Lucky, Punk?"

Gen. Michael Hayden, former director of the NSA, has put forward the concept
of "NOBUS" ("Nobody But US").

According to *The Washington Post*:

"To a certain extent, this NOBUS idea reflects the weighing of the dual
defensive and offensive mission of the NSA. ...  But we're talking about the
same agency that reportedly has a 600-some elite offensive hacker squad,
Tailored Access Operations or TAO, working out of its headquarters.  And
NOBUS also raises a lot of questions about how the intelligence agency
determines if something is likely to be exploited by adversaries."

http://www.washingtonpost.com/blogs/the-switch/wp/2013/10/04/why-everyone-is-left-less-secure-when-the-nsa-doesnt-help-fix-security-flaws/

Hayden's NOBUS concept depends critically on the U.S. having an overwhelming
advantage in terms of *computer power* relative to its competitors --
particularly China.

Hayden: "If there's a vulnerability here that weakens encryption but you
still need four acres of Cray computers in the basement in order to work it
you kind of think 'NOBUS' and that's a vulnerability we are not ethically or
legally compelled to try to patch -- it's one that ethically and legally we
could try to exploit in order to keep Americans safe from others."

China can obviously afford to build any computer it wants; it owns ~$1.3T of
US debt, and China already makes many of the components needed for such
computers.  So "four acres of Cray computers" isn't much of a show-stopper
for the Chinese.

http://www.treasury.gov/ticdata/Publish/mfh.txt

But based upon most reports of computer hacking I've read, the essential
element for hacking success isn't *computer* power, but *hacker* power;
i.e., human intelligence & hacking skill.  Yes, the NSA might well have
brute-forced a "collision attack" for STUXNET with four acres of Crays, but
such brute force attacks are rare simply because there are so many other --
& far cheaper -- hacks readily available.

So, given the current level of IQ and STEM education in the U.S., "NOBUS"
might just be a hollow (and therefore very dangerous) conceit.

In order to gain some better insight, I've developed a simple model of
hacker skill analogous to *chess ratings*.  Of course, there are no studies
showing any correlation between chess ratings and hacker skills, nor even
studies showing that the probability distributions of chess skills and
hacker skills are similar.

https://en.wikipedia.org/wiki/Elo_rating_system

Nevertheless, I speculate that hacker skills are indeed distributed in a
manner similar to chess skills, and that hacker competitions might show
similar statistics to chess competitions.

Using these assumptions, I've done some calculations based on the
mathematics of chess ratings (developed by Zermelo, a half-century before
Elo).

http://www.glicko.net/research/preface-z28.pdf

If hacker skills were distributed *logistically* like chess ratings, then
one could calculate the probability of hacker A beating hacker B by looking
at the arithmetic *difference* of a chess-like hacker rating.

https://en.wikipedia.org/wiki/Logistic_distribution

Chess ratings seem to have a mean of perhaps 1130, and a standard deviation
of perhaps 315.  Since the probability of winning at chess is based only on
the rating *differences*, we don't care very much about the mean.

A chess rating deficit of 382 gives a 10% chance of winning.
A chess rating deficit of 798 gives a 1% chance of winning.
A chess rating deficit of 1200 gives a .1% chance of winning.

We can rescale a chess rating-like system to a distribution that looks a lot
more like an IQ distribution by setting the mean=100 and the 2.275% quantile
at 130; i.e., only 2.275% of the population has an IQ greater than 130.
(With this rescaling, the logistic distribution "s" parameter is about 8.0.)

Let's call this rating system "HQ", for "Hacker Quotient", and I will
presume that this HQ rating captures hacking skill levels.

An HQ deficit of 17.6 gives a 10% chance of winning.
An HQ deficit of 36.8 gives a 1% chance of winning.
An HQ deficit of 55.3 gives a .1% chance of winning.

China's population is ~1.355 billion, while the US population is ~318.679
million (Wikipedia).  If N=600 is the size of NSA's TAO group, then TAO
presumably represents the best 1.883x10^-4 % of the US population.  But
N=600 represents the best 4.428x10^-5 % of the Chinese population.  If the
tails of the distributions are thin, then the upper tail of a larger
population will have a larger mean than that of a smaller population.

If China's mean HQ is 100, and the US's mean HQ is 98 (following the IQ
difference between China and the US), the HQ deficit for the US TAO v. the
Chinese TAO is 13.58, hence the US's chance of winning a hacker war is only
15.5%.

If both the US and China's mean HQ is 100, the HQ deficit for the US TAO is
only 11.58, hence the US's chance of winning a hacker war is then 19%.

The core insight is that due to the 4.25x population advantage, the top N
(N=600) hackers in China are better than the top N hackers (i.e., NSA's TAO)
in the US.  If there is also a difference in the population mean HQ, then
this effect is additive to the deficit due to population size.

Since we are dealing with the sparse *tails* of these distributions, the
uncertainty of these calculations is very high.  Nevertheless, the overall
conclusion is similar: *population size matters* when looking at extreme
tails.

I should also point out that the US Internet infrastructure is far more
extensive than the Chinese infrastructure, so the US is a much juicier target
for any hacking.  The US would suffer substantially greater damage from any
maliciousness -- particularly on a relative basis -- and hence "people who
live in glass houses shouldn't throw stones".

I'm not so sure that the US wants to continue talking like Dirty Harry with
long odds such as these.

It would also behoove the US to *harden* all that glass -- not just against
nation-states, but against *all* malicious actors.
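
  [Added example, not part of the submission above: the post's logistic-rating
  arithmetic carried through in Python so the quoted figures can be reproduced.
  Assumptions: each group is represented by the rating of its N-th best member
  (the top-N cutoff), the HQ scale is rounded to s = 8.0 as in the post, and
  all function names are illustrative.]

```python
import math

# Figures quoted in the post.
US_POP = 318.679e6
CN_POP = 1.355e9
TAO_N = 600
HQ_S = 8.0                    # the post's rounded logistic scale for "HQ"
ELO_S = 400 / math.log(10)    # Elo curve: 10**(d/400) == exp(d/ELO_S)


def logistic_scale(mean, cutoff, upper_tail):
    """Scale s such that a fraction `upper_tail` of the population lies above `cutoff`."""
    return (cutoff - mean) / math.log((1 - upper_tail) / upper_tail)


def deficit_for(p_win, s):
    """Rating deficit at which the weaker side wins with probability p_win."""
    return s * math.log((1 - p_win) / p_win)


def win_probability(deficit, s):
    """Chance of winning for the side that is `deficit` rating points behind."""
    return 1.0 / (1.0 + math.exp(deficit / s))


def top_n_cutoff(mean, s, n, population):
    """Rating of the n-th best member: the quantile with upper-tail mass n/population."""
    p = n / population
    return mean + s * math.log((1 - p) / p)


def us_vs_china(us_mean, cn_mean, s=HQ_S, n=TAO_N):
    """Return (US deficit, US win probability) when comparing top-n cutoffs.

    With equal means the deficit is essentially s * ln(CN_POP / US_POP):
    in a logistic tail, only the population ratio matters, not n itself.
    """
    deficit = top_n_cutoff(cn_mean, s, n, CN_POP) - top_n_cutoff(us_mean, s, n, US_POP)
    return deficit, win_probability(deficit, s)


if __name__ == "__main__":
    print("fitted HQ scale s: %.3f" % logistic_scale(100, 130, 0.02275))
    for p in (0.10, 0.01, 0.001):
        print("win %5.1f%%: chess deficit %6.0f, HQ deficit %5.1f"
              % (100 * p, deficit_for(p, ELO_S), deficit_for(p, HQ_S)))
    for us_mean in (98, 100):
        d, p = us_vs_china(us_mean, 100)
        print("US mean %3d: deficit %.2f, US win chance %.1f%%" % (us_mean, d, 100 * p))
```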

------------------------------

Date: Tue, 09 Sep 2014 13:12:43 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: The Case for Resign Switches for Politicians (Re: Zittrain, R-28.25)

FYI -- I don't know about kill switches for weapons, but I think that quite
a number of us voters would like to see "automatic resign switches" for
politicians who violate their campaign promises.

I think that most of us would agree that lying and out-of-control
politicians have done far more damage than any number of captured weapons.
In particular, politicians are "captured" all the time by special interests.
Wouldn't it be nice for the voters to be able to (Eric) Cantorize a
politician who got too big for his/her britches?

This wouldn't require any Constitutional or legal changes, but merely a
computer-controlled lock box containing an irrevocable letter of
resignation, which would be automatically and immediately opened by an
online voting system after it tallied a simple majority "no confidence" vote
of the electorate of his/her district/state/country.

A politician could sign up for this service and tout it in his/her
advertising.  Otherwise, voters could safely assume that the politician was
merely "blowing smoke".

A more geeky solution could be developed using the Bitcoin blockchain &
scripting language.

http://www.nytimes.com/2014/09/09/us/politics/a-president-whose-assurances-have-come-back-to-haunt-him.html

------------------------------

Date: Wed, 10 Sep 2014 06:29:17 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: "Predictive" Technology Used to ID Troubled Cops

FYI -- But these systems don't work.  But expect them to be used even more
after Ferguson, even though (particularly because??) they don't work.  These
expensive systems are complete scams, but govts buy them to cover their
asses (see, we've used "best practices").

Tami Abdollah, Technology Used to ID Troubled Cops, Sep 4 2014
http://www.officer.com/news/12001926/technology-used-to-id-troubled-cops

Police departments across the U.S. are using technology to try to identify
problem officers before their misbehavior harms innocent people, embarrasses
their employer, or invites a costly lawsuit -- from citizens or the federal
government.

While such "early warning systems" are often treated as a cure-all, experts
say, little research exists on their effectiveness or -- more importantly --
if they're even being properly used.

Over the last decade, such systems have become the gold standard in
accountability policing with a computerized system used by at least 39
percent of law enforcement agencies, according to the most recent data from
the U.S. Bureau of Justice Statistics.

The issue of police-community relations was thrust into the spotlight after
an officer fatally shot Michael Brown in Missouri.  Since then, departments
have held public forums to build trust with residents.  Some are testing
cameras mounted to officers to monitor their interactions with the public.

Experts say the early warning system can be another powerful tool to help
officers do their jobs and improve relations, but it is only as good as the
people and departments using it.  "It's not a guarantee that you will catch
all of those officers that are struggling," said Jim Bueermann of the
nonprofit Police Foundation, which is dedicated to better policing.  "These
systems are designed to give you a forewarning of problems and then you have
to do something."

  [Long item truncated for RISKS.  PGN]

------------------------------

Date: Mon, 08 Sep 2014 15:01:06 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Re: GM to Introduce Hands-Free Driving in Cadillac Model (R-28.25)

But you're steering and thus presumably watching the road.

"Let the car do the work ... BUT remain alert" -- currently people already
drift off, lose focus, get hypnotized, and text while supposedly still
driving. Increased automation (auto-mation?) and hands/foot-free driving
can't help but worsen attention paid to driving. Alert? Not likely.

------------------------------

Date: Thu, 11 Sep 2014 11:37:53 -0400
From:  Rodney Van Meter <rdv () sfc wide ad jp>
Subject: Re: This chart shows the world's Internet usage shifting to smartphones

http://thenextweb.com/shareables/2014/08/19/watch-world-move-towards-smartphones-one-simple-chart/

I saw this plot when it first arrived on the web a few weeks ago (courtesy
of Dave Farber's IP, IIRC).

It takes only a minute or two to see that the animation is far more glitzy
than accurate.

For starters, it is clear that most of the national lines are extrapolated
from a very small number of data points.  Moreover, the few data points are
likely derived from surveys with very different methodologies; the
discrepancies are substantial.

A clear example is India, in the lower left.  It appears to be composed of
three data points:

  date      PC   mobile
  3/2011  36.9%  22.9%
  3/2013  10.6%  12.8%
  3/2014  11.3%  22.1%

These numbers are simply not plausible.  I have seen other Internet
penetration numbers for India recently, that placed it at around 17%
(independent of method).  My *guess* is that the 2011 numbers actually
represent growth rate, rather than %age of the population!

Practically every country in the data shows some anomalous behavior.
Indonesia shows an outright U-turn; Argentina and Thailand appear to suffer
substantial declines in the actual number of Internet users via any
platform, which seems unlikely.  Korea shows a sudden sharp drop in PC use,
over 10% in a year.  Japan has an odd kink in its line in 2012, declining
10% in six months but then recovering.

Bottom line, I think this is pretty hopeless.

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 28.26
************************

