[RISKS] Risks Digest 24.86

From: RISKS List Owner (risko@private)
Date: Wed Oct 17 2007 - 12:22:03 PDT

RISKS-LIST: Risks-Forum Digest  Wednesday 17 October 2007  Volume 24 : Issue 86

Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can be found at

Lessons from June International Space Station crisis (James Oberg via
  Pat Flannery)
Tokyo Train System Ticketing System Failure (Stuart Woodward)
Dutch railway offers too-easy access to customer profiles (Leon Kuunders)
Austin-area toll equipment double-billed 50,000 times (Arthur Flatau)
Car Remote Control Cipher KeeLoq Is Broken (Steve Klein)
License plate scanners in police cars (Rob McCool)
Changed dates of NZ Daylight Saving; unsurprising consequences
  (Donald Mackie)
Medical error: Double mastectomy after 2nd opinion (Ken Knowlton)
Bypassing Internet censorship (Mike Radow)
Risks of writing a novel with your cell phone (PGN)
Re: Another case of Deploy First, Test Later (Henry Baker)
Re: Fake blogs (Dan Yurman)
What do you do with unwanted voting machines? (David Lesher)
Election Law online video lectures (Avi Rubin)
Symposium on Usable Privacy and Security 2007 CFP (Simson Garfinkel)
REVIEW: "The Complete April Fools' Day RFCs", Limoncelli/Salus (Rob Slade)
Abridged info on RISKS (comp.risks)


Date: Tue, 16 Oct 2007 12:51:30 -0500
From: Pat Flannery <flanner@private>
Subject: Lessons from June International Space Station crisis (James Oberg)

[Source: James Oberg, Space Station: Internal NASA Reports Explain Origins
of June Computer Crisis; Faulty computer design and corrosion of leads on
the ISS.  This is a useful article on lessons that need to be learned, even
though the crisis was resolved.  Read the article.  PGN]


Date: Sun, 14 Oct 2007 22:10:38 +0900
From: "Stuart Woodward" <stuart@private>
Subject: Tokyo Train System Ticketing System Failure

I wondered why the station staff were directing the commuters through
the gates without showing their tickets or passes on Friday. The
reason is given here:

All of the automated gates were down due to programming fault in the system
that reads the RFID cards commonly used by commuters.

If the guard wanted to see my train pass I would have had to open up the
Java applet on my phone which handles the renewal of the pass.  It's
possible that it would also have failed due to the ongoing problem.  Also if
the phone's battery is dead there is no way to see details about the
commuter pass, so the only sensible thing to do was to let everyone ride for
free that morning.


stuart@private jp mobile: 090-6166-7976 phone: jp 050-5534-5450
http://www.stuartwoodward.com/map  IM: stuartcw on skype, yahoo, googletalk

  [Stuart seems to support the MAX of five sentences for all e-mail:
  It would certainly not work for RISKS, even if we resorted to James
  Joycean sentences.  But it would certainly be a relief otherwise.  PGN]


Date: Thu, 04 Oct 2007 09:29:40 +0200
From: Leon Kuunders <leon@private>
Subject: Dutch railway offers too-easy access to customer profiles

In order to keep customer satisfaction at the highest level possible, the
Nederlandse Spoorwegen (dutch railway) have enabled several online profiling
features for their subscription holders. Through this website customers can
change their full personal details, look at their (payment) history, change
bank account numbers, order new products, or ask for a refund.

The registration process for this website uses a failed authentication
scheme.  The "register me as a new customer" process works as "I have lost
my password".  For registration the only thing the customer has to do is
enter it's customer number, name and e-mail address, after which a
confirmation e-mail will be sent to the address given.

But there is no check if there has been a previous registration, and if so,
if the e-mail addresses are the same. To make matters worse the customer
number and name are clearly visible printed on letters, magazines and cards
that the company sends to it's customers. Thousands of people every year
lose their card, and with it the full credentials to their personal profile.

