RISKS-LIST: Risks-Forum Digest  Weds 14 September 2011  Volume 26 : Issue 56

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
<http://catless.ncl.ac.uk/Risks/26.56.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Air France 447: Smart planes still vulnerable to human error (Don Norman)
Re: United Airlines uses 11,000 iPads to take planes paperless (Geoff Kuenning)
Automation in the air dulls pilot skill (AP item)
Many US schools adding iPads, trimming textbooks (Stephanie Reitz via Monty Solomon)
Benefits of IT on Education? (NYTimes)
DigiNotar SSL Security Cert Breach (Gregg Keizer via Gene Wirchenko)
Risks in Google, specifically Gmail (Paul Robinson)
Microsoft posts security bulletins 4 days early, scrambles to fix mistake (Jon Brodkin via Monty Solomon)
$100 Bill: The Fed Has a $110 Billion Problem with New Benjamins (Leonard Finegold)
Re: Bitcoin + Cloud Computing = Approx. USD$231K Up In Smoke (Arno Wagner)
Dutch Government Websites No Longer Secure (Danny Burstein)
Forged Google crypto certificate found in the wild (Lauren Weinstein)
Google+ Security/Privacy Risks? (Tony Bradley via Gene Wirchenko)
The Internet's Secret Back Door (Lauren Weinstein)
Closed, Says Google, but Shops' Signs Say Open (David Segal via Monty Solomon)
Re: Researchers crack APCO P25 public safety encryption ... (Jeremy Ardley)
Re: Visa to adopt chip & pin in the US (David Alexander)
Re: T-Mobile JavaScript comment stripper breaks websites (Amos Shapir)
Re: Yet another incident of over-reliance on GPS navigation (Geoff Kuenning, Amos Shapir)
Man unable to open car from the inside and dies of dehydration (Clive Page)
Patient Data Posted Online in Major Breach of Privacy (Kevin Sack via Monty Solomon)
Cash for iPhones -- spam, scam, or phishing (DoN. Nichols)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sun, 28 Aug 2011 03:12:54 -0700
From: Don Norman <norman_at_private>
Subject: Air France 447: Smart planes still vulnerable to human error

> On flight 447, the handoff from computer to pilots proved fatal for the
> 228 aboard.

I really get annoyed when people quickly and without evidence claim "human error." With regard to the Air France accident, it is far too soon to come to a final judgment.

As for the notion that when automation fails, it just gives up and turns control over to the pilots, well, that problem has been discussed and studied for decades. Many knowledgeable experts in aviation safety have studied and written about this problem. I've written about it in my books and journals. The aviation safety people at NASA Ames have studied it over and over again and made many recommendations, a number of which have been followed.

Readers of RISKS should be sophisticated enough not to jump on the "human error" bandwagon every time it seems convenient.

  [Don, Thanks for rubbing this one in again. In RISKS, we have repeatedly emphasized that blame is usually widely distributable, and that many so-called human errors are the result of inadequacies in requirements, specifications, system designs, implementation inconsistencies and bugs, and so on, but human beings are still always a potential weak link. And yet the poor humans get fingered, because they have fewer champions such as you. PLEASE keep up the good work. Cheers! PGN]

Don Norman, Nielsen Norman Group. KAIST (Daejeon, S. Korea), IDEO Fellow
norman@private  www.jnd.org  http://www.core77.com/blog/columns/
Latest book: "Living with Complexity <http://www.jnd.org/books.html#608>"

------------------------------

Date: Tue, 30 Aug 2011 21:45:50 -0700
From: Geoff Kuenning <geoff_at_private>
Subject: Re: United Airlines uses 11,000 iPads to take planes paperless

But of course passengers will still be prohibited from using those same devices while the pilots have them turned on...

