[RISKS] Risks Digest 27.14

From: RISKS List Owner <risko_at_private>
Date: Tue, 22 Jan 2013 16:00:33 PST
RISKS-LIST: Risks-Forum Digest  Tuesday 22 January 2013  Volume 27 : Issue 14

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.14.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Jim Horning, 24 Aug 1942 -- 18 Jan 2013 (PGN)
Luther Weeks: Voting Requires Vigilance. Popular Isn't Always Prudent (PGN)
Internet resources allow identification of personal genomes via
  (Lauren Weinstein)
France wants to tax Google/Facebook based on users/data collected
  (Lauren Weinstein)
Under pressure, Journal News withdraws gun database, but the mirrors are
  everywhere ...  (Lauren Weinstein)
These People Are Now Sharing Horrible Things About Themselves
  Thanks to Facebook Search (Lauren Weinstein)
"Distracted driver hits senior while using her iPod" (Gene Wirchenko)
"Facebook Graph Search may be a social engineering nightmare" (Ted Samson
 via Gene Wirchenko)
Risks of inaccurate cellphone tracking info (David Tarabar)
Ahmed Al-Khabaz expelled from Dawson College after finding security flaw
  (David J. Farber, Suresh Ramasubramanian, Steve Crocker)
"Red October relied on Java exploit to infect PCs" (Gene Wirchenko)
Subject: "how Oracle installs deceptive software with Java updates"
  (Ed Bott via Gene Wirchenko)
"Disabling Java in Internet Explorer: No easy task" (Woody Leonhard via
  Gene Wirchenko)
Just How Dumb Is It For CBS To Block CNET From Giving Dish An Award?
  (Mike Masnick)
The 2013 Best of CES Awards: CNET's story (Lindsey Turrentine via
  Monty Solomon)
Re: EHRs may add to, not reduce, the cost of health care (Dave Parnas)
Course announcement: SecAppDev 2013, 4-8 March, Leuven, Belgium
  (Lieven Desmet)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tuesday, January 22, 2013 3:04 PM
From: Peter Neumann <Neumann_at_private>
Subject: Jim Horning, 24 Aug 1942 -- 18 Jan 2013

Jim Horning was one of my favorite friends, colleagues, associates, and a
long-time inspiration, spanning the past 38 years.  He was active in the
computer field since 1958.  He was a vital member of the ACM Committee on
Computers and Public Policy, continuously since 1985; he contributed to the
very first issue of the ACM Risks Forum (1 Aug 1985), and he wrote or
co-wrote seven CACM Inside Risks articles.  He also played significant roles
in USACM.  We worked together on a joint CPSR/ACLU report for the House
Committee on Civil and Constitutional Rights in 1989.  He made many
thoughtful technical and socially aware contributions, always with wisdom,
common sense, and humanity.  I valued every contact I ever had with him.  He
will be very deeply missed by all who knew him, and indirectly by many who
did not.

------------------------------

Date: Tue, 22 Jan 2013 13:26:38 PST
From: "Peter G. Neumann" <neumann_at_private>
Subject: Luther Weeks: Voting Requires Vigilance. Popular Isn't Always Prudent

Luther Weeks,  21 Jan 2013
Op-Ed outlining the integrity risks of the National Popular Vote Compact
http://www.ctnewsjunkie.com/ctnj.php/archives/entry/op-ed_voting_requires_vigilance._popular_isnt_always_prudent/

One third of Americans vote on machines, without the paper ballots we use in
Connecticut. Our president is chosen based on faith in those unverifiable
machines, vote accounting, and unequal enfranchisement in 50 independent
states and the District of Columbia.

In 2000, we witnessed the precarious underpinnings of this state-by-state
voting system combined with the flawed mechanism of the 12th Amendment and
the Electoral Accounting Act. The Supreme Court ruled votes could not be
recounted in Florida, because even that single state did not have uniform
recount procedures. What could possibly make this system riskier?

