RISKS-LIST: Risks-Forum Digest Monday 12 January 2004 Volume 23 : Issue 12 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at http://www.risks.org as http://catless.ncl.ac.uk/Risks/23.12.html The current issue can be found at http://www.csl.sri.com/users/risko/risks.txt Contents: U.S. FAA warns of EFIS system fault (Peter B. Ladkin) B747-400 Electronic flight displays rendered inoperative (Peter B. Ladkin) Happy 2**30'th birthday, time_t! Now go patch Pro/ENGINEER (Paul Eggert) Danish PM's private communications disclosed by MS Word (Theodor Norup) Anti-spam law enacted -- so what's all this junk in my in-box? (NewsScan) Want chips with that burger? (Jim Schindler) Suing the customers (Joyce Scrivner) Burger King wireless risk (Robert Franchi) AP accidentally distributes celebrity phone numbers (Robert Franchi) 'Unfixable' Word password hole exposed (Brett McCarron) VoteHere there and everywhere (Rebecca Mercuri) More voting snafus in Palm Beach and Broward Counties (Alan Fullilove) Correction re: Australian Voting (Eric Ulevik) Re: Electronic car doors trap man (Ian Mitchell) The dangers of PGN-ing (Simon Hogg) COMPSAC 2004 Call for Contributions (Yuen Tak Yu) EUSPRIG CFP July 2004 Klagenfurt (Patrick O'Beirne) REVIEW: "Ben Franklin's Web Site", Robert Ellis Smith (Rob Slade) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Wed, 07 Jan 2004 07:02:33 +0100 From: "Peter B. Ladkin" <ladkin@private-bielefeld.de> Subject: U.S. FAA warns of EFIS system fault According to *Flight International*, 2-8 December 2003, p34, the U.S. FAA "has warned operators of Chelton Flight Systems FlightLogic [electronic flight information system] EFIS avionics that the equipment can provide misleading guidance under certain circumstances." The system is used on many aircraft in Alaska operating under Phase 2 of the FAA's general aviation Capstone program, which uses GPS to provide flight guidance and to track aircraft in flight. Apparently, the system indicates a uniform rate of climb of 300 ft/min for guidance in departure procedures, but some departure procedures require a higher climb rate for obstacle avoidance. ------------------------------ Date: Wed, 07 Jan 2004 06:54:18 +0100 From: "Peter B. Ladkin" <ladkin@private-bielefeld.de> Subject: B747-400 Electronic flight displays rendered inoperative On 2 December, 2003, the U.S. National Transportation Safety Board issued Recommendations A-03-55 and A-03-56. The short document may be read at www.ntsb.gov/Recs/letters/2003/A03_55_56.pdf "On January 23, 2003, a Singapore Airlines (SIA) Boeing 747-400 experienced a complete loss of information on all six integrated display units (IDU) on the flight deck instrument panels while in cruise flight from Singapore to Sydney, Australia. The pilots flew the airplane for 45 minutes using standby flight instruments while they communicated with SIA maintenance personnel about the problem. SIA maintenance personnel advised the flight crew to pull out then push back in (or cycle) the circuit breakers for the EFIS/EICAS interface units (EIU), which returned the IDUs to normal operation. The flight continued to Sydney and landed without further incident." "A similar event occurred on another SIA B747-400 on November 6, 2001 ..." while on a Sydney to Singapore flight, during an emergency descent because of an cabin pressure warning. Maintenance personnel recycled the EIU circuit breakers on the ground and restored the IDUs to normal operation. "The six IDUs ... include the captain's Primary Flight Display (PFD) and Navigation Display (ND), the first officer's PFD and ND, and the main and auxiliary engine indicating and crew alerting system (EICAS) displays. The PFD and ND displays [sic] provide the pilots with attitude, altitude, airspeed, heading, and rate of climb and descent information. The EICAS displays provide the flight crew with the airplane's engine indicating information and annunciate advisories, cautions and warnings. Without these displays, the flight crew is required to use standby flight instruments, which consist of an altimeter, airspeed indicator, and artificial horizon/attitude indicator; the Boeing B747-400 does not have standby engine instruments. The loss of the IDUs would also eliminate the flight crew's access to data from the traffic alert and collision avoidance system, enhanced ground proximity warning system, and weather radar." The EIUs are apparently responsible for data display on all six IDUs and preliminary investigation has indicated that all six IDUs blanked because all three EIUs stopped transmitting data. The EIUs are identical devices; the architecture is triple-redundant. The cause of this loss of data has not been determined, and no countermeasures have yet been identified that could inhibit the loss of all six IDUs again. Boeing