RISKS-LIST: Risks-Forum Digest Thursday 17 February 2005 Volume 23 : Issue 72
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/23.72.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
Missile interceptor doesn't even leave its silo -- again (Jeremy Epstein)
Report on Patriot missile friendly fire over Iraq (PGN)
TCAS RA incident (Martyn Thomas)
Scammers access ChoicePoint data on 35,000 (Matt Hines via Monty Solomon)
Trees with concealed GSM antennas (Dan Jacobson)
German TollCollect charges double (Debora Weber-Wulff)
Wife broke law in using spyware (NewsScan)
Gas stations lose money due inadvertent low pricing (Arthur T.)
'Smart' driver's licenses a Trojan horse? (NewsScan)
"The Mother is Back!" Announcing "DayThink" Audio Features (Lauren Weinstein)
Limits of search-and-replace (Mike Albaugh)
I may know who handles Personal Certs at thawte (Ed Bruce)
Malware and Auto Electronics (Peter B. Ladkin)
Re: More uses of satnav/GPS (Paul E. Bennett)
New copy-proof DVDs on the way? (John Borland via Monty Solomon)
Re: The risk of high-speed CD/DVD-rom drives in PCs (Eben King, Jonathan Smith)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Mon, 14 Feb 2005 21:06:17 -0500
From: Jeremy Epstein <jeremy.epstein@private>
Subject: Missile interceptor doesn't even leave its silo -- again
As reported in RISKS 23.65 and 23.66, the Dec 15 test of the missile
interceptor system failed when it didn't lift off from the launchpad due to
a timing problem.
The 14 Feb test didn't do any better. CNN reports that "a spokesman for the
[Missile Defense] agency, Rick Lehner, said the early indications was that
there was a malfunction with the ground support equipment at the test range
on Kwajalein Island in the Marshall Islands, not with the missile
interceptor itself. If verified, that would be a relief for program
officials because it would mean no new problems had been discovered with the
missile."
That's good news?
In case you're keeping score, that's 6 failures out of 9 attempts since the
program started. And the three "successes" have been highly scripted.
Your tax dollars at work (at least for Americans).
------------------------------
Date: Mon, 14 Feb 2005 11:39:40 PST
From: "Peter G. Neumann" <neumann@private>
Subject: Report on Patriot missile friendly fire over Iraq
Nathan White was piloting a Navy plane at 33,000 feet over Iraq on 2 Apr
2003. He was shot down by a US Patriot missile. The summary of a report
released on 10 Dec 2004 concludes that White's plane was mistaken for a
nonexistent hostile missile, and that the Patriot's proper launch procedures
were violated. However, a redacted version of the report notes the Army's
difficulties in using the Patriot system, including gaps in crew training
and frequent appearance of false tracks (which in past RISKS items are
referred to as ghosts). "The issues show the unintended dangers that
computerized weapons systems can pose, and the need for better human
oversight." [Source: Palo Alto *Daily News*, 9 Feb 2005, p. 25; PGN-ed]
------------------------------
Date: Sun, 13 Feb 2005 16:41:09 -0000
From: "Martyn Thomas" <martyn@thomas-associates.co.uk>
Subject: TCAS RA incident
The latest CHIRP Feedback contains an interesting report. Two aircraft
crossed with 1000 feet vertical separation in UK airspace. The higher
aircraft had a (known) faulty transponder that was reporting 500 ft lower
than actual, so the crossing caused a TCAS resolution advisory to descend in
the lower aircraft. The crew of the lower aircraft point out that if the
faulty transponder had read 1500 feet low, the Advisory would have said
"Climb" and they would have climbed into the other aircraft.
------------------------------
Date: Tue, 15 Feb 2005 11:20:34 -0500
From: Monty Solomon <monty@private>
Subject: Scammers access ChoicePoint data on 35,000 (Matt Hines)
[Source: Matt Hines, news.com, 15 Feb 2005]
ChoicePoint confirmed on 15 Feb that criminals recently accessed its
database of consumer records, potentially viewing the personal data of about
35,000 Californians and resulting in at least one case of identity fraud.
