RISKS Forum mailing list archives

Risks Digest 29.59


From: RISKS List Owner <risko () csl sri com>
Date: Tue, 28 Jun 2016 20:30:30 PDT

RISKS-LIST: Risks-Forum Digest  Tuesday 28 June 2016  Volume 29 : Issue 59

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/29.59.html>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Petition for second EU referendum may have been manipulated (Nicola Slawson
  via Henry Baker)
FAA Officials Discuss Standards to Neutralize Cyberattacks (Gabe Goldberg)
Healthcare workers prioritize helping people over information security
  (BoingBoing)
Hacker Advertises Slew of Alleged Healthcare Organization Records
  (Motherboard)
Clinton's private e-mail was blocked by spam filters, so State IT turned
  them off (Sean_Gallagher)
Woman Wins $10,000 From Microsoft After Unwanted Windows 10 Upgrade
  (Gizmodo)
"Swagger stumbles: Flaw enables remote code execution" (Fahmida Y. Rashid)
"Severe flaws in widely used open source library put many projects
  at risk" (Lucian Constantin)
"Over half of world's top domains weak against email spoofing"
  (Charlie Osborne)
"US Customs wants foreign nationals to reveal their social media handles"
  (Chris Duckett)
What are the risks guns could be banned from video games?
  (Paul Robinson)
Vacationing Security Researcher Exposes Austrian ATM Skimmer (SlashDot)
Lenovo Warns Users To Upgrade Pre-Installed Tool With Severe Security Holes
  (SlashDot)
Yet another study showing old hard drives should be destroyed (Benoit Goas)
Cryptography pioneer Marty Hellman calls for compassion in personal, cyber,
  and international threats (TechCrunch)
Crypto Ransomware Attacks Have Jumped 500% In The Last Year (SlashDot)
Why You Should Stop Using Telegram Right Now (SlashDot)
More Redacted Redactions (LA Times via Henry Baker)
The "Cobra Effect" that is disabling paste on password fields (Troy Hunt)
Writing aid for the blind provides a case study for "compassionate
  engineering" at Carnegie Mellon (TechCrunch)
What if we're all forced to be average? (IEEE Spectrum via Bob Frankston)
Re: Tesla Model X autonomously crashes into building (Amos Shapir)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sun, 26 Jun 2016 07:04:07 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Petition for second EU referendum may have been manipulated

FYI -- This particular type of voting fraud is only one of the most obvious
risks of online voting.

"over 39,000 residents of Vatican City [pop. 800] appeared to have signed
the petition"

http://www.theguardian.com/politics/2016/jun/26/petition-for-second-eu-referendum-may-have-been-manipulated

Petition for second EU referendum may have been manipulated

Data shows people from countries including Iceland and Tunisia backed
petition that should only be signed by Britons and UK residents

Nicola Slawson @nicola_slawson, *The Guardian*, 26 Jun 2016

A petition calling for a second EU referendum which has gained more than 3
million signatures appears to have been manipulated.  The request on
parliament's official petitions website should have been signed only by
British citizens and UK residents.  However, the petition's data shows
signatories from countries around the world, including Iceland, the Cayman
Islands and Tunisia, and in some cases there are more signatures than total
population.  [...]

  [Lots of anecdotal stuff deleted.  PGN]

------------------------------

Date: Thu, 23 Jun 2016 09:43:03 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: FAA Officials Discuss Standards to Neutralize Cyberattacks

WASHINGTON -- Even as U.S. and European regulators jointly pursue ways to fend
off cyberattacks against aviation, they are increasingly focused on devising
standards to ensure that any successful hackers will be detected and
neutralized.

Those twin goals are being widely discussed at an international safety
conference here this week, while new details emerge about proposed
safeguards being developed by a Federal Aviation Administration-created
panel of government and industry officials.
<http://www.wsj.com/articles/panel-reaches-preliminary-agreement-on-airliner-cybersecurity-standards-1465848030>
<http://www.wsj.com/articles/u-s-panel-aims-to-shield-planes-from-cyberattack-1435537440>
http://www.wsj.com/articles/faa-officials-discuss-standards-to-neutralize-cyberattacks-1466081595
or if that doesn't work because of paywall, try this ugly URL:
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwjw2av-or7NAhXDbiYKHY5YDL0QFggcMAA&url=http%3A%2F%2Fwww.wsj.com%2Farticles%2Ffaa-officials-discuss-standards-to-neutralize-cyberattacks-1466081595&usg=AFQjCNE7IXDL1EOXGxJ26OUCZ31uM_6oOA&sig2=YeflpvBDLuJrA3FvpQRGWA

------------------------------

Date: Tue, 28 Jun 2016 09:33:49 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Healthcare workers prioritize helping people over information
  security [disaster ensues]

NNSquad
http://boingboing.net/2016/06/28/healthcare-workers-prioritize.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+boingboing%2FiBag+%28Boing+Boing%29

  These workarounds were driven by clinicians' need to get their jobs done
  and by IT's failure to understand what that entailed. For example, IT's
  imposition of password rotation schedules meant that no one knew what
  their passwords were from moment to moment, forcing them to write them
  down and share them (in some cases, IT might have had this policy set by
  vendors or regulators/insurers). Aggressive timeouts on terminals meant
  that clinicians spent an undue amount of time logging in, making it
  impossible to get their work done.  Other IT-based checks forced
  even-more-dangerous workarounds, like the system that wouldn't let doctors
  save work without ordering potentially lethal blood thinners, which they'd
  have to remember to log back in and cancel, or kill their patients.  A
  thumbprint-based signing system for death certificates only accepted
  thumbprints from one doctor, meaning that his signature was on every death
  certificate, regardless of whose patient the deceased had been.

Let's be 100% clear about this lethal situation. It is 100% the fault of the
IT industry for creating systems that are so abysmally suited to the tasks
at hand that healthcare workers need to behave these ways to get their jobs
done and save lives.

------------------------------

Date: Tue, 28 Jun 2016 11:51:50 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Hacker Advertises Slew of Alleged Healthcare Organization Records

Motherboard via  NNSquad
http://motherboard.vice.com/read/hacker-advertises-slew-of-alleged-healthcare-organization-records

  A hacker is advertising hundreds of thousands of alleged records from
  healthcare organizations on a dark web marketplace, including social
  security and insurance policy numbers.  The data could be used for
  anything from getting lines of credit to opening bank accounts to carrying
  out loan fraud and much more, the hacker selling the data, who goes by the
  handle "thedarkoverlord," told Motherboard.  News site Deep Dot Web first
  reported the news on Saturday. The breaches supposedly come from three
  different healthcare organizations: one in Farmington, Missouri with
  48,000 records; another in Atlanta, Georgia with 397,000 entries, and the
  third in the Central/Midwest US with 210,000 records. Thedarkoverlord has
  decided to not name the organizations, as he has threatened each with a
  ransom demand.

------------------------------

Date: Thu, 23 Jun 2016 10:42:59 -0600
From: Jim Reisert AD1C <jjreisert () alum mit edu>
Subject: Clinton's private e-mail was blocked by spam filters, so State IT
  turned them off (Sean_Gallagher)

Sean Gallagher, *Ars Technica*, 23 Jun 2016

Documents recently obtained by the conservative advocacy group Judicial
Watch show that in December 2010, then-Secretary of State Hillary Clinton
and her staff were having difficulty communicating with State Department
officials by e-mail because spam filters were blocking their messages. To
fix the problem, State Department IT turned the filters off -- potentially
exposing State's employees to phishing attacks and other malicious e-mails.

The mail problems prompted Clinton Chief of Staff Huma Abedin to suggest to
Clinton, "We should talk about putting you on State e-mail or releasing your
e-mail address to the department so you are not going to spam." Clinton
replied, "Let's get [a] separate address or device but I don't want any risk
of the personal [e-mail] being accessible."

http://arstechnica.com/information-technology/2016/06/clintons-private-e-mail-was-blocked-by-spam-filters-so-state-it-turned-them-off/

------------------------------

Date: Mon, 27 Jun 2016 09:10:38 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Woman Wins $10,000 From Microsoft After Unwanted Windows 10 Upgrade
  (Gizmodo)

Gizmodo via NNSquad
http://gizmodo.com/woman-wins-10-000-from-microsoft-after-unwanted-window-1782666146

  A California woman has won a $10,000 judgment from Microsoft after the
  company dropped its appeal in a case in which she alleged that her work
  computer became slow and unreliable after automatically upgrading itself
  to Windows 10.

Class action suit, anyone?

  [Gene Wirchenko also spotted more:
http://www.seattletimes.com/business/microsoft/microsoft-draws-flak-for-pushing-windows-10-on-pc-users/
http://www.theregister.co.uk/2016/06/27/woman_microsoft_windows_10_upgrades/
  ]

------------------------------

Date: Tue, 28 Jun 2016 10:51:47 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Swagger stumbles: Flaw enables remote code execution"
  (Fahmida Y. Rashid)

Fahmida Y. Rashid, InfoWorld, 27 Jun 2016
Swagger's code generators and parsers forgot the core tenet of
software development, which is never to trust user input
http://www.infoworld.com/article/3088569/security/swagger-stumbles-flaw-enables-remote-code-execution.html

selected text:

Because Swagger's generators and parsers don't verify input when generating
code, a maliciously-crafted Swagger document can result in remote code
execution, Rapid7 said in a blog post disclosing the vulnerability.

------------------------------

Date: Fri, 24 Jun 2016 10:26:07 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Severe flaws in widely used open source library put many projects
  at risk" (Lucian Constantin)

When was the last time you heard the Open Source saw about number of
eyeballs?

Lucian Constantin, InfoWorld, 22 Jun 2016
Input validation flaws in libarchive could lead to remote code execution
http://www.infoworld.com/article/3087347/security/severe-flaws-in-widely-used-open-source-library-put-many-projects-at-risk.html

selected text:

Libarchive ... provides real-time access to files compressed with a variety
of algorithms, ...

The library is used by file and package managers included in many Linux and
BSD systems, as well as by components and tools in OS X and Chrome OS.

The Cisco Talos researchers found an integer overflow, a buffer overflow,
and a heap overflow in the libarchive code that handles 7-Zip, mtree and rar
files, respectively.

------------------------------

Date: Fri, 24 Jun 2016 11:06:48 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Over half of world's top domains weak against email spoofing"
  (Charlie Osborne)

Charlie Osborne for Zero Day, ZDNet, 23 Jun 2016
Misconfigured email servers could prompt spoof emails being 'sent'
from legitimate services.
http://www.zdnet.com/article/over-half-of-worlds-top-email-services-weak-to-spoofing/

selected text:

By using only a few lines of Python, the firm's researchers found that over
50 percent of top 500 Alexa websites were vulnerable to spoofing -- either
through having no authentication configured or by having settings
misconfigured.
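
A check of the kind the excerpt describes can be run defensively against your own domains. This added example (not code from the article or its researchers) assumes the "authentication" in question is SPF and DMARC, which the excerpt does not name; the TXT records and `.example` domains are constructed, and the verdict rules are this example's own.

```python
from collections import Counter

# Constructed TXT answers (apex name, _dmarc.<name>) as a resolver would
# return them. Domains are placeholders; none come from the cited study.
SAMPLE_TXT = {
    "strict.example": (["v=spf1 ip4:192.0.2.0/24 -all"],
                       ["v=DMARC1; p=reject; rua=mailto:d@strict.example"]),
    "softfail.example": (["v=spf1 include:_spf.mail.example ~all"], []),
    "monitor.example": (["v=spf1 mx -all"], ["v=DMARC1; p=none"]),
    "open.example": (["v=spf1 +all"], ["v=DMARC1; p=reject"]),
    "dup.example": (["v=spf1 -all", "v=spf1 mx ~all"], []),
    "redirect.example": (["v=spf1 redirect=_spf.mail.example"], []),
    "bare.example": (["site-verification=constructed"], []),
}


def spf_state(apex_txt):
    """Return (state, qualifier of the 'all' mechanism) for an apex TXT set."""
    spf = [r for r in apex_txt if r.split(" ", 1)[0].lower() == "v=spf1"]
    if not spf:
        return "missing", None
    if len(spf) > 1:                  # RFC 7208: several SPF records is a permerror
        return "multiple", None
    redirect = False
    for term in spf[0].split()[1:]:
        term = term.lower()
        qualifier, name = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if name == "all":
            return "ok", qualifier    # terms after 'all' are never evaluated
        redirect = redirect or term.startswith("redirect=")
    # No 'all': the policy lives in another record, or the default is neutral.
    return ("delegated", None) if redirect else ("ok", "?")


def dmarc_policy(dmarc_txt):
    """Return the p= value of the single DMARC record, or None."""
    recs = [r for r in dmarc_txt if r.replace(" ", "").startswith("v=DMARC1")]
    if len(recs) != 1:                # absent or ambiguous: no policy is applied
        return None
    tags = dict(
        (k.strip().lower(), v.strip().lower())
        for k, _, v in (part.partition("=") for part in recs[0].split(";"))
        if k.strip()
    )
    policy = tags.get("p")
    return policy if policy in ("none", "quarantine", "reject") else None


def assess(apex_txt, dmarc_txt):
    """Classify what receivers are told to do with mail forging this domain."""
    state, qualifier = spf_state(apex_txt)
    policy = dmarc_policy(dmarc_txt)
    if state == "missing" and policy is None:
        return "none"                 # no authentication published at all
    if state == "multiple" or qualifier == "+":
        return "misconfigured"        # SPF errors out, or passes every sender
    if policy in ("quarantine", "reject"):
        return "enforced"
    if state == "delegated":
        return "unknown"              # needs the redirect target, not fetched here
    if qualifier == "-":
        return "spf-only"             # envelope sender covered, header From is not
    return "misconfigured"            # softfail/neutral SPF or p=none: nothing rejected


def survey(records):
    """Verdict per domain plus a tally, as a bulk check over many domains reports."""
    verdicts = {d: assess(apex, dmarc) for d, (apex, dmarc) in records.items()}
    return verdicts, Counter(verdicts.values())


if __name__ == "__main__":
    verdicts, tally = survey(SAMPLE_TXT)
    for domain, verdict in verdicts.items():
        print(f"{domain:18} {verdict}")
    print(dict(tally))
```

To audit real domains, replace `SAMPLE_TXT` with TXT answers fetched for each name and its `_dmarc` label; the classification itself needs no network access.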

------------------------------

Date: Tue, 28 Jun 2016 11:03:27 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "US Customs wants foreign nationals to reveal their social
  media handles"

Chris Duckett, ZDNet, 27 Jun 2016
Travelers looking to enter the United States will be asked by US
Customs for their social media IDs under a new proposal.
http://www.zdnet.com/article/us-customs-wants-foreign-nationals-to-reveal-their-social-media-handles/

selected text:

US Customs and the Department of Homeland Security (DHS) want to ask foreign
nationals entering the United States to hand over their social media handles
at a cost of almost $300 million a year.

According to a notice posted on the US federal register, travelers would be
asked to "Please enter information associated with your online presence --
Provider/Platform -- Social media identifier".

Responding to the question would be optional.

   And how long would this be optional?

------------------------------

Date: Sat, 25 Jun 2016 06:28:02 +0000 (UTC)
From: Paul Robinson <rfc1394 () yahoo com>
Subject: What are the risks guns could be banned from video games?

Some people have wondered, because of the public shootings that occur every
so often, including the most recent ones in Orlando and Germany, is there a
risk that computer games might be forbidden to show weapons - specifically
guns - or that video games that show guns being used to wound or kill
people, especially in apocalyptic or "collapse of civilization" scenarios,
where players might engage in rampages, including the potential for the
killing of soldiers and police officers, could be banned or prohibited from
distribution?

Short version:

The various governments of the United States -- which means: the federal
government and both a state government and a sub agency of a state
government such as a county or city - lack the power to prohibit a maker of
a video game from including guns in a video game, the use of guns in a video
game, the use of guns on a video game to kill people, or the use of video
games to kill soldiers, uniformed police officers, or even a protected class
of people or an identifiable minority or religious group such as blacks,
Jews, Catholics, Muslims, Protestants, gays, whites, American Indians, men,
women, or children.

  [Long version much too long for RISKS. Truncated.  PGN]

------------------------------

Date: Sun, 26 Jun 2016 21:01:19 +0200
From: Werner <werneru () gmail com>
Subject: Vacationing Security Researcher Exposes Austrian ATM Skimmer
 (SlashDot, 26 Jun 2016)

(Posted by EditorDavid on Sunday June 26, 2016)
<https://news.slashdot.org/story/16/06/25/1945233/vacationing-security-researcher-exposes-austrian-atm-skimmer>

While vacationing with his family in Vienna, Ben Tedesco (from security
company Carbon Black) discovered an ATM skimmer "in the wild", perfectly
crafted to look like the original card reader.
(<https://www.carbonblack.com/2016/06/24/finding-atm-skimmer-pays-paranoid/>)

New submitter rmurph04 shares Ben's story:

  I went to grab some cash from an ATM. Being security paranoid, I repeated
  my typical habit of checking the card reader with my hand as I have
  hundreds of times. Today's the day when my security awareness paid off!

Ben's blog post includes a video demonstrating the ATM skimmer, as well as
close-ups showing the device had its own control board, strip reader, and
even its own battery.

------------------------------

Date: Sun, 26 Jun 2016 21:18:33 +0200
From: Werner <werneru () gmail com>
Subject: Lenovo Warns Users To Upgrade Pre-Installed Tool With Severe Security
  Holes (SlashDot)

<https://tech.slashdot.org/story/16/06/25/1844252/lenovo-warns-users-to-upgrade-pre-installed-tool-with-severe-security-holes>
(Posted by EditorDavid on Saturday June 25, 2016)

Long-time SlashDot reader itwbennett writes:
Lenovo is advising users to upgrade to version 3.3.003 of Lenovo
Solution Center (LSC)
<https://support.lenovo.com/us/en/product_security/len_7814>, which
includes fixes for two high-severity vulnerabilities in the tool
<http://www.csoonline.com/article/3088526/security/lenovo-patches-two-high-severity-flaws-in-pc-support-tool.html>.
[The tool] allows users to check their system's virus and firewall
status, update their Lenovo software, perform backups, check battery
health, get registration and warranty information and run hardware tests.

The CVE-2016-5249 vulnerability allows an attacker who already has
control of a limited account on a PC to execute malicious code via the
privileged LocalSystem account. And the CVE-2016-5248 vulnerability
allows any local user to send a command to LSC.Services.SystemService in
order to kill any other process on the system, privileged or not.

------------------------------

Date: Tue, 28 Jun 2016 22:05:29 +0200
From: Benoit Goas <goasben () hawk iit edu>
Subject: Yet another study showing old hard drives should be destroyed

I just read about another study on what can be recovered from old hard drives.
Risks are obvious!
See at
http://www.theregister.co.uk/2016/06/28/ebay_hard_drives_still_contain_sensitive_data_study/

------------------------------

Date: Mon, 27 Jun 2016 16:52:15 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Cryptography pioneer Marty Hellman calls for compassion in
  personal, cyber, and international threats (TechCrunch)

https://techcrunch.com/2016/06/27/cryptography-pioneer-marty-hellman-on-using-compassion-in-personal-cyber-and-international-threats/?ncid=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

  Hellman no longer does crypto research, though he retains a position at
  Stanford; instead, he has been advocating for changes in policy that
  acknowledge the new, more interconnected global community.  "I see
  cyberweapons as very similar to nuclear weapons," he said. "Early on we
  had a monopoly on nuclear weapons so we thought they were the greatest
  thing going. But unlike a nuclear weapon, a cyberweapon doesn't destroy
  itself, so like with Stuxnet, our adversaries were able to take it apart
  and figure out how it works. We need to start thinking this through more
  carefully."

------------------------------

Date: Sun, 26 Jun 2016 21:25:38 +0200
From: Werner <werneru () gmail com>
Subject: Crypto Ransomware Attacks Have Jumped 500% In The Last Year

<https://it.slashdot.org/story/16/06/25/157247/crypto-ransomware-attacks-have-jumped-500-in-the-last-year>
(Posted by EditorDavid on Saturday June 25, 2016)

Kaspersky Lab is reporting that the last year saw a 500% increase in the
number of users who encountered crypto ransomware. Trailrunner7 shares
an article from On The Wire:
Data compiled by Kaspersky researchers from the company's cloud network
shows that from April 2015 to March 2016, the volume of crypto
ransomware encountered by users leapt from 131,111 to 718,536
<https://www.onthewire.io/crypto-ransomware-attacks-jump-nearly-500/>.
That's a massive increase, especially considering the fact that
ransomware is a somewhat mature threat. It didn't just burst onto the
scene a couple of years ago. Kaspersky's researchers said the spike in
crypto ransomware can be attributed to a small group of variants.
"Looking at the malware groups that were active in the period covered by
this report, it appears that a rather short list of suspects is
responsible for most of the trouble caused by crypto-ransomware..."

It's difficult to overstate how much of an effect the emergence of
ransomware has had on consumers, enterprises, and the security industry
itself. The FBI has been warning users about crypto ransomware for some
time now, and has consistently advised victims not to pay any ransoms.
Security researchers have been publishing decryption tools for specific
ransomware variants and law enforcement agencies have had some success
in taking down ransomware gangs.

Enterprise targets now account for 13% of ransomware attacks, with
attackers typically charging tens of thousands of dollars, the article
reports, and "Recent attacks on networks at the University of Calgary
<https://news.slashdot.org/story/16/06/12/082234/ransomware-thieves-cost-canada-university-c20000-in-bitcoin>
and Hollywood Presbyterian Medical Center
<https://yro.slashdot.org/story/16/02/18/0253216/la-hospital-pays-off-ransomware-thieves-to-reclaim-its-network>
have demonstrated the brutal effectiveness of this strategy."

------------------------------

Date: Sun, 26 Jun 2016 21:37:10 +0200
From: Werner <werneru () gmail com>
Subject: Why You Should Stop Using Telegram Right Now (SlashDot)

<https://yro.slashdot.org/story/16/06/25/155214/why-you-should-stop-using-telegram-right-now>
(Posted by manishs on Saturday June 25, 2016)

Earlier this week, The Intercept evaluated the best instant messaging
clients from the privacy standpoint
<https://it.slashdot.org/story/16/06/22/1934232/battle-of-the-secure-messaging-apps-signal-triumphs-over-whatsapp-allo>.
The list included Facebook's WhatsApp, Google's Allo, and Signal --
three apps that employ end-to-end encryption. One popular name that was
missing from the list was Telegram. A report on Gizmodo sheds further
light on the matter, adding that Telegram is riddled with a wide range
of security issues, and "doesn't live up to its proclamations as a safe
and secure messaging application." Citing many security experts, the
report states
<http://gizmodo.com/why-you-should-stop-using-telegram-right-now-1782557415>:
One major problem Telegram has is that it doesn't encrypt chats by
default, something the FBI has advocated for. "There are many Telegram
users who think they are communicating in an encrypted way, when they're
not because they don't realize that they have to turn on an additional
setting," Christopher Soghoian, Principal Technologist and Senior Policy
Analyst at the American Civil Liberties Union, told Gizmodo. "Telegram
has delivered everything that the government wants. Would I prefer that
they used a method of encryption that followed industry best practices
like WhatsApp and Signal? Certainly. But, if it's not turned on by
default, it doesn't matter."

The other issue that security experts have taken a note of is that
Telegram employs its own encryption, which according to them, "is widely
considered to be a fatal flaw when developing encrypted messaging apps."
The report adds:

"They use the MTproto protocol which is effectively homegrown and I've
seen no proper proofs of its security," Alan Woodward, professor at the
University of Surrey told Gizmodo. Woodward criticized Telegram for
their lack of transparency regarding their home cooked encryption
protocol. "At present we don't know enough to know if it's secure or
insecure. That's the trouble with security by obscurity. It's usual for
cryptographers to reveal the algorithms completely, but here we are in
the dark. Unless you have considerable experience, you shouldn't write
your own crypto. No one really understands why they did that."

The list goes on and on.
<http://gizmodo.com/why-you-should-stop-using-telegram-right-now-1782557415>

------------------------------

Date: Mon, 27 Jun 2016 16:25:37 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: More Redacted Redactions

FYI -- If you accidentally redact a redaction, you get the original back!

Another example of the Streisand effect.
http://www.latimes.com/politics/la-na-benghazi-democrats-20160627-snap-story.html

"Democrats released but redacted a transcript of Clinton confidant Sidney
Blumenthal answering the committee's questions ... But the redaction marks
are easily erased by anyone able to use a computer's cut-and-paste
function."

------------------------------

Date: Mon, 27 Jun 2016 21:03:25 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: The "Cobra Effect" that is disabling paste on password fields

TroyHunt via NNSquad
https://www.troyhunt.com/the-cobra-effect-that-is-disabling/

  Unfortunately, the enterprising locals saw things differently and
  interpreted the "cash for cobras" scheme as a damn good reason to start
  breeding serpents and raking in the dollars.  Having now seen the flaw in
  their original logic, the poms quickly scrapped the scheme meaning no
  more snake bounty.  Naturally the only thing for the locals to do with
  their now worthless cobras was to set them free so that they may seek out
  a nice cosy British settlement somewhere.  This became known as the Cobra
  Effect or in other words, a solution to a problem that actually makes the
  whole thing a lot worse.  Here's a modern day implementation of the Cobra
  Effect as it relates to the ability to paste your password into a login
  field ...

The inability to paste into a password field drives me bats. It makes
security *worse*, not better!

------------------------------

Date: Mon, 27 Jun 2016 17:27:48 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Writing aid for the blind provides a case study for "compassionate
  engineering" at Carnegie Mellon (TechCrunch)

NNSquad
https://techcrunch.com/2016/06/27/writing-aid-for-the-blind-provides-a-case-study-for-compassionate-engineering-at-carnegie-mellon/?ncid=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

  New mobile games and robot butlers are all well and good, but there are
  also many applications for the latest technology in poverty-stricken
  school districts and in the service of the disabled.  A Carnegie Mellon
  project that targets both of those things is described by its creators as
  an exercise in what they call "compassionate engineering."

------------------------------

Date: 22 Jun 2016 16:51:08 -0400
From: "Bob Frankston" <Bob19-0501 () bobf frankston com>
Subject: What if we're all forced to be average?

The AI Dashcam App That Wants to Rate Every Driver in the World

http://spectrum.ieee.org/cars-that-think/transportation/sensors/the-ai-dashcam-app-that-wants-to-rate-every-driver-in-the-world/?utm_source=CarsThatThink&utm_medium=Newsletter&utm_campaign=CTT06222016

Imagine if everyone is held to the letter of the law by a world of minders?
Just as with DRM, what happens if we take rules that work socially and remove
human discretion? If meaning comes from context there is a major risk in all
these efforts to enforce the letter of the law. One of the big advantages of
the US has been our ability to reinvent ourselves.

------------------------------

Date: Fri, 24 Jun 2016 13:44:30 +0300
From: Amos Shapir <amos083 () gmail com>
Subject: Re: Tesla Model X autonomously crashes into building, owner claims
  (Macky, RISKS-29.58)

Teslas are instrumented. When there's a crash like this one, it's probably
a good idea to wait until the log contents are revealed before repeating
the driver's claims; the logs often show the opposite.

But then if a crossed wire or some other bug causes pressure on the brake
to be misinterpreted by the system as pressure on the accelerator, the logs
would also show that the accelerator was pressed!

The question is, are the logs generated by the same system that we want to
debug?

------------------------------

Date: Tue, 10 May 2016 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.

=> OFFICIAL ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
  http://www.risks.org takes you to Lindsay Marshall's searchable archive at
    newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html --> VoLume, ISsue.
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
  <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 29.59
************************