recommended cycling the EIU circuit breakers in such an event, and the NTSB recommended that this procedure be included in the quick-reference handbook used by the flight crew to access procedures in an emergency. The NTSB letter was also reported in *Flight International*, 9-15 December 2003, p13; and by Frances Fiorino on p31 of Aviation Week and Space Technology, December 15, 2003. A similar loss of data to displays on an Airbus A340 in 1994 has been reported in Risks (Hatton, RISKS-16.92; Ladkin, Rushby, RISKS-16.96), as also on a Boeing B767 in 1996 (Ladkin, RISKS-18.19). EFIS failure was also initially suspected in a turboprop accident in Zürich in 2000 (Ladkin, RISKS-20.78) but the final report fingers pilot error and not technical problems, according to the Neue Zürcher Zeitung, also 2 December 2003, www.nzz.ch/2003/12/02/english/page-synd4505738.html There are lots of things one could say about such flight information display system architectures. All of them rely on the mechanical principles of the older mechanical systems, but add a layer of electronic display technology that was not present in the older systems, which drove the displays directly. This extra layer, most obviously, introduces categories of failure that were not present in the original systems, such as the failures exhibited in these incidents. I shall not address here the question of whether the benefits of such systems outweigh the risks. The industry seems to be moving towards replacing the mechanical standby flight instruments, built to designs that have functioned well for upwards of a century now, by electronic displays. Electronic standby instrument displays are available and are being advertised for many business jets. Peter B. Ladkin, University of Bielefeld, www.rvs.uni-bielefeld.de ------------------------------ Date: Fri, 09 Jan 2004 17:10:24 -0800 From: Paul Eggert <eggert@private> Subject: Happy 2**30'th birthday, time_t! Now go patch Pro/ENGINEER. About 13 hours ago, the POSIX time_t counter exceeded 2**30, thus reaching half its useful positive range (which counts seconds since 1970) on traditional hosts with 32-bit signed integer time_t. Unfortunately, some software produced by Parametric Technology Corp. was using that 2**30 bit in time values, so today's milestone introduced timeout glitches into unpatched installations of PTC's Pro/ENGINEER, Pro/INTRALINK, and Windchill products. PTC has made patches available to all users, regardless of maintenance status; see <http://www.ptc.com/go/timeout/index.htm>. I still do much of my computing on hosts with 32-bit time_t. I expect this to change in the next few years as 64-bit hosts take over, but I wonder: how many applications will break in January 2038 when time_t exceeds 2**31, even though the underlying hardware and OS works correctly? Mark your calendars. ------------------------------ Date: Mon, 5 Jan 2004 23:10:34 +0100 From: "Theodor Norup" <thno@private> Subject: Danish PM's private communications disclosed by MS Word The Danish newspaper Politiken cites a Ritzau (Danish telegram bureau) telegram on Sun 4 Jan 2004 The Danish Prime Minister's Office has tightened IT Security with immediate effect following the disclosure of the origins of the document containing the New Year's speech of prime minister Anders Fogh Rasmussen. The speech had been written in a document originally authored by Christopher Arzrouni, head of the Trade and Industry Law section of the Association of Danish Industries ("Dansk Industri"). Till now, the ministry has distributed Anders Fogh Rasmussen's speeches to the press and others in word files but in two independent cases, just a few clicks on the computer did reveal the document's origin or which changes had been made. Therefore, the PM's office instituted a new procedure on Friday. "We will in the future distribute speeches as PDF files so that such things will not happen" says ministry spokesman Michael Kristiansen. At the same time, the ministry has begun checking its web site security. (my own translation) Since the said Arzrouni chairs a well-known ultraliberalist (in the european sense) discussion society and since the PM does his best to convince voters that he himself has left former ultraliberalist convictions alone, the disclosure is very interesting at least. One wonders what state secrets have been published by the government being blatantly ignorant to a very well-known MS word problem. And why an inappropriate word processor choice leads to a completely unrelated check of web site security. The RISK: Wrongly believing that the higher echelons of governments and their technical support has more than a faint idea of IT security. On the positive side: This may give some publicity to that infamous word problem. ------------------------------ Date: Mon, 