[RISKS] Risks Digest 24.19

From: RISKS List Owner (risko@private)
Date: Fri Mar 10 2006 - 13:46:17 PST


RISKS-LIST: Risks-Forum Digest  Friday 10 March 2006  Volume 24 : Issue 19

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/24.19.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Technical Problems Cause Errors in SAT Test Scores (Karen W. Arenson via PGN)
Officials Say Scoring Errors for SAT Were Understated (Karen W. Arenson via
  Monty Solomon)
Watered-Down SAT Scores! (Chuck Weinstock)
Complexity causes 50% of product returns (PGN)
Onboard Emissions Chip Major Malfunction (Colin Brayton)
Excel garbles microarray experiment data (Mark Liberman)
Citibank Blocks Some Debit-Card Use Abroad (Monty Solomon)
Government surplus sale yields personal data (Karl Klashinsky)
Australian National Credit Union Limits Internet Passwords (evant)
More stupid high-tech legislation in NJ (Walter Dnes, Tanner Andrews,
  Rex Black)
Re: On learning from accidents (Martyn Thomas, Jerome Ravetz, Perry Bowker,
  Richard Karpinski)
Insecure APC BioPod (Gabe Goldberg)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 8 Mar 2006 15:30:27 PST
From: "Peter G. Neumann" <neumann@private>
Subject: "Technical Problems Cause Errors in SAT Test Scores"

On the order of 4000 students taking the October 2005 Scholastic Aptitude
Tests (SATs) received scores lower than they should have been, due to
unexplained "technical problems".  Some scores on the reasoning section were
as much as 100 points too low (out of 800).  This may be unfortunate for
those students, considering that the final acceptances and rejections are
being decided before the affected universities have been notified.  Similar
scanning problems were noted in an earlier SAT chemistry test, although on a
smaller scale.  [Source: Karen W. Arenson, *The New York Times*, 8 Mar 2006,
National Edition A16; PGN-ed]
http://www.nytimes.com/2006/03/08/education/08sat.html

------------------------------

Date: Thu, 9 Mar 2006 10:17:18 -0500
From: Monty Solomon <monty@private>
Subject: Officials Say Scoring Errors for SAT Were Understated

A day after the College Board notified colleges that it had misreported the
scores of 4,000 students who took the SAT exam in October, an official of
the testing organization disclosed that some of the errors were far larger
than initially suggested.  ...  Chiara Coletti, the College Board's vice
president for public affairs, said that 16 students out of the 495,000 who
took the October exam had scores that should have been more than 200 points
higher.  "There were no changes at all that were more than 400 points."
[Source: Karen W. Arenson, *The New York Times*, 9 Mar 2006]
http://www.nytimes.com/2006/03/09/education/09sat.html?ex=1299560400&en=ada0b50e98bcfb5f&ei=5090

------------------------------

Date: Fri, 10 Mar 2006 09:12:11 -0500
From: Chuck Weinstock <weinstock@private>
Subject: Watered-Down SAT Scores!

Pearson Educational Measurement suggests that wet weather may have caused
the 4000 affected test results, blaming abnormally high moisture for
expanding the paper so that it could not be read properly at a scanning
center in Austin TX.  The test on 8 Oct 2005 coincided with the beginning of
heavy rains in the Northeast, from where most of those tests came.  (As much
as 10 inches fell on New Jersey.)  [Source: AP item on 10 Mar 2006.]

------------------------------

Date: Thu, 9 Mar 2006 14:23:39 PST
From: "Peter G. Neumann" <neumann@private>
Subject: Complexity causes 50% of product returns

Perhaps relevant to Don Norman's research on human interfaces, Elke den
Ouden's thesis at the Technical University of Eindhoven concluded that half
of all supposedly malfunctioning products returned to stores were in reality
in full working order, but just too complex to be operated successfully.
She also noted that the average U.S. consumer will spend a maximum of about
20 minutes trying to get a newly acquired electronics device to work before
giving up.
  http://abcnews.go.com/Technology/wireStory?id=1693288

------------------------------

Date: Wed, 8 Mar 2006 15:21:05 -0500
From: "Colin Brayton" <cbrayton@private>
Subject: Onboard Emissions Chip Major Malfunction

Drivers in Missouri discovered that the onboard chips that monitored their
auto emissions could fail, causing certification failure, and could then
be an unbelievable bother to reset:

Alter got a "drive cycle," or a step-by-step recipe to reset the car's
computer by driving 10 minutes or more at 50 to 65 mph, then coasting down
to 15 mph without hitting the brakes until the car reaches 20 mph. Then he
had to stop and let the car idle for 50 seconds or more before taking the
car back up to highway speeds, then gradually slowing until the car came to
a stop.

Nothing. The car still was rejected. Nine times in all.

"It was like, well, what do I do now?" he said. "I am driving around, doing
this, putting (a couple hundred) miles on it. So is it inconvenient? Yeah.
A big inconvenience. The amount of gas I wasted. And my time."

Finally, he discovered a shop whose repair technician drove his car while
monitoring its readiness codes with a mobile computer. Once the codes reset,
the technician took the car for a test.

The cost: $120 for two hours of the technician's time.  Illinois test
officials say they see the problem in about 1 percent to 2 percent of all
on-board diagnostic tests.

Sources: *St. Louis Dispatch*, 25 Feb 2006
<http://www.stltoday.com/stltoday/news/stories.nsf/stlouiscitycount=y/story/C1B49084DF769D42862571200022E77F?OpenDocument>
New Market Machines <http://blogalization.nu/marketmachines/?p=1495> (my blog)

------------------------------

Date: Fri, 10 Mar 2006 8:31:32 PST
From: "Peter G. Neumann" <neumann@private>
Subject: Excel garbles microarray experiment data

  [TNX to Fernando Pereira for putting me on to this one.]

http://itre.cis.upenn.edu/~myl/languagelog/
http://itre.cis.upenn.edu/~myl/languagelog/archives/002912.html

The December 1 DWIM effect [The Cupertino effect, 9 Mar 09, 2006]

The damage done by well-intentioned (mis)features of MS Office is not
limited to occasional dadafication of EU bureaucratese
<http://itre.cis.upenn.edu/%7Emyl/languagelog/archives/002911.html>.
According to Barry R Zeeberg, Joseph Riss, David W Kane, Kimberly J Bussey,
Edward Uchio, W Marston Linehan, J Carl Barrett and John N Weinstein,
"Mistaken Identifiers: Gene name errors can be introduced inadvertently when
using Excel in bioinformatics
<http://www.biomedcentral.com/1471-2105/5/80>", BMC Bioinformatics 2004,
5:80:

  When we were beta-testing [two new bioinformatics programs] on microarray
  data, a frustrating problem occurred repeatedly: Some gene names kept
  bouncing back as "unknown." A little detective work revealed the reason:
  ... A default date conversion feature in Excel ... was altering gene names
  that it considered to look like dates.  For example, the tumor suppressor
  DEC1 [Deleted in Esophageal Cancer 1] was being converted to '1-DEC.'
  Figure 1 lists 30 gene names that suffer an analogous fate.

A worse problem apparently afflicts information from microarray
experiments:

  There is another default conversion problem for RIKEN clone identifiers
  of the form nnnnnnnEnn, where n denotes a digit. These
  identifiers are comprised of the serial number of the plate that contains
  the library, information on plate status, and the address of the clone. A
  search ... identified more than 2,000 such identifiers out of a total set
  of 60,770. For example, the RIKEN identifier "2310009E13" was converted
  irreversibly to the floating-point number "2.31E+13." A non-expert user
  might well fail to notice that approximately 3% of the identifiers on a
  microarray with tens of thousands of genes had been converted to an
  incorrect form, yet the potential for 2,000 identifiers to be
  transmogrified without notice is a considerable concern. Most important,
  these conversions to an internal date representation or floating-point
  number format are irreversible; the original gene name cannot be
  recovered.

RIKEN <http://www.jarvislab.net/Genomics.html> microarrays are
systematically affected, but other microarray results are apparently
often garbled as well:

  The floating-point conversion is not restricted to RIKEN clone identifiers
  but will affect any clone designation derived from plate
  coordinates. ... [If plate library references are omitted or numerical],
  all clones from row E of any plate are converted to floating point numbers
  by Excel. ... Since 96-well plates contain 8 rows and 12 columns, row E
  represents 12/96 or 12.5% of the clones on the plate; similarly, 6.25% of
  clones from 384-well plates would be affected. Most libraries contain
  hundreds of plates, each of which would be subject to this problem.

If some computer virus or trojan did this sort of damage to the results
of thousands of high-cost biomedical experiments, I imagine that we'd
see a serious effort to put some people in jail. I'm not suggesting that
any similar sort of retribution is appropriate here, but perhaps some
rehabilitation would be in order, along the lines suggested below.

There's an acronym from the old days of classic AI, DWIM, standing for
"Do What I Mean". The Jargon File explains
<http://www.catb.org/%7Eesr/jargon/html/D/DWIM.html>:

  Warren Teitelman originally wrote DWIM to fix his typos and spelling
  errors, so it was somewhat idiosyncratic to his style, and would often
  make hash of anyone else's typos if they were stylistically
  different. Some victims of DWIM thus claimed that the acronym stood for
  "Damn Warren's Infernal Machine!".

  In one notorious incident, Warren added a DWIM feature to the command
  interpreter used at Xerox PARC. One day another hacker there typed delete
  *$ to free up some disk space. (The editor there named backup files by
  appending $ to the original file name, so he was trying to delete any
  backup files left over from old editing sessions.) It happened that there
  weren't any editor backup files, so DWIM helpfully reported *$ not found,
  assuming you meant 'delete *'. It then started to delete all the files on
  the disk! The hacker managed to stop it with a Vulcan nerve pinch after
  only a half dozen or so files were lost.

  The disgruntled victim later said he had been sorely tempted to go to
  Warren's office, tie Warren down in his chair in front of his workstation,
  and then type delete *$ twice.  DWIM is often suggested in jest as a
  desired feature for a complex program; it is also occasionally described
  as the single instruction the ideal computer would have. Back when proofs
  of program correctness were in vogue, there were also jokes about DWIMC
  (Do What I Mean, Correctly).

It seems to me that all interactive programs should have a prominently
displayed switch labeled something like DEWITYD, "Do Exactly What I Tell
You, Damnit!" (pronounced as "de-witted"). No doubt the results will be
wrong (or even disastrous) at least as often as the results of DWIM will be;
but at least you'll know exactly who to blame.

Posted by Mark Liberman at March 9, 2006 05:51 PM

  [I always enjoyed seeing Warren's license plate (DWIM) now and then while
  driving.  However, based on experience with InterLisp, many wags suggested
  that the correct acronym should have been DWWTYM -- Do What Warren Thinks
  You Mean.  PGN]
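
Added example (not part of the original digest item or of the cited paper):
a pre-import check in Python that flags identifiers which automatic
spreadsheet conversion is likely to alter, using the two cases quoted above
(DEC1 and 2310009E13), and that recomputes the row-E fractions for 96- and
384-well plates.  The patterns are heuristics and the three-significant-digit
display is an assumption, not Excel's actual rules; the function names, the
plate number and the sample list are constructed for illustration.

```python
import re
import string
from collections import defaultdict

# Heuristic patterns (assumptions for this example, not Excel's real parser).
_MONTHS = ("JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|SEPT|OCT|NOV|DEC|"
           "JANUARY|FEBRUARY|MARCH|APRIL|JUNE|JULY|AUGUST|SEPTEMBER|"
           "OCTOBER|NOVEMBER|DECEMBER")
# A month name or abbreviation followed by one or two digits, e.g. DEC1.
_DATE_LIKE = re.compile(rf"^(?:{_MONTHS})-?\d{{1,2}}$", re.IGNORECASE)
# Digits, the letter E, digits: reads as scientific notation, e.g. 2310009E13.
_FLOAT_LIKE = re.compile(r"^\d+E\d+$", re.IGNORECASE)


def classify(identifier):
    """Return 'date', 'float' or None for a single identifier."""
    s = identifier.strip()
    if _DATE_LIKE.match(s):
        return "date"
    if _FLOAT_LIKE.match(s):
        return "float"
    return None


def scan(identifiers):
    """Map every at-risk identifier to the kind of conversion it risks."""
    flagged = {}
    for ident in identifiers:
        risk = classify(ident)
        if risk is not None:
            flagged[ident] = risk
    return flagged


def display_collisions(identifiers):
    """Group float-like identifiers that become indistinguishable once shown
    with three significant digits (assumed display precision)."""
    groups = defaultdict(set)
    for ident in identifiers:
        if classify(ident) == "float":
            groups[format(float(ident), ".2E")].add(ident)
    return {shown: sorted(ids) for shown, ids in groups.items() if len(ids) > 1}


def plate_fraction(rows, cols, plate="12"):
    """Fraction of well-derived clone names (numeric plate + row letter +
    column) that are float-like; only row E produces such names."""
    names = [f"{plate}{row}{col:02d}"
             for row in string.ascii_uppercase[:rows]
             for col in range(1, cols + 1)]
    at_risk = sum(1 for name in names if classify(name) == "float")
    return at_risk / len(names)


# Sample list assembled for this example: DEC1 and 2310009E13 come from the
# quoted text; 2310010E13 is a constructed neighbour of the latter.
SAMPLE = ["DEC1", "TP53", "2310009E13", "2310010E13", "SEPT2", "BRCA1"]

if __name__ == "__main__":
    for ident, risk in scan(SAMPLE).items():
        print(f"{ident}: would be read as a {risk}")
    for shown, ids in display_collisions(SAMPLE).items():
        print(f"{', '.join(ids)} all display as {shown}")
    print(f"96-well plate:  {plate_fraction(8, 12):.2%} of clone names at risk")
    print(f"384-well plate: {plate_fraction(16, 24):.2%} of clone names at risk")
```

Running such a check over the identifier column before the file is ever
opened in a spreadsheet shows which cells need to be imported as text.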

------------------------------

Date: Wed, 8 Mar 2006 12:40:13 -0500
From: Monty Solomon <monty@private>
Subject: Citibank Blocks Some Debit-Card Use Abroad

Citibank said it has blocked the use of some of its PIN-based debit cards after
detecting fraudulent cash withdrawals in Britain, Canada and Russia.  PINs
were apparently obtained from "a third-party business' information breach"
in the U.S. last year.  [Source: Eileen Alt Powell, AP Online, 8 Mar 2006;
PGN-ed]

  http://finance.lycos.com/home/news/story.asp?story=56481434

[Apparently the PINs are archived, perhaps even unencrypted?  PGN]
  http://www.msnbc.msn.com/id/11731365/

------------------------------

Date: Tue, 07 Mar 2006 11:03:09 -0800
From: Karl Klashinsky <klash@private>
Subject: Government surplus sale yields personal data

Health and immigration records sold at B.C. auction
(news item from the Canadian Broadcasting Corp)

Several investigations have begun after computer tapes containing health
and immigration records for thousands of people in British Columbia were
sold at a public auction for $101.
http://www.cbc.ca/story/canada/national/2006/03/06/bc-government-tapes060306.html

The records contained information on sexual abuse, HIV status, and mental
health, as well as other information that was obviously quite confidential
in nature.

The fact that old backup tapes were sold off is probably not too surprising
to RISKS readers.  What is interesting is that this is not the first time,
and, according to the article, "the government brought in rules that should
have ensured that all information was removed from surplus computer
equipment before it was sold."

------------------------------

Date: Wed,  8 Mar 2006 16:00:16 +1100
From: evant@private
Subject: Australian National Credit Union Limits Internet Passwords

A step backwards for customers of Australian National Credit Union
(www.friendlybanking.com.au) where from 21 Mar 2006 all users of the credit
union's Internet banking will be limited to choosing passwords of six
characters, consisting only of the numbers 0-9. They have previously had the
ability to choose alpha-numeric passwords of varying length.

The credit union's website claims that the changes are for enhanced security
(http://www.friendlybanking.com.au/Pages/view_news.asp?news_id=1999):

  Important Internet Banking Password Changes

  As of 21st March 2006, passwords for Internet Banking will be
  changing. This will apply to all passwords and second passwords (where
  applicable).  Your Internet Banking password will now be known as your Web
  Access Code (WAC).

  Web Access Codes (WAC) must now be six (6) digits long and only contain
  numbers (0 - 9), but no spaces. Make sure it is difficult for others to
  guess and does not contain your date of birth, member number and repeated
  digits.

  Please do not change your WAC until you are prompted to on or after the
  21st March 2006. This will save you having to re enter a new WAC.

  These changes are being made in preparation for an improved site later in
  the year with added functionality such as Bpay view, Secure mail, Setting
  up regular payments, Submit a request for a new Term Deposit, Added
  security features.

After I enquired about this apparent backward step, the credit union's
response claimed this was required for the implementation of two-factor
authentication, amongst other security enhancements.  Two-factor
authentication might be great for those who use it, but those that don't
will be left with the limited password options.

I thought the RISKS were obvious, but perhaps not to the credit union's
security team.

------------------------------

Date: Tue, 7 Mar 2006 23:38:35 -0500
From: "Walter Dnes" <waltdnes@private>
Subject: More stupid high-tech legislation in NJ (RISKS-24.19)

High-tech-howlers are nothing new for New Jersey legislators.  See
http://catless.ncl.ac.uk/Risks/12.09.html#subj5 back in 1991.  That was
about a bill that would require all "software engineers" to be licenced, for
a *VERY WIDE* definition of "software engineer".  The initial draft would've
required every secretary who created a Word or Excel macro to be licenced as
an engineer.

Walter Dnes <waltdnes@private> In linux /sbin/init is Job #1

------------------------------

Date: Mon, 6 Mar 2006 23:03:08 -0500 (EST)
From: tanner andrews <tanner@private>
Subject: Re: NJ Bill Would Prohibit Anonymous Posts on Forums (RISKS-24.19)

Too much important opinion, including that leading to the founding of the
country, was published anonymously to permit the government to ban anonymous
opinion.  Even unto this day, anonymous pamphleteering is an honorable
activity at the core of the First Amendment.

The main difference between Mrs. McIntyre's pamphlets and the fora to be
regulated is that a reader could use the pamphlet to create litter.  The
Internet provides no similar opportunity because one is not handed a
physical object.

I would expect that such a statute, were it to be enacted, would be quickly
challenged and almost as quickly overturned.  See _McIntyre v. Ohio
Elections Comm'n_, 514 U.S. 334 (1995).  Nor is the question of littering
dispositive.  See _Schneider v. NJ_, 308 U.S. 147 (1939) [@156, Milwaukee;
@157, Worcester].

Obviously I am not a lawyer and you would talk to one before challenging or
violating any statute.

------------------------------

Date: Mon, 06 Mar 2006 22:45:37 -0600
From: Rex Black <rexblack@private>
Subject: Re: NJ Bill Would Prohibit Anonymous Posts on Forums (RISKS-24.18)

On the other hand, having had a few "hit job" reviews of my book,
*Managing the Testing Process*, posted at Amazon.com by anonymous reviewers,
it seems that allowing people to slam other people--who may well be
competitors--in a public forum without disclosing their identities and
therefore their interests poses some risks not just to the people who are
slammed, but also to the readers who may unquestioningly accept the critique
while unaware of the motivations and interests behind the critique.

Rex Black, CTO, Pure Testing, Pvt Ltd; President, American Software Testing
Qualifications Board; President, International Software Testing
Qualifications Board; 31520 Beck Road, Bulverde, TX 78163 +1 (830) 438-4830 
www.rexblackconsulting.com

------------------------------

Date: Tue, 7 Mar 2006 09:48:48 -0000
From: "Martyn Thomas" <martyn@thomas-associates.co.uk>
Subject: Re: On learning from accidents (Kirakowski, RISKS-24.18)

When was the last time you saw a safety case where the claimed probabilities
of failure had error bounds?

When was the last time you saw a sound argument justifying these error
bounds? I never have.

Has anyone on the list *written* such a safety case?

------------------------------

Date: Tue, 7 Mar 2006 14:07:05 +0000
From: Jerome Ravetz <jerome-ravetz@private>
Subject: Re: On learning from accidents (Norman, RISKS-24.17)

Up to now the most obvious harm done by pseudo-precision may well be in the
'accidents' of badly designed systems.  It could also be that the failure to
control the mass of meaningless output from computer programs ('GIGO
science') is a consequence of our dogmatic faith in numbers.  My education
in pseudo-precision began when I realised that students being taught the
Systeme Internationale as promoted in England in 1970 were forced to lie.
At that time, the S.I. prefixes were rigorously cascaded in thousands; the
deci- and centi- were banned.  So students doing exercises in 'the metric
system' were required to quote measurements of length to the nearest
millimetre, even when the object was a rough concrete pillar.  Like Hamish
Marson I knew some old-fashioned physical scientists who taught their
students about the management of uncertainty; but the breed was dying out
even then.

Reflecting on all this I eventually wrote (with my colleague Silvio
Funtowicz) 'Uncertainty and Quality in Science for Policy'.  In this we
developed the 'NUSAP' notational scheme, whose categories are Numeral, Unit,
Spread, Assessment and Pedigree.  The principle behind NUSAP has had some
success; the Dutch Environment Agency has a 'Guidance' for assessing
uncertainty in scientific information which is becoming a standard.  But
even there I find inadequate attention to the task of matching precision to
accuracy.  And for the situations when very uncertain quantities are
involved (as in much policy-related information) I find hardly any concern
at all.

Are there RISKS readers interested in developing this?

Jerry Ravetz, 111 Victoria Road, Oxford OX2 7QG,  +44 [0]1865 512247
Mobile   0790 535 2788  Website:  www.jerryravetz.co.uk
Visiting Fellow, the James Martin Institute for Science and
Civilization, Business School, Oxford University.

Files of my recent papers, available for downloading, can be found on the
website www.nusap.net; on the Home Page see Tutorials - Post-Normal Science
and NUSAP, and Sections - Reports, papers.

------------------------------

Date: Thu, 09 Mar 2006 10:27:35 -0500
From: Perry Bowker <pbowker@private>
Subject: Re: On learning from accidents (Norman, RISKS-24.17)

The discussion of error tolerances reminded me of a time, many years ago,
when I was an undergrad physics student. We were, of course, drilled
endlessly by professors and post-grad assistants about the vital need to
include error bars in experimental results. One day, my lab partner and I
were running some experiment (I think it was to explore a Wheatstone bridge)
built out of ancient wires, resistances, and meters.  The hopelessly antique
equipment inspired my partner to record some result as "4.1487892 +/- .002%"
in his lab book. When the experiment was marked, the instructor wrote "I
don't see how you could have achieved such precision", to which my partner
wittily wrote back: "You should not be critical of extra work, voluntarily
done."

------------------------------

Date: Mon, 6 Mar 2006 21:16:46 -0800
From:  <dick@private>
Subject: Re: On learning from accidents (Marson, RISKS-24.18)

Relevant experience? (gotta understand)

Hamish Marson asks, How many people who write software actually have
relevant experience in the real world for things they're doing?

In my view, relevant experience is not near enough to do the job right.
Usually when a task is to be done using a computer, the designers and coders
must understand the task BETTER than most real world experts do.  Otherwise
it doesn't work and nobody is happy. Furthermore, there are many other ways
to fail, as well. Some of them are profitable anyway.

------------------------------

Date: Wed, 08 Mar 2006 22:06:21 -0500
From: Gabe Goldberg <gabe@private>
Subject: Insecure APC BioPod

APC (American Power Conversion) http://apc.com/ sells a BioPod
http://apc.com/products/family/index.cfm?id=246&ISOCountryCode=ww
described as "Biometric Security: A Simple and Secure Way to Remember Passwords".

Text is "As security concerns continue to grow, so do the number of
passwords.  The Biometric Password Manager provide users a convenient and
secure way to manage and access multiple security phrases and codes.  This
product biometrically identifies users and gives them convenient access to
password protected applications and web sites."

When you install the software, it uses your Windows password for securing
all your login/password pairs. That's of course bad because you might want
more or layered security on your logins. What's worse is that if you have no
Windows password the software silently accepts null as password. That is,
not only do you not need a password to open the password vault stored on the
BioPod, no warning is given that a password might be a good idea to secure
the goodies.

After getting over my astonishment at that behavior I called APC tech
support but couldn't convince them that there was a problem. The dialogue
below shows my repeated failed attempts to convince the Web folk that a
problem exists.

==================================

  Me: Biopod has huge security flaw, compromises the device's integrity.
  I've reported this to your support people but see no action taken.

  APC: Thank you for contacting APC's email support on 01/31/2006 06:27
  PM. I would be happy to assist you.

  I apologize for the inconvenience. I am unaware of any security flaw with
  the BioPod. If you would like to describe the details of the suspected
  please feel free to send them to me. Officially the BioPod is not
  advertised as a security device, but a password manager, so it is not
  designed to increase the security of your computer, but provide a safe way
  to manage and store your passwords.

  Me: Installing the BioPod software on a Windows PC that is not password
  protected makes the BioPod password blank. That is, when the password
  challenge is issued simply clicking OK without using a fingerprint AND
  WITHOUT ENTERING A PASSWORD logs in to the BioPod password vault.

  That's not my idea of a useful password manager.

  APC: The OmniPass software and BioPod can be setup for use with a Windows
  password or without a Windows password. If you don't have a Windows
  password and setup a "Windows" user you will be able to log into the
  password vault without a password because you don't have a Windows
  password. If you don't want to setup a Windows password simply setup a
  non-Windows user in OmniPass by following the directions in the attached
  document.

  Me: You're entirely missing my point. NO WARNING IS GIVEN THAT THE BIOPOD
  HAS BEEN SET UP WITH NO PASSWORD. THIS IS A PROFOUND SECURITY EXPOSURE
  SINCE IT GIVES THE ILLUSION OF PROTECTION WHERE THERE IS NONE.  Do you
  think the BioPod is performing correctly and that it's documented
  correctly and fully? If so, we have nothing further to discuss -- but I'm
  astonished at APC's (lack of) response to this problem.

  APC: I understand your point, however if you choose to setup a BioPod user
  using your Windows password as the master password and your Windows
  Password is blank, the BioPod would clearly not have a secure Master
  Password. It is for this reason if you do not have a Windows password it
  is recommended you choose the option to setup a separate Master
  Password not based on the Windows password. Or you could opt to add
  security to your computer system by adding a Windows password.

  Me: This is your last chance. I reinstalled the software to review the
  installation dialogue. If no Windows password is set NO WARNING IS GIVEN
  THAT THE DEVICE IS NOT SECURE. You're correct that the user can set a
  Windows password for the specific purpose of having it inherited by the
  BioPod, and then remove the Windows password. But doesn't this seem a bit
  cumbersome to you? And aren't users unlikely to do it WITHOUT SPECIFIC
  INSTRUCTIONS?

  Having the BioPod only take the Windows password, being unable to set a
  specific unique password for the BioPod, is very bad design. Your
  unwillingness to acknowledge that users MAY NOT REALIZE THAT THEIR BIOPOD
  is insecure is baffling.

  So my next communication will be with your public relations people and
  some mailing lists that publicize security risks such as this. They'll of
  course see how many times I tried to convince you that there's a problem
  here.

  APC: When the BioPod and OmniPass software are used properly they provide
  a secure way to manage your passwords. For more information about the
  operation of the software please contact Softex Inc, the designer of the
  software at www.softexinc.com support@private

Gabriel Goldberg, Computers and Publishing, Inc., 3401 Silver Maple Place,
Falls Church, VA 22042 <http://www.cpcug.org/user/gabe> (703) 204-0433

------------------------------

Date: 2 Oct 2005 (LAST-MODIFIED)
From: RISKS-request@private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.   The mailman web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman your
 FROM: address, send a message to
   risks-request@private
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe@private or risks-unsubscribe@private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall@private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks@private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks [subdirectory i for earlier volume i]
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing

------------------------------

End of RISKS-FORUM Digest 24.19
************************