Geoff Kuenning  geoff@private  http://www.cs.hmc.edu/~geoff/

------------------------------

Date: Tue, 30 Aug 2011 02:24:34 -0700
From: Lauren Weinstein <lauren4321_at_private>
Subject: Automation in the air dulls pilot skill

WASHINGTON (AP) -- Are airline pilots forgetting how to fly? As planes become ever more reliant on automation to navigate crowded skies, safety officials worry there will be more deadly accidents traced to pilots who have lost their hands-on instincts in the air....

http://hosted.ap.org/dynamic/stories/U/US_AIRLINE_PILOTS_AUTOMATION?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT

------------------------------

Date: Mon, 5 Sep 2011 02:00:28 -0400
From: Monty Solomon <monty_at_private>
Subject: Many US schools adding iPads, trimming textbooks (Stephanie Reitz)

Stephanie Reitz, Associated Press, 3 Sep 2011

HARTFORD, Conn. -- For incoming freshmen at western Connecticut's suburban Brookfield High School, hefting a backpack weighed down with textbooks is about to give way to tapping out notes and flipping electronic pages on a glossy iPad tablet computer.

A few hours away, every student at Burlington High School near Boston will also start the year with new school-issued iPads, each loaded with electronic textbooks and other online resources in place of traditional bulky texts.

While iPads have rocketed to popularity on many college campuses since Apple Inc. introduced the device in spring 2010, many public secondary schools this fall will move away from textbooks in favor of the lightweight tablet computers.
Apple officials say they know of more than 600 districts that have launched what are called "one-to-one" programs, in which at least one classroom of students is getting iPads for each student to use throughout the school day. Nearly two-thirds of them have begun since July, according to Apple. ...

http://www.boston.com/news/local/massachusetts/articles/2011/09/03/many_us_schools_adding_ipads_trimming_textbooks/

------------------------------

Date: Sun, 4 Sep 2011 8:57:14 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Benefits of IT on Education?

[From D Kross]

As schools embrace digital learning, evidence is scarce that expensive technology is improving education.

http://www.nytimes.com/2011/09/04/technology/technology-in-schools-faces-questions-on-value.html?hp

------------------------------

Date: Tue, 06 Sep 2011 09:40:35 -0700
From: Gene Wirchenko <genew_at_private>
Subject: DigiNotar SSL Security Cert Breach (Gregg Keizer)

Gregg Keizer: Hackers gain ability to impersonate CIA, MI6, Mossad, 6 Sep 2011
http://www.itbusiness.ca/it/client/en/home/News.asp?id=63989

Dutch firm DigiNotar has admitted its network was hacked and SSL security certificates were stolen. The certificates can be used for "man in the middle" attacks.

The tally of digital certificates stolen from a Dutch company in July has exploded to more than 500, including ones for intelligence services like the CIA, the U.K.'s MI6 and Israel's Mossad, a Mozilla developer said Sunday.

The confirmed count of fraudulently-issued SSL (secure socket layer) certificates now stands at 531, said Gervase Markham, a Mozilla developer who is part of the team that has been working to modify Firefox to block all sites signed with the purloined certificates.

Among the affected domains, said Markham, are those for the CIA, MI6, Mossad, Microsoft, Yahoo, Skype, Facebook, Twitter and Microsoft's Windows Update service.

"Now that someone (presumably from Iran) has obtained a legit HTTPS cert for CIA.gov, I wonder if the US gov will pay attention to this mess," Christopher Soghoian, a Washington D.C.-based researcher noted for his work on online privacy, said in a tweet Saturday.

------------------------------

Date: Sun, 11 Sep 2011 10:02:55 -0700 (PDT)
From: Paul Robinson <paul_at_paul-robinson.us>
Subject: Risks in Google, specifically Gmail

Having heard about the problem of the guy whose account with Google was suspended because he was suspected of storing child pornography, I'd like to mention a problem with Google's Gmail that I discovered.

I use Yahoo for web mail. My DNS provider for paul-robinson.us forwards all mail addressed to any address ending in @paul-robinson.us to my mailbox on Yahoo. And Yahoo provides a drop-down selector on its composition option so when I send mail, I can select whether to send it from Yahoo under paul_at_paul-robinson.us or from my Yahoo account number. It works flawlessly, whether someone sends me a message from Yahoo or from any other domain, I get any mail they address to my domain.

