RISKS-LIST: Risks-Forum Digest  Thursday 30 August 2012  Volume 27 : Issue 01

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.01.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

Contents:
United Airlines Network Outage (Jonathan B Spira)
Observation Deck: What Happens When Cars Start Talking to Each Other?
  (Gabe Goldberg)
The Cadillac Your Livery Driver Has Been Dreaming Of
  (John Pearley Huffman via Monty Solomon)
Study says drivers, not cellphones, pose the accident risk
  (Hiawatha Bray via Monty Solomon)
New malware infects VMware VMs (Bob DeSilets)
Shared private key can apparently compromise RuggedCom SCADA gear
  (Digital Bond via NNSquad)
"How to Secure Data by Addressing the Human Element"
  (Thor Olavsrud via Gene Wirchenko)
"Your car, tracked: the rapid rise of license plate readers"
  (Cyrus Farivar via Monty Solomon)
Data so secure even you can't read it (Ben Moore)
I've Got That Syncing Feeling (Craig Forman via Monty Solomon)
How to Hack your own Hotmail account (Jeremy Ardley)
Don't download that app: US presidential candidates will STALK you with it
  (John Leyden via Monty Solomon)
"Buying Their Way to Twitter Fame" (Austin Considine via Lauren Weinstein)
"Twitter's fake followers: Influence for sale"
  (Bill Snyder via Gene Wirchenko)
5 Design Tricks Facebook Uses To Affect Your Privacy Decisions
  (Lauren Weinstein)
Doug Jones: guest editorial on voter registration (PGN)
Re: "How to avoid an Elections-Ontario-style data-breach fiasco"
  (Gene Wirchenko)
Spyware Matching FinFisher Can Take Over IPhone and BlackBerry
  (Dave Farber, John Fricker)
Re: Knight Capital software upgrade costs $440m (Amos Shapir)
Re: NYPD unveils new $40 million super
  computer system (Raj Mathur)
Re: Announcement of civil timekeeping meeting (mathew)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 28 Aug, 2012 9:01 PM
From: "Jonathan B Spira" <jspira_at_private>
Subject: United Airlines Network Outage (via Dave Farber's IP)

  [United Airlines' SHARES passenger reservation system had a two-hour
  system-wide outage on 28 Aug 2012 that affected United's website, flight
  check-in, and boarding, and also caused ground-stops at UAL hubs in
  Houston, Newark, and SFO.  SHARES (the former Continental system) has had
  various troubles since it was adopted by UAL after the merger.  PGN]

Among other interesting tidbits, United was handing out hand-written
boarding passes today (dozens of pictures of these posted on Twitter).

More details on the outage here plus picture of boarding pass:

*United Airlines Network Outage Snarls Air Traffic*
http://www.frequentbusinesstraveler.com/2012/08/united-airlines-network-outage-snarls-air-traffic/

  [An earlier item noted by Dave Farber:
  United reservation system crashes, FAA issues ground stop.  PGN]
http://travel.usatoday.com/flights/post/2012/08/united-reservation-system-crashes-faa-issues-ground-stop/833343/1

------------------------------

Date: Mon, 27 Aug 2012 20:56:58 -0400
From: Gabe Goldberg <gabe_at_private>
Subject: Observation Deck: What Happens When Cars Start Talking to Each Other?

What could go wrong? I mean, aside from flocks of birds and schools of fish
having had millions of years to evolve compatibly, and there being
Windows/iOS/Android cars trying to collaborate seamlessly in real time.
Plus people having rooted their cars...
  [See the article by Adam Rogers:]
http://www.wired.com/autopia/2012/08/observation-deck-what-happens-when-cars-start-talking-to-each-other/

Gabriel Goldberg, Computers and Publishing, Inc., 3401 Silver Maple Place,
Falls Church, VA 22042  (703) 204-0433  http://www.linkedin.com/in/gabegold

------------------------------

Date: Fri, 24 Aug 2012 22:49:53 -0500
From: Monty Solomon <monty_at_private>
Subject: The Cadillac Your Livery Driver Has Been Dreaming Of
  (John Pearley Huffman)

...

What replaces many of those buttons is Cadillac's intuitive new CUE system,
which uses a large touch screen at the center of the dashboard; think of it
as an embedded iPad. Using Apple-style gestures and swipes, the driver can
scroll through various apps until finding the right one for a particular
task. Those tasks include navigation, sound system and Bluetooth phone
controls. Throw in some voice controls and the CUE interface sets a new
standard for ease of use.

