[RISKS] Risks Digest 26.91

From: RISKS List Owner <risko_at_private>
Date: Wed, 11 Jul 2012 5:15:20 PDT
RISKS-LIST: Risks-Forum Digest  Wednesday 11 June 2012  Volume 26 : Issue 91

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/26.91.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Stuxnet Parallels to Voting Security (Rebecca T Mercuri)
Campaigns to Track Voters with "Political Cookies" (Lauren Weinstein)
A320 Lost 2 of 3 Hydraulic Systems on takeoff (PGN)
Risks of the Spent Fuel Pool in Reactor Building 4 at Fukushima Daiichi
  (Peter Bernard Ladkin)
More on Fukushima (Richard I. Cook via PGN)
San Diego fireworks suffer a *slight* glitch... (David Lesher)
Botched computer "upgrade" in sixth day of transactions chaos at RBS
  (Peter Bernard Ladkin)
RBS computer failure condemns man to spend weekend in the cells
  (Gabe Goldberg)
Time isn't on my side; Lesson: Look before you leap... (Henry Baker)
Drones: Yet another reason to keep your sextant at hand (Danny Burstein)
Scientists crack RSA SecurID 800 tokens, steal cryptographic keys
  (Lauren Weinstein)
Bugs in source code cannot be used in DUI cases in Minnesota (Ben Blout)
RAND: Cyberdeterrence and Cyberwar (Lauren Weinstein)
France shutting down their /once groundbreaking/ Minitel service
  (Lauren Weinstein)
UK considers broad Web site blocking by default (Lauren Weinstein)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 10 Jul 2012 12:45:13 -0400
From: RTMercuri <notable_at_private>
Subject: Stuxnet Parallels to Voting Security

I had occasion to attend the NIKSUN World Wide Security and Mobility
Conference (WWSMC) on July 9, 2012 in Princeton, NJ. The day's closing
speaker was Mr. Barry Lyons, CISSP, Cyber Architect, Northrop Grumman
Information Systems, on the topic of "STUXNET/FLAME: The Next Generation of
Hideous Cyber Attacks." During the Q&A session at the end of the talk, I
questioned Barry's characterization of the STUXNET components as "new" and
"game changing" and asked him what led him to believe this was the case,
especially since prior research (such as in voting machines) had already
revealed many similar vulnerabilities and potential exploits. In response,
he hopped down off of the stage (he was wearing a wireless microphone),
traveled through a large portion of the audience to just in front of where I
was sitting, and asserted that voting machines were somehow different
because they were "computers." (The talk as well as the Q&A portion was
recorded by IEEEtv, and I will provide a link when it becomes available, to
the Risks Digest.)

I thought that readers of Risks would be interested in seeing my follow-up
email message to Mr. Lyons (prompted by his suggestion that we should
continue the conversation later), along with his insightful reply (at the
bottom):

----- Original Message -----
Subject: Your Stuxnet Talk
Date: Tue, 10 Jul 2012 11:18:59 -0400
From: RTMercuri <notable_at_private>
To: barry.lyons_at_private

Barry --

Apparently I hit a nerve last evening with my question about the potential
exploits of programmable logic controllers having been warned about, years
prior to the advent of Stuxnet. Upon returning home, I glanced through my
Ph.D. dissertation (Electronic Vote Tabulation: Checks & Balances, publicly
defended October 27, 2000 at the School of Engineering and Applied Science
of the University of Pennsylvania, freely downloadable at
http://www.cis.upenn.edu/grad/documents/mercuri-r.pdf), and located (pages
49-50) the portion of the paragraph that I had recalled writing some 12
years ago, as follows:

