RISKS Forum mailing list archives
Risks Digest 27.47
From: RISKS List Owner <risko () csl sri com>
Date: Wed, 11 Sep 2013 15:52:12 PDT
RISKS-LIST: Risks-Forum Digest Weds 11 September 2013 Volume 27 : Issue 47

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.47.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

Contents:
On the NSA (Matthew Green via David Rosenthal and Dewayne Hendricks)
Johns Hopkins Tells Security Researcher To Remove Blog Post About NSA Encryption Attacks From University Server (Mike Masnick via Dewayne Hendricks)
Crypto prof asked to remove NSA-related blog post (Nate Anderson via Dewayne Hendricks)
Government Announces Steps to Restore Confidence on Encryption Standards (Nicole Perlroth)
"NSA Officers Spy on Love Interests" (Siobhan Gorman via Gene Wirchenko)
"NSA Leak Leaves Crypto-Math Intact but Highlights Known Workarounds" (Tom Simonite)
UK Internet Filter Blocks VPNs, Australia to Follow Soon?
  (Torrent Freak via Lauren Weinstein)
FTC Says Webcam's Flaw Put Users' Lives on Display (Edward Wyatt via Jim Reisert)
The Steely, Headless King of Texas Hold 'Em (Michael Kaplan via Monty Solomon)
American Fantasy Football app lets hackers change team rosters (Monty Solomon)
How an Austrian Used Legos to Hack Amazon's Kindle E-Book Security (Arik Hesseldahl via Monty Solomon)
Review Group on Global Signals Intelligence Collection and Communications Technologies Seeks Public Comment (Lauren Weinstein)
Trouble with Red Light Cameras (Ben Moore)
"World's most secure smartphone" looks like snake oil, experts say (Jon Brodkin)
Tiny screens spill the beans (jidanni)
Re: Test 'reveals Facebook, Twitter and Google snoop on e-mails' (Geoff Kuenning)
Re: HuffPo Edward Snowden Impersonated NSA Officials (Amos Shapir)
Re: 'Walkie-Talkie' skyscraper melts Jaguar car parts (Martyn Thomas, Glynn Clements, Steve Loughran)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Saturday, September 7, 2013
From: *Dewayne Hendricks*
Subject: On the NSA (Matthew Green via David Rosenthal)

[Note: This item comes from friend David Rosenthal. DLH]

Matthew Green, On the NSA, 5 Sep 2013
<http://blog.cryptographyengineering.com/2013/09/on-nsa.html>

Let me tell you the story of my tiny brush with the biggest crypto story of the year.

A few weeks ago I received a call from a reporter at ProPublica, asking me background questions about encryption. Right off the bat I knew this was going to be an odd conversation, since this gentleman seemed convinced that the NSA had vast capabilities to defeat encryption. And not in a 'hey, d'ya think the NSA has vast capabilities to defeat encryption?' kind of way. No, he'd already established the defeating. We were just haggling over the details.

Oddness aside it was a fun (if brief) set of conversations, mostly involving hypotheticals. If the NSA could do this, how might they do it?
What would the impact be? I admit that at this point one of my biggest concerns was to avoid coming off like a crank. After all, if I got quoted sounding too much like an NSA conspiracy nut, my colleagues would laugh at me. Then I might not get invited to the cool security parties.

All of this is a long way of saying that I was totally unprepared for today's bombshell revelations describing the NSA's efforts to defeat encryption. Not only does the worst possible hypothetical I discussed appear to be true, but it's true on a scale I couldn't even imagine. I'm no longer the crank. I wasn't even close to cranky enough.

And since I never got a chance to see the documents that sourced the NYT/ProPublica story -- and I would give my right arm to see them -- I'm determined to make up for this deficit with sheer speculation. Which is exactly what this blog post will be.