In a reaction the dutch railway representative said they thought it was "a
good service to their customers" and "we have no reports of any incidents."
How this service relates to the strict dutch privacy laws the representative
couldn't tell.  In the meantime the registration process is offline and
changed, so more details, like birthdate, are asked before access to a
profile is granted.

Noothoven van Goorstraat 14, 2806 RA, GOUDA  http://leon.kuunders.info
W: +31 641 164 995  P: +31 620 624 702


Date: Thu, 11 Oct 2007 09:44:41 -0500
From: Arthur Flatau <flataua@private>
Subject: Austin-area toll equipment double-billed 50,000 times

An article in the 9 Oct 2007 issue of the *Austin American Statesman*
reports on drivers getting double billed on the relatively new toll roads in
the Austin area.  (I believe none have been in use for more then a year.)

  "The problem has occurred one of every 600 times a car passed one of the
  roads' tolling points.  Agency officials say that they have made a number
  of equipment and software changes in the past few weeks to virtually
  eliminate the problem -- the frequency would now be more like one in every
  2,000 toll transactions ..."

I was going to insert a funny comment about virtually eliminating the
problem, but I can not come up with one that is funnier then the original
wording above.

The problem has to do with the "antennae on the overhead gantries" picking
up the toll tag more then once as it pass through.  I do not understand how
this would be hard to fix in software.  If the same toll tag is picked up
more then once in a span of say 30-60 seconds, this be labeled as an error
of some kind (as it would be impossible to drive through in that span of


Date: Mon, 15 Oct 2007 08:55:27 -0400
From: Steve Klein <steveklein@private>
Subject: Car Remote Control Cipher KeeLoq Is Broken

(This press release is brief and direct, so rather than summarize
I'll quote it in full. -- SK)

KeeLoq is a cipher used in several car anti-theft mechanisms distributed by
Microchip Technology Inc. It may protect your car if you own a Chrysler,
Daewoo, Fiat, General Motors, Honda, Toyota, Volvo, Volkswagen, or
Jaguar. The cipher is included in the remote control device that opens and
locks your car and that activates the anti-theft mechanism.

Each device has a unique key that takes 18 billion billion values.  With 100
computers, it would take several decades to find such a key.  Therefore
Keeloq was widely believed to be secure. In our research we have found a
method to identify the key in less than a day. The attack requires access
for about 1 hour to the remove control device (for example, while it is
stored in your pocket). Once we have found the key, we can disactivate [sic]
the alarm and drive away with your car.  The attack has been extensively
tested using software simulations.

This research is the joint work between 3 research groups: the computer
science department of the Technion, Israel, the research group COSIC of the
Katholieke Universiteit Leuven (Belgium) and the Hebrew University, Israel.


Date: Sat, 13 Oct 2007 16:38:36 -0700 (PDT)
From: Rob McCool <robm@private>
Subject: License plate scanners in police cars


The *San Francisco Chronicle* just published an article about license plate
scanners in police cars and traffic enforcement vehicles, systems which can
scan "50 plates a second" and "do make mistakes". The system was used to
apprehend an attempted child abduction suspect, and is used for a variety of
parking enforcement measures related to increasing revenue.

The enthusiasm for the systems in this article is tangible, and it contains
a modicum of privacy-related concerns. There is a small discussion of the
risks of thieves and others changing their behavior given that they know
this system is in use, and claims that police officers tried to keep it
secret for that reason. The opportunities for privacy violations as well as
harassment are pretty easy to imagine, as are the unexpected side effects
that its error rate may cause.

The article briefly mentions that such systems are common in London and in
casinos, with little discussion of any problems that may have come up.


Date: Fri, 5 Oct 2007 21:42:37 +1200
From: Donald Mackie <donald@private>
Subject: Changed dates of NZ Daylight Saving; unsurprising consequences

Earlier this year the New Zealand government decided to extend the
period of daylight saving by three weeks.


This involved bringing the spring clock change forward by a week.  There was
some concern in the IT community prior to the change about the ability of
systems to respond to the change.


The clocks changed last Sunday. Unsurprisingly the fixes have been
incomplete - though not entirely devastating. My own organisation uses
Outlook and many of us have synchronised calendars on a mix of iMates,
Blackberries and other phones (ie at least three downstream OSs).