The same is not true with Gmail. There is a weird technical problem with Gmail, if a Gmail client sends mail to a domain that redirects its mail - like mine - and the terminating address that the redirection goes to is a Gmail account, Gmail discards the message.

I found this out because my sister has her own domain name, the way I do, and I have mail sent to her domain to redirect to her account, same as I do. She even has the same DNS provider as I do. The difference is, she gets her mail from Gmail, and if a Gmail customer mails something to her domain name, she does not get the mail in her Gmail box.

------------------------------

Date: Sat, 10 Sep 2011 18:55:59 -0400
From: Monty Solomon <monty_at_private>
Subject: Microsoft posts security bulletins 4 days early, scrambles to fix mistake (Jon Brodkin)

Jon Brodkin, ArsTechnica

Each month, there is a clearly defined process Microsoft uses to release security patches to fix flaws in Windows and its other products. On a Thursday, Microsoft releases an advance notification, listing the software affected by the upcoming patches and the type of threat fixed, such as "elevation of privilege" or "remote code execution." But no specific details are released until the following Tuesday, the second Tuesday of each month, when the full security bulletins and accompanying patches are made public.

But this month, the process went awry. The vague advance notification went out as scheduled yesterday. But today, the full security bulletins went live, four days before their scheduled release. We were able to view two of the five security bulletins before Microsoft unpublished them. Given that the security bulletins were unpublished within an hour of their release, give or take, and that they were dated "Tuesday, September 13, 2011" during the brief time they were live, it seems pretty clear someone at Redmond screwed up. ...

http://arstechnica.com/microsoft/news/2011/09/microsoft-posts-security-bulletins-four-days-early-scrambles-to-fix-mistake.ars

------------------------------

Date: Tue, 6 Sep 2011 21:08:10 -0400
From: Leonard Finegold <L_at_private>
Subject: $100 Bill: The Fed Has a $110 Billion Problem with New Benjamins

http://www.cnbc.com/id/40521684/

  [The total face value of the printed but totally unusable new high-tech $100 bills represents more than 10% of the entire supply of U.S. currency on the planet, according to this article. PGN]

------------------------------

Date: Sun, 28 Aug 2011 14:29:05 +0200
From: Arno Wagner <arno_at_private>
Subject: Re: Bitcoin + Cloud Computing = Approx. USD$231K Up In Smoke

This strikes me as a strong indication that Bitcoin cannot be taken seriously, except maybe as an elaborate and well-camouflaged Ponzi-scheme.

The last time I checked, processing credit card information on Amazon EC2 was still not allowed. Forget about any real money transactions. Not only processing Bitcoin transactions there, but in addition doing so without adequate backup, shows a level of unprofessionalism that is staggering. I do not even want to know what serious security problems they had.

On the other hand, this kind of blind enthusiasm and lack of understanding is typical for Ponzi-schemes. Sometimes even the scheme instigators seem to suffer from it and do not see what they are doing. This may be the case here.

Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno_at_private

------------------------------

Date: Sat, 3 Sep 2011 18:18:50 -0400 (EDT)
From: danny burstein <dannyb_at_private>
Subject: Dutch Government Websites No Longer Secure

[Source: dutch daily news]

The Dutch government can no longer guarantee the security of its websites. This means, for instance, that the Internet identification site DigID is no longer reliable, which Dutch residents use for government services. The Dutch Interior Minister Piet Hein Donner has given a press conference in the early hours of Saturday morning to indicate the urgency of the problem.

There is doubt about the reliability of Government sites because the Dutch Internet security company DigiNotar appears to have been hacked on July 19, compromising its security guarantees for "a number of domains, including Dutch Government Websites. ...

http://www.dutchdailynews.com/dutch-government-websites-no-longer-secure/

------------------------------

Date: Mon, 29 Aug 2011 22:12:11 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: Forged Google crypto certificate found in the wild (NNSquad)

"Security researchers have discovered a counterfeit web certificate for Google.com circulating on the internet that gives attackers the encryption keys needed to impersonate Gmail and virtually every other digitally signed Google property."
http://j.mp/oPlzjQ (UK Register)

A couple of notes on this. First, a widely syndicated story on this topic was titled "Hackers acquire Google certificate ..." -- which isn't exactly true, what they acquired was strictly speaking a *forged* Google certificate, an important distinction when certificate revocation is considered.

