[RISKS] Risks Digest 24.11

From: RISKS List Owner (risko@private)
Date: Wed Dec 07 2005 - 14:24:01 PST


RISKS-LIST: Risks-Forum Digest  Weds 7 December 2005  Volume 24 : Issue 11

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/24.11.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Hospital operates on wrong patient (Walter F. Roche Jr.)
Mercedes brake test fiasco (Andre Kramer)
Tens of thousands mistakenly put on terrorist watch lists (Anne Broache
  via Richard M. Smith)
Security Flaw Allows Wiretaps to Be Evaded, Study Finds (John Schwartz
  and John Markoff via David Farber)
DHS-Sponsored phishing report (Aaron Emigh)
Poorly designed online interfaces make identity theft simple (Marty Lyons)
School psychologist's student records accidentally posted online
  (Monty Solomon)
Plain-text passwords: as RISKy as you'd think (Steve Summit)
Y2K++ (Jim Horning)
Risks of naive date calculation (Mike Albaugh)
Bye Bye BlackBerry? (Ian Austen via Monty Solomon)
SafetyText (Nick Brown)
Data disasters dog computer users (Amos Shapir)
Online tax credit system closed (Amos Shapir)
Re: Some Fast Lane accounts double-billed (Steve Summit)
Stop speeding using a GPS? (Jeremy Epstein)
Re: In-car GPS navigation (Henry Baker, Derek P Schatz, Ian Chard,
  Jack Christensen)
Re: UK Police Vehicle Movement Database (Identity withheld, mathew)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 2 Dec 2005 9:16:32 PST
From: "Peter G. Neumann" <neumann@private>
Subject: Hospital operates on wrong patient

In 1999, a 47-year-old woman was diagnosed with breast cancer in
Magee-Womens Hospital (part of the U. Pittsburgh Medical Center), and
underwent a mastectomy.  It was later discovered that the hospital lab had
switched biopsy specimens.  Ten cases against the hospital are now pending
in state courts, even though the hospital has passed federal inspections.
Similar lawsuits and complaints name other medical centers.

* In Maryland, a hospital lab sent out hundreds of HIV and hepatitis test
  results despite data showing that the results might be invalid and
  mistakenly lead infected patients to believe they were disease-free. The
  same laboratory had just received a top rating from CAP inspectors.

* In Yakima, Wash., eight emergency room doctors walked off their jobs to
  protest hospital deficiencies they said included lab mistakes, such as
  mixed-up blood samples. CAP had declared the lab "in good standing" the
  year before.

* At the famed Mayo Clinic in Minnesota, an allegedly misdiagnosed gall
  bladder cancer case led to revelations of a close relationship between the
  clinic and CAP. A Mayo pathologist serving on a CAP advisory panel twice
  sought and obtained accreditation renewals despite unacceptable lab
  practices cited by CAP inspectors.

[Source: Walter F. Roche Jr., Lab Mistakes Threaten Credibility, Spur
Lawsuits: Some top medical facilities are scrutinized as errors mount and
oversight is questioned, *Los Angeles Times*, 2 Dec 2005; PGN-ed]
http://www.latimes.com/news/nationworld/nation/la-na-labs2dec02,0,3901421.story?coll=la-home-headlines
  [Thanks to Lauren Weinstein for contributing this article.  PGN]

------------------------------

Date: Thu, 1 Dec 2005 09:59:25 -0000
From: "Andre Kramer" <andre.kramer@private>
Subject: Mercedes brake test fiasco

*The Register* reports that an automotive journalist was fired for rigging a
radar enhanced (assumedly computer controlled) automobile brake system
demonstration. Apparently, the Mercedes engineers (under duress) helped
simulate the demonstration, which could not have worked in an enclosed
space, by manual braking. However, the demo went badly wrong and the article
  http://www.theregister.co.uk/2005/11/29/mercedes_brake_test_fiasco/
correctly identified the risk of false trust in a new system that would have
resulted from the attempted smoke and black mirrors going undetected. [Risks
of lack of feedback from expensive car suspension systems could also be
noted.]

------------------------------

Date: December 6, 2005 10:11:36 PM EST
From: "Richard M. Smith" <rms@private>
Subject: Tens of thousands mistakenly put on terrorist watch lists

http://www.nytimes.com/cnet/CNET_2100-7348_3-5984673.html?pagewanted=print

Tens of thousands mistakenly put on terrorist watch lists
Anne Broache, Staff Writer, CNET News.com
December 6, 2005

Nearly 30,000 airline passengers discovered in the past year
that they were mistakenly placed on federal "terrorist" watch lists, a
transportation security official said Tuesday.

Jim Kennedy, director of the Transportation Security Administration's
redress office, revealed the errors at a quarterly meeting convened here by
the U.S. Department of Homeland Security's Data Privacy and Integrity
Advisory Committee.

Marcia Hofmann, staff counsel at the Electronic Privacy Information Center,
said this appeared to be the first time such a large error has been
admitted. "It was a novel figure to me," Hofmann said. "The figure shows
that many more passengers than we've anticipated have encountered difficulty
at airports. The watch list still has a long way to go before it does what
it's supposed to do."

Kennedy said that travelers have had to ask the TSA to remove their names
from watch lists by submitting a "Passenger Identity Verification Form" and
three notarized identification documents. On average, he said, it takes
officials 45 to 60 days to evaluate the request and make any necessary
changes.

Travelers have been instructed to file the forms only after experiencing
"repeated" travel delays, he said, because additional screening can occur
for multiple reasons, including fitting a certain profile, flying on a
one-way ticket, or being selected randomly by a computer.  ...

EPIC_IDOF@private
https://mailman.epic.org/cgi-bin/mailman/listinfo/epic_idof

------------------------------

Date: Wed, 30 Nov 2005 06:54:22 -0500
From: David Farber <dave@private>
Subject: Security Flaw Allows Wiretaps to Be Evaded, Study Finds [from IP]

The technology used for decades by law enforcement agents to wiretap
telephones has a security flaw that allows the person being wiretapped to
stop the recorder remotely, according to research by computer security
experts who studied the system. It is also possible to falsify the numbers
dialed, they said.  Someone being wiretapped can easily employ these
"devastating countermeasures" with off-the-shelf equipment, said the lead
researcher, Matt Blaze, an associate professor of computer and information
science at the University of Pennsylvania.  "This has implications not only
for the accuracy of the intelligence that can be obtained from these taps,
but also for the acceptability and weight of legal evidence derived from
it," Mr. Blaze and his colleagues wrote in a paper that will be published
today in Security & Privacy, a journal of the Institute of Electrical and
Electronics Engineers.  [...]
[Source: John Schwartz and John Markoff, *The New York Times*, 30 Nov 2005]

------------------------------

Date: Tue, 29 Nov 2005 01:11:02 -0800
From: "Aaron Emigh" <aaron@private>
Subject: DHS-Sponsored phishing report

Online identity theft, a.k.a. "phishing," refers to attacks that exploit a
wide variety of RISKS, using both technology and social engineering, to
illicitly obtain and profit from confidential information.  A new report on
online identity theft, sponsored by the US Department of Homeland Security
and SRI International, provides a holistic treatment of the subject.  The
report discusses technologies used by phishers, breaks down the flow of
information in a phishing attack, identifies chokepoints at which an attack
can be thwarted, and discusses technical countermeasures that can be applied
at each chokepoint.  While technology alone cannot solve the phishing
problem, substantial opportunities to mitigate the losses are identified.

The report is titled "Online Identity Theft: Phishing Technology,
Chokepoints and Countermeasures," and is available at
http://www.anti-phishing.org/Phishing-dhs-report.pdf.

Aaron Emigh, Radix Labs, 415-297-1305

------------------------------

Date: Thu, 17 Nov 2005 13:11:22 -0800
From: Marty Lyons <marty@private>
Subject: Poorly designed online interfaces make identity theft simple

I recently had to renew my membership with the American Automobile
Association (the equivalent to the CAA in Canada, or the RAC in the UK).  In
the past there was no web interface, but AAA has now moved online.  To sign
up for an account, I needed to supply a membership number (printed on your
plastic member card), and my name (also printed on the card), along with an
email address, and a chosen account name.  A few seconds later, I was logged
in, and was able to check my account info, including mailing address, and
type of credit card used for membership.

There was no verification of identity at all during account establishment.
At a minimum, mandating that a user-entered postal code match the AAA
database prior to creating the account would have afforded some protection.

So with a AAA member number and name, someone is well on their way to
identity theft -- the rest of your wallet not required.  Since many places
take AAA cards to provide discounted services (hotels, car repair,
restaurants, movie theatres, etc.) you can imagine the RISK.  I've sent a
letter to the organization letting them know their web registration needs to
be redesigned.

------------------------------

Date: Sat, 3 Dec 2005 13:47:29 -0500
From: Monty Solomon <monty@private>
Subject: School psychologist's student records accidentally posted online

A school psychologist's records detailing students' confidential information
and personal struggles were accidentally posted to the school system's Web
site and were publicly available for at least four months.  A reporter for
*The Salem News* [Mass.] discovered the records last week and alerted school
officials, the newspaper said in a story Friday.  To protect students'
privacy, the newspaper said it withheld publishing the story until the
documents were removed from the Internet, which occurred Wednesday.  [...]
[Source: *The Boston Globe*, 2 Dec 2005; PGN-ed]
http://www.boston.com/news/education/k_12/articles/2005/12/02/school_psychologists_student_records_accidentally_posted_online/

------------------------------

Date: Fri, 18 Nov 2005 12:55:57 -0500
From: Steve Summit <scs@private>
Subject: Plain-text passwords: as RISKy as you'd think

A nice report of an investigation into how many plain-text passwords one can
almost trivially sniff in public-access places like hotels, conference
centers, and open wireless hotspots:

  http://www.infoworld.com/article/05/11/04/45OPsecadvise_1.html

The article also makes the point that although the passwords so sniffed are
often "unimportant" ones, for services such as mere e-mail access or
gambling site logins, people are often known to use their same passwords for
these and for their "secure" systems such as Windows network logins.

I came across this link in Bruce Schneier's excellent "Crypto-Gram"
newsletter at http://www.schneier.com/crypto-gram.html, which I'm sure is
known to many RISKS readers, but which I had neglected to read in a while.
It's worth keeping up with.

------------------------------

Date: Wed, 30 Nov 2005 11:53:33 -0800
From: "Jim Horning" <Jim.Horning@private>
Subject: Y2K++

My employer has outsourced the administration of its 401(k) plan to
TruSource, a division of Union Bank of California, N.A.  This week I
received annual enrollment material from TruSource.  It contains generic
blurbs about 401(k)s and retirement planning, in addition to material
particular to our plan.  Part of the latter is a summary page for each of
the available investment options.  These pages are clearly labeled
"Copyright (c) Standard & Poor's, a division of The McGraw-Hill Companies."

The page for each fund contains a graph of "GROWTH OF $10,000."  I think the
format and content are specified by the SEC, and they are presumably
automatically generated from some kind of database.  For some reason, I
happened to look more closely than usual at one of the charts, and noticed
something odd about the labeling of the year axis, and started inspecting
them all.  Most of them contain dates in the 31st and 41st centuries!

For example, the chart for the Pioneer High Yield Fund "(SINCE 03/31/98)" is
labeled with consecutive years

  4098 3099 2000 1001 4001 4002 2003 1004 4004 3005

Apparently the dates escaped the notice of the humans (if any) at
McGraw-Hill and TruSource who were in the loop in the preparation of these
documents.  It is interesting to speculate what combination of programming
errors would yield this precise sequence of dates.

Jim H.  http://horning.blogspot.com

------------------------------

Date: Wed, 23 Nov 2005 12:48:48 -0700
From: Mike Albaugh <albaugh@private>
Subject: Risks of naive date calculation

 I have in my possession a box of Nyakers (that should be an A-ring, BTW)
"Authentic Swedish Apple Snaps" that is

BEST BEFORE 29 FEB 2006

Lazy Programmer? Faulty date-manipulation library?  Or do the Swedes know
something about the depths to which lawmakers will stoop in calendar
manipulation?

The computer scientist in me wants to know if the comparison to a
(currently) non-existent date should:

 * always fail (Cookies are stale now),
 * always succeed (Cookies will never get stale),
 * throw an exception (Cookies should not exist in this universe)

------------------------------

Date: Sun, 4 Dec 2005 01:45:19 -0500
From: Monty Solomon <monty@private>
Subject: Bye Bye BlackBerry?

A ``long-running patent infringement battle between the maker of BlackBerry,
Research In Motion, and NTP, a tiny patent holding company, might cause a
service shutdown, perhaps within a month. ...  R.I.M., which is based in
Waterloo, Ontario, promises it has a solution that will keep its beloved
BlackBerries humming even in the face of an injunction. While most analysts
view the prospects of a shutdown as unlikely, they have little faith in the
proposed solution, which has potential legal pitfalls of its own. What's
more, the history of the struggle between the companies means that no
outcome is certain.''  [Source: Ian Austen, Bye Bye BlackBerry?, What if
your BlackBerry screen went dark?  *The New York Times*, 3 Dec 3005; PGN-ed]
http://www.nytimes.com/2005/12/03/technology/03blackberry.html?ex=1291266000&en=df205fd24ccb8593&ei=5090

------------------------------

Date: Mon, 28 Nov 2005 17:17:20 +0100
From: Nick Brown <Nick.BROWN@private>
Subject: SafetyText

A new UK-based service called SafetyText (http://www.safetytext.com/)
enables you to send a text message which will be delivered after a certain
delay unless canceled.

The idea seems to be that, before exposing yourself to danger, you send a
text - say, "Help, I'm being attacked by rabid bats" before entering a cave
- and then it will be sent if you don't emerge from the cave in time to
cancel it.

The risks are left as an exercise to the reader, but here are some pointers
to get you started:

- SMS messaging delivery is inherently unreliable, so maybe your "help"
  text won't get through...

- ... or maybe your "cancel" text won't get through.

- Many people receiving such a text, regardless of how it's phrased, will
  tend to assume the worst (despite the "don't panic" instructions on the
  service's Web site) and will send in the emergency services on a possibly
  unnecessary search for someone who just happens to be out of GSM service
  range.

I'm also slightly worried that the same short number used for the SafetyText
service - 63344 - appears in the banner advert above the site's start page,
which at the present time invites me to send the name of Coldplay's lead
singer to win tickets to see them in concert.  I hope they don't launch a
particularly popular game while I'm being attacked by the rabid bats.

------------------------------

Date: Wed, 07 Dec 2005 14:58:20 +0200
From: "Amos Shapir" <amos083@private>
Subject: Data disasters dog computer users

A laptop crammed with dead cockroaches tops a list of data disasters
compiled by computer experts.
  http://news.bbc.co.uk/go/em/-/2/hi/technology/4500482.stm

  [That would be a tough roach to hoe.  PGN]

------------------------------

Date: Mon, 05 Dec 2005 17:12:37 +0200
From: "Amos Shapir" <amos083@private>
Subject: Online tax credit system closed

Organised fraud forces HM Revenue and Customs to stop accepting online
applications for tax credits.  Full story:
  http://news.bbc.co.uk/go/em/-/2/hi/business/4493008.stm

------------------------------

Date: Sun, 04 Dec 2005 14:17:37 -0500
From: Steve Summit <scs@private>
Subject: Re: Some Fast Lane accounts double-billed (Solomon, RISKS 24.09)

Monty Solomon forwarded an item to RISKS 24.09 about a batch of
Massachusetts Turnpike drivers who were doubly charged for their
electronic tolls, due to one day's worth of records being mistakenly
processed twice.

If anyone's keeping a canonical list of "bugs that are way easy to
make and deserve special handling", this scenario clearly belongs.
We've been hearing variations on the same song for decades: it used
to be the phone company accidentally double-running a billing tape
containing the call records from a long-distance switch, but to this day
it can still easily happen any time there are batches of transactions
created by system A and later processed or reconciled on separate system
or subsystem B.  (And I can't personally be at all smug about this: in a
former life I ran a small, simple, homebrew, but high-volume e-commerce
site, and I committed this same mistake once or twice myself.  Fortunately
I was also in a position to synthesize and inject automatic refunds to
the credit card accounts of affected customers, well before most of them
even noticed.)

I'm sure that any organization large enough to address this risk
responsibly has implemented the obvious sorts of double-checks (perhaps
involving explicit batch serial numbers which are logged and checked
by the processing system, in order to reject inadvertent duplicates).
But since the need for such double-checks is all too likely to be
recognized only *after* the double-billing problem has bitten a
particular system at least once, and since new systems having this
vulnerability are continually being written, it's a problem that,
unfortunately, will continue to happen.
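
  [Added example, not part of the message above or of any system it
  mentions: one way to implement the logged-and-checked batch serial number,
  in Python with an in-memory SQLite ledger.  The table names, function
  names, serial format and toll records are assumptions constructed for
  illustration.]

```python
import hashlib
import sqlite3


class DuplicateBatch(Exception):
    """The same batch (same serial, same contents) was already processed."""


class BatchConflict(Exception):
    """A batch serial was reused for different contents."""


def open_ledger():
    """Create the processing system's ledger (system B in the message)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE processed_batches (
            serial TEXT PRIMARY KEY,      -- uniqueness is the duplicate check
            digest TEXT NOT NULL          -- what the batch contained
        );
        CREATE TABLE charges (
            account      TEXT    NOT NULL,
            cents        INTEGER NOT NULL,
            batch_serial TEXT    NOT NULL
        );
    """)
    return db


def batch_digest(records):
    """SHA-256 over the records in order, to tell a re-run from a serial clash."""
    h = hashlib.sha256()
    for account, cents in records:
        h.update(f"{account}|{cents}\n".encode())
    return h.hexdigest()


def apply_batch(db, serial, records):
    """Post every record of a batch exactly once; return the number posted.

    The serial is logged in the SAME transaction as the charges.  Logging it
    separately would either block the retry of a half-failed batch or let a
    crash between the two steps cause the double billing it is meant to stop.
    """
    digest = batch_digest(records)
    try:
        with db:  # commits on success, rolls back everything on an exception
            db.execute("INSERT INTO processed_batches VALUES (?, ?)",
                       (serial, digest))
            db.executemany("INSERT INTO charges VALUES (?, ?, ?)",
                           [(acct, cents, serial) for acct, cents in records])
    except sqlite3.IntegrityError:
        row = db.execute("SELECT digest FROM processed_batches WHERE serial = ?",
                         (serial,)).fetchone()
        if row is None:
            raise  # a bad record, not a duplicate; nothing was committed
        if row[0] == digest:
            raise DuplicateBatch(f"batch {serial} already processed") from None
        raise BatchConflict(f"serial {serial} reused with new contents") from None
    return len(records)


def total_for(db, account):
    """Total billed to one account, in cents."""
    return db.execute("SELECT COALESCE(SUM(cents), 0) FROM charges "
                      "WHERE account = ?", (account,)).fetchone()[0]


if __name__ == "__main__":
    ledger = open_ledger()
    # Constructed sample: one day's toll records produced by system A.
    day = [("acct-1001", 125), ("acct-1002", 300), ("acct-1001", 125)]
    print("posted", apply_batch(ledger, "2005-11-30-A", day))
    try:
        apply_batch(ledger, "2005-11-30-A", day)   # the accidental second run
    except DuplicateBatch as exc:
        print("rejected:", exc)
    print("acct-1001 billed", total_for(ledger, "acct-1001"), "cents")
```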

------------------------------

Date: Sun, 4 Dec 2005 15:06:26 -0500
From: Jeremy Epstein <jeremy.epstein@private>
Subject: Stop speeding using a GPS?

Transport Canada is testing a device that figures out where you are using
GPS, and causes your car to increase the resistance in the gas pedal if you
try to exceed the speed limit.

Bad idea.  I'm not an expert in GPS systems, but I've seen them get
confused, especially when there are nearby parallel roads.  I wouldn't want
it to hold my speed to 25 MPH because it thinks I'm on the dirt road that
runs parallel to a highway.  And if the device changes its mind suddenly,
the results could be catastrophic - I'm pushing hard on the accelerator
because (for whatever reason) I decide to exceed the speed limit, and
suddenly it decides the speed limit has increased - now I'm flooring the car
because it reduces its resistance factor.  Conversely, if I have a normal
pressure on the accelerator, and the speed limit drops, the device might
cause my speed to drop precipitously.  I'm sure there are lots of other
GPS-based risks - what does the device do if it can't find a GPS signal?

Hopefully the designers of the device considered the risks, but the article
doesn't mention any - only the advantages of improved road safety, reduced
fuel usage, etc.

Article at http://www.cnn.com/2005/AUTOS/12/01/canada_gps_speed/index.html
which references a Toronto Globe & Mail article at
http://www.globetechnology.com/servlet/story/RTGAM.20051128.gtsmartcars28/BNPrint/Technology/

------------------------------

Date: Sun, 27 Nov 2005 18:09:42 -0800
From: Henry Baker <hbaker1@private>
Subject: Re: In-car GPS navigation (Scott, RISKS-24.10)

For the last year or so, if you rented a Hertz car with its "Neverlost"
(Magellan) GPS system, you couldn't get out of Boston's Logan Airport -- at
least if you listened to the "Neverlost" system.  It tried to route you onto
a one-way street in the airport itself (the other direction was closed off
due to construction).  Now everyone who has been in Boston in the last
several years knows about the construction at the airport and the Big Dig,
but here's a system that clearly is failing in its primary task!

On the whole, GPS is a very big win, but you do have to take every
"recommendation" it gives you with some level of skepticism.  Within the
canyons of Manhattan, the GPS system often thinks that you are in the middle
of Central park.  Also around NYC (and probably many other places), the GPS
system isn't accurate enough to get you into the correct lane for turning,
which sometimes means that you get off at the wrong exit or get onto the
wrong level of the George Washington Bridge.  The net result is that you end
up in New Jersey instead of Manhattan.

------------------------------

Date: Wed, 23 Nov 2005 11:43:24 -0800
From: "Schatz, Derek P" <Derek.P.Schatz@private>
Subject: Re: In-car GPS navigation (Scott, RISKS-24.10)

Mike Scott appears to be making issue of something that the GPS navigator
companies have already clearly avoided liability for.  Every mapping system
I've ever seen warns that map results may not be completely accurate and
that you need to verify things for yourself.  Those of us who have been
driving for many years have learned the hazards of taking your eyes off the
road to futz with something inside the car (then again, some still haven't).
I don't see a risk with the GPS system here, but rather a risk with the
son's friend's driving abilities.  Besides, it takes London cabbies years to
learn the intricacies of the city's streets (some 400 years of intricacy) --
how could we expect a GPS system to have that same knowledge?

Now, it might be a different situation if the car had an auto-pilot system
relying on that GPS guidance...

------------------------------

Date: Thu, 24 Nov 2005 09:33:21 +0000
From: Ian Chard <ian.chard@private>
Subject: Re: In-car GPS navigation (Scott, RISKS-24.10)

The disclaimers displayed by such systems (including the one I use, Tomtom)
aren't just there to get the manufacturers out of trouble.  One-way systems
change so frequently that there's no reasonable way you could expect a sat
nav device to be completely up-to-date.  I've been asked to drive through
buildings, across fields and against traffic restrictions, but as the driver
I have ultimate control and therefore ultimate responsibility.

To misquote the age-old schoolboy admonition, "if a sat nav system told you
to jump off a cliff, would you do it?" :)

Ian Chard, Unix & Network Administrator, Systems and Electronic Resources
Service Oxford University Library Services 80587 / (01865) 280587

------------------------------

Date: Sat, 26 Nov 2005 17:18:48 -0500
From: "Jack Christensen" <j.christensen@private>
Subject: Re: In-car GPS navigation (Scott, RISKS-24.10)

I had a friend whose vehicle had a built-in GPS navigation and map system.
When you started the vehicle, the first thing on the screen was a disclaimer
(which, if I recall correctly, had a fair amount of similarity to that of
the Garmin unit.)  The unit would not go into operational mode until you
touched a button on the screen to "acknowledge" the disclaimer.

At first, I laughed at this, but upon thinking about it a little more, I
wasn't so surprised.  I am not a lawyer, so I don't know the actual legal
worth of this approach, or how it might fare in court.

Jack Christensen, Grand Blanc, MI, USA  j.christensen@private

------------------------------

Date: Sun, 20 Nov 2005 9:42:58 PST
From: Identity withheld by request
Subject: Re: UK Police Vehicle Movement Database (RISKS-24.09)

The vehicle isn't flagged when the "tax" (Vehicle Excise Licence) is
renewed, so this is a misunderstanding of how the system works.  The "VEL
expired" marker is only added, retrospectively, some time after the renewal
falls due, and only if it isn't relicensed as expected.  So there is a
delay before such a marker is removed following relicensing, but from the
foregoing readers can see that a vehicle with an unbroken relicensing
history is therefore never added to the database.

> He then had to spend 5 mins filling in a form as this had to be regarded
> as an official "stop" event...

Yes, the real value of this is highly questionable (he's fast, if he
completed the form in only 5 minutes), and as one stop form has to be
completed for each member of a group, you might want to ask your MP if it's
a good use of police time to spend up to an hour standing in the street
filling in the forms if, say, an officer checks a group of half-a-dozen
youths who are the subject of a complaint by a local resident...  But that's
the reality for officers, and it has been imposed to fulfill a political
agenda irrespective of the actual financial cost, the opportunity costs, or
the inconvenience to those being spoken to (who, of course, don't actually
need to give their details - but the forms still have to be filled in...).

------------------------------

Date: Sun, 4 Dec 2005 12:44:29 -0600
From: mathew <meta@private>
Subject: Re: UK Police Vehicle Movement Database

 > Hence technology + Automation + DVLA = 5 mins wasted police time

It could be worse. In Massachusetts, cities charge you excise tax each year
if you own a vehicle.

When you register a vehicle with the Massachusetts Registry of Motor
Vehicles (RMV), they inform the city you live in that you have a vehicle and
should pay tax.

When you de-register a vehicle--e.g. move to another state, sell the
vehicle, return your license plates, and so on--the RMV doesn't bother to
inform the city you were in of the new information.

Hence when I bought a car and left Massachusetts permanently, almost a year
later I got a completely incorrect tax bill which had been sent to the wrong
address. (This was the first I had heard about excise tax, in fact.) MA
expected me to pay the incorrect bill and then argue with them to get the
money back, or else pay extra non-payment fees. What's more, because they
had sent the bill to the wrong address, it had taken so long to arrive I was
already subject to non-payment fees.

I can only imagine that this brokenness is deliberate because it monetarily
favors the state.

------------------------------

Date: 2 Oct 2005 (LAST-MODIFIED)
From: RISKS-request@private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.   The mailman web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman your
 FROM: address, send a message to
   risks-request@private
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe@private or risks-unsubscribe@private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall@private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks@private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks [subdirectory i for earlier volume i]
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing

------------------------------

End of RISKS-FORUM Digest 24.11
************************


