RISKS-LIST: Risks-Forum Digest Wednesday 29 June 2005 Volume 23 : Issue 92
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/23.92.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
Single Point of Failure paralyzes Swiss Railsystem for 3 hours
(Debora Weber-Wulff, Anthony Thorn)
The continuing saga of the German unemployment scheme Hartz IV
(Debora Weber-Wulff)
New Heathrow Connect Trains - Now Can't Even Connect! (S Byers)
Flaw Is Found in Software Used to Accredit Hospitals (Milt Freudenheim
via Monty Solomon)
Robot runs riot at California hospital (Thom Kuhn)
Frozen Windows in Delivery Room (Charles Palmer)
Re: New Zealand Outage Shut Down Stock Exchange (Russell Smiley)
One Week to Shattered Security: Lessons from the Sony PSP Exploit
(Lauren Weinstein)
Encryption Illegal in Minnesota (James R. Cottrell Jr.)
U.K. firm boasts totally "hacker proof" ID card system (Ben Tudor via
Declan McCullagh) <declan@private>
CVS limits ExtraCare info access (Marion Davis via Monty Solomon)
Yahoo Filters Phish (B Brown)
Re: "Rumplestiltskin worm" on the loose? (Crispin Cowan)
Breach tracking (Adam Shostack)
REVIEW: "Spies Among Us", Ira Winkler (Rob Slade)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Thu, 23 Jun 2005 20:56:34 +0200
From: Debora Weber-Wulff <D.Weber-Wulff@fhtw-berlin.de>
Subject: Single Point of Failure paralyzes Swiss Railsystem for 3 hours
On 22 Jun 2005 at 5.08pm, a power short occurred between Amsted (Canton Uri)
and Rotkreuz (Canton Zug, which in German means "train") on the Swiss train
line. The SBB (Schweizerischen Bundesbahnen) operated their own power
lines, and this short circuit caused a sharp drop in voltage, which quickly
spread throughout the ENTIRE country of Switzerland.
Trains were stalled in the middle of nowhere, with no air conditioning in
the heat of the summer. Some train doors could not be opened. More than
200,000 passengers were affected. It took about two hours to get everyone
out of the trains. SBB used busses to transport stranded passengers and
diesel locomotives to drag trains to the nearest station.
It took two more hours before enough power was restored in order for the
trains to begin moving. But the efficient Swiss worked all night moving
trains so that everything moved rather smoothly the next day.
There were allegedly no computers involved, but the single point of failure
was a vivid illustration of many RISKS concepts, not the least of which is:
don't throw out those diesel locomotives yet!
Debora Weber-Wulff, FHTW Berlin, FB 4, Intern.Medieninf. Treskowallee 8,
10313 Berlin +49-30-5019-2320 http://www.f4.fhtw-berlin.de/people/weberwu/
------------------------------
Date: Thu, 23 Jun 2005 09:54:23 +0200
From: Anthony Thorn <anthony.thorn@private>
Subject: Single Point of Failure paralyzes Swiss Railsystem for 3 hours
[...] My concern --and arguably the risk-- is the impact of such an
incident on passenger trains in the new Gotthard "base"-tunnel which will
open in 2011. This will be 57 Km (35 miles) long and run at depths up to
2000 meters (7000 feet) which means that the tunnel temperature will exceed
45 C. (113 F). If a train is stopped in the tunnel a very rapid response
would be required to avoid a catastrophe.
------------------------------
Date: Sat, 25 Jun 2005 13:16:22 +0200
From: Debora Weber-Wulff <D.Weber-Wulff@fhtw-berlin.de>
Subject: The continuing saga of the German unemployment scheme Hartz IV
In our previous installments (RISKS-23.53 and 23.60), we heard about
problems with the new German combined unemployment and social fee scheme.
Because of so much public unrest about the scheme, the parliament decided to
pass new rules permitting people to earn a little bit more money each month
before the entitlement is cut off. Just a small program change, one would
think, and with time until 1 Oct 2005 it should be no problem.
The *Berliner Zeitung* reported on 25 Jun that the program change will not
be finished until early 2006. The new rules are too complicated for the
software authors, T-Systems, it seems:
* Everyone can earn 100 Euros a month additionally without penalty.