Most appointments on desktops were, thanks to the work Microsoft did,
correct after the clock change.  I only had one which was an hour out - the
person who set this up has been on leave for a few weeks and I suspect their
desktop hasn't been turned on in that time - thus not getting any fixing

The portable device calendars have been a different matter with most (but
irritatingly not all) appointments at the wrong time. Efforts to fix the
issue on individual portables seemed to add to the confusion.  Events
entered by the individual behaved differently to those made by someone
else. The low point was a meeting yesterday that attendees came to at 1300,
1400 & 1500.

It is hoped that things will come back to normal next week, the clock change
would previously have happened next Sunday, the 1st Sunday in October. We'll

Don Mackie, Auckland, New Zealand


Date: Thu, 4 Oct 2007 09:56:06 EDT
From: KCKnowlton@private
Subject: Medical error: Double mastectomy after 2nd opinion

A woman has had a double mastectomy, after seeking a second opinion
confirming that she had cancer.  She didn't -- the second diagnosing doctor
relied on the same mislabeled tissue sample. (For readers of RISKS, there
must be a subtle lesson or two in this.)



Date: Mon, 15 Oct 2007 14:46:42 -0700 (PDT)
From: Mike Radow <mikeradow@private>
Subject: Bypassing Internet censorship

There is an implied *social risk* when technology is used to *block* access
to the full range of Internet resources, i.e., ''censorship''.

Ron Deibert is a Professor of Political Science and Director of the Citizen
Lab at the University of Toronto.  He just published a paper on ''By-Passing
Internet Censorship''...: Everyone's Guide to By-Passing Internet Censorship
for Citizens Worldwide
   His BIO::  http://deibert.citizenlab.org/blog/Info

Some of techniques described in the text (or in the included URLs) were new
to me.  It is likely that many RISKS readers will find this paper
interesting and informative, too.


Date: Fri, 5 Oct 2007 5:25:54 PDT
From: "Peter G. Neumann" <neumann@private>
Subject: Risks of writing a novel with your cell phone


When Satomi Nakamura uses her cellphone, she has to be extra careful to take
frequent breaks. That's because she isn't just chatting. The 22-year-old
homemaker has recently finished writing a 200-page novel titled "To Love You
Again" entirely on her tiny cellphone screen, using her right thumb to tap
the keys and her pinkie to hold the phone steady. She got so carried away
last month that she broke a blood vessel on her right little finger. ...
[Source: Yukari Iwatani Kane, Ring! Ring! Ring!  In Japan, Novelists Find a
New Medium; Budding Scribes Peck Their Tales on Cellphones; Ms. Nakamura's
Hurt Pinkie, *Wall Street Journal*, 26 Sep 2007; thanks to Charles C. Mann]


Date: Tue, 16 Oct 2007 12:15:12 -0700
From: Henry Baker <hbaker1@private>
Subject: Re: Another case of Deploy First, Test Later (Re: Huge, RISKS-24.85)

"A foolish consistency is the hobgoblin of little minds."  Ralph Waldo Emerson

Whether intended or not, one consequence of the widespread implementation of
IEEE-754 floating point arithmetic is that almost every computer now gets
_exactly_ the same answer, down to the last little bit.  This "answer" may
be far from the "correct" answer, but at least all of the computers will be
consistent.  In the "old" (pre-754) days, running the same Fortran program
on several different computers could uncover potential sources of error.  No

(This generic phenomenon of foolish consistency even has a technical name:
"informational cascade" -- if everyone agrees, then everyone must be
correct.  See http://en.wikipedia.org/wiki/Informational_cascade )

I realize that using multiple types of arithmetic to uncover bugs in
floating point code may not be particularly efficient, but it sometimes
works.  IEEE-754 also provided for rounding modes that would allow for
"range" arithmetic in order to achieve the same ends with much greater
efficiency.  Unfortunately, no one seems to implement or utilize those
rounding modes anymore.


