RISKS-LIST: Risks-Forum Digest Weds 31 October 2007 Volume 24 : Issue 88
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/24.88.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
Rox-Shocks Tix-Nix Fix (PGN)
Normal hardware upgrades may deactivate Microsoft Vista(tm) (Mike Radow)
German Telephone-Network Partial Outage (Peter B. Ladkin)
A computer-related fatality (Martyn Thomas)
Anti-DWI interlocks considered for ALL drivers (D.F. Manno)
Risk of laptop computer on a commercial aircraft (jared)
LoJack undoes scheme to fake SUV theft (Paul Saffo)
Trojan Horse Redirects Local DNS Settings to Malicious DNS Servers
(Monty Solomon)
Think before you legislate (Robert S. Heuman)
Court filing in TJX breach: 94 million accounts affected (Monty Solomon)
Restaurant chain customers' credit card data stolen (Monty Solomon)
Fighting traffic citations (Steve Greenwald and Jeremy Epstein via PGN)
Gatwick Airport screens display wrong local time (Philippe Jumelle)
TV PVRs getting BST change not quite right (Nick Rothwell)
DST traffic signal snafu (D. Joseph Creighton)
Who set up that meeting anyway? (Jeremy Epstein)
US Congress pulls the classic e-mail oopsie (Danny Burstein)
Who needs bots? (Matt Simpson)
Re: Fake blogs (Dan Jacobson)
Same ol' same ol' (Andrew Koenig)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Wed, 31 Oct 2007 15:12:09 PDT
From: "Peter G. Neumann" <neumann@private>
Subject: Rox-Shocks Tix-Nix Fix (Re: RISKS-24.87)
After last Monday's (22 Oct 2007) presumed denial-of-service attack that
hindered Denver's World Series ticket sales, reportedly with over 8 million
bogus hits on the website, Tuesday's efforts were much more successful. The
Rockies sold out every ticket for games 3, 4, and 5 [which, as it turns out,
was not needed] in about 2.5 hours. That's a total number of tickets three
times the seating capacity of 50,445, which works out to an average of just
about 1000 tickets per minute. It would take a large cadres of human ticket
sellers to keep up that rate. Thus, automation of this kind clearly has its
merits -- when it works securely and reliably (modulo some presumed amount
of credit-card fraud). However, blocking multiple requests from the same IP
address seems to be overly aggressive -- for example, for groups of would-be
buyers behind firewalls, although it might have slowed down the scalpers.
[Actually, the Rockies suffered a much more costly denial-of-service attack
at the hands (and feet) of the Red Sox.]
------------------------------
Date: Tue, 23 Oct 2007 17:14:35 -0700 (PDT)
From: Mike Radow <mikeradow@private>
Subject: Normal hardware upgrades may deactivate Microsoft Vista(tm)
Microsoft attempts to determine when your *registered* copy of their
Operating System has been moved to another computer.
The concept is simple...: Different hardware components are identified
during the registration process and a *weighted* hash is computed from model
numbers, MAC addresses, etc. This can -- supposedly -- differentiate
innocent user-upgrades from proscribed outright copying. At least, that is
their claim and the heuristic's intent.
When it comes to monitoring Microsoft Vista(tm), this process may not be
perfect. Perhaps it is is bit too touchy in the ''False Positive''
department. At least this is what Slashdot reports, at...:
http://slashdot.org/article.pl?sid=07/10/23/1255235.
As reported in the 23.X.2007 issue of the Australian Consolidated Press
(ACP) magazine, ''... something as small as swapping the video card or
updating a device driver can trigger a total Vista deactivation.''
The full ACP story is at http://apcmag.com/vista_activation ,,,
This article seems to identify a major hazard (read ''show-stopper'') to
everyday regular maintenance!
------------------------------
Date: Wed, 31 Oct 2007 09:10:32 +0100
From: "Peter B. Ladkin" <ladkin@private-bielefeld.de>
Subject: German Telephone-Network Partial Outage
On 29 Oct 2007 a software update to a billing server in the network of the
former Deutsche Telekom (German Telecom) in Düsseldorf resulted in many
telephone numbers nationwide becoming unreachable. The outage lasted between
about 4pm and 9pm. Apparently it also affected some portions of the mobile
telephone network. (It affected me also, but one of my numbers carried on
working. I contract with another service provider.)