The National Popular Vote Compact now being considered in states, including
Connecticut, would have such states award their electoral votes to a
purported national popular vote winner. The Compact would take effect once
enough states signed on, equaling more than one-half the Electoral College.
Then the President elected would be the one with the most purported popular
votes. Sounds good and fair at first glance. Looking at the touted benefits
and none of the risks many legislators, advocates, and media influence the
public to make the Compact popular in some polls. Popular is not always
prudent. Voting requires vigilance.

The Compact, cobbled on an already precarious system, would exacerbate its
flaws, adding additional risks. Currently errors, voter suppression, and
fraud can only sway the result in the few swing states. With the Compact
errors, suppression, and fraud in every state would count toward the popular
vote total.

Compact supporters overlook and proponents befog the reality that there
would be no official national popular vote total available in time for
states to choose their electors. The only official popular vote total is the
sum of the Certificates of Attainment sent by each state to the national
Archivist. They cannot be used for choosing electors, since certificates are
not required to be sent until seven days after electors are chosen and are
not required to arrive in Washington until fifteen days after the electors
must be chosen. Supreme Court decisions in 2000 and 1876 stress that these
dates must be strictly followed.

Even if the totals could be obtained in time from each state, they would not
be audited and could not be recounted. Compact proponents obfuscate this by
describing how some states routinely perform audits or recounts. They
conveniently ignore that about one-third of the states do not have audits
and recounts; many voting machines cannot be audited; state recounts are
based on close-vote margins within a state, so even in those states,
recounts would not be triggered by a close national vote. Just as critical,
there would be insufficient time for recounts or audits given the strict
Constitutional deadlines. The Supreme Court would likely reject any recount
going beyond state borders, using the same reasoning used to reject the 2000
Florida recount, as insufficiently uniform.

Additional legal challenges and maneuvers under the Compact would also be
available for partisans bent on sending any reasonably close election to the
Supreme Court or Congress. States not signing the Compact could delay
certifying and transmitting results until the latest deadline. Partisans
could dispute results in their states or sue their Secretary of State for
using uncertified results from other states, delaying reporting or negating
the state's Electoral College vote.

Nothing is available, but legal challenges, even in Compact states, to deter
a future partisan Secretary of State from failing to follow the Compact.

Supporters and opponents debate other contentions for and against the
Compact, most of which are subjective and speculative. e.g. Which is more
ideal, the current Federal system or the popular vote? Would small states or
large states benefit more from the Compact? Where would candidates campaign
and join with PACs in media buys? How equal would every voter actually be,
given the state-by-state system of voter enfranchisement,
disenfranchisement, suppression, and registration?

An accurate, fair, and credible popular vote requires a uniform, workable
national voting system we can trust. That is, a system with uniform
enfranchisement, paper ballots, effective audits, and national recounts,
enforceable and provably enforced as a prerequisite to a considering a
national popular vote.

Luther Weeks is executive director of CTVotersCount
<http://www.ctvoterscount.org/> .

  [This is an extremely complicated issue.  However, as long as we have
  partisan election management with unauditable voting machines, non-level
  playing fields regarding registration and voter rights, extreme
  difficulties in retroactively determining manipulations and unethical,
  illegal, or deceptive practices, no system can be claimed to be fair.
  Readers of RISKS should be well aware of the wide range of pitfalls.  PGN]

------------------------------

Date: Thu, 17 Jan 2013 21:43:42 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: Internet resources allow identification of personal genomes via
  surname inference

http://j.mp/10DqhqW  (*Science* via NNSquad) [Free read with registration]

  "Sharing sequencing data sets without identifiers has become a common
  practice in genomics. Here, we report that surnames can be recovered from
  personal genomes by profiling short tandem repeats on the Y chromosome
  (Y-STRs) and querying recreational genetic genealogy databases. We show
  that a combination of a surname with other types of metadata, such as age
  and state, can be used to triangulate the identity of the target. A key
  feature of this technique is that it entirely relies on free, publicly
  accessible Internet resources. We quantitatively analyze the probability
  of identification for U.S.  males. We further demonstrate the feasibility
  of this technique by tracing back with high probability the identities of
  multiple participants in public sequencing projects."