Also replacing some switches are touch-sensitive strips that control the
ventilation system while continuing the design theme. This effectively and
elegantly extends the use of gesture-based controls beyond the touch screen.

...

  [Source: John Pearley Huffman, *The New York Times*, 26 Aug 2012]
http://www.nytimes.com/2012/08/26/automobiles/autoreviews/the-cadillac-your-livery-driver-has-been-dreaming-of.html

------------------------------

Date: Mon, 27 Aug 2012 22:21:16 -0500
From: Monty Solomon <monty_at_private>
Subject: Study says drivers, not cellphones, pose the accident risk
  (Hiawatha Bray)

Hiawatha Bray, *The Boston Globe*, 27 Aug 2012,
Cellphones' role in crashes doubted

Don't blame the technology.
For those who argue that a ban on cellphone use while driving will make
highways safer, there's bad news: People who chat behind the wheel often
drive more aggressively even after they hang up, according to a study from
the Massachusetts Institute of Technology.

"The people who are more willing to frequently engage in cellphone use are
higher-risk drivers, independent of the phone," said Bryan Reimer, associate
director of MIT's New England University Transportation Center. "It's not
just a subtle difference with those willing to pick up the phone. This is a
big difference."

Reimer and a team of MIT researchers studied the behavior of 108 Greater
Boston drivers. About half acknowledged frequent phone use when driving; the
rest said they rarely used their phones behind the wheel. ...

http://bostonglobe.com/business/2012/08/26/not-cellphone-but-driver-that-high-risk-not-cellphone-but-driver-that-high-risk/nVKDgqQTnn91287ZZ30v7N/story.html?s_campaign=8315

------------------------------

Date: Aug 28, 2012 11:52 AM
From: "Bob DeSilets" <desilets_at_private>
Subject: New malware infects VMware VMs (ZDNet via Dave Farber's IP)

Great, just when you thought you were safe running a VM:

The Windows version of a piece of Malware discovered in July, called Crisis,
has been found to be capable of infecting VMware virtual machines as well as
Windows Mobile devices, and removable USB drives. When originally discovered
Crisis was thought to target just Windows and Mac OS users. It has the
capability to record Skype conversations, capture traffic from instant
messaging programs, and track websites visited in Firefox or Safari.

According to Symantec, Crisis "searches for a VMware virtual machine image
on the compromised computer and, if it finds an image, it mounts the image
and then copies itself onto the image by using a VMware Player tool. This
may be the first malware that attempts to spread on to a virtual machine."
  [ZDnet, 22 Aug 2012]
http://www.v3.co.uk/v3-uk/news/2200412/crisis-malware-infects-vmware-virtual-machines
http://www.zdnet.com/crisis-malware-targets-virtual-machines-7000002986/

Bob DeSilets, Information Security Officer, Perelman School of Medicine
University of Pennsylvania  desilets_at_private  (215)746-5578

------------------------------

Date: Wed, 22 Aug 2012 13:13:13 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: Shared private key can apparently compromise RuggedCom SCADA gear

http://j.mp/O6UCpX  (Digital Bond via NNSquad)

  "Justin Clarke and ICS-CERT unveiled another vulnerability in RuggedCom
  devices yesterday.  This time, Justin took a different track with the
  device firmware and showed that all products use the same SSL private key,
  hard-coded in the firmware.  This is fairly typical in cheap
  consumer-grade embedded products, and has the unfortunate effect that easy
  Man-In-The-Middle attacks can be performed against products.  For example,
  any compromised host on the switch management network can be used to spoof
  affected RuggedCom switches, meaning that the bad guy or gal could capture
  legitimate usernames and passwords for the switch."

  [This item is all over the Web, including slashdot.  But check out the
  DigitalBond.com website, with Dale Peterson and others.  It is loaded with
  RISKS-related goodies.  PGN]

------------------------------

Date: Tue, 21 Aug 2012 15:21:38 -0700
From: Gene Wirchenko <genew_at_private>
Subject: "How to Secure Data by Addressing the Human Element" (Thor Olavsrud)

A double-hitter here.  (Two Risks in One!)

http://www.cio.com/article/713753/How_to_Secure_Data_by_Addressing_the_Human_Element
Thor Olavsrud, CIO.com, 15 Aug 2012

Your sensitive data is only as secure as the weakest link in your
organization, and in many cases the weak link is your employees. A properly
established security awareness and training program can pay huge dividends.

