RISKS-LIST: Risks-Forum Digest  Monday 20 August 2007  Volume 24 : Issue 80

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/24.80.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Vista prevents users from playing high-def content (Jon Brodkin via Monty Solomon)
Software bug took Skype out (Wolfgang Gruener via Mark J Bennison)
Hacking The iPhone, Andy Greenberg on Black Hat (via Monty Solomon)
Google mistakes own blog for spam, deletes it (Robert McMillan via Monty Solomon)
Concern Over Wider Spying Under New Law (Risen-Lichtblau via Monty Solomon)
Risks of trusting your fonts? (Boyd Adamson)
Credit card headaches from TJX breach remain (Monty Solomon)
Cost of data breach at TJX soars to $256m (Monty Solomon)
Re: LAX airport delay cause (Olivier MJ Crepin-Leblond, Huge)
Re: Source code at issue in drunk test (Steven M. Bellovin)
Re: Toll data nabs unfaithful spouses (David Lesher)
Re: U.S. legal time changing to UTC (David E. Ross, Randy Saunders, Rob Seaman)
Overreliance on voting technology? (Joseph Brennan)
Everyone is getting on the "secure voting" bandwagon (Ferdinand J. Reinke)
Search engines: too many users for personal assistance (Dan Jacobson)
Save your transaction numbers! (Andrew Koenig)
Wendy's: In the Clear (Gene Wirchenko)
Re: ... misuse of someone else's credit card (Adrian Cherry)
Engaging Privacy and Information Technology in a Digital Age (Jim Horning)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 11 Aug 2007 12:02:16 -0400
From: Monty Solomon <monty@private>
Subject: Vista prevents users from playing high-def content

Content protection features in Windows Vista are preventing customers from playing high-quality video and audio and harming system performance, even as Microsoft neglects security programs that could protect users, computer researcher Peter Gutmann argued at the USENIX Security Symposium in Boston [on 8 Aug 2007]. [Source: Content protection rules said to harm system performance, detract from security, Jon Brodkin, NetworkWorld.com, 9 Aug 2007]
http://www.networkworld.com/news/2007/080907-vista-high-def.html

------------------------------

Date: Mon, 20 Aug 2007 08:06:20 +0100
From: "Bennison, Mark J" <mark.m.bennison@private>
Subject: Software bug took Skype out

[Source: Wolfgang Gruener, *TGDaily* 20 Aug 2007]
http://www.tgdaily.com/content/view/33452/103/

Skype today provided a few more information pieces about the reasons behind its massive network outage last week. According to the company, the network outage was initially caused by a "massive restart of [its] user's computers across the globe within a very short timeframe as they rebooted after receiving a routine software update." That high number of reboots was followed by an equally high number of log-in requests, which resulted in what Skype calls a "chain reaction."

On the Skype blog, a company representative wrote that this event revealed a "previously unseen software bug within the network resource allocation algorithm" which prevented Skype's "self-healing function from working quickly. ...
Skype has now identified and already introduced a number of improvements to its software to ensure that our users will not be similarly affected in the unlikely possibility of this combination of events recurring." The company said that there were no malicious activities that impacted Skype.

[Also noted by Danny Burstein. PGN]

------------------------------

Date: Monday, August 06, 2007 1:44 PM
From: Monty Solomon [mailto:monty@private]
Subject: Hacking The iPhone, Andy Greenberg on Black Hat

The Black Hat Conference
Hacking The iPhone
Andy Greenberg, 08.04.07, 2:02 PM ET

Don't say you weren't warned, iPhone fans. Even when the prerelease fervor surrounding Mac's mobile messiah-phone was at its highest, security researchers were warning that it would be vulnerable to exploitations like data theft and hijacking.

Last Thursday, Charlie Miller proved them right. In a presentation at the Black Hat conference in Las Vegas, a gathering of cyber-security researchers, Miller detailed how he had hacked and hijacked the iPhone by exploiting a vulnerability in its Web browser.

