[RISKS] Risks Digest 26.27

From: RISKS List Owner <risko_at_private>
Date: Fri, 31 Dec 2010 16:22:35 PST
RISKS-LIST: Risks-Forum Digest  Friday 31 December 2010  Volume 26 : Issue 27

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/26.27.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Snowstorm plus phone problems beset fliers (Chase/McMahon via Monty Solomon)
US pilot 'probed over YouTube videos of airport lapses' (Amos Shapir)
Car immobilisers easily circumvented by crafty carjackers (Gabe Goldberg)
New drug law will track more prescriptions (Favot/Hailey via Monty Solomon)
Is reading wife's e-mail a crime? Rochester Hills man faces trial
  (L.L. Brasier via Monty Solomon)
Flaws in Tor anonymizer network (Lauren Weinstein)
Banks' Reaction to Broken-Chip-and-PIN is Broken (Peter Bernard Ladkin)
The Gawker hack: how a million passwords were lost (Joseph Bonneau
  via Monty Solomon)
Gawker tech boss admits site security was crap (Gabe Goldberg)
Why You May Want to Avoid Non-ASCII Characters in Your Passwords
  (FJohn Reinke)
When it comes to the cloud, fight it... or join it? (Jeremy Epstein)
Re: WikiLeaks (Amos Shapir)
Cryptographers Chosen to Duke It Out in Final Fight (ACM technews)
RISKS of reusing ID numbers (Geoff Kuenning)
$15 phone, 3 minutes all that's needed to eavesdrop on GSM call (Jon Borland
  via Monty Solomon)
Re: A Pinpoint Beam Strays Invisibly, Harming Instead of Healing (Hal Murray)
Re: Radiation Machines Overdosing Again (Stanley F. Quayle, Barry Gold)
Re: FCC Acts to Preserve Internet Freedom and Openness (Michael Smith)
Re: Google Maps vs. USPS in Wisconsin (Everett W. Howe)
WikiLeaks, Secrets, and Lies - and a new book! (Simon Chesterman)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 29 Dec 2010 12:24:39 -0500
From: Monty Solomon <monty_at_private>
Subject: Snowstorm plus phone problems beset fliers

Katie Johnston Chase and Alexa McMahon, Phone jam-ups stymie fliers;
Airlines unable to handle calls after snowstorm, *The Boston Globe*,
29 Dec 2010

As airlines were scrambling to get flight schedules back to normal
yesterday, stranded travelers were struggling to reach them, sometimes being
left on hold for more than an hour - or worse, disconnected from the call.

Cali Archon of Portsmouth, N.H., tried calling JetBlue Airways for four
hours yesterday morning to rebook her 15-year-old daughter's flight to Fort
Lauderdale, Fla. But each time, after about five minutes of recorded
messages, the system told her: "Please try back at a later time. We are
doing the best we can to manage our call volumes at this time. This call
will end now.''

And then it did. ...

http://www.boston.com/business/articles/2010/12/29/for_stranded_travelers_calling_airlines_its_hurry_up_and_wait/

------------------------------

Date: Sun, 26 Dec 2010 16:46:12 +0200
From: Amos Shapir <amos083_at_private>
Subject: US pilot 'probed over YouTube videos of airport lapses'

This is a classical tale of Shoot the Messenger.  As we all know, TSA's
security is perfect; anyone claiming otherwise is therefore a Terrorist and
would be treated as such.

Full story at (i.a.): http://www.bbc.co.uk/news/world-us-canada-12078040

------------------------------

Date: Sat, 25 Dec 2010 11:06:17 -0500
From: Gabe Goldberg <gabe_at_private>
Subject: Car immobilisers easily circumvented by crafty carjackers

Nothing weaker than 128-bit AES is considered sufficient protection for
e-commerce transactions, but car manufacturers are still using proprietary
40-bit and 48-bit encryption protocols that are vulnerable to brute-force
attacks. Worse still, one unnamed manufacturer used the Vehicle
Identification Number (VIN) as the "secret" key for the immobiliser.

http://www.theregister.co.uk/2010/12/20/car_immobiliser_security_flaws/

------------------------------

Date: Thu, 30 Dec 2010 15:14:15 -0500
From: Monty Solomon <monty_at_private>
Subject: New drug law will track more prescriptions (Favot/Hailey)

[Source: Sarah Favot and Caroline Hailey, New drug law will track more
prescriptions, *MetroWest Daily News*, 26 Dec 2010; long item PGN-ed]
http://www.metrowestdailynews.com/top_stories/x1295283307/New-drug-law-will-track-more-prescriptions

Massachusetts residents face a new routine when they pick up certain
prescription drugs at the pharmacy on 1 Jan 2011.  Under a law passed last
summer, they will have to show a driver's license or another approved ID
before the druggist can give them prescriptions ranging from addictive
opiates to certain medicines for diarrhea. Their purchases will be recorded
in a massive database that will include their names, addresses and the kinds
and amount of pills they take.

The goal of the law is to combat the growing problem of prescription drug
abuse, particularly among teens and young adults. According to one federal
survey, Massachusetts ranked 8th among those 18-to-25 who have used drugs
not prescribed to them.

Mass State Rep. Harriet Stanley: ``This bill is a great example of how costs
increase without you realizing. We thought we had a grip, but we have to
re-look at it this session.''

------------------------------

Date: Wed, 29 Dec 2010 02:08:15 -0500
From: Monty Solomon <monty_at_private>
Subject: Is reading wife's e-mail a crime? Rochester Hills man faces trial

[Source: L.L. BRASIER, *Free Press*, 26 Dec 2010]
http://www.freep.com/article/20101226/NEWS03/12260530/1318

A Rochester Hills man faces up to 5 years in prison -- for reading his
wife's e-mail.  Oakland County prosecutors, relying on a Michigan statute
typically used to prosecute crimes such as identity theft or stealing trade
secrets, have charged Leon Walker, 33, with a felony after he logged onto a
laptop in the home he shared with his wife, Clara Walker.  Using her
password, he accessed her Gmail account and learned she was having an
affair. He now is facing a Feb. 7 trial. She filed for divorce, which was
finalized earlier this month.

Legal experts say it's the first time the statute has been used in a
domestic case, and it might be hard to prove ...

http://www.freep.com/article/20101226/NEWS03/12260530/1318

------------------------------

Date: Tue, 28 Dec 2010 07:57:03 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: Flaws in Tor anonymizer network

  [Network Neutrality Squad]

http://bit.ly/gRa88D  (ars technica)

------------------------------

Date: Tue, 28 Dec 2010 13:27:48 +0100
From: Peter Bernard Ladkin <ladkin_at_private-bielefeld.de>
Subject: Banks' Reaction to Broken-Chip-and-PIN is Broken

The UK Card Association, which represents organisations who offer
financial-card transactions in the UK, has written to the University of
Cambridge, http://www.cl.cam.ac.uk/~rja14/Papers/20101221110342233.pdf ,
asking it not to publish on the WWW some work by Omar Choudary on breaking
the Chip-and-PIN protocol used on most bank debit cards and credit
cards. Reported in The Independent newspaper:
http://www.independent.co.uk/news/education/education-news/banks-attempt-to-suppress-maths-students-expos233-of-chip-and-pin-2170396.html
and on Ross Anderson's Security Group blog
http://www.lightbluetouchpaper.org/ . Choudary's short blog post describing
his work is at
http://www.lightbluetouchpaper.org/2010/10/19/the-smart-card-detective-a-hand-held-emv-interceptor/

The public knowledge that Chip-and-PIN is broken is almost a year old. It
was reported in German trade publications at the beginning of February 2010,
for example
http://www.heise.de/newsticker/meldung/PIN-Pruefung-im-EMV-Verfahren-bei-EC-und-Kreditkarten-ausgehebelt-929528.html
(in German). The original work won a Best Paper award at the IEEE Symposium
on Security and Privacy in May 2010.

Apparently the banks have had about a year to fix a broken protocol and
haven't managed to promulgate one. So now their associations are writing to
people to ask them not to publish. That process has been known to be broken
for far longer than Chip-and-PIN.

On the other hand, maybe the banks shouldn't worry too much about word
getting around. I received in October a letter from American Express saying
that, with their new cards issued in January 2011, rather than just
signature on a transaction, they are introducing Chip-and-PIN "so you are
better protected from card abuse". Hadn't they heard?

Peter Bernard Ladkin, Causalis Limited and University of Bielefeld
www.causalis.com  www.rvs.uni-bielefeld.de

------------------------------

Date: Sun, 26 Dec 2010 11:54:14 -0500
From: Monty Solomon <monty_at_private>
Subject: The Gawker hack: how a million passwords were lost (Joseph Bonneau)

Joseph Bonneau, Lightbluetouchpaper, 15 Dec 2010

Almost a year to the date after the landmark RockYou password hack, we have
seen another large password breach, this time of Gawker Media. While an
order of magnitude smaller, it's still probably the second largest public
compromise of a website's password file, and in many ways it's a more
interesting case than RockYou. The story quickly made it to the mainstream
press, but the reported details are vague and often wrong. I've obtained a
copy of the data (which remains generally available, though Gawker is
attempting to block listing of the torrent files) so I'll try to clarify the
details of the leak and Gawker's password implementation (gleaned mostly
from the readme file provided with the leaked data and from reverse
engineering MySQL dumps). I'll discuss the actual password dataset in a
future post.  ...

http://www.lightbluetouchpaper.org/2010/12/15/the-gawker-hack-how-a-million-passwords-were-lost/

------------------------------

Date: Sat, 25 Dec 2010 11:09:26 -0500
From: Gabe Goldberg <gabe_at_private>
Subject: Gawker tech boss admits site security was crap

Gawker Media plans to overhaul its web infrastructure and require employees
to use two-factor authentication when accessing sensitive documents stored
online, following an embarrassing attack that completely rooted the
publisher's servers.

http://www.theregister.co.uk/2010/12/18/gawker_hack_aftermath/

------------------------------

Date: Thu, 30 Dec 2010 19:17:27 -0500
From: "fj_at_rcc" <fjohn_at_private>
Subject: Why You May Want to Avoid Non-ASCII Characters in Your Passwords

I think these folks misunderstand the concept of "security". The clout comes
from "three strikes and you're locked out". Who cares what character the User
uses? And, limiting its length, specifying a character set, limiting the
character set, or creating other hurdles is downright dumb. Especially when
teamed up with an unlimited number of mistakes.  More and more people are
relying on "password memorize-ers" like Roboform, KeePass, or
LastPass. Seriously, when are folks going to realize how "Julius Caesar-ish"
passwords alone are. Argh!

F.John Reinke, Kendall Park, NJ 08824, http://reinkefaceslife.com
http://www.reinkefj.com   http://www.linkedin.com/in/reinkefj

http://lifehacker.com/5721610/why-you-should-avoid-non+ascii-characters-in-your-passwords

> It does not affect most of our users - If you are not using non-Latin
> characters for your password, there is nothing to do (see wikipedia
> <http://en.wikipedia.org/wiki/ASCII> for more information on the characters
> that are not affected - US-ASCII). *If you do use characters that are
> non-Latin, you should reset your password to ensure it is updated to fully
> support these special characters.*

> Tom also notes that, to help address the problem, "when a person logs
> in with a non-ascii char in password, we prompt them to reset." Read
> up for more details at Gawker Tech.
http://tech.gawker.com/5717059/does-your-password-contain-non+latin-characters
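The Gawker notice quoted above says only that passwords containing non-Latin
characters were "not fully supported" and should be reset; it does not say
what went wrong internally. As an added illustration that is not Gawker's
code and makes no claim about their actual bug, the following Python shows two
ways a password pipeline can mishandle non-ASCII input, and a hashing routine
that avoids both: a lossy encoding (here Latin-1 with replacement) collapses
distinct passwords onto the same bytes, and a non-normalized Unicode string
can hash differently depending on whether the user's keyboard produced a
composed or decomposed form of the same visible character. The sample
passwords are constructed for the example; PBKDF2 with SHA-256 and 100,000
iterations is an assumed, reasonable choice, not anything Gawker used.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

ITERATIONS = 100_000  # assumed work factor for the example


def naive_digest(password: str, encoding: str) -> bytes:
    """Hash whatever bytes one particular encoding produces.

    With errors="replace", characters the encoding cannot represent are
    silently turned into '?', so distinct passwords can collide; and a
    string that is not normalized hashes differently for composed vs.
    decomposed forms of the same character.
    """
    return hashlib.sha256(password.encode(encoding, errors="replace")).digest()


def canonical_bytes(password: str) -> bytes:
    """NFC-normalize, then encode as UTF-8 (lossless for all of Unicode).

    Every visually identical entry of the password now maps to one byte
    string, regardless of client platform or input method.
    """
    return unicodedata.normalize("NFC", password).encode("utf-8")


def make_verifier(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) to store; the salt is random per account."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", canonical_bytes(password), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the same canonicalisation and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", canonical_bytes(password), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample passwords.
    composed = "caf\u00e9"        # 'e' with acute as one code point
    decomposed = "cafe\u0301"     # 'e' followed by a combining acute
    cjk = "\u65e5\u672c\u8a9e"    # three CJK characters

    # Same visible password, two different SHA-256 values when not normalized.
    print(naive_digest(composed, "utf-8") == naive_digest(decomposed, "utf-8"))   # False
    # Lossy encoding: the CJK password and "???" become the same bytes.
    print(naive_digest(cjk, "latin-1") == naive_digest("???", "latin-1"))         # True
    # Canonical pipeline: both forms verify, a wrong password does not.
    salt, stored = make_verifier(decomposed)
    print(verify(composed, salt, stored), verify("cafe", salt, stored))           # True False
```

The fix for an already-deployed system is the one in the quoted notice: users
whose stored hash was computed over ambiguous bytes must set the password
again through the canonical path, since the server cannot recover the original
string from a hash.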

------------------------------

Date: Thu, 23 Dec 2010 09:39:23 -0500
From: Jeremy Epstein <jeremy.j.epstein_at_private>
Subject: When it comes to the cloud, fight it... or join it?

The US Veterans Administration has discovered that its employees in at least
9 hospitals were using commercial providers like Google and Yahoo to store
and share patient information in calendars and other documents, in violation
of VA policies.  The VA CIO says this shows that they need to make more
cloud services available to employees, lest the employees bypass official
systems in favor of commercial systems which do not have the same level of
protection.  (Let's ignore for a moment the assumption that VA systems *are*
any more secure.)

I'm ambivalent about this - on the one hand, just because the service is
available commercially doesn't mean that it should be provided to everyone
in an organization like a VA hospital.  On the other hand, it's pretty clear
that people will bypass security systems if they don't provide adequate
capabilities.  So the security organization is in a difficult position of
what to provide.

There seems a pretty clear parallel to multilevel secure systems -- if it's
too hard to move data from classified to unclassified systems, people will
figure out ways around it (cf Wikileaks).  But does that mean we should
allow easy interconnection and data movement?

http://www.nextgov.com/nextgov/ng_20101222_6852.php

------------------------------

Date: Tue, 21 Dec 2010 17:57:25 +0200
From: Amos Shapir <amos083_at_private>
Subject: Re: WikiLeaks (RISKS-26.25)

> PGN: The resilience of WikiLeaks despite attempts to shut it down is a
> testament to the extreme difficulty governments face in their attempts to
> control the Internet.]

Unfortunately, rejoicing (in this article as well as the previous one about
the inclusion of email within 4th Amendment protection) is premature.  IMHO
the WikiLeaks affair only shows that authorities had not caught up with the
Internet yet; but considering China as a case in point, the future looks
rather bleak.

Just as it is now impossible to drive a car legally on public roads anywhere
in the world without having registered both the vehicle and driver with the
authorities first, the situation in cyberspace is going to gravitate towards
the same level of control.  We all connect through a rather small number of
ISP's, all of whom depend on governments in many ways, and must obey local
laws and regulations.

Once legislators and regulators catch up, sites like WikiLeaks would suffer
the same fate as women driving in Saudi Arabia.  I'm afraid that this is
going to happen sooner than anyone dares to predict.

  [I don't think I was rejoicing!  However, I think the WikiLeaks situation
  has enormous impacts all around -- on the government security policies
  relying on untrustworthy systems, overclassification, etc., and on
  ubiquitous losses of personal privacy for everyone else, for starters.
  The problems exposed here are literally enormous.  PGN]

------------------------------

Date: Wed, 15 Dec 2010 11:28:17 -0500
From: technews_at_private
Subject: Cryptographers Chosen to Duke It Out in Final Fight

ACM TechNews, Wednesday, December 15, 2010
Read the TechNews Online at: http://technews.acm.org
(c) 2010 INFORMATION, INC.
This service may be reproduced for internal distribution.

  [RISKS is sponsored by ACM, and therefore I consider RISKS internal to our
  subscribers.  Please treat this accordingly.  PGN]

ACM TechNews; Wednesday, December 15, 2010
Sponsored by
  http://www.acm.org/careercenter
  http://www.facebook.com/home.php?#/group.php?sid=f763a52a3bbe09f2e99cf6de81463c16&gid=5535958999&ref=search
  http://www.linkedin.com/groups?gid=36836

TheOfficialACM Twitter
http://twitter.com/TheOfficialACM

Cryptographers Chosen to Duke It Out in Final Fight
New Scientist (12/13/10) Celeste Biever

The U.S. National Institute of Standards and Technology (NIST) has selected
five Secure Hash Algorithm (SHA-3) entrants as finalists for its competition
to find a replacement for the gold-standard security algorithm.  The
finalists include BLAKE, devised by a team led by Jean-Philippe Aumasson of
the Swiss company Nagravision, and Skein, which is the work of computer
security expert and blogger Bruce Schneier.  "We picked five finalists that
seemed to have the best combination of confidence in the security of the
algorithm and their performance on a wide range of platforms" such as
desktop computers and servers, says NIST's William Burr.  "We wanted a set
of finalists that were different internally, so that a new attack would be
less likely to damage all of them, just as biological diversity makes it
less likely that a single disease can wipe out all the members of a
species."  The finalists incorporate new design ideas that have arisen in
recent years.  The Keccak algorithm from a team led by STMicroelectronics'
Guido Bertoni uses a novel idea called sponge hash construction to produce a
final string of 1s and 0s.  The teams have until Jan. 16, 2011, to tweak
their algorithms, then an international community of cryptanalysts will
spend a year looking for weaknesses.  NIST will pick a winner in 2012.
http://www.newscientist.com/article/dn19865-cryptographers-chosen-to-duke-it-out-in-final-fight.html
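The item above mentions that Keccak uses a "sponge" construction but does not
say what that is. As an added example, not code from NIST, the Keccak team or
New Scientist, the following Python implements the sponge structure in
miniature: a fixed-width state is split into a public "rate" part that message
blocks are XORed into and a hidden "capacity" part that is never touched by
input or output; a permutation is applied between blocks (absorb), and output
is read from the rate part, re-permuting as needed (squeeze). The permutation
here is a deliberately tiny ChaCha-style ARX round function over a 32-byte
state (assumed for the example; it is invertible but has no security claim),
with a 16-byte rate and 16-byte capacity, so the real Keccak-f[1600] with its
1600-bit state is not what runs below. The padding rule (append a 1 bit, zeros,
then a final 1 bit) is the "pad10*1" rule Keccak uses. Because output is read
from the same stream, the construction naturally produces digests of any
length: a 16-byte output is a prefix of the 48-byte one.

```python
import struct

MASK = 0xFFFFFFFF
STATE_BYTES = 32   # toy state: 8 x 32-bit words
RATE = 16          # bytes absorbed/squeezed per permutation call
CAPACITY = STATE_BYTES - RATE   # hidden part; never exposed
ROUNDS = 8


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def _quarter(s: list, a: int, b: int, c: int, d: int) -> None:
    """ChaCha-style quarter round: add, rotate, xor; each step is invertible."""
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)


def toy_permutation(state: bytearray) -> None:
    """Toy invertible permutation of the whole 32-byte state (NOT secure)."""
    w = list(struct.unpack("<8I", state))
    for rnd in range(ROUNDS):
        w[0] ^= rnd + 1                         # round constant breaks symmetry
        _quarter(w, 0, 1, 2, 3); _quarter(w, 4, 5, 6, 7)   # column-style
        _quarter(w, 0, 5, 2, 7); _quarter(w, 4, 1, 6, 3)   # diagonal-style
    state[:] = struct.pack("<8I", *w)


def pad10star1(msg: bytes, rate: int = RATE) -> bytearray:
    """Keccak-style padding: 1 bit, zeros, 1 bit, to a multiple of the rate.

    At byte level: append 0x01, zero-fill, then set the top bit of the last
    byte (so a message one byte short of a block gets a single 0x81 byte).
    """
    padded = bytearray(msg) + b"\x01"
    padded += b"\x00" * (-len(padded) % rate)
    padded[-1] |= 0x80
    return padded


def sponge_hash(msg: bytes, out_len: int, rate: int = RATE) -> bytes:
    """Absorb msg into the rate part, then squeeze out_len bytes."""
    state = bytearray(STATE_BYTES)
    padded = pad10star1(msg, rate)
    # Absorb: XOR each block into the rate bytes only, then permute.
    for i in range(0, len(padded), rate):
        for j, byte in enumerate(padded[i:i + rate]):
            state[j] ^= byte
        toy_permutation(state)
    # Squeeze: read the rate bytes; permute again whenever more is needed.
    out = bytearray()
    while len(out) < out_len:
        out += state[:rate]
        if len(out) < out_len:
            toy_permutation(state)
    return bytes(out[:out_len])


if __name__ == "__main__":
    print(sponge_hash(b"The quick brown fox", 16).hex())
    print(sponge_hash(b"The quick brown fox", 48).hex())   # starts with the line above
```

The capacity is what gives a sponge its security margin: an attacker who
controls the public rate bytes of the state still has the hidden capacity
bytes to guess, which is why Keccak trades a wider state for a larger
capacity when a higher security level is wanted.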

------------------------------

Date: Sun, 12 Dec 2010 00:14:16 +1300
From: Geoff Kuenning <geoff_at_private>
Subject: RISKS of reusing ID numbers

I recently (a few days ago) purchased an item from the Apple Store as a
Christmas present.  Quite soon, I received an e-mail telling me that it had
been shipped and giving a 9-digit tracking number.

I immediately clicked on the appropriate link, only to learn that my item
had apparently been shipped from Dubai on September 16th and delivered to
Sofia on September 21st.

Hmmm...that didn't seem quite right.

24 hours later, the same Web page listed the tracking number twice,
giving both the Dubai shipment and my own.

With a billion numbers to choose from, WHY are they recycling them so
quickly?  Do they have a clumsy auto-generation algorithm?  If so, the
RISKS are additional and glaringly obvious.

    Geoff Kuenning   geoff@private   http://www.cs.hmc.edu/~geoff/

------------------------------

Date: Wed, 29 Dec 2010 16:39:31 -0500
From: Monty Solomon <monty_at_private>
Subject: $15 phone, 3 minutes all that's needed to eavesdrop on GSM call
  (Jon Borland)

[Source: Jon Borland, wired.com]

Speaking at the Chaos Computer Club (CCC) Congress in Berlin on Tuesday, a
pair of researchers demonstrated a start-to-finish means of eavesdropping on
encrypted GSM cellphone calls and text messages, using only four sub-$15
telephones as network "sniffers," a laptop computer, and a variety of open
source software.

While such capabilities have long been available to law enforcement with the
resources to buy a powerful network-sniffing device for more than $50,000
(remember The Wire?), the pieced-together hack takes advantage of security
flaws and shortcuts in the GSM network operators' technology and operations
to put the power within the reach of almost any motivated tech-savvy
programmer. ...

http://arstechnica.com/gadgets/news/2010/12/15-phone-3-minutes-all-thats-needed-to-eavesdrop-on-gsm-call.ars

------------------------------

Date: Tue, 28 Dec 2010 21:51:42 -0800
From: Hal Murray <hmurray_at_private>
Subject: Re: A Pinpoint Beam Strays Invisibly, Harming Instead of Healing

Re: Radiation Machines Overdosing Again (Ladkin, RISKS-26.26)
http://www.nytimes.com/2010/12/29/health/29radiation.html?partner=rss&emc=rss

The initial accident report offered few details, except to say that an
unidentified hospital had administered radiation overdoses to three patients
during identical medical procedures.

It was not until many months later that the full import of what had happened
in the hospital last year began to surface in urgent nationwide warnings,
which advised doctors to be extra vigilant when using a particular device
that delivers high-intensity, pinpoint radiation to vulnerable parts of the
body.

------------------------------

Date: Thu, 30 Dec 2010 14:10:27 -0500
From: "Stanley F. Quayle" <stan_at_private>
Subject: Re: Radiation Machines Overdosing Again (Ladkin, RISKS-26.26)

> To adopt the de facto standard set by the aviation industry, that some set
> party is deemed liable (in aviation: the airline) and pays compensation?

It might work differently elsewhere, but here in the USA, the "standard"
is to sue everyone: the manufacturer, the airline, the FAA, the pilots,
all the way down to the mechanics that last touched the airplane.

> Isn't it about time that professional engineering bodies took a public stand
> that such events are avoidable and should be avoided?

Most engineering bodies have a code of ethics that includes something
similar to:

  Engineers, in the fulfillment of their professional duties, shall:
  Hold paramount the safety, health, and welfare of the public.

These devices may not have been created by licensed professional engineers.
Most states in the USA allow design and manufacture of equipment without a
license, as long as it is not something like a bridge, dam, or road.  (This is
called the "industrial exemption".)

Stanley F. Quayle, P.E. N8SQ  Quayle Consulting Inc.  +1 614-868-1363
8572 North Spring Ct., Pickerington, OH  43147  USA  http://www.stanq.com

------------------------------

Date: Wed, 29 Dec 2010 22:24:53 -0800
From: Barry Gold <BarryDGold_at_private>
Subject: Re: Radiation Machines Overdosing Again (Ladkin, RISKS-26.26)

> What is there about medical accidents which lets everyone be comparatively
> so complacent about them compared with other walks of life such as
> transportation?

Well, there are a couple of differences.

1. When an airliner crashes, it kills many people.  Big splashy headlines.
That's why the terrorists keep trying for airliners.  They could blow up a
bus, but a bus holds, what? 40 people?  Even a 737 holds 130 people.  A
mid-sized craft like the DC-8 holds over 250, and the 747 can seat over 500.
When there is "operator error" on a medical device, it kills one person.
All told, maybe a dozen people die before the normal checks built into our
hospital & clinic system(*) detect that something is wrong and take
countermeasures: replacing the device, special warnings, whatever it takes.

So a medical device failure just isn't as exciting as an airliner crashing.

2. Harm should be balanced against good.  Let's say you have a choice: you
can build a device and get it out the door in 6 months, or you can adopt
standards equivalent to those used for EAL-7 in the security community, and
get it out five years from now.  How many people will die of cancer or other
treatable diseases during those 4.5 years?  If you kill 5 people with
accidental overdoses, and save 20, aren't you ahead?

[Yeah, I know, but what if I'm one of the 5?  True, but I never know in
advance whether I'll be one of the 5, or one of the 20.  Overall, I'll take
those odds when I have an otherwise fatal -- or debilitating -- disease.]

    [snip]

> Isn't it about time that professional engineering bodies took a public stand
> that such events are avoidable and should be avoided? That devices prone to
> accidents through "operator error" should be taken off the market and
> redesigned? To adopt the de facto standard set by the aviation industry,
> that some set party is deemed liable (in aviation: the airline) and pays
> compensation? (Obvious candidates here would be the manufacturer or the
> hospital; one would then leave it to the insurance industry to negotiate
> contributory payments from other parties, as insurance usually does.)

AFAIK that already happens.  You can bet that every one of the patients
killed (or injured) by an accidental overdose has received compensation, or
soon will.  Does it really make a difference if the initial payer is a
hospital/clinic whose employee "misused" the device, or the manufacturer.
Either way, the insurance industry will sort out who pays how much.

One thing to consider: it is impossible to make something foolproof, because
fools are so ingenious.  I'm reminded of a news story I read a couple of
decades back:

  A nuclear sub came limping into port with inadequate power.  Technicians
  came on board to see what was wrong, and found that one of the engines was
  installed upside down (and hence, wasn't producing much power, if any).
  Now... the engineers who designed the engine knew that it would be
  installed by average Navy seamen -- which is to say, people with an IQ of
  around 100.  Not total dummies, but not especially smart either.  So they
  built it in the shape of a trapezoid: the top and bottom were of different
  widths.  And the space it was installed into was similarly shaped.

That didn't stop the installers.  When it wouldn't fit, they just used a
bigger hammer.

So yes, it would be nice if life-critical systems had better failure modes
and were less subject to operator error.  And in some cases, yes, the
manufacturer could and should have anticipated that and taken appropriate
steps to prevent it.

*But* nothing is ever perfect.  And the perfect is the enemy of the good.

------------------------------

Date: Thu, 30 Dec 2010 12:22:16 +1100
From: Michael Smith <emmenjay_at_private>
Subject: Re: FCC Acts to Preserve Internet Freedom and Openness (R-26.20)

One objection I have heard is that the FCC is overreaching its authority.
Once the precedent is set, we can expect many more internet regulations from
the FCC.

There seems to be an increase in the phenomenon of statutory bodies
unilaterally extending their powers to cover areas that are too contentious
for Congress to tackle.

------------------------------

Date: Wed, 29 Dec 2010 17:16:16 -0800
From: "Everett W. Howe" <however_at_private>
Subject: Re: Google Maps vs. USPS in Wisconsin

You can have all kinds of good clean fun looking to see what Google Maps
does with abbreviations.  For instance, the streets in the neighborhood just
south of

  Twin Trails Neighborhood Park, San Diego, CA

(Google maps link here: http://tinyurl.com/324whky ) have Western-themed names, like

  Cayote Ave
  Sundance Ave
  Cavalry Ct
  Trail Dust Ave
  Old West Ave

and so forth.  But Google Maps thinks that all instances of the word "West" should be abbreviated, so "Old West Ave" is marked as "Old W Ave".

Everett Howe, Center for Communications Research, 4320 Westerra Court
San Diego, CA 92121  http://www.alumni.caltech.edu/~however/

------------------------------

Date: Thu, Dec 2, 2010 at 10:24 PM
From: Simon Chesterman <chesterman_at_private>
Subject: WikiLeaks, Secrets, and Lies - and a new book!

*One Nation Under Surveillance: A New Social Contract to Defend Freedom
Without Sacrificing Liberty* (Oxford University Press, 2011) examines what
limits -- if any -- should be placed on a government's efforts to spy on
its citizens in the name of national security.
www.OneNationUnderSurveillance.net

The Web site also has links to two op-eds discussing current issues in the
debates over security, privacy, and the work of intelligence services.

The first, being distributed through *Project Syndicate*, considers the
recent WikiLeaks revelations. The perverse consequence of this guerrilla
transparency will in fact be greater secrecy, worse decision-making, and
less accountability in the United States and elsewhere.

The second, published in the global edition of the *New York Times*, looks
at the reviews of data protection laws in the United States and Europe
presently underway -- and shows why privacy will lose out.

Simon Chesterman, Vice Dean (Graduate Studies), NUS Law School, Global
Professor & Director, NYU School of Law Singapore Programme, 469G Bukit
Timah Road, Singapore 259776

------------------------------

Date: Thu, 29 May 2008 07:53:46 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.   The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.27
************************