* If you earn up to 800 Euros you can keep 20%.
* If you earn more, you get to keep 10% of what you earn above that, until
your earnings reach the point where you no longer get the social fee.
About 700.000 people are affected, the administrative workers will have to
do the calculations by hand until the software is finished - meaning they
have no time to advise people on strategies for finding work.
Maybe I am being naive, but how difficult is it to set up a new table
"Earnings" with (Pnr, date, earnings) and fixing the method
"calculate_entitlement" to consult this table. There needs to be a screen
for entering in the data and recording who entered it in when.
This takes a large company > 6 months to fix?
http://www.berlinonline.de/berliner-zeitung/politik/460429.html
------------------------------
Date: 23 Jun 2005 03:56:57 -0700
From: "SB" <s_byers666@private>
Subject: New Heathrow Connect Trains - Now Can't Even Connect!
The new trains whilst widely advertised as 'Heathrow Connect' (in the local
press, on the HC website, etc.) have now stopped connecting to Heathrow
altogether!! Passengers are now being advised to detrain at Hayes &
Harlington - the local stop before - and catch a 140 bus to the
Airport. This only costs an additional 1.20 (pounds) rather than the 6
(pounds) - but entails negotiating a steep flight of steps - not easy with
heavy luggage and no station staff to help.
The reason for this curtailment is a signal fault - apparently when the
trains reach Heathrow the signalling system there wont change aspect to
let them back out again!!
Also the Heathrow Connect trains use the two local slow tracks in order to
stop at local stations. The other two tracks (there are four in total) are
for high-speed Intercity services. In order to swing off the local tracks
into/out of the Airport Branch the Connect Trains have to cross over the
Intercity tracks. This means stopping all other trains to allow them to do
so. This is playing havoc with the timekeeping for all of the other services
using this very busy route.
The Risks:
* Didn't the planners realise the operational (and safety) problems of
local trains crossing Intercity tracks every 30 minutes and thereby
holding up high speed (100 mph) trains?
* For a multi-million pound prestige project shouldn't there have been
something called 'UAT' (user acceptance testing)?
* Actually shouldn't there have been something called 'testing' prior to
launching such a high profile service?
* The other problem is the young staff checking tickets whilst ensuring that
bona-fide passengers have paid, are starting to get bullied by the local
feral youths who on the late evening trains are damned if they are going to
pay whatever.
* Meanwhile the many computerised on-board inane announcements are beginning
to grate for regular passengers and are still frequently wrong - and they
can't even be changed to omit 'Heathrow' from the current list of
destinations.
------------------------------
Date: Sat, 25 Jun 2005 02:29:17 -0400
From: Monty Solomon <monty@private>
Subject: Flaw Is Found in Software Used to Accredit Hospitals
Joint Commission Resources, a unit of the Joint Commission on Accreditation
of Healthcare Organizations that enforces quality standards for hospitals
found a flaw in software that it had sold to more than 1,000 hospitals that
helps qualify for accreditation and payments from Medicare. The problem was
a missing identification marker that alerts a hospital to the 250 standards
among the 1,300 that the commission and its auditors regard as essential.
[Source: Milt Freudenheim, *The New York Times*, 24 Jun 2005; PGN-ed]
http://www.nytimes.com/2005/06/24/technology/24glitch.html?ex=1277265600&en=ad248571c0f51b3d&ei=5090
------------------------------
Date: Sat, 25 Jun 2005 11:47:22 -0400
From: "Thom Kuhn" <tkuhn@private>
Subject: Robot runs riot at California hospital
Staff and patients at San Francisco's UCSF Medical Center were left fearful
and shaken last week, when a robotic nurse threw off its shackles and went
on the rampage.
http://www.theregister.co.uk/2005/06/15/psycho_robot/
Thomson Kuhn, American College of Physicians
------------------------------
Date: Thu, 23 Jun 2005 23:10:10 -0400
From: Charles Palmer <ccpalmer@private>
Subject: Frozen Windows in Delivery Room
As my dear laboring spouse was rolled into the O.R. to deliver twin boys
last month, all of the machines in the room were happily humming along,
including several displaying a far too familiar screensaver. Oone of the
attending physicians ordered "a quick ultrasound" to ensure things were
indeed as they should be. The nurse turned to one of the machines with
little windows flitting about on the screen. Just as she moved the mouse to
wake up the machine, the flitting stopped and the machine was no more. All
fifteen people in the room, including the soon-to-be mommy of plummeting
patience, then waited for the nurse to power-cycle the machine and await its
resurrection.