The unidentified individuals posed as legitimate businesspeople in order to
breech its defenses. Chuck Jones, a company spokesman, said that roughly 50
fraudulent accounts were set up by the schemers, through which they could
view the data of California residents.
News of the crime first surfaced when ChoicePoint sent an e-mail to
individuals potentially affected by the attack last week. Among the data
available through the company's services, and possibly accessed by the
criminals, are consumers' names, addresses, Social Security numbers and
credit reports.
http://news.com.com/2100-1029-5577122.html
------------------------------
Date: Wed, 16 Feb 2005 00:47:06 +0800
From: Dan Jacobson <jidanni@private>
Subject: Trees with concealed GSM antennas
"The product used in Palm antennas is formed by the tree itself and the
fronds". http://www.preservedpalm.net/gsm.shtml
GSM base stations are camouflaged in specially preserved palm trees, with
antennas that look like palm fronds with internal steel-bar reinforcements
for structural rigidity, and with cable works inside the trunk. [PGN-ed]
I suppose the risk here is assuming the plants aren't doing anything
special.
[They won't be doing much by themselves after they've been eviscerated.
But they could serve other purposes as well. This is another variation on
an old theme, so we'll add it to our Fronds List. PGN]
------------------------------
Date: Thu, 17 Feb 2005 18:22:23 +0100
From: Debora Weber-Wulff <weberwu@fhtw-berlin.de>
Subject: German TollCollect charges double
The Berlin daily Newspaper "Berliner Zeitung" keeps beating
up on the German TollCollect system.
http://www.berlinonline.de/berliner-zeitung/berlin/422264.html
[Note, the author is Peter Neumann, but not PGN!]
On Feb. 16, 2005 they report on a trucking company who was charged for the
same truck at the same time for two different pieces of Autobahn, while a
short time later they were charged for driving on some street that is not a
toll road. The winning charge is for going from Kurt-Schumacher-Damm to
Saatwinkler Damm (about 1.5 km as the crow flies) to the tune of 49
kilometers. According to the booking list the truck drove around town twice
and used the Avus, apparently turning on the autobahn to continue
.... [Maybe these are the same folks that programmed the MSN map from
Haugesund to Trondheim in Norway, via the continent
http://www.englishrules.com/archives/miscellany/index.php - dww]
On Feb. 17, 2005 they have a nice report about how easy it is to jump paying
for the toll.
http://www.berlinonline.de/berliner-zeitung/politik/422488.html
It seems that there are just 300 of these bridges that are controlling
bridges, the rest are just for calculating the fare. And the specifications
say that a 10% check is done, so there are only ever 30 of them on at a time
because the machines do the checking but human intervention is necessary to
flag down a toll jumper. In addition to which, the mobile checkers only work
day shifts, while a lot of trucking takes place at night. A federal trucking
organization took some test drives at night in the East to see if they got
hooked - negative. So here we have all this expensive technology and these
ugly bridges, and it still doesn't really work.
Prof. Dr. Debora Weber-Wulff FHTW Berlin, Internationale Medieninformatik
10313 Berlin +49-30-5019-2320 http://www.f4.fhtw-berlin.de/people/weberwu/
------------------------------
Date: Wed, 16 Feb 2005 09:42:15 -0700
From: "NewsScan" <newsscan@private>
Subject: Wife broke law in using spyware
A Florida appeals court has ruled that a suspicious wife, who installed
spyware on her husband's computer to secretly monitor and record his
electronic interactions with another woman, violated Florida's wiretapping
law. The law says anyone who "intentionally intercepts" any "electronic
communication" commits a criminal act. The wife had argued that her use of
Spector spyware should be viewed as similar to reading a stored file on her
husband's computer. But Judge Donald Grincewicz wrote that "because the
spyware installed by the wife intercepted the electronic communication
contemporaneously with transmission, copied it and routed the copy to a file
in the computer's hard drive, the electronic communications were intercepted
in violation of the Florida Act." [CNet News.com 15 Feb 2005; NewsScan
Daily, 16 Feb 2005]
http://news.com.com/Court+Wife+broke+law+with+spyware/2100-1030_3-5577979.html
------------------------------
Date: Sun, 13 Feb 2005 18:59:06 -0500
From: "Arthur T." <myspamtrap01@private>
Subject: Gas stations lose money due inadvertent low pricing
A (presumably self-service) gas station went all night with gas priced at
$.19/gallon instead of $1.83/gallon. The owner didn't know about it until
reporters asked him about the low price. He corrected the price only after
1200 gallons had been pumped.
