RISKS-LIST: Risks-Forum Digest Saturday 27 November 2010 Volume 26 : Issue 23

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/26.23.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

Contents:
NYCTA forging subway signal inspections (David Lesher)
Failed hard disk stalls New Orleans real estate market (Andrew Klossner)
Access-based cache attack on AES-128 (Bangerter et al.)
Wiseguys Plead Guilty in Ticketmaster Captcha Case (Jim Reisert)
U.S. Shuts Down Web Sites in Piracy Crackdown (Ben Sisario via Monty Solomon)
Deep Pockets have Deep Packets? (Steve Stecklow and Paul Sonne)
Israeli army uses FaceBook to expose draft dodgers (Amos Shapir)
U.S. may require jamming of cell phone use inside vehicles (Various)
Passenger arrested for stripping down to underwear for TSA pat down
  (Peter Houppermans)
Vermont law on drug data mining ruled unconstitutional (Danny Burstein)
When will we learn that digital communication isn't private?
  (Tom Keane via Monty Solomon)
Re: Massive Chinese Net Reroute Exposes Web's Achilles' Heel (Mike Andrews)
Re: New study on adverse events in hospitals (Barbara Zanzig)
Malware Analysts' Cookbook and DVD (Ligh et al., review by Richard Austin)
Cyber Warmongering and Influence Peddling (Gary McGraw)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 20 Nov 2010 00:10:36 -0500
From: David Lesher <wb8foz_at_private>
Subject: NYCTA forging subway signal inspections

NYC Transit supervisors falsified thousands of vital signal inspections across the subway system for years, leaving straphangers at risk for deadly collisions like the one that killed nine people in Washington, D.C., The Post has learned.

Across every line in every borough, a cabal of managers in the signal department forced maintainers to fib on the inspections by threatening them with punishment like loss of overtime, according to a sweeping investigation by the MTA Inspector General.

At least one high-level chief, Tracy Bowdwin -- the MTA's highest earning signal department supervisor at $165,000-a-year -- was demoted in the fallout, and managers are still being questioned, transit sources said. ...
[Source: Heather Haddon, New York Post, 19 Nov 2010; PGN-ed]
<http://www.nypost.com/f/print/news/local/nyc_subway_signal_inspections_falsified_ZUVA7DheupaPwrjF5yoO4M>

Need we discuss the risks of ignoring maintenance and inspections, to save money?

------------------------------

Date: Wed, 24 Nov 2010 15:36:06 -0800
From: Andrew Klossner <andrew_at_private>
Subject: Failed hard disk stalls New Orleans real estate market

Because of a "failure in the hard drive," nobody in New Orleans has been able to close a real estate transaction for over a month. The contractor responsible for making backups apparently didn't.
http://blog.nola.com/crime_impact/print.html?entry=/2010/11/computer_glitch_stalls_orleans.html

------------------------------

Date: Wed, 24 Nov 2010 13:50:25 PST
From: "Peter G. Neumann" <neumann_at_private>
Subject: Access-based cache attack on AES-128

Endre Bangerter, David Gullasch, and Stephan Krenn
*Cache Games - Bringing Access Based Cache Attacks on AES to Practice*
Cryptology ePrint Archive: Report 2010/594
http://bit.ly/ev8KtA (IACR)

Side channel attacks on cryptographic systems are attacks exploiting information gained from physical implementations rather than utilizing theoretical weaknesses of a scheme. In particular, during the last years, major achievements were made for the class of access-driven cache-attacks. The source of information leakage for such attacks are the locations of memory accesses performed by a victim process. In this paper we analyze the case of AES and present an attack which is capable of recovering the full secret key in almost realtime for AES-128, requiring only a very limited number of observed encryptions. Unlike most other attacks, ours neither needs to know the ciphertext, nor does it need to know any information about the plaintext (such as its distribution, etc.). Moreover, for the first time we also show how the plaintext can be recovered without having access to the ciphertext. Further, our spy process can be run under an unprivileged user account. It is the first working attack for implementations using compressed tables, where it is not possible to find out the beginning of AES rounds any more -- a corner stone for all efficient previous attacks. All results of our attack have been demonstrated by a fully working implementation, and do not solely rely on theoretical considerations or simulations. A contribution of probably independent interest is a denial of service attack on the scheduler of current Linux systems (CFS), which allows to monitor memory accesses with novelly high precision.
Finally, we give some generalizations of our attack, and suggest some possible countermeasures which would render our attack impossible.