While this turned out not to be a life and death situation, it very well
could have been, especially with a multiple birth. In addition to checking
the background of physicians, do we now have to check what software they're
running???
PS: the twins Bennet and Bryan, while premature, are gonna be ok over time.
Charles C. Palmer, IBM Research
------------------------------
Date: Wed, 22 Jun 2005 15:03:11 -0400
From: "Russell Smiley" <smiley@private>
Subject: Re: New Zealand Outage Shut Down Stock Exchange
*The New Zealand Herald* 20 Jun 2005 had this explanation for the
telecommunications failure noted in RISKS-23.91:
A fibre "ring" exists between Auckland and Wellington running up the east
and west sides of the North Island. In theory at least if one cable fails
the other can continue at reduced capacity. Apparently in this case they
lost both cables - one to a contractor digging and the other possibly to a
rodent. http://www.nzherald.co.nz/index.cfm?c_id=1&ObjectID=10331826
------------------------------
Date: Wed, 22 Jun 2005 08:39:44 -0700
From: Lauren Weinstein <lauren@private>
Subject: One Week to Shattered Security: Lessons from the Sony PSP Exploit
Greetings. It only took around a week for the exploit to evolve from
unwieldy but powerful hack, to user-friendly production program, but the
"signed-code" security system of the Sony PSP Portable running 1.5 firmware,
designed to prevent the execution of pirated or other "unofficial"
(e.g. homebrew) code, appears to have been obliterated.
I note in:
"The Camel Fully Enters the Tent?":
( http://www.eepi.org/archives/eepi-discuss/msg00109.html )
that only about seven days after the release on the Internet of an exploit
permitting running of unsigned code via an "impractical for routine use"
memory-stick swapping technique, rumors were already circulating that a
program eliminating the stick swap was about to be released.
This appeared on schedule this morning, meaning that for all practical
purposes the widely available U.S. version of the Sony PSP with 1.5 firmware
is now as fully exploitable as the original limited-quantity Japanese-market
1.0 firmware units.
As mentioned in the referenced link above, Sony will attempt to minimize the
damage from these events. But any path they choose is strewn with potential
pitfalls. Newer firmware versions in shipped units may prove to be more
difficult or impossible to hack through non-hardware-invasive techniques.
But forcing firmware upgrades with new game releases may have the effect of
actually suppressing purchases of legitimate copies of games, and encourage
the use of pirated copies that won't trigger the firmware updates and the
likely loss of the ability to run unofficial, homebrew programs.
In an ever more pervasively Internet-connected world, it appears
increasingly likely that any error -- any opening -- in the implementation
of a security system for a "desirable target" will be quickly exploited and
that exploit widely distributed -- and probably much more rapidly than the
designers of the system would imagine in their worst nightmares. This is a
security vulnerability "sea change" that we really haven't come to grips
with either as technologists or as businesses, and it goes far beyond the
running of programs on a portable gaming device.
There's a key question that we need to explore. Given this new environment,
to what extent do "closed" systems still make sense? The answers will vary
between applications and situations, but it clearly is foolhardy in the
extreme to simply assume that security paradigms, even those based on the
most advanced encryption and signature models, will long remain invulnerable
to successful attacks. These penetrations will range from those initiated
by persons who are simply intellectually curious without evil or financial
motivations, to individuals who may have very dark intentions indeed.
Something to think about.