It was blamed on a "computer glitch", but could easily have been a
data-entry error. The article mentions another case of a misplaced decimal
point in gas pricing.
The Risks are more human than computer. If you're going to leave the gas
station unattended, double-check your prices. (Although, I admit, it would
be nice to have the computer sanity-check your price.) Note: The article
doesn't say the station was unattended during the time the low price was in
effect, but I don't want to believe that any attendant could have let this
continue.
URL of story (beware of line-wrap):
http://story.news.yahoo.com/news?tmpl=story&cid=816&ncid=816&e=8&u=/ap/20050211/ap_on_fe_st/really_cheap_gas
------------------------------
Date: Mon, 14 Feb 2005 10:42:11 -0700
From: "NewsScan" <newsscan@private>
Subject: 'Smart' driver's licenses a Trojan horse?
A move by Congress to endorse a Republican-backed measure that would compel
states to redesign their driver's licenses by 2008 to comply with standards
for making them electronically readable has critics questioning government's
motives, saying it gives the Department of Homeland Security carte blanche
to do nearly anything "to protect the national security interests of the
United States." Rep. Ron Paul (R-Texas) says, "Supporters claim it is not a
national ID because it is voluntary. However, any state that opts out will
automatically make nonpersons out of its citizens. They will not be able to
fly or to take a train." Proponents of the Real ID Act say it reflects the
recommendations of the 9/11 Commission and will help in the battle against
terrorism and efforts to identify illegal immigrants. But Paul says, "In
reality, this bill is a Trojan horse. It pretends to offer desperately
needed border control in order to stampede Americans into sacrificing what
is uniquely American: our constitutionally protected liberty." [CNet
News.com 14 Feb 2005; NewsScan Daily, 14 Feb 2005]
http://news.com.com/From+high-tech+drivers+licenses+to+national+ID+cards/2100-1028_3-5573414.html
------------------------------
Date: Tue, 15 Feb 2005 22:49:47 -0800 (PST)
From: Lauren Weinstein <lauren@private>
Subject: "The Mother is Back!" Announcing "DayThink" Audio Features
Greetings. I'm pleased to announce "DayThink" -- a new series of very brief
(one-minute) MP3 audio features illuminating a wide range of relevant and
important topics. Each day's feature will focus on one specific issue
affecting our lives -- issues definitely worth thinking about. Many of
these segments will deal directly with the impacts of technology on
individuals and society.
DayThink features can be accessed via the DayThink main page at:
http://daythink.vortex.com
The debut segment is titled:
"The Mother is Back!"
and looks at the current round of telecom mergers and what they may mean for
us all.
A notification mailing list has been established that will send out a brief
message to subscribers as each new feature becomes available (never more
than one per day), including the segment title, a brief description, and a
link to the feature audio itself that can be played at one's leisure.
Subscriptions to that list can be established via:
http://lists.vortex.com/mailman/listinfo/daythink
or by simply sending a note (no subject or body necessary) to:
daythink-subscribe@private
I hope that these features will be of some value in helping folks wade
through the maze of many important issues.
Thanks very much.
Lauren Weinstein lauren@private lauren@private lauren@private
1 818-225-2800 http://www.pfir.org/lauren Fact Squad - http://www.factsquad.org
------------------------------
Date: Mon, 14 Feb 2005 14:33:40 -0700
From: Mike Albaugh <albaugh@private>
Subject: Limits of search-and-replace
I dug a few nifty Alphanumeric displays out of the scrap bin, and wanted to
use them in a sculpture. A few minutes searching on the web produced a
datasheet and application-notes for a plausibly similar device, but were I
too literal, I'd be perplexed.
