RISKS-LIST: Risks-Forum Digest  Tuesday 23 June 2009  Volume 25 : Issue 71

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/25.71.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Metro train fatal accident -- too much automation? (Joe Thompson)
Air France crash and computers? (Steven M. Bellovin)
Electronic health record systems fails; ambulances turned away from hospital (Dale Hawkins)
Demolition: GPS vs Address; Well, we were close... (David Lesher)
Shoreline music-food event fiasco: electronic pay system fails (PGN)
Green Dam Youth Escort (PGN)
China dominates NSA-backed coding contest (Eugene H. Spafford)
Electricity Industry to Scan Grid for Spies (Danny Burstein)
Google Street View functions as CCTV (Mark Brader)
Smart electric meter risks; disastrous GPS misuse (Nicky L Sizemore)
Copier short-changes users (Matt Bishop)
GM & Segway to make 2-wheeled car (Paul Czyzewski)
Another High-Tech Accident? (Gene Wirchenko)
Reducing Risks of Implantable Medical Devices (Kevin Fu)
Woman Gets Others' Medical Records In Mail (Adolphius St. Clair)
Bozeman asking job applicants for their userid/password (Arthur T.)
Risks of copyright lobbyists hiring someone to plagiarize PR spin (Kelly Bert Manning)
A new way to lose money via ATM... (David Lesher)
Re: Security through obscurity (Steven M. Bellovin)
REVIEW: "Zero Day Threat", Byron Acohido/Jon Swartz (Rob Slade)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 23 Jun 2009 12:22:59 -0400
From: Joe Thompson <joe_at_orion-com.com>
Subject: Metro train fatal accident -- too much automation?

Though a definite determination has not been made yet, some preliminary reports of the DC Metro crash suggest a combination of automated control failure and failure by the operator to apply emergency braking. If borne out, this could be the second Metro crash to be attributed at least partially to driver inattention (along with the 2004 rollback crash).

I wonder if some of our systems have gotten *too* automated. During normal operation, Metro trains apparently move and stop fully automatically. In such a mode, it's easy to allow oneself the luxury of distractions, but even in the absence of that, it's also easy to fall into "highway hypnosis". The first thing that comes to mind is making operators do some sort of constant but non-repetitive task to stay alert, but that just moves the problem back to "distraction".

What is the status of research, I wonder, into keeping human backups to automated systems alert and awake without occluding their attention in case of a genuine issue? -- Joe

------------------------------

Date: Thu, 4 Jun 2009 18:02:33 -0400
From: "Steven M. Bellovin" <smb_at_private>
Subject: Air France crash and computers?

Could a Computer Glitch Have Brought Down Air France 447?
Jeffrey T. Iverson, *Time*, 5 Jun 2009
http://www.time.com/time/world/article/0,8599,1902907,00.html

--Steve Bellovin, http://www.cs.columbia.edu/~smb

  [Several electrical systems in the Airbus 330 reported breaking down just before the crash, and the autopilot apparently disengaged. The investigation is ongoing. PGN]

------------------------------

Date: Thu, 04 Jun 2009 11:30:08 -0400
From: Hawkins Dale <hawkins_at_private>
Subject: Electronic health record systems fails; ambulances turned away from hospital

Aaaaargh!

From the Indianapolis Star (via Slashdot)
http://www.indystar.com/apps/pbcs.dll/article?AID=/20090603/LOCAL18/906030346

Hospital is forced to turn away patients

Methodist Hospital went "on diversion" early Tuesday for the first time in its 100-plus years, sending ambulances that came to its doors to other hospitals.

A power surge knocked out Clarian Health's computer system Monday afternoon, derailing the hospitals' ability to access electronic health records for patients, said Clarian spokesman James Wide. Staff members at Methodist and Indiana University Hospital had to enter patients' records by hand.

By about 1 a.m. Tuesday, a backlog of paperwork led Methodist and IU hospitals to stop accepting patients who arrived by ambulance. Walk-in patients were still accepted.

------------------------------

Date: Mon, 15 Jun 2009 19:29:15 -0400 (EDT)
From: "David Lesher" <wb8foz_at_private>
Subject: Demolition: GPS vs Address; Well, we were close...