------------------------------

Date: Mon, 21 Jan 2013 09:54:45 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: France wants to tax Google/Facebook based on users/data collected

  "Last Friday, a 198-page government report to the French Ministry of the
  Economy outlined a proposal that, if approved by the French government,
  would impose a tax on tech companies based on how many users a site like
  Facebook or Google has, and how much personal information those companies
  hold."
  http://j.mp/WmsSiF  (ars technica via NNSquad)

Passage of such a law would be immediately followed by the creation of the
secret French government department to create millions of fake Google users
and share as much fake personal information about them as possible!

------------------------------

Date: Fri, 18 Jan 2013 16:20:24 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: Under pressure, Journal News withdraws gun database, but the mirrors
  are everywhere ...

http://j.mp/WeMk0C  (*Journal News* via NNSquad)

  "Today The Journal News has removed the permit data from lohud.com. Our
  decision to do so is not a concession to critics that no value was served
  by the posting of the map in the first place. On the contrary, we've heard
  from too many grateful community members to consider our decision to post
  information contained in the public record to have been a mistake. Nor is
  our decision made because we were intimidated by those who threatened the
  safety of our staffers. We know our business is a controversial one, and
  we do not cower."

And of course, proving again that "public is public" and that trying to hide
on the Internet is hopeless once it has been widely publicized, there are
the various available related mirrors:

http://j.mp/WeM2a6  (Google Sites)

More info:
Gawker releases list of gun owners in New York City (1/8/2013)
http://j.mp/WeMUeE  (Poynter)

------------------------------

Date: Fri, 18 Jan 2013 16:44:21 -0800
From: Lauren Weinstein <lauren_at_private>
Subject: These People Are Now Sharing Horrible Things About Themselves
  Thanks to Facebook Search

  "FB's glistening new search engine makes finding interesting things about
  yourself, your past, and all of your friends excitingly easy. It also
  makes it a cinch to find strangers who are openly racist, sexist, and
  generally embarrassing."
    http://j.mp/WeQe9D (Gizmodo via NNSquad)
    [Warning: link is not safe for work or family!]

The link above is Not Safe for Family.  Not Safe for Work.  Let's face
it, Facebook just plain isn't safe.

------------------------------

Date: Sat, 12 Jan 2013 18:42:41 -0800
From: Gene Wirchenko <genew_at_private>
Subject: "Distracted driver hits senior while using her iPod"

"The Daily News", Kamloops, British Columbia, Canada, 2013-01-12, p. A6:
"Distracted driver hits senior while using her iPod

NORTH VANCOUVER

A 19-year-old woman is facing charges in North Vancouver after she drove
onto a sidewalk and struck a 70-year-old man while using her iPod.  The RCMP
say the victim was walking home from a gym when he was struck yesterday at
Mount Seymour Parkway and Emerson Way.  He suffered extensive injuries
including a broken leg and broken ribs, but he is expected to survive.
Police say the driver has been charged with driving without due care and
attention while using an electronic device.

------------------------------

Date: Thu, 17 Jan 2013 12:17:30 -0800
From: Gene Wirchenko <genew_at_private>
Subject: "Facebook Graph Search may be a social engineering nightmare"
  (Ted Samson)

Ted Samson, *InfoWorld*, 16 Jan 2013
Facebook's new search engine serves up the kind of data that cyber
  scammers love
http://www.infoworld.com/t/internet-privacy/facebook-graph-search-may-be-social-engineering-nightmare-211002

------------------------------

Date: Tue, 15 Jan 2013 08:11:24 -0500
From: David Tarabar <dtarabar_at_private>
Subject: Risks of inaccurate cellphone tracking info

"If you lose your cellphone, don't blame Wayne Dobson"

Due to a quirk in cellphone location tracking, a resident of North Las Vegas
has repeatedly been visited by people who believe that he has their lost
cellphones. More seriously, police responded to the same address in error -
due to a cellphone 911 call reporting a domestic violence incident.

http://www.lvrj.com/news/if-you-lose-your-cellphone-don-t-blame-wayne-dobson-186670171.html

------------------------------

Date: Mon, 21 Jan 2013 10:57:35 -0500
From: "David J. Farber" <farber_at_private>
Subject: Ahmed Al-Khabaz expelled from Dawson College after finding
 security flaw

http://news.nationalpost.com/2013/01/20/youth-expelled-from-montreal-college-after-finding-sloppy-coding-that-compromised-security-of-250000-students-personal-data/

A student has been expelled from Montreal's Dawson College after he
discovered a flaw in the computer system used by most Quebec CEGEPs (General
and Vocational Colleges), one which compromised the security of over 250,000
students' personal information.

Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a
member of the school's software development club, was working on a mobile
app to allow students easier access to their college account when he and a
colleague discovered what he describes as `sloppy coding' in the widely used
Omnivox software which would allow ``anyone with a basic knowledge of
computers to gain access to the personal information of any student in the
system, including social insurance number, home address and phone number,
class schedule, basically all the information the college has on a
student.''

``I saw a flaw which left the personal information of thousands of students,
including myself, vulnerable, I felt I had a moral duty to bring it to the
attention of the college and help to fix it, which I did. I could have
easily hidden my identity behind a proxy. I chose not to because I didn't
think I was doing anything wrong.''

``I felt I had a moral duty to bring it to the attention of the college.''

After an initial meeting with Director of Information Services and
Technology Francois Paradis on 24 Oct 2012, where Mr. Paradis congratulated
Mr. Al-Khabaz and colleague Ovidiu Mija for their work and promised that he
and Skytech, the makers of Omnivox, would fix the problem immediately,
things started to go downhill.

Two days later, Mr. Al-Khabaz decided to run a software program called
Acunetix, designed to test for vulnerabilities in websites, to ensure that
the issues he and Mija had identified had been corrected. A few minutes
later, the phone rang in the home he shares with his parents.

``It was Edouard Taza, the president of Skytech. He said that this was the
second time they had seen me in their logs, and what I was doing was a cyber
attack. I apologized, repeatedly, and explained that I was one of the people
who discovered the vulnerability earlier that week and was just testing to
make sure it was fixed. He told me that I could go to jail for six to twelve
months for what I had just done and if I didn't agree to meet with him and
sign a non-disclosure agreement he was going to call the RCMP and have me
arrested. So I signed the agreement.'' ...

------------------------------

Date: Jan 21, 2013 11:30 AM
From: "Suresh Ramasubramanian" <suresh_at_private>
Subject: Re: Ahmed Al-Khabaz expelled from Dawson College after
  finding security flaw

the rest of the article goes on to say -

1. Taza from Skytech denies he threatened Al Khabaz, and said that he'd told
him that discovering vulns was fine, but pen-testing their systems uninvited
to see whether the vulns were fixed or not wasn't legal.

2. The school seems to have separately decided to expel him, with 14 out of
15 professors voting to expel, though without giving him a hearing first.

------------------------------

Date: Monday, January 21, 2013
From: *Steve Crocker*
Subject: Re: Ahmed Al-Khabaz expelled from Dawson College after finding
  security flaw

The following stands out:

  Two days later, Mr. Al-Khabaz decided to run a software program called
  Acunetix, designed to test for vulnerabilities in websites, to ensure that
  the issues he and Mija had identified had been corrected. A few minutes
  later, the phone rang in the home he shares with his parents.

When I was a program manager at (D)ARPA in the early 1970s, I ran tiger
teams on the Arpanet and quickly discovered the importance of discipline in
the process.  It's one thing to find flaws, it's something else entirely to
disclose them publicly, and it's further something else to run subsequent
"tests" to determine whether the flaw has been fixed.  The people who find
the flaws often develop a sense of ownership and entitlement, and that's
where trouble arises.  A "20-year-old computer science student, and a
member of the school's software development club" probably had no training
or counseling regarding finding and reporting flaws.  Having reported his
findings to responsible parties, he fulfilled his moral obligations and he
should have remained at arms' length from the system unless invited to do
further work, but this might not have been evident to him.  Conversely, the
school's elders should have gone further than congratulating the student
for his work.  They should have realized the need to counsel the student
that his role was now complete, that he needed to stay away from further
action, and that the results might or might not be in accordance with his
instincts.  In this respect, the school's management might have been just
as uneducated in these matters as the student.