'Bullrun' and 'Cheesy Name'

If you haven't read the NYT or Guardian stories, you probably should. The TL;DR is that the NSA has been doing some very bad things. At a combined cost of $250 million per year, they include:

* Tampering with national standards (NIST is specifically mentioned) to promote weak, or otherwise vulnerable cryptography.
* Influencing standards committees to weaken protocols.
* Working with hardware and software vendors to weaken encryption and random number generators.
* Attacking the encryption used by 'the next generation of 4G phones'.
* Obtaining cleartext access to 'a major Internet peer-to-peer voice and text communications system' (Skype?)
* Identifying and cracking vulnerable keys.
* Establishing a Human Intelligence division to infiltrate the global telecommunications industry.
* And worst of all (to me): somehow decrypting SSL connections.

All of these programs go by different code names, but the NSA's decryption program goes by the name 'Bullrun' so that's what I'll use here.
How to break a cryptographic system

There's almost too much here for a short blog post, so I'm going to start with a few general thoughts. Readers of this blog should know that there are basically three ways to break a cryptographic system. In no particular order, they are: [...]

------------------------------

Date: September 9, 2013 5:43:31 PM EDT
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: Johns Hopkins Tells Security Researcher To Remove Blog Post About NSA Encryption Attacks From University Server (Mike Masnick)

Mike Masnick, TechDirt, from the now-take-a-look dept, 9 Sep 2013
<http://www.techdirt.com/articles/20130909/11193024453/johns-hopkins-tells-security-researcher-to-remove-blog-post-about-nsa-encryption-attacks-university-server.shtml>

Last week, a great blog post by cryptographer and research professor Matthew Green was posted, providing some fantastic details about the likely attack vectors by the NSA to compromise encryption schemes. It's a well written and detailed piece from someone who clearly knows what he's talking about. Oh, and it kicks off with an amusing story about how the reporters working on the "NSA builds backdoors into encryption" story had contacted him for comments and, because they didn't reveal too many details, he was concerned about coming off as too paranoid or too much of a "crank." However, after the details came out, he realized he "wasn't cranky enough."

  Oddness aside it was a fun (if brief) set of conversations, mostly involving hypotheticals. If the NSA could do this, how might they do it? What would the impact be? I admit that at this point one of my biggest concerns was to avoid coming off like a crank. After all, if I got quoted sounding too much like an NSA conspiracy nut, my colleagues would laugh at me. Then I might not get invited to the cool security parties.
  All of this is a long way of saying that I was totally unprepared for today's bombshell revelations describing the NSA's efforts to defeat encryption. Not only does the worst possible hypothetical I discussed appear to be true, but it's true on a scale I couldn't even imagine. I'm no longer the crank. I wasn't even close to cranky enough.

He then goes on to explain where the most probable attacks are coming from and what we should be most worried about and what's likely still safe.

I had hoped to write up something about the post in general, but today something new came up. Green noted that the Dean where he teaches, at Johns Hopkins, had asked him to remove the blog post from the university's servers. The blog post was cross-posted both to a blog on the university's servers, as well as to Green's personal blog on Blogger. The personal blog post is still up (and now about to get that much more attention for the takedown). He also notes that this "isn't my Dean's fault" though plenty of folks are curious whose fault it might be. For what it's worth, it appears that Hopkins has a close relationship with the NSA, and the school really isn't that far from the NSA's headquarters. [...]

Dewayne-Net RSS Feed: <http://dewaynenet.wordpress.com/feed/>

------------------------------

Date: September 9, 2013 7:36:06 PM EDT
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: Crypto prof asked to remove NSA-related blog post (Nate Anderson)

[Note: Latest info on the earlier posting I made on this story today. DLH]

Nate Anderson, ArsTechnica, 9 Sep 2013
Predictable backtrack from Johns Hopkins comes a few hours later.
<http://arstechnica.com/security/2013/09/crypto-prof-asked-to-remove-nsa-related-blog-post/>

Matthew Green is a well-known cryptography professor, currently teaching in the computer science department of Johns Hopkins University in Baltimore.
Last week, Green authored a long and interesting blog post about the recent revelations that the National Security Agency (NSA) has, among much else, subverted crypto standards. In his words, "The TL;DR ['too long; didn't read' version] is that the NSA has been doing some very bad things." And Green went on to speculate at some length about what those "bad things" were and what they might mean.