Secondly, as bad as this is (and regular readers know how critical I've been of both existing PKI certificates and DNS environments), the forged cert alone doesn't provide the ability to perform a man-in-the-middle attack without the added factor of *access* -- either through poisoned DNS diversions, or direct tapping of traffic (e.g. by ISPs/governments), and so on.

------------------------------

Date: Thu, 01 Sep 2011 11:21:24 -0700
From: Gene Wirchenko <genew_at_private>
Subject: Google+ Security/Privacy Risks? (Tony Bradley)

http://blogs.itbusiness.ca/2011/09/privacy-concerns-with-google/

Tony Bradley, Privacy concerns with Google+
[Long item truncated for RISKS]

My issue with Google+ Games is that when I try to play a game I have to first agree to grant the game and its developer various permissions to access and use information from my Google+ Profile -- including my Circles. [...]

------------------------------

Date: Thu, 1 Sep 2011 11:22:15 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: The Internet's Secret Back Door (NNSquad)

"But years before the RIM battle boiled over, other Western companies handed the country a far greater power: the capability to infiltrate the secure system used by most banking, mail, and financing sites, making the most protected data on the Web available to the prying eyes of the emirates' government-connected telecommunications giant."
http://j.mp/rrZIGC (Slate)

------------------------------

Date: Tue, 6 Sep 2011 08:46:36 -0400
From: Monty Solomon <monty_at_private>
Subject: Closed, Says Google, but Shops' Signs Say Open (David Segal)

David Segal, *The New York Times*, 5 Sep 2011

In mid-August, Jason Rule learned some surprising news about the coffee shop that he owns and operates in Hays, Kan.: the place had closed for good.

Not in the real world, where it is thriving. Coffee Rules Lounge was listed for a few days as "permanently closed" on Google Maps. During that time, anyone searching for a latte on a smartphone, for instance, would have assumed the store was a goner.

"We're not far from Interstate 70," said Mr. Rule, "and I have no doubt that a lot of people running up and down that highway just skipped us."

In recent months, plenty of perfectly healthy businesses across the country have expired - sometimes for hours, other times for weeks - though only in the online realm cataloged and curated by Google. The reason is that it is surprisingly easy to report a business as closed in Google Places, the search giant's version of the local Yellow Pages. ...

http://www.nytimes.com/2011/09/06/technology/closed-in-error-on-google-places-merchants-seek-fixes.html

------------------------------

Date: Wed, 14 Sep 2011 19:18:08 +0800
From: Jeremy Ardley <jeremy.ardley_at_private>
Subject: Re: Researchers crack APCO P25 public safety encryption ...

I presently work in the Emergency Services communications sector and am appalled at the desire to encrypt Emergency Services communications in the same way as Police Communications are.

There is a fundamental difference between Police usage and Emergency Service usage. In the Police case there is a possibly understandable desire to keep communications private. In Emergency Services case, the more information that is disseminated the better.

Most of the disasters I have seen unfold are fundamentally hampered by lack of effective communication.
The systems just get overloaded and public information release gets severely choked.

Having news agencies or others monitoring emergency communications may - on the balance of probabilities - just save a few lives. I'm thinking especially about bush fires where prior warning may assist.

The usual Emergency Services communications model results in a big lag between operational orders and information being released to public. Command and Control take the major part of the system's attention. Public communications are pretty low on the rankings.

I realise that simply listening to the communications chat may cause undue worry or even result in misjudged actions resulting in death. I argue that having some information will - in general - give a better result than having no information at all.

The recent Victorian bush fires are a classic example of lack of information flow to the public. The result was hundreds of deaths.