Lauren Weinstein, +1 (818) 225-2800 http://www.pfir.org/lauren
Co-Founder, PFIR People For Internet Responsibility http://www.pfir.org
Co-Founder, EEPI Electronic Entertainment Policy Initiative http://www.eepi.org
Moderator, PRIVACY Forum - http://www.vortex.com
Lauren's Blog: http://lauren.vortex.com DayThink: http://daythink.vortex.com
------------------------------
Date: Wed, 22 Jun 2005 13:03:47 -0400
From: "James R. Cottrell Jr." <jxc@private>
Subject: Encryption Illegal in Minnesota
Well the state of Minnesota had better start renting rooms in the prisons of
other states, since the Minnesota State Web site supports encryption. About
the third URL I tried after accessing the web site showed a secure URL.
https://www.officesupplyconnection.org/statemn/catalog.srv
Unless they have set up these computers in a different state or country that
allows the use of encryption! If that is the case, maybe the FBI would like
to get involved since they would have crossed state lines to avoid
prosecution.
------------------------------
Date: Wed, 29 Jun 2005 01:10:26 -0400
From: Declan McCullagh <declan@private>
Subject: U.K. firm boasts totally "hacker proof" ID card system [Politech]
[O UK ID? O U KID! Who U KIDding? PGN]
-------- Original Message --------
Date: Tue, 28 Jun 2005 20:05:49 +0100
From: Ben Tudor <Ben_Tudor@private>
Subject: Oh dear - Don't worry about UK ID card insecurity - here's a
totally 'hacker proof' system
This press release makes an IT journo's job look rather like shooting fin
tuna in a barrel. Using cluster bombs. There's so many holes in the
argument presented in this press release that I almost don't know where to
start. Now that I know a company has been working on 'hush-hush software',
of course, all my concerns about national ID cards have simply sloughed
away. Cheers, Ben
Ben Tudor, Features Editor, Computer Reseller News ben_tudor@private
http://crn.vnunet.com
Subject: Biometric ID Card breakthrough
PRESS RELEASE, June 29th 2005
Further information: 02476 236644
Press Office: John Fisher - 01785 840978
M: 07808 171 664
John.g.fisher@private
jfisher@private
http://www.senselect.com
Biometric Innovation Breakthrough answers UK ID Card Security Fears
A biometric identity card system that is hacker and thief-proof and puts
the missing privacy and security into the UK ID project - has been unveiled
today (Wednesday).
The British inventors of the BiometricPIN system say the system can be used
in the new UK ID cards, overcoming all security fears and objections and
putting control on the use of biometrics in the hands of the user. Instead
of using a single, easily lifted or stolen fingerprint, BiometricPIN will
allow any sequence of finger prints determined by the user. No one has been
able to achieve this so far and the implications will be global as spin-off
projects emerge.
The sequence creates a digital pattern that can only be recreated by the
user. When it is stored on a Government or central database it simply
becomes an unidentifiable "blob" that cannot be stolen.
Behind the world-first breakthrough is West Midlands biometric company,
Senselect Limited, which has been working on the hush-hush software-based
system for five years. John Topping, Managing Director of Senselect, said
BiometricPIN would have implications for everyday life across the world,
but the company has concentrated so far on the ID card security problem and
the "big brother" fears it instills in people.
"This is totally secure, fast and "hacker-proof", said Mr Topping. "The
sequence simply cannot be replicated by anyone other than by the user. It
also allows the user to determine just how much information others can see
about them. A doctor, for example, could be restricted to medical history
whilst a bartender will only get confirmation that the customer is over
18."
With BiometricPIN there will be no "big brother", said John Topping and
identities stored on Government databases are safe from theft. With single
finger biometrics everyone has a right to be scared because, while you can
change a pin number if you are compromised, fingerprints are for life.
Biometrics using single fingerprints as an identifier have been used for
some years, and despite them being capable of being "lifted", their use has
grown. Their use in government ID cards - even with the backup of iris and
facial biometrics - is considered a step backwards by many.
"With BiometricPIN there would be total security as the pattern decided on
uniquely by the user cannot be lifted from a single finger reader or hacked
from a database", said John Topping. "BiometricPIN produces a unique
biometric print that just cannot be copied. It also needs live fingers."
Mr Topping said BiometricPIN would solve a huge worldwide problem. Anyone
concerned that their ID could be copied can rest assured that this will
allay all their fears. Protecting peoples ID is already written into our
law but with BiometricPIN it will be in the hands of the user. Senselect
says BiometricPIN, because it is software-based, can be used in conjunction
with all existing technology, along with iris and facial biometric systems.