A Sandy Springs man got a phone call Monday that his family home in Carroll County [GA] was gone. Torn down. Demolished. ...

Channel 2 Action News reporter Jovita Moore asked Byrd if the demolition company had an address.

I said, "What address did you have?" and he said, "They sent me some GPS coordinates." I said, "Don't you have an address?" (and) he said, "Yes, my GPS coordinates led me right to this address here and this house was described." said Byrd.

<http://www.wsbtv.com/news/19715994/detail.html>

------------------------------

Date: Tue, 23 Jun 2009 9:24:41 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Shoreline music-food event fiasco: electronic pay system fails

On 13 Jun 2009, the first Great American Food and Music Fest at the Shoreline Amphitheatre in Mountain View CA (reportedly with some top-price tickets at $500) used an electronic bracelet payment system for food that "came down with a bad case of indigestion". The system collapsed, causing up to five-hour waits in food lines.
[Source: Lisa Fernandez, San Jose Mercury, 16 June 2009]

------------------------------

Date: Tue, 23 Jun 2009 9:30:12 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Green Dam Youth Escort

As of 1 July, all PCs sold in China must have the Green Dam Youth Escort software that is intended to filter out porn. However, that software has serious security flaws (http://www.cse.umich.edu/~jhalderm/pub/gd/) and also allegedly violates open-source licensing.

  [Sources: Andrew Jacobs, China Criticized Over Computer Filtering Plan, *The New York Times*, 10 Jun 2009
  http://www.nytimes.com/2009/06/11/business/global/11censor.html?_r=1
  and Edward Wong, China Orders Fixes in Censoring Software, *The New York Times*, 16 Jun 2009; PGN-ed. Mere mention of this here may also result in RISKS being blacklisted in China -- if it is not already. Also, the ability to violate privacy, and for anyone -- not just the Chinese government -- to remotely alter the software for surreptitious purposes including surveillance might turn it into Green Damn-Youth Escort or even the Green Youth Damned Escort Service. PGN]

------------------------------

Date: June 10, 2009 10:49:30 AM EDT
From: "Eugene H. Spafford" <spaf_at_private>
Subject: China dominates NSA-backed coding contest

Programmers from China and Russia have dominated an international competition on everything from writing algorithms to designing components. Whether the outcome of this competition is another sign that math and science education in the U.S. needs improvement may spur debate. But the fact remains: Of 70 finalists, 20 were from China, 10 from Russia and two from the U.S....

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=development&articleId=9134122

------------------------------

Date: Thu, 18 Jun 2009 00:21:56 -0400 (EDT)
From: danny burstein <dannyb_at_private>
Subject: Electricity Industry to Scan Grid for Spies

The electric-utility industry is planning a pilot initiative to see whether Chinese spies have infiltrated computer networks running the power grid, according to people familiar with the effort.

Officials of the North American Electric Reliability Corp., an industry regulatory group, are negotiating with a defense contractor for the job of searching for breaches by cyberspies, according to people familiar with the plans. [Wall Street Journal]

rest: http://online.wsj.com/article/SB124528065956425189.html#mod=testMod

------------------------------

Date: Sun, 21 Jun 2009 06:55:03 -0400 (EDT)
From: msb_at_private (Mark Brader)
Subject: Google Street View functions as CCTV

 * From: John Hatpin <RemoveThisjfhopkin_at_private>
 * Newsgroups: alt.fan.cecil-adams
 * Subject: Google CCTV
 * Date: Sun, 21 Jun 2009 11:41:54 +0100
 * Xref: number.nntp.dca.giganews.com alt.fan.cecil-adams:1611995

Google Street View functions as CCTV
http://www.theregister.co.uk/2009/06/19/street_view_mugging/

Now, what are the chances of that happening, eh? Normally, to get a result like that, you'd pretty much need cameras on every .... oh, never mind.