Today, Green's academic dean contacted him to ask that "all copies" of the blog post be removed from university servers. Green said that the move was not "my Dean's fault," but he did not elaborate. Were cryptology professors at Johns Hopkins not allowed to say, as Green had, things like:

  I was totally unprepared for today's bombshell revelations describing the NSA's efforts to defeat encryption. Not only does the worst possible hypothetical I discussed appear to be true, but it's true on a scale I couldn't even imagine. I'm no longer the crank. I wasn't even close to cranky enough.

Was basic academic freedom on the line? Had the request even come initially from Johns Hopkins or from outside the school -- perhaps someone at the NSA headquarters just up the road from Baltimore? I asked Johns Hopkins, and spokesman Dennis O'Shea responded with the school's side of the story:

  The university received information this morning that Matthew Green's blog contained a link or links to classified material and also used the NSA logo. For that reason, we asked Professor Green to remove the Johns Hopkins-hosted mirror site for his blog. Upon further review, we note that the NSA logo has been removed and that he appears to link to material that has been published in the news media. Interim Dean Andrew Douglas will inform Professor Green that the mirror site may be restored.

The statement raised further questions, including: from whom did the school "receive" its information?
Why was the school's top administration getting involved in the use of the NSA logo on one professor's individual blog post? What was the point of the request given that Green had also published the post to a mirror hosted at Blogger? Wasn't the whole episode likely to bring far greater traffic to Green's post once word of the takedown request got out?

Late this afternoon, Green shared his side of the story on Twitter (tweets concatenated below for ease of reading): [...]

Dewayne-Net RSS Feed: <http://dewaynenet.wordpress.com/feed/>

------------------------------

Date: Wed, 11 Sep 2013 11:26:53 -0400
From: ACM TechNews <technews () HQ ACM ORG>
Subject: Government Announces Steps to Restore Confidence on Encryption Standards (Nicole Perlroth)

Nicole Perlroth, *The New York Times*, 10 Sep 2013, via ACM TechNews,

The U.S. National Institute of Standards and Technology (NIST) announced that it will reopen the public vetting process for the Dual EC DRBG encryption standard, after reports that the U.S. National Security Agency (NSA) had written the standard and could break it. "We want to assure the IT cybersecurity community that the transparent, public process used to rigorously vet our standards is still in place," NIST says. "NIST would not deliberately weaken a cryptographic standard." The announcement comes after recent revelations that NSA has been able to get around much of the encryption that protects massive amounts of information on the Internet. For encryption to be secure, the system must generate secret prime numbers randomly. However, one of the random number generators used in the Dual EC DRBG standard contained a back door for the NSA. The standard was adopted by NIST and by the International Organization for Standardization, which has 163 member countries.
Many cryptographers previously had expressed reservations about NSA's participation in developing encryption standards, and some say they now have lost confidence in the NIST standards-setting process. "We'll have to re-evaluate that relationship," Johns Hopkins University cryptography researcher Matthew D. Green wrote in a blog post. "Trust has been violated."

http://bits.blogs.nytimes.com/2013/09/10/government-announces-steps-to-restore-confidence-on-encryption-standards/

------------------------------

Date: Sat, 07 Sep 2013 15:02:34 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "NSA Officers Spy on Love Interests"

Siobhan Gorman, WashWire, 23 Aug 2013
http://blogs.wsj.com/washwire/2013/08/23/nsa-officers-sometimes-spy-on-love-interests/

opening text:

WASHINGTON National Security Agency officers on several occasions have channeled their agency's enormous eavesdropping power to spy on love interests, U.S. officials said.

The practice isn't frequent -- one official estimated a handful of cases in the last decade -- but it's common enough to garner its own spycraft label: LOVEINT.

------------------------------

Date: Mon, 09 Sep 2013 13:01:03 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "NSA Leak Leaves Crypto-Math Intact but Highlights Known Workarounds" (Tom Simonite)

Tom Simonite, *MIT Technology Review*, 9 Sep 2013
New details of the NSA's capabilities suggest encryption can still be trusted. But more effort is needed to fix problems with how it is used.
http://www.technologyreview.com/news/519171/nsa-leak-leaves-crypto-math-intact-but-highlights-known-workarounds/

------------------------------

Date: Fri, 6 Sep 2013 09:46:43 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: UK Internet Filter Blocks VPNs, Australia to Follow Soon?