Deutsche Telekom is the privatised former state telephone network and still
the majority infrastructure owner in Germany, which is why the outage
affected those such as myself who do not contract for service with DT. It
affected people all over Germany, but DT doesn't say how many.
SW updates are a "daily occurrence" according to a spokesman. They went back
to a previous version and they are inspecting the problem SW now to see what
caused the outage.
(Personal experience, aided by reports in the Neue Westfalische Zeitung,
30 and 31 Oct 2007)
Peter B. Ladkin, Causalis Limited and University of Bielefeld
www.causalis.com www.rvs.uni-bielefeld.de
------------------------------
Date: Sat, 27 Oct 2007 10:54:11 +0100
From: Martyn Thomas <martyn@thomas-associates.co.uk>
Subject: A computer-related fatality
A Texas judge, Sharon Keller, refused to keep her court open for 20 minutes
to receive an appeal from the lawyers representing Michael Richard. He was
executed later the same night.
His lawyers had suffered a computer breakdown and said they were unable to
file the appeal within regular working hours. They had begged Judge Keller
for more time and she refused.
Her decision might have gone unnoticed had the supreme court not announced,
on September 25, that it was reviewing a challenge to the legality of lethal
injection.
The announcement set off a flurry of appeals from death-row inmates and it
is believed Richard's execution most likely would have been halted, to await
the supreme court decision, had he been granted a hearing. Two days after
Richard was executed, the supreme court blocked a lethal injection in
Texas. Judges in Alabama and Kentucky have also stayed executions, bringing
in an unofficial moratorium on the death penalty.
http://www.guardian.co.uk/usa/story/0,,2199596,00.html
------------------------------
Date: Wed, 24 Oct 2007 14:25:08 -0700 (PDT)
From: "D.F. Manno" <dommanno@private>
Subject: Anti-DWI interlocks considered for ALL drivers
*The New York Times* (21 Oct 2007), in a article that may not have been
widely noticed because it was buried in the Automotive section, reports that
automakers and researchers, with U.S. government funding, are working on
anti-drunk-driving interlocks that ALL drivers will have to pass in order to
drive their cars, whether or not they have a record for DWI.
<http://www.nytimes.com/2007/10/21/automobiles/21ALKY.html>
Among other things, the article notes that to start a car with the
interlocks currently used, ``the driver must puff a breath into the unit. To
avoid cheating, the breath puff is measured and must be given in a uniquely
identifiable way that would be hard for a person who is not the driver to
duplicate.'' The breath puff isn't just for starting cars. While driving,
the driver must periodically blow into the system to keep the car running."
The researchers acknowledge that the current technology is not reliable or
durable enough to install in all cars. But the capabilities to determine who
is taking the test and to require periodic retesting while driving would
presumably be carried over into the newer systems.
Aside for the Big Brother and Prohibition aspects, to me the RISK with both
current and future systems seems to be that your car can automatically stop
-- regardless of road, weather or traffic conditions -- if you don't have
time or can't split your attention to take the test (while doing 65 mph on
the freeway, or while you're dealing with your children in the back seat),
or if there's a false positive, or if the equipment is faulty.
------------------------------
Date: Sun, 28 Oct 2007 08:43:23 +0000
From: jared <jared@private>
Subject: Risk of laptop computer on a commercial aircraft
"Jet forced to land by a runaway laptop" is a headline in the 26 Oct 2007
Jewish Chronicle (www.thejc.com). In summary, a London-Tel Aviv flight made
an unscheduled stop at Athens. A laptop has been found on-board which no one
nearby claimed. Per security procedures the plane made an impromptu
landing. At which point the computer's owner, having woken up, asked if
anyone had seen a missing laptop.
------------------------------
Date: Wed, 31 Oct 2007 10:19:10 -0700
From: Paul Saffo <psaffo@private>
Subject: LoJack undoes scheme to fake SUV theft
Talk about dumb and dumber...
[Source: San Diego *Union-Tribune*, 31 Oct 2007; PGN-ed]
http://www.signonsandiego.com/news/northcounty/20071031-0755-bn31car.html
Sheriff's officials say an Oceanside [CA] woman who was behind on car
payments faked that her 1999 GMC Yukon was stolen and hid it in a friend's
backyard in Escondido, not realizing it was equipped with a LoJack system.