12 Jan 2004 10:15:53 -0700 From: "NewsScan" <newsscan@private> Subject: Anti-spam law enacted -- so what's all this junk in my in-box? The new federal anti-spam law went into effect Jan. 1, but consumers report their inboxes are more cluttered than ever -- what's going on? Critics say the new law doesn't actually ban spam but rather provides guidelines for sending junk e-mail legally. "Now we have a green light for what would come to be called 'legal spam,'" says ePrivacy Group CEO Vincent Schiavone. John Levine, a board member of the Coalition Against Unsolicited Commercial E-Mail, concurs: "Basically, it's a bill of rights for companies that want to send junk e-mail." In addition, the federal law supercedes stricter laws recently passed in several states, such as California. "Everyone was planning for this California law, which was so draconian," says a California lawyer who defends accused spammers. "Once the federal government passed the federal law, everyone was kind of relieved." And while technology firms are eagerly pursuing new ways of blocking spam, skeptics say the ultimate solution won't be technological or legal, but will depend on developing more savvy users. Mary Youngblood, abuse team manager at EarthLink, suggests putting numbers in the middle of your e-mail address to make it more difficult to guess and using a separate address for online shopping and newsgroup postings. [AP, Jan 11 2004; NewsScan Daily, 12 Jan 2004] http://apnews.excite.com/article/20040111/D800O3P00.html ------------------------------ Date: Mon, 12 Jan 2004 10:10:40 -0800 From: Jim Schindler <Jimschin@private> Subject: Want chips with that burger? (Simson Garfinkel) Weblog: A Chip for Your Hamburger: Can radiofrequency I.D. devices help stop the spread of beef tainted by mad cow disease? [MIT Technology Review blog item] Well, not quite, but this article in the RFID Journal indicates that both official[s] and the industry are now thinking of using RFID chips to enable greater tracking of meat through the food supply. This will help track things like infected beef (e.g., ground mad cows). What the article doesn't say is that this will also help protect against a terrorist attack --- or at least allow the tracking and faster recovery if terrorists go after the food supply. Simson Garfinkel [Topic: Security and Defense ] http://www.uptilt.com/c.html?rtr=on&s=5fo,4qkw,4rw,ij9s,j8tx,i328,m8yb> http://www.technologyreview.com/blog/blog.asp?blogID=1227&trk=nl [Might this require edible RFID microchips that survive meat grinders and wind up in each hamburger patty? PGN] ------------------------------ Date: Mon, 12 Jan 2004 13:10:23 -0600 From: Joyce Scrivner <kscriv@private> Subject: Suing the customers Rockwell, is suing a law firm that is currently suing Rockwell's customers. The law firm says that Rockwell has infringed on a patent. (I'm uncertain what relationship the law firm has to the patent holder.) The law firm appears to assume that suing Rockwell's customers will get more money than suing Rockwell. Rockwell sees this as blackmail/threat because the law firm has not -- and cannot (without suing Rockwell) -- prove that the patent is or is not infringed. So Rockwell is now suing the law firm. Rather nasty. In Rockwell Automation Inc. v. Schneider Automation Inc., 02-01195, Rockwell says its technology is not covered by the Solaia patent, and rather than battling that issue out in court, Niro Scavone and its clients have sought to "'shakedown' manufacturers through threats of potential business interruption or catastrophic damages." http://www.law.com/jsp/article.jsp?id=1039054478800 ------------------------------ Date: Fri, 9 Jan 2004 16:53:35 -0500 From: "Franchi, Robert" <Robert.Franchi@private> Subject: Burger King wireless risk Burger King Customer being told they are too fat to order a Whopper by hackers into the wireless speaker system at the drive through window! http://www.ananova.com/news/story/sm_853744.html?menu=news.latestheadlines ------------------------------ Date: Fri, 9 Jan 2004 17:00:01 -0500 From: "Franchi, Robert" <Robert.Franchi@private> Subject: AP accidentally distributes celebrity phone numbers The Associated Press sent out a list of 250 celebrities' phone numbers by mistake. Many of the numbers are old and some of the celebrities are dead, but you can see the potential annoyance. http://www.sltrib.com/2004/Jan/01092004/utah/127432.asp ------------------------------ Date: Fri, 09 Jan 2004 10:31:46 -0800 From: "Brett McCarron" <MCCARBWM@private> Subject: 'Unfixable' Word password hole exposed The password used to "protect" a Microsoft Word form can be revealed with a simple text editor, according to a recent BugTraq article. The RISK in this case goes beyond the ability to edit a protected document (you can bypass this anyway