"But just because tampering with the software may not be the easiest method
does not mean that it has not or will not be done. Thompson's [Footnote: Ken
Thompson, "Reflections on Trusting Trust," Communications of the ACM, August
1984] implication is that the hooks and backdoors, particularly those within
compilers and operating systems, exist and have already been proliferated
invisibly throughout the industry. Under this view, software rigging is
assumed to have already happened, rather than just a speculative
possibility. One could extend these assumptions as well to the
hardware. Presently there is nothing that restricts vendors from using
custom integrated circuit chips in the DREs [Direct Recording Electronic
voting machines], and some do, even for the CPUs.  It is not inconceivable
that a crafty individual could devise a set of microcoded instructions that
would be activated only under certain situations. Reliance on any particular
vendor or brand of components would therefore increase vulnerability. Some
chips now even permit internally reconfigurable microcode as well as
microarchitecture, and such a self-modifying CPU could erase any trace of
its own subroutines once they were executed. With election dates and times
being well-known and predictable, this could occur within the space of
microseconds during the voting session."

This description is most certainly generically predictive of targeted
long-term attacks on specialized hardware, from particular vendors,
established in air-gapped networks, that can exploit vulnerabilities such as
those presented with programmable logic controllers. As well, numerous
researchers (including Harri Hursti in 2005 and Ed Felten in 2006) have
repeatedly demonstrated that removable memory units (such as those that
establish ballot configurations for elections) can be compromised such that
the system will generate false reports, as well as assist in the
dissemination of malware that is transferable from machine to machine. The
parallels to Stuxnet are clearly obvious.

I had thought that you would welcome the opportunity to explain, or at least
acknowledge, to the WWSMC conference audience, the fact that many salient
aspects of the Stuxnet approach were indeed exploits of long-known
vulnerabilities. Instead, I was rather surprised that you chose to continue
with head-in-the-sand assertions that Stuxnet was somehow new and also a
"game changer." I recognize that it is embarrassing that your employer,
Northrop Grumman (and many other large firms relied on by the U.S. and other
governments to provide security advice and protection), was caught with its
pants down in being unaware of particular design flaws common to many
critical infrastructure systems (including those that elect the officials
that authorize payment for your security analysis and training contracts
with our tax dollars).  But to pretend that the possibility of such attacks
had not been well-publicized by highly-regarded computer security experts,
years before Stuxnet, is foolhardy, since it perpetuates the illusion that
systems developers need not keep abreast of all such advance warnings in the
scientific literature.

Certainly, rogue government agents, malcontents, and recreational hackers,
have their ears to the ground in monitoring these computer security
discussions, as their proof-of-concept attacks continue to illustrate. This
started with the Morris Worm in 1988, with its exploit of UNIX security
flaws previously exposed by the hacker's father (some believe that the elder
Morris may have intentionally put his son up to the challenge or
conveniently provided the tools and information necessary to perform the
attack, after the scientist's earlier admonishments in this regard were not
taken seriously by the technical community). Indeed, Robert Sr.'s remarks
(to the NY Times, November 5, 1988), that the worm "has raised the public
awareness to a considerable degree" and that "it is likely to make people
more careful and more attentive to vulnerabilities in the future," are not
much different, especially in their naivete, from your "game changer"
assertions.

As you continue in your role as a security evangelist, I would urge you to
modify your take-home messages, such as in talks on Stuxnet and other
NextGen attacks, to include warnings that the development of malware does
not occur in a vacuum. Security experts need to be as well-informed (if not
more so) on the evolving exploitable design flaws, as those who intend to
compromise it already are. If not, then we are most certainly conceding the
future CyberWars to the opposition. In fact, we may have already lost the
upcoming battles. Good predictive security means that fewer reactive
band-aids should need to be used and less loss may occur.  In this regard,
Dr. Pruthi and his colleagues at NIKSUN are to be commended for raising the
bar on "knowing the unknown" especially by bringing such warnings to the
attention of the security community while there is still time to consider
redesigns, instead of encouraging reliance on after-the-fact mitigation
methods.

I welcome your thoughts and hope to continue this dialogue.

Rebecca Mercuri, Ph.D., Notable Software, Inc.