"In the UK mobile Internet providers are required to block content that may be considered "harmful" to children.
The filter mainly targets adult oriented content, but one provider now says that VPN services also fall into this category as they allow kids to bypass age restrictions."

http://j.mp/19pyD5N (Torrent Freak via NNSquad)

------------------------------

Date: Thu, 5 Sep 2013 17:42:48 -0600
From: Jim Reisert AD1C <jjreisert () alum mit edu>
Subject: FTC Says Webcam's Flaw Put Users' Lives on Display (Edward Wyatt)

Edward Wyatt, 4 Sep 2013

The so-called Internet of Things -- digitally connected devices like appliances, cars and medical equipment -- promises to make life easier for consumers. But regulators are worried that some products may be magnets for hackers.

On Wednesday, the Federal Trade Commission took its first action to protect consumers from reckless invasions of privacy, penalizing a company that sells Web-enabled video cameras for lax security practices.

According to the F.T.C., the company, TRENDnet, told customers that its products were `secure', marketing its cameras for home security and baby monitoring. In fact, the devices were compromised. The commission said a hacker in January 2012 exploited a security flaw and posted links to the live feeds, which ``displayed babies asleep in their cribs, young children playing and adults going about their daily lives.''

http://www.nytimes.com/2013/09/05/technology/ftc-says-webcams-flaw-put-users-lives-on-display.html

------------------------------

Date: Mon, 9 Sep 2013 09:43:46 -0400
From: Monty Solomon <monty () roscom com>
Subject: The Steely, Headless King of Texas Hold 'Em (Michael Kaplan)

Michael Kaplan, *The New York Times*, 5 Sep 2013

Stroll among the games at the Cosmopolitan, the newest casino on the Las Vegas Strip, and you might be overwhelmed by the latest whooping and flashing gambling machines.
All the high-resolution monitors and video effects, devoted to themes ranging from deep-sea-fishing expeditions to Spider-Man to the unsubtlest visions of cash washing over lucky winners, are only the most obvious signs of technology's move onto the casino floor. Behind the scenes, server-based gaming now enables managers to rapidly alter payouts, raise or reduce betting minimums, even change games themselves. (In just minutes, a bank of slot machines styled for dance clubbers can be rethemed to appeal to church ladies on a Sunday afternoon.)

But a few deceptively prim-looking machines represent an even greater technological leap, the biggest advance in automated gambling since Charles Fey introduced the one-armed bandit in 1895. They owe the way they play to artificial intelligence.

The machines, called Texas Hold 'Em Heads Up Poker, play the limit version of the popular game so well that they can be counted on to beat poker-playing customers of most any skill level. Gamblers might win a given hand out of sheer luck, but over an extended period, as the impact of luck evens out, they must overcome carefully trained neural nets that self-learned to play aggressively and unpredictably with the expertise of a skilled professional.

Later this month, a new souped-up version of the game, endorsed by Phil Hellmuth, who has won more World Series of Poker tournaments than anyone, will have its debut at the Global Gaming Expo in Las Vegas. The machines will then be rolled out into casinos around the world. They will be placed alongside the pure numbers-crunchers, indifferent to the gambler.

But poker is a game of skill and intuition, of bluffs and traps. The familiar adage is that in poker, you play the player, not the cards. This machine does that, responding to opponents' moves and pursuing optimal strategies. But to compete at the highest levels and beat the best human players, the approach must be impeccable.
Gregg Giuffria, whose company, G2 Game Design, developed Texas Hold 'Em Heads Up Poker, was testing a prototype of the program in his Las Vegas office when he thought he detected a flaw. When he played passively until a hand's very last card was dealt and then suddenly made a bet, the program folded rather than match his bet and risk losing more money. "I called in all my employees and told them that there's a problem," he says. The software seemed to play in an easily exploitable pattern. "Then I played 200 more hands, and he never did anything like that again. That was the point when we nicknamed him Little Bastard." ...