The company says it already has several European governments interested in
implementing BiometricPIN and Senselect has produced a set of security
standards for cross border biometric identification. This is now being
considered by the European Union for adoption.
Added John Topping: "We believe we have solved a huge problem for the world
and are ready to share our knowledge. This is the biggest breakthrough in
computer technology for many years and will have a huge impact on everyday
commerce as further applications for BiometricPIN emerge".
Senselect Limited, Coventry University Technology Park, The Innovation Centre
Puma Way, Coventry, UK, CV1 2TT http://www.senselect.com
For further information, please reply to john.g.fisher@private
------------------------------
Date: Wed, 29 Jun 2005 03:49:02 -0400
From: Monty Solomon <monty@private>
Subject: CVS limits ExtraCare info access (Marion Davis)
Marion Davis, pbn, 22 Jun 2005
The CVS Corp. has cut off Web access to ExtraCare card holders' detailed
purchase information after a consumer group showed reporters how easily an
intruder could log into the system and find out, say, how many condoms or
enema kits someone's bought. CVS has issued about 50 million of the loyalty
cards, which allow the drugstore chain to track each customer's purchases
and, in exchange, provide a 2-percent rebate on those purchases, along with
customized coupons. To log into your account on CVS.com, all you need is
the card number, your ZIP code, and the first three letters of your surname.
Even now, anyone with that information can easily find out the card holder's
home address, phone number, and total purchases each quarter. But until
last week, the Web site also allowed customers to request a detailed
purchase report to be e-mailed to them - to any address they put in. ...
http://www.pbn.com/contentmgr/showdetails.php/id/115431
------------------------------
Date: Wed, 29 Jun 2005 10:43:29 -0400
From: bbrown@private
Subject: Yahoo Filters Phish
I take phishing scams a little more seriously than other spam, and often
spend a few minutes directing complaints to the right places. A phishing
e-mail this week used a link in a domain registered using Yahoo's domain
registration. Pinging the domain name revealed an IP number that ARIN says
is Yahoo's. So, I sent off a copy of the message with full headers
etc. etc. to abuse@private It was rejected by Yahoo's spam filter
because, so the bounce said, it was a phishing e-mail. Well, duhhh!
Undeterred, I send another message to abuse@private, explaining that I had
received a phish that pointed to one of their machines and provided the URL
of a page that imitates an on-line payment service. It got an auto-response
that told me I needed to send the full message, including headers.
Double-duhhh!
No doubt Yahoo will be shocked, *shocked*! when a TV station or law
enforcement agency reveals that Yahoo's Web hosting service is being
employed to run scams, just as they were when a television station reported
last week that their user-created chat rooms were being used to attempt to
lure children into having sex with adults.
------------------------------
Date: Sat, 25 Jun 2005 10:09:51 -0700
From: Crispin Cowan <crispin@private>
Subject: Re: "Rumplestiltskin worm" on the loose? (Adams, RISKS-23.89)
> I'm sorry, but the Internet is not your private playground. If you have a
> spam problem, deal with it or buy your own intranet. Such "idealism" is
> what lets people use the Internet to communicate. <freedom argument
> continues>
This is so deeply wrong that I feel I must rebut.
Bandwidth-based DoS attacks are fundamentally impossible to stop. If an
attacker can compromise even a trivial fraction of the Internet, and then
command those nodes to all flood your site with traffic, then your site
collapses under the load, and no legitimate traffic can reach you because
your connection is full. There is nothing to be done except track down the
attacking nodes and have them shut down until they are cleaned up. This is
an extortion attack that is in widespread use now, particularly against
sites that have time sensitivity, such as gambling sites that hope to take
bets on some big game: pay up, or we DoS you into the ground during your
critical period.
Widely enforced Internet hygiene of some form would go a long way towards
stopping this kind of attack. At some point in the future, this DoS attack
is going to become so pervasive that there *will* be Internet hygiene rules
imposed. Get used to it.
Personally, I hope that it comes sooner than later. That would mean that it
is at least an industry self-imposed practice, rather than a government
requirement.