----- Reply -----
Subject: Re: EXT :Your Stuxnet Talk
Date: Tue, 10 Jul 2012 16:10:52 +0000
From: Lyons, Barry (IS) <barry.lyons_at_private>
To: 'notable_at_private' <notable_at_private>

Dear Dr. Mercuri,

Wishing you success in all endeavors.

Barry Lyons, CISSP
Sent from BlackBerry - please forgive errors.

------------------------------

Date: Wed, 27 Jun 2012 08:07:16 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: Campaigns to Track Voters with "Political Cookies"

http://j.mp/M4qHis  (Technology Review via NNSquad)

  "The firm gathers publicly available voter files from all 50 states and
  supplements this with records of political donations and other profiles
  purchased from commercial data brokers, says CEO Jeff Dittus.  Then,
  working with about 100 high-traffic websites that register their users,
  they can match the offline data to the online identities of individuals."

While I generally feel that way too much angst is directed at Web site ad
personalization and related tracking, the creepy line is breached for me
when non-Web activities (and related identity linkages at some level) are
merged with online actions, especially without users' active notification
and specific informed consent.  This is particularly of concern when
political activities are involved, since the main goal of such systems seems
to be to pitch what cynical observers of the political process might call
personalized lies.  The underlying technology is not new.  I've been
publicly discussing what I consider to be abuses in this realm by Aristotle,
in postings I've made since late in the last century!  And to see Aristotle
now salivating at the prospect of how online voting would play into all this
has to be one of the most chilling warnings against the utterly unworkable
and dangerous concept of online voting that has yet been explicitly stated,
albeit unintentionally.

------------------------------

Date: Mon, 25 Jun 2012 10:34:30 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: A320 Lost 2 of 3 Hydraulic Systems on takeoff

Interesting story from aero-news.net [Thanks to Ira Rimson.]

A JetBlue A320 on a flight from Las Vegas to New York Tuesday reportedly
lost two of its three hydraulic systems during the flight, which forced the
pilot to circle an area south of the Nevada city for four hours burning off
enough fuel to make a safe landing. Passengers described the experience as
the airplane "careening wildly through the sky" as it made steep turns and
"lurched from side to side."

One of the pilots of the plane told ATC that "we've lost two hydraulic
systems," and declared an emergency, according to a report in the New York
Post. JetBlue confirmed that the incident occurred.

The plane, which had just departed from Las Vegas, carried five hours of
fuel. The A320 is unable to dump fuel, so the pilot had to stay airborne
while it was burned off. One passenger described the flight as "four hours
of hell." Another described "an obvious metal screeching" just as the
airplane lifted off from McCarran International Airport.

Dave Esser, an ERAU professor based in Florida, said that the side-to-side
swerving was a likely sign of a loss of lateral control. But Esser said the
passengers were not in serious danger because of the backup systems and
redundancies built into the Airbus. However, an Airbus manual indicated
that the simultaneous failure of two hydraulic systems is "improbable in
operation."

The airplane did eventually land safely. The FAA and NTSB will conduct an
investigation.

------------------------------

Date: Tue, 26 Jun 2012 08:07:21 +0200
From: Peter Bernard Ladkin <ladkin_at_private-bielefeld.de>
Subject: Risks of the Spent Fuel Pool in Reactor Building 4 at Fukushima
  Daiichi (Yurman, RISKS-28.87)

In RISKS-28.87, Dan Yurman tries to reassure us about the state of the Spent
Fuel Pool in Reactor Building 4 at Fukushima Daiichi nuclear power
plant. Yurman cites an article by Will Davis on a blog at the American
Nuclear Society.

Yurman's note seems to me to be little more than propaganda, and Davis's
account is flawed. There are obvious reasons to continue to worry about the
state of this Spent Fuel Pool (SFP4), about its structural stability, as
well as the continued viability of its ad-hoc cooling system.

As far as I know, there is no public hazard analysis of the state of SFP4;
neither do I know of an engineering assessment of it independent of Tepco.