http://www.nytimes.com/2013/09/08/magazine/poker-computer.html

------------------------------

Date: Mon, 9 Sep 2013 09:43:05 -0400
From: Monty Solomon <monty () roscom com>
Subject: American Fantasy Football app lets hackers change team rosters

http://www.theregister.co.uk/2013/09/06/yahoo_gridiron_game_uncryption/

------------------------------

Date: Fri, 6 Sep 2013 23:50:40 -0400
From: Monty Solomon <monty () roscom com>
Subject: How an Austrian Used Legos to Hack Amazon's Kindle E-Book Security (Arik Hesseldahl)

Arik Hesseldahl, 6 Sep 2013

I wouldn't normally pay much attention to an item like this, but there's just something about it that I find fascinating, involving Amazon's Kindle and Legos.

A university professor in Austria has released the video below, showing how he has automated a low-tech approach to bypassing the digital rights management system on the Kindle. His name is Peter Purgathofer, and he's an associate professor at the Vienna University of Technology.

Using Lego's Mindstorms - a basic robotics kit popular with hobbyists - plus a Kindle and a Mac, he has assembled a way to photograph what's on the screen, and then submit it to a cloud-based text-recognition service.

It's sort of a combination of high tech meets low. The scanning is done by way of the Mac's iSight camera.
The Mindstorms set does two things: Hits the page-advance button on the Kindle (it appears to be an older model, like the one in the picture above), then mashes the space bar on the Mac, causing it to take a picture. ...

http://allthingsd.com/20130906/how-a-man-in-austria-used-legos-to-hack-amazons-kindle-e-book-security/
http://vimeo.com/73675285

------------------------------

Date: Thu, 5 Sep 2013 17:34:45 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Review Group on Global Signals Intelligence Collection and Communications Technologies Seeks Public Comment

The Review Group is seeking public comments on all matters that the President has directed it to examine, namely, how in light of advancements in communications technologies, the United States can employ its technical collection capabilities in a manner that optimally protects our national security and advances our foreign policy while respecting our commitment to privacy and civil liberties, recognizing our need to maintain the public trust, and reducing the risk of unauthorized disclosure. Comments can be provided via reviewgroup () dni gov. The deadline for public submissions is October 4, 2013.

http://j.mp/1aaVF1x (Tumblr via NNSquad)

------------------------------

Date: Wed, 4 Sep 2013 22:04:10 GMT
From: "Ben Moore" <ben.moore () juno com>
Subject: Trouble with Red Light Cameras

Mississippi has issued two tags (and probably many more) with the same numbers. The one photographed by the red light camera in Memphis, TN was a handicapped tag with the prefix DB and the number 8699. The person who received the automated citation has a normal usage tag of DB8-699.

http://wreg.com/2013/09/03/memphis-red-light-camera-has-southaven-family-seeing-red/

This is the same jurisdiction where "Councilman Myron Lowery suggested the city add red light cameras as a way to add revenue. Under some estimates, the city could gain up to $29 million by installing new cameras."
http://www.localmemphis.com/news/local/story/City-Council-Votes-to-Cut-Jobs-Keep-Free-Lunch/tOcEsaG9IkiU87JhkWHyYA.cspx

------------------------------

Date: Thu, 5 Sep 2013 08:31:58 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: "World's most secure smartphone" looks like snake oil, experts say (Jon Brodkin)

Jon Brodkin, 4 Sep 2013
"Encrypted phone concept a good one, but secrecy and FUD inspire skepticism."
http://j.mp/17S3fj2 (Ars Technica via NNSquad)

  [QSAlpha promises `perfect security' in its prospective Kickstarter smart phone, while at the same time seeking `crowdfunding' so that they can develop it. RISKS readers should know that perfect security is basically impossible when confronting realistic sets of real attacks, not to mention hypothetical or theoretical ones. Insider misuse? Denials of service? Software flaws? Compromisable hardware? Perhaps the crowdfunding is actually a Scam? Or is this just sales hype? Let us know if you spend $395 to reserve one for April 2014 delivery, and how that works out. PGN]

------------------------------

Date: Tue, 10 Sep 2013 03:22:07 +0800
From: jidanni () jidanni org
Subject: tiny screens spill the beans

I whistleblew something to the authorities, and next thing you know they call my number asking for the violator. Well at least they didn't call the violator asking for me... Can't blame 'em, all that info cramped on a tiny screen. (Or maybe the screens are too big?)