1. The article reports on a DEFCON 18 contest to do human engineering.
   Standard RISKS stuff.

2. At one point is this interesting paragraph:

"We find surprisingly little variation in guessing difficulty; every
identifiable group of users generated a comparably weak password
distribution," Bonneau writes. "Security motivations such as the
registration of a payment card have no greater impact than demographic
factors such as age and nationality. Even proactive efforts to nudge users
towards better password choices with graphical feedback make little
difference. More surprisingly, even seemingly distant language communities
choose the same weak passwords and an attacker never gains more than a
factor of 2 efficiency gain by switching from the globally optimal
dictionary to a population-specific lists."

------------------------------

Date: Mon, 20 Aug 2012 09:56:41 -0400
From: Monty Solomon <monty_at_private>
Subject: "Your car, tracked: the rapid rise of license plate readers"
  (Cyrus Farivar)

Cyrus Farivar, Ars Technica, Aug 15 2012
Largely unregulated, cameras now collect millions of travel records every
day.

Tiburon, a small but wealthy town just northeast of the Golden Gate Bridge,
has an unusual distinction: it was one of the first towns in the country to
mount automated license plate readers (LPRs) at its city borders -- the only
two roads going in and out of town. Effectively, that means the cops are
keeping an eye on every car coming and going.

A contentious plan? Not in Tiburon, where the city council approved the
cameras unanimously back in November 2009.

The scanners can read 60 license plates per second, then match observed
plates against a "hot list" of wanted vehicles, stolen cars, or criminal
suspects. LPRs have increasingly become a mainstay of law enforcement
nationwide; many agencies tout them as a highly effective "force multiplier"
for catching bad guys, most notably burglars, car thieves, child molesters,
kidnappers, terrorists, and -- potentially -- undocumented immigrants.
Today, tens of thousands of LPRs are being used by law enforcement agencies
all over the country -- practically every week, local media around the
country report on some LPR expansion. But the system's unchecked and largely
unmonitored use raises significant privacy concerns. License plates, dates,
times, and locations of all cars seen are kept in law enforcement databases
for months or even years at a time. In the worst case, the New York State
Police keeps all of its LPR data indefinitely. No universal standard governs
how long data can or should be retained.

Not surprisingly, the expanded use of LPRs has drawn the ire of privacy
watchdogs. In late July 2012, the American Civil Liberties Union and its
affiliates sent requests to local police departments and state agencies
across 38 states to request information on how LPRs are used. ...

http://arstechnica.com/tech-policy/2012/08/your-car-tracked-the-rapid-rise-of-license-plate-readers/

------------------------------

Date: Fri, 24 Aug 2012 15:52:34 GMT
From: "Ben Moore" <ben.moore_at_private>
Subject: Data so secure even you can't read it

Victorinox is allowing its security program's VeriSign certificate to lapse
on September 15th. Without this certificate the contents of the secure
partition can't be decrypted.

"Swiss army knife maker Victorinox has decided to take the sting out of
ditching support for the security software in its range of USB-knife drives
by offering customers a full refund.

"In a message posted to Facebook but not apparently anywhere else, the
company said customers unhappy with the ending of the security features on
the company's combined penknife/flash memory drives could send them back for
a refund.

"The company announced the end of support for the security features a few
days ago in an ambiguous Facebook post that failed to clarify that all of
the drive's security features - including an encrypted partition, biometric
authentication and secure password management - would cease functioning.

"However, the seriousness of the issues was underlined by the company
setting 15 September as the date by which customers must back up all data on
the encrypted section of the drives."

http://news.techworld.com/security/3377751/victorinox-offers-refunds-after-usb-swiss-army-drives-lose-security/
http://www.engadget.com/2012/08/21/victorinox-stops-software-updates-secure-usb-drives/

------------------------------

Date: Tue, 28 Aug 2012 13:02:15 -0400
From: Monty Solomon <monty_at_private>
Subject: I've Got That Syncing Feeling (Craig Forman)

Your devices are eager to make all your content line up nicely.
Sometimes the results are not so nice.

Craig Forman, *Wall Street Journal*, 26 Aug 2012
http://online.wsj.com/article/SB10000872396390443324404577594873646163262.html

The trouble started when I innocently downloaded a free IKEA catalog app to
my iPad. The trouble nearly ended with a $1,200 charge from AT&T.

I was traveling in Europe for a short family trip. Before leaving the U.S.,
I downloaded the image-heavy catalog using a standard broadband connection.
Aware of the costs of digital Internet access while abroad, my wife, son and
I thought we had taken all the correct precautions. Were location-based
services off? Check. Notifications off? Check. All three iPhones switched to
Wi-Fi only? Check, check and check.