After she filed a stolen vehicle report and an insurance claim, police
activated LoJack and found the SUV in a friend's yard with the woman's
boyfriend's old plates.
["'Lo, Jack? How's Jill?" "She's 'Jilling." PGN]
------------------------------
Date: Wed, 31 Oct 2007 16:18:37 -0400
From: Monty Solomon <monty@private>
Subject: Trojan Horse Redirects Local DNS Settings to Malicious DNS Servers
INTEGO SECURITY ALERT - October 31, 2007
OSX.RSPlug.A Trojan Horse Changes Local DNS Settings to
Redirect to Malicious DNS Servers
Exploit: OSX.RSPlug.A Trojan Horse
Discovered: October 30, 2007
Risk: Critical
Description: A malicious Trojan Horse has been found on several pornography
web sites, claiming to install a video codec necessary to view free
pornographic videos on Macs. A great deal of spam has been posted to many
Mac forums, in an attempt to lead users to these sites. When the users
arrive on one of the web sites, they see still photos from reputed porn
videos, and if they click on the stills, thinking they can view the videos,
they arrive on a web page that says the following:
Quicktime Player is unable to play movie file.
Please click here to download new version of codec.
After the page loads, a disk image (.dmg) file automatically downloads to
the user's Mac. If the user has checked Open "Safe" Files After Downloading
in Safari's General preferences (or similar settings in other browsers), the
disk image will mount, and the installer package it contains will launch
Installer. If not, and the user wishes to install this codec, they
double-click the disk image to mount it, then double-click the package file,
named install.pkg.
If the user then proceeds with installation, the Trojan horse installs;
installation requires an administrator's password, which grants the Trojan
horse full root privileges. No video codec is installed, and if the user
returns to the web site, they will simply come to the same page and receive
a new download.
http://www.intego.com/news/ism0705.asp
------------------------------
Date: Tue, 23 Oct 2007 22:20:28 -0400
From: RsH <robert.heuman@private>
Subject: Think before you legislate
Elections Act changes deny vote for 1 million Canadians, CBC News 23 Oct 2007
The federal government said Tuesday it will fix a problem with the newly
revamped Elections Act that prevents up to a million rural voters from
casting a ballot.
Four months ago, Parliament passed amendments to the Canada Elections Act
that requires each voter produce proof of identity and a residential address
before being allowed to cast a ballot.
However, more than one million Canadians living in rural areas don't have an
address that includes a street name and number.
Rural addresses are often just post office boxes. On native reserves, a
resident's address is sometimes simply the name of the reserve.
In Nunavut, more than 80 per cent of registered voters don't have a
residential address.
Government House Leader Peter Van Loan told Parliament Tuesday that the
problem was an oversight and called on all parties to "enthusiastically
support efforts to correct this deficiency."
Van Loan also said if a snap election were to be called before the issue is
resolved, the chief electoral officer has assured him that he's prepared to
use "his adaptation power to ensure that no Canadian loses their right to
vote" in the ensuing election.
With files from the Canadian Press
R. S. (Bob) Heuman <robert.heuman@private>
------------------------------
Date: Thu, 25 Oct 2007 02:04:37 -0400
From: Monty Solomon <monty@private>
Subject: Court filing in TJX breach: 94 million accounts affected
More than 94 million accounts were affected in the theft of personal data
from TJX Cos., a banking group alleged in court filings, more than twice as
many accounts as the Framingham retailer has said were affected in what was
already the largest data breach in history. The data breach affected about
65 million Visa account numbers and about 29 million MasterCard numbers,
according to the court filing, which was made late yesterday by a group of
banks suing TJX over the costs associated with the breach. The banks cited
sealed testimony taken from officials at the two largest credit card
networks. A Visa official also put fraud losses to banks and other
institutions that issued the cards at between $68 million and $83 million on
Visa accounts alone, the filing states, the most specific estimate of losses
to date.
TJX, which operates more than 2,500 stores worldwide under such brand names
as TJ Maxx and Marshalls, previously has said the unidentified hackers who
breached its systems had com promised at least 45.7 million credit and debit
card numbers as far back as 2003. TJX has said about 75 percent of the
compromised cards were expired or had data in the magnetic strip masked,
meaning the information was stored as asterisks rather than numbers. ...