For iPhone owners, the talk wasn't as foreboding as it might have been. Apple had released a patch for Miller's exploit just days before. But Miller, a researcher at Independent Security Evaluators, says Apple's patch was only possible because he had informed the company of the vulnerability weeks before he presented it to Black Hat's hacker audience. And, he says, it would only be a matter of time and effort to find an equally powerful backdoor into the phone.

Though there has yet to be any documented criminal hijacking of the iPhone outside of a lab, Miller says his research shows the relative ease of hacking smart phones, as well as Macs in general. He spoke with Forbes.com about the iPhone's vulnerabilities, Apple's short-lived patch and the company's undeserved reputation for building secure computers. ...
http://www.forbes.com/security/2007/08/04/iphone-apple-mac-tech-cx_ag_0804miller.html

------------------------------

Date: Sat, 11 Aug 2007 12:05:32 -0400
From: Monty Solomon <monty@private>
Subject: Google mistakes own blog for spam, deletes it (Robert McMillan)

Robert McMillan, IDG News Service, 08/08/07

Readers of Google's Custom Search Blog were handed a bit of a surprise Tuesday when the Web site was temporarily removed from the blogosphere and hijacked by someone unaffiliated with the company.

The problem? Google had mistakenly identified its own blog as a spammer's site and handed it over to another person. ...

http://www.networkworld.com/news/2007/080807-google-mistakes-own-blog-for.html

------------------------------

Date: Sat, 18 Aug 2007 22:11:14 -0400
From: Monty Solomon <monty@private>
Subject: Concern Over Wider Spying Under New Law

Broad new surveillance powers approved by Congress this month could allow the Bush administration to conduct spy operations that go well beyond wiretapping to include -- without court approval -- certain types of physical searches of American citizens and the collection of their business records. This offers a case study in how changing a few words in a complex piece of legislation has the potential to fundamentally alter the Foreign Intelligence Surveillance Act. [Source: James Risen and Eric Lichtblau, *The New York Times*, 19 Aug 2007; PGN-ed]
http://www.nytimes.com/2007/08/19/washington/19fisa.html?ex=1345176000&en=2e7a7948ff52f9fe&ei=5090

------------------------------

Date: Mon, 20 Aug 2007 12:03:39 +1000
From: Boyd Adamson <boyd-adamson@private>
Subject: Risks of trusting your fonts?

Jim Weirich, a prominent developer, noticed that on his machine numbers were coming out incorrectly:
http://onestepback.org/index.cgi/Tech/Mac/MyMacCantCount.red

It seems that a corrupted "font cache" was causing all the "7" glyphs in a single font (in all apps) to display as "9".

Jim was doing web development.
What would have happened if he were doing financial or life-critical systems work?

[It's a real glyph-hanger! PGN]

------------------------------

Date: Thu, 9 Aug 2007 09:01:04 -0400
From: Monty Solomon <monty@private>
Subject: Credit card headaches from TJX breach remain

Almost seven months after TJX Cos. revealed that at least 45.7 million credit and debit card numbers were compromised, some banks such as Citibank are still reissuing cards for customers whose information may have been exposed. ... [Source: Se Young Lee, *The Boston Globe*, 9 Aug 2007; PGN-ed]
http://www.boston.com/business/personalfinance/articles/2007/08/09/credit_card_headaches_from_tjx_breach_remain/

------------------------------

Date: Fri, 17 Aug 2007 22:50:17 -0400
From: Monty Solomon <monty@private>
Subject: Cost of data breach at TJX soars to $256m

The figure is more than 10 times the roughly $25 million TJX estimated just three months ago, though at the time it cautioned it didn't know the full extent of its exposure from the breach. The costs include fixing the company's computer system and dealing with lawsuits, investigations, and other claims stemming from the breach, which lasted more than a year before the company discovered the problem in December 2006. [Source: Ross Kerber, *The Boston Globe*, 15 Aug 2007; PGN-ed]
http://www.boston.com/business/globe/articles/2007/08/15/cost_of_data_breach_at_tjx_soars_to_256m/

