RISKS-LIST: Risks-Forum Digest  Wednesday 25 July 2007  Volume 24 : Issue 75

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/24.75.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Thompson, Langevin Release GAO Cybercrime Report, Announce Plans to Improve
  Private Sector Cybersecurity (CHSMajorityPress)
Vista Mail claims rejected mail has been sent (Neil Youngman)
SAIC sent military medical data unencrypted via the Internet (PGN)
Whoops! Nevada governor accidentally posts Outlook password (Declan McCullagh)
Wimbledon and the space shuttle (Mike Scott)
iPhone security flaw (Chris Leeson)
Right to Interfere with eBay Auctions (Greg Beck via Monty Solomon)
NTSB report pending on Comair Flight 5191 crash in Lexington KY (PGN)
IT risks in the Chemical Facility Anti-Terrorism Standard? (David E. Price)
Risks: Cellular carrier account security (Gabe Goldberg)
Risks of purism (Tim Panton)
Re: Space Shuttle uses 2-version programming (Robert Woodhead)
Re: Gripen: Risks of safety measures in military jet (Urban Fredriksson,
  Claes T, Nani Isobel)
REVIEW: "Backup and Recovery", W. Curtis Preston (Rob Slade)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon Jul 23 10:48:59 2007
From: CHSMajorityPress <CHSMajorityPress@private>
Subject: Thompson, Langevin Release GAO Cybercrime Report, Announce Plans to
  Improve Private Sector Cybersecurity

Thompson, Langevin Release GAO Cybercrime Report, Announce Plans to Improve
Private Sector Cybersecurity
July 23, 2007

(WASHINGTON) - Today, Congressman Bennie G. Thompson (D-MS), Chairman of the
Committee on Homeland Security, and Congressman James R. Langevin (D-RI),
Chairman of the Subcommittee on Emerging Threats, Cybersecurity, Science and
Technology released a report conducted by the Government Accountability
Office (GAO) on public and private challenges in addressing cybercrime.

The GAO reaffirms the threat that cybercrime poses to U.S. national and
economic security interests. In 2005, the Federal Bureau of Investigation
estimated American businesses lost $67.2 billion due to computer crime.
Threats come both from at home and abroad; though many cyberattacks originate
on U.S. soil, foreign adversaries continue to make public statements about
exploiting vulnerabilities in technology to their advantage.

According to the GAO, the public and private sectors face numerous challenges
to secure cyberspace, both in operational security and in law enforcement.
Both public and private sectors have run into difficulties detecting or
reporting cybercrime; the sectors have struggled to implement strong
information security programs; there is a lack of adequate law enforcement
analytical and technical capabilities to confront these challenges; and the
borderless environment of cybersecurity makes it difficult for law enforcement
to hold accountable those who break laws.

Chairman Thompson issued the following statement regarding the findings:

"When it comes to cyber, we have two worlds to secure - the public and the
private sector. In order to provide leadership to the private sector, the
Department of Homeland Security must demonstrate control of its networks.
Unfortunately, previous GAO engagements and our own investigations into the
Department have shown that 'information security' has become an oxymoron.
This is simply unacceptable. This Administration and the Department's
leadership may continue to disregard these problems, but this Committee will
continue to demand accountability from the government contractors and
employees charged with securing information networks."

Chairman Langevin added:

"I encourage all businesses - small and large - to take a very close look at
their cybersecurity practices. Though 100% security may be unattainable, there
are many policies and procedures that businesses can implement to better
safeguard their data. Just as the government must improve its cybersecurity
posture, so too must the private sector. The private sector is the nation's
economic engine and the owner of a great majority of the national critical
infrastructure. American businesses must come to realize that the security of
the information that they keep is as important as the bottom line. In the
upcoming months, this Committee will lead the conversation about ways to spur
private sector investment in cybersecurity. Recently, Assistant Secretary for
Cybersecurity and Telecommunications Greg Garcia asked us to consider
legislation to help make the case for private investment. In addition to our
efforts designed to improve Federal network security, I will work with
Chairman Thompson to identify plans for incentives and liabilities that will
improve private sector cybersecurity."

FOR MORE INFORMATION: Please contact Dena Graziano or Todd Levett at
(202) 225-9978.

United States House of Representatives
Committee on Homeland Security
H2-176, Ford House Office Building, Washington, D.C. 20515
Phone: (202) 226-2616 | Fax: (202) 226-4499
<http://homeland.house.gov/>

------------------------------

Date: Fri, 20 Jul 2007 09:24:27 +0100
From: "Neil Youngman" <Neil.Youngman@private>
Subject: Vista Mail claims rejected mail has been sent

Here's a nice little problem with "Vista Mail". It appears that in some
circumstances a "550" permanent rejection SMTP response is ignored and Vista
Mail shows the mail as having been sent, even though the mail server rejected
it.

  http://lists.exim.org/lurker/message/20070718.140135.4765aa65.en.html

The reason seems to be that Vista Mail can't handle multiline responses
correctly.

  http://lists.exim.org/lurker/message/20070719.161335.f220a4a6.en.html

The risks of MS being unable to implement a simple protocol correctly are
obvious.

Neil Youngman, Developer, Wirefast Limited  +44 (0)20 7592 1258

------------------------------

Date: Sat, 21 Jul 2007 17:54:17 PDT
From: "Peter G. Neumann" <neumann@private>
Subject: SAIC sent military medical data unencrypted via the Internet

Air Force investigators are probing a security breach at Science Applications
International Corp. (SAIC) of San Diego, which handles sensitive health
information for 867,000 U.S. service members and their families. SAIC has
acknowledged that some of its employees sent data over the Internet
unencrypted, including medical appointments, treatments, and diagnoses. Two
years ago, SAIC had a computer intrusion that resulted in the leakage of SSNs
and other personal info on tens of thousands of its employees -- including
former SAIC executive David A. Kay, who was the chief U.N. weapons inspector
in Iraq, and a former director who was a top CIA official.

[Source: Ellen Nakashima and Renae Merle, Military Medical Breach Revealed:
Unencrypted Data Sent Via Internet, *The Washington Post*, 21 Jul 2007, D01;
PGN-ed]
http://www.washingtonpost.com/wp-dyn/content/article/2007/07/20/AR2007072001422.html?hpid=sec-health

------------------------------

Date: Fri, 20 Jul 2007 11:25:41 -0700
From: Declan McCullagh <declan@private>
Subject: Whoops! Nevada governor accidentally posts Outlook password

[The files have been deleted since my story went up, but, unfortunately for
the governor's office, are still available on Google's cache:
http://www.google.com/search?q=site%3Alistserv.nv.gov]

Declan McCullagh [via Politech distribution], Nevada governor accidentally
posts Outlook password, 20 Jul 2007
http://news.com.com/8301-10784_3-9747705-7.html

If you ever wanted to be Nevada's governor for a day, it doesn't seem to be
that hard.

In what could be a whopping security hole, Nevada has posted the password to
the gubernatorial e-mail account on its official state Web site. It appears
in a Microsoft Word file giving step-by-step instructions on how aides should
send out the governor's weekly e-mail updates, which has, as a second file
shows, 13,105 subscribers.

The Outlook username is, by the way, "governor" and the password is "kennyc".
We should note at this point that the former Nevada governor, a Republican, is
Kenny C. Guinn, which hardly says much about password security. [...]

Archived at http://www.politechbot.com/

------------------------------

Date: Fri, 20 Jul 2007 10:31:11 +0100
From: Mike Scott <usenet.10@private>
Subject: Wimbledon and the space shuttle

Not a lot to do with each other, one might have thought. But PGN's comment in
RISKS-24.74 about "proof by simulation" struck a chord.

I'm referring particularly to this year's Wimbledon tennis tournament. For
some years, the BBC has used simulations to show a virtual image of the
ball's path, and in particular where it has bounced. I've wondered
periodically how accurate these were - presumably /something/ has to track
the ball in real time and model its trajectory. I've no idea how it's done.

What I /do/ remember from the last year or so is that the Beeb once played
back in close succession both a real video replay close-up of the ball
bouncing, and then the simulation: it was quite clear that the simulation was
at least 2 or 3 inches adrift, more than enough to make the difference
between a line call being 'in' or 'out'.

This year, they actually relied on Hawkeye [the simulator] as final arbiter
in line calls - an umpire refused to over-rule it on at least one occasion.
Separately, a BBC commentator said something like, "if we question Hawkeye,
whatever next?". One of the finalists, IIRC, went so far as to question the
system's accuracy however.

Interestingly, the BBC used a lot of Hawkeye simulation replays to show the
bounce of the ball - but I don't recall seeing a single close-up /video/
replay of the bounce this year.

Of course, tennis line calls are notoriously difficult, and Hawkeye may be
more accurate overall than people's judgment; nevertheless, the blind faith
in it is worrying.

Hawkeye at least has the benefit that it can't be intimidated by the "brats"
of the game :-)

  [There were several Hawkeye simulations that seemed obviously wrong to the
  commentators, spectators, and TV viewers. RISKS has often warned about
  people overendowing the infallibility of technology. Despite being steeped
  in old traditions, Wimbledon seems to be the latest victim. PGN]

------------------------------

Date: Tue, 24 Jul 2007 09:18:43 +0100
From: "Chris Leeson" <Chris.Leeson@private>
Subject: iPhone security flaw

I suppose it was inevitable - someone has found a security vulnerability in
the iPhone:

Dan Goodin, "Jesus Phone" needs an exorcist; security flaw means demonic
possession for Apple iPhone, *The Register*, 24 Jul 2007
http://www.theregister.co.uk/2007/07/24/iphone_security_vulnerability/

If a person visits a malicious website, then the phone can be infected with
malware. Not a direct attack (in other words, launchable from the person
sitting next to you), but I expect that is coming...

I remember the days when the only thing you could do with a mobile phone was
ring people...

------------------------------

Date: Fri, 20 Jul 2007 16:05:03 -0400
From: Monty Solomon <monty@private>
Subject: Right to Interfere with eBay Auctions (Greg Beck)

Companies Claim Right to Interfere with eBay Auctions for Charging Too Little
Greg Beck, 17 Jul 2007
http://pubcit.typepad.com/clpblog/2007/07/leegin-and-ebay.html

I predicted that companies would soon rely on the Supreme Court's decision in
Leegin Creative Leather Products v. PSKS to justify interfering with
competition from less expensive products sold online. It did not take long
for that prediction to come true. Although interference with eBay sales is
nothing new, companies in two recently filed federal cases explicitly invoke
Leegin as a justification for terminating the eBay auctions of competitors
that charge lower prices online. These cases not only show Leegin's likely
effect on Internet sales, but are also, unfortunately, fairly typical
examples of the sort of anticompetitive actions companies take to fight
lower-priced competition online.

------------------------------

Date: Mon, 23 Jul 2007 10:30:12 PDT
From: "Peter G. Neumann" <neumann@private>
Subject: NTSB report pending on Comair Flight 5191 crash in Lexington KY

Comair pilot instructors testified that the crew of Comair Flight 5191
committed numerous procedural violations relating to briefing, taxiing, and
"sterile cockpit" rules (maintaining a distraction-free cockpit) before
taking off from the wrong runway and crashing near the Lexington KY airport
27 Aug 2006, killing 49 people (see RISKS-24.41). Their testimony is
apparently consistent with evidence released by the NTSB showing that the
pilots violated company and Federal Aviation Administration rules by talking
about their families, work and other subjects while preparing for takeoff.
However, Comair maintains pilots were "confronted with inaccurate and
inadequate airport charts, maps, signs, barriers, markings, and lighting".

[Source: *Lexington Herald-Leader*, 23 Jul 2007; PGN-ed. Also, only one air
traffic controller was on duty (RISKS-24.43).]
http://www.kentucky.com/471/story/127516.html

------------------------------

Date: Wed, 25 Jul 2007 09:59:44 -0700
From: "David E. Price, SRO, CHMM" <price16@private>
Subject: IT risks in the Chemical Facility Anti-Terrorism Standard?

I was looking at the recent interim Chemical Facility Anti-Terrorism
Standards, 6CFR27, while preparing a briefing on audit possibilities. The
Standard contains the following provisions:

  27.230 (a) (7) Sabotage. Deter insider sabotage;

  27.255 (d) Records required by this section may be kept in electronic
  format. If kept in an electronic format, they must be protected against
  unauthorized access, deletion, destruction, amendment, and disclosure.

These requirements seem pretty straightforward. However, there is a risk in
counting on regulators to fully think through requirements such as these.

How can a facility protect electronic records from deletion, destruction, or
amendment by disgruntled insiders such as management, IT personnel, security
personnel, or onsite fire-fighters who all have access to the rooms housing
the electronic equipment? Two server rooms with separate IT staff could work
for the IT group and possibly management, but it likely isn't feasible to
block access to security or first response personnel. (I once worked as an
Operations Supervisor at a commercial nuclear plant. Management decided that
a block of offices contained material too sensitive to allow the fire brigade
access after hours. A smoldering trash can which convinced us to break down a
door in the middle of the night quickly pointed out the flaw in that
thinking, and we got keys the next day.)

The only easy (partial) solution I could think of involves offsite storage,
with the storage company personnel having read-only access to the onsite
records and onsite staff having read-only access to the offsite files.
However this only reduces but doesn't eliminate the risk, especially for
alteration. (The offsite backup would likely mirror any unauthorized onsite
alteration. This seems to call for incremental backups with retention of all
versions.) And of course the offsite backup solution increases the risk of
disclosure.

Maybe the key is in the requirement to deter and protect rather than prevent
insider sabotage, but this quickly turns into an audit nightmare of how much
deterrence is enough.
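The retention scheme David Price sketches (an offsite copy that mirrors every onsite change, but as an incremental append that keeps all prior versions, so a mirrored alteration is visible rather than silently replacing the record) can be illustrated with a small worked example. The following is added example code written for this digest, not code from the post, the regulation, or any facility's system; the record identifiers and contents are constructed, and `VersionStore`, `replicate` and `audit` are hypothetical names. It goes slightly beyond the post by also hash-chaining the retained history so that edits to or deletions from the offsite versions themselves are detectable by an auditor.

```python
"""Versioned, hash-chained record retention (constructed example).

The onsite copy is a plain mutable dict (anyone with room access can edit it).
The offsite copy is append-only: each replication run adds a NEW version of any
changed record and never overwrites history, so an alteration is mirrored but
the original survives beside it. A SHA-256 chain over the offsite entries lets
an auditor verify that the retained history itself has not been edited.
"""
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # chain anchor for the first retained entry


@dataclass
class Version:
    record_id: str
    seq: int          # per-record version number, starting at 1
    content: str
    prev_hash: str    # digest of the previous entry in the store-wide chain
    digest: str       # SHA-256 over (record_id, seq, content, prev_hash)


def compute_digest(record_id: str, seq: int, content: str, prev_hash: str) -> str:
    payload = json.dumps([record_id, seq, content, prev_hash]).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


class VersionStore:
    """Append-only retention of every version of every record (the offsite copy)."""

    def __init__(self) -> None:
        self.entries: list[Version] = []

    def append(self, record_id: str, content: str) -> Version:
        prev_hash = self.entries[-1].digest if self.entries else GENESIS
        seq = 1 + sum(1 for e in self.entries if e.record_id == record_id)
        entry = Version(record_id, seq, content, prev_hash,
                        compute_digest(record_id, seq, content, prev_hash))
        self.entries.append(entry)
        return entry

    def latest(self) -> dict[str, str]:
        """Most recent retained content per record (later entries win)."""
        return {e.record_id: e.content for e in self.entries}

    def history(self, record_id: str) -> list[str]:
        """Every retained version of one record, oldest first."""
        return [e.content for e in self.entries if e.record_id == record_id]

    def verify_chain(self) -> bool:
        """False if any retained entry was edited, removed or reordered."""
        prev = GENESIS
        for e in self.entries:
            if e.prev_hash != prev or e.digest != compute_digest(
                    e.record_id, e.seq, e.content, e.prev_hash):
                return False
            prev = e.digest
        return True


def replicate(onsite: dict[str, str], offsite: VersionStore) -> list[str]:
    """Incremental replication: every new or changed onsite record goes offsite
    as a new version. Alterations are mirrored, but prior versions are kept."""
    current = offsite.latest()
    changed = [rid for rid, content in onsite.items() if current.get(rid) != content]
    for rid in changed:
        offsite.append(rid, onsite[rid])
    return changed


def audit(onsite: dict[str, str], offsite: VersionStore) -> dict:
    """Compare the live onsite copy against retained offsite history.

    deleted:   records present offsite but gone from the onsite copy
    altered:   onsite content differs from the latest retained version
    rewritten: records with more than one retained version (changed after
               first retention; the auditor can read both versions)
    chain_ok:  the offsite history itself passes the hash-chain check
    """
    current = offsite.latest()
    deleted = sorted(r for r in current if r not in onsite)
    altered = sorted(r for r in onsite if r in current and current[r] != onsite[r])
    rewritten = sorted(r for r in current if len(offsite.history(r)) > 1)
    return {"deleted": deleted, "altered": altered,
            "rewritten": rewritten, "chain_ok": offsite.verify_chain()}


if __name__ == "__main__":
    # Constructed sample records, not real facility data.
    onsite = {"incident-0001": "02:10 door alarm, security responded",
              "incident-0002": "valve inspection complete"}
    offsite = VersionStore()
    replicate(onsite, offsite)
    onsite["incident-0001"] = "02:10 no alarm recorded"   # onsite alteration
    replicate(onsite, offsite)                            # mirrored, not lost
    print(offsite.history("incident-0001"))
    print(audit(onsite, offsite))
```

The point of the `rewritten` list is the one the post makes: mirroring alone reproduces the alteration, but version retention turns it into an auditable event with both the before and after content on record. The hash chain covers the remaining gap, an insider with write access to the offsite history, since any edit there breaks every digest that follows it.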
------------------------------

Date: Fri, 20 Jul 2007 22:51:36 -0400
From: Gabe Goldberg <gabe@private>
Subject: Risks: Cellular carrier account security

When I established my cell phone account I saw no reason to provide my social
security number, so I gave them random digits, which I then forgot. So I
couldn't make account changes (since last four SSN digits are used for PIN!)
no matter how I explained that they didn't have my real SSN so I couldn't
tell them what their screen displayed for my account.

Today I called and simply said there was a problem with my account, the
record had the wrong SSN, and I'd like to fix it. No problem, no identity
verification, the rep happily accepted four new digits, which I then used on
their Web site to update my account.

------------------------------

Date: Fri, 20 Jul 2007 11:16:36 +0100
From: Tim Panton <thp@private>
Subject: Risks of purism

In RISKS-24.74 PGN rightly casts doubt on the validity of 'proof by
simulation'. I'm a fan of well designed simulations.

In a former life I was involved in the testing of a control system for a
chemical plant. We created a faithful simulation of the plant, then arranged
for our simulator to output voltages that mimicked the sensors that were in
the real plant. We then plugged these outputs into the control system and
went through a series of tests.

The results were totally unexpected. It failed: in some cases the simulated
plant responded too slowly. We assumed that the problem was the simulation or
the interfaces. After much study we concluded it wasn't. The control system
was at fault, and in a subtle way: the control blocks covering the most time
critical loops had been spread over multiple processors and the
inter-processor communication was introducing a significant delay. The
manufacturer 're-optimized' the loops and the problem was fixed.

Used appropriately simulations (or stimulations ?) can tell you things you
couldn't easily find any other way, so should be in the toolbox of any
serious tester.

------------------------------

Date: Fri, 20 Jul 2007 09:41:28 +0900
From: Robert Woodhead <trebor@private>
Subject: Re: Space Shuttle uses 2-version programming (PGN, RISKS-24.74)

Consider the risks of live-testing the backup software. If it has a bug,
you've potentially lost a shuttle and crew. Brings a whole new meaning to
"live testing", doesn't it?

Since the backup software isn't going to ever be used until after the fecal
matter has hit the rotary impeller at high velocity (does the shuttle toilet
have a rotary impeller? IIRC it does...), not testing it under live
conditions may well be the lower-risk path. Sometimes the risks of testing
outweigh the benefits.

  [Added note: Well, I was struck by the meta-risk. Or maybe it's better
  classed as a "reentrant risk" (smirk). RW]

------------------------------

Date: Fri, 20 Jul 2007 09:16:40 +0200 (MET DST)
From: Urban Fredriksson <griffon@private>
Subject: Re: Gripen: Risks of safety measures in military jet

"The picture clearly shows the firing handle."

Yes, of a Mk.10LH seat. It looks different on a Mk.10LS seat as can be seen
here:
  http://www.canit.se/%7Egriffon/aviation/img/ljungbyhed96/mbmk10.jpg
Photo shows an A/B version seat; the C/D was given a stiffer handle.

Saab says they were able to duplicate the initiation using test subjects with
large thighs; the temporary fix was to restrict flying to 3G and the air
force has said the permanent fix is to fit more flexible handles. Doesn't
seem like there's any doubt as to what happened although the official
investigation is still listed as ongoing.

------------------------------

Date: Fri, 20 Jul 2007 12:08:23 +0200
From: Claes T <claes.t@private>
Subject: Re: Gripen: Risks of safety measures in military jet (R-24.74)

[seat firing handle]
>The handle itself is flexible and can be deformed; it's like stiff wire, so
>if the anti-g suit is responsible then it must impart at least 15 pounds of
>force upwards after deforming the handle and move the handle at least one
>inch. Something which I really can't see happening.
>Typhoon uses the Martin-Baker Mk16A seat

Please note the handle has been changed in the Gripen C/D-versions: the
"wire" is replaced with a heart-formed ring on a short stick. So, the Typhoon
comparison isn't relevant.

A picture of the handle versions can be found at
http://www.nyteknik.se/art/51034 [text in Swedish only]. A SAAB spokesman
says in the article (from June 5th) the handle has been found slightly pushed
upwards and not always fully retracted after repeated occasions of high
G-load in performed tests after the crash, and that all handles now should be
replaced with a more soft handle like the one in earlier Gripen versions.

------------------------------

Date: Mon, 23 Jul 2007 23:58:06 -0500
From: Nani Isobel
Subject: Re: Gripen: Risks of safety measures in military jet (R-24.74)

There may be a way the ejection handle can get pulled. Start with a high-g
turn, pitch up, causing the suit to inflate and grip the handle. Follow it
with a high-g turn, pitch down, causing the pilot to be pulled up into the
belts while the suit is still inflated. If the belts are loose or if they
stretch, the pilot could move up by an inch.

------------------------------

Date: Mon, 23 Jul 2007 12:34:08 -0800
From: Rob Slade <rMslade@private>
Subject: REVIEW: "Backup and Recovery", W. Curtis Preston

BKBAKREC.RVW   20070302

"Backup and Recovery", W. Curtis Preston, 2007, 0-596-10246-1,
U$49.99/C$64.99
%A   W. Curtis Preston www.backupcentral.com curtis@private
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2007
%G   0-596-10246-1 978-0-596-10246-3
%I   O'Reilly & Associates, Inc.
%O   U$49.99/C$64.99 800-998-9938 fax: 707-829-0104 info@private
%O  http://www.amazon.com/exec/obidos/ASIN/0596102461/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0596102461/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596102461/robsladesin03-20
%O   Audience a Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   729 p.
%T   "Backup and Recovery"

We tell people to make backups. Occasionally we might mention the difference
between full, differential, and incremental backups. If we are turning out
hotshot forensics specialists we might even go into the difference between
file image backups and disk image backups. But how often do we tell people
that operational databases (which is most of them) have open files, and
generally prevent you from backing up with the usual utilities?

Part one is an introduction. Chapter one is an overview of some quick aspects
about backups, but primarily is a suggestion to do it, and do it properly.
Basic types of backups, and the factors affecting backup procedures, are
outlined in chapter two. (The material will probably feel very familiar to
those who have worked in the business continuity field: not just because of
the importance of backups in recovery operations, but also because of the
analysis of the complex and interdependent linkages that can cause
disasters.)

Part two examines open source backup utilities. (Most of them are open
source: a few are just "free.") Chapter three reviews some of the utilities
for UNIX, Linux, Windows, and the Mac that can provide fundamental backup
capabilities, and which can also be used by other applications for more
sophisticated backup systems. Amanda (the Advanced Maryland Automated Network
Disk Archiver), an open source, cross-platform, client/server architecture
(Windows servers do not appear to be available, but clients are) backup
system that uses some of these underlying tools is described in chapter four.
Amanda has some very interesting security and scheduling provisions.
BackupPC, a network-based backup system for UNIX (client or server) and
Windows (client) is briefly described in chapter five. Chapter six explains
another distributed system, Bacula, in a rather haphazard manner. Rsnapshot,
which does near-continuous backup, is delineated in chapter seven.

Part three supposedly turns to commercial backup products. In fact, the
contents are simply a list of factors to be used when evaluating software
products (chapter eight) and various types of hardware (nine).

Bare-metal recovery (what you do to restore the system when you've lost the
whole thing, rather than just a few files) is described in part four. The
Solaris flash archive is intended for cloning of systems, but chapter ten
tells how to use it for recovery. Chapter eleven explains tools and
procedures for Linux, and a little tiny bit for Windows as well. Procedures
for HP-UX are in twelve, AIX in thirteen, and Mac OS X (which basically has a
version of BSD under the graphical user interface) is in fourteen.

Database systems have a) lots and lots of data, b) special backup
requirements, and c) a special importance to most companies, so this
application gets special attention in part five. General concepts are
discussed in chapter fifteen, with the particulars of backup and recovery for
Oracle, Sybase, DB2, SQL Server, Microsoft's Exchange (well, an email server
certainly *uses* a database ...), PostgreSQL, and MySQL in chapters sixteen
to twenty-two.

Part six covers miscellaneous topics. Actually, it is chapter twenty-three
that contains miscellaneous topics (starting out with how to back up VMWare
servers). Chapter twenty-four is a justification for the book (or, for having
a backup process, anyhow).

Preston's work is directed at inexpensive backup solutions for open systems,
so it is not surprising that UNIX utilities get the most space and the
greatest attention to detail. Windows is certainly not ignored, and the
author even bends his own rules to accommodate some helpful utilities in the
Windows realm, but there simply isn't a lot of material to work with.

Backups are important for everyone. This book is not for everyone. The text
will be very valuable for those who have large systems, or large numbers of
systems, with backup needs complicated by special situations.

Now go make a backup.

copyright Robert M. Slade, 2007   BKBAKREC.RVW   20070302
rslade@private  slade@private  rslade@private
http://victoria.tc.ca/techrev/rms.htm

------------------------------

Date: 2 Oct 2005 (LAST-MODIFIED)
From: RISKS-request@private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you. The mailman web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request@private
 containing only the one-word text subscribe or unsubscribe. You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe@private or risks-unsubscribe@private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address. Instructions
 are included in the confirmation message. Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall@private>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks@private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
 or ftp://ftp.sri.com/VL/risks for previous VoLume
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
 <http://www.csl.sri.com/illustrative.html> for browsing,
 <http://www.csl.sri.com/illustrative.pdf> or .ps for printing

------------------------------

End of RISKS-FORUM Digest 24.75
************************