with Edit > Select All > Copy, open a new document and Paste). The real RISK is that the user's password is so easy to discover. Ideally, users would protect a form with a password that is different from their network authentication password(s). But in the real word ... News Story http://news.zdnet.co.uk/software/windows/0,39020396,39118935,00.htm=20 BugTraq Article http://www.securityfocus.com/archive/1/348692/2004-01-02/2004-01-08/0 ------------------------------ Date: Tue, 06 Jan 2004 19:25:05 -0500 From: Rebecca Mercuri <notable@private> Subject: VoteHere there and everywhere There's an interesting statement in the Volume 2, Number 1, January 4, VerifiedVoting.org newsletter regarding the VoteHere break-in. VoteHere's website says that they sell a product called RemoteVote (c) "an e-voting election system that supports the convenience, ease-of-use, and mobility of online voting. It's unique in delivering best-of-breed security and information technology practices, easy to administer and easy to use - and has been praised for its effect on voter turnout and overall voter satisfaction." But VerifiedVoting.org's news item says: "VoteHere, a Bellevue, Washington company developing security technology for electronic voting "suffered an embarrassing hacker break-in." The electronic intruder broke into the company's system last October and has now been identified, according to the company's CEO Jim Adler. This event got a lot of news coverage, but we're not sure of its significance, since VoteHere says they are going to release all their software." Wait a second, we're not sure of its significance? VoteHere is selling an Internet voting product but they apparently aren't capable of protecting their own network from attack and their sensitive files from theft. That certainly sounds significant to me, and this has absolutely nothing to do with whether their software is publicly accessible or not. The USA Today report quoted Adler as saying "the break-in did not affect the integrity of its voting technology." This certainly should reassure the "large and small corporations, professional associations, unions, cooperatives, universities, political organizations and government groups" that VoteHere is marketing RemoteVote that their product is not more vulnerable than the insecure platform it is running on top of. I know that I feel much better knowing that the hacker (and probably also his pals) has a copy of the source code. ------------------------------ Date: Sat, 10 Jan 2004 14:30:55 -0500 From: Alan Fullilove <a.c.fullilove@private> Subject: More voting snafus in Palm Beach and Broward Counties Seems Palm Beach and Broward counties can't certify a recent election. The "winner" of the election won by 12 votes out of 10,844 cast. 137 votes were blank ballots. From the PalmBeachPost newspaper: "Florida law requires a manual or hand recount of all "under-votes" and "over-votes" in an election decided by less than 0.25 percent. But touch-screens leave behind nothing to count by hand. " Oops ! http://www.palmbeachpost.com/politics/ content/auto/epaper/editions/saturday/news_f3ff583cd1c3223d00af.html ------------------------------ Date: Sat, 10 Jan 2004 20:34:50 +1100 From: "Eric Ulevik" <eulevik@private> Subject: Correction re: Australian Voting (Williams, RISKS-23.10) I would like to correct some previous misinformation regarding the Australian electoral system. In Australia, the law requires every person on the electoral roll to submit a valid vote. Simply getting your name checked off and leaving may result in the Electoral Commission staff recording a failure to vote. Note that the staff do not examine the votes before they are placed in the ballot box - meaning there is no enforcement of the validity requirement. In the state of NSW, in my case, the penalty for not voting was a $120 fine. I intended to refuse to pay the fine on principle as I do not believe in compulsory voting. However, the alternative penalty in the case was canceling my driving license. Hence I voted 'donkey' - giving my preference by order on the ballot (which is determined randomly). Donkey votes are typically 5-10% of the Australian vote. The clear risk here is that attempting to enforce democratic principles increases the influence of random chance on the final results. ------------------------------ Date: Mon, 5 Jan 2004 14:03:54 -0600 From: "Mitchell, Ian (MED, nVISIA)" <W.Ian.Mitchell@private> Subject: Re: Electronic car doors trap man (Healy, RISKS-23.06) I own a CRV 4WD. The way out in a situation such as this is probably through the rear window. Unlike the side windows, this is not electric. It is released by a button under the dash that connects to the window lock via a cable. Once released, the window can be pushed open from the inside. This completely