Such an independent assessment seems to me to be required. There are
instances in which engineering representations in which Tepco has been
involved, for example assessing the INES Level of the situation at Reactors
5 and 6, have misled as to the true situation. That is surely something
which would have been noted in an adequate report on engineering
performance, yet Tepco has recently produced one and "exonerates itself",
according to the New York Times' Hiroko Tabuchi.
http://www.nytimes.com/2012/06/21/world/asia/tepco-operator-of-fukushima-exonerates-itself-in-report.html
It "never hid information, never underplayed the extent of fuel meltdown and
certainly never considered abandoning the ravaged site. It asserts that
government interference in the disaster response created confusion and
delays."

The worst case outcome of a structural failure of SFP4 is nowhere near
benign, as Davis suggests.  The chances of that worst-case outcome are
neither zero nor negligible. These two observations alone suffice to vitiate
the claims of Yurman and Davis.

I wrote an extended essay at
http://www.abnormaldistribution.org/2012/06/05/concerns-about-spent-fuel-pool-4-at-fukushima-daiichi/

Peter Bernard Ladkin, University of Bielefeld and Causalis Limited

------------------------------

Date: Sun, 8 Jul 2012 9:13:20 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Fukushima

  [From Richard I. Cook, MD]

http://naiic.go.jp/en/report/
http://naiic.go.jp/en/about/chairmans-message/

Chairman's message

``...nuclear power became an unstoppable force, immune to scrutiny by civil
society. Its regulation was entrusted to the same government bureaucracy
responsible for its promotion. At a time when Japan's self-confidence was
soaring, a tightly knit elite with enormous financial resources had
diminishing regard for anything `not invented here.'

``This conceit was reinforced by the collective mindset of Japanese
bureaucracy, by which the first duty of any individual bureaucrat is to
defend the interests of his organization. Carried to an extreme, this led
bureaucrats to put organizational interests ahead of their paramount duty to
protect public safety.

``Only by grasping this mindset can one understand how Japan's nuclear
industry managed to avoid absorbing the critical lessons learned from Three
Mile Island and Chernobyl; and how it became accepted practice to resist
regulatory pressure and cover up small-scale accidents. It was this mindset
that led to the disaster at the Fukushima Daiichi Nuclear Plant...''

------------------------------

Date: Thu, 05 Jul 2012 19:59:59 -0400
From: David Lesher <wb8foz_at_private>
Subject: San Diego fireworks suffer a *slight* glitch...

and a 20+ minute show goes off in 15 seconds....

I'm shocked to read that:

  Garden State co-owner August Santore spoke to KPBS media partner Channel
  10 News. He said the mishap wasn't due to human error or firework
  technology, but to a corrupt computer file.

<http://www.kpbs.org/news/2012/jul/05/sd-bay-fireworks-show-major-misfire/>

  [Corrupt, eh?  I'm really shocked that a computer file would be so evil.
  PGN]

------------------------------

Date: Tue, 26 Jun 2012 07:39:01 +0200
From: Peter Bernard Ladkin <ladkin_at_private-bielefeld.de>
Subject: Botched computer "upgrade" in sixth day of transactions chaos at RBS

Last Tuesday, 19 Jun 2012, the Royal Bank of Scotland upgraded a computer
system associated with transaction processing. It didn't go well. The
transaction-processing system, which apparently processes up to 10 million
transactions per day, was not able to keep up with demand.

*The Guardian* is reporting that up to 13 million customers of RBS and
subsidiary banks, including NatWest and Ulster Bank, have been unable to
access account information. Payments, including automatic payments on loans,
have not been made. The Financial Services Authority, which regulates
banking and finance in GB, is demanding a "complete account" of the
problems.

The bank branches have been open later hours, until 7pm, to enable personal
transactions for people after work, and were also open Sunday, for which
7,000 temporary staff were hired, according to the Guardian.