As an aside, one of the major problems in the Victorian bush fires was lack of a common communications network between Emergency Services and Police. Basically the Police couldn't use their radios to talk to Emergency Services units and vice versa. One solution proposed is to move all radio systems to an encrypted Police standard.

In contrast to this, in Western Australia, there is a current program to deploy thousands of radios into the Western Australian Emergency Radio Network (WAERN). These are analogue unencrypted radios designed to allow Emergency Services communications across an area about 2.5 times the total area of Western Europe. Quite how the encrypted Police systems will integrate with this is an as-yet unexplained mystery.

------------------------------

Date: Mon, 29 Aug 2011 22:10:45 +0100 (BST)
From: David Alexander <davidalexander440_at_private>
Subject: Re: Visa to adopt chip & pin in the US

I have studied the technology and security mechanisms behind Chip & PIN in depth through the specialist smart card centre at Royal Holloway College, University of London as part of the studies for my InfoSec MSc. I won't deny that there are means by which they can be improved, but they are a lot less broken than the current mag stripe cards and liability system still in use in the USA and that used to be in effect in Europe.

The banks wouldn't change the system voluntarily because of the implementation costs, so they were forced to by legal and regulatory means - the liability was transferred to them from the customer, which forced their hands. Statistics show that losses from card fraud dropped dramatically when C&P was introduced, and criminals were forced to move a lot of their activities to other areas. It's not perfect but it is much better. Fact.

The terminals do need better anti-tamper protection/detection, and the additional verification system for online purchases (e.g. "Verified by Visa") has definite flaws, especially around the initial enrollment process. Murdoch et al. at Cambridge have done excellent work in highlighting the issues, but a lot of the defences can be implemented in the design of the cards and the terminals, and these are being improved all the time.

I don't know for certain, but I expect that the US system will contain extra security features to reduce the vulnerabilities in the system. For obvious reasons the banks refuse to discuss the details and future plans. They still believe in security by obscurity, even if most of us do not.

As for the reports in other publications, I'm not impressed with the standard of much of their analysis and reporting.
As for the cost of card replacement, they are normally replaced on a 3 year cycle anyway, so the cost of replacement with new cards is nowhere near as high as it first appears.

The C&P cards also allow the introduction of the Chip Authentication Program (google Barclays 'PINSentry') handheld device that can authenticate a cardholder and digitally sign transactions. It improves the security of online banking. Banks in the UK now use them to verify the identity of people at the counter by using them to get the user to prove they know the PIN for the card presented.

In summary, I don't agree that the US banks shouldn't do this. The EU economy now runs on the use of EMV and debit card payments outstrip the use of cash and cheques by a very significant percentage. The size of the EU economy is as big as the US economy and interoperability is essential for travellers and e-commerce. I would also be interested to hear of viable alternatives, I'm not aware of any at the moment.

------------------------------

Date: Wed, 14 Sep 2011 16:05:31 +0200
From: Amos Shapir <amos083_at_private>
Subject: Re: T-Mobile JavaScript comment stripper breaks websites (R 26 55)

Earlier versions of enscript, a pretty-printing utility on UNIX, had a bug which caused it to mis-identify comments within strings and strings within comments, so such constructs would be printed in the wrong font format.

The funny thing was that among the examples which were included with the program, was a pretty-printed listing of the enscript source code itself; the bug had caused the very code which was supposed to deal with these constructs -- which naturally contained strings like "/*" -- to be formatted badly, thus pointing clearly to where the bug was lurking!

------------------------------

Date: Tue, 13 Sep 2011 17:24:39 -0700
From: Geoff Kuenning <geoff_at_private>
Subject: Re: Yet another incident of over-reliance on GPS navigation (Smith, RISKS-26.55)

> Police say 25-year-old Sarah Ho of Boston was driving on the Dover Road in
> South Newfane late Saturday afternoon when she came upon a road closed
> sign. She told police she drove around the sign after seeing other vehicles
> drive around the sign.