------------------------------

Date: Thu, 16 Aug 2007 21:58:57 +0200
From: Olivier MJ Crépin-Leblond <ocl@private>
Subject: Re: LAX airport delay cause

This is a classic NIC fault. Without being in the know about LAX's specific failure, I suspect that all terminals are connected to large switches which simply act as relays to the backbone.
On numerous occasions have I found NICs failing simply by either repeating any received packets, thus flooding the network, or worse still, not recognising potential collisions and therefore transmitting whilst other computers are transmitting at the same time. This results in a collision on each attempt. I've seen 100Mbit/s networks grind to a halt (0.1Mbit/s).

As opposed to expensive backbone telecom equipment, computer NICs are often cheap and nasty $5 electronics.

The solution? Don't put all your eggs in one basket. Don't put all your computers on one sub-network.

Olivier Crepin-Leblond, PhD / Global Information Highway Ltd

------------------------------

Date: Fri, 17 Aug 2007 15:07:07 +0100
From: Huge <huge@private>
Subject: Re: LAX airport delay cause (Magda, RISKS-24.79)

What's happening at my place of employ is that the business are starting to query why we have duplicate systems "sat around doing nothing", so they start running production work on the DR kit. Then, when one site fails, the other can no longer cope with the workload.

------------------------------

Date: Thu, 16 Aug 2007 21:10:02 -0400
From: "Steven M. Bellovin" <smb@private>
Subject: Re: Source code at issue in drunk test (RISKS 24.79)

The Minnesota case relies on a rather narrow foundation: the RFP to which CMI responded gave title to at least some of the code to the state, and required CMI's co-operation with defense attorney requests. In other words, the Minnesota Supreme Court's ruling is not based on a recognition of a fundamental right as opposed to the factual basis of this particular case. I wonder, in fact, if the prosecutors could secure a court order for the code under contract law, and enforce it with large civil damages.
More details on this in my blog entry on the case:
http://www.cs.columbia.edu/~smb/blog/2007-08/2007-08-10.html

------------------------------

Date: Thu, 16 Aug 2007 15:21:54 -0400 (EDT)
From: "David Lesher" <wb8foz@private>
Subject: Re: Toll data nabs unfaithful spouses (RISKS-24.79)

> Seven of the 12 E-ZPass states in the U.S. Northeast and Midwest provide
> toll records to court orders in criminal and civil cases. Four of those
> states (including NJ and PA) allow release only in criminal cases.

A) Do they require a court order? [Or just a request?]

B) How do those states that do block civil demands accomplish same? [i.e. Do they have tested support in state law?]

C) What does this portend for other tracking records: NYC's new access charge scheme, DC Metro {and others, inc NYC..} permanent fare cards, video recordings, and cell phone tracking records? Does the alleged protection mentioned extend to them?

The obvious Risk: Mission Creep abounds. Will folks be required to archive all data just in case... How will the demand alter system design? Staffing?

------------------------------

Date: Thu, 16 Aug 2007 13:58:53 -0700
From: "David E. Ross" <david@private>
Subject: Re: U.S. legal time changing to UTC

The elimination of leap-seconds is being promoted by those who are too lazy or too incompetent to code time conversions correctly. This situation arose because the long-term slowing of the earth's rotation (which creates the need for leap-seconds) failed to occur for several years, eliminating the need for leap-seconds for 7 years. Previously, a leap-second had been required every year or two.

From 1 January 1961 until 1 January 1972, UTC seconds varied in length relative to TAI seconds, leap-seconds were fractions of a second, and UTC clocks thus did not tick on the same instant as TAI clocks. I was a software test engineer on a project that handled this correctly.
UTC was redefined starting 1 January 1972 to have a second exactly the same as the TAI second, to have leap-seconds exactly whole seconds, and thus UTC clocks thereafter indeed did tick on the exact same instant as TAI clocks. The old software did not need revision; it still handled this correctly.