So the midnight e-mail from AT&T came as a surprise: "Unusually high volumes
of data. 750 megabytes downloaded. Please check your phone."

I checked my phone -- but all potential digital gotchas had been put to
rest. We were jet lagged and exhausted. Surely a couple hours' sleep
couldn't put us in digital harm's way?

But in these modern days of anytime, anywhere, cloud-based synchronization,
those few hours of shut-eye were plenty costly. I awoke to a buzzing of my
phone, an SMS and an e-mail from AT&T: The data download had nearly doubled
while I was sleeping. My account was in imminent danger of being shut off
unless I called them. ...

------------------------------

Date: Mon, 27 Aug 2012 13:37:10 +0800
From: Jeremy Ardley <jeremy.ardley_at_private>
Subject: How to Hack your own Hotmail account

http://youtu.be/YB5WsZjtses  (Watch in HD full-screen to see text)

Is a video of how to change the text and headers of an e-mail in your own
Hotmail account.  It is perfectly legal and is acknowledged by Microsoft as
a design feature of their Windows Live Hotmail client.

Up until this was described by myself, Richard Boddington, and Grant Boxall,
it was assumed that Hotmail e-mails could not be altered.  As such they have
been used as evidence in court cases.

Our paper is available to Subscribers of the Journal of Digital Forensics,
Security and Law  http://www.jdfsl.org/

The technique we show can tracelessly alter any part of an e-mail including
all headers.  It is possible for instance to create a fictitious e-mail sent
at some date in the past and with wording as desired.  Examples of this
could be forging an e-mail admitting liability or offering to pay money.
The list is endless.

The 'hack' works because Microsoft introduced a new protocol called
DeltaSync that enables Windows Live clients to synchronize e-mails across
machines via Hotmail.  Altering a local copy of an e-mail on a client and
then syncing will cause that copy to overwrite the Hotmail copy and as well
overwrite copies on other clients.

Using this technique you can also add payloads to an e-mail - e.g. some
malware and have it automatically delivered to a target machine.  As an
example an ingenious felon could break into someone's house and insert
malware into an e-mail and by syncing the package could then get onto a
synced work computer bypassing any mail scanning system.

We are looking at similar schemes with e-mail syncing via web-server --
e.g., IMAP

------------------------------

Date: Tue, 21 Aug 2012 09:06:48 -0400
From: Monty Solomon <monty_at_private>
Subject: Don't download that app: US presidential candidates will STALK you
  with it (John Leyden)

John Leyden, *The Register*, 20 Aug 2012
Romney mobile application even requests permission to record audio ...

Security researchers have uncovered privacy shortcomings in the mobile
applications offered by both the Barack Obama and Mitt Romney presidential
campaigns.

The campaign teams of the incumbent US President and his Republican
challenger have each released apps for both iOS and Android, in good time
for the election on November 6. Experts at GFI Software looked at the
Android versions of both apps, discovering both to be surprisingly invasive.
Obama for America and Mitt's VP request permissions, access to services and
data, and capabilities beyond their core mandate.

For example, each of the apps features the ability to cross-post on users'
behalf and report back to base. One app even has a tool to encourage users
to go canvassing on behalf of the candidate, which in GFI's test directed
Obama supporters to an unsafe part of a US town - just north of downtown
Clearwater, Florida.

Both Android apps slurp the details of users' contacts and log location
data, as a rundown by GFI on both apps and the permissions they seek
explains. The Romney app even requests permission to record audio for
unspecified (and so-far unactivated) purposes. ...

http://www.theregister.co.uk/2012/08/20/us_pres_campaign_mobile_app_privacy/

------------------------------

Date: Thu, 23 Aug 2012 20:55:52 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: "Buying Their Way to Twitter Fame" (Austin Considine)

Source: Austin Considine, *The New York Times*, 23 Aug 2012, via NNSquad
http://j.mp/O7snpe

"It may be the worst-kept secret in the Twittersphere.
That friend who brags about having 1,000, even 100,000 Twitter followers may
not have earned them through hard work and social networking; he may have
simply bought them on the black market.  And it's not just ego-driven
blogger types.  Celebrities, politicians, start-ups, aspiring rock stars,
reality show hopefuls - anyone who might benefit from having a larger social
media footprint - are known to have bought large blocks of Twitter
followers."