------------------------------

Date: Sun, 21 Nov 2010 19:38:23 -0700
From: Jim Reisert AD1C <jjreisert_at_private>
Subject: Wiseguys Plead Guilty in Ticketmaster Captcha Case

http://www.wired.com/threatlevel/2010/11/wiseguys-plead-guilty/

I found the last sentence of this paragraph interesting:

"[The defendants] wrote a script that impersonated users trying to access FaceBook, and downloaded hundreds of thousands of possible Captcha challenges from reCaptcha, prosecutors maintained. They identified the file ID of each Captcha challenge and created a database of Captcha `answers' to correspond to each ID. The bot would then identify the file ID of a challenge at Ticketmaster and feed back the corresponding answer. The bot also mimicked human behavior by occasionally making mistakes in typing the answer, authorities said."

Of course it's a risk to have "hundreds of thousands of possible Captcha challenges" available, and be able to exploit them. I find it interesting that their software tried to behave "more human" to shield itself from discovery. Could the script have passed the Turing test?

Jim Reisert AD1C, <jjreisert@private>, http://www.ad1c.us

------------------------------

Date: Sat, 27 Nov 2010 14:48:34 -0500
From: Monty Solomon <monty_at_private>
Subject: U.S. Shuts Down Web Sites in Piracy Crackdown (Ben Sisario)

[Source: Ben Sisario, *The New York Times*, 27 Nov 2010]

In what appears to be the latest phase of a far-reaching federal crackdown on online piracy of music and movies, the Web addresses of a number of sites that facilitate illegal file-sharing were seized this week by Immigration and Customs Enforcement, a division of the Department of Homeland Security.
By Friday morning, visiting the addresses of a handful of sites that either hosted unauthorized copies of films and music or allowed users to search for them elsewhere on the Internet produced a notice that said, in part: "This domain name has been seized by ICE - Homeland Security Investigations, pursuant to a seizure warrant issued by a United States District Court."

In taking over the sites' domain names, or Web addresses, the government effectively redirected any visitors to its own takedown notice. ...

https://www.nytimes.com/2010/11/27/technology/27torrent.html

------------------------------

Date: Wed, 24 Nov 2010 16:46:54 PST
From: "Peter G. Neumann" <neumann_at_private>
Subject: Deep Pockets have Deep Packets?

Shunned Profiling Technology on the Verge of Comeback
Steve Stecklow and Paul Sonne, *Wall Street Journal*

One of the most potentially intrusive technologies for profiling and targeting Internet users with ads is on the verge of a comeback, two years after an outcry by privacy advocates in the U.S. and Britain appeared to kill it.

The technology, known as "deep packet inspection," is capable of reading and analyzing the "packets" of data traveling across the Internet. It can be far more powerful than "cookies" and other techniques commonly used to track people online because it can be used to monitor all online activity, not just Web browsing. Spy agencies use the technology for surveillance.

Now, two U.S. companies, Kindsight Inc. and Phorm Inc., are pitching deep packet inspection services as a way for Internet service providers to claim a share of the lucrative online ad market.

Kindsight and Phorm say they protect people's privacy with steps that include obtaining their consent. They also say they don't use the full power of the technology, and refrain from reading email and analyzing sensitive online activities.
Use of deep packet inspection this way would nonetheless give advertisers the ability to show ads to people based on extremely detailed profiles of their Internet activity.