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
CTO, Immunix, a Novell Company http://immunix.com
------------------------------
Date: Fri, 24 Jun 2005 17:05:05 -0400
From: Adam Shostack <adam@private>
Subject: Breach tracking
Since many of the entries in RISKS have been on security breaches, I'd like
to draw your attention to my weblog: http://www.emergentchaos.com
I've been cataloging breaches, and the fairly extensive (albeit not
complete) is at http://www.emergentchaos.com/archives/cat_breaches.html
------------------------------
Date: Wed, 22 Jun 2005 08:24:57 -0800
From: Rob Slade <rslade@private>
Subject: REVIEW: "Spies Among Us", Ira Winkler
BKSPAMUS.RVW 20050531
"Spies Among Us", Ira Winkler, 2005, 0-7645-8468-5,
U$27.50/C$38.99/UK#16.99
%A Ira Winkler www.irawinkler.com
%C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
%D 2005
%G 0-7645-8468-5
%I John Wiley & Sons, Inc.
%O U$27.50/C$38.99/UK#16.99 416-236-4433 fax: 416-236-4448
%O http://www.amazon.com/exec/obidos/ASIN/0764584685/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0764584685/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0764584685/robsladesin03-20
%O Audience n+ Tech 1 Writing 3 (see revfaq.htm for explanation)
%P 326 p.
%T "Spies Among Us"
In the introduction, Winkler admits that the title is slightly misleading:
most surveillance is not done by international spies, but by common or
garden thieves, competitors, and so forth. The point that he is trying to
make is that non-terrorists can hurt you, although he raises the issue with
illustrations that are not completely clear.
Part one deals with espionage concepts. Chapter one reviews spying
terminology, but makes points about the process by explaining the jargon and
distinctions. Risk analysis is introduced in chapter two, but the
calculations used may not be clear to all readers. An attempt to assess the
value of information is made in chapter three. Chapter four outlines
threats (entities that might harm you) and five covers vulnerabilities--the
way your own operations can make you subject to attack.
Part two describes some case studies of spying. The content is interesting,
although the value is rather concentrated in the short "vulnerabilities
exploited" section at the end of each chapter. I must say that I've read
all manner of similar stories and case studies in various security books,
and Winkler's are more interesting than most.
Part three deals with protection. Chapter twelve lists a number of
countermeasures. These are described in a level of detail that is
appropriate for non-specialists (in security), although the content related
to technical safety might be a bit thin. How to plan and implement an
overall security program is outlined in chapter thirteen, which includes a
very interesting section on how the Department of Homeland Security has
taught us valuable lessons about how *not* to execute safeguards.
While not structured in a formal manner that would make for easier
reference, this book nonetheless has some excellent content. Like
Schneier's "Beyond Fear" (cf. BKBYNDFR.RVW), it is easy enough, and engaging
enough, for those outside of the security profession to read. Busy managers
may find the work a bit wordy and disorganized, but it makes useful points,
and has constructive suggestions. Home users and amateurs will find the
style most suited to them, although the recommended controls are aimed at
businesses. Security professionals will not (or should not) find anything
new here, but may appreciate the "war stories" and explanations that can be
employed in security awareness training.
copyright Robert M. Slade, 2005 BKSPAMUS.RVW 20050531
rslade@private slade@private rslade@private
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
------------------------------
Date: 29 Dec 2004 (LAST-MODIFIED)
From: RISKS-request@private
Subject: Abridged info on RISKS (comp.risks)
The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. Mailman can let you subscribe directly:
http://lists.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman your
FROM: address, send a message to
risks-request@private
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-subscribe@private or risks-unsubscribe@private
depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.
INFO [for unabridged version of RISKS information]
.UK users should contact <Lindsay.Marshall@private>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> The INFO file (submissions, default disclaimers, archive sites,
copyright policy, PRIVACY digests, etc.) is also obtainable from
<http://www.CSL.sri.com/risksinfo.html>
The full info file may appear now and then in future issues. *** All
contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@private with meaningful SUBJECT: line.
*** NOTE: Including the string "notsp" at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks [subdirectory i for earlier volume i]
<http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
<http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
------------------------------
End of RISKS-FORUM Digest 23.92
************************
This archive was generated by hypermail 2.1.3 : Wed Jun 29 2005 - 12:15:27 PDT