This was for a large software system for the command and control of military space satellites. Internal time was kept in TAI minutes from some base time because the mathematics required all minutes to be uniform in duration. External time, however, was reported in UTC (day, month, year, hour, minute, and seconds -- to the nearest millisecond). UTC was also used as an intermediate step to getting actual solar time (not mean solar time) for determining the orientation of the surface of the earth relative to a fixed coordinate system based on the stars.

When the software system was replaced in the mid-1980s, the developer (who had not worked on the previous system) did not really understand the difference between UTC and TAI. I repeatedly -- and unsuccessfully -- warned both the developer and the US Air Force (the customer) that there would be problems for not doing time conversions correctly. In the end, the Air Force was required to suspend mission operations a minute before a leap-second and resume operations a minute after. This suspension was considered to be a cost-effective response to the lack of proper design because correcting the design would impact both software and hardware with a cost of several millions of dollars (partially a consequence of poor modularization of the software). A capability that existed in 1970 no longer existed in 1992.

A historical tabulation of leap-seconds:
http://hpiers.obspm.fr/eoppc/bul/bulc/UTC-TAI.history

A history of the proposal to eliminate leap-seconds oriented against the proposal:
http://www.ucolick.org/~sla/leapsecs/nc1985wp7a.html

David E. Ross <http://www.rossde.com/>

------------------------------

Date: Thu, 16 Aug 2007 15:26:57 -0400
From: Randy Saunders <R.Saunders@private>
Subject: Re: U.S. legal time changing to UTC (Seaman, RISKS-24.79)

We need to check our math here. We're adding leap-seconds at a rate of less than one second per year. With 86400 seconds in a day, turning day to night takes more than 43,200 years. That's not a few to me, that's five times recorded human history.

Perhaps the time community will decide to add a leap-minute every 100 years or so. That's the sort of Y2K planning even Congress should be able to manage, and it only impacts folks who need to be within a minute of solar time. It would become the sort of once-in-a-lifetime event that century changes have been in the past. For a minute, about the time it took to read this "sky is falling" post.

Randy Saunders, JHU Applied Physics Lab +1.240.228.3861 R.Saunders@private

------------------------------

Date: Thu, 16 Aug 2007 13:46:48 -0700
From: Rob Seaman <seaman@private>
Subject: Re: U.S. legal time changing to UTC (Saunders, RISKS-24.80)

"Day into night" was poetic license to grab people's attention - apparently it worked. Your calculation assumes a linear effect. The first leap hour is estimated to occur in about 600 years. They accelerate quadratically after that - remember, we have leap seconds due to the tidal slowing that has already occurred. Future slowing will make leap seconds occur more frequently. There have been the equivalent of about 4 leap hours since Aristotle's time:
http://www.ucolick.org/~sla/leapsecs/ancient.png

As I said, the expected cost to the astronomical community is large. One independent estimate was $3M to remediate a single midsize telescope. The cost to other communities, as with Y2K, is unknown until an inventory is performed. This legislation guarantees, however, that researchers, government, and industry need to pay attention to UTC - now the law of the land.
For instance, the impact of climate on our economy is ever more critically appreciated. Weather and tides, ocean currents and glaciers all respond to diurnal effects. The question isn't whether a static offset of a minute matters - the question is whether a residual secular slope of that magnitude matters. For many purposes, no. But is it prudent to assume that no risks possibly pertain?

We're all the "time community", of course. Interested parties will find detailed, often entertaining, and sometimes repetitive discussion of these issues on the LEAPSECS mailing list:
http://six.pairlist.net/mailman/listinfo/leapsecs

Rob Seaman, National Optical Astronomy Observatory

------------------------------

Date: Thu, 16 Aug 2007 21:46:56 -0400
From: Joseph Brennan <brennan@private>
Subject: Overreliance on voting technology?

Imagine paper ballots, with a separate slip for each office that is up for election. Voters coming into the polling place would be handed a set of slips. They could be color coded, but also marked by number. The voters would first check that they have a complete set of slips.