mechanical system would presumably still function even when underwater, although if totally submerged it may be necessary for the water inside the vehicle to reach a certain level before the pressure can be overcome and the window opened. ------------------------------ Date: 07 January 2004 22:18 From: Simon Hogg <seth@private> Subject: The dangers of PGN-ing (Re: RISKS-23.11) [PGN note: I messed up my PGN-ed version of the item with Subject line "Bank of England falls victim as e-mail scams rise by 400%" It might more accurately have been titled "Visa customers hit by phishing expedition seemingly from Bank of England" Oops! PGN] As I'm sure many of the RISKs readers are aware, the Bank of England is a Central Bank and hence does not issue its own Visa (or any other credit cards) at least for consumers. Similarly, it doesn't operate consumer bank accounts. I suppose you could say that the Bank of England is equivalent to the Federal Reserve, *not* Bank of America. Therefore the BoE is unlikely to be a 'victim' in the ordinary sense of the word. Therefore, I thought there was something a bit fishy with the PGN version saying that the "This was reportedly the first time BoE was victimized by a "phishing" expedition that apparently fooled about 5% of their Visa customers into divulging their card and PIN numbers." Looking at the original news story the 'phishing' quote apparently relates to a different episode, "A campaign that targeted Visa credit card holders was said to have fooled one in 20 victims into divulging their personal details, including their card and pin numbers" *i.e. not the BoE e-mail itself*. The point of the story is to say that lots of people were sent an e-mail with an executable attachment with the message "Please install our special software, that will remove all the keyloggers and backdoors from your computer." The implication (for the sender the hopeful implication) was that since the e-mail was apparently from the BoE, the software was in some way 'official'. Imagine the same e-mail in the US from someone@federal-reserve.gov. I think the problem here is wider than a standard someone@private e-mail since it is apparently from a 'trusted' central bank (the one who controls the 'normal' banks) but it doesn't cause any direct 'damage' to the apparent sending agency. So, three apparent risks; 1. Mis- / Dis-information (scaremongering?), accidental or otherwise, caused by incorrect summary of other news stories. 2. E-Mails apparently from a trusted source (common / usual RISKs here, but the 'trusted source' in this case is a 'super-trusted source'). 3. For me the most worrying RISK is that the UK's "National High-Tech Crime Unit" came out with the very enlightening statement "We have opened the attachment, but we have so far not been able to find out what it does, if anything." How many programmers does it need to be able to analyse a piece of code to be able to work out what it does? Anti-virus labs are pretty good at this, so why not the Government-funded anti-crime 'specialists'? At least they are apparently being honest here(!). ------------------------------ Date: Sun, 11 Jan 2004 19:38:55 +0800 (CST) From: CS Asst Prof Dr Yuen Tak YU <ytyu@private> Subject: COMPSAC 2004 Call for Contributions http://www.cs.cityu.edu.hk/~ytyu COMPSAC 2004 The 28th IEEE Annual International Computer Software and Applications Conference September 27-30, 2OO4, HONG KONG http://rachel.utdallas.edu/compsac Major theme: DEVELOPING TRUSTWORTHY SOFTWARE SYSTEMS 15 Jan 2004: Deadline for WORKSHOP and PANEL PROPOSALS 15 Mar 2004: Deadline for REGULAR and WORKSHOP PAPERS PROGRAM CO-CHAIRS: W. Eric Wong, University of Texas at Dallas, USA, Email: ewong@private Karama Kanoun,LAAS-CNRS, France, Email: Karama.Kanoun@private ------------------------------ Date: Wed, 07 Jan 2004 14:07:50 +0000 From: "Patrick O'Beirne" <mail2@private> Subject: EUSPRIG CFP July 2004 Klagenfurt EuSpRIG 2004: Spreadsheet Risks, Development and Audit Methods Theme: Risk Reduction in End-User Computing Best practice for spreadsheet users in the new Europe Thursday July 15th - Friday July 16th 2004 Klagenfurt University, Klagenfurt, AUSTRIA For submission instructions, details of formatting, handling of illustrations etc. download guidelines from www.eusprig.org Patrick O'Beirne, European Spreadsheet Risks Interest Group ------------------------------ Date: Fri, 2 Jan 2004 07:56:31 -0800 From: Rob Slade <rslade@private> Subject: REVIEW: "Ben Franklin's Web Site", Robert Ellis Smith BKBNFRWS.RVW 20031013 "Ben Franklin's Web Site", Robert Ellis Smith, 2000, 0-930072-14-6, U$24.50/C$32.25 %A Robert Ellis Smith ellis84@private %C P. O. Box 28577, Providence, RI 02908 %D 2000 %G 0-930072-14-6 %I Privacy Journal %O U$24.50/C$32.25 401-274-7861 orders@private %O