The application-note claims that the sample code scrolls "AGILENT
TECHNOLOGIES" across the display, but the 8741 sample source code does not
include a general-pupose character generator and literal string. Rather,
there is a table of hexadecimal values, each row encoding the pixels of one
character. The end-of-line comments confirm the suspicion that a glance at
the table raises. Had I actually copied this code, I would see "HEWLETT
PACKARD"
The RISK here is only one of embarrassment, but imagine this sort of thing
happening in code for a device (e.g. many PC graphics cards) which uses
manufacturer's name or model number as a "key" to enable operation.
------------------------------
Date: Wed, 16 Feb 2005 10:46:01 -0500
From: Ed Bruce <ebruce@private>
Subject: I may know who handles Personal Certs at thawte
My personal e-mail cert from thawte is expiring soon. Thawte sent me an
e-mail informing me of this containing "links" to their web page on how to
extend it. Problem is I forgot my password and clicked on a link provided
to help me recover my password. It didn't work. I'm using Mozilla
Thunderbird, which displays the actually link at the bottom of the display.
This is what I saw:
file:///C:\Documents and Settings\jwolvaardt\Local Settings\Temporary
Internet Files\Local Settings\Temporary Internet Files\OLK3C\Expiring
personal Certs March.doc
I guess you don't need to just post Word documents to reveal information.
------------------------------
Date: Sun, 13 Feb 2005 08:14:49 +0100
From: "Peter B. Ladkin" <ladkin@private-bielefeld.de>
Subject: Malware and Auto Electronics (Klashinsky, Risks 23.370)
Karl Klashinsky reported in Risks 23.70 about:
a case where the on-vehicle software is corrupted by a virus, inserted
into the automobile's computing systems, via a blue-tooth enabled
cell-phone
and suggested the scenario:
As this vulnerability becomes known in the cracker community, how long
before someone tailors a virus specific to a vehicular target -- perhaps
creating runaway-vehicle scenarios similar to the "faulty cruise control"
incidents reported here in RISKS.
Interestingly, a day before I had been pointed to an article in a South
African newspaper about just such a migration, and there was also something
about viruses spreading from cell phones to cars in an article in the
*International Herald Tribune*, which I read daily.
There is a wonderful cartoon from the German computer magazine *c't* pinned
to my group's noticeboard. A passenger is sitting in an airliner using his
laptop, and on the screen appears:
Bluetooth: new device found: Airbus A310
In one journal it's a cartoon, and in the other journal it's news. What's
going on? I made some inquiries.
The punch-line first. Ross Anderson pointed me to
http://www.engadget.com/entry/1234000760029037/
which reports on someone asking Eugene Kaspersky of Kaspersky Labs about how
to cure a virus that ``infected the onboard computers of automobiles Lexus
LX470, LS430, Landcruiser 100 via a cell phone.'' Apparently there are some
communicating systems on board those cars which use Symbian (one of the
mobile-phone OS's) and are bluetooth-enabled, and Kaspersky conjectured that
this could be a infection route. The article, from Donald Melanson, suggests
that it is not clear whether this has actually happened or not. The South
African article, and the other articles besides the IHT mentioned Kaspersky
Labs, so this seems to be the source of the "news".
The IHT commented on a document issued Wednesday by IBM Security
Intelligence, the Security Threats and Attack Trends Report, which said:
Beware viruses that spread to cellphones, hand-held computers, wireless
networks and embedded computers that are increasingly used to run basic
automobile functions
http://www.iht.com/articles/2005/02/09/business/virus.html
Nothing much there.
Ross also told me of a discussion at the Electronic Security in Cars
conference about a (different) major car company which used a T39 mobile
phone with a linux card running Apache for managing over-the-air software
upgrades in some high-end models.
So it seems as if two car companies use GSM communication over OTS
communicators for some on-board systems. Obviously those systems *could* be
infected by viruses targeted to those devices, and someone asked Kaspersky
about it. That it has actually happened is questionable; that it could
happen is not, for those systems, for those cars.
What is there to say about likelihoods? Let me restrict myself to critical
systems (chassis, especially brakes and steering; and engine control). Nav
systems and in-car entertainment are not critical.