Perhaps there is more to this particular story than has been reported.
Perhaps the student was informed he was not to do further testing.  The
larger point is it would be useful to have some readily available guidelines
for appropriate behavior by both the person finding the flaw and the
organization receiving the report.

------------------------------

Date: Tue, 15 Jan 2013 08:45:20 -0800
From: Gene Wirchenko <genew_at_private>
Subject: "Red October relied on Java exploit to infect PCs"

http://arstechnica.com/security/2013/01/massive-espionage-malware-relied-on-java-exploit-to-infect-pcs/
Red October relied on Java exploit to infect PCs
Unearthed attack site reveals some inner workings of espionage malware.

Dan Goodin, *Arstechnica*, 15 Jan 2013

opening paragraph:

Attackers behind a massive espionage malware campaign that went undetected
for five years relied in part on a vulnerability in the widely deployed Java
software framework to ensnare their victims, a security researcher said.

------------------------------

Date: Tue, 22 Jan 2013 10:40:57 -0800
From: Gene Wirchenko <genew_at_private>
Subject: "how Oracle installs deceptive software with Java updates" (Ed Bott)

Ed Bott for The Ed Bott Report, 22 Jan 2013
A close look at how Oracle installs deceptive software with Java updates
http://www.zdnet.com/a-close-look-at-how-oracle-installs-deceptive-software-with-java-updates-7000010038/

Summary: Oracle's Java plugin for browsers is a notoriously insecure
product.  Over the past 18 months, the company has released 11 updates, six
of them containing critical security fixes. With each update, Java actively
tries to install unwanted software. Here's what it does, and why it has to
stop.

------------------------------

Date: Tue, 22 Jan 2013 12:56:57 -0800
From: Gene Wirchenko <genew_at_private>
Subject: "Disabling Java in Internet Explorer: No easy task" (Woody Leonhard)

Woody Leonhard, *InfoWorld*, 22 Jan 2013
Disabling Java in Internet Explorer: No easy task
Firefox, Chome, and Safari let you. But short of a complex,
CERT-documented process, there's no reliable way to disable Java in IE
http://www.infoworld.com/t/web-browsers/disabling-java-in-internet-explorer-no-easy-task-211220

  The Microsoft instructions kill about 20 Java CLSIDs. The CERT method
  kills almost 800 of them.

That has to make you wonder -- at least, it makes me wonder -- whether there
are other tricky methods for invoking Java in Internet Explorer, even after
the CERT fixes have been applied.

------------------------------

Date: Sat, 12 Jan 2013 15:28:21 -0500
From: Monty Solomon <monty_at_private>
Subject: Just How Dumb Is It For CBS To Block CNET From Giving Dish An Award?
  (Mike Masnick)

Mike Masnick, *Techdirt*, 11 Jan 2013

As you may or may not recall, last year, pretty much all the TV networks
sued Dish Networks over a new feature it had launched, PrimeTime Any Time
(PTAT), with its Autohopper technology on its DVRs. PTAT is where it would
automatically record all the major networks' prime time programming and hold
onto it for a bit.  Autohopper would then automatically skip over the
commercials. It's important to recognize that these features, on their own,
have been considered legal. VCRs had auto commercial skip ages ago and DVR
technology (time shifting) has been called fair use plenty of times.  Given
that, the lawsuits aren't going well so far.

