[risks] Risks Digest 23.19

From: RISKS List Owner (risko@private)
Date: Wed Feb 18 2004 - 13:45:36 PST


    RISKS-LIST: Risks-Forum Digest  Weds 18 February 2004  Volume 23 : Issue 19
    
       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
    
    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at http://www.risks.org as
      http://catless.ncl.ac.uk/Risks/23.19.html
    The current issue can be found at
      http://www.csl.sri.com/users/risko/risks.txt
    
      Contents:
    Mississippi voids November 2003 e-vote election for errors (Steve Corrick)
    Canadian medical tests give reversed results (Danny Burstein)
    911 mistake: Wisconsin rescuers go to wrong town; victim dies (David LaRue)
    Interesting device to steal ATM accounts (Mabry Tyson)
    Officials Say Mob Stole $200 Million Using Phone Bills (William K Rashbaum
      via Monty Solomon)
    Amazon reviewers identified -- as the authors! (NewsScan)
    Alleged Trojan horse in Israeli anti-ballistic missile system (Gadi Evron)
    GAO Report Warns of Airline Security Shortcomings (Lillie Coney)
    GE says blackout bug patched (Kevin L. Poulsen)
    Strategic planning for VeriSign restart of "Site Finder" (Lauren Weinstein)
    FTC warning about private no-spam registry (NewsScan)
    TiVo's privacy policy (Terence Eden)
    Re: Privatization vs privacy (Aaron)
    Challenge/Response spam blocking (Thomas Harrington)
    Social Security number as identity: not secure (Carl Fink)
    Re: Spirit Rover humbled (Timothy Prodin)
    Sputnik & garage door openers (Kyle York)
    Re: SPF and its critics (Lawrence Kestenbaum)
    Exploiting software (Gary McGraw)
    Abridged info on RISKS (comp.risks)
    
    ----------------------------------------------------------------------
    
    Date: Sun, 15 Feb 2004 08:52:44 EST
    From: GardenEarth@private
    Subject: Mississippi voids November 2003 e-vote election for errors
    
      [via Rebecca Mercuri <notable@private>   PGN]
    
    So the election machine companies say no one has ever proved vote fraud on
    the voting machines. However, the same cannot be said of massive machine
    error.  Here's a real clincher to the line about voting machines being the
    safest, most secure form of voting ever devised.
    
    Mississippi Senate Declares Last November's Election Invalid
    
    In the November 2003 election, Hinds County, Mississippi used the WINnVote
    touchscreen machine (the same as the one used in Fairfax County, Virginia's
    disastrous election). Poll workers had trouble starting the machines, some
    of the machines overheated and had to be taken out of service, poll workers
    were scrambling to find enough paper ballots, and many voters left the
    polls without voting because of the long delays.
      <http://www.clarionledger.com/news/0311/04/mvproblems.html>
    
    The problems were investigated by a Mississippi Senate committee, and on
    January 19, it recommended invalidating the outcome of the race for the
    District 91 Senate seat and holding the election over. Two days later, the
    Senate approved the recommendation. The new election is set for February 10.
    The last we heard the Democratic candidate, Dewayne Thomas, was considering
    pulling out of the race and conceding to his opponent, Richard White. We
    hope Thomas doesn't allow faulty machines to determine an outcome that
    should be decided by the voters.
      <http://www.clarionledger.com/news/0401/21/ma04.html>
    
    Oh, and just for good measure...
    
      Venezuela had to cancel its 2000 national election because of voting
      machine problems
        http://news.bbc.co.uk/1/low/world/americas/764372.stm
    
    Let all our votes be counted,
    
    Steve Corrick <OperationEnduringVote.org>
    
    ------------------------------
    
    Date: Fri, 7 Nov 2003 23:50:38 -0500 (EST)
    From: danny burstein <dannyb@private>
    Subject: Canadian medical tests give reversed results
    
      [Apologies to Danny for this item taking so long to surface.  PGN]
    
    About 3,000 people got opposite results when they were tested for gonorrhea
    and chlamydia over an 18-month period.  Because of a faulty diagnostic
    machine in Cranbrook (southeastern British Columbia), positive and negative
    test results for the two sexually transmitted diseases were reversed.
    
    About 3,000 people were tested. The 83 that were positive were incorrectly
    told they were clean. The 2,900 or so that were negative were told they were
    positive and were given the standard treatments.  From a health standpoint
    the 83 sick folks come out the worst, because their treatment was delayed
    for months or years. But even the folk who were well went through the drug
    protocols and other exams and treatments -- which have their own secondary
    effects, plus, of course, the social/inter-personal problems which being
    (mis)diagnosed with an STD will cause, especially with regard to patient
    partner tracking.
    
    One Would Have Thought that someone in the medical office or the lab or the
    insurance or the pharmacy or somewhere..., looking at 3,000 test results,
    would have quickly noticed that instead of finding a positive rate of 3%
    these tests were coming back at 97%. One would Also Have Thought that enough
    of these people would have gotten a second set of tests so as to raise
    eyebrows a lot earlier.
    
    [Thousands Given Wrong STD Results (Associated Press, 30 Oct 2003); PGN-ed
    from Danny's initial abstracting]
      http://www.newsday.com/news/health/wire/sns-ap-std-tests-reversed,0,3203781,print.story?coll=sns-ap-health-headlines
    
    Also, see US Gov't FDA recall notice (which suggests there were similar
    incidents in other places) :
      http://www.fda.gov/cdrh/recalls/recall-072103.html
    
    Canadian local coverage:
      http://cnews.canoe.ca/CNEWS/Canada/2003/10/29/240955-cp.html
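
The sanity check Danny describes (an expected positive rate of about 3% coming back at 97%) is easy to automate at the point where a batch of results is released. The following is an added example, not from the RISKS item and not any lab's software: it holds a batch for review when its positive rate is implausible under a binomial model, and separately flags the signature of a reversed-label fault (the batch becomes plausible once positive and negative are swapped). The base rate, the z threshold and the batch contents are constructed for illustration.

```python
"""Plausibility monitor for a batch of binary lab results (added example)."""
from math import sqrt


def positive_rate(results):
    """Fraction of results reported positive; results is an iterable of bool."""
    results = list(results)
    if not results:
        raise ValueError("empty batch")
    return sum(1 for r in results if r) / len(results)


def rate_is_plausible(observed_rate, n, expected_rate, z=4.0):
    """True if the observed rate lies within z binomial standard deviations of
    the expected base rate for a batch of n results."""
    sd = sqrt(expected_rate * (1.0 - expected_rate) / n)
    return abs(observed_rate - expected_rate) <= z * sd


def looks_inverted(observed_rate, n, expected_rate, z=4.0):
    """True when the batch is implausible as reported but plausible once
    positive and negative are swapped: the pattern of a reversed-label fault."""
    return (not rate_is_plausible(observed_rate, n, expected_rate, z)
            and rate_is_plausible(1.0 - observed_rate, n, expected_rate, z))


def check_batch(results, expected_rate=0.03, z=4.0):
    """Return (ok, observed_rate). ok is False when the batch should be held
    for review before any result is released or any treatment started."""
    results = list(results)
    obs = positive_rate(results)
    return rate_is_plausible(obs, len(results), expected_rate, z), obs


if __name__ == "__main__":
    # Constructed batches modelled on the numbers in the report: 3,000 tests,
    # 83 true positives. The second batch has every label reversed.
    normal = [True] * 83 + [False] * 2917
    reversed_labels = [True] * 2917 + [False] * 83
    for name, batch in (("normal", normal), ("reversed", reversed_labels)):
        ok, obs = check_batch(batch)
        inverted = looks_inverted(obs, len(batch), 0.03)
        print(f"{name}: positive rate {obs:.1%}, release={ok}, inverted={inverted}")
```

The inversion test matters operationally: a batch that is merely off (say 5% positives) gets held, but a batch that is almost exactly the complement of the base rate points straight at the analyser or its result mapping rather than at the population being tested.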
    
    ------------------------------
    
    Date: Thu, 12 Feb 2004 23:26:15 -0500 (EST)
    From: "David LaRue" <Huey.DLL@private>
    Subject: 911 mistake: Wisconsin rescuers go to wrong town; victim dies
    
    Rescue personnel from the Neenah-Menasha Fire Rescue service responded to a
    911 emergency call for a possible heart attack victim within two minutes.
    However, it was the right address in the wrong town.  (Both towns had the
    identical address.)  [Source: An AP article (from the *Star Tribune*,
    datelined Neenah, Wisconsin) PGN-ed.]
    
    Whereas there are procedures and database checks to prevent incorrect
    locations in the 911 databases, it is still possible for neighboring cities
    to have identical addresses.  The risks here are that the data may look
    correct and even validate, but still be wrong.
    
      [We have reported at least one similar case previously.  PGN]
    
    ------------------------------
    
    Date: Fri, 13 Feb 2004 16:40:46 -0800
    From: Mabry Tyson <Tyson@private>
    Subject: Interesting device to steal ATM accounts
    
    Bank ATMs Converted to Steal Bank Customer IDs
    http://www.utexas.edu/admin/utpd/atm.html
    
    A team of organized criminals is installing equipment on legitimate bank
    ATMs in at least 2 regions to steal both the ATM card number and the
    PIN. The team sits nearby in a car receiving the information transmitted
    wirelessly over weekends and evenings from equipment they install on the
    front of the ATM (see photos). If you see an attachment like this, do not
    use the ATM and report it immediately to the bank using the 800 number or
    phone on the front of the ATM.
    
    The equipment used to capture your ATM card number and PIN is cleverly
    disguised to look like normal ATM equipment. A "skimmer" is mounted to the
    front of the normal ATM card slot that reads the ATM card number and
    transmits it to the criminals sitting in a nearby car.
    
    At the same time, a wireless camera is disguised to look like a leaflet
    holder and is mounted in a position to view ATM PIN entries.
    
    The thieves copy the cards and use the PIN numbers to withdraw thousands
    from many accounts in a very short time directly from the bank ATM.
    
    ------------------------------
    
    Date: Thu, 12 Feb 2004 03:11:31 -0500
    From: Monty Solomon <monty@private>
    Subject: Officials Say Mob Stole $200 Million Using Phone Bills (Rashbaum)
    
    New York organized crime figures reportedly bilked millions of unsuspecting
    consumers out of more than $200 million over five years by piggybacking
    bogus charges on their telephone bills ("cramming").  [Source: William
    K. Rashbaum, *The New York Times*, 11 Feb 2004; PGN-ed]
      http://www.nytimes.com/2004/02/11/nyregion/11MOB.html
    
    ------------------------------
    
    Date: Tue, 17 Feb 2004 07:59:24 -0700
    From: "NewsScan" <newsscan@private>
    Subject: Amazon reviewers identified -- as the authors! (NewsScan)
    
    Authors in the news -- unintentionally
    
    A software glitch exposed the real identities of book reviewers at Amazon's
    Canadian Web site -- thereby revealing that some authors are in the practice
    of posting anonymous glowing reviews of their own work.  [Surprise.]  One
    defender of the practice is author John Rechy, who wrote a favorable review
    of his latest book, posting the review anonymously as "A Reader From
    Chicago."  Rechy says: "That anybody is allowed to come in and anonymously
    trash a book to me is absurd.  How to strike back?  Just go in and rebut
    every single one of them."  The glitch has since been unglitched.  [AP/*San
    Jose Mercury News*, 14 Feb 2004; NewsScan Daily, 17 Feb 2004]
      http://www.siliconvalley.com/mld/siliconvalley/7955264.htm
    
    ------------------------------
    
    Date: Wed, 18 Feb 2004 18:36:02 +0200
    From: Gadi Evron <ge@private>
    Subject: Alleged Trojan horse in Israeli anti-ballistic missile system
    
    On 15 Feb 2004, an article appeared in one of Israel's leading newspapers,
    *Maariv*, claiming a Trojan horse _might_ have been installed by Egypt in
    the Israeli Arrow anti-ballistic missile system.  You can find an article I
    wrote on the subject, specifying the known facts at:
      http://www.math.org.il/arrow-trojan.html
    
    Also solarday@private  +972-50-428610 (Cell)
    http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc
    
    ------------------------------
    
    Date: Thu, 12 Feb 2004 10:23:30 -0500
    From: Lillie Coney <lillie.coney@private>
    Subject: GAO Report Warns of Airline Security Shortcomings (*LATimes*)
    
    In its report (released on 13 Feb 2004), a General Accounting Office study
    notes that CAPPS II (intended to pick out potential terrorists from among
    millions of air passengers) has run into "significant challenges" posing
    "major risks" to its deployment and public acceptance.  Problems include
    overall system reliability and false positives, and resolving the rights of
    those falsely identified.  Passenger-provided information would be
    outsourced to government contractors for analysis, the government would
    check supposedly validated identities against a watch list, and the result
    would be a green, yellow, or red risk rating for each would-be passenger.
    Allegedly only about 4% would be rated yellow, and "an average of only one
    or two people a day" would be rated red.  [Remember that even a 1% false
    positive rate would mistakenly identify tens of thousands of travelers.]
    
    "But the GAO report found that the agency has not adequately addressed seven
    of eight concerns raised by Congress.  These include preventing abuses,
    protecting privacy, creating an appeals process, assuring the accuracy of
    passenger data, testing the system, preventing unauthorized access by
    hackers and setting out clear policies for the system."  GAO investigators
    concluded that, though the agency was making advances in all these areas,
    progress was incomplete.  [Source: Ricardo Alonso-Zaldivar, *Los Angeles
    Times*, 12 Feb 2004; PGN-ed]
      www.latimes.com/technology/la-na-profiling12feb12,1,3293045.story?coll=la-headlines-technology
    
    ------------------------------
    
    Date: Thu, 12 Feb 2004 16:08:13 -0800
    From: "Kevin L. Poulsen" <klp@private>
    Subject: GE says blackout bug patched (Re: RISKS-23.18)
    
    GE Energy has now acknowledged the bug reported by SecurityFocus earlier
    this week ("Software bug contributed to blackout," RISKS-23.18).
    The AP reports that the company says it distributed an advisory and a
    fix to more than 100 utility customers last fall.
    
    http://www.securityfocus.com/news/8032
    
    ------------------------------
    
    Date: Tue, 10 Feb 2004 17:17:27 PST
    From: Lauren Weinstein <lauren@private>
    Subject: Strategic planning for VeriSign restart of "Site Finder"
    
    Given that VeriSign is strongly hinting that they'd like to soon restart
    their notorious and disruptive Site Finder domain diversion scheme
    (see: http://www.washingtonpost.com/wp-dyn/articles/A25819-2004Feb9.html),
    I believe it would be prudent for the Internet community to begin
    planning now for appropriate legal, business, and technical actions and
    reactions for that or related possible eventualities.
    
    The PFIR Forum on "E-Mail Issues, Problems, and Solutions":
      http://forums.pfir.org
    is available immediately for this purpose as a starting point (even though
    Site Finder issues transcend e-mail).  I can spin off a separate forum for
    this discussion later if traffic and circumstances warrant it.  We need to be
    discussing these issues now so that if and when VeriSign starts the clock on
    a Site Finder reactivation we won't be blindsided again.
    
    Also, any e-mail on this topic that is not suitable for the public
    discussion forum is invited at: 
      vs@private
    
    Lauren Weinstein lauren@private  lauren@private  lauren@private
    Tel: +1 (818) 225-2800 http://www.pfir.org/lauren http://www.factsquad.org
    >>> "The VeriSign Song": http://www.pfir.org/vs-song <<<
    
    ------------------------------
    
    Date: Tue, 17 Feb 2004 07:59:24 -0700
    From: "NewsScan" <newsscan@private>
    Subject: FTC warning about private no-spam registry
    
    The Federal Trade Commission has cautioned computer users not to fall victim
    to a Web site claiming to offer an e-mail version of the federal do-not-call
    registry.  Despite the official-looking appearance of the site's URL, the
    "Do Not E-mail Registry" has no affiliation with the U.S. government, and is
    apparently a scam for collecting e-mail addresses on behalf of spammers.
    However, the site's operators say their registry serves "legitimate direct
    marketers" who want to make sure their mailings don't go to spam opponents.
    The e-mail addresses collected by the registry are made available to bulk
    mailers in an encrypted form allowing them to check for any overlap with
    their own mailing lists without seeing the actual addresses.  [*The
    Washington Post*, 15 Feb 2004; NewsScan Daily, 17 Feb 2004]
      http://www.washingtonpost.com/wp-dyn/articles/A41490-2004Feb14.html
    
    ------------------------------
    
    Date: Fri, 13 Feb 2004
    From: Terence Eden
    Subject: TiVo's privacy policy
    
    TiVo has always been very open about its data retention policy.  It has the
    ability to review every IR command sent to the box and can track what people
    watch and how they watch certain programmes.  When signing up to the TiVo
    service, people are explicitly asked if they want to opt-***IN*** to the
    monitoring scheme.  Anecdotally, most people are happy to be monitored in
    the hope of improving the quality of TV programming.
    
    The RISK?  Assuming that all data retention is unasked for, unwarranted and
    unhelpful!
    
    ------------------------------
    
    Date: Fri, 13 Feb 2004 17:27:07 -0700
    From: Aaron <aaron@private>
    Subject: Re: Privatization vs privacy (Knauss, RISKS-23.18)
    
    > [The previous item] exemplifies some of the risks of allowing private
    > corporations to manage sensitive data without adequate government oversight.
    
    The item has nothing to do with government/private interaction, except
    for the fact that it was a government/private interaction.
    
    The risks apply to *any* sensitive database, public or private.  Should we
    be asking for "adequate government oversight" of *private* databases?
    
    Trying to get sensitive work done on the cheap, without oversight, without
    verifying qualifications, is asking for trouble no matter who owns the
    database, no matter what's in the database.  If the agency couldn't afford
    proper maintenance, the solution should have been to not have the database
    at all.
    
    The current administration does not have a monopoly on stupidity; it's quite
    abundant in the universe and easy to stumble over.  Politicizing the risk
    only obscures the issue.
    
    ------------------------------
    
    Date: Thu, 12 Feb 2004 18:30:18 -0700
    From: Thomas Harrington <tph@private>
    Subject: Challenge/Response spam blocking
    
    Many of you have probably noticed that people who use Earthlink can now 
    opt for a challenge/response spam-protection system.  As Earthlink 
    implements this, the first time you send an e-mail to someone using this 
    feature, you get an autoresponse directing you to a web page where 
    you're supposed to prove yourself to be human, providing your name and 
    optionally a short message.  Do so and the message goes through.
    
    To defeat auto-completion of this web page by scripts they include an 
    image showing five random letters, which is distorted in the hope of 
    defeating OCR software.  You're supposed to type in the five letters in 
    a box in the web form.
    
    Only those images aren't all that random.
    
    Because of some business requirements I won't go into just now, I end 
    up confronting this page quite frequently.  And my web browser 
    auto-completes forms -- which is nice, since I'm inevitably filling in 
    the same information.  What's surprising is that when doing this, my 
    web browser often fills in the "random" image text correctly.  It's not 
    always right at first, but if I type the first letter (or sometimes the 
    first two), it completes the rest of the letters correctly.
    
    Some experimenting indicates that in dozens of visits to this challenge
    page, I've only seen about a dozen distinct "random" text images.  I hardly
    ever type more than the first one or two letters showing anymore.  Getting
    one of 12 right on a random guess is a low success rate by most measures.
    But consider that the spammers who are supposed to be blocked by this are
    already operating a business model where one success in several million is
    reputedly enough to be profitable.
    
    Addendum 15 Feb 2004: Challenge/Response spam blocking
    
    I just wanted to add some additional information that's come to light in the
    past few days.
    
    1. Earthlink's challenge-response system seems to be buggy.  Today, despite
    numerous attempts, it keeps telling me I've misread the letters image, for
    multiple e-mails I'm trying to send.  I have a couple of customers at
    Earthlink who are probably going to think I'm ignoring them, but Earthlink
    is just not letting me send them messages.  After doing this a few times I
    decided to try their help link for visually-impaired people (I'm not
    visually impaired, but saw no other option).  This directed me to an online
    web-based chat from which I was repeatedly disconnected until I gave up.
    Hopefully this customer won't be too upset at what would look to him like
    I'm not listening to him...  Right now Earthlink's spam-blocker is so
    effective that it's preventing even legitimate e-mail from getting through.
    
    2. As a side-effect of this I've discovered what happens if you enter the
    image text incorrectly (or at least the server thinks you've entered it
    incorrectly): You get to try again, apparently as many times as you like.
    Given my previously-discovered non-randomness of the challenge images, it'd
    be short work for a spammer to load up a script with a collection of correct
    answers to the challenge, and just have it keep trying until it gets the
    right one.  As I've described previously, the set of correct answers is very
    small, so this would be nowhere near as challenging as a typical
    dictionary-style attack.
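
Both weaknesses Thomas describes, a challenge pool of roughly a dozen images and unlimited retries against the same challenge, are properties of the verifier rather than of the image distortion. The following is an added example, not Earthlink's code and not from the post: a challenge verifier that draws each answer from a large random keyspace, binds it to a single-use token, expires it, and locks the token after a small number of wrong answers. The alphabet, challenge length, attempt limit and time-to-live are assumed values chosen for illustration; the image rendering itself is out of scope.

```python
"""Single-use, attempt-limited challenge verifier (added example)."""
import secrets
import time

# Ambiguous glyphs (0/O, 1/I) dropped so a human is not penalised for misreading.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CHALLENGE_LEN = 5        # assumed: five characters, as in the post
MAX_ATTEMPTS = 3         # assumed: lock the token after three wrong answers
TTL_SECONDS = 300        # assumed: a challenge is valid for five minutes


def keyspace():
    """Number of distinct answers the generator can produce."""
    return len(ALPHABET) ** CHALLENGE_LEN


def guess_success_probability(pool_size, attempts):
    """Chance that `attempts` distinct guesses hit a challenge drawn uniformly
    from `pool_size` possibilities (capped at certainty)."""
    return min(1.0, attempts / pool_size)


class ChallengeStore:
    """Issues challenges and verifies responses. `clock` is injectable so the
    expiry path can be exercised without waiting."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}   # token -> [answer, issued_at, attempts_left]

    def issue(self):
        """Return (token, answer). The token goes into the web form; the answer
        goes only to the image renderer, never to the client in clear text."""
        answer = "".join(secrets.choice(ALPHABET) for _ in range(CHALLENGE_LEN))
        token = secrets.token_urlsafe(16)
        self._pending[token] = [answer, self._clock(), MAX_ATTEMPTS]
        return token, answer

    def verify(self, token, response):
        """Return one of 'ok', 'wrong', 'locked', 'expired', 'unknown'.
        A token is removed on success, lockout or expiry, so it cannot be
        replayed or retried indefinitely."""
        entry = self._pending.get(token)
        if entry is None:
            return "unknown"
        answer, issued_at, _ = entry
        if self._clock() - issued_at > TTL_SECONDS:
            del self._pending[token]
            return "expired"
        supplied = response.strip().upper().encode()
        if secrets.compare_digest(answer.encode(), supplied):
            del self._pending[token]
            return "ok"
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[token]
            return "locked"
        return "wrong"


if __name__ == "__main__":
    store = ChallengeStore()
    token, answer = store.issue()
    print("keyspace:", keyspace())
    print("3 guesses vs pool of 12 (post's observation):",
          guess_success_probability(12, 3))
    print("3 guesses vs full keyspace:",
          guess_success_probability(keyspace(), 3))
    print(store.verify(token, "wrong"), store.verify(token, answer),
          store.verify(token, answer))
```

The two numbers printed at the start make the post's point quantitatively: with a dozen fixed images and unbounded retries the expected number of tries to pass is small and success is certain, whereas a fresh five-character draw from this alphabet gives over 33 million possibilities and three attempts per token leave a guesser with a success chance on the order of 1 in 10 million per challenge.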
    
    ------------------------------
    
    Date: Thu, 12 Feb 2004 22:01:35 -0500
    From: Carl Fink <carl@private>
    Subject: Social Security number as identity: not secure
    
    I needed to use my corporate travel web site today, after not using it since
    I first signed up.  As you might expect, I had forgotten my password.
    
    To have a password mailed to me, I enter my user ID and request it.  No
    problem, except the user ID is my Social Security number, and the password
    is mailed back unencrypted.
    
    In other words, anyone who knows my SSID and has access to the corporate
    mail system can hijack my account.  My employer's travel web site is a
    service of getthere.com.
    
    Carl Fink <carl@private>  http://www.jabootu.com
    
      [We've been over this topic many times here, but the message still 
      needs to be reinforced.  PGN]
    
    ------------------------------
    
    Date: Tue, 03 Feb 2004 22:24:51 -0500
    From: "Prodin, Timothy (T.R.)" <tprodin@private>
    Subject:  Re: Spirit Rover humbled (RISKS-23.15)
    
    What the Rovers do not have is a simple precaution that would prevent the
    continuous reset loop that Spirit went through.  A simple counter that
    tracked the number of resets per Sol, the mission timekeeping unit, would
    have allowed the Rover to degrade gracefully to an "Operator Intervention
    Required" state.  The current strategy came close to putting Spirit into an
    unrecoverable condition; cut into useful life of the mission; and, most
    importantly, obscured valuable diagnostic information.
    
    The RISK?  Using a reset to clear from unrecoverable errors can get you
    in trouble if the reset does not clear the root cause of the error state.
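
The counter Timothy proposes is a small piece of state machinery. The following is an added example, not NASA's flight software and not the poster's code: a per-Sol reset counter kept in storage that survives a reboot (a plain dict stands in for non-volatile memory here), which latches the vehicle into an operator-intervention state once the per-Sol budget is exhausted and stays there until an operator clears it, so the fault is preserved rather than cleared by the next reset. The budget of three resets per Sol is an assumed value.

```python
"""Per-Sol reset budget with a latched safe state (added example)."""

MAX_RESETS_PER_SOL = 3   # assumed budget; a real value would come from mission rules


class ResetGuard:
    NORMAL = "NORMAL"
    SAFE = "OPERATOR_INTERVENTION_REQUIRED"

    def __init__(self, nvram, limit=MAX_RESETS_PER_SOL):
        # `nvram` must outlive a reset; a dict models that persistence here.
        self.nvram = nvram
        self.limit = limit
        nvram.setdefault("sol", None)
        nvram.setdefault("resets", 0)
        nvram.setdefault("mode", self.NORMAL)

    def on_boot(self, current_sol):
        """Call first thing after every reset, before the normal boot sequence
        runs (and before anything that might trigger the same fault again).
        Returns the mode the boot sequence must proceed in."""
        if self.nvram["mode"] == self.SAFE:
            # Latched: the budget was already exhausted. Do not count, do not
            # clear; wait for an operator, keeping diagnostics intact.
            return self.SAFE
        if self.nvram["sol"] != current_sol:
            # New Sol: the budget starts fresh.
            self.nvram["sol"] = current_sol
            self.nvram["resets"] = 0
        self.nvram["resets"] += 1
        if self.nvram["resets"] > self.limit:
            self.nvram["mode"] = self.SAFE
            return self.SAFE
        return self.NORMAL

    def operator_clear(self, current_sol):
        """Explicit ground command: return to normal with a fresh budget."""
        self.nvram["mode"] = self.NORMAL
        self.nvram["sol"] = current_sol
        self.nvram["resets"] = 0


def simulate_reset_loop(resets, sol, limit=MAX_RESETS_PER_SOL):
    """Model a fault that resets the vehicle `resets` times within one Sol and
    return the mode reported at each boot."""
    nvram = {}
    guard = ResetGuard(nvram, limit)
    return [guard.on_boot(sol) for _ in range(resets)]


if __name__ == "__main__":
    # Constructed scenario: a persistent fault causing repeated resets on one Sol.
    for i, mode in enumerate(simulate_reset_loop(6, sol=18), start=1):
        print(f"boot {i}: {mode}")
```

Without the guard, the sixth boot in this scenario looks exactly like the first; with it, the fourth boot already refuses to re-enter the path that caused the fault and the counter in persistent storage tells the operators how many times it happened.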
    
    ------------------------------
    
    Date: Tue, 17 Feb 2004 09:24:02 -0800
    From: Kyle York <kyork@private>
    Subject: Sputnik & garage door openers (Re: RISKS-23.18)
    
    > Things have improved enormously since the early garage-door openers, many
    > of which opened and closed each time the orbiting Russian Sputnik went
    > overhead.  I have not noted that marvelous case here since RISKS-8.38,  PGN]
    
    This piqued my curiosity so I thought I'd look around.  I've not found the
    Sputnik/garage door opening to be more than an urban legend and was
    wondering if you've references to the contrary.  Most of what I've found
    seems to derive from the same source.  It seems sunspots are a more logical
    conclusion.
    
      From alt.folklore.urban:
    
    The full link if you're interested:
    <http://www.google.com/groups?threadm=3BDFE8A4.3BE6D2FF%40midway.uchicago.edu>
    
      The 20MHz frequency of Sputnik was not used for things like garage door
      openers, which probably used the 27MHz frequency band (the same one used
      by CB in later years). That band was allocated by the FCC for low-power
      devices (under 100 milliwatt), including remote controls, and cheap toy
      walkie-talkies. It continued to be used for walkie talkies after CB became
      big, but other remote-controlled devices were moved off this band up into
      the VHF frequencies after the CB craze hit.
    
      [Can anyone provide evidence that this is NOT an urban legend?  PGN]
    
    ------------------------------
    
    Date: Fri, 13 Feb 2004 01:49:33 -0500 (EST)
    From: Lawrence Kestenbaum <polygon@private>
    Subject: Re: SPF and its critics (RISKS-23.18)
    
    Ian Jackson and Markus Fleck-Graffe (in RISKS 23.18) offer some technical
    criticisms of the SPF proposal.  I am not competent to judge the networking
    pros and cons, but the e-mail system as it exists is most assuredly broken.
    
    My e-mail address has been public for years, and appears on my web site,
    which gets hundreds of thousands of visitors per month.  I get a steady
    stream of unsolicited (yet valuable) personal mail from web site users.  And
    I do get at least a couple hundred spam and virus/worm e-mails per day.  I
    cope.
    
    But the junk has suddenly reached a new level.
    
    Starting in early January, some spamhaus started using my e-mail address in
    the From: and Reply-to: lines of a large quantity of bulk messages
    advertising a product claimed to change the size of a body part.  As a
    result, I received thousands of bounce and rejection notices from all over
    the world.  The flow diminished for a couple of days, then resumed in full
    force, as the spammer sent out new waves of bulk mail, now advertising a
    get-rich-quick scheme.  It's February 13 now, and the bounces are still
    pouring in.
    
    Of course the actual miscreant is hidden because the spams themselves are
    originated from what are probably DSL or cable modem connected Windows
    machines under remote control by the spammers.  For a while, I read headers
    and sent complaints about obviously compromised machines to abuse@ the
    applicable ISP, but some of those bounced, and most of the rest ignored me.
    Of course a lot of the spam-bounce messages didn't send enough of the
    headers back to even figure out who I could complain to.
    
    Especially annoying are nastygrams from spam detection services, which
    should know that spam headers are forged.  I have also received rejection
    notices which announce that the e-mail was refused because it originated at
    or forwarded through a spammer-compromised server -- so why are they sending
    ME a rejection notice?
    
    On top of this came the MyDoom outbreak.  Almost every Windows-based virus
    or worm scans browser caches for e-mail addresses, where (mostly) webmaster
    addresses are to be found.  Therefore, when an outbreak occurs, anyone with
    a popular web site suddenly gets thousands of copies of the latest plague.
    
    I can cope with that.  But the malware ALSO uses the same list of found
    addresses to forge From: lines.  Hence, thousands of virus/worm e-mails
    generated in other places have my address in the header.  And when the
    recipient isn't deliverable, thousands of bounce messages come to me, and
    are obviously harder to filter out than the actual virus.
    
    Worse yet are virus protection programs which generate autoreplies to the
    forged address, to inform me that my server (a Unix box) is infected with
    MyDoom.  Um, if your software is smart enough to recognize MyDoom (or any
    other virus of recent years), why is it too dumb to know that the From: line
    has nothing to do with the origin of the item?
    
    The critics of SPF suggest that spammers would simply find or invent other
    addresses to use.  Frankly, I don't care about that, so long as they stopped
    plastering my personal address on hundreds of thousands of fraudulent and
    disreputable spam messages and viruses, and clogging my server's net
    connection with vast piles of misdirected bounces.
    
    Lawrence Kestenbaum, P.O. Box 2563, Ann Arbor MI 48106, polygon@private
    The Political Graveyard, http://politicalgraveyard.com
    
    ------------------------------
    
    Date: Wed, 18 Feb 2004 14:32:49 -0500
    From: "Gary McGraw" <gem@private>
    Subject: Exploiting software
    
    What are the RISKS of publishing a book on how to break software?  What are
    the RISKS of pretending software exploits are really dumb and building lame
    technology to "stop" them?  How do these RISKS trade off?  Judge for
    yourself by reading *Exploiting Software* by Greg Hoglund and Gary McGraw
    (Addison-Wesley 2004).
    
    Early review:
    http://www.ieee-security.org/Cipher/BookReviews/2004/Hoglund_by_bruen.html
    
    Gary McGraw  CTO, Cigital  http://www.cigital.com
    
    ------------------------------
    
    Date: 28 Jan 2004 (LAST-MODIFIED)
    From: RISKS-request@private
    Subject: Abridged info on RISKS (comp.risks)
    
     The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
     if possible and convenient for you.  Alternatively, via majordomo,
     send e-mail requests to <risks-request@private> with one-line body
       subscribe [OR unsubscribe]
     which requires your ANSWERing confirmation to majordomo@private .
     If Majordomo balks when you send your accept, please forward to risks.
     [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
     this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
     Lower-case only in address may get around a confirmation match glitch.
       INFO     [for unabridged version of RISKS information]
     There seems to be an occasional glitch in the confirmation process, in which
     case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
       .UK users should contact <Lindsay.Marshall@private>.
    => SPAM challenge-responses will not be honored.  Instead, use an alternative
     address from which you NEVER send mail!
    => The INFO file (submissions, default disclaimers, archive sites,
     copyright policy, PRIVACY digests, etc.) is also obtainable from
       http://www.CSL.sri.com/risksinfo.html
     The full info file may appear now and then in future issues.  *** All
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risks@private with meaningful SUBJECT: line.
     *** NEW: Including the string "notsp" at the beginning or end of the subject
     *** line will be very helpful in separating real contributions from spam.
     *** This attention-string may change, so watch this space now and then.
    => ARCHIVES: ftp://ftp.sri.com/risks [subdirectory i for earlier volume i]
     http://www.risks.org redirects you to the Lindsay Marshall's Newcastle archive
     http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue]
       Lindsay has also added to the Newcastle catless site a palmtop version
       of the most recent RISKS issue and a WAP version that works for many but
       not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing,
        http://www.csl.sri.com/illustrative.pdf or .ps for printing
    
    ------------------------------
    
    End of RISKS-FORUM Digest 23.19
    ************************
    



    This archive was generated by hypermail 2b30 : Wed Feb 18 2004 - 14:22:05 PST