John Hatpin  http://uninformedcomment.wordpress.com/

------------------------------

Date: Mon, 15 Jun 2009 11:38:14 -0700
From: "Sizemore, Nicky L CTR DISA JITC" <NICKY.SIZEMORE.ctr_at_private>
Subject: Smart electric meter risks; disastrous GPS misuse

Two highly risks-relevant stories from 'The Register':

Smart electric meter risks: This one to be reported at the upcoming Black Hat conference: http://www.theregister.co.uk/2009/06/12/smart_grid_security_risks/.

Apparent gross GPS misuse: This one reported with minimal detail and only a URL, but sounds worthy of tracking down...
http://www.theregister.co.uk/2009/06/15/gps_house_flattening/
...some substantiation from WSB Atlanta at...
http://www.wsbtv.com/news/19715994/detail.html
...and ABCNews at. Many other google hits, but most are brief and obviously derivative.
http://abcnews.go.com/Business/story?id=7823594&page=1

  [These are left as an exercise for the reader. I don't have time to abstract. Also, sorry for the long gap between issues. PGN]

------------------------------

Date: Tue, 09 Jun 2009 05:28:04 -0700
From: Matt Bishop <bishop_at_private>
Subject: Copier short-changes users

I gave a midterm in an introductory programming class this term. The class has 90 people. I wrote the midterm, and asked the office staff to make 100 copies (just to be sure I had enough). I picked them up a day before the exam.

When I got to the class, I passed out the midterms. I ran out of copies after passing out 75 -- that means 15 people didn't have one. So I had to cancel the midterm, and write a completely new one.

When I reported the discrepancy, the office staff was quite upset and investigated. It turned out that the counter on the copier was malfunctioning and reporting more copies than were actually made.

Moral of the story: always count the number of copies that a copier tells you it makes!

  [Nasty problem if the copier is rented and usage costs are based on what the counter says! I suppose a malicious bug would give you the correct number of copies, but charge for 33% more. PGN]

------------------------------

Date: Tue, 2 Jun 2009 11:24:03 -0700
From: Paul Czyzewski <tallpaul_at_private>
Subject: GM & Segway to make 2-wheeled car

  [This is an old item that somehow got lost in the shuffle, even with the "notsp" tag in the subject line.
  PGN]

GM, Segway think 2 wheels, Associated Press, 7 Apr 2009
http://www.latimes.com/business/la-fi-gm-segway7-2009apr07,0,2638670.story

The companies plan to develop a two-wheeled, two-seat electric vehicle as a clean, safe and inexpensive alternative to traditional cars ...

The companies plan to announce today that they are developing a two-wheeled, two-seat electric vehicle designed to be a safe, inexpensive and clean alternative to traditional cars for cities across the world.

The companies said their project, dubbed PUMA, for Personal Urban Mobility and Accessibility, would include a communications network allowing vehicles to interact with one another to regulate traffic flow and prevent crashes. ...

[paul: okay, here's the kicker. Emphasis added:]

*Because it would be designed to automatically avoid obstacles such as pedestrians and other cars, the PUMA vehicle ***** would not need air bags **** and **** would have safety belts for "comfort purposes" only, ****** said Larry Burns, GM's vice president of research, development and strategic planning.

[and, yes, I did check to make sure that the story was not dated April 1. Paul Czyzewski]

------------------------------

Date: Sat, 13 Jun 2009 13:37:44 -0700
From: Gene Wirchenko <genew_at_private>
Subject: Another High-Tech Accident?

The URL summarises the article well:
http://www.upi.com/Odd_News/2009/06/01/Man-jogs-into-tree-while-using-Twitter/UPI-68651243891045/

------------------------------

Date: Mon, 22 Jun 2009 01:46:03 -0400
From: Kevin Fu <kevinfu_at_private>
Subject: Reducing Risks of Implantable Medical Devices

  [I asked Kevin to submit a note on his CACM Inside Risks column this month, on improving security and privacy for Implantable Medical Devices (IMDs). It is a very timely column.
  PGN]

Millions of patients benefit from programmable, implantable medical devices (IMDs) that treat chronic ailments such as cardiac arrhythmia, diabetes, and Parkinson's disease with various combinations of electrical therapy and drug infusion. Modern IMDs rely on radio communication for diagnostic and therapeutic functions---allowing healthcare providers to remotely monitor patients' vital signs via the Web and to give continuous rather than periodic care. However, the convergence of medicine with radio communication and Internet connectivity exposes these devices not only to safety and effectiveness risks, but also to security and privacy risks. The column explains the impact of these risks on patient care, and makes recommendations for legislation, regulation, and technology to improve security and privacy of IMDs.