I have no technical details. The public reports seem to be somewhat shy of
details. I don't know whether it is SW, HW, or SW+HW, and I don't know which
system is involved; whether it is the transaction-processing system itself
or some other interconnected system.

Stephen Hester, chief executive of RBS, says the bank is "well on the way to
recovery" from the problems. Reports from customers on Monday, 25 June, were
that many were no longer experiencing problems.

Suppose that such computerised highly-connected transaction-processing
systems have been in place for 40 years (Wikipedia suggests that the first
"modern" ATMs, which were enabled for simultaneous transaction processing,
came into use in 1972 in the UK, although I remember them first from Wells
Fargo Bank in California in the mid-late 1970's.) At 8,760 hours in the year
(or 8,784 in a leap year), 40 years represents about 350,000 operating
hours. Looking at it another way, if there is a major system upgrade once a
week, then 40 years represents about 20,000 system upgrades. Not that these
figures give much of a guide to reliability (for example, the systems have
changed almost unrecognisably in this time), upgrading a running TP system
seems not to be an operation which one would call ultrareliable, given the
meaning of that term in the critical-systems community.

Peter Bernard Ladkin, Causalis Limited and University of Bielefeld

  [Also noted by Wendy Grossman.  PGN]
http://www.guardian.co.uk/technology/2012/jun/25/how-natwest-it-meltdown

------------------------------

Date: Tue, 26 Jun 2012 10:36:12 -0400
From: Gabe Goldberg <gabe_at_private>
Subject: RBS computer failure condemns man to spend weekend in the cells

Companies are of course responsible for problems caused by shortcuts,
mistakes, malfeasance. But it's not clear who's the villain here -- if there
is one. Offshoring jobs is mentioned but not conclusively implicated. The
company's mostly apologetic tone seems appropriate (though more explanation
would have helped) and the last couple sentences are correct:

Things go wrong. Things go wrong in technology. We have to learn the lessons
from what went wrong here and try to make them less likely to happen in the
future.

RBS computer failure condemns man to spend weekend in the cells - Telegraph
[Source: *The Telegraph*]

http://www.telegraph.co.uk/finance/personalfinance/consumertips/banking/9355467/RBS-computer-failure-condemns-man-to-spend-weekend-in-the-cells.html

Gabriel Goldberg, Computers and Publishing, Inc.       gabe_at_private
3401 Silver Maple Place, Falls Church, VA 22042           (703) 204-0433

------------------------------

Date: Tue, 03 Jul 2012 07:57:15 -0700
From: Henry Baker <hbaker1_at_private>
Subject: Time isn't on my side; Lesson: Look before you leap...

http://seekingalpha.com/article/699681-big-cloud-lessons-from-a-bad-weekend?source=yahoo

"Yelp (YELP), Reddit, and LinkedIn (LNKD) all suffered problems from the
addition of a "leap second" at midnight on Saturday, aimed at synchronizing
Internet time with the atomic clocks of real time.  Those systems with
configurations expecting 60 second minutes were knocked down, and although
they quickly got back up it was embarrassing."

------------------------------

Date: Thu, 28 Jun 2012 15:45:36 -0400 (EDT)
From: danny burstein <dannyb_at_private>
Subject: Drones: Yet another reason to keep your sextant at hand

Commercial Drones and GPS Spoofers a Bad Mix

Researchers at the University of Texas at Austin Radionavigation Laboratory
have successfully demonstrated that a drone with an unencrypted GPS system
can be taken over by a person wielding a GPS spoofing device.  You can see a
video accompanying a Fox News story on it, as well as a video here of an
experiment conducted by the researchers, led by Professor Todd Humphreys.

Humphreys and company were recently invited by the U.S. Department of
Homeland Security (DHS) to demonstrate whether their capability to
successfully spoof commercial GPS systems in the laboratory could work in
the field. ...