To persuade Internet users to opt in to be profiled, Kindsight will offer a free security service, while Phorm promises to provide customized web content such as news articles tailored to users' interests. Both would share ad revenue. ...

------------------------------

Date: Wed, 24 Nov 2010 18:02:17 +0200
From: Amos Shapir <amos083_at_private>
Subject: Israeli army uses FaceBook to expose draft dodgers

The Israeli army lets religious women avoid the draft, but recently FaceBook has been used to catch cheaters.

Full story at: http://www.bbc.co.uk/news/world-middle-east-11825100

------------------------------

Date: Fri, 19 Nov 2010 21:11:17 PST
From: "Peter G. Neumann" <neumann_at_private>
Subject: U.S. may require jamming of cell phone use inside vehicles

Original message to which the following is a response, from Lauren Weinstein in Network Neutrality Squad:

U.S. may require jamming of cell phone use inside vehicles
http://bit.ly/deUpGb (Daily Caller)

Two items on this for Secretary LaHood:

1) A dangerous and stupid idea for both technical and (ironically) safety reasons
2) Good (Blankin') Luck getting people to put up with this one

Response from Bob Frankston:

> I can't help but think about legislation requiring every car have a person
> walking in front of it to assure that horses won't get scared. The idea that
> one should use the DNS to control the net is bad enough. The idea that cell
> phones have only one purpose -- talking while driving -- is just as dumb. If
> we ban cell phones
>
> *Passengers won't be able to communicate
> *Navigation systems won't get or provide updates
> *Medical monitors would fail
> *Emergency SMS systems won't be able to warn you about weather conditions.
>
> Well, fighting the last war is Congress' forte.
>
> Next topic TSA probing every cavity ...
Response from ssc:

Date: Fri, 19 Nov 2010 19:21:13 -0500
From: ssc <ssc_at_private-ass.net>

If this comes to pass, I will make a ton of $ removing the jammers from cars. Also, just wait till someone goes to report a crime, an emergency call or an accident and it doesn't go thru, and the law-vultures get involved. This will be a MESS!

Also, as anyone familiar with radio knows (Lauren), radio signals don't respect any territory. Imagine the interference generated, and resulting poor coverage in urban canyons, where cell signals are already overtaxed, and marginal in signal strength. Thousands of cars emitting jamming signals affecting pedestrian traffic will render the devices useless in cities. The result will be phones switching to higher power levels (this is automatic*) and reduced battery life at the bare minimum. At this bare minimum, I'd expect to see a noise floor rise of up to 20db, and interference to adjacent services as well, like GPS (due to uneven mixing in poorly designed jamming transmitters and nearby electronics, remember, cheap is the design imperative here).

Cellular companies had better get out in front of this fast, otherwise, they face the very real prospect of major cities being inhospitable to hand held phones until every one of the interference-mobiles is gone.

* When a cell phone decides it's getting a very weak signal, it automatically increases its power up to a point to better enable it to communicate with what it sees as a poor connection or weak signal. This algorithm is built in to conserve battery while allowing full power for marginal signal conditions. Jamming from multiple vehicles on urban streets will cause this condition to be perceived by the handsets, and as a side effect, exposing the users to higher than necessary RF output than needed to normally make a call when the phone ramps up output power.
Marc

[There is a way -- in theory anyway -- to block cell phone use more selectively (e.g., still allowing 911 calls) and avoiding outright jamming. That's the use of "picocells" to "intercept" cell phones before they reach the primary cellular networks. But this would face immense challenges in the mobile environment as well. Lauren Weinstein, NNSquad Moderator ]

------------------------------

Date: Tue, 23 Nov 2010 11:55:01 +0100
From: Peter Houppermans <peter_at_private>
Subject: Passenger arrested for stripping down to underwear for TSA pat down

It appears we have finally hit a point where people start asking questions.

http://www.nbcsandiego.com/news/local-beat/Passenger-Chooses-Strip-Down-Over-Pat-Down-109872589.html?dr

Through a statement released by his attorney Sunday night, Wolanyk said "TSA needs to see that I'm not carrying any weapons, explosives, or other prohibited substances, I refuse to have images of my naked body viewed by perfect strangers, and having been felt up for the first time by TSA the week prior (I travel frequently) I was not willing to be molested again."