I think it's worth noting that this is only partially a GPS-trust issue. Some years ago, my elderly mother was following written directions to my brother's apartment when she discovered that the exit ramp she needed had been closed for construction work. Undeterred, she drove around the barriers and might have caused serious harm had a cop not intervened. (It was shortly thereafter that we banned her from driving in Los Angeles.)

While it's true that people place too much trust in GPS navigation, it's also true that drivers are notorious for ignoring obvious warnings.

Geoff Kuenning  geoff@private  http://www.cs.hmc.edu/~geoff/

------------------------------

Date: Wed, 14 Sep 2011 16:08:52 +0200
From: Amos Shapir <amos083_at_private>
Subject: Re: Yet another incident of over-reliance on GPS navigation (Smith, RISKS-26.55)

The article quotes the driver "She told police she drove around the sign after seeing other vehicles drive around the sign." This seems to be a case of over-reliance on herd mentality, rather than a problem with using GPS.

------------------------------

Date: Sun, 28 Aug 2011 10:46:39 +0100
From: Clive Page <cgp_at_private>
Subject: Man unable to open car from the inside and dies of dehydration

We have a Subaru Legacy with a similar locking system. If the car is locked using the button on the key-fob the doors cannot be opened from the inside: this is supposedly an anti-theft feature.
In addition if you unlock the doors using this button but fail to open at least one door within a minute, the doors are re-locked.

These features made me worried that an electronic fault could trap us inside. For this reason I bought a hammer designed to break toughened glass windows and installed it in a handy position by the driving seat. Perhaps all cars with anti-theft locking systems should have one fitted as standard. Sometimes a mechanical over-ride is good to have.

------------------------------

Date: Thu, 8 Sep 2011 18:56:31 -0400
From: Monty Solomon <monty_at_private>
Subject: Patient Data Posted Online in Major Breach of Privacy (Kevin Sack)

Kevin Sack, *The New York Times*, 8 Sep 2011
http://www.nytimes.com/2011/09/09/us/09breach.html

A medical privacy breach involving Stanford Hospital in Palo Alto, Calif., led to the public posting of data for 20,000 emergency room patients, including names and diagnosis codes, on a commercial Web site for nearly a year, the hospital has confirmed.

Since discovering the breach last month, the hospital has been investigating how a detailed spreadsheet made its way from one of its vendors, a billing contractor identified as Multi-Specialty Collection Services, to a Web site called Student of Fortune, which allows students to solicit paid assistance with their schoolwork. Gary Migdol, a spokesman for Stanford Hospital and Clinics, said the spreadsheet first appeared on the site on Sept. 9, 2010, as an attachment to a question about how to convert the data into a bar graph.

Although medical security breaches are not uncommon, the Stanford breach was notable for the length of time that the data remained publicly available without detection. ...

------------------------------

Date: Tue, 13 Sep 2011 20:02:57 -0400
From: "DoN. Nichols" <dnichols_at_d-and-d.com>
Subject: Cash for iPhones -- spam, scam, or phishing

Today, in processing the spam which managed to sneak past my filters I found one (personally addressed to me, not BCC'd) offering cash for old iPhones -- regardless of condition.

Now -- my first thought (other than noting that I have never owned an iPhone, so what makes them think that I have used ones) was "How difficult is it to totally remove all personal information from an iPhone -- especially a non-jailbroken one."

A bit of searching seems to find similar places buying laptops and cell phones, offering a high initial price, and then discovering all kinds of reasons to drop their price to practically nothing. So, it appears that they do pay at least something for them -- but as little as possible.

I, personally, would drill through any chips which might store information rather than sell a used iPhone (if I had one) to such a place. (Or more likely, try to turn it into a portable device running linux or similar to play with, but not to use for phone communication.)

But how many blindly turn over their used devices with no thought to what information they may be releasing.

(703) 938-4564  http://www.d-and-d.com/dnichols/DoN.html

------------------------------

Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe.
 You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.
 Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
   or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones:
   http://catless.ncl.ac.uk/w/r
   <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
    is no longer maintained up-to-date except for recent election problems.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.56
************************
Received on Wed Sep 14 2011 - 21:43:02 PDT