The voters would then mark their choice of candidates on each slip, or write in any name wanted. They would put the slips into boxes for each color/number. (If a slip happens to go into the wrong box, that can be easily sorted out later by the poll counters.)

At the close of voting hours, poll counters would take each box in turn and sort the slips into piles for each candidate. In many cases the winner will be immediately apparent when one pile is obviously larger than the others. But of course exact counts would be made and reported. Poll watchers would watch the counting to be sure no one removes or adds slips.

After counting, the slips would be put into boxes and sealed. If a recount is called for later, the slips can simply be recounted.

Would an electronic system offer less opportunity for fraud, or more reliable detection of fraud?
Would an electronic system be cheaper to implement? If no, why do we want electronic systems?

[This is of course a very old idea (used in many places more or less as proposed), but it keeps looking better and better when observing the mad feeding frenzy for all-electronic machines that have rushed in where even fools might fear to tread. PGN]

------------------------------

Date: Thu, 16 Aug 2007 17:00:20 -0400
From: "r @ reinke" <reinke@private>
Subject: Everyone is getting on the "secure voting" bandwagon

Go low tech on the counting side of the equation. By manually counting paper ballots, integrity and trust is restored. The time savings and convenience don't outweigh the costs when you factor in the distrust a closed, unverifiable system creates. For almost 200 years, most elections in the U.S. were handled this way. No, this doesn't alleviate fraud. It does potentially save billions of dollars to the taxpayer by eliminating unnecessary technology purchases while restoring accountability in the electoral system. Without accountability and transparency in our electoral system, technology additions do not provide any value no matter how persuasive are their advocates.
http://www.lewrockwell.com/fisk/fisk9.html

Even the political philosophy types understand that there's no confidence in any technology-based solution. So why should us technology types keep pounding our collective heads against the walls? Maybe the low tech solutions are really "the best" since they can be verified by the great unwashed ...

... and I include myself in that. Since the "kamikaze 1000", Dye boldly, or whatever isn't "my" platform of expertise, then I too am part of the great unwashed that doesn't understand its particular version of "voo doo".

Sometimes one can be too smart for one's own good.

There's no doubt that smart people can figure out a technological solution.
And, there is equally also no doubt that the people, who seek to rule over others, are just as smart and cunning as well. Humans can always find a hole that they can exploit. The old programming canard is so true, "you never find the last bug".

At least, the manual "one - two - three" doesn't require detailed examination. Just a counter and two or three watchers.

Ferdinand J. Reinke, Kendall Park, NJ 08824
http://www.reinke.cc/
blog => http://www.reinkefaceslife.com/

------------------------------

Date: Mon, 13 Aug 2007 00:31:08 +0800
From: jidanni@private
Subject: Search engines: too many users for personal assistance

> attempting to contact search engine personnel

Why aren't search engine companies responsive to little old you and me? Simple. Take why I dare not get hooked on their "gmail" product: How can one expect personal assistance when there are just too many users for the company to provide personal assistance to?

------------------------------

Date: Sat, 11 Aug 2007 10:37:25 -0400
From: "Andrew Koenig" <ark@private>
Subject: Save your transaction numbers!

Between us, my wife and I have four credit cards, which you might think of as "hers," "mine," "ours," and "business expenses." All four of those cards are with Citibank, three in the guise of AT&T Universal Cards, and the fourth directly.

The fourth card has significantly different properties from the other three, despite being with the same bank. For one thing, it gives rebates on various kinds of purchases, which can be spent (only) on buying or maintaining an automobile. For another, the due date for payments is a week before the statement date; on the other three cards, the two dates are the same.

Every month, a few days after statements become available, I go online and schedule electronic payments for all four cards.
Although I am nervous about the possibility that a payment might wind up being credited for much more than I had requested, that is a possibility with paper checks also, and now that we don't get original checks back anyway, all such transactions come down to "he said, they said" anyway.

