[RISKS] Risks Digest 25.75

From: RISKS List Owner <risko_at_private>
Date: Thu, 6 Aug 2009 10:31:20 PDT
RISKS-LIST: Risks-Forum Digest  Thursday 6 August 2009  Volume 25 : Issue 75

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/25.75.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Software never fails, people decide that it does (Paul Robinson)
Seven water mains break due to computer glitch (Joseph Lorenzo Hall)
Stock Traders Find Speed Pays, in Milliseconds (Charles Duhigg via
  Monty Solomon)
GPS typo saves couple? (Joel Baskin)
How To Hijack 'Every iPhone In The World' (Andy Greenberg via Monty Solomon)
10 ways your voice and data can be spied on (Gene Wirchenko)
The NSA Is still Listening to You (jidanni)
Beware of Outdated E-mail Addresses (Gene Wirchenko)
Funniest security faux pas this week (Ron LaPedis)
You think Adobe bug reports are tough to submit... (Michael Albaugh)
Re: Risks of hierarchical map displays (Leonard Finegold, Gavin Treadgold,
  Gene Wirchenko)
Industrial object-oriented language made void-safe (Bertrand Meyer)
Ari Juels, Tetraktys, a `cryptographic thriller' (Ben Rothke via PGN)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sun, 26 Jul 2009 18:17:14 -0700 (PDT)
From: Paul Robinson <paul_at_paul-robinson.us>
Subject: Software never fails, people decide that it does

There was an article [1] on Slashdot saying how Software Engineering and
Computer Science are two different things. It also refers to an article [2]
on Dr. Dobbs Journal that says that Software Engineering will never be a
rigorous, formal discipline. Which is true.

The statement that software engineering - which is a mislabel - cannot be a
rigorous, formal system is so obvious that it might as well be one of those
things we never think about until we have to and when we do think about it
it's intuitively obvious.

Consider what will happen when you die, there are only three possibilities:
You exist after you die and you like the results; you exist after you die
and you do not like the results; you do not exist after you die. All three
possibilities are equally valid since we have no evidence of any of them. If
as it turns out, that when you die you cease to exist, it is not something
you need to worry about. Now, the thought probably terrifies you - it used
to terrify me, too - until you realize something: if you cease to exist, you
will know nothing. You'll never know that you don't exist.

So consider the conditions of the existence of software. Software is always
perfect and is always the same, it never changes. It does not rot, rust,
age, get moldy, crumble, break, shatter or fail. It never needs maintenance,
lubrication, cleaning, sharpening, polishing, repair or replacement. As long
as the hardware that copies it makes identical copies, it is perfect and
always will be perfect, except for the extremely rare and unusual case of
deterioration of the storage media due to cosmic ray damage. Which can be
detected by mathematical algorithm, in which case, if there is another
source, another perfect copy can be made and it's right back where it
was. Software is never defective and can never be defective other than the
case I've given of the rare possibility of cosmic-ray damage to media or
hardware failure in copying, and thus it never needs change, modification or
updating.

Every year, every country makes changes to its tax laws. Any software which
must comply with those new changes has to be changed according to the
decisions of tax accountants and lawyers as to what is needed to be in
compliance. If you have a cellular network and want to add new features, you
have to modify the software - in the switches, the handsets, the gateways,
and/or all of these - to be able to enable them to offer new features. In
both cases the software needs updating.

Both statements are true, but you might ask how they can be when they appear
to be conflicting. They're not, and I'll explain why.

Any software package, from a 1-line APL function to a 20 million-line COBOL
behemoth application suite that runs a trillion dollar bank, large insurance
company or government agency, only requires maintenance or change because in
someone's subjective opinion it needs a change. A bridge needs replacement
when it collapses or when it is beyond its useful life; a building needs
replacement under the same circumstances. A piece of metal furniture needs
replacement when its structure rusts into dust, fails or is unable to
support a load due to metal fatigue. These are objective facts, either the
structure is usable or it isn't. An engineer can determine by experience and
judgment that the structure is at its lifespan limit or can point to signs
of physical rust, deterioration, or structure failure indicators that prove
their opinion.

Any declaration that a software package needs updating, change, or
replacement is strictly based upon the subjective opinion of someone saying
that it needs the work. All software change is the result of some person's
opinion that the change needs to be made and has no basis in reality except
their opinion. Their opinion is correct if you agree with them or if in your
opinion you can't disagree with their opinion. They may be correct that
because of errors in how the software performs its desired function, need
for new function, or need for changes in existing function, the software
needs change, replacement or updating, but they can only be "correct"
because it is considered that in someone's opinion they agree with their
opinion that the change is needed.

But the claim by someone that a software package needs change, updating or
replacement is, and always will be, a subjective opinion based on nothing
more than "because I say so."

(1) http://tech.slashdot.org/story/09/06/06/0210229
(2) http://www.ddj.com/architect/217701907

------------------------------

Date: Tue, 28 Jul 2009 19:32:16 -0400
From: Joseph Lorenzo Hall <joehall_at_private>
Subject: Seven water mains break due to computer glitch

http://www.nj.com/news/index.ssf/2009/07/seven_water_mains_break_in_jer.html

Jersey City is my hometown during my visiting postdoc at Princeton's CITP.
From the story:

  Seven water mains broke in the Jersey City Heights today -- the result of
  a computer glitch that caused a false low pressure reading and kicked on
  pumps at a United Water facility, officials said.  Due to low water
  pressure in the Heights following the ruptures, fire officials posted four
  water tanker trucks at two locations in the area for use in the event of a
  fire, Fire Director Armando Roman said.  [...]

Pretty serious consequences from this glitch, no doubt... and a mighty
efficient way to mess up fire response.  And I can attest with video
evidence that the water was indeed brown:
http://www.flickr.com/photos/joebeone/3766791608/

UC Berkeley/Princeton  http://josephhall.org/

------------------------------

Date: Fri, 24 Jul 2009 22:40:44 -0400
From: Monty Solomon <monty_at_private>
Subject: Stock Traders Find Speed Pays, in Milliseconds

Charles Duhigg, *The New York Times*, 14 Jul 2009

It is the hot new thing on Wall Street, a way for a handful of traders to
master the stock market, peek at investors' orders and, critics say, even
subtly manipulate share prices.  It is called high-frequency trading - and
it is suddenly one of the most talked-about and mysterious forces in the
markets.

Powerful computers, some housed right next to the machines that drive
marketplaces like the New York Stock Exchange, enable high-frequency traders
to transmit millions of orders at lightning speed and, their detractors
contend, reap billions at everyone else's expense.  These systems are so
fast they can outsmart or outrun other investors, humans and computers
alike. And after growing in the shadows for years, they are generating lots
of talk.

Nearly everyone on Wall Street is wondering how hedge funds and large banks
like Goldman Sachs are making so much money so soon after the financial
system nearly collapsed. High-frequency trading is one answer.  And when a
former Goldman Sachs programmer was accused this month of stealing secret
computer codes - software that a federal prosecutor said could "manipulate
markets in unfair ways" - it only added to the mystery. Goldman acknowledges
that it profits from high-frequency trading, but disputes that it has an
unfair advantage.  Yet high-frequency specialists clearly have an edge over
typical traders, let alone ordinary investors. The Securities and Exchange
Commission says it is examining certain aspects of the strategy. ...

http://www.nytimes.com/2009/07/24/business/24trading.html

------------------------------

Date: Tue, 28 Jul 2009 13:17:58 -0700
From: Joel Baskin <jdbaskin_at_private>
Subject: GPS typo saves couple?

A Swedish couple touring in Italy drove to Carpi instead of Capri due to a
typo.  Who knows if they would have tried to drive to the intended island --
so this may have saved them. :)

This is just another case of user error -- but should GPS systems check
spelling, and if so how? Could there be a database of places with similar
names within defined distances? Extended metadata would be of use -- but
effort would increase quite quickly for several reasons.

http://news.bbc.co.uk/2/hi/europe/8173308.stm

  [Also noted by Rick Moen in the *San Francisco Chronicle* and by Gene
  Wirchenko.  PGN]
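
One way to build the check the post asks about, as an added example that is
not part of the original submission: after the user picks a destination, look
for other places whose names are within one edit (counting a swap of adjacent
letters, as in Carpi/Capri, as a single edit) and within a set radius, and ask
for confirmation if any exist. The gazetteer, its approximate coordinates, the
function names and both thresholds are assumptions made for the illustration.

```python
"""Flag look-alike destinations before routing (added example, constructed data)."""
from math import asin, cos, radians, sin, sqrt

# Constructed gazetteer: name -> (latitude, longitude) in degrees, approximate.
GAZETTEER = {
    "Capri": (40.5532, 14.2222),
    "Carpi": (44.7833, 10.8850),
    "Capua": (41.1056, 14.2139),
    "Como": (45.8081, 9.0852),
}


def osa_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute, and
    transposition of two adjacent characters each cost one edit."""
    a, b = a.casefold(), b.casefold()
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent swap: "rp" typed as "pr" counts once, not twice.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def haversine_km(p, q):
    """Great-circle distance in kilometres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*p, *q))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def confusable_destinations(chosen, gazetteer, max_edits=1, max_km=1000.0):
    """Return [(name, edits, km)] for places easily mistaken for `chosen`.

    A non-empty result means the unit should ask "Did you mean ...?" and show
    how far apart the candidates are before it starts routing.
    """
    origin = gazetteer[chosen]
    hits = []
    for name, coords in gazetteer.items():
        if name == chosen:
            continue
        edits = osa_distance(chosen, name)
        km = haversine_km(origin, coords)
        if edits <= max_edits and km <= max_km:
            hits.append((name, edits, round(km)))
    # Closest spelling first, then nearest place.
    return sorted(hits, key=lambda h: (h[1], h[2]))


if __name__ == "__main__":
    for name, edits, km in confusable_destinations("Carpi", GAZETTEER):
        print(f"Carpi selected; did you mean {name}? ({edits} edit, {km} km away)")
```

The cost the post anticipates shows up in the thresholds: a larger edit
budget or radius catches more typos but prompts the driver more often.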

------------------------------

Date: Wed, 29 Jul 2009 08:14:30 -0400
From: Monty Solomon <monty_at_private>
Subject: How To Hijack 'Every iPhone In The World'

Andy Greenberg, 28 Jul 2009

On Thursday, two researchers plan to reveal an unpatched iPhone bug that
could virally infect phones via SMS.  If you receive a text message on your
iPhone any time after Thursday afternoon containing only a single square
character, Charlie Miller would suggest you turn the device off. Quickly.

That small cipher will likely be your only warning that someone has taken
advantage of a bug that Miller and his fellow cybersecurity researcher
Collin Mulliner plan to publicize Thursday at the Black Hat cybersecurity
conference in Las Vegas. Using a flaw they've found in the iPhone's handling
of text messages, the researchers say they'll demonstrate how to send a
series of mostly invisible SMS bursts that can give a hacker complete power
over any of the smart phone's functions. That includes dialing the phone,
visiting Web sites, turning on the device's camera and microphone and, most
importantly, sending more text messages to further propagate a mass-gadget
hijacking.  ...

http://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html

------------------------------

Date: Tue, 28 Jul 2009 10:55:12 -0700
From: Gene Wirchenko <genew_at_private>
Subject: 10 ways your voice and data can be spied on

1. Wireless keyboard eavesdropping
2. Wired keyboard eavesdropping
3. Laptop eavesdropping via lasers
4. Commercial keyloggers
5. Cell phones as remotely activated bugs
6. Cell phone SIM card compromise
7. Law enforcement wiretapping based on voice print
8. Remote capture of computer data
9. Cable TV as an exploitable network
10. Cell phone monitoring

Some of these ways have been covered in RISKS before.
Item 9 caught my eye:
  Commercially available software claims to capture cell phone conversations
  and texting. Attackers need to get physical access to the phone to upload
  the software that enables this.

  http://www.itbusiness.ca/it/client/en/CDN/News.asp?sub=true&id=54027

------------------------------

Date: Thu, 23 Jul 2009 10:31:34 +0800
From: jidanni_at_private
Subject: The NSA Is still Listening to You

This summer, on a remote stretch of desert in central Utah, the National
Security Agency will begin work on a massive, 1 million-square-foot data
warehouse. Costing more than $1.5 billion, the highly secret facility is
designed to house upward of trillions of intercepted phone calls, e-mail
messages, Internet searches and other communications intercepted by the
agency as part of its expansive eavesdropping operations. The NSA is also
completing work on another data warehouse, this one in San Antonio, Texas,
which will be nearly the size of the Alamodome.

http://informationclearinghouse.info/article23125.htm

------------------------------

Date: Fri, 24 Jul 2009 11:41:27 -0700
From: Gene Wirchenko <genew_at_private>
Subject: Beware of Outdated E-mail Addresses

Twitter hack illustrates danger of chained exploits
http://www.infoworld.com/d/security-central/twitter-hack-illustrates-danger-chained-exploits-535?source=IFWNLE_nlt_daily_2009-07-24

The article discusses a few attacks.  The one that struck me as interesting
is the one at the bottom of page one and top of page two.

  "The second example of a chained exploit is even more intriguing. In this
  case, a malicious hacker broke in to one or more Twitter employees' e-mail
  accounts, then publicly posted both personal and company confidential
  information.

  The hacker accomplished this feat after discovering that a Twitter
  employee used Gmail and that a request for a new password for the account
  would be sent to the employee's Hotmail account. However, the employee had
  not used the Hotmail account in a very long time, so their Hotmail address
  was available for anyone to adopt.

  The hacker registered for the Hotmail address and had Gmail send a
  password reset for the Twitter employee's Gmail account to what was now
  the hacker's Hotmail account. With the new password, the hacker gained
  access to the Twitter employee's Gmail account. Using information found in
  the employee's e-mail, the hacker was able to acquire personal information
  about the employee and data to exploit Twitter's own network. TechCrunch
  has an excellent step-by-step account of the hack."

The TechCrunch link referred to is full of yummy technical details.
<http://www.techcrunch.com/2009/07/19/the-anatomy-of-the-twitter-attack/>
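
A defensive audit for the chain quoted above, as an added example that is not
part of the original post or of either article: treat every password-reset
address as a link in a chain and report the first link that the owner may no
longer control. The inventory, its field names, the sample dates and the
180-day idle threshold are all assumptions made for the illustration.

```python
"""Audit password-recovery chains for abandoned mailboxes (added example)."""
from datetime import date

# Constructed inventory: mailbox -> where its password resets are sent and
# when the owner last logged in. Every name and date here is made up.
INVENTORY = {
    "work@corp.example": {
        "recovery": "personal@mail-a.example", "last_login": date(2009, 7, 1)},
    "personal@mail-a.example": {
        "recovery": "old@mail-b.example", "last_login": date(2009, 6, 28)},
    "old@mail-b.example": {
        "recovery": None, "last_login": date(2007, 2, 3)},
    "ops@corp.example": {
        "recovery": "ops-backup@corp.example", "last_login": date(2009, 8, 1)},
    "ops-backup@corp.example": {
        "recovery": "ops@corp.example", "last_login": date(2009, 7, 20)},
    "intern@corp.example": {
        "recovery": "gone@mail-c.example", "last_login": date(2009, 8, 3)},
}


def recovery_chain_risk(start, inventory, today, max_idle_days=180):
    """Walk the reset chain from `start` and return the first weak link.

    Returns None if every recovery address on the chain is a known mailbox
    with a recent login, else (reason, path) where reason is
      "stale"   - the mailbox has been idle so long that the provider may
                  have released the address for re-registration, or
      "unknown" - the address is not in the inventory, so nobody can say
                  who controls it.
    """
    path, seen, current = [start], {start}, start
    while True:
        nxt = inventory[current]["recovery"]
        if nxt is None:
            return None  # chain ends at a mailbox with no e-mail reset
        path.append(nxt)
        record = inventory.get(nxt)
        if record is None:
            return ("unknown", path)
        if (today - record["last_login"]).days > max_idle_days:
            return ("stale", path)
        if nxt in seen:
            return None  # loop of live mailboxes, nothing further to follow
        seen.add(nxt)
        current = nxt


def audit(inventory, today, max_idle_days=180):
    """Map every mailbox with a weak recovery chain to its (reason, path)."""
    findings = {}
    for mailbox in inventory:
        risk = recovery_chain_risk(mailbox, inventory, today, max_idle_days)
        if risk is not None:
            findings[mailbox] = risk
    return findings


if __name__ == "__main__":
    for mailbox, (reason, path) in audit(INVENTORY, date(2009, 8, 6)).items():
        print(f"{mailbox}: {reason} recovery link via {' -> '.join(path)}")
```

The work mailbox is flagged even though its own recovery address is in
regular use; the weak link is two hops away, which is what makes the chain
easy to overlook.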

------------------------------

Date: Wed, 22 Jul 2009 17:01:31 -0700
From: Ron LaPedis <rlapedis_at_private>
Subject: Funniest security faux pas this week

According to the About Us blurb on their web site, "The Payment Card
Industry (PCI) Knowledge Base (www.KnowPCI.com ) is the largest an
independent research community focused on the security of payment and
related financial and personal data.  Our registered membership includes
approximately 2000 persons, including retailers, hoteliers, academics,
bankers, payment processors, PCI assessors (QSAs), providers of payment
systems and security technologists."

Yet when I registered on the site, their confirmation e-mail contained my
username and password in clear text. I think we already know the RISKS in
that, no?

FOLLOW UP: An e-mail to the founder of the organization resulted in him
asking the webmistress to remove the password from the confirmation e-mail
which she did within the hour. Now THAT is service!

Ron LaPedis, MBCP, MBCI, CISSP-ISSAP, ISSMP  +1 415 939 8887
Seacliff Partners International, LLC
http://seacliffpartners.com Business Continuity & Security Advisors

------------------------------

Date: Wed, 22 Jul 2009 14:37:33 -0700
From: Michael Albaugh <m.e.albaugh_at_private>
Subject: You think Adobe bug reports are tough to submit...

Gene Wirchenko should be glad he was only trying to report a bug.
(RISKS Digest 25.74).

When I upgraded to PageMaker7 (Yes, that long ago, they may have reformed by
now), I got porn-spam within 15 minutes of entering "my e-mail address" into
their online registration.  Yes, it was one I created for this specific
purpose. When I tried to report this, I found that abuse_at_private did not
apparently exist. postmaster_at_private would not accept my e-mail either.

The website kindly directed me to send a registered letter to some
lawyers in Los Angeles, at a post-office box. I found it simpler to
delete the account, as it had served its purpose. I also chose at that
point to never again buy from Adobe.

------------------------------

Date: Wed, 22 Jul 2009 18:20:12 -0400
From: Leonard Finegold <L_at_private>
Subject: Re: Risks of hierarchical map displays (Wallich, RISKS-25.74)

Where was this, and what was the GPS?  Sympathy.  Have experienced just this
for Cathedral Valley, UT (beautifully deserted).  GPS = Garmin Nuvi 350.
Had happily driven around the dirt roads, using the GPS.  Afterwards, I
wanted to check another route in and out, and found just what you did.

PS. Could you just have stopped on the road, presumably no-one around?

------------------------------

Date: Thu, 23 Jul 2009 12:14:31 +1200
From: Gavin Treadgold <gav_at_private>
Subject: Re: Risks of hierarchical map displays (Wallich, RISKS-25.74)

I am most familiar with Garmin handheld and auto GPS units, but this
probably applies to other brands as well. Under Settings > Maps, there
usually exists an option entitled Map Detail. By default on Garmins, it is
set to Normal. It also has options such as Least Detail, Less Detail, More
Detail and Most Detail. If you increase the level of detail, you will see
the roads that exist lower in the hierarchy at a wider zoom level - which is
probably what Paul was attempting to achieve. E.g. roads that previously may
only have been shown at, say, a 500m scale (as set by the map developer) now
become visible up to say 1.2km or 2km scales. A number of units also offer
more granular control of what layers are visible up to what zoom level.

This works well in the countryside, but can be a real problem in cities with
dense road networks as the map display takes longer to redraw, and when it
has redrawn it becomes too cluttered to be readable.

It is certainly possible to force the display of more roads at higher zoom
levels; once again, the risk is actually user awareness of the features of
the device they are using, and how to customise their device to achieve the
desired display.

Gavin, Immediate Past President of the NZ Recreational GPS Society
http://www.gps.org.nz/

------------------------------

Date: Wed, 22 Jul 2009 18:14:40 -0700
From: Gene Wirchenko <genew_at_private>
Subject: Re: Risks of hierarchical map displays (Wallich, RISKS-25.74)

Paul Wallich wrote "I wonder whether such hierarchical displays contribute
to some of the GPS-aided navigation debacles that sometimes grace this
publication -- a driver may have some idea that they're going the wrong way,
but their display doesn't offer enough information to plan a new route
easily, and the psychological pressure to keep moving forward can increase
as conditions get worse."

I have similar problems with Google Maps.  I frequently look up locations
mentioned in articles that I read.  Sometimes, even after zooming out as far
as I can, I still do not know where the location that I am looking at is.

In another case, the urban, residential location indicated was a bit off
from the actual location.  Normally, this would not be of much consequence,
but in this case, between the two locations was a deep gully.

------------------------------

Date: Sun, 26 Jul 2009 23:57:43 +0200
From: "Bertrand Meyer" <Bertrand.Meyer_at_private>
Subject: Industrial object-oriented language made void-safe

Re: Tony Hoare: "Null References: The Billion Dollar Mistake"

In January-February there was a discussion on comp.risks on the risks of
null references, following the publication of a talk abstract by Tony Hoare
(http://qconlondon.com/london-2009/presentation/Null+References:+The+Billion+Dollar+Mistake).

For the past five years we have been working at making Eiffel completely
void-safe ("void" being the same as "null"). Part of the significance of
this work is that we are not dealing with an experimental design but with an
existing industrial language and millions of lines of code that cannot just
be discarded. The mechanism was included in the ECMA/ISO standard for
Eiffel, but a full implementation required upgrading the libraries,
providing a migration path for existing code, and refining the mechanism.
With the release of EiffelStudio 6.4 in June, the language is entirely
void-safe. Our recent paper "Avoid a Void: The eradication of null
dereferencing" describes the challenges of void safety, the design of the
Eiffel mechanism, and the difficulties encountered in making it practical.
It is available at
http://se.ethz.ch/~meyer/publications/hoare/void-safety.pdf.

Bertrand Meyer, Eiffel Software http://www.eiffel.com
ETH Zurich http://se.ethz.ch/~meyer

------------------------------

Date: Wed, 29 Jul 2009 13:11:36 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Ari Juels, Tetraktys, a `cryptographic thriller'

Ari Juels, Tetraktys, Emerald Bay Books, 2009, 351 pages, ISBN 978-0982283707
Reviewed by Ben Rothke
Review from http://books.slashdot.org/story/09/07/29/1313201/Tetraktys

"Imagine for a moment what his novels would read like if Dan Brown got
his facts correct. The challenge Brown and similar authors face is to
write a novel that is both compelling and faithful to the facts. In
Tetraktys, author Ari Juels is able to weave an interesting and
readable story, and stay faithful to the facts. While Brown seemingly
lacks the scientific and academic background needed to write such
fiction, Juels has a Ph.D. in computer science from Berkeley and is
currently the Chief Scientist and director at RSA Laboratories, the
research division of RSA Security."

The book, which might be the world's first cryptographic thriller, tells
the story of Ambrose Jerusalem, a gifted computer security expert, still
haunted by his father's death, a few months shy of his doctorate, who
has a beautiful and loving girlfriend, and a bright future ahead of him.
This is until the government gets involved and Jerusalem's plans are put
on hold when the NSA asks him to join them to track down a strange and
disturbing series of computer breaches.

Tetraktys, like similar thrillers, has its standard set of characters;
from corrupt State Department and World Bank officials, a dashing
protagonist with a long-suffering girlfriend, to mysterious and obscure
terrorist groups. This terrorist group in the book is comprised of
followers of Pythagoras.

As to the title, a tetraktys is a triangular figure of ten points
arranged in four rows, with one, two, three, and four points in each
row. It is a mystical symbol and was most important to the followers of
Pythagoras. While mainly known as the creator of the Pythagorean
theorem, Pythagoras of Samos was an influential Greek mathematician and
founder of the religious movement of Pythagoreanism. Those wanting more
information can watch a video
<http://www.tetraktysnovel.com/?page_id=83> about the symbol.

As to the storyline, the NSA is trying to recruit Ambrose as they feel
that the terrorists, who form a secret cult of followers of Pythagoras,
have broken the RSA public-key algorithm. Breaking RSA is something that
is not expected for many decades, but if a revolution in factoring
numbers were to occur sooner, RSA's demise could happen that much
quicker. And if RSA was indeed broken by the antagonists, it would
undermine the security of nearly every government and financial
institution worldwide and create utter anarchy.

A good part of the book centers on the cult of Pythagoras. Its followers
believe that truth and reality can only be understood via their system
of numbers. The NSA needs Jerusalem's assistance as he is one of the few
people who have the mathematical, classical and philosophical background
to help them. It is he who ultimately connects the dots that the
Pythagoreans have left, which leads to the book's dramatic conclusion.

The book is a most enjoyable read and one is hard pressed to put it down
once they start reading it. The reader gets a good understanding of who
Pythagoras was and his worldview via Juels's weaving of Pythagorean
philosophy into the storyline.

While the book is not autobiographical, there are many similarities
between Ambrose Jerusalem and Ari Juels. From identical initials, to
their lives in events in Berkeley and Cambridge, to RSA and more.

For a first book of fiction, Tetraktys is a great read. As a novelist,
Juels's style approaches that of Umberto Eco, in that he weaves numerous
areas of thought into an integrated story. Like Eco's works, Tetraktys
has an arcane historical figure as part of its storyline, and an
intricate plot that takes the reader on many, and some unexpected,
turns. While not as complex and difficult to read as Eco, Tetraktys is a
remarkable work of fiction for someone with a doctorate in computer
science, not literature.

The book though does have some gaps, but that could be expected for a
first novel. The reader is never sure what the Pythagoreans are really
after or why they have resurfaced, and one of the characters is killed,
for reasons that are not apparent. Readers who want more information can
visit the Tetraktys web site <http://www.tetraktysnovel.com/>.

As to the book's protagonist, Ambrose Jerusalem is to Juels what Jack
Ryan is to Tom Clancy, meaning that his adventures are just beginning,
and that is a good thing.

For those interested in a cryptographic thriller, Tetraktys is an
enjoyable read. The book interlaces Greek philosophy, mathematics, and
modern crime into a cogent theme that is a compelling read. And if the
exploits of Ambrose Jerusalem continue, we may have found the successor
to Umberto Eco.

Ben Rothke is the author of Computer Security: 20 Things Every Employee
Should Know
<http://www.amazon.com/dp/0072262826?tag=benrothkswebp-20&camp=14573&creative=327641&linkCode=as1&creativeASIN=0072262826&adid=1J568GC6NDN92JTGVDP3&>.

------------------------------

Date: Thu, 29 May 2008 07:53:46 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.   The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 25.75
************************