The full text appears on:
http://www.csl.sri.com/users/neumann/insiderisks08.html#218
and on ACM's portal.acm.org website as well.

------------------------------

Date: Sat, 20 Jun 2009 09:32:22 -0400
From: "Adolphius St. Clair" <nermal1_at_private>
Subject: Woman Gets Others' Medical Records In Mail

Anyone out there guess what corrective action Blue Cross - Blue Shield would have taken to correct this screw-up if this person had not gone to the news?

A Seminole County FL woman expecting a new insurance card from Blue Cross/Blue Shield received a box with hundreds of private medical records for other people. [WFTV, 19 Jun 2009]
http://www.wftv.com/news/19804431/detail.html

------------------------------

Date: Sat, 20 Jun 2009 14:39:07 -0400
From: "Arthur T." <risk200906.10.atsjbt_at_private>
Subject: Bozeman asking job applicants for their userid/password

Bozeman, Montana has a job application form that asks: "Please list any and all, current personal or business websites, web pages or memberships on any Internet-based chat rooms, social clubs or forums, to include, but not limited to: Facebook, Google, Yahoo, YouTube.com, MySpace, etc."

There are column headings for Username and Password. Despite what's been written, there is no indication in the form that it's not mandatory.
<http://www.bozeman.net/bozeman/humanResource/forms/Background_Check_Form_Interview_MASTER.pdf>

There has been much written about this. Most of it attacks the requirement on ethical and privacy issues, but there is another point that I've seen less often.

It is against most sites' Terms of Service to give your password to anyone, and it's against most sites' TOS to attempt to access the site with someone else's userid. If you recall, Lori Drew was convicted in federal court of violating the MySpace TOS in the cyberbullying case. It seems to me that if city personnel actually used any of the passwords, they could be indicted on the same charges, as could the applicants who supplied the passwords.

Once the public flap started, I'm surprised that Bozeman didn't take the easy way out by saying that they never planned to use the information. It's just that anyone who supplied their userids and passwords was automatically disqualified for lack of sufficient intelligence.

------------------------------

Date: Sun, 07 Jun 2009 21:04:39 -0700
From: Kelly Bert Manning <bo774_at_private>
Subject: Risks of copyright lobbyists hiring someone to plagiarize PR spin

It isn't just students who need to worry about plagiarized content being revealed when they submit their papers.

It has recently been revealed that 3 "independent" Conference Board of Canada "research" reports submitted to legislators and recommending increased copyright protection were found to contain large sections of word for word boilerplate text copied, without acknowledgment or attribution, from the funding lobby group's own PR Spin material on the issue.

This wasn't a case of copying without permission or knowledge of the copyright holder.
It appears to be an embarrassing case of the copyright holder trying to give their own questionable claims a credibility boost by having "independent" researchers' names used in place of their own name. Ironic, eh!

http://www.michaelgeist.ca/content/view/62/128/
http://www.michaelgeist.ca/content/view/4009/125/
  Conference Board Recalls All Three IP Reports

The Conference Board of Canada has just announced that it is recalling all three IP reports that it issued last week. It says that "an internal review has determined that these reports did not follow the high quality research standards of The Conference Board of Canada."

Update: Jesse Brown interviewed Anne Golden, CEO of the Conference Board of Canada. Golden admits that the digital economy report was plagiarised.

Update II: Media coverage of the Conference Board pulling the reports from the CBC, Vancouver Sun, Montreal Gazette, Macleans, Mediacaster, Techdirt, and the Georgia Straight."

The Conference Board at first "stood by" all 3 submissions, but is now in full retreat and asking former staff researchers for "help".

Some former researchers whose names were left attached to what became in large part a word for word repeat of lobbyist material are seeking to have their names disassociated from the plagiarised work. Independent research work which contradicted the lobbyist claims was removed, but the researchers' names were somehow left on as authors of a work they do not wish to have their names associated with.

