[RISKS] Risks Digest 26.07

From: RISKS List Owner <risko_at_private>
Date: Sat, 29 May 2010 20:42:49 PDT
RISKS-LIST: Risks-Forum Digest  Saturday 29 May 2010  Volume 26 : Issue 07

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/26.07.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Drilling for Certainty (David Brooks via PGN)
US Navy's Electro-Magnetic Aircraft Launch System software problem
  (Bruce Horrocks)
It's not just the camera in the laptop (Jeremy Epstein)
Caller ID Spoofing Puts Innocent Man In Jail (Joe Shortsleeve via
  Monty Solomon)
Pre-canned GSM eavesdropping (David Magda)
Video eye to scan for Newton parking lapses, will speed ticketing
  (Peter Schworm via Monty Solomon)
Trafficking in Human Data (Jason Roberson via PGN)
4000 echocardiograms lost on a computer read by technicians (DKRoss via PGN)
Measuring crisis response time (Peter Houppermans)
Cyber attack 'could fell US within 15 minutes' (Matthew Kruk)
Galaxy 15 satellite out of control, posing interference threat
  (Lauren Weinstein)
$42.9 million slot jackpot should have been $20 (Jim Reisert)
Affair outed by cellphone records (Gene Wirchenko)
Risks of remote administration, especially with bad crypto
  (Alexander Klimov)
Encrypted Google Web search (Google via Monty Solomon)
Google Streetview inadvertently Captured Unencrypted Wi-Fi Data
  (Bob Gezelter)
IBM distributes virus-laden USB keys at security conference (Matthew Kruk)
Scientist Infects Himself With Computer Virus (Palmer/Maija)
Re: More Virus Protection Woes (Jonathan de Boyne Pollard)
Re: The Stock Market Fiasco of 6 May 2010 (Bob Frankston)
KNX: "Think Before You Friend!" -- How Facebook Can Seriously Bite
  (Lauren Weinstein)
Re: Risks of RFID car keys (Jonathan de Boyne Pollard)
Re: Wikipedia risks to personal reputation (RISKS-26.06)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 21 May 2010 20:11:19 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Drilling for Certainty

David Brooks (*The New York Times* Op Ed, 28 May 2010, A19 Nat'l Edition)
had a very timely column that is right in line with many RISKS topics.

  "If there is one thing we've learned, it is that humans are not great
  at measuring and responding to risk when placed in situations too
  complicated to understand." ... "There must be ways to improve the choice
  architecture --- to help people guard against risk creep, false security,
  groupthink, the good-news bias [`people tend to spread good news and hide
  bad news'] and all of the rest."

------------------------------

Date: Wed, 12 May 2010 19:16:11 +0100
From: Bruce Horrocks <bruce_at_private>
Subject: US Navy's Electro-Magnetic Aircraft Launch System software problem

<http://www.theregister.co.uk/2010/05/12/emals_backfire/>

The article describes an incident where, apparently, a test of the US Navy's
new Electro-Magnetic Aircraft Launch System (EMALS) failed because it
unexpectedly went in reverse, destroying 'important equipment' and delaying
the program by several months. The failure has been blamed on a software
problem.

Given that such a device only has two possible ways to move - forwards or
backwards - one wonders just how it happened. However, I'm sure that it is
far more complicated than I realise.

What is most risky is the attitude of EMALS programme chief Captain Randy
Mahr who says, "The things that are delaying me right now are software
integration issues, which can be fine-tuned after the equipment is installed
in the ship."

I think most RISKS readers will agree that on-board ship will be the worst
place to finish the software. (However it will be the best place in order to
claim to your paymasters that the project is complete and operational - bar
a minor software glitch that may not happen again. And even if it does, it
may not kill or injure anyone as long as we remember to tell everyone to
stand well away from the back of the machine as well as the front.)

------------------------------

Date: Fri, 21 May 2010 08:47:22 -0400
From: Jeremy Epstein <jeremy.j.epstein_at_private>
Subject: It's not just the camera in the laptop

Risks tend to be worse when there are independent pieces which may be
relatively safe, but put together in unsafe ways.  Bad practices also help.
Here's a good example with all of the above.

As described in RISKS-25.95 and 25.97, a school district in Pennsylvania
provided laptops to students equipped with the LanRev software, which allows
remotely enabling the camera.  While initially claimed to be used to track
down stolen units, the school district is alleged to have used the camera to
spy on students, including capturing pictures of students in their homes in
various states of undress.  [The students' lawyers claim that through the
discovery process they've found thousands of pictures, which the court is
allowing the families to review, which makes the "track down stolen units"
argument suspect.]

The LanRev software in the laptop works by querying a server every few
seconds for commands.  It turns out that the software uses a fixed
encryption key (the same for all instances of the software worldwide), so
once you have the key, if you can get in the middle, you can issue commands
to the client that it will believe.  The Wired article describing this
weakness talks about being on the same network as the laptop (e.g., common
Wifi network) to jump in the middle, but of course it can also be done by
redirecting the client through DNS or BGP to a site that the attacker
controls.  And once you can impersonate the server, you can tell the client
to do anything, including running arbitrary programs.

So the risk is the combination of:
* Poor use of encryption (fixed shared key)
* Lack of a reliable way to get to a server (no protection against DNS, BGP,
  or MITM attacks)
* Application software running with full system access (lack of least
  privilege)
* Cameras that give no reliable indication of when they're on (there's a
  light on some cameras, but it's software-controlled - and I'm guessing
  that LanRev doesn't turn it on since their product is designed to use in
  case the equipment is stolen to remotely enable the camera)
* The purchaser (the school district) not knowing what questions to ask
  before buying/installing the software

[The vendor selling the LanRev software says they're releasing a new version
that uses SSL/TLS, which will address many of these problems.  Amazing to me
that with open source TLS implementations (e.g., OpenSSL), there's anyone
still rolling their own crypto....]

http://www.wired.com/threatlevel/2010/05/lanrev/

------------------------------

Date: Wed, 12 May 2010 21:37:28 -0400
From: Monty Solomon <monty_at_private>
Subject: Caller ID Spoofing Puts Innocent Man In Jail (Joe Shortsleeve)

[Source: Joe Shortsleeve, Caller ID Spoofing Puts Innocent Man In Jail, WBZ,
11 May 2010]

Imagine police bursting into your home, handcuffing you, and then locking
you up for days for something you did not do.  The I-Team says that is
exactly what happened to a Quincy man, and WBZ's Chief Correspondent Joe
Shortsleeve says this man was set up by someone using a popular technology.
The man does not want people to know his name, but he recounted that cold
winter night a year ago when he was making cupcakes in his kitchen. ...

http://wbztv.com/local/man.arrested.innocent.2.1686484.html

------------------------------

Date: Tue, 11 May 2010 11:47:56 -0400
From: "David Magda" <dmagda_at_private>
Subject: Pre-canned GSM eavesdropping

A company called Meganet has released a product that allows you to
eavesdrop on GSM signals. From the "Engadget" article:

> The ["Dominator I"] system consists of two nondescript white boxes, two
> directional antennas that you'll point in the direction of your victim,
> and a laptop that you can use to get a glimpse at all of the phones
> currently connected to your nearest cell site and record up to four active
> calls simultaneously [...]. It can't do the 128-bit A5/3 used in UMTS, but
> now that it's been cracked in a somewhat practical way, we're sure the
> Dominator II can't be far behind.

http://tinyurl.com/2wdsu6y
http://www.engadget.com/2010/05/10/meganets-dominator-i-snoops-on-four-gsm-convos-at-once-fits-in/

The product is not yet listed on their web page:

http://www.meganet.com/

Time to change the cipher I guess.

------------------------------

Date: Sun, 16 May 2010 17:08:26 -0400
From: Monty Solomon <monty_at_private>
Subject: Video eye to scan for Newton parking lapses, will speed ticketing

[Source: Peter Schworm, *The Boston Globe*, 10 May 2010; PGN-ed]

Newton MA is acquiring three $50K automatic license plate recognition
devices with a panoramic video camera, laptop computer, and sophisticated
software to detect cars that have been parked too long that sounds an alert
to write a ticket.

Similar technology has been put to use by a number of police departments
across the state in recent years, but largely to enforce outstanding arrest
warrants or hunt for serious offenders.  Some communities, including Boston,
use such a system to locate repeat parking offenders.

http://www.boston.com/news/local/massachusetts/articles/2010/05/10/newton_goes_high_tech_vs_parking_violators/

------------------------------

Date: Thu, 20 May 2010 18:50:55 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Trafficking in Human Data (Jason Roberson)

Device design for gathering data and billing rather than safety?

[Source: Jason Roberson, Hospitals criticized over offers to earn or save
money by sharing electronic patient data, *The Dallas Morning News* item, 18
May 2010, thanks to dkross.  PGN-ed]
http://www.dallasnews.com/sharedcontent/dws/bus/stories/051810dnbuspatientprivacy.1372a8f4.html

``The $45 billion set aside for electronic health records in the federal
government's 2009 stimulus package created a carrot-and-stick approach to
lure providers into the electronic age.  Physician practices could be paid
up to $44,000 over five years, and hospitals could get a maximum of $15.9
million to install systems that comply with federal rules.  On the other
hand, the government would penalize providers that don't participate,
reducing their Medicare and Medicaid payments by 1 percent beginning in
2015. In later years, the penalty grows to 3 percent.''

But with the promises of efficiency come questions of privacy.  Dallas-based
Tenet Healthcare Corp.'s vendor has been criticized for sharing patient data
with drug companies. Fort Worth's Cook Children's Health Care System
potential vendor may offer physician customers discounts for sharing patient
data.  Three other hospitals anticipate sharing records.

Dr. Deborah Peel, founder of Patient Privacy Rights, questions whether a
patient's most confidential information in their medical records, such as
psychological treatment or HIV testing, will be secure at those hospitals.
"Once your information is released, it's like a sex tape that lives in
perpetuity in cyberspace," Peel said. "You can never get it back."


------------------------------

Date: Fri, 28 May 2010 15:13:27 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: 4000 echocardiograms lost on a computer read by technicians

  [From D.K.Ross]

http://manhattan.ny1.com/content/top_stories/119355/heart-tests-went-unread-for-years-at-harlem-hospital

------------------------------

Date: Fri, 28 May 2010 12:18:01 +0200
From: Peter Houppermans <peter_at_private>
Subject: Measuring crisis response time

Apologies for the self promotion, but I keep getting good feedback for my
simple, non-technical method of determining Business Continuity Management
agility:

  1. Take a copy of your BCM/BCP guide.
  2. Carry it to a safe place.
  3. Set fire to it and measure how long it burns.

Background here: http://bit.ly/alOheK.

Given that these manuals can serve in possible loss-of-life situations I'm
not quite sure how someone can supply this in good conscience, but I'm
positive this will start a healthy debate.

------------------------------

Date: Sat, 8 May 2010 17:14:06 -0600
From: "Matthew Kruk" <mkrukg_at_private>
Subject: Cyber attack 'could fell US within 15 minutes'

http://www.telegraph.co.uk/news/worldnews/northamerica/usa/7691500/Cyber-attack-could-fell-US-within-15-minutes.html

The US must prepare itself for a full-scale cyber attack which could cause
death and destruction across the country in less than 15 minutes, according
to Richard Clarke, former anti-terrorism Tsar to Bill Clinton and George W
Bush.  Clarke claims that America's lack of preparation for the annexing of
its computer system by terrorists could lead to an "electronic Pearl
Harbor".  In his warning, Mr Clarke paints a doomsday scenario in which the
problems start with the collapse of one of Pentagon's computer networks.
[Source: Alex Spillius in Washington, *The Telegraph*, 07 May 2010; PGNed]

------------------------------

Date: Sun, 9 May 2010 17:25:59 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: Galaxy 15 satellite out of control, posing interference threat

  [From the Network Neutrality Squad list]

Galaxy 15 satellite out of control, posing interference threat to
other satellites
http://bit.ly/bjrL9m  (Christian Science Monitor)

------------------------------

Date: Wed, 19 May 2010 15:28:47 -0600
From: Jim Reisert AD1C <jjreisert_at_private>
Subject: $42.9 million slot jackpot should have been $20

*The Denver Post*
http://www.denverpost.com/ci_15117714

The correct prize for an apparent $42.9 million slot machine jackpot that a
Thornton woman hit at a Central City casino should have been $20.18,
Colorado gaming regulators said [19 May 2010].  The errant jackpot appeared
on a "Price is Right" penny slot at Fortune Valley Hotel & Casino on March
26 after Louise Chavez made a minimum bet of 40 cents.

The Colorado Division of Gaming's forensic investigation found that the slot
machine malfunctioned and displayed the wrong payout because of errors in
"mathematical calculations built into the game software."

Interesting that it was a mathematical error, and not a mechanical one.  I
guess someone missed testing this corner case!  Certainly in this case, the
Price WASN'T Right!

Jim Reisert AD1C, <jjreisert@private>, http://www.ad1c.us

------------------------------

Date: Tue, 18 May 2010 09:07:53 -0700
From: Gene Wirchenko <genew_at_private>
Subject: Affair outed by cellphone records

  Mom who cheated on husband says Rogers bill outed her affair and broke up
  her marriage because her Rogers cellphone bill exposed her extramarital
  affair, and is suing Rogers.  [Source: "The Daily News" of Kamloops, BC,
  Canada, 2010-05-18, p. A7; PGNed]

Well, this is an interesting mess.  This raises questions.  The answers will
vary by jurisdiction.

* When can a service provider combine billing?  What are the privacy
  implications, and how are they covered by law?

* If the invoice and surrounding matters are evidence for this trial, what
  about a claim by the ex-husband for breach of marriage contract?  Note
  that the husband is not limited to seeking merely $600,000, but might seek
  more.

* While adultery is not a criminal offence in Canada, it is grounds for
  divorce.  Consequently, it is reasonable to argue that adultery is not in
  the public interest.  Criminal activity would not be protected by privacy
  laws, but should such a situation be protected?  Would the answer change
  if the husband caught a sexually-transmitted disease as a result of his
  wife's affair?  Why or why not?

------------------------------

Date: Tue, 25 May 2010 15:32:33 +0300
From: Alexander Klimov <alserkli_at_private>
Subject: Risks of remote administration, especially with bad crypto

I guess most readers remember the story when a remote administration
program "Absolute Manage" was used to spy on students at home via
their laptop web-cams. Recent analysis
<http://www.freedom-to-tinker.com/blog/jhalderm/schools-laptop-spying-software-exploitable-anywhere>
shows that one does not need to be a sysadmin in that school to
exploit it.

Turns out that software uses a fixed (hard-coded) Blowfish key for all its
encryption and a 7-digit number (SeedValue) for authentication. As a result
all communication can be easily decrypted once intercepted.  In addition it
is possible in about four hours of guessing to find the SeedValue used by
each client for its server authentication (the same number is used by all
clients of a server) and send commands to a client even without a need for
network data interception.
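
[Added example, not part of the original posting and not the vendor's
protocol: a Python sketch of why one key shared by every install cannot
authenticate the server (the weakness described here and in Jeremy Epstein's
item above), beside a per-device key with a replay counter.  All names, keys
and the command string are constructed for illustration; the sketch covers
command authentication only and does not replace TLS.]

```python
import hashlib
import hmac
import math
import secrets

# Constructed stand-in for a key compiled into every copy of an agent.
GLOBAL_KEY = b"same-key-in-every-install"

# A 7-digit numeric secret has 10**7 possible values (about 23 bits).
SEED_SPACE = 10 ** 7
SEED_BITS = math.log2(SEED_SPACE)


def mac(key: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields (prefixes avoid ambiguity)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        h.update(len(f).to_bytes(4, "big") + f)
    return h.digest()


class SharedKeyAgent:
    """Weak design: any command that verifies under the global key is obeyed."""

    def accept(self, command: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(tag, mac(GLOBAL_KEY, command))


class PerDeviceAgent:
    """Hardened design: unique key, tag bound to device id and a counter."""

    def __init__(self, device_id: bytes, key: bytes):
        self.device_id = device_id
        self.key = key
        self.last_counter = 0  # highest counter accepted so far

    def accept(self, counter: int, command: bytes, tag: bytes) -> bool:
        expected = mac(self.key, self.device_id,
                       counter.to_bytes(8, "big"), command)
        if not hmac.compare_digest(tag, expected):
            return False  # forged, or issued for a different device
        if counter <= self.last_counter:
            return False  # replay of a previously accepted command
        self.last_counter = counter
        return True


class Server:
    """Holds one random 256-bit key and one counter per enrolled device."""

    def __init__(self):
        self.keys = {}
        self.counters = {}

    def enroll(self, device_id: bytes) -> PerDeviceAgent:
        self.keys[device_id] = secrets.token_bytes(32)
        self.counters[device_id] = 0
        return PerDeviceAgent(device_id, self.keys[device_id])

    def issue(self, device_id: bytes, command: bytes):
        self.counters[device_id] += 1
        c = self.counters[device_id]
        tag = mac(self.keys[device_id], device_id, c.to_bytes(8, "big"), command)
        return c, command, tag


def demo() -> dict:
    cmd = b"report-location"  # constructed, harmless command name
    out = {}
    # Whoever holds one copy of the software holds GLOBAL_KEY, so a tag made
    # by a third party is indistinguishable from one made by the real server.
    out["shared_key_accepts_third_party"] = SharedKeyAgent().accept(
        cmd, mac(GLOBAL_KEY, cmd))

    server = Server()
    a = server.enroll(b"laptop-A")
    b = server.enroll(b"laptop-B")
    msg = server.issue(b"laptop-A", cmd)
    out["genuine_accepted"] = a.accept(*msg)
    out["replay_rejected"] = not a.accept(*msg)
    out["other_device_rejected"] = not b.accept(*msg)
    # A key recovered from laptop-B is useless against laptop-A.
    tag_b = mac(b.key, b"laptop-A", (2).to_bytes(8, "big"), cmd)
    out["key_from_B_rejected_by_A"] = not a.accept(2, cmd, tag_b)
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
    print(f"7-digit secret: about {SEED_BITS:.1f} bits, versus 256 per device key")
```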

------------------------------

Date: Sat, 22 May 2010 09:22:43 -0400
From: Monty Solomon <monty_at_private>
Subject: Encrypted Google Web search

Search more securely with encrypted Google Web search, 21 May 2010

As people spend more time on the Internet, they want greater control over
who has access to their online communications. Many Internet services use
what are known as Secure Sockets Layer (SSL) connections to encrypt
information that travels between your computer and their service. Usually
recognized by a web address starting with "https" or a browser lock icon,
this technology is regularly used by online banking sites and e-commerce
websites. Other sites may also implement SSL in a more limited fashion, for
example, to help protect your passwords when you enter your login
information.

Years ago Google added SSL encryption to products ranging from Gmail to
Google Docs and others, and we continue to enable encryption on more
services. Like banking and e-commerce sites, Google's encryption extends
beyond login passwords to the entire service. This session-wide encryption
is a significant privacy advantage over systems that only encrypt login
pages and credit card information.  Early this year, we took an important
step forward by making SSL the default setting for all Gmail users. And
today we're gradually rolling out a new choice to search more securely at
https://www.google.com. ...

http://googleblog.blogspot.com/2010/05/search-more-securely-with-encrypted.html

SSL Search
http://www.google.com/support/websearch/bin/answer.py?answer=173733&hl=en

------------------------------

Date: Sat, 15 May 2010 06:43:38 -0500
From: Bob Gezelter <gezelter_at_private>
Subject: Google Streetview inadvertently Captured Unencrypted Wi-Fi Data

An article that originally appeared in Bits, one of the online Blogs
maintained by staff of *The New York Times* has been repeated on the
first business page of today's paper.

Apparently, it has been disclosed that Google's Streetview imaging vehicles
were also taking note of Wi-Fi networks they encountered in their surveys.
The details of what happened are contained in the underlying Google blog
post at:
  http://googleblog.blogspot.com/2010/05/wifi-data-collection-update.html

It appears to be a case of code reuse with under-appreciated side effects.
Then again, unencrypted Wi-Fi should probably only be used for otherwise
encrypted traffic (e.g., VPN, SSH, HTTPS) with properly administered keys.

All in all, since the Google Streetview vehicles were not in any one place
for any length of time, the danger of this is low. It is certainly not cost
effective for an organization to trawl through a large geographic space
looking for interesting data. The hazard is more credible with more local,
non-roving threats, who acquire data over a longer period of time.

Morals of the story:
  1) Encrypt your home network
  2) Use public Wi-Fi as a carrier for otherwise enciphered traffic

I noted the utility of public, unencrypted Wi-Fi as a "dial-tone" for
otherwise secured communications (e.g., VPN) in a series of talks under the
auspices of the IEEE Computer Society Distinguished Visitor Program.  "Safe
Computing in the Age of Ubiquitous Connectivity", a paper presenting this
material was presented at LISAT 2007. A reprint of this paper is available
at: http://www.rlgsc.com/ieee/longisland/2007/ubiquitous.html

The New York Times article is at:
  http://www.nytimes.com/2010/05/15/business/15google.html?hpw

CNN/Money has also published an account, at:
  http://money.cnn.com/2010/05/14/technology/Google_mistaken_wifi_collection/index.htm

Bob Gezelter, http://www.rlgsc.com

------------------------------

Date: Sat, 22 May 2010 13:34:41 -0600
From: "Matthew Kruk" <mkrukg_at_private>
Subject: IBM distributes virus-laden USB keys at security conference

IBM distributes virus-laden USB keys at security conference
ASHER MOSES
May 21, 2010

IBM has been left with egg on its face after it distributed virus-laden USB
keys to attendees at Australia's biggest computer security conference.

Delegates of the AusCERT conference, held over the past week at the Royal
Pines Resort on the Gold Coast, were told about the malware problem in a
warning email this afternoon by IBM Australia chief technologist Glenn
Wightwick.

The incident is ironic because conference attendees include the who's who of
the computer security world and IBM was there to show off its security
credentials. ...

http://www.smh.com.au/technology/security/ibm-distributes-virusladen-usb-keys-at-security-conference-20100521-w1gv.html

------------------------------

Date: Wed, 26 May 2010 16:24:36 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Scientist Infects Himself With Computer Virus

[Source: Palmer/Maija, *Financial Times* 26 May 2010;
Excerpted from ACM TechNews, 26 May 2010.  PGN]

University of Reading scientist Mark Gasson has deliberately infected
himself with a computer virus in order to study the potential risks of
implanting electronic devices in humans.  Gasson implanted a radio frequency
identification chip into his left hand last year.  The chip, which is about
the size of a grain of rice, gives him secure access to Reading's buildings
and his mobile phone.  Gasson then introduced a computer virus into the
chip.  He says the infected microchip contaminated the system that was used
to communicate with it, and notes that it would have infected any other
devices it was connected to.  Gasson says the experiment provides a "glimpse
at the problems of tomorrow," considering devices such as heart pacemakers
and cochlear implants are essentially mini-computers that communicate,
store, and manipulate data.  "This means that, like mainstream computers,
they can be infected by viruses and the technology will need to keep pace
with this so that implants, including medical devices, can be safely used in
the future," he says.
  http://www.ft.com/cms/s/0/2e2f5ea4-68b5-11df-96f1-00144feab49a.html

------------------------------

Date: Sat, 08 May 2010 13:33:02 +0100
From: Jonathan de Boyne Pollard <J.deBoynePollard-newsgroups_at_private>
Subject: Re: More Virus Protection Woes (Brady, RISKS 26.04)

As a former Microsoft MVP myself, I append a note of caution to M. Brady's
pointing to a Usenet conversation between one Microsoft MVP (Robear Dyer)
and xyrself, misattributed to "the MS MVPs".  MVPs don't represent Microsoft
in any way.  Nor do MVPs work for Microsoft.  (Robear Dyer's potted
autobiography at James A. Eshelman's Windows Support Centre WWW site states
that xe works for a vineyard.)  MVPs are helpful experts that Microsoft has
chosen to recognize for their on-line contributions.  They are not a formal
organization or a club, with a collective voice, but individuals in receipt
of (annual) awards of a title.

For more information, read http://mvps.org./about/ and
http://aumha.org./ as well as, of course, Microsoft's own WWW pages
about the MVP award programme.

------------------------------

Date: Fri, 14 May 2010 11:43:04 -0400
From: "Bob Frankston" <Bob19-0501_at_private>
Subject: Re: The Stock Market Fiasco of 6 May 2010 (RISKS-26.06)

A *NYTimes* story debunks the fat finger theory and the problem of
individual markets trying to correct these aberrations.
http://www.nytimes.com/2010/05/14/business/14norris.html?ref=business It
also calls to mind the recent understanding of rogue waves
(http://en.wikipedia.org/wiki/Rogue_wave) which didn't fit into the classic
models. As per the NYT article I don't want to claim any understanding of
the particular complex phenomena but I do feel that our tendency towards
analog continuous models fails us when digital or quantizing effects are
interacting.

------------------------------

Date: Thu, 13 May 2010 16:55:30 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: KNX: "Think Before You Friend!" -- How Facebook Can Seriously Bite

  [NNSquad]

L.A. newsradio station KNX has been running a series on how various entities
-- real estate agents, landlords, banks, and other financial institutions,
are using the data they find on Facebook to make decisions about real-world
matters with tremendous impact on individual lives.  Say too much, and you
might get burned.  Look like you're too private, and they might think you're
hiding something.

The entire series to date is available here:
  http://bit.ly/aPRDCa  (KNX 1070 Los Angeles)

------------------------------

Date: Sat, 08 May 2010 13:35:49 +0100
From: Jonathan de Boyne Pollard <J.deBoynePollard-newsgroups_at_private>
Subject: Re: Risks of RFID car keys (Garret, RISKS-26.04)

Garret writes of a passive RFID device that xe does not have to be in direct
physical possession of, or even know the location of; that xe doesn't have
to formally present to a security device, or take any overt action in order
to operate; that a miscreant with suitable transponders located near to
M. Garret's home/hotel room/backpack can make use of remotely, without
necessarily trespassing upon M. Garret's property at all or having any sort
of physical access to xyr belongings or even cracking the encryption; that
will nonetheless enable M. Garret and such miscreants to access and to drive
M. Garret's (rented) car.  These are not new problems, of course.  Bruce
Schneier and Avi Rubin, amongst others, wrote about them almost half a
decade ago.  My first reaction, upon reading this latest article, was blunt:
Why is anybody still calling such devices "keys"?  They are clearly not.

Perhaps RISKS readers can come up with more suitable names.

------------------------------

Date: Wed, 19 May 2010 14:32:06 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Re: Wikipedia risks to personal reputation (RISKS-26.06)

Quite a few of our RISKS readers pointed out that the long message from
Edward Nilges in the previous issue was not really an appropriate item nor
was it sufficiently related to Computer-Related Risks, suggesting that I
erred in including it in RISKS-26.06.  I agree.  I erred, and apologize.

------------------------------

Date: Thu, 29 May 2008 07:53:46 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.   The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.07
************************