Date: Mon, 15 Oct 2007 12:33:18 -0600
From: "Dan Yurman" <djysrv@private>
Subject: Re: Fake blogs (Evron, RISKS-24.83)

The problem of fake blogs is significant for me in two ways.  I operate a
blog on nuclear energy and nonproliferation topics.  First, my content is
being ripped off without attribution to attract ad clicks on other web sites
and fake blogs.  Aggregators of all kinds are taking blog content and using
it to generate their own ad revenue.  Good luck on that because in the past
year I haven't made so much as lunch money from the ads on my blog served up
by Google.

Second, and the more relevant issue for this list, is my content is being
used on fake web sites to drive clicks on links in search engine results
sending unsuspecting users to fake blogs and via redirect to websites with
NSFW content and malware.  The fake blogs often have redirects embedded in
them so that the fake blogspot site is never really seen. The user is taken
directly to the malicious website.

More than two-thirds of my blog visitors per month come in via unique search
terms for one-time retrieval of archived material. People who search on the
topics covered by my blog usually have industry or government expertise and
know what they are looking for.  It is pretty hard to confuse a search for a
pop tart singer with one for spent nuclear fuel.

I've seen that visitors don't get to my blog on the first try.  It annoys
them that a serious, work-related search has been diverted into a fake blog
or website. There are additional problems for users who's employers have
zero tolerance for hitting URLs with NSFW content.

This phenomenon is due to the fact that fake blog sites contain the same
search terms as mine because they copied the original.  Search engines
deliver their results indiscriminately and do not always help users separate
the fake blogs from the real ones.

For instance, a recent post on an planned environmental review by the
Nuclear Regulatory Commission on uranium mining in Wyoming was picked up by
another legitimate blog.  My post and theirs both appeared subsequently in
bogus blogs with redirects to NSFW content.  I am not posting the fake blog
URL here because it is unsafe.

I have a niche subject blog which isn't a big site, but with traffic
approaching 5,000 visitors a month this is getting to be a problem.

I've assembled a few tips to avoid trouble, which may be obvious to readers,
but here they are anyway.  Fake blogs often have numbers in the web site
name preceding 'blogspot.com.  Also, fake blogs tend to show up further down
in the search results, due in part to a smaller number of links to them, but
not always.  Another way around is to search blogs on Technorati and check
the "authority" of a blog containing content of interest.  The more links
from other blogs with similar topics, the more likely it is legitimate, but
that could change.  Some search engines include a snippet from the content,
and if the words are gibberish, that's a dead giveaway.  Finally, search on
the blog name itself and see how it shows up in search engine results and
what kind of content is in the snippets.

I have no way as an individual to stop the current problem.  I'm certainly
open to ideas for constructive group action.  Also, please feel free to
share with me authentication measures you use before clicking on a blog link
in a set of search results. If there are enough of them that are useful,
I'll assemble a blog post on it based on your contributions, with or without
attribution as you wish, and post a link to it in a future message to this

Dan Yurman  djysrv@private, http://djysrv.blogspot.com 1-208-521-5726


Date: Sat, 13 Oct 2007 14:16:27 -0400 (EDT)
From: David Lesher <wb8foz@private>
Subject: What do you do with unwanted voting machines?

It used to be that everyone wanted a Florida voting machine.  {...}  But now
that Florida is purging its precincts of 25,000 touch-screen voting machines
bought after the recount for up to $5,000 each, hailed as the way of the
future but deemed failures after five or six years, no one is biting.  {...}
[Source: Abby Goodnough, Voting Machines Giving Florida New Headache, *The
New York Times*, 13 Oct 2007]

Pre-RISKS-able story [i.e: one any regular RISK reader could see was coming
from $10E6 away...]:

Florida is now stuck with $millions of worthless DRE voting machines.  Like
too many used car and overpriced condo owners; they still owe money on them.

The risks are old ones:

1. If you throw enough money at a bad problem; you can make it a REALLY bad
   problem...that will need more money.

2. Legislators alas, never learned "primum non nocere" as MD's do.

3. Spending money first, then studying the problem & spec'ing the solution
   later; is almost always a bad idea. While the failures are more
   spectacular in building bridges than buying computing appliances; the
   results are often similar.