------------------------------

Date: Thu, 30 Aug 2012 09:39:33 -0700
From: Gene Wirchenko <genew_at_private>
Subject: "Twitter's fake followers: Influence for sale" (Bill Snyder)

Bill Snyder, *InfoWorld*, 30 Aug 2012
From Lady Gaga to Obama, paid tweets and inflated followings game online
reputations and call the whole system into question
http://www.infoworld.com/d/the-industry-standard/twitters-fake-followers-influence-sale-201295

selected text:

Organizations are in fact buying fake followers, including both major
candidates for the White House, numerous other politicians, and scads of
celebrities.

Republican presidential nominee Mitt Romney, for example, had 673,002
followers on July 20. One day later, that number soared by 17 percent, or
117,000 new followers. On the other side of the partisan divide, President
Barack Obama's campaign boasts that he has nearly 19 million followers.
However, an analysis by StatusPeople, a social media management company
based in London, shows that only 30 percent of them actually exist or have
active accounts. To be fair, it's possible that spam bots are creating at
least some of the fake accounts.

The implications are serious: Twitter has changed how politics is reported
in the United States and has been a weapon used by pro-democracy advocates
in countries like Egypt and Iran. It's also a tool used by businesses to
stay in touch with customers.
To its credit, Twitter has tried to stop the spread of fake accounts and the
like, but cheaters and petty profiteers are still eroding its value as a
communications tool.

Sincerely,

------------------------------

Date: Sun, 26 Aug 2012 15:04:25 -0700
From: Lauren Weinstein <lauren_at_private>
Subject: 5 Design Tricks Facebook Uses To Affect Your Privacy Decisions

http://j.mp/PKSimw  (Techcrunch via NNSquad)

  "In fact, Facebook keeps "improving" their design so that more of us will
  add apps on Facebook without realizing we're granting those apps (and
  their creators) access to our personal information."

------------------------------

Date: Fri, 24 Aug 2012 10:17:10 PDT
From: "Peter G. Neumann" <neumann_at_private>
Subject: Doug Jones: guest editorial on voter registration

Doug Jones, a long-time observer of elections, has written an excellent
guest editorial in the Iowa Press-Citizen on risks of using databases to
disqualify voters.  As this is a problem that is increasingly prevalent, it
seems worth noting here.  PGN

http://www.press-citizen.com/article/20120823/OPINION02/308230009

------------------------------

Date: Tue, 21 Aug 2012 15:04:00 -0700
From: Gene Wirchenko <genew_at_private>
Subject: Re: "How to avoid an Elections-Ontario-style data-breach fiasco"
  (RISKS-26.94)

You thought that the Elections Ontario submission was a winner?  I got this
from a reader:

> Woah! The staff thought that encryption meant zipping it up.  LOL.  Utterly
> amazing.  No wonder there is very little effort needed to crash e-mail
> accounts and FTP server accounts.  :) Most people don't understand even
> the basics.  Amazing.

Unfortunately, winning means losing here.

------------------------------

Date: Wed, 29 Aug 2012 12:29:58 -0400
From: Dave Farber <dave_at_private>
Subject: Spyware Matching FinFisher Can Take Over IPhone and BlackBerry

  [Via Dave Farber's IP distribution.
  PGN]

http://www.bloomberg.com/news/2012-08-29/spyware-matching-finfisher-can-take-over-iphone-and-blackberry.html

FinFisher spyware made by U.K.-based Gamma Group can take control of a range
of mobile devices, including Apple Inc.'s iPhone and Research in Motion Ltd.
(RIM)'s BlackBerry, an analysis of presumed samples of the software shows.

Systems that can be targeted include Microsoft Corp.'s Windows Mobile, the
Apple iPhone's iOS, BlackBerry and Google Inc.'s Android, according to the
company's literature.

The program can secretly turn on a device's microphone, track its location
and monitor e-mails, text messages and voice calls, according to the
findings, being published today by the University of Toronto Munk School of
Global Affairs' Citizen Lab. Researchers used newly discovered malicious
software samples to further pull back the curtain on the elusive
cyberweapon. ...

------------------------------

Date: Aug 29, 2012 1:17 PM
From: "John Fricker" <john.fricker_at_private>
Subject: Re: Spyware Matching FinFisher Can Take Over IPhone and BlackBerry

  [Re: via Dave Farber's IP]

Interesting but wrong when it comes to iOS and the iPhone and iPad.

  "A mobile device's user can become infected by being tricked into going to
  a Web link and downloading the malware, which can be disguised as
  something other than FinSpy.  As Gamma's promotional video illustrates,
  the process can be as simple as sending someone a text message with a link
  that looks like it comes from the phone maker, and asking the user to
  ``please install this system update,'' Marquis-Boire says."

