RISKS Forum mailing list archives

Risks Digest 34.13


From: RISKS List Owner <risko () csl sri com>
Date: Thu, 4 Apr 2024 12:59:43 PDT

RISKS-LIST: Risks-Forum Digest  Thursday 4 April 2024  Volume 34 : Issue 13

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/34.13>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Review of the Summer 2023 Microsoft Exchange Online Intrusion (CISA)
China's Advancing Efforts to Influence U.S. Election (NYTimes)
RMV warning customers of scams amid statewide outage (The Boston Globe)
Missouri county declares state of emergency amid suspected ransomware attack
 (ArsTechnica)
Tech Glitch Upends Financial Aid for About a Million Students (WSJ)
Did One Guy Just Stop a Huge Cyberattack? (NYTimes)
Carmakers give up on software that avoids kangaroos (ArsTechnica)
Browsing in Google Chrome's incognito mode doesn't protect you as much as
 you might think (The Boston Globe)
Google Deepmind CEO says AI industry is full of 'hype' and 'grifting'
 (ReadWrite)
The wonders of AI! (Lauren Weinstein)
AI that targets civilians: 'The machine did it coldly': Israel used
 AI to identify 37,000 Hamas targets (The Guardian via Lauren Weinstein)
Washington state judge blocks use of AI-enhanced video as evidence
 in possible first-of-its-kind ruling (NBC News)
Amazon's AI-powered "Just Walk Out" checkout option turns out to be 1000
 workers watching you shop (BoingBoing)
This tool makes AI models hallucinate cats to fight copyright infringement
 (NBC News)
An unending array of jailbreaking attacks could be the death of LLMs
 (Gary Marcus)
When AI Meets Toast (Lauren Weinstein)
Medicare forced to expand forms to fit 10-digit bill a penny shy of $100M
 (ArsTechnica)
The FTC is trying to help victims of impersonation scams get their money
 back (The Verge)
Google Maps for CarPlay is a disaster compared to the Android Auto app
 (9-to-5 Google)
Indian company sold contaminated shrimp to U.S. grocery stores,
 'whistleblower' says (NBC News)
CA Governor to install 480 new Flock LPR cameras (ACLU via Henry Baker)
Your boss could forward a mail message to you that shows you text
 he won't see, but you will (Lutrasecurity)
Should we be rethinking using Outlook at work? (Victor Miller)
Man pleads guilty to stealing former coworker's identity for 30 years?
 (ArsTechnica)
Re: xz (Victor Miller et al.)
Re: Ross Anderson (Wendy M. Grossman)
Re: The race between positive and negative applications of GenAI
 (Rob Slade)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 3 Apr 2024 09:43:54 -0400
From: Monty Solomon <monty () roscom com>
Subject: Review of the Summer 2023 Microsoft Exchange Online Intrusion
 (CISA)

https://www.cisa.gov/sites/default/files/2024-04/CSRB_Review_of_the_Summer_2023_MEO_Intrusion_Final_508c.pdf

  [This is a remarkably well-constructed multilateral analysis,
  and well worthy of running extensively in RISKS.  PGN]

In May and June 2023, a threat actor compromised the Microsoft Exchange
Online mailboxes of 22 organizations and over 500 individuals around the
world. The actor—known as Storm-0558 and assessed to be affiliated with the
People’s Republic of China in pursuit of espionage objectives—accessed the
accounts using authentication tokens that were signed by a key Microsoft had
created in 2016. This intrusion compromised senior United States government
representatives working on national security matters, including the email
accounts of Commerce Secretary Gina Raimondo, United States Ambassador to
the People’s Republic of China R. Nicholas Burns, and Congressman Don Bacon.

Signing keys, used for secure authentication into remote systems, are the
cryptographic equivalent of crown jewels for any cloud service provider. As
occurred in the course of this incident, an adversary in possession of a
valid signing key can grant itself permission to access any information or
systems within that key’s domain. A single key’s reach can be enormous, and
in this case the stolen key had extraordinary power. In fact, when combined
with another flaw in Microsoft’s authentication system, the key permitted
Storm-0558 to gain full access to essentially any Exchange Online account
anywhere in the world. As of the date of this report, Microsoft does not
know how or when Storm-0558 obtained the signing key.

This was not the first intrusion perpetrated by Storm-0558, nor is it the
first time Storm-0558 displayed interest in compromising cloud providers or
stealing authentication keys. Industry links Storm-0558 to the 2009
Operation Aurora campaign that targeted over two dozen companies, including
Google, and the 2011 RSA SecurID incident, in which the actor stole secret
keys used to generate authentication codes for SecurID tokens, which were
used by tens of millions of users at that time. Indeed, security researchers
have tracked Storm-0558’s activities for over 20 years.

On August 11, 2023, Secretary of Homeland Security Alejandro Mayorkas
announced that the Cyber Safety Review Board (CSRB, or the Board) would
“assess the recent Microsoft Exchange Online intrusion . . . and conduct a
broader review of issues relating to cloud-based identity and authentication
infrastructure affecting applicable cloud service providers and their
customers.”

The Board conducted extensive fact-finding into the Microsoft intrusion,
interviewing 20 organizations to gather relevant information (see Appendix
A). Microsoft fully cooperated with the Board and provided extensive
in-person and virtual briefings, as well as written submissions. The Board
also interviewed an array of leading cloud service providers to gain insight
into prevailing industry practices for security controls and governance
around authentication and identity in the cloud.

The Board finds that this intrusion was preventable and should never have
occurred. The Board also concludes that Microsoft’s security culture was
inadequate and requires an overhaul, particularly in light of the company’s
centrality in the technology ecosystem and the level of trust customers
place in the company to protect their data and operations.  The Board
reaches this conclusion based on:

1. the cascade of Microsoft’s avoidable errors that allowed this intrusion
to succeed;

2. Microsoft’s failure to detect the compromise of its cryptographic crown
jewels on its own, relying instead on a customer to reach out to identify
anomalies the customer had observed;

3. the Board’s assessment of security practices at other cloud service
providers, which maintained security controls that Microsoft did not;

4. Microsoft’s failure to detect a compromise of an employee's laptop from a
recently acquired company prior to allowing it to connect to Microsoft’s
corporate network in 2021;

5. Microsoft’s decision not to correct, in a timely manner, its inaccurate
public statements about this incident, including a corporate statement that
Microsoft believed it had determined the likely root cause of the intrusion
when in fact, it still has not; even though Microsoft acknowledged to the
Board in November 2023 that its September 6, 2023 blog post about the root
cause was inaccurate, it did not update that post until March 12, 2024, as
the Board was concluding its review and only after the Board’s repeated
questioning about Microsoft’s plans to issue a correction;

6. the Board's observation of a separate incident, disclosed by Microsoft in
January 2024, the investigation of which was not in the purview of the
Board’s review, which nation-state actor to access highly-sensitive
Microsoft corporate email accounts, source code repositories, and internal
systems; and

7. how Microsoft’s ubiquitous and critical products, which underpin
essential services that support national security, the foundations of our
economy, and public health and safety, require the company to demonstrate
the highest standards of security, accountability, and transparency.

Throughout this review, the Board identified a series of Microsoft
operational and strategic decisions that collectively point to a corporate
culture that deprioritized both enterprise security investments and rigorous
risk management.  To drive the rapid cultural change that is needed within
Microsoft, the Board believes that Microsoft’s customers would benefit from
its CEO and Board of Directors directly focusing on the company’s security
culture and developing and sharing publicly a plan with specific timelines
to make fundamental, security-focused reforms across the company and its
full suite of products. The Board recommends that Microsoft’s CEO hold
senior officers accountable for delivery against this plan. In the meantime,
Microsoft leadership should consider directing internal Microsoft teams to
deprioritize feature developments across the company’s cloud infrastructure
and product suite until substantial security improvements have been made in
order to preclude competition for resources. In all instances, security
risks should be fully and appropriately assessed and addressed before new
features are deployed.

Based on the lessons learned from its review and its fact-finding into
prevailing security practices across the cloud services industry, the Board,
in addition to the recommendations it makes to the President of the United
States and Secretary of Homeland Security, also developed a series of
broader recommendations for the community focused on improving the security
of cloud identity and authentication across the government agencies
responsible for driving better cybersecurity, cloud service providers, and
their customers.

• Cloud Service Provider Cybersecurity Practices: Cloud service providers
should implement modern control mechanisms and baseline practices, informed
by a rigorous threat model, across their digital identity and credential
systems to substantially reduce the risk of system-level compromise.

• Audit Logging Norms: Cloud service providers should adopt a minimum
standard for default audit logging in cloud services to enable the
detection, prevention, and investigation of intrusions as a baseline and
routine service offering without additional charge.

• Digital Identity Standards and Guidance: Cloud service providers should
implement emerging digital identity standards to secure cloud services
against prevailing threat vectors. Relevant standards bodies should refine,
update, and incorporate these standards to address digital identity risks
commonly exploited in the modern threat landscape.

• Cloud Service Provider Transparency: Cloud service providers should adopt
incident and vulnerability disclosure practices to maximize transparency
across and between their customers, stakeholders, and the United States
government, even in the absence of a regulatory obligation to report.

• Victim Notification Processes: Cloud service providers should develop more
effective victim notification and support mechanisms to drive
information-sharing efforts and amplify pertinent information for
investigating, remediating, and recovering from cybersecurity incidents.

• Security Standards and Compliance Frameworks: The United States government
should update the Federal Risk Authorization Management Program and
supporting frameworks and establish a process for conducting discretionary
special reviews of the program’s authorized Cloud Service Offerings
following especially high-impact situations. The National Institute of
Standards and Technology should also incorporate feedback about observed
threats and incidents related to cloud provider security.  [...]

------------------------------

Date: Wed, 3 Apr 2024 10:57:14 PDT
From: Peter Neumann <neumann () csl sri com>
Subject: China's Advancing Efforts to Influence U.S. Election (NYTimes)

Tiffany Hsu and Steven Lee Myers, *The New York Times*, 2 Apr 2024

Adopting the same tactics Russia used in 2016

Covert Chinese accounts are masquerading ..., promoting conspiracy
theories, stoking domestic divisions, and attacking the President. ...

------------------------------

Date: Wed, 3 Apr 2024 21:48:19 -0400
From: Monty Solomon <monty () roscom com>
Subject: RMV warning customers of scams amid statewide outage
 (The Boston Globe)

The Massachusetts Registry of Motor Vehicles was essentially shut down
statewide on 3 Apr for all transactions.

https://www.boston.com/news/local-news/2024/04/03/rmv-warning-customers-of-scams-amid-statewide-outage/

------------------------------

Date: Wed, 3 Apr 2024 22:33:46 -0400
From: Monty Solomon <monty () roscom com>
Subject: Missouri county declares state of emergency amid suspected
 ransomware attack (ArsTechnica)

https://arstechnica.com/?p=2014470

------------------------------

Date: Wed, 3 Apr 2024 21:57:18 -0400
From: Monty Solomon <monty () roscom com>
Subject: Tech Glitch Upends Financial Aid for About a Million Students
 (WSJ)

Inaccurate tax data could cost some students aid, though others might
benefit from the error

https://www.wsj.com/personal-finance/fafsa-college-financial-aid-incorrect-tax-data-612e0bed

------------------------------

Date: Thu, 4 Apr 2024 07:18:16 -0400
From: Jan Wolitzky <jan.wolitzky () gmail com>
Subject: Did One Guy Just Stop a Huge Cyberattack?

A Microsoft engineer noticed something was off on a piece of software he
worked on. He soon discovered someone was probably trying to gain access to
computers all over the world.

https://www.nytimes.com/2024/04/03/technology/prevent-cyberattack-linux.html

  [Also, Spotting a Bug That May Have Been Meant to Cripple the Internet (no
  byline, San Francisco, the NYTimes National Print Edition, 4 Apr 2024).
  Andres Freund is the MS programmer who stumbled on the hidden backdoor,
  with ``intuition, obsessive attention to detail, and a dose of luck.''
  PGN]

------------------------------

Date: Tue, 2 Apr 2024 20:01:37 -0400
From: Monty Solomon <monty () roscom com>
Subject: Carmakers give up on software that avoids kangaroos (ArsTechnica)

https://arstechnica.com/?p=2014220

  [Let's not wait for the Kangarooster cross-breed, which would be
  continually crossing the road, playing chicken with the cars.  PGN]

------------------------------

Date: Wed, 3 Apr 2024 22:23:44 -0400
From: Monty Solomon <monty () roscom com>
Subject: Browsing in Google Chrome's incognito mode doesn't protect
 you as much as you might think (The Boston Globe)

https://www.boston.com/news/technology/2024/04/03/browsing-in-google-chromes-incognito-mode-doesnt-protect-you-as-much-as-you-might-think/

------------------------------

Date: Tue, 2 Apr 2024 09:05:25 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Google Deepmind CEO says AI industry is full of 'hype' and 'grifting'
 (ReadWrite)

Ya' don't say? -L

https://readwrite.com/google-deepmind-ceo-says-ai-industry-is-full-of-hype-and-grifting/

------------------------------

Date: Thu, 4 Apr 2024 10:46:37 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: The wonders of AI!

The wonders of AI! It can help you create convincing lies on your
resume, AND target thousands of civilians for death! Thanks a bunch
Big Tech. May your AI projects get you all that you deserve. -L

------------------------------

Date: Thu, 4 Apr 2024 10:18:19 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: AI that targets civilians: 'The machine did it coldly': Israel used
 AI to identify 37,000 Hamas targets

AI may turn out to be the most horrific tech creation in history. It doesn't
need to take over the world itself -- all it needs is humans acting on its
advice. -L

https://www.theguardian.com/world/2024/apr/03/israel-gaza-ai-database-hamas-airstrikes

 Lauren added this comment to that: Why AI is so dangerous

I don't buy into the "AI will take over the world" sci-fi scenarios. I
consider AI to be so incredibly dangerous because of how it is being
developed, deployed, and used by HUMAN BEINGS. The combination of
fallible AI and fallible human animals is potentially more dangerous
to our world than every hydrogen bomb warhead on every ICBM in every
missile silo on the planet. -L

------------------------------

Date: Tue, 2 Apr 2024 11:10:16 -0700
From: Steve Bacher <sebmb1 () verizon net>
Subject: Washington state judge blocks use of AI-enhanced video as evidence
 in possible first-of-its-kind ruling (NBC News)

A Washington state judge overseeing a triple murder case barred the use of
video enhanced by artificial intelligence as evidence in a ruling that
experts said may be the first-of-its-kind in a United States criminal court.

https://www.nbcnews.com/news/us-news/washington-state-judge-blocks-use-ai-enhanced-video-evidence-rcna141932

------------------------------

Date: Wed, 3 Apr 2024 16:54:21 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Amazon's AI-powered "Just Walk Out" checkout option turns
 out to be 1000 workers watching you shop (BoingBoing)

Amazon is to end the AI-powered "Just Walk Out" checkout option in its
Amazon Fresh stores. It turns out that "AI" means "Actually, Indians" and it
isn't working out.

https://boingboing.net/2024/04/03/amazons-ai-powered-just-walk-outcheckout-option-turns-out-to-be-1000-workers-watching-you-shop.html

------------------------------

Date: Thu, 4 Apr 2024 09:23:08 -0400
From: Monty Solomon <monty () roscom com>
Subject: This tool makes AI models hallucinate cats to fight copyright
 infringement (NBC News)

Nightshade aims to help artists prevent image generators from easily
reproducing their work, but the researchers behind it warn more intellectual
property safeguards are needed.

https://www.nbcnews.com/tech/ai-image-generators-nightshade-copyright-infringement-rcna144624

------------------------------

Date: Tue, 2 Apr 2024 17:20:05 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: An unending array of jailbreaking attacks could be the death of
 LLMs (Gary Marcus)

Most IT professionals are worried about the security of LLMs. They have every
right to be. There seems to be an endless number of ways of attacking them.

https://garymarcus.substack.com/p/an-unending-array-of-jailbreaking

------------------------------

Date: Tue, 2 Apr 2024 09:55:04 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: When AI Meets Toast

Seeing a video of Mark Zuckerberg "using AI" to tell him when his toast is
ready instantly invokes this uber-classic scene from a 1991 episode of the
wonderful British parody sci-fi series "Red Dwarf".  When reality catches up
with fiction in the most nightmarish kinds of ways!

https://www.youtube.com/watch?v=LRq_SAuQDec

  [If he puts a little sauce on it, Mark might like Ragumuffins.  PGN]

------------------------------

Date: Tue, 2 Apr 2024 20:02:33 -0400
From: Monty Solomon <monty () roscom com>
Subject: Medicare forced to expand forms to fit 10-digit bill a penny shy of
 $100M (ArsTechnica)

https://arstechnica.com/?p=2014290

------------------------------

Date: Tue, 2 Apr 2024 19:55:22 -0400
From: Monty Solomon <monty () roscom com>
Subject: The FTC is trying to help victims of impersonation scams get
 their money back

https://www.theverge.com/2024/4/1/24118030/ftc-impersonation-rule-businesses-government-artificial-intelligence

------------------------------

Date: Tue, 2 Apr 2024 20:12:01 -0400
From: Monty Solomon <monty () roscom com>
Subject: Google Maps for CarPlay is a disaster compared to the Android Auto
 app (9-to-5 Google)

https://9to5google.com/2024/04/02/google-maps-apple-carplay-android-auto/

------------------------------

Date: Thu, 4 Apr 2024 09:20:13 -0400
From: Monty Solomon <monty () roscom com>
Subject: Indian company sold contaminated shrimp to U.S. grocery stores,
 'whistleblower' says (NBC News)

Congress is looking into allegations of antibiotic-positive shrimp at a
Choice Canning factory that supplies Walmart, Aldi and other supermarkets.

https://www.nbcnews.com/news/indian-company-sold-contaminated-shrimp-us-grocery-stores-whistleblowe-rcna144082

  [... and one bad shrimp is enough to do you in for quite a while.  PGN]

------------------------------

Date: Tue, 02 Apr 2024 13:40:08 +0000
From: Henry Baker <hbaker1 () pipeline com>
Subject: CA Governor to install 480 new Flock LPR cameras

Effectively, Gov. Newsom is saying to Californians: "Flock Franklin!"

"Those who would give up essential liberty to purchase a little
temporary safety, deserve neither liberty nor safety." - B. Franklin

https://www.aclu.org/news/privacy-technology/communities-should-reject-surveillance-products-whose-makers-wont-allow-them-to-be-independently-evaluated

"One example of a company refusing to allow independent review of its
product is the license plate recognition company Flock, which is
pushing those surveillance devices into many American communities and
tying them into a centralized national network. (We wrote more about
this company in a 2022 white paper.) Flock has steadfastly refused to
allow the independent security technology reporting and testing outlet
IPVM to obtain one of its license plate readers for testing, though
IPVM has tested all of Flock's major competitors. That doesn't stop
Flock from boasting that "Flock Safety technology is best-in-class,
consistently performing above other vendors." Claims like these are
puzzling and laughable when the company doesn't appear to have enough
confidence in its product to let IPVM test it."

https://www.eff.org/deeplinks/2020/09/flock-license-plate-reader-homeowners-association-safe-problems

"The False Promise of ALPRs"
"Like all machines, ALPRs make mistakes"
California Governor announces contract to install 480 new cameras in Oakland
https://www.securitysystemsnews.com/article/california-governor-announces-contract-to-install-480-new-cameras-in-oakland
  [...]

------------------------------

Date: Thu, 4 Apr 2024 10:29:04 -0400
From: Tom Van Vleck <thvv () multicians org>
Subject: Your boss could forward a mail message to you that shows you text
 he won't see, but you will (Lutrasecurity)

Suppose you get mail from your boss, and it says "pay these folks a million
dollars."  You contact the boss and say, "did you really send that mail?"
and the boss says "yes, handle it."

What the boss saw and forwarded was a mail message that said "please send me
a catalog."

You are both using HTML mail, and the mail contains CSS that hides some
HTML from the original receiver, but shows it to receivers of a forwarded
copy.  There are probably lots of ways to do this.

  https://lutrasecurity.com/en/articles/kobold-letters/
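
A defensive check for the situation described above, as an added example that is not part of the original post or of the linked article: it lists the text in an HTML mail body that a style rule or inline style can hide. It assumes that whether a hiding rule applies may depend on surrounding markup that changes when a message is forwarded, so it deliberately ignores the ancestor part of each selector; the sample message, class names and function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# CSS declarations that make text invisible to the reader.
HIDING = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:font-size|opacity|max-height)\s*:\s*0(?![\d.]*[1-9])", re.I)
RULE = re.compile(r"([^{}]+)\{([^{}]*)\}")
VOID = {"br", "img", "hr", "meta", "link", "input", "wbr", "col", "area", "base"}


def hiding_targets(css):
    """Return (tag, classes, ids) for the rightmost compound of every selector
    whose rule hides content. Ancestor conditions are dropped on purpose:
    they are the part that can stop matching once a client re-wraps the body.
    Attribute selectors and pseudo-classes are not interpreted."""
    targets = []
    for selectors, decls in RULE.findall(css):
        if not HIDING.search(decls):
            continue
        for sel in selectors.split(","):
            last = re.split(r"[\s>+~]+", sel.strip())[-1]
            if not last:
                continue
            tag = re.match(r"[a-zA-Z][\w-]*", last)
            targets.append((tag.group(0).lower() if tag else None,
                            set(re.findall(r"\.([\w-]+)", last)),
                            set(re.findall(r"#([\w-]+)", last))))
    return targets


class _Collector(HTMLParser):
    """Collects <style> text and every text node with its open-element chain."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack, self.css, self.texts = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag not in VOID:
            self.stack.append((tag, dict(attrs)))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        top = self.stack[-1][0] if self.stack else ""
        if top == "style":
            self.css.append(data)
        elif top not in ("script", "title") and data.strip():
            self.texts.append((data.strip(), list(self.stack)))


def _hidden(element, targets):
    tag, attrs = element
    if HIDING.search(attrs.get("style") or ""):
        return True
    classes = set((attrs.get("class") or "").split())
    el_id = attrs.get("id")
    return any((t is None or t == tag) and cs <= classes
               and all(i == el_id for i in ids)
               for t, cs, ids in targets)


def find_hidden_text(html):
    """Return the text fragments that some rule or inline style can hide."""
    collector = _Collector()
    collector.feed(html)
    collector.close()
    targets = hiding_targets("\n".join(collector.css))
    return [text for text, chain in collector.texts
            if any(_hidden(el, targets) for el in chain)]


# Constructed sample message body; not taken from any real mail.
SAMPLE = """<html><head><style>
.wrapper > div > .note { display: none; }
p.fine { font-size: 12px; }
</style></head><body><div class="wrapper"><div>
<p class="fine">Please send me a catalog.</p>
<p class="note">CONSTRUCTED HIDDEN PARAGRAPH</p>
<span style="opacity:0">constructed inline-hidden text</span>
</div></div></body></html>"""

if __name__ == "__main__":
    for fragment in find_hidden_text(SAMPLE):
        print("hidden in at least one rendering:", fragment)
```

A mail gateway or client could use a non-empty result to quarantine the message or to render it with the style rules stripped, so that sender and forwardee see the same text.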

------------------------------

Date: Thu, 4 Apr 2024 05:58:03 -0700
From: Victor Miller <victorsmiller () gmail com>
Subject: Should we be rethinking using Outlook at work?

https://proton.me/blog/outlook-is-microsofts-new-data-collection-service

------------------------------

Date: Wed, 3 Apr 2024 22:31:56 -0400
From: Monty Solomon <monty () roscom com>
Subject: Man pleads guilty to stealing former coworker's identity for 30 years?

https://arstechnica.com/?p=2014676

------------------------------

Date: Tue, 2 Apr 2024 10:44:16 -0700
From: Victor Miller <victorsmiller () gmail com>
Subject: Re: xz

Here's a lot more about the xz debacle.

  https://research.swtch.com/xz-timeline

  Reflections on distrusting xz
  https://joeyh.name/blog/entry/reflections_on_distrusting_xz/

  https://www.404media.co/xz-backdoor-bullying-in-open-source-software-is-a-massive-security-vulnerability/

    [Dan Geer noted that the first URL above led him to
      https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor
    and
      https://lcamtuf.substack.com/p/oss-backdoors-the-allure-of-the-easy
    Also, from Dan: Patrick / Risky Business #743 -- A chat about the xz
    backdoor with the guy who found it:
      https://risky.biz/RB743/
    PGN...  Someone needs an XorZism?]

------------------------------

Date: Mon, 1 Apr 2024 22:16:33 -0400
From: wendyg () pelicancrossing net
Subject: Re: Ross Anderson (RISKS-34.12)

I thought you might like to see my obit for Ross Anderson:
https://netwars.pelicancrossing.net/2024/03/31/rip-ross-j-anderson/

  [Rebecca Mercuri noted that in the article below Ross was fighting forced
  retirement. Ironically. That's why he was also a prof at Edinburgh.
  Furious professors brand Cambridge University ‘ageist’ as retirement age
  set at 67.  Astha Saxena, Cait Findlay, 24 Nov 2023.
https://www.express.co.uk/news/uk/1838755/professor-cambridge-university-ageist
  PGN]

    [Incidentally, I had Ross's age mistyped in RISKS-34.12, and it is now
    corrected in the SRI and NCL archives.  67 is correct, and I had my
    fingers one key to the left.  PGN]

    [Li Gong noted Ross's obit:
      https://www.theregister.com/2024/04/03/ross_anderson_obit/
    Also see
https://www.computerweekly.com/news/366577932/Obituary-Professor-Ross-Anderson-pioneer-in-security-engineering-and-campaigner
    PGN]

------------------------------

Date: Tue, 2 Apr 2024 09:59:16 -0700
From: Rob Slade <rslade () gmail com>
Subject: Re: The race between positive and negative applications
 of GenAI (Risks Digest 34.12)

Well, actually two or three postings, such as:

From: "Gabe Goldberg" <gabe () gabegold com>

  From a security perspective, that's terrifying. If lots of code gets
  written, fast, but that code is riddled with security problems, the net
  advantage on the positive side of the ledger may be less than anticipated.
  As noted here before, one study indicates that code quality is going down.

and

From: ACM TechNews <technews-editor () acm org>
Subject: U.S. Military's Investments into AI Skyrocket (Will Henshall)

  The Brookings Institution reported a nearly 1,200% surge in the potential
  value of AI-related U.S. government contracts, from $355 million in the year
  ending in August 2022 to $4.6 billion in the year ending in August 2023.

But, hey, not to worry.  We just run all the genAI code through a genAI
tool to find all the vulnerabilities, right?

  (No, I'm not serious.  But I think I will have a heart attack and die from
  *not* being surprised when some vendor starts selling such a tool ...)

------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) has moved to the ftp.sri.com site:
   <risksinfo.html>.
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 34.13
************************