Wolanyk's attorney said that TSA requested his client put his clothes on so he could be patted down properly but his client refused to put his clothes back on. He never refused a pat down, according to his attorney.

Wolanyk was arrested for refusing to complete the security process.

So much for being overly accommodating :-). However, the same article contained a line that was much more worrying:

A woman, identified by Harbor police as Danielle Kelli Hayman, 39, of San Diego was detained for recording the incident on a phone.

Ah, transparency. We've heard of it..

Regards, Peter

------------------------------

Date: Wed, 24 Nov 2010 20:27:29 -0500 (EST)
From: Danny Burstein <dannyb_at_private>
Subject: Vermont law on drug data mining ruled unconstitutional

Vermont law on drug data mining ruled unconstitutional (Sources: Burlington Vt.
news items)

A Vermont law that restricts companies' use of information about the drugs doctors prescribe is unconstitutional on free speech grounds, a federal appeals court ruled Tuesday.

Three companies that gather information on drugs ordered by doctors and then sell the information to pharmaceutical manufacturers -- IMS Health, SDI and Source Healthcare Analytics -- had sued over the so-called data mining law. Passed in 2007, it bans the sale, transmission or use of prescriber-identifiable data for marketing a prescription drug unless the prescribing doctor consents.

A three-judge panel of the U.S. Court of Appeals for the 2nd Circuit said the law is a restriction on commercial free speech that violates the First Amendment.

rest:
http://www.burlingtonfreepress.com/article/20101124/NEWS01/11240310/Vermont-law-on-drug-data-mining-ruled-unconstitutional

------------------------------

Date: Sat, 27 Nov 2010 16:15:41 -0500
From: Monty Solomon <monty_at_private>
Subject: When will we learn that digital communication isn't private? (Tom Keane)

Tom Keane, 20 Nov 2010
Perspective: You've got evidence
When will we learn that digital communication isn't private?

Are scoundrels and villains just stupider today than they once were? It used to be that if you were going to commit a crime or merely be a bit naughty, you'd try to cover your tracks. Getting caught was an outcome to be avoided. Yet now we put our transgressions on display for the world to see.

A case in point comes from the campaign of Tim Cahill, state treasurer and erstwhile independent candidate for governor. In the waning weeks of the race, stories emerged that campaign staffers had allegedly traded e-mails about coordinating activities with the Treasury. If true, that's clearly illegal - public money can't be used for political campaigns. The attorney general is looking into the matter and, while I have no idea where things will end up, heads could roll.
All because, instead of having a meeting about it or even using the telephone, those supposedly involved circulated a bunch of e-mails. Pretty dumb.

If it's any comfort, though, they're hardly alone. Football player Brett Favre faces difficult times of his own for salacious text messages sent to ex-model and New York Jets employee Jenn Sterger. Ditto golfer Tiger Woods and his own paramours. New York gubernatorial candidate Carl Paladino got into trouble for forwarding racist jokes. Florida Representative Mark Foley resigned in 2006 after the unearthing of sexually explicit instant messages he sent a 16-year-old congressional page. The Boeing Corp. ousted CEO Harry Stonecipher over indiscreet e-mails sent to a fellow executive that were found on company servers. E-mails by Goldman Sachs employees seemed to confirm an SEC investigation into investor fraud. Federal investigators uncovered internal company e-mails showing that Enron had illegally manipulated California's electricity markets. The list goes on.

