[RISKS] Risks Digest 23.70

From: RISKS List Owner (risko@private)
Date: Wed Feb 09 2005 - 16:51:57 PST


RISKS-LIST: Risks-Forum Digest  Weds 9 February 2005  Volume 23 : Issue 70

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/23.70.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Off-by-one error: Evacuate the entire state! (Howard M Israel)
Food via inkjet printer (Joyce Scrivner)
An example of vulnerable OS creating havoc in new/unexpected locations
  (Karl Klashinsky)
What's Bugging the High-Tech Car? (Tim Moran via Howard M Israel)
Zuerich Main Railway Station Outage (Peter B. Ladkin)
Supermarket: Let your fingers do the paying (Monty Solomon)
How GPS Is Killing Lighthouses (sakshale)
J.K. Rowling denounces Internet fraudsters (NewsScan)
Most Dangerous Types Of Spyware Increasing, States SpyAudit Survey
  (Monty Solomon)
Spammers try a new tack (NewsScan)
Goofy account identification (Geoff Kuenning)
The Land Registry (Ben Laurie)
Weak on the concept (Elias Levy via PGN)
U of Calgary adding spam and spyware (Rob Slade)
Re: 'Thief-proof' car key cracked. What, already?  (Steve Wildstrom)
Re: It's a feature, not a bug! (Kees Huyser)
Re: 'Hot' URLs in e-mail (William L Anderson)
Balancing security and our lives (Jeremy Epstein)
REVIEW: "Managing Security with Snort and IDS Tools", Cox/Gerg (Rob Slade)
COMPSAC 2005: Extended deadline for paper submission (Yuen Tak YU)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 2 Feb 2005 11:33:13 -0500
From: Howard M Israel <hisrael@private>
Subject: Off-by-one error: Evacuate the entire state!

Connecticut state emergency management officials said a worker entered the
wrong code during the weekly test of the emergency alert system, leading
television viewers and radio listeners to believe that the state was being
evacuated: "Civil authorities have issued an immediate evacuation order for
all of Connecticut, beginning at 2:10 p.m. and ending at 3:10 p.m."  The
code that was mistakenly entered appeared on a monitor one line above the
intended code for the test.  As soon as the error was detected, faxes went
out to every police department in the state.

Source: Emergency broadcast test mistakenly calls for evacuation, AP item
[PGN-ed], The Hartford Courant, 1 Feb 2005, http://www.ctnow.com/
http://www.nynewsday.com/news/local/wire/ny-bc-ct---evacuationerror0201feb01,0,6738941.story

------------------------------

Date: Fri, 04 Feb 2005 11:24:48 -0600
From: Joyce Scrivner <kscriv@private>
Subject: Food via inkjet printer

Moto, a Chicago restaurant, serves "sushi" with maki-like images printed
with a Canon i560 inkjet printer using organic food-based inks jetted onto
edible "paper" made from soybeans and cornstarch and flavored with powdered
soy and seaweed seasonings.  Even the menu is edible.  

http://www.nytimes.com/2005/02/03/technology/circuits/03chef.html?ei=5088&en=86bc342e2ce05d47&ex=1265086800&partner=rssnyt&pagewanted=print&position=

 [This article has been severely PGN-ed.  Actually, squid ink might be an
  interesting choice, unless it would clog the jets.  Joyce wondered whether
  a diner could be poisoned by the inkjet food.  But perhaps the menu is
  also printed from the same printers, using the same inks, and not used for
  other porpoises?  You might ask, what do they do for cuttlery?  (That's a
  pun, not a mispeling; a cuttlefish has 10 arms, and is related to the
  squid.  A live one might make an interesting array of chopsticks.)  And,
  if you knew Sushi like I know Sushi, you might want to Moto-r on over.  Or
  maybe not.  It might be overpriced, but not overriced.  And the chef will
  maki-a-velli nice presentation.  PGN]

------------------------------

Date: Wed, 26 Jan 2005 16:02:43 -0800
From: Karl Klashinsky <klash@private>
Subject: An example of vulnerable OS creating havoc in new/unexpected locations

The topic of software flaws in the embedded systems within modern
automobiles has been discussed in RISKS several times.  But here's a new
twist (to me, at least), a case where the on-vehicle software is corrupted
by a virus, inserted into the automobile's computing systems, via a
Bluetooth-enabled cell phone:

http://www.infosecnews.com/news/index.cfm?fuseaction=newsDetails&newsUID=bc5789cf-e448-4a6e-bee9-a5dd291405ed&newsType=News

[ Same article in shorter URL: http://tinyurl.com/5p3jh ]

There's the obvious risk here... a vehicle can be infected by the cell-phone
in the vehicle next to you while stopped in traffic or sitting in a parking
lot.  As this vulnerability becomes known in the cracker community, how long
before someone tailors a virus specific to a vehicular target -- perhaps
creating runaway-vehicle scenarios similar to the "faulty cruise control"
incidents reported here in RISKS.

------------------------------

Date: Mon, 7 Feb 2005 09:29:29 -0500
From: Howard M Israel <hisrael@private>
Subject: What's Bugging the High-Tech Car? (Tim Moran)

Tim Moran, What's Bugging the High-Tech Car? *The New York Times*, 6 Feb 2005
http://www.nytimes.com/2005/02/06/automobiles/06AUTO.html?oref=login

On a hot summer trip to Cape Cod, the Mills family minivan did a peculiar
thing. After an hour on the road, it began to bake the children. Mom and Dad
were cool and comfortable up front, but heat was blasting into the rear of
the van and it could not be turned off.  Fortunately for the Mills children,
their father - W. Nathaniel Mills III, an expert on computer networking at
I.B.M. - is persistent. When three dealership visits, days of waiting and
the cumbersome replacement of mechanical parts failed to fix the problem, he
took the van out and drove it until the oven fired up again. Then he rushed
to the mechanic to look for a software error.

"It took two minutes for them to hook up their diagnostic tool and find 
the fault," said Mr. Mills, senior technical staff member at I.B.M.'s T. 
J. Watson Research Center in Hawthorne, N.Y. "I can almost see the 
software code; a sensor was bad."

------------------------------

Date: Tue, 08 Feb 2005 11:49:54 +0100
From: "Peter B. Ladkin" <ladkin@private-bielefeld.de>
Subject: Zuerich Main Railway Station Outage

On Monday, 7th February the central computer at the rail control center for
Zuerich main station in Switzerland failed.  The outage was noticed at
08:40, and had deleterious consequences for further control centers which
were dependent on the Zuerich center.  It was partially back on-line at
13:40. No cause has yet been announced.

Zuerich is the largest city in Switzerland, and the train lines converging
on the main railway station are fairly complicated. Chaos was reported. The
Associated Press reported that trains between Zuerich and Pfaeffikon, a
commuter line on the left bank of Lake Zuerich, were all canceled for nearly
four hours. Buses were used to ameliorate the situation, for example for
trains in the direction of Chur. The Swiss television SF-DRS was reporting
on its WWW site that many commuters were delayed by two and a half
hours. Also that the trip between Lachen SZ and Zuerich, normally 45
minutes, took four hours.

The Swiss railway is renowned for its punctuality. They are amongst the
foremost, maybe the foremost, in the world in research into railway
scheduling and its implementation in the RAIL 2000 program.  I heard a talk
at the FORMS/FORMAT 2004 conference from Oskar Stalder about experiments in
continual punctuality information transfer to drivers, which enabled the
equipped trains to maintain a schedule on certain main lines to within a
ten-twenty-second margin of error - almost unthinkable. This incident will
worsen the stats for 2005 just a little.

The information about the outage came from
http://www.sfdrs.ch/system/frames/news/sda-news/index.php?/content/news/sda-news/meldung.php?docid=20050207d395595158238553833

Peter B. Ladkin, University of Bielefeld, Germany  www.rvs.uni-bielefeld.de

------------------------------

Date: Wed, 2 Feb 2005 02:04:53 -0500
From: Monty Solomon <monty@private>
Subject: Supermarket: Let your fingers do the paying

Excerpted from an article by Jo Best, news.com, 1 Feb 2005

A supermarket has given its customers the choice of paying by fingerprint at
a store in the state of Washington--and has found them surprisingly willing
to use the biometric system.  U.S. chain Thriftway introduced the system,
which uses technology from Pay By Touch, in its store in the Seattle area in
2002. It said it now sees thousands of transactions a month using the
payment method.  Once people have enrolled in the Pay By Touch system, they
have their fingerprint scanned as verification of identity at the
checkout. They then choose which credit card they want to pay the bill with,
having already registered the credit cards with the store.

Thriftway President Paul Kapioski said rather than shying away from 
the technology because of concerns about protecting their privacy, 
customer demand ensured that the biometric payment system made it 
past the pilot stage.  ...

http://news.com.com/2100-1029-5559074.html

------------------------------

Date: Tue,  8 Feb 2005 18:08:43 -0500
From: sakshale@private
Subject: How GPS Is Killing Lighthouses

Spiegel Online has an article about the impact of GPS systems on
Lighthouses.  They claim that the popularity of the satellite-based global
positioning system has led to the closure of lighthouses along the German
coast. Critics question whether the new system is reliable and safe enough
to warrant the closure of these historical beacons of safety.

http://service.spiegel.de/cache/international/0,1518,340729,00.html

------------------------------

Date: Wed, 02 Feb 2005 12:09:39 -0700
From: "NewsScan" <newsscan@private>
Subject: J.K. Rowling denounces Internet fraudsters

J.K. Rowling, author of the mega-popular Harry Potter series, is warning
fans to beware of Internet "phishing" scams claiming to sell electronic
copies of her latest book, "Harry Potter and the Half-Blood Prince." "The
only genuine copies of Harry Potter remain the authorized traditional book
or audio tapes/CDs distributed through my publishers," says Rowling, and her
copyright lawyer, Neil Blair, notes that Rowling has never granted licenses
for electronic versions of her books. "Please, please protect yourselves,
your computers and your credit cards and do not fall for these scams," says
Rowling. Police say they suspect organized crime gangs in Eastern Europe are
behind the fraudulent e-mail offers.  [Reuters/*The Washington Post*,
2 Feb 2005; NewsScan Daily, 2 Feb 2005]
  http://www.washingtonpost.com/wp-dyn/articles/A56379-2005Feb2.html

------------------------------

Date: Wed, 2 Feb 2005 09:35:22 -0500
From: Monty Solomon <monty@private>
Subject: Most Dangerous Types Of Spyware Increasing, States SpyAudit Survey

The most malicious forms of spyware, system monitors and Trojans, increased
in the last three months of 2004, according to the quarterly SpyAudit
report, the nation's next-generation Internet Service Provider, and Webroot
Software, a producer of award-winning privacy, protection and performance
software. The report also documents the complete SpyAudit results for 2004,
which tracked the growth of spyware on consumer PCs since the report's
inception on January 1, 2004.  It shows the instances of system monitors
rose 230 percent, while the instances of Trojans rose 114 percent from
October 2004 to December 2004. Trojans, keystroke loggers and system
monitors are capable of capturing keystrokes, online screenshots, and
personally identifiable information like your social security number, bank
account numbers, logins and passwords, or credit card numbers.

The number of SpyAudit scans performed during the fourth quarter also rose
with an increase of 72 percent from October 2004 through December 2004. In
total for 2004, more than 4.6 million scans were performed, discovering
approximately 116.5 million instances of spyware, adware or potentially
unwanted software. An average of 25 traces were found per SpyAudit scan for
2004. The complete report is available at
http://www.earthlink.net/spyaudit/press .  ...

PR Newswire, 2 Feb 2005
  http://finance.lycos.com/home/news/story.asp?story=46604321

------------------------------

Date: Fri, 04 Feb 2005 10:02:08 -0700
From: "NewsScan" <newsscan@private>
Subject: Spammers try a new tack

Tired of being blocked by "blacklists," spammers are turning to a new
technique -- routing it directly through the computers of their Internet
service providers, rather than sending it from individual machines. The
result poses a dilemma: to block spam coming directly from an ISP's servers
would mean blocking all its mail, crippling the system. "From what we've
seen, the volumes of this type of spam are going up dramatically," says
Steve Linford, who heads up the Spamhaus Project. "We're really looking at a
bleak thing" if ISPs don't quickly deploy countermeasures, he adds. Such
measures could include more aggressive monitoring and limiting how much mail
is being sent from individual machines on their networks. In addition, ISPs
should beef up efforts to authenticate mail they pass on through their own
computers, says Linford. A study released yesterday estimates that deleting
spam costs nearly $22 billion per year in lost productivity, based on a
survey of 1,000 adults who said they spend about three minutes per day
trashing spam when they check their e-mail. (*The Washington Post*, 4 Feb
2005; NewsScan Daily, 4 Feb 2005)
  http://www.washingtonpost.com/wp-dyn/articles/A61901-2005Feb3.html

------------------------------

Date: 01 Feb 2005 23:30:25 +0100
From: Geoff Kuenning <geoff@private>
Subject: Goofy account identification

To make a fairly long detective story very short, I have discovered that
amazon.com uses not only your e-mail address, but also your password, to
uniquely identify your account.  It is perfectly possible to have two
completely different accounts under the same e-mail address, distinguished
only by the password.

Huh?

My guess is that Amazon does this to make it possible for people who share a
single e-mail account to have different accounts at Amazon.  But it's not
documented anywhere, and can lead to great confusion for those who forget
that they have an account, create a new one, and later use the original
one's password.

And I wonder what happens when you click on the "Forgot your password?"
link.  Do they reset the passwords on all accounts?  When I have a bit more
time, I might set up some accounts on a dummy e-mail address to answer the
latter question.  -- Geoff Kuenning geoff@private
http://www.cs.hmc.edu/~geoff/
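
  [Added example, not part of the original post and not Amazon's code: a
  small Python model of the behaviour described above, where the pair
  (e-mail, password) selects the account, beside a store that keys on the
  address alone.  The class names, the constructed address and the PBKDF2
  settings are assumptions made for the illustration.]

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # kept low so the demo runs quickly; not a production setting


def kdf(password, salt):
    """Salted PBKDF2-HMAC-SHA256 digest of a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def normalize(email):
    return email.strip().lower()


class PasswordKeyedStore:
    """Model of the reported behaviour: (e-mail, password) selects the account."""

    def __init__(self):
        self.accounts = []  # the e-mail address is not unique here

    def register(self, email, password):
        salt = os.urandom(16)
        account_id = len(self.accounts) + 1
        self.accounts.append({"id": account_id, "email": normalize(email),
                              "salt": salt, "digest": kdf(password, salt)})
        return account_id

    def login(self, email, password):
        """Return every account id at this address whose password matches."""
        return [a["id"] for a in self.accounts
                if a["email"] == normalize(email)
                and hmac.compare_digest(a["digest"], kdf(password, a["salt"]))]

    def reset_candidates(self, email):
        """Accounts a 'Forgot your password?' request for this address could mean."""
        return [a["id"] for a in self.accounts if a["email"] == normalize(email)]


class UniqueEmailStore:
    """Alternative: the address alone identifies the account; the password only verifies."""

    def __init__(self):
        self.accounts = {}

    def register(self, email, password):
        key = normalize(email)
        if key in self.accounts:
            # Saying so reveals that the address is registered; a site that
            # minds can send the notice by mail to the address instead.
            raise ValueError("address already registered")
        salt = os.urandom(16)
        self.accounts[key] = {"id": len(self.accounts) + 1,
                              "salt": salt, "digest": kdf(password, salt)}
        return self.accounts[key]["id"]

    def login(self, email, password):
        a = self.accounts.get(normalize(email))
        if a and hmac.compare_digest(a["digest"], kdf(password, a["salt"])):
            return a["id"]
        return None

    def reset_candidates(self, email):
        a = self.accounts.get(normalize(email))
        return [a["id"]] if a else []


def demo():
    addr = "shared@example.test"         # constructed address
    keyed = PasswordKeyedStore()
    keyed.register(addr, "first-pass")   # the forgotten original account (id 1)
    keyed.register(addr, "second-pass")  # the account created later (id 2)
    keyed.register(addr, "first-pass")   # another user, same password (id 3)
    unique = UniqueEmailStore()
    unique.register(addr, "first-pass")
    try:
        unique.register(addr, "second-pass")
        duplicate_rejected = False
    except ValueError:
        duplicate_rejected = True
    return {
        "first_password_login": keyed.login(addr, "first-pass"),
        "second_password_login": keyed.login(addr, "second-pass"),
        "keyed_reset": keyed.reset_candidates(addr),
        "unique_reset": unique.reset_candidates(addr),
        "duplicate_rejected": duplicate_rejected,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

  [In the model, a reset request for the shared address has three
  candidates, and two accounts that pick the same password cannot be told
  apart at login; a store that keeps the address unique has neither case.]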

------------------------------

Date: Tue, 01 Feb 2005 22:33:56 +0000
From: Ben Laurie <ben@private>
Subject: The Land Registry

The UK Government has decided to make the Land Registry available online.
For those who don't know, this says who owns a property, what the property
is (i.e., the boundary), who has charges on the property, similarly whether
covenants apply, and so forth.

I suppose this risk isn't new, since this information was available offline,
but ... one of the people with a charge on your house is your mortgage
lender.  This is clearly stated in the Land Registry document.  What an
excellent resource for phishing and other fraud - both via e-mail and more
personal contact.

The relevant Land Registry data is available to all comers for 2 pounds. No
restrictions. And now, much easier to get.

http://www.apache-ssl.org/ben.html http://www.thebunker.net/

------------------------------

Date: Tue, 1 Feb 2005 17:15:39 PST
From: "Peter G. Neumann" <neumann@private>
Subject: Weak on the concept

Elias Levy (Symantec) noted a cute illustration of the weakest link in a
would-be security system:
  http://www.syslog.com/~jwilson/pics-i-like/kurios119.jpg

------------------------------

Date: Sun, 6 Feb 2005 16:53:48 -0800
From: Rob Slade <rslade@private>
Subject: U of Calgary adding spam and spyware

The University of Calgary is back at it again.

http://www.cbc.ca/story/canada/national/2005/02/05/email-course050205.html
http://pages.cpsc.ucalgary.ca/~aycock/
aycock@private, barker@private

(Interesting that his homepage is entitled "Unfettered by Content."  He
certainly seems to be unfettered by logic.)

This time they are adding spam and spyware to the curriculum.

I can vaguely see a dim advantage to having students write viruses in order
to understand them (rather inefficiently, in terms of time spent), but
getting them to write a spamming program in order to understand how to fight
spam seems even less effective.

As previously noted, John Aycock doesn't seem to have any credentials in
security or malware (no papers published prior to the virus course, nobody
in the field seems to know him), so why he, and the university, chose to do
this, other than pure self-promotion, is completely beyond me.

I am somewhat relieved by the fact that the paper submitted to EICAR shows
that a modicum of thought was given to the security of the laboratory.  The
irrelevance of the measures undertaken is no great surprise.  The
bibliography is interesting: Ludwig's second edition is there, along with
Mitnick's "19 chapters of gotcha," but on the AV side Cohen's 1994 edition
stands alone with Skoudis' rather pathetic work.  I would have thought that
anyone with even a pretence of academic intentions would have consulted
Ferbrache, and possibly Nazario's pompous but flawed attempt at worm
analysis.  Given Aycock's involvement in a rather banal crypto lab, I'm a
bit surprised that he hasn't tried to create Young and Yung's proposed
crypto-nasties.

rslade@private      slade@private      rslade@private
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

------------------------------

Date: Mon, 7 Feb 2005 11:05:27 -0500
From: "Steve Wildstrom" <steve_wildstrom@private>
Subject: Re: 'Thief-proof' car key cracked. What, already?  (RISKS 23:69)

I'm late reading and others have probably pointed this out, but Chris Leeson
misstates the purpose of the RFID chip in car keys. These are "immobilizer"
systems, designed to keep the car from starting, even with a physical key
present, unless the RFID tag responds correctly to a crypto challenge.

The full paper, by Steve Bono, Matthew Green, Adam Stubblefield, and Avi
Rubin of Johns Hopkins and Ari Juels and Michael Szydlo of RSA, is
available at http://rfid-analysis.org/ .

Steve Wildstrom, BusinessWeek 1200 G St NW Suite 1100, Washington, DC 20005
www.businessweek.com/technology/

  [Also noted by Alexandre Peshansky.  PGN]

------------------------------

Date: Wed, 2 Feb 2005 01:28:18 +0100
From: Kees Huyser <kees@private>
Subject: Re: It's a feature, not a bug! (Weber-Wulff, RISKS-23.69)

> a non-printable PDF file 

ehhh... non-printable? Hit "print screen"... If you want it to look nicer,
OCR the screendump.  Even the press should be able to figure this one
out. Obviously the Govt. agency responsible for the mess hasn't, which could
explain why it is such a mess...  

  [Dag-Erling Smørgrav says use GNU Ghostscript.  PGN]

------------------------------

Date: Wed, 02 Feb 2005 11:16:56 -0500
From: William L Anderson <band@private>
Subject: Re: 'Hot' URLs in e-mail (Ashworth, RISKS-23.69)

There's a small fact error in this piece:

  Mozilla Thunderbird is an e-mail client.
  Mozilla Firebird (and Camino (for the Mac)) are the browsers.

------------------------------

Date: Wed, 2 Feb 2005 11:23:32 -0500
From: Jeremy Epstein <jeremy.epstein@private>
Subject: Balancing security and our lives

In RISKS-23.68 I wrote about security problems with changing my address
online through Bank of New York, and in 23.69 Robert Ellis Smith
(justifiably) criticized my original action, saying "We gotta resist this,
so that organizations are sensitized to the risks of using SSNs."

After feeling suitably red-faced about my error, I pondered his point.  How
much can and should we, as the cognoscenti, do in our everyday lives to
fight silly security?  I know full well that most of the airport security is
useless (Schneier and others have done a great job pointing this out), but I
don't have the luxury of fighting it every time I make a trip.  While I
might object to showing an ID, unlike John Perry Barlow, I need to earn a
living.  I don't have the financial or time option of fighting a court
case because I think the rule is wrong.  I don't even have the time to
argue with the underpaid TSA person about the rules, which say you don't
have to take off your shoes (but woe be unto you if you refuse).

This was recently driven home to me as I helped my daughter with college
applications, which routinely ask for SSNs.  We compromised that when the
form is asking about financial information, we'd provide the SSN, since
they're asking for copies of tax returns which have the SSN anyway, but we
wouldn't put the SSN on the general application for admission.  Is this the
right tradeoff?  If she weren't asking for financial aid, I'd probably
refuse to provide the SSN at all.

What are some *practical* measures that we can and should be doing as
computer security professionals to help further understanding?  I agree with
Robert Ellis Smith that I shouldn't provide the information I did to
change an address, but I need to get the procedure done, and not spend a
week arguing that they shouldn't need my SSN to do a change of address.

I suggest that we'd be more effective if we all tried to do *something*,
rather than despairing about our inability to accomplish all the changes
we'd like to see.  Smith's web page has a good list
(http://www.privacyjournal.net/bio.htm); how many of us have the time &
energy to do more than a handful of them?  He hits the nail on the head when
he says ``Choose your battles. Not every collection of personal
information or every intrusion is worth expending your energy. Decide which
information is most sensitive to you and which moments in your life are most
important to protect.''

Where can and should working security professionals draw the line?

------------------------------

Date: Wed, 9 Feb 2005 08:20:13 -0800
From: Rob Slade <rslade@private>
Subject: REVIEW: "Managing Security with Snort and IDS Tools", Cox/Gerg

BKMSWSIT.RVW   20041106

"Managing Security with Snort and IDS Tools", Kerry Cox/Christopher
Gerg, 2004, 0-596-00661-6, U$39.95/C$57.95
%A   Kerry Cox
%A   Christopher Gerg
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2004
%G   0-596-00661-6
%I   O'Reilly & Associates, Inc.
%O   U$39.95/C$57.95 800-998-9938 fax: 707-829-0104 nuts@private
%O   http://www.amazon.com/exec/obidos/ASIN/0596006616/robsladesinterne
%O   http://www.amazon.co.uk/exec/obidos/ASIN/0596006616/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596006616/robsladesin03-20
%O   tl a rl 2 tc 3 ta 3 tv 2 wq 2
%P   269 p.
%T   "Managing Security with Snort and IDS Tools"

Chapter one explains what Snort, and network intrusion detection, is.  The
basics of network traffic sniffing and analysis, and the operation of
tcpdump and ethereal, are described in chapter two.  Installation, options,
and the basic operation of Snort are outlined in chapter three.  Chapter
four details the different types of blackhat and intruder activity in terms
of network intrusion.  Chapter five details the configuration file and
choices.  How, and where, to use and set up Snort is the topic of chapter
six.  Snort rules are explained in chapter seven, which also outlines the
system for creating them.  Snort can also be used for intrusion prevention,
as chapter eight points out.  Tuning sensitivity, and establishing
thresholds and clipping levels, is discussed in chapter nine.  Chapter ten
reviews the use of ACID (Analysis Console for Intrusion Detection) as a
management console.  An alternative program is SnortCenter, described in
chapter eleven, and more options are listed in twelve.  Chapter thirteen
notes possibilities for the use of Snort in high bandwidth situations.

For those interested in the standard intrusion detection program, here is a
set of useful explanations for its use and operation.

copyright Robert M. Slade, 2004   BKMSWSIT.RVW   20041106
rslade@private      slade@private      rslade@private
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

------------------------------

Date: Tue, 8 Feb 2005 05:40:18 +0800 (HKT)
From: CS Asst Prof Dr Yuen Tak YU <ytyu@private>
Subject: COMPSAC 2005: Extended deadline for paper submission

The 29th Annual International Computer Software and Applications Conference
                           COMPSAC 2005 
                 Edinburgh, Scotland, July 25-28, 2005 
                http://aquila.nvc.cs.vt.edu/compsac2005
         The major theme will be HIGH ASSURANCE SOFTWARE SYSTEMS.
  
Please note that the deadlines for submission of both regular and
workshop papers to COMPSAC 2005 have recently been extended.
The EXTENDED deadline for paper submission is only three weeks away:

** Extended deadline for conference papers: Feb 28, 2005 **
** Extended deadline for  workshop  papers: Feb 28, 2005 **
   Deadline for fast abstracts (unchanged): Mar 21, 2005

E-mail enquiries
-Program Co-Chairs: irchen@private  rni@private  meih@private
-Workshop Chair:             ewong@private
-Fast Abstract Co-Chairs:    xie@private  ylei@private 
-Steering Committee Chair:   yau@private

Y T Yu, Publicity Chair, COMPSAC 2005
Department of Computer Science, City University of Hong Kong 
csytyu@private  http://www.cs.cityu.edu.hk/~ytyu 

COMPSAC is a major international forum for researchers, practitioners,
managers, and policy makers interested in computer software and
applications. It was first held in Chicago in 1977, and since then it has
been one of the major forums for academia, industry, and government to
discuss the state of art, new advances, and future trends in software
technologies and practices.  The technical program includes keynote
addresses, research papers, industrial case studies, panel discussions and
fast abstracts. It also includes a number of workshops on emerging important
topics.

For more detailed and updated information, please refer to 
http://aquila.nvc.cs.vt.edu/compsac2005

For further information, please contact: 
Stephen S. Yau, Arizona State University, USA
E-mail: yau@private

------------------------------

Date: 29 Dec 2004 (LAST-MODIFIED)
From: RISKS-request@private
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.   Mailman can let you subscribe directly:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman your
 FROM: address, send a message to
   risks-request@private
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe@private or risks-unsubscribe@private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

   INFO     [for unabridged version of RISKS information]
 .UK users should contact <Lindsay.Marshall@private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> The INFO file (submissions, default disclaimers, archive sites,
 copyright policy, PRIVACY digests, etc.) is also obtainable from
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in future issues.  *** All
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks [subdirectory i for earlier volume i]
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing

------------------------------

End of RISKS-FORUM Digest 23.70
************************


