RISKS-LIST: Risks-Forum Digest  Friday 10 March 2006  Volume 24 : Issue 19

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/24.19.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Technical Problems Cause Errors in SAT Test Scores (Karen W. Arenson via PGN)
Officials Say Scoring Errors for SAT Were Understated (Karen W. Arenson via
  Monty Solomon)
Watered-Down SAT Scores! (Chuck Weinstock)
Complexity causes 50% of product returns (PGN)
Onboard Emissions Chip Major Malfunction (Colin Brayton)
Excel garbles microarray experiment data (Mark Liberman)
Citibank Blocks Some Debit-Card Use Abroad (Monty Solomon)
Government surplus sale yields personal data (Karl Klashinsky)
Australian National Credit Union Limits Internet Passwords (evant)
More stupid high-tech legislation in NJ (Walter Dnes, Tanner Andrews,
  Rex Black)
Re: On learning from accidents (Martyn Thomas, Jerome Ravetz, Perry Bowker,
  Richard Karpinski)
Insecure APC BioPod (Gabe Goldberg)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 8 Mar 2006 15:30:27 PST
From: "Peter G. Neumann" <neumann@private>
Subject: "Technical Problems Cause Errors in SAT Test Scores"

On the order of 4000 students taking the October 2005 Scholastic Aptitude
Tests (SATs) received scores lower than they should have been, due to
unexplained "technical problems". Some scores on the reasoning section were
as much as 100 points too low (out of 800). This may be unfortunate for those
students, considering that the final acceptances and rejections are being
decided before the affected universities have been notified.
Similar scanning problems were noted in an earlier SAT chemistry test,
although on a smaller scale. [Source: Karen W. Arenson, *The New York Times*,
8 Mar 2006, National Edition A16; PGN-ed]
  http://www.nytimes.com/2006/03/08/education/08sat.html

------------------------------

Date: Thu, 9 Mar 2006 10:17:18 -0500
From: Monty Solomon <monty@private>
Subject: Officials Say Scoring Errors for SAT Were Understated

A day after the College Board notified colleges that it had misreported the
scores of 4,000 students who took the SAT exam in October, an official of the
testing organization disclosed that some of the errors were far larger than
initially suggested. ... Chiara Coletti, the College Board's vice president
for public affairs, said that 16 students out of the 495,000 who took the
October exam had scores that should have been more than 200 points higher.
"There were no changes at all that were more than 400 points."
[Source: Karen W. Arenson, *The New York Times*, 9 Mar 2006]
  http://www.nytimes.com/2006/03/09/education/09sat.html?ex=1299560400&en=ada0b50e98bcfb5f&ei=5090

------------------------------

Date: Fri, 10 Mar 2006 09:12:11 -0500
From: Chuck Weinstock <weinstock@private>
Subject: Watered-Down SAT Scores!

Pearson Educational Measurement suggests that wet weather may have caused the
4000 affected test results, blaming abnormally high moisture for expanding
the paper so that it could not be read properly at a scanning center in
Austin TX. The test on 8 Oct 2005 coincided with the beginning of heavy rains
in the Northeast, from where most of those tests came. (As much as 10 inches
fell on New Jersey.) [Source: AP item on 10 Mar 2006.]

------------------------------

Date: Thu, 9 Mar 2006 14:23:39 PST
From: "Peter G. Neumann" <neumann@private>
Subject: Complexity causes 50% of product returns

Perhaps relevant to Don Norman's research on human interfaces, Elke den
Ouden's thesis at the Technical University of Eindhoven concluded that half
of all supposedly malfunctioning products returned to stores were in reality
in full working order, but just too complex to be operated successfully. She
also noted that the average U.S. consumer will spend a maximum of about 20
minutes trying to get a newly acquired electronics device to work before
giving up.
  http://abcnews.go.com/Technology/wireStory?id=1693288

------------------------------

Date: Wed, 8 Mar 2006 15:21:05 -0500
From: "Colin Brayton" <cbrayton@private>
Subject: Onboard Emissions Chip Major Malfunction

Drivers in Missouri discovered that the onboard chips that monitored their
auto emissions could fail, causing certification failure, and could then be
an unbelievable bother to reset:

  Alter got a "drive cycle," or a step-by-step recipe to reset the car's
  computer by driving 10 minutes or more at 50 to 65 mph, then coasting down
  to 15 mph without hitting the brakes until the car reaches 20 mph. Then he
  had to stop and let the car idle for 50 seconds or more before taking the
  car back up to highway speeds, then gradually slowing until the car came to
  a stop.

  Nothing. The car still was rejected. Nine times in all.

  "It was like, well, what do I do now?" he said. "I am driving around, doing
  this, putting (a couple hundred) miles on it. So is it inconvenient? Yeah.
  A big inconvenience. The amount of gas I wasted. And my time."

  Finally, he discovered a shop whose repair technician drove his car while
  monitoring its readiness codes with a mobile computer. Once the codes
  reset, the technician took the car for a test. The cost: $120 for two hours
  of the technician's time.

  Illinois test officials say they see the problem in about 1 percent to
  2 percent of all on-board diagnostic tests.

Sources: *St. Louis Dispatch*, 25 Feb 2006
  <http://www.stltoday.com/stltoday/news/stories.nsf/stlouiscitycount=y/story/C1B49084DF769D42862571200022E77F?OpenDocument>
New Market Machines <http://blogalization.nu/marketmachines/?p=1495> (my blog)

------------------------------

Date: Fri, 10 Mar 2006 8:31:32 PST
From: "Peter G. Neumann" <neumann@private>
Subject: Excel garbles microarray experiment data

  [TNX to Fernando Pereira for putting me on to this one.]

http://itre.cis.upenn.edu/~myl/languagelog/
http://itre.cis.upenn.edu/~myl/languagelog/archives/002912.html

The December 1 DWIM effect
[The Cupertino effect, 9 Mar 09, 2006]

The damage done by well-intentioned (mis)features of MS Office is not limited
to occasional dadafication of EU bureaucratese
<http://itre.cis.upenn.edu/%7Emyl/languagelog/archives/002911.html>.
According to Barry R Zeeberg, Joseph Riss, David W Kane, Kimberly J Bussey,
Edward Uchio, W Marston Linehan, J Carl Barrett and John N Weinstein,
"Mistaken Identifiers: Gene name errors can be introduced inadvertently when
using Excel in bioinformatics <http://www.biomedcentral.com/1471-2105/5/80>",
BMC Bioinformatics 2004, 5:80:

  When we were beta-testing [two new bioinformatics programs] on microarray
  data, a frustrating problem occurred repeatedly: Some gene names kept
  bouncing back as "unknown." A little detective work revealed the reason:
  ... A default date conversion feature in Excel ... was altering gene names
  that it considered to look like dates. For example, the tumor suppressor
  DEC1 [Deleted in Esophageal Cancer 1] was being converted to '1-DEC.'
  Figure 1 lists 30 gene names that suffer an analogous fate.

A worse problem apparently afflicts information from microarray experiments:

  There is another default conversion problem for RIKEN clone identifiers of
  the form nnnnnnnEnn, where n denotes a digit.
  These identifiers are comprised of the serial number of the plate that
  contains the library, information on plate status, and the address of the
  clone. A search ... identified more than 2,000 such identifiers out of a
  total set of 60,770. For example, the RIKEN identifier "2310009E13" was
  converted irreversibly to the floating-point number "2.31E+13." A
  non-expert user might well fail to notice that approximately 3% of the
  identifiers on a microarray with tens of thousands of genes had been
  converted to an incorrect form, yet the potential for 2,000 identifiers to
  be transmogrified without notice is a considerable concern. Most important,
  these conversions to an internal date representation or floating-point
  number format are irreversible; the original gene name cannot be recovered.

RIKEN <http://www.jarvislab.net/Genomics.html> microarrays are systematically
affected, but other microarray results are apparently often garbled as well:

  The floating-point conversion is not restricted to RIKEN clone identifiers
  but will affect any clone designation derived from plate coordinates. ...
  [If plate library references are omitted or numerical], all clones from row
  E of any plate are converted to floating point numbers by Excel. ... Since
  96-well plates contain 8 rows and 12 columns, row E represents 12/96 or
  12.5% of the clones on the plate; similarly, 6.25% of clones from 384-well
  plates would be affected. Most libraries contain hundreds of plates, each
  of which would be subject to this problem.

If some computer virus or trojan did this sort of damage to the results of
thousands of high-cost biomedical experiments, I imagine that we'd see a
serious effort to put some people in jail. I'm not suggesting that any
similar sort of retribution is appropriate here, but perhaps some
rehabilitation would be in order, along the lines suggested below.

There's an acronym from the old days of classic AI, DWIM, standing for "Do
What I Mean".
The Jargon File explains
<http://www.catb.org/%7Eesr/jargon/html/D/DWIM.html>:

  Warren Teitelman originally wrote DWIM to fix his typos and spelling
  errors, so it was somewhat idiosyncratic to his style, and would often make
  hash of anyone else's typos if they were stylistically different. Some
  victims of DWIM thus claimed that the acronym stood for "Damn Warren's
  Infernal Machine!".

  In one notorious incident, Warren added a DWIM feature to the command
  interpreter used at Xerox PARC. One day another hacker there typed
  delete *$ to free up some disk space. (The editor there named backup files
  by appending $ to the original file name, so he was trying to delete any
  backup files left over from old editing sessions.) It happened that there
  weren't any editor backup files, so DWIM helpfully reported *$ not found,
  assuming you meant 'delete *'. It then started to delete all the files on
  the disk! The hacker managed to stop it with a Vulcan nerve pinch after
  only a half dozen or so files were lost.

  The disgruntled victim later said he had been sorely tempted to go to
  Warren's office, tie Warren down in his chair in front of his workstation,
  and then type delete *$ twice.

  DWIM is often suggested in jest as a desired feature for a complex program;
  it is also occasionally described as the single instruction the ideal
  computer would have. Back when proofs of program correctness were in vogue,
  there were also jokes about DWIMC (Do What I Mean, Correctly).

It seems to me that all interactive programs should have a prominently
displayed switch labeled something like DEWITYD, "Do Exactly What I Tell You,
Damnit!" (pronounced as "de-witted"). No doubt the results will be wrong (or
even disastrous) at least as often as the results of DWIM will be; but at
least you'll know exactly who to blame.

Posted by Mark Liberman at March 9, 2006 05:51 PM

  [I always enjoyed seeing Warren's license plate (DWIM) now and then while
  driving.
  However, based on experience with InterLisp, many wags suggested that the
  correct acronym should have been DWWTYM -- Do What Warren Thinks You Mean.
  PGN]

------------------------------

Date: Wed, 8 Mar 2006 12:40:13 -0500
From: Monty Solomon <monty@private>
Subject: Citibank Blocks Some Debit-Card Use Abroad

Citibank said it has blocked the use of some of its PIN-based debit cards
after detecting fraudulent cash withdrawals in Britain, Canada and Russia.
PINs were apparently obtained from "a third-party business' information
breach" in the U.S. last year. [Source: Eileen Alt Powell, AP Online,
8 Mar 2006; PGN-ed]
  http://finance.lycos.com/home/news/story.asp?story=56481434

  [Apparently the PINs are archived, perhaps even unencrypted? PGN]
  http://www.msnbc.msn.com/id/11731365/

------------------------------

Date: Tue, 07 Mar 2006 11:03:09 -0800
From: Karl Klashinsky <klash@private>
Subject: Government surplus sale yields personal data

Health and immigration records sold at B.C. auction
(news item from the Canadian Broadcasting Corp)

Several investigations have begun after computer tapes containing health and
immigration records for thousands of people in British Columbia were sold at
a public auction for $101.
  http://www.cbc.ca/story/canada/national/2006/03/06/bc-government-tapes060306.html

The records contained information on sexual abuse, HIV status, and mental
health, as well as other information that was obviously quite confidential in
nature.

The fact that old backup tapes were sold off is probably not too surprising
to RISKS readers. What is interesting is that this is not the first time,
and, according to the article, "the government brought in rules that should
have ensured that all information was removed from surplus computer equipment
before it was sold."

------------------------------

Date: Wed, 8 Mar 2006 16:00:16 +1100
From: evant@private
Subject: Australian National Credit Union Limits Internet Passwords

A step backwards for customers of Australian National Credit Union
(www.friendlybanking.com.au) where from 21 Mar 2006 all users of the credit
union's Internet banking will be limited to choosing passwords of six
characters, consisting only of the numbers 0-9. They have previously had the
ability to choose alpha-numeric passwords of varying length.

The credit union's website claims that the changes are for enhanced security
(http://www.friendlybanking.com.au/Pages/view_news.asp?news_id=1999):

  Important Internet Banking Password Changes

  As of 21st March 2006, passwords for Internet Banking will be changing.
  This will apply to all passwords and second passwords (where applicable).
  Your Internet Banking password will now be known as your Web Access Code
  (WAC). Web Access Codes (WAC) must now be six (6) digits long and only
  contain numbers (0 - 9), but no spaces. Make sure it is difficult for
  others to guess and does not contain your date of birth, member number and
  repeated digits.

  Please do not change your WAC until you are prompted to on or after the
  21st March 2006. This will save you having to re enter a new WAC.

  These changes are being made in preparation for an improved site later in
  the year with added functionality such as Bpay view, Secure mail, Setting
  up regular payments, Submit a request for a new Term Deposit, Added
  security features.

After I enquired about this apparent backward step, the credit union's
response claimed this was required for the implementation of two-factor
authentication, amongst other security enhancements. Two-factor
authentication might be great for those who use it, but those that don't will
be left with the limited password options.

I thought the RISKS were obvious, but perhaps not to the credit union's
security team.
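
The size of the reduction described in the item above, worked through as an added example (not part of the original submission or the credit union's notice): it enumerates every six-digit code under the notice's rules and compares the result with an alphanumeric password. Reading "repeated digits" as adjacent repeats, the sample date-of-birth fragments and member number, and the eight-character alphanumeric baseline are all assumptions.

```python
import math
from itertools import product

DIGITS = "0123456789"


def is_valid_wac(code, dob_fragments=(), member_number=""):
    """Check a candidate Web Access Code against the rules in the notice.

    Assumption: "repeated digits" means the same digit twice in a row.
    """
    # Exactly six characters, each one of 0-9 (so no spaces or letters).
    if len(code) != 6 or any(c not in DIGITS for c in code):
        return False
    # No digit immediately repeated.
    if any(a == b for a, b in zip(code, code[1:])):
        return False
    # Must not contain (or be contained in) the member number.
    if member_number and (member_number in code or code in member_number):
        return False
    # Must not contain any written form of the date of birth.
    return not any(frag and frag in code for frag in dob_fragments)


def count_valid_wacs(dob_fragments=(), member_number=""):
    """Enumerate all 10**6 codes and count those the rules still allow."""
    return sum(
        is_valid_wac("".join(t), dob_fragments, member_number)
        for t in product(DIGITS, repeat=6)
    )


def entropy_bits(keyspace):
    """Bits of entropy of a secret chosen uniformly from `keyspace` values."""
    return math.log2(keyspace)


def guess_success_probability(attempts, keyspace):
    """Chance that `attempts` distinct guesses include a uniformly chosen
    secret; useful for sizing a lockout threshold."""
    return min(1.0, attempts / keyspace)


if __name__ == "__main__":
    # Constructed sample member: born 7 March 1980, member number 48213.
    dob = ("0703", "0307", "1980", "070380")
    allowed = count_valid_wacs(dob, "48213")
    old = 62 ** 8  # assumed baseline: 8 chars from a-z, A-Z, 0-9
    print(f"all six-digit codes : {10**6:>9,} ({entropy_bits(10**6):.1f} bits)")
    print(f"allowed by the rules: {allowed:>9,} ({entropy_bits(allowed):.1f} bits)")
    print(f"8-char alphanumeric : {entropy_bits(old):.1f} bits")
    print(f"3 guesses before lockout succeed with p = "
          f"{guess_success_probability(3, allowed):.2e}")
```

The rules meant to make a code harder to guess also remove over 40% of the already small space, so the lockout and monitoring controls around the login carry almost all of the protection.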

------------------------------

Date: Tue, 7 Mar 2006 23:38:35 -0500
From: "Walter Dnes" <waltdnes@private>
Subject: More stupid high-tech legislation in NJ (RISKS-24.19)

High-tech-howlers are nothing new for New Jersey legislators. See
http://catless.ncl.ac.uk/Risks/12.09.html#subj5 back in 1991. That was about
a bill that would require all "software engineers" to be licenced, for a
*VERY WIDE* definition of "software engineer". The initial draft would've
required every secretary who created a Word or Excel macro to be licenced as
an engineer.

Walter Dnes <waltdnes@private> In linux /sbin/init is Job #1

------------------------------

Date: Mon, 6 Mar 2006 23:03:08 -0500 (EST)
From: tanner andrews <tanner@private>
Subject: Re: NJ Bill Would Prohibit Anonymous Posts on Forums (RISKS-24.19)

Too much important opinion, including that leading to the founding of the
country, was published anonymously to permit the government to ban anonymous
opinion. Even unto this day, anonymous pamphleteering is an honorable
activity at the core of the First Amendment.

The main difference between Mrs. McIntyre's pamphlets and the fora to be
regulated is that a reader could use the pamphlet to create litter. The
Internet provides no similar opportunity because one is not handed a
physical object.

I would expect that such a statute, were it to be enacted, would be quickly
challenged and almost as quickly overturned. See _McIntyre v. Ohio Elections
Comm'n_, 514 U.S. 334 (1995). Nor is the question of littering dispositive.
See _Schneider v. NJ_, 308 U.S. 147 (1939) [@156, Milwaukee; @157,
Worcester].

Obviously I am not a lawyer and you would talk to one before challenging or
violating any statute.

------------------------------

Date: Mon, 06 Mar 2006 22:45:37 -0600
From: Rex Black <rexblack@private>
Subject: Re: NJ Bill Would Prohibit Anonymous Posts on Forums (RISKS-24.18)

On the other hand, having had a few "hit job" reviews posted of my book,
*Managing the Testing Process*, posted at Amazon.com by anonymous reviewers,
it seems that allowing people to slam other people--who may well be
competitors--in a public forum without disclosing their identities and
therefore their interests poses some risks not just to the people who are
slammed, but also to the readers who may unquestioningly accept the critique
while unaware of the motivations and interests behind the critique.

Rex Black, CTO, Pure Testing, Pvt Ltd; President, American Software Testing
Qualifications Board; President, International Software Testing
Qualifications Board; 31520 Beck Road, Bulverde, TX 78163 +1 (830) 438-4830
www.rexblackconsulting.com

------------------------------

Date: Tue, 7 Mar 2006 09:48:48 -0000
From: "Martyn Thomas" <martyn@thomas-associates.co.uk>
Subject: Re: On learning from accidents (Kirakowski, RISKS-24.18)

When was the last time you saw a safety case where the claimed probabilities
of failure had error bounds? When was the last time you saw a sound argument
justifying these error bounds?

I never have. Has anyone on the list *written* such a safety case?

------------------------------

Date: Tue, 7 Mar 2006 14:07:05 +0000
From: Jerome Ravetz <jerome-ravetz@private>
Subject: Re: On learning from accidents (Norman, RISKS-24.17)

Up to now the most obvious harm done by pseudo-precision may well be in the
'accidents' of badly designed systems. It could also be that the failure to
control the mass of meaningless output from computer programs ('GIGO
science') is a consequence of our dogmatic faith in numbers.

My education in pseudo-precision began when I realised that students being
taught the Systeme Internationale as promoted in England in 1970 were forced
to lie.
At that time, the S.I. prefixes were rigorously cascaded in thousands; the
deci- and centi- were banned. So students doing exercises in 'the metric
system' were required to quote measurements of length to the nearest
millimetre, even when the object was a rough concrete pillar.

Like Hamish Marson I knew some old-fashioned physical scientists who taught
their students about the management of uncertainty; but the breed was dying
out even then. Reflecting on all this I eventually wrote (with my colleague
Silvio Funtowicz) 'Uncertainty and Quality in Science for Policy'. In this we
developed the 'NUSAP' notational scheme, whose categories are Numeral, Unit,
Spread, Assessment and Pedigree.

The principle behind NUSAP has had some success; the Dutch Environment Agency
has a 'Guidance' for assessing uncertainty in scientific information which is
becoming a standard. But even there I find inadequate attention to the task
of matching precision to accuracy. And for the situations when very uncertain
quantities are involved (as in much policy-related information) I find hardly
any concern at all.

Are there RISKS readers interested in developing this?

Jerry Ravetz, 111 Victoria Road, Oxford OX2 7QG, +44 [0]1865 512247
Mobile 0790 535 2788  Website: www.jerryravetz.co.uk
Visiting Fellow, the James Martin Institute for Science and Civilization,
Business School, Oxford University.

Files of my recent papers, available for downloading, can be found on the
website www.nusap.net; on the Home Page see Tutorials - Post-Normal Science
and NUSAP, and Sections - Reports, papers.

------------------------------

Date: Thu, 09 Mar 2006 10:27:35 -0500
From: Perry Bowker <pbowker@private>
Subject: Re: On learning from accidents (Norman, RISKS-24.17)

The discussion of error tolerances reminded me of a time, many years ago,
when I was an undergrad physics student.
We were, of course, drilled endlessly by professors and post-grad assistants
about the vital need to include error bars in experimental results. One day,
my lab partner and I were running some experiment (I think it was to explore
a Wheatstone bridge) built out of ancient wires, resistances, and meters. The
hopelessly antique equipment inspired my partner to record some result as
"4.1487892 +/- .002%" in his lab book. When the experiment was marked, the
instructor wrote "I don't see how you could have achieved such precision", to
which my partner wittily wrote back: "You should not be critical of extra
work, voluntarily done."

------------------------------

Date: Mon, 6 Mar 2006 21:16:46 -0800
From: <dick@private>
Subject: Re: On learning from accidents (Marson, RISKS-24.18)

Relevant experience? (gotta understand)

Hamish Marson asks, How many people who write software actually have relevant
experience in the real world for things they're doing?

In my view, relevant experience is not near enough to do the job right.
Usually when a task is to be done using a computer, the designers and coders
must understand the task BETTER than most real world experts do. Otherwise it
doesn't work and nobody is happy.

Furthermore, there are many other ways to fail, as well. Some of them are
profitable anyway.

------------------------------

Date: Wed, 08 Mar 2006 22:06:21 -0500
From: Gabe Goldberg <gabe@private>
Subject: Insecure APC BioPod

APC (American Power Conversion) http://apc.com/ sells a BioPod
http://apc.com/products/family/index.cfm?id=246&ISOCountryCode=ww
described "Biometric Security: A Simple and Secure Way to Remember
Passwords". Text is "As security concerns continue to grow, so do the number
of passwords. The Biometric Password Manager provide users a convenient and
secure way to manage and access multiple security phrases and codes. This
product biometrically identifies users and gives them convenient access to
password protected applications and web sites."

When you install the software, it uses your Windows password for securing all
your login/password pairs. That's of course bad because you might want more
or layered security on your logins.

What's worse is that if you have no Windows password the software silently
accepts null as password. That is, not only do you not need a password to
open the password vault stored on the BioPod, no warning is given that a
password might be a good idea to secure the goodies.

After getting over my astonishment at that behavior I called APC tech support
but couldn't convince them that there was a problem. The dialogue below shows
my repeated failed attempts to convince the Web folk that a problem exists.

==================================

Me: Biopod has huge security flaw, compromises the device's integrity. I've
reported this to your support people but see no action taken.

APC: Thank you for contacting APC's email support on 01/31/2006 06:27 PM. I
would be happy to assist you. I apologize for the inconvenience. I am unaware
of any security flaw with the BioPod. If you would like to describe the
details of the suspected please feel free to send them to me. Officially the
BioPod is not advertised as a security device, but a password manager, so it
is not designed to increase the security of your computer, but provide a safe
way to manage and store your passwords.

Me: Installing the BioPod software on a Windows PC that is not password
protected makes the BioPod password blank. That is, when the password
challenge is issued simply clicking OK without using a fingerprint AND
WITHOUT ENTERING A PASSWORD logs in to the BioPod password vault. That's not
my idea of a useful password manager.

APC: The OmniPass software and BioPod can be setup for use with a Windows
password or without a Windows password. If you don't have a Windows password
and setup a "Windows" user you will be able to log into the password vault
without a password because you don't have a Windows password.
If you don't want to setup a Windows password simply setup a non-Windows user
in OmniPass by following the directions in the attached document.

Me: You're entirely missing my point. NO WARNING IS GIVEN THAT THE BIOPOD HAS
BEEN SET UP WITH NO PASSWORD. THIS IS A PROFOUND SECURITY EXPOSURE SINCE IT
GIVES THE ILLUSION OF PROTECTION WHERE THERE IS NONE. Do you think the BioPod
is performing correctly and that it's documented correctly and fully? If so,
we have nothing further to discuss -- but I'm astonished at APC's (lack of)
response to this problem.

APC: I understand your point, however if you choose to setup a BioPod user
using your Windows password as the master password and your Windows Password
is blank, the BioPod would clearly not have a secure Master Password. It is
for this reason if you do not have a Windows password it is recommended you
choose the option to setup a separate Master Password not based on the
Windows password. Or you could opt to add security to your computer system by
adding a Windows password.

Me: This is your last chance. I reinstalled the software to review the
installation dialogue. If no Windows password is set NO WARNING IS GIVEN THAT
THE DEVICE IS NOT SECURE. You're correct that the user can set a Windows
password for the specific purpose of having it inherited by the BioPod, and
then remove the Windows password. But doesn't this seem a bit cumbersome to
you? And aren't users unlikely to do it WITHOUT SPECIFIC INSTRUCTIONS? Having
the BioPod only take the Windows password, being unable to set a specific
unique password for the BioPod, is very bad design. Your unwillingness to
acknowledge that users MAY NOT REALIZE THAT THEIR BIOPOD is insecure is
baffling. So my next communication will be with your public relations people
and some mailing lists that publicize security risks such as this. They'll of
course see how many times I tried to convince you that there's a problem
here.

APC: When the BioPod and OmniPass software are used properly they provide a
secure way to manage your passwords. For more information about the operation
of the software please contact Softex Inc, the designer of the software at
www.softexinc.com support@private

Gabriel Goldberg, Computers and Publishing, Inc., 3401 Silver Maple Place,
Falls Church, VA 22042 <http://www.cpcug.org/user/gabe> (703) 204-0433

------------------------------

Date: 2 Oct 2005 (LAST-MODIFIED)
From: RISKS-request@private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you. The mailman web interface can be used
 directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM:
 address, send a message to
   risks-request@private
 containing only the one-word text subscribe or unsubscribe. You may also
 specify a different receiving address: subscribe address= ... . You may
 short-circuit that process by sending directly to either
   risks-subscribe@private or risks-unsubscribe@private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address. Instructions are
 included in the confirmation message. Each issue of RISKS that you receive
 contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall@private>.
=> SPAM challenge-responses will not be honored.
 Instead, use an alternative address from which you NEVER send mail!
=> SUBMISSIONS: to risks@private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks [subdirectory i for earlier volume i]
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
 <http://www.csl.sri.com/illustrative.html> for browsing,
 <http://www.csl.sri.com/illustrative.pdf> or .ps for printing

------------------------------

End of RISKS-FORUM Digest 24.19
************************
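
A pre-import check for the identifier corruption described in the item "Excel garbles microarray experiment data" above, as an added example (not code from the cited paper or from any contributor): it flags identifiers that a spreadsheet's default cell format would turn into dates or floating-point numbers, and reproduces the item's 12.5% and 6.25% figures by generating plate-coordinate clone names. The regular expressions only approximate Excel's behaviour, and the plate-number + row-letter + two-digit-column naming scheme is an assumption modelled on the identifier quoted in the item.

```python
import re
import string

# Assumption: these patterns approximate Excel's default type coercion for the
# two failure modes described in the item; they are not an exhaustive model.
_MONTHS = ("JAN|FEB|MAR|MARCH|APR|APRIL|MAY|JUN|JUNE|JUL|JULY|"
           "AUG|SEP|SEPT|OCT|NOV|DEC")
DATE_LIKE = re.compile(rf"^(?:{_MONTHS})[-/ ]?\d{{1,2}}$", re.IGNORECASE)
FLOAT_LIKE = re.compile(r"^\d+E[+-]?\d+$", re.IGNORECASE)


def classify(identifier):
    """Return 'date', 'float', or None for an identifier pasted as plain text
    into a cell that still has the default (General) format."""
    ident = identifier.strip()
    if DATE_LIKE.match(ident):
        return "date"
    if FLOAT_LIKE.match(ident):
        return "float"
    return None


def audit(identifiers):
    """Map each at-risk identifier to the kind of coercion it would suffer."""
    findings = {}
    for ident in identifiers:
        kind = classify(ident)
        if kind is not None:
            findings[ident] = kind
    return findings


def plate_clone_ids(plate, rows, cols):
    """Clone names built from plate coordinates (assumed naming scheme:
    plate number, row letter, two-digit column), e.g. 2310009E13."""
    letters = string.ascii_uppercase[:rows]
    return [f"{plate}{r}{c:02d}" for r in letters for c in range(1, cols + 1)]


def at_risk_fraction(rows, cols, plate=2310009):
    """Fraction of a plate's clone names that would be read as floats."""
    ids = plate_clone_ids(plate, rows, cols)
    return sum(classify(i) == "float" for i in ids) / len(ids)


# Constructed sample column: DEC1 and 2310009E13 are the two identifiers
# quoted in the item; the remaining gene symbols are added for contrast.
SAMPLE = ["DEC1", "SEPT2", "MARCH1", "OCT4", "TP53", "BRCA1", "2310009E13"]

if __name__ == "__main__":
    for ident, kind in audit(SAMPLE).items():
        print(f"{ident:<12} would be coerced to a {kind}")
    print(f"96-well plate : {at_risk_fraction(8, 12):.2%} of clone names at risk")
    print(f"384-well plate: {at_risk_fraction(16, 24):.2%} of clone names at risk")
```

Because the conversion cannot be undone afterwards, a check like this belongs before the file is opened in a spreadsheet, alongside importing the identifier column explicitly as text.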