Date: Thu, 11 Oct 2007 14:22:40 -0400
From: Avi Rubin <rubin@private>
Subject: Election Law online video lectures

The Election Law Program, a joint venture of the College of William and Mary
School of Law and the National Center for State Courts has put some course
material in the form of online video lectures on election issues online:

Here is a listing of the lectures available from their web site.  The last 3
are lectures that I gave there.

Segment 1: Why Election Law Cases Are Different
Professor Richard Hasen

Segment 2: Pre-Election Issues: An Overview
Professor Richard Hasen

Procedural Concerns Related to Pre-Election Litigation
Professor Richard Hasen

Substantive Concerns Related to Pre-Election Litigation
Professor Richard Hasen

Segment 3: Election Day issues
Professor Ned Foley

Segment 4: Post-Election Issues
Professor Ned Foley

Segment 5: Electronic Voting: Global Election Systems
Professor Aviel Rubin

Why Electronic Voting is Different
Professor Aviel Rubin

Electronic Voting Technologies: Strengths and Weaknesses
Professor Aviel Rubin

Avi Rubin, JOHNS HOPKINS UNIVERSITY, Computer Science; Technical Director,
Information Security Institute 410-516-8177 http://www.cs.jhu.edu/~rubin/


Date: Sat, 13 Oct 2007 22:27:09 -0700
From: Simson Garfinkel <simsong@private>
Subject: Symposium on Usable Privacy and Security 2007 CFP

CALL FOR PAPERS -- SOUPS 2008 [Pruned for RISKS.  PGN]
Symposium On Usable Privacy and Security
July 23-25, 2008
Carnegie Mellon University, Pittsburgh, PA USA

The 2008 Symposium on Usable Privacy and Security (SOUPS) will bring
together an interdisciplinary group of researchers and practitioners in
human computer interaction, security, and privacy. The program will feature
technical papers, a poster session, panels and invited talks, discussion
sessions, and in-depth sessions (workshops and tutorials). Detailed
information about technical paper submissions appears below. For information
about other submissions please see the SOUPS web site


We invite authors to submit original papers describing research or
experience in all areas of usable privacy and security. Topics include, but
are not limited to:

 * innovative security or privacy functionality and design,
 * new applications of existing models or technology,
 * field studies of security or privacy technology,
 * usability evaluations of security or privacy features or security
   testing of usability features, and
 * lessons learned from deploying and using usable privacy and
   security features.

Papers need to describe the purpose and goals of the work completed to date,
cite related work, show how the work effectively integrates usability and
security or privacy, and clearly indicate the innovative aspects of the work
or lessons learned as well as the contribution of the work to the
field. Submitted papers must not substantially overlap papers that have been
published or that are simultaneously submitted to a journal or a conference
with proceedings. Accepted papers will appear in the ACM Digital Library as
part of the ACM International Conference Proceedings Series. The technical
papers committee will select an accepted paper to receive the SOUPS 2008
best paper award.

Papers may be up to 12 pages in length including bibliography, appendices,
and figures, using the SOUPS proceedings template on the SOUPS web site. All
submissions must be in PDF format and should not be blinded. In addition,
you must cut and paste an abstract of no more than 300 words onto the
submission form.

Submit your paper using the electronic submissions page for the SOUPS 2008
conference (http://cups.cs.cmu.edu/soups/2008/submit.html). A successful
submission will display a web page confirming it, and a confirmation email
is sent to the corresponding author. Please make sure you receive that
confirmation email when you submit, and follow the directions in that email
if you require any follow up.

Technical paper submissions will close at midnight, US East Coast time, the
evening of Friday, 29 Feb 2007.