So...In the middle of last month, I scheduled payments for three credit cards (the fourth had a zero balance). A few days ago, I went back to check that the payments were in the queue as requested. To my surprise,

(1) One of them had vanished, and

(2) Even though the next statements had not yet been prepared, it was already past the due date.

I immediately scheduled another payment, which went through that day. Nevertheless, when the next statement came out, it included both a $39 late fee and finance charges for all outstanding charges--even those that were too recent to appear on the statement.

I was able to get them to reverse those charges, based on their observation that I had paid the other cards at the same time.

I still don't know what happened to this payment. Did I really forget one of the cards? Did I enter the transaction only to have it go awry somehow? I doubt I will ever know. But I do know that this would not have happened if, after seeing the final confirmation screen, I had simply saved the date and confirmation number. Yes, it is always possible for them to deny that the confirmation number exists, just as it is possible to deny that a canceled check exists. But it is much harder to do so, especially if they do not offer any alternative means of proof.

------------------------------

Date: Wed, 08 Aug 2007 16:10:09 -0700
From: Gene Wirchenko <genew@private>
Subject: Wendy's: In the Clear

Here is the text from a confirmation E-mail that I got from Wendy's Restaurant:

You are receiving this email because you (or someone pretending to be you) has entered the WENDY'S KICK FOR A MILLION CONTEST. If you did not enter this contest, please ignore this email.
This email confirms we have received your WENDY'S KICK FOR A MILLION CONTEST entry information.

For your records, here is the password you used to register: XXXXXXXXX

[I changed the password in paragraph three. (sigh)]

------------------------------

Date: Thu, 9 Aug 2007 13:56:34 +0100
From: "Adrian Cherry (UK)" <Adrian.Cherry@private>
Subject: Re: ... misuse of someone else's credit card (Robinson, RISKS-24.78)

> I use Netscape version 7.2 "Mozilla/5.0 (Windows; U; Windows NT 5.1;
> en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)" on a Windows XP machine
> with Service Pack 2 for browsing because I do not trust Internet Explorer
> and its security holes.

You could actually claim that Internet Explorer 7.x (IE7) is better than Netscape 7.x (N7) for security. Like anything with statistics it is possible to interpret the numbers several ways. For checking browser security I would recommend http://secunia.com/

So N7 has 31 security issues against 15 with IE7. So N7 actually has more security holes than IE7 however on the bright side they are better at patching the security holes than Microsoft, N7 only has 4 outstanding security issues against IE7 with 9 still to fix, one of which is considered highly critical.

In fact if you want the most secure browsing then the latest version of Opera, www.opera.com is my recommendation, all 8 security issues have been patched by the vendor. From the website "There are no unpatched Secunia advisories affecting this product".
IE7     : http://secunia.com/product/12366  Unpatched 60% (9 of 15 Secunia advisories)
N7      : http://secunia.com/product/85     Unpatched 13% (4 of 31 Secunia advisories)
Opera 9 : http://secunia.com/product/10615  Unpatched 0% (0 of 8 Secunia advisories)

------------------------------

Date: Mon, 20 Aug 2007 12:57:13 -0700
From: "Horning, Jim" <Jim.Horning@private>
Subject: Engaging Privacy and Information Technology in a Digital Age (Re: Horning, RISKS-24.68)

The abstract of the report titled in the above Subject line was included in RISKS-24.68, http://catless.ncl.ac.uk/Risks/24.68.html#subj15. This report is now available from the National Academies Press, in hardcover or pdf download:
http://books.nap.edu/catalog.php?record_id=11896

[This report was in the works for about five years. Jim's blog entry on it is online:
http://horning.blogspot.com/2007/08/privacy-is-not-simple.html
PGN]

------------------------------

Date: 2 Oct 2005 (LAST-MODIFIED)
From: RISKS-request@private
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman web interface can be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request@private containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe@private or risks-unsubscribe@private depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message.
 Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall@private>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!
=> SUBMISSIONS: to risks@private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
   <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
   http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
   <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing

------------------------------

End of RISKS-FORUM Digest 24.80
************************