[Source: Ross Kerber, Court filing in TJX breach doubles toll: 94 million
accounts were affected, banks say, *The Boston Globe*, 24 Oct 2007]
http://www.boston.com/business/globe/articles/2007/10/24/court_filing_in_tjx_breach_doubles_toll/
------------------------------
Date: Thu, 25 Oct 2007 01:59:51 -0400
From: Monty Solomon <monty@private>
Subject: Restaurant chain customers' credit card data stolen
Not Your Average Joe's, a Massachusetts restaurant chain, said yesterday
that thieves have stolen credit card data belonging to its customers. The
Dartmouth-based chain estimated fewer than 3,500 of the 350,000 customers it
served in August and September had their credit card information stolen.
The 14-restaurant chain said it is working with the US Secret Service and
major credit card companies to determine how the data theft occurred and
precisely how many customers were affected. [Source: Bruce Mohl, *The
Boston Globe, 24 Oct 2007]
http://www.boston.com/business/globe/articles/2007/10/24/restaurant_chain_customers_credit_card_data_stolen/
[Small potatoes, you say? But the customers were fried, and now they're
playing catchup. PGN]
------------------------------
Date: Fri, 26 Oct 2007 11:51:38 PDT
From: "Peter G. Neumann" <neumann@private>
Subject: Fighting traffic citations
In an out-of-band communication, Steven J. Greenwald (sjg6@private) pointed
out an AP item by Lisa Leff, Teen's ticket hinges on GPS vs. radar, 25 Oct
2007, in which a retired sheriff's deputy had used a GPS tracking device to
keep an eye on his stepson Shaun's driving habits. This annoyed Shaun -- at
least until he was pulled over for allegedly doing 62 in a 45-mile-per-hour
zone. The GPS unit showed that he was indeed doing the speed limit.
Whether this is sufficient evidence is still pending.
http://news.yahoo.com/s/ap/20071025/ap_on_hi_te/gps_ticket_challenge_2&printer=1;_ylt=AnZr6gtZNk0ZUsM9p9w..vVk24cA
This item reminded Jeremy Epstein <Jeremy.Epstein@private> of a case
over 30 years ago where a physicist at Los Alamos Labs protested a speeding
ticket by trying to convince the judge (who was a retired physicist from the
labs) that the thunderstorm caused the radar system to give a false reading.
Jeremy found a reference to it at
http://www.bautforum.com/archive/index.php/t-9596.html
It [trying physics to get out of a speeding ticket] was tried in Los
Alamos. One of the weaponeers was booked for driving his vehicle at speeds
well in excess of the limit. At his trial he produced an involved theory
of high-energy physics that suggested the radar speed gun readings were
distorted by a nearby thunderstorm. The judge's summation went.
"Only in Los Alamos would a defendant argue high-energy physics as a
defense against a charge of driving with excessive speed. Only in Los
Alamos would the Judge have the PhD necessary to know that he was talking
utter nonsense."
[Note: Steven J. Greenwald runs a low-volume mailing list intended to foster
interaction between his former/current students from James Madison
University's graduate INFOSEC program (http://www.infosec.jmu.edu) and other
"security seniors" he knows either personally or by reputation. If you think
you qualify and wish to request a subscription, please send e-mail to Steve
with the e-mail address and name you wish to use. PGN]
------------------------------
Date: Mon, 29 Oct 2007 14:52:22 +0100
From: "Philippe Jumelle" <pjumelle@private>
Subject: Gatwick Airport screens display wrong local time
Quite surprisingly (except for RISKS readers), a daylight-saving glitch hit
Gatwick Airport on Oct 28th resulting in ire of passengers and relatives.
http://www.theregister.co.uk/2007/10/29/gatwick_computer_glitch/ and others
[Back at the beginning of April, I noted in RISKS-24.63 that Caltrain
managed to botch the daylight saving cutover. This week they did it even
more curiously: the Menlo Park Station had the correct daylight time
displayed on one side of the tracks, and the week-too-early standard time
on the other side. On the other hand, it makes some sense that the two
sets of displays at any given station are intentionally controlled
separately, particularly when bearing the bad news of late trains
and accidents in one direction or the other. PGN]
------------------------------
Date: Sun, 28 Oct 2007 16:23:09 +0000
From: Nick Rothwell <nick@private>
Subject: TV PVRs getting BST change not quite right
Since it's the time of year for summer time/daylight savings bugs, here's
mine, from the Humax PVR-9200T. It's a UK hard disk TV recorder which takes
Freeview digital-over-aerial channels and supports a seven-day EPG
(programme guide).