First, the critical on-board systems people (chassis systems, engine
systems) build separate systems from others on-board. If they use common
busses, those busses (usually CAN, about to become FlexRay or TTP) are
hard-real-time and the architectures are explicitly designed to inhibit
inter-application interference. The critical systems themselves are
hand-designed, often hand-coded, running on small processors built for
hard-real-time systems use, although they may migrate to special-purpose
OS-based SW in the future. There are many such systems, they are all
different from each other at present, and they are proprietary. You can't
easily get a copy to play with, just as you can't easily get a copy of
Airbus critical-system code to play with. It may be even harder, since the
companies are all in heavy competition with each other for their continued
existence (see below) and they are aware of industrial theft and sabotage
issues.
I don't know of any such system which installs upgrades over standard mobile
phones. There may be some, but the people I deal with on critical systems
are all more or less aware of security issues. Furthermore, at least in
Germany, such systems in the future will have to demonstrate that they have
been developed according to the precepts of the IEC 61508 standard on
functional safety in E/E/PE systems (roughly, systems which use programmable
electronic components). That standard explicitly covers maintenance, and it
does not condone upgrading critical systems using OTS communication channels
vulnerable to known security problems such as malware transmission.
Which doesn't mean that no one is going to try it. But it does suggest that
such an effort would not last long, would end in tears, and would preclude a
repeat.
Why would it end in tears? Well, few people have remarked it so far, but
auto manufacturers are at the sharp end of progress in SW safety and
reliability (components of dependability). A model such as the Ford Focus
sells a million cars a year. Each of those cars can be expected to drive
300-500 hours a year, and the cars themselves are standardly taken to have a
3-5 year service lifetime. So one model-year alone can be expected to
accumulate between 9 x 10exp8 and 2.5 x 10exp9 hours of service. Add to that
that systems for such cars are often built by component manufacturers such
as Bosch, who install that system or closely similar systems in other cars
also, and you are looking at attempting to attain an actual dependability of
the order of one critical failure in 10exp10 hours of service.
In aerospace, taken by many to be the industrial pinnacle of critical
systems engineering, single-point-of-failure critical systems are built to a
nominal standard of one catastrophic failure (loss of the airplane) in
10exp9 operational hours. And that is notional; it is intended to be higher
than the cumulative service life of the entire model fleet. Whereas the
10exp9 to 10exp10 operational hours in automobile electronics is actual.
Now, nobody actually knows how to manufacture SW that is guaranteed to be
that dependable (that is, one may achieve it, but one cannot know or prove
that one has done it). Current limits (through exhaustive testing of the
final product) seem to be about 10exp5 operational hours. That is the
theoretical limit of certainty through practical testing (Bayesian
calculations by Littlewood and Strigini). People are scratching their
heads. Heavily. And occasionally asking me and my colleagues to scratch
ours.
Serious problems are occurring. Each problem will lead to a recall, and I am
told that a minimal cost for a recall (SW upgrade, for example) is EUR 50
per auto (Mike Ellims, Pi Technology, personal communication). Mercedes
recently had to recall 600K autos for a brake-system SW upgrade (a counter
that they thought would not run over between services did, in two instances,
and they had to recall all cars with that SW). We could thereby reckon that
that cost EUR 30 million, or thereabouts. Given that profit margins amongst
those manufacturers that actually do make a real profit are in the low USD
10exp8 region, if that high, a single recall cuts seriously into profit.
(According to the Economist's survey of 4 September 2004, at
http://www.economist.com/surveys/showsurvey.cfm?issue=20040904 which cites a
study by Maxton and Wormald for Goldman Sacks entitled "Time for a Model
Change", there are only only 8 car companies above the curve of
cost-of-capital versus revenue per unit, namely Porsche, Nissan, Honda,
Toyota well above, and Mercedes, BMX, PSA and Hyundai barely making it
over.)
Recalls are not the only cost. There is also the cost of recompensing
the victims of accidents in which system malfunction was a causal factor.
So there is plenty of motivation to make auto critical electronics the most
dependable SW-based systems the world has ever seen. We are a long way from
it, but I don't think we are going to be seeing critical systems upgraded
through gratuitously insecure channels. Except for the exceptions, of
course.
If I were to bet today, I'd bet on the cartoon staying a cartoon.