The UT researchers took equipment costing about $1000 to the White Sands
Missile Range in New Mexico last week and showed observers from both the
Federal Aviation Administration (FAA) and DHS how control of a test drone
could be taken away from its original overseers. The UT researchers, as the
above article notes, have been able to take control of basically every type
of unencrypted commercial GPS system in their laboratory.

rest:
http://spectrum.ieee.org/riskfactor/aerospace/aviation/commercial-drones-and-gps-spoofers-a-bad-mix

popular news article:
  http://rt.com/usa/news/texas-1000-us-government-906/

Note that this is _unencrypted_ GPS, but that's a hefty chunk of the users.

  [Also noted by Paul Saffo.  PGN]

------------------------------

Date: Mon, 25 Jun 2012 08:38:07 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: Scientists crack RSA SecurID 800 tokens, steal cryptographic keys

http://j.mp/MvhBKv  (ars technica via NNSquad)

  "The exploit, described in a paper to be presented at the CRYPTO 2012
  conference in August, requires just 13 minutes to extract a secret key
  from RSA's SecurID 800, which company marketers hold out as a secure way
  for employees to store credentials needed to access confidential virtual
  private networks, corporate domains, and other sensitive environments. The
  attack also works against other widely used devices, including the
  electronic identification cards the government of Estonia requires all
  citizens 15 years or older to carry, as well as tokens made by a variety
  of other companies."

------------------------------

Date: Mon, 2 Jul 2012 23:09:43 -0400 (EDT)
From: Ben Blout <bdbnext_at_private>
Subject: Bugs in source code cannot be used in DUI cases in Minnesota

A ruling from the Minnesota Supreme Court means that defendants will not
be able to use the source code for the Intoxilyzer breath-test machine
in their legal defense.  (These machines are used to determine blood
alcohol levels for DUI cases, and are known colloquially as breathalyzers.)

An earlier ruling found that the source code contained bugs, including
one that caused the proximity of a cell phone during testing to affect
results.  However, the Supreme Court ruled that the Intoxilyzer was
accurate by a preponderance of the evidence.

http://minnesota.publicradio.org/collections/special/columns/news_cut/archive/2012/06/minnesota_supreme_court_limits.shtml
http://www.startribune.com/local/160533855.html

An earlier article, including mention that the replacement devices include their
source code:
http://www.startribune.com/local/158324965.html

------------------------------

Date: Thu, 28 Jun 2012 12:34:14 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: RAND: Cyberdeterrence and Cyberwar

http://j.mp/NGWeTb  (RAND [PDF] via NNSquad)

  "Cyberwar is nothing so much as the manipulation of ambiguity. The author
  explores these topics in detail and uses the results to address such
  issues as the pros and cons of counterattack, the value of deterrence and
  vigilance, and other actions the United States and the U.S. Air Force can
  take to protect itself in the face of deliberate cyberattack."

------------------------------

Date: Wed, 27 Jun 2012 22:05:19 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: France shutting down their /once groundbreaking/ Minitel service

http://j.mp/MUYSag  (BBC [Video])

  "France is switching off its groundbreaking Minitel service which brought
  online banking, travel reservations, and porn to millions of users in the
  1980s.  But then came the worldwide web. Minitel has been dying slowly and
  the plug will be pulled on Saturday."

------------------------------

Date: Wed, 27 Jun 2012 19:30:01 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: UK considers broad Web site blocking by default

http://j.mp/LuEiK7  (BBC via NNSquad)

   "The government is to consider putting extra pressure on computer users
   to filter out pornography when setting up Internet accounts.  Ministers
   are suggesting that people should automatically be barred from accessing
   unsuitable adult material unless they actually choose to view it.  It is
   one of several suggestions being put out for a consultation on how to
   shield children from pornography.  Websites promoting suicide, anorexia
   and self-harm are also being targeted."

The good old UK police state mentality marches on.  And of course, if
you ask to have the blocks lifted, you automatically go on Her
Majesty's government "pervert" list.

------------------------------

Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.91
************************