General Chair: Lorrie Cranor, Carnegie Mellon University

Interactive and In-Depth Session Chairs:
Andrew Patrick, National Research Council Canada
Konstantin Beznosov, University of British Columbia

Posters Co-Chairs: Rob Miller, MIT and
Jaime Montemayor, The Johns Hopkins University Applied Physics Laboratory

Technical Papers Co-chairs: Jason Hong, Carnegie Mellon University and
Simson L. Garfinkel, Naval Postgraduate School


Date: Mon, 15 Oct 2007 12:38:37 -0800
From: Rob Slade <rMslade@private>
Subject: REVIEW: "The Complete April Fools' Day RFCs", Limoncelli/Salus

BKAFDRFC.RVW   20070814

"The Complete April Fools' Day RFCs", Thomas A. Limoncelli/Peter H.
Salus, 2007, 978-1-57398-042-5
%A   Thomas A. Limoncelli funnybook@rfc-humor.com
%A   Peter H. Salus http://www.rfc-humor.com peter@private
%C   P.O. Box 640218, San Jose, CA 95164-0218
%D   2007
%G   978-1-57398-042-5
%I   Peer-to-Peer Communications, Inc.
%O   U$19.95 800-420-2677 fax: 408-435-0895 info@peer-to-peer.com
%O  http://www.amazon.com/exec/obidos/ASIN/1573980420/robsladesinterne
%O   http://www.amazon.ca/exec/obidos/ASIN/1573980420/robsladesin03-20
%O   Audience a+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   390 p.
%T   "The Complete April Fools' Day RFCs"

For those in the know, the designation "RFC" is a bit of a joke in itself.
As a "Request For Comment," there is an implication of a proposal, as
opposed to a standard.  In fact, the RFCs are the "official" documents of
the Internet protocols, and are part of a formal process.  Given the nature
of the Internet, and the people involved, it should come as no surprise that
embedded in this library are jokes, making fun of the process as much as
anything else.

(Just to make things clear, this is far from a compendium of all of the
jokes flying around the net, or even all of the jokes about network
standards.  The April Fools' RFCs are a specific class of net jokes, and are
the material of this volume.)

The RFCs themselves present a kind of technical history of the Internet.  In
a similar way, the April Fools' RFCs are a history of aspects of the
Internet.  Some of them document technical concerns and emphasis, such as
the 1990s attempts to implement the Internet on any base physical transport
(RFC 1149, dealing with avian carriers) or 2002's efforts to run all
utilities over the Internet (RFC 3251, for providing electricity over
Internet Protocol).  Others reflect more general social concerns.

The RFCs are all freely available.  This book collects all the April Fools'
documents, and the authors have even made the collection available on the
Internet.  However, the print version contains additional commentary,
structure, and supplementary background information about the RFC authors.

And it's handy to have the dead trees edition for those times when the avian
carriers aren't flying to your particular hotspot.

copyright Robert M. Slade, 2007   BKAFDRFC.RVW   20070814
rslade@private     slade@private     rslade@private

  [Steve Bellovin's Evil Bit (and Drew Dean's Angelic Bit), both of which
  appeared in RISKS-22.66 are both worthy, although only the first one was a
  "real" RFC.  The "IP over Avian Carriers" is a real classic.  The material
  is highly recommended for humor-loving RISKS readers.  Limoncelli and
  Salus deserve many thanks for making this material so easily accessible.
  Of course many other non-RFC April Fools' spoofs are also worthy, such as
  Chernenko@MOSKVAX (Piet Beertema, 1 April 1984, pre-RISKS, but reproduced
  in my book, Computer-Related Risks, pp.  146-148) and the April Fools'
  warning message attributed to Gene Spafford (RISKS-6.52) come immediately
  to mind, even though the day of wreckoning is still half a year away.


Date: 2 Oct 2005 (LAST-MODIFIED)
From: RISKS-request@private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.   The mailman web interface can
 be used directly to subscribe and unsubscribe:
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe@private or risks-unsubscribe@private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall@private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks@private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
=> Special Offer to Join ACM for readers of the ACM RISKS Forum:


End of RISKS-FORUM Digest 24.86

This archive was generated by hypermail 2.1.3 : Wed Oct 17 2007 - 12:52:42 PDT