Whether it's e-mailing, texting, Tweeting, blogging, or commenting on the Web, near-instant digital communications dominate our professional and personal lives. From one point of view, these new technologies are just an improvement on old-fashioned talking, writing, telephoning, and faxing. In truth, though, they are vastly different. The old ways had some semblance of privacy, oftentimes because they were legally protected (such as prohibitions against recording conversations) or because of the limits of technology (forwarding letters to thousands at once was logistically complicated).

The most striking difference, however, is the permanence of the new forms of communication. Twenty years ago, if I sent you a letter with inside information on a stock trade, only you and I knew about it. If you were smart, you'd destroy the document and no one would be the wiser. ...
http://www.boston.com/lifestyle/articles/2010/11/28/youve_got_evidence/

------------------------------

Date: Thu, 18 Nov 2010 10:04:40 -0600
From: Mike Andrews <mikea_at_private>
Subject: Re: Massive Chinese Net Reroute Exposes Web's Achilles' Heel (R 26 22)

In Risks Digest 26.22, Steven Cherry <s.cherry_at_private> posted:

: The U.S.-China Economic and Security Review Commission says that for a
: period of 18 minutes last April, China Telecom hijacked 15 percent of
: the world's Web traffic and sent it to servers in China, an accusation
: the state-run organization has denied. Whether the apparent reroute was
: intentional or accidental, it's exposed another weakness in the structure
: of the Web.

Well, as the ads say, "not exactly".

First, it's not a weakness in the structure of the Web, but a (minor?) vulnerability in the structure of the Internet: if someone in China sets up a router so that it claims to be handling traffic for an Autonomous System (AS), some traffic for that AS may be shipped to the Chinese router. Ryan Rawdon, below, comments on the effect of this vulnerability, which is known as a prefix hijack.

A more correct statement, according to Bob Poortinga in a post to the "nanog" mailing list, would be that '15% of the world's network prefixes were "hijacked", but the impact was minimal in the US.'

Ryan Rawdon, following up on Poortinga's correction, wrote

"Also worth pointing out that if this was a normal prefix hijack without them actually delivering the packets to the intended recipient (unlikely the case), then there would be very little TCP data seen. A few packets on existing connections before they time out, and SYNs on new connection attempts. Unless they were able to push the traffic back to another ISP which didn't see their originated routes, things would break more likely than be "routed via" the hijacking AS."

Once again, shock value is more important than getting the facts right.

See also pp.
243-244 (logical pages 251-252) of the 2010 Report to Congress of the U.S.-China Economic and Security Review Commission, at <http://www.uscc.gov/annual_report/2010/annual_report_full_10.pdf>, which explains the hijacking event very much more clearly than does the story at www.technewsworld.com.

------------------------------

Date: Tue, 23 Nov 2010 03:50:08 -0800
From: Barbara Zanzig <bzanzig_at_private>
Subject: Re: New study on adverse events in hospitals (RISKS-26.22)

My mother was hospitalized during the time period mentioned in Rita's report (surrounding October 2008) and died in March 2009. During the two years leading up to her death she was diagnosed with MRSA, a hospital-caused infection; c-diff (clostridium difficile), another hospital-caused infection, although I don't believe she had it; and several other issues. She was a Medicare patient, the sort reported on.

I don't see the RISKS, but from everything my mother went through, as well as the report, cost-cutting on nursing staff by hospitals is a huge part of the reported problem. I watched her nurses. They are vastly underpaid and understaffed, and the nation's serious acute care depends largely on them. They, and the hospitalists, work incredible hours. No wonder they make mistakes.

The report, as well as my mother's care, is a classic description of money and profit trumping actual care. RISKS are only a matter of reporting, and time.