Yesterday (last day of BST), the programming timeline display showed
continuous time across the BST-to-GMT boundary; programmes before the change
showed the correct broadcast time, programmes after the change were lined up
against time markers one hour ahead of the wallclock time at which they
would actually be broadcast: in other words, everything was displayed in
BST, so a 7pm weekly episode yesterday would be followed by an 8pm episode
this coming Saturday. Today, all times are in GMT, including those of
programmes before the time change.
So, I thought: a consistent, if slightly unexpected, view of time changes,
and one which would allow the device to switch times unambiguously...
except, of course, it doesn't work: programmed recording entries are
apparently stored with clock times, so all the recordings I programmed last
week will now start (and stop) one hour late. I'm currently going through
and editing them all...
------------------------------
Date: Mon, 29 Oct 2007 10:47:35 -0500
From: "D. Joseph Creighton" <djc@private>
Subject: DST traffic signal snafu
Monday 29 Oct 2007.
Hundreds of traffic lights in Winnipeg, Canada did not change from their
overnight 'flashing amber' states to the normal 'morning rush' state until
an hour later than usual due to old DST settings in them. The lights will
need to be manually overriden for the week until time catches up.
Ref. http://www.cbc.ca/canada/manitoba/story/2007/10/29/daylight-time.html
The RISK of believing all your DST issues are fine when there's no problem
in the spring is illustrated nicely here.
D. Joseph Creighton [ESTP] | Info. Technologist, Database Technologies, IST
Joe_Creighton@private | University of Manitoba Winnipeg, MB, Canada, eh?
------------------------------
Date: Mon, 29 Oct 2007 13:37:38 -0400
From: "Jeremy Epstein" <Jeremy.Epstein@private>
Subject: Who set up that meeting anyway?
As many readers are aware, there's frequently a discrepancy between when
countries switch between "summer time" (or Daylight Savings Time as it's
called in the US) and "winter time" (or Standard Time). Europe switched
to winter time this year on Oct 28; the US switches to Standard Time on
Nov 4. What I'm finding today is that my schedule is a shambles,
because meetings that are normally sequential are overlapping, depending
on who scheduled the meeting. As an example, I have a meeting I
normally attend every Tuesday at 8:30 Eastern; because that was set up
in Outlook by a colleague in Europe, this week it's at 9:30 Eastern
(i.e., the time stayed constant for him but shifted for me). I have
another meeting every Tuesday at 9:30 Eastern which contains an
overlapping set of attendees, but because I set that one up, Outlook has
left my time constant and shifted my European colleagues - thus, the two
meetings "overlap".
Of course, they don't really overlap - it's an artifact of how we've
become dependent on computerized scheduling systems without thinking
about the implications. Yet another reason, I suppose, why airlines and
military systems run on "Zulu time", so as to avoid these glitches!
------------------------------
Date: Sun, 28 Oct 2007 14:47:42 -0400 (EDT)
From: Danny Burstein <dannyb@private>
Subject: US Congress pulls the classic e-mail oopsie
The House Judiciary Committee wrote back, via e-mail, to the contributors to
its confidential whistleblower Internet submission hotline.
Aside from the standard issues of doing any of this stuff via insecure and
unverified e-mail, they listed all the e-mail addresses in the "to" line, so
everyone saw everyone else's name [a].
One of the addresses they sent this whole list to was...
vice_president@private [b]
ratcheting up the usual paranoia concerns.
lots more detail at:
http://www.tpmmuckraker.com/archives/004576.php
[a] since many e-mail spam filters will kill off material addressed to large
numbers of recipients, many of the intended folk probably never got the
note.
[b] it's unclear whether this was really the address they were using to send
a copy to the VP or whether it was one of the "fake" ones used by initial
submitters. I suspect it was the latter.
Either way this procedure was pretty clueless.