One researcher listed as an author of the reports, who is seeking to have [his/her] name removed from the plagiarism tainted documents, gives reasons such as: "The Conference Board asks for my help but won't acknowledge that it was wrong to put my name on reports that bear little resemblance to the original research I submitted, were substantially reworked, and were published ten months after I resigned."

http://www.techdirt.com/articles/20090603/0733135109.shtml
  Former Conference Board Author Explains How Lobbyists Influenced Plagiarized Reports
http://www.michaelgeist.ca/content/view/4025/125/
  Ex-Conference Board Author Speaks Out; Confirms "Push Back" From Copyright Lobby Funders
http://www.p2pnet.net/story/22321
  Conference Board denies Geist allegations
http://www.calgaryherald.com/Clients+dictated+think+tank+research+Former+employee/1659760/story.html
  Clients dictated think-tank research: Former employee

Copyright lobbyists seeking to extend protection have previously learned to be careful what they ask for. USA provisions for making the copyright period longer allowed the original owner, or their heirs, to have the copyright reassigned to them for the extended period of protection, since the price paid for transferring the copyright was based on the original copyright period length. The widow and daughter of one of the originators of "Superman" retrieved their half of the copyright, after a marathon of litigation. An heir of the other creator is also talking to Lawyers.

------------------------------

Date: Tue, 23 Jun 2009 13:12:09 -0400 (EDT)
From: "David Lesher" <wb8foz_at_private>
Subject: A new way to lose money via ATM...

Paul Marks, Cash machines hacked to spew out card details, *New Scientist*, 17 June 2009
<http://www.newscientist.com/article/mg20227135.700-cash-machines-hacked-to-spew-out-card-details.html>

After months poring over the Windows-based software in the bank's ATMs, Henwood and his team were astonished. They found a 50-kilobyte piece of malware disguised as a legitimate Windows program called lsass.exe. {..}

This is a clever choice of camouflage, says SpiderLabs' forensics manager Stephen Venter: to an IT staffer, lsass.exe doesn't look out of place in a Windows system, so routine checks wouldn't necessarily pick it up. Yet it has no useful function in an ATM.
{...}

Equally ingenious is how the crooks harvest their stolen data - by using the ATM's receipt printer. Inserting a trigger card into the machine's slot causes the malware to launch a small window on the screen, with a variety of options. The first is to print out a list of all recently used cards. The data on the printout is encrypted, so crime bosses could enlist low-level accomplices to visit ATMs to retrieve the printouts, safe in the knowledge that they cannot use the data to clone cards themselves.

Comment: And yet companies build both ATM's and voting machines based on Windows....

------------------------------

Date: Sat, 6 Jun 2009 22:21:01 -0400
From: "Steven M. Bellovin" <smb_at_private>
Subject: Re: Security through obscurity (MacIntyre, RISKS-25.69)

The subject of security through obscurity comes up frequently. I think a lot of the debate happens because people misunderstand the issue.

It helps, I think, to go back to Kerckhoffs' second principle (translated as "The system must not require secrecy and can be stolen by the enemy without causing trouble", per http://petitcolas.net/fabien/kerckhoffs/). Kerckhoffs said neither "publish everything" nor "keep everything secret"; rather, he said that the system should still be secure *even if the enemy has a copy*.

In other words -- design your system assuming that your opponents know it in detail. (A former official at NSA's National Computer Security Center told me that the standard assumption there was that serial number 1 of any new device was delivered to the Kremlin.) After that, though, there's nothing wrong with trying to keep it secret -- it's another hurdle factor the enemy has to overcome. (One obstacle the British ran into when attacking the German Enigma system was simple: they didn't know the unkeyed mapping between keyboard keys and the input to the rotor array.) But -- *don't rely on secrecy*.