It's impossible to install software on iOS in this manner. The May 2012
white paper from Apple
(http://images.apple.com/ipad/business/docs/iOS_Security_May12.pdf)
explains why (see Execute Never).

------------------------------

Date: Wed, 22 Aug 2012 17:33:11 +0300
From: Amos Shapir <amos083_at_private>
Subject: Re: Knight Capital software upgrade costs $440m

This gives new meaning to the term "Fly by Knight"...

Seriously, as others had already pointed out, the problem is not a software
bug, but the fact that the trading system had accepted the bad data as
genuine.  The problem is, the system has no sanity checks; but as long as
money can be made by insane actions (whether intended or not), I'm afraid
that insanity will stay as an inherent part of the system.

------------------------------

Date: Tue, 21 Aug 2012 10:30:21 +0530
From: "Raj Mathur" <raju_at_linux-delhi.org>
Subject: Re: NYPD unveils new $40 million super computer system (RISKS 26.98)

Am I the only one who sees the RISKS attendant on this partnership and an
off-the-shelf crime prevention and investigation system?  [UNLIKELY!  PGN]

Off the top of my head (and based on the minimal information available in
the article):

* Expectation of sales will certainly dilute the quality and effectiveness
  of the product for the original client.  Instead of being made purely on
  the merits of functionality and usefulness for NYPD, decisions on features
  and fixes will instead be vetted through a commercial viability test.  The
  product is likely to end up as bloatware, losing all contact with the
  needs of the force on the ground in the process.

* Presumably this product is not Free/Open Source Software.  Unless there's
  an existing understanding that clients (other than NYPD) will have access
  to the source code, with permission to modify for their own requirements,
  popularity of the product would result in straitjacketing of procedures at
  other police forces.  What suits NYPD may not be right for New Delhi or
  Rome.  Heck, it may not even be right for Des Moines.  Easy availability
  of such a package would promote processes and documentation that works for
  the NYPD, at the cost of local innovation and locally appropriate
  processes.
  Unless the original design and development has been done with full
  customisability as one of the primary criteria (an expensive,
  time-consuming and ultimately still limited process), we are more likely
  to see police forces adapting to the system rather than the other way
  around.

* If the product becomes even reasonably popular, vulnerabilities and
  exploits will eventually be available in the wild to permit criminals to
  game -- or worse, misuse -- the system.

* [Rant] Is there any reason at all for a police force to become a
  commercially viable entity?  In my opinion, crime prevention and law
  enforcement on the one hand and economic viability on the other are
  completely separate objectives, and mixing the two is unlikely to result
  in any benefit to the first.

Raj Mathur  http://otheronepercent.blogspot.com  raju@private
http://kandalaya.org  http://schizoid.in

------------------------------

Date: Thu, 23 Aug 2012 09:42:11 -0500
From: mathew <meta_at_private>
Subject: Re: Announcement of civil timekeeping meeting (RISKS-26.92,93,98)

The Science Time idea is good, but I have a much simpler suggestion.

Keep UTC exactly as it is for civil timekeeping.

And the people who don't like leap seconds or find them hard to deal with
can switch to TAI, which already exists.

Need a cheap local source of TAI? Get a GPS. And start setting up an NTP
network of TAI timeservers -- anyone doing this yet?

The people who don't want leap seconds in their timescale can stop having
them today. There's nothing much standing in their way, except perhaps lack
of a good way to indicate TAI in Internet timestamps.

But instead, the proposal is to abolish UTC. I use the word 'abolish'
because the whole point of UTC is that it's kept in sync with astronomical
time via leap second adjustments; if you get rid of the leap seconds, you
just have TAI with a fixed offset. So the calls to abolish UTC are really
about tricking people into switching to TAI for civil timekeeping without
knowing they're doing it.
That way we don't have to get governments involved and have a democratic
discussion, right?

If the proposal was to switch to TAI for system clocks and then apply
appropriate translation to civil time for display, I'd support it.

http://www.pobox.com/~meta/

------------------------------

Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
  http://www.risks.org takes you to Lindsay Marshall's searchable archive at
  newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
  Lindsay has also added to the Newcastle catless site a palmtop version
  of the most recent RISKS issue and a WAP version that works for many but
  not all telephones: http://catless.ncl.ac.uk/w/r
  <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.01
************************
Received on Thu Aug 30 2012 - 11:19:13 PDT