------------------------------
Date: Tue, 23 Oct 2007 11:19:05 -0400
From: Matt Simpson <net-news69@private>
Subject: Who needs bots? (Re: Williams, RISKS-24.87)
In "Risks of cute e-mail" in RISKS-24.87, Chris Williams says
> 1) Who needs a bot army to send spam/viruses when you can get people to
> willingly forward things along for you?
>
> 3) Since this appears to have started as a local phenomenon and has slipped
> by every anti-spam and anti-virus engine, the potential for malice is
> high.
There's a joke about the use of gullible humans instead of bots to spread
viruses. It's an e-mail that says something like:
"This is the <insert favorite stupid ethnicity here> virus. We don't have
any smart programmers, so please erase all the files on your hard drive
and forward this to all your friends."
Haha. Very funny. What's really funny is that, if worded just a little bit
differently, this can work, as has already been demonstrated.
Another popular legend that circulated for a while a few years ago was the
"virus" that was on every Windows system. The e-mail warned of some virus
that the sender had found on his own system. It gave instructions for
browsing some directory deep within the bowels of Windows, and if you found
a specific file name, that meant you were infected, and you needed to delete
the file.
Of course, the file was one that exists on any normal Windows system.
(Un)fortunately, it was something non-critical, so deleting it didn't do
much damage, and restore instructions were widely available. I actually
wished that those who followed the warning and deleted the file had suffered
more damage as a result of their gullibility.
So, although the "redneck" virus was a joke, it really is possible to send
people e-mail that will cause them to voluntarily delete parts of their
operating system and then forward the mail to all their friends. Just don't
include the word "joke" and they'll do it.
------------------------------
Date: Wed, 24 Oct 2007 04:24:10 +0800
From: Dan Jacobson <jidanni@private>
Subject: Re: Fake blogs (Yurman, RISKS-24.86)
DY> The problem of fake blogs is significant for me...
DY> I have no way as an individual to stop the current problem...
Hold the domain owner responsible perhaps?:
Dear Yahoo Corporation, YOUR website, http:..., is
impersonating MY website. Please cease and desist.
It would be wrong to go further and give YOU, the impersonators,
copies of MY personal identification documents you request as proof of
my identity. I'm sure you will agree.
YOU, Yahoo Corporation, are impersonating MY website. YOU are
responsible!
Is that not MY telephone number on YOUR website? Call it!
Does YOUR page not say "This page should be at http:...? And where is
that? MY website!
I demand YOU remove http:... It is an unauthorized copy of MY website!
Update: my above bold e-mail merely got me the same form e-mail from
Yahoo asking for identification. The Federal Trade Commission website,
where I turned to next, says they don't solve individuals' problems,
which is just as well, as their webform produced an error.
Second update: No need to hide the URLs:
http://www.geo :phony: cities.com/fireboy1983/index.htm
impersonates my :real: http://jidanni.org/
------------------------------
Date: Thu, 18 Oct 2007 10:54:20 -0400
From: "Andrew Koenig" <ark@private>
Subject: Same ol' same ol'
Today I got e-mail from the bank that services one of my credit cards,
saying:
Need to simplify your finances?
A Balance Transfer can help!
followed by various comments and a clickable link marked
TRANSFER BALANCES NOW
I was about to dismiss this as yet another phishing scheme, but I was
surprised by how authentic it looked. Then I looked more closely, and
noticed that it included my name (correctly spelled) and the last four
digits of my account number.
So I checked the destination for the link, and it actually did refer to my
bank's website. Not only that, but the two other hyperlinks in the message
also referred to my bank's website.
... From which I can only conclude that this bank is trying to train its
customers to be vulnerable to phishing scams. What on earth could they be
thinking?
------------------------------
Date: 17 Oct 2007 (LAST-MODIFIED)
From: RISKS-request@private
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman web interface can
be used directly to subscribe and unsubscribe:
http://lists.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman
your FROM: address, send a message to
risks-request@private
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-subscribe@private or risks-unsubscribe@private
depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
The full info file may appear now and then in RISKS issues.
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users should contact <Lindsay.Marshall@private>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to risks@private with meaningful SUBJECT: line.
*** NOTE: Including the string "notsp" at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
<http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
<http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 24.88
************************
This archive was generated by hypermail 2.1.3 : Wed Oct 31 2007 - 16:03:38 PST