Steve Bellovin, http://www.cs.columbia.edu/~smb

  [The petitcolas website is very helpful.
  Check it out! Steve included the original quote in French, but I could not make it look correct. PGN]

------------------------------

Date: Mon, 8 Jun 2009 11:19:34 -0800
From: Rob Slade <rmslade_at_private>
Subject: REVIEW: "Zero Day Threat", Byron Acohido/Jon Swartz

BKZRDYTH.RVW   20090120

"Zero Day Threat", Byron Acohido/Jon Swartz, 2008, 978-1-4027-5695-5, U$19.95/C$21.95
%A   Byron Acohido
%A   Jon Swartz
%C   1 Atlantic Ave, #105, Toronto, ON, Canada M6K 3E7
%D   2008
%G   978-1-4027-5695-5 1-4027-5695-X
%I   Sterling Publishing Co., Inc.
%O   U$19.95/C$21.95 800-805-5489 specialsales_at_private
%O   http://www.amazon.com/exec/obidos/ASIN/140275695X/robsladesinterne
     http://www.amazon.co.uk/exec/obidos/ASIN/140275695X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/140275695X/robsladesin03-20
%O   Audience n Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   297 p.
%T   "Zero Day Threat"

The title here is definitely misleading: the authors have just taken a sensational term and stuck it on a book about "the shocking truth of how banks and credit bureaus help cyber crooks steal your money and identity." Now, as a malware researcher, I'm delighted to see them state, right off the top, the rather bitter truth that security is in such a sorry state because the general populace demands convenience over security, and major companies are willing to give it to them. I'm not quite as happy to find that Acohido and Swartz don't fully understand what a zero day threat actually is.

I'm willing to suspend judgment for a while based on their very useful division of each chapter into exploiters (traditional blackhats and opportunists), enablers (those who build weak infrastructures), and expediters (those who, in various ways, make the problem worse). It's good to see that the authors aren't just retailing the common "oooh, teenage hackers!" stories, and realize that the situation is complex, and involves the interacting behaviours of many different parties.

The synergy of this approach is not demonstrated in chapter one. Of the three parts of the chapter, the first talks about some drug addicts involved in dumpster diving for credit card and bank account information, the second briefly notes the speed and volume of credit card transactions, and the third examines a few of the malware instances around the year 2000. It is not clear what these have to do with each other. Subsequent chapters follow up on these stories. The tales start to interweave at about chapter five, but few connections are made between the items in the content, and those that do exist seem to be almost random.

A final chapter in the book, eighteen, is entitled "What Must Be Done." Unfortunately, it is overly broad, and not very specific, reducing to an assertion that we need better financial activity oversight and review, better Internet infrastructure, and better security in operating systems and other software.

Appendix A, on personal security, contains a fairly pedestrian collection of advice on credit card, financial, computer, and Internet security. All of the recommendations would help increase the safety of most people: sadly they do not exhaust the possible avenues of attack, and many of the suggestions are not completely within the capability of the average user. (For example, yes, it is a good idea to use strong passwords that are long, and contain a mix of characters, and to change those passwords on a regular basis. The trick is to teach people ways of creating passwords such that the user can remember them, and attackers can't. As a second instance, it is dangerous to click on any banner ad or popup window: what proportion of those who use the Internet regularly can identify those entities when they appear?)

Acohido and Swartz demonstrate, as David Rice did in "Geekonomics" (cf.
BKGKNMCS.RVW), that financial entities have little incentive either to take serious steps to reduce electronic fraud, or to protect consumers (or merchants) from losses due to fraudulent transactions.

The authors have done an excellent job of research in the narrative, at least as far as events in the public record are concerned. There is also evidence of commendable exclusive investigation to confirm or enhance specific areas. Unfortunately, the technical material has little depth, and is somewhat suspect when dealing with specialized areas.

Overall, the stories of the blackhat community are entertaining, the tales from the financial world emphasize dangers that should be stressed, and the narratives from the malware environment provide a history (more social than technical) of major recent infestations. The work contains a wealth of stories that could be used to promote security awareness, but doesn't otherwise provide a significant source of security assistance.

copyright Robert M. Slade, 2009   BKZRDYTH.RVW   20090120
http://victoria.tc.ca/techrev/rms.htm

------------------------------

Date: Thu, 29 May 2008 07:53:46 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.
 Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.
=> .UK users should contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 25.71
************************

Received on Tue Jun 23 2009 - 11:44:25 PDT