But, in a moment of pure stupidity, some very short-sighted suits at CBS
made a really silly decision. As you may or may not have heard, CES -- the
massive consumer electronics show -- has been going on all this week in Las
Vegas. I just got back from there myself. At the show, Dish announced
another merging of some of its products, adding its Slingbox (who they
bought years back) to the same basic setup.  Slingbox, of course, is for
"place shifting" what the DVR is for "time shifting." You hook it up to your
TV and it lets you access what's playing on your TV via the Internet via
your computer, phone or tablet). It's hardly surprising that this is where
Dish was heading. ...

http://www.techdirt.com/articles/20130111/00145421637/just-how-dumb-is-it-cbs-to-block-cnet-giving-dish-award.shtml

------------------------------

Date: Sat, 19 Jan 2013 13:17:02 -0500
From: Monty Solomon <monty_at_private>
Subject: The 2013 Best of CES Awards: CNET's story (Lindsey Turrentine)

, *CNET*, 14 Jan 2013
The true story of what happened before last week's Best of CES Awards
unveiling
http://news.cnet.com/8301-30677_3-57563877-244/the-2013-best-of-ces-awards-cnets-story/

A CNET Reporter Resigns Amid CBS-Dish Tussle
January 14, 2013
http://blogs.wsj.com/digits/2013/01/14/a-cnet-reporter-resigns-amid-cbs-dish-tussle/

Dish Gives Itself The Award That CBS Stopped CNET From Giving
http://consumerist.com/2013/01/18/dish-gives-itself-the-award-that-cbs-stopped-cnet-from-giving/

------------------------------

Date: Sat, 12 Jan 2013 14:30:14 -0500
From: Dave Parnas <parnas_at_private>
Subject: Re: EHRs may add to, not reduce, the cost of health care
  (Lesher, RISKS-27.13)

Predictions of savings are usually based on two assumptions:

  1) The new system is used instead (not in addition to) of the old one.
  2) The records are shared so that tests and other exams do not have to
     be duplicated.

In the cases that I have seen (a very limited set) at most one of these
conditions have been met and often neither is met.  Old systems are often
incompatible with the new systems and may perform functions that the new
ones do not do.

Professor Emeritus, McMaster University, University of Limerick
http://www.amadon.ca/Public/information.htm  +1 613 2498038 parnas@private

------------------------------

Date: Thu, 10 Jan 2013 10:47:57 +0100
From: Lieven Desmet <Lieven.Desmet_at_private>
Subject: Course announcement: SecAppDev 2013, 4-8 March, Leuven, Belgium

We are pleased to announce SecAppDev Leuven 2013, an intensive one-week
course in secure application development. The course is organized by
secappdev.org, a non-profit organization that aims to broaden security
awareness in the development community and advance secure software
engineering practices. The course is a joint initiative with KU Leuven and
Solvay Brussels School of Economics and Management.

SecAppDev 2013 is the 9th edition of our widely acclaimed course,
attended by an international audience from a broad range of industries
including financial services, telecom, consumer electronics and media
and taught by leading software security experts including

+ Prof. dr. ir. Bart Preneel who heads COSIC, the renowned crypto lab.
+ Ken van Wyk, co-founder of the CERT Coordination Center and widely
   acclaimed author and lecturer.
+ Dr. Steven Murdoch of the University of Cambridge Computer
   Laboratory's security group, well known for his research in
   anonymity and banking system security.
+ Jim Manico, an OWASP board member.
+ John Steven, a sought-after architect for high-performance, scalable
   JEE systems.

When we ran our first annual course in 2005, emphasis was on awareness and
security basics, but as the field matured and a thriving security training
market developed, we felt it was not appropriate to compete as a non-profit
organization. Our focus has hence shifted to providing a platform for
leading-edge and experimental material from thought leaders in academia and
industry. We look toward academics to provide research results that are
ready to break into the mainstream and attract people with an industrial
background to try out new content and formats.

The course takes place from March 4th to 8th in the Faculty Club,
Leuven, Belgium.

For more information visit the web site: http://secappdev.org.

Places are limited, so do not delay registering to avoid disappointment.
Registration is on a first-come, first-served basis.
A 25% discount is available for Early Bird registration until January
15th. Alumni, public servants and independents receive a 50% discount.

I hope that we will be able to welcome you or your colleagues to our course.

Lieven Desmet
http://secappdev.org

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.14
************************
Received on Tue Jan 22 2013 - 16:00:33 PST

This archive was generated by hypermail 2.2.0 : Tue Jan 22 2013 - 16:58:21 PST