Peter B. Ladkin, University of Bielefeld, Germany www.rvs.uni-bielefeld.de
------------------------------
Date: Sun, 13 Feb 2005 11:20:16 +0000
From: "Paul E. Bennett" <peb@private>
Subject: Re: More uses of satnav/GPS (Magda, RISKS-23.71)
It seems that some solutions have more "sex appeal" than others and hence
get considered for adoption over and above obviously saner solutions.
In respect of trains, as they run on rails, it should be very easy to use
the trackside equipment and links to the train to determine that the train
is where it should be at that moment in time. It is not as though the
trains will be running off the tracks at any time during its journey (unless
derailed of course in which case it is definitely going to be late).
Paul E. Bennett http://www.amleth.demon.co.uk/ peb@private
Forth based HIDECS Consultancy Mob: +44 (0)7811-639972
------------------------------
Date: Tue, 15 Feb 2005 11:23:55 -0500
From: Monty Solomon <monty@private>
Subject: New copy-proof DVDs on the way? (John Borland)
Macrovision is expected to release a new DVD copy-protection technology
Tuesday in hopes of substantially broadening its role in Hollywood's
antipiracy effort. The content-protection company is pointing to the
failure of the copy-proofing on today's DVDs, which was broken in 1999.
Courts have ordered that DVD-copying tools be taken off the market, but
variations of the software remain widely available online.
[Source: John Borland, news.com, 14 Feb 2005]
http://news.com.com/2100-1026-5576375.html
------------------------------
Date: Sun, 13 Feb 2005 11:29:31 -0500 (EST)
From: Eben King <eben1@private>
Subject: Re: The risk of high-speed CD/DVD-rom drives in PCs (RISKS-23.71)
You quote Drew Dean as saying: "I believe programs such as Exact Audio Copy
(EAC) do slow down the drive, and most CD/DVD burning software can write at
slower speeds, but I'm not aware of any interface to tell an OS to always
slow down reading."
"Nero CD-DVD Speed" makes the maximum speed of the CD/DVD drive lower. I
use it on my DVR to quiet down (and prevent the "spin up - fill up cache -
play from cache - spin down" cycle) to slow down my 52x drive to 8x or so.
[Also noted by David DiGiacomo and by Serguei Patchkovskii (who also
provided a URL
http://www.cdspeed2000.com/go.php3?link=download.html
and advice for Linux users: you already have the needed tool installed.
At the command line, to get 4x CD-ROM speed,
eject -x 4 /dev/cdrom
PGN]
------------------------------
Date: Tue, 15 Feb 2005 12:16:44 -0500 (EST)
From: Jonathan Smith <josmith7@private>
Subject: Re: The risk of high-speed CD/DVD-rom drives in PCs (RISKS-23.71)
I know that for years Plextor CD rom drives have come with a windows taskbar
utility that allows the user to force the drive to run at a lower speed
along with adjusting other settings.
I ended up needing to use this utility on occasion with the then extremely
high-speed 12x CD-Rom drive I owned. CDs built for 1x or 2x drives,
including my copy of Windows 95 would vibrate so much in a 12x drive at full
speed that the computer case would also vibrate and no data could be read.
Forcing the drive down to 4x would fix the problem.
------------------------------
Date: 29 Dec 2004 (LAST-MODIFIED)
From: RISKS-request@private
Subject: Abridged info on RISKS (comp.risks)
The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. Mailman can let you subscribe directly:
http://lists.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman your
FROM: address, send a message to
risks-request@private
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-subscribe@private or risks-unsubscribe@private
depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.
INFO [for unabridged version of RISKS information]
.UK users should contact <Lindsay.Marshall@private>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> The INFO file (submissions, default disclaimers, archive sites,
copyright policy, PRIVACY digests, etc.) is also obtainable from
<http://www.CSL.sri.com/risksinfo.html>
The full info file may appear now and then in future issues. *** All
contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@private with meaningful SUBJECT: line.
*** NOTE: Including the string "notsp" at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks [subdirectory i for earlier volume i]
<http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
<http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
------------------------------
End of RISKS-FORUM Digest 23.72
************************
This archive was generated by hypermail 2.1.3 : Thu Feb 17 2005 - 12:00:30 PST