http://www.amazon.com/exec/obidos/ASIN/0930072146/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0930072146/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0930072146/robsladesin03-20 %P 407 p. %T "Ben Franklin's Web Site" In the introduction, Smith notes that Americans are both (and simultaneously) interested in protecting their privacy, and very curious about others. This work is a social history of American thought and feelings about privacy. The chapters are not numbered, but named. There is an attempt to assign date ranges to periods of events and opinion, but this effort is pretty much exhausted by the time the book ends. "Watchfulness," from the late seventeenth to the early eighteenth century, notes an age of church based communities and close living. Fear of the government registration is suggested to be primarily based on anxiety about the fact that a low population (or other indicator of lack of wealth) would reflect badly on the locale (or locals). "Serenity" links geographic isolation with privacy, but mostly concentrates on early enumeration operations. The post office, more about the census, and the beginnings of information technology with Hollerith and Morse is in a chapter called "Mistrust." "Space" outlines the degradations of slavery, factories, and workhouses. "Curiosity" looks at gossip and the popular press. A chapter called "Brandeis" doesn't talk about him or his essay (with Warren in the Harvard Law Review) as much as the intellectual environment and subsequent debate. Another reviews decisions and government actions in regard to different types of surveillance. It is difficult to say what a chapter called "Sex" has to do with privacy, and it reuses a lot of material from "Serenity," "Curiosity," and "Brandeis." "Torts" examines various lawsuits related to invasion of privacy. Politicking on the Supreme Court in cases possibly related to privacy populates a chapter called "Constitution." "Numbers," unlike "Census," discusses the improper use of the Social Security Number, as well as the concept of a national identity card. Credit reporting agencies are examined in "Databanks." "Cyberspace" touches on a number of Internet related topics. "Ben Franklin's Web Site" attempts to guess what Franklin's "Poor Richard's Almanac" would say about privacy, in pithy aphorisms: a kind of Poor Robert's list of privacy protecting guidelines. Smith's book is certainly an entertaining read, and does provide the occasional lost nugget of significant information on the development of thought in regard to privacy. It is, however, difficult to say how useful the work is for practical endeavours in pursuit of the protection of privacy, or development of current privacy policy. copyright Robert M. Slade, 2003 BKBNFRWS.RVW 20031013 rslade@private slade@private rslade@private http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade ------------------------------ Date: 7 Oct 2003 (LAST-MODIFIED) From: RISKS-request@private Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, send e-mail requests to <risks-request@private> with one-line body subscribe [OR unsubscribe] which requires your ANSWERing confirmation to majordomo@private . If Majordomo balks when you send your accept, please forward to risks. [If E-mail address differs from FROM: subscribe "other-address <x@y>" ; this requires PGN's intervention -- but hinders spamming subscriptions, etc.] Lower-case only in address may get around a confirmation match glitch. INFO [for unabridged version of RISKS information] There seems to be an occasional glitch in the confirmation process, in which case send mail to RISKS with a suitable SUBJECT and we'll do it manually. .UK users should contact <Lindsay.Marshall@private>. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail! => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@private with meaningful SUBJECT: line. *** NEW: Including the string "notsp" at the beginning or end of the subject *** line will be very helpful in separating real contributions from spam. *** This attention-string may change, so watch this space now and then. => ARCHIVES: http://www.sri.com/risks http://www.risks.org redirects you to the Lindsay Marshall's Newcastle archive http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue] Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r http://the.wiretapped.net/security/info/textfiles/risks-digest/ . http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/ ==> PGN's comprehensive historical Illustrative Risks summary of one liners: http://www.csl.sri.com/illustrative.html for browsing, http://www.csl.sri.com/illustrative.pdf or .ps for printing ------------------------------ End of RISKS-FORUM Digest 23.12 ************************
This archive was generated by hypermail 2b30 : Mon Jan 12 2004 - 15:40:21 PST