Barbara Zanzig <bzanzig_at_private> Kirkland, WA

------------------------------

Date: Tue, 16 Nov 2010 23:14:51 -0700
From: Peter G Neumann <neumann_at_private>
Subject: Malware Analysts' Cookbook and DVD (Ligh et al., review by Richard Austin)

Review by Richard Austin in IEEE Cipher (IEEE-security.org online newsletter)

Michael Hale Ligh, Steven Adair, Blake Hartstein, and Matthew Richard
Malware Analysts' Cookbook and DVD: Tools and Techniques for Fighting Malicious Code
John Wiley & Sons 2011.
ISBN 978-0-470-61303-0 amazon.com USD37.79
Table of contents: http://media.wiley.com/product_data/excerpt/33/04706130/0470613033-1.pdf

Battling malware has much in common with an arms race - defenders develop new defenses which forces adversaries to adapt and innovate to overcome those defenses, and the cycle repeats ad infinitum. Given this never-ending struggle and the wide prevalence of malware, malicious code analysis is becoming a more important component of the technical repertoire of information security professionals.

For many years the classic starting point for aspiring malware analysts has been Peter Szor's "The Art of Computer Virus Research and Defense" (reviewed in the March, 2005 edition of Cipher by Bob Bruen, see http://ieee-security.org/Cipher/BookReviews/2005/Szor_by_bruen.html) and the "Malware Analyst's Cookbook" provides a valuable update on the state of the art.

At 700+ pages (plus a DVD of tools), this book provides wide coverage of the tools and techniques used by the practicing malware analyst in a very hands-on fashion.

The book is organized into 18 chapters made up of "recipes" that describe the purpose and use of a particular tool or technique. The recipes are clearly presented with illustrations and code snippets used to show the technique in action. The tools DVD uses the same chapter organization and clearly links its contents with the text (a pet peeve of mine is the companion CD/DVD which is nothing more than a blob of tools with no organization whatever). Many references are provided to aid in finding more details or additional information on a particular topic.

The focus is on Windows malware (not surprising since most malware targets that platform) but uses tools that run on Windows, Linux and even MacOS.
Topic coverage is comprehensive and ranges from how to research malware anonymously using Tor or various proxies to the tried-and-true techniques for analyzing suspicious executables or DLL's to cutting-edge topics such as memory forensics.

The substantial value of the book is that it collects, in one place, accessible material on a plethora of useful tools whose documentation is scattered across a universe of project websites and archives. The recipes are much more than a regurgitation of "man" pages and show why a particular tool is useful and how it is applied in a particular situation. The authors gained many "credibility points" in the introduction when they identified and provided links to the compiler and driver kit required to modify their binary tools.

By delving deep into the analysis of malware, the authors provide a master-course in how malware actually works and the devious techniques its creators use to subvert our systems to their purposes (confess, do you really know what an IAT-hook is?).

If there is a criticism of the book, and it is a mild one, it is that it is a cookbook. Reading it front-to-back will cause you to quickly become lost in contemplation of individual trees while remaining blind to the forest. A quick skim with a detailed working-through of several interesting recipes will set the stage for when you later reach for this book in carrying out a particular task.

If you are a technical professional with an interest in or responsibility for malware analysis, this book is a worthy companion to Szor's book and merits a place on your shelf. It will become a familiar reference in answering the question "I wonder how you ...".

- -----
Richard Austin MS, CISSP (http://cse.spsu.edu/raustin2) spent 30+ years in the IT industry holding positions ranging from software developer to security architect before becoming a semi-retired, part-time academic. He welcomes your thoughts and comments on this review at raustin2 at spsu dot edu.
------------------------------

Date: Wed, 24 Nov 2010 15:22:38 -0500
From: Gary McGraw <gem_at_private>
Subject: Cyber Warmongering and Influence Peddling

The RISK of rampant exaggeration and hyperbole when it comes to FUD is payable in terms of privacy and rampant government waste.

Cyber Warmongering and Influence Peddling
http://www.informit.com/articles/article.aspx?p=1662328

In the article we attempt to provide some guidance for policymakers as they cut through the BS in our field. If you have the ears of any relevant policy makers in the government, please pass this on to them.

------------------------------

Date: Thu, 29 May 2008 07:53:46 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.23
************************

Received on Sat Nov 27 2010 - 19:19:32 PST