------------------------------

Date: Sun, 08 Sep 2013 23:47:28 -0700
From: Geoff Kuenning <geoff () cs hmc edu>
Subject: Re: Test 'reveals Facebook, Twitter and Google snoop on e-mails' (Delgado, RISKS-27.46)
Facebook, Twitter and Google have been caught snooping on messages sent across their networks, new research claims, prompting campaigners to express concerns over privacy.
I'm not sure there is actual snooping going on here. One way to protect naive users against phishing attacks is to open the URLs they have been sent and examine them for "phishiness". Bad URLs are rewritten. If that's what's going on here and no records are kept, then it's probably no great cause for concern (although the practice should be clearly disclosed and customers should be given the chance to opt out). But if records are kept (and some techniques at least require records of the URLs that appear, though not association with particular customers) or if the URLs are used for other purposes such as advertising or warrantless searches, then I see a bigger problem.

Geoff Kuenning   geoff () cs hmc edu   http://www.cs.hmc.edu/~geoff/

------------------------------

Date: Mon, 9 Sep 2013 15:43:30 +0200
From: Amos Shapir <amos083 () gmail com>
Subject: Re: HuffPo Edward Snowden Impersonated NSA Officials (RISKS-27.45)
former intelligence official told NBC, "This is why you don't hire brilliant people for jobs like this. You hire smart people. Brilliant people get you in trouble.''
If by "brilliant" he means "eccentric", the main trouble may be embarrassment. The real danger is not from brilliant people publicizing secrets for ideological reasons, but from ordinary people who may sell them to foreign agents or criminals.

It's not just the NSA -- access to sensitive information in banks, medical institutions, etc., is often protected by third-party security products. It's easy to imagine that a developer of such a product, under financial pressure, may be tempted to install a back door in the product and sell access to the highest bidder. Of course we would never hear of such cases (which in all likelihood may have already happened) because even a rumor that something like this is possible might bring down a security company -- and many of its customers.

------------------------------

Date: Thu, 05 Sep 2013 18:36:04 +0100
From: Martyn Thomas <martyn () thomas-associates co uk>
Subject: Re: 'Walkie-Talkie' skyscraper melts Jaguar car parts (RISKS-27.46)
A risk overlooked in the CAD program? http://www.bbc.co.uk/news/uk-england-london-23930675
In a BBC interview, the developers said that their CAD program takes all the reflections into account, but that tolerances in the specification may have caused the problem.

------------------------------

Date: Thu, 5 Sep 2013 19:27:52 +0100
From: Glynn Clements <glynn () gclements plus com>
Subject: Re: 'Walkie-Talkie' skyscraper melts Jaguar car parts (RISKS-27.46)

This isn't the first time the phenomenon has been reported, e.g.:

http://www.reviewjournal.com/news/vdara-visitor-death-ray-scorched-hair
http://en.wikipedia.org/wiki/Walt_Disney_Concert_Hall#Reflection_problems

------------------------------

Date: Mon, 9 Sep 2013 18:37:41 +0100
From: Steve Loughran <steve.loughran () gmail com>
Subject: Re: 'Walkie-Talkie' skyscraper melts Jaguar car parts (RISKS-27.46)

There's been more details on the London building that acts as a lens
http://www.theguardian.com/artanddesign/2013/sep/06/walkie-talkie-architect-predicted-reflection-sun-rays

1. "the original design of the building had featured horizontal sun louvres on its south-facing facade, but these are believed to have been removed during cost-cutting as the project developed."

2. "The developers have blamed the problem on "the current elevation of the sun in the sky," a position Vinoly [n~] seems inclined to share."

It sounds more like the developers used a weather dataset from the last two summers, so assumed that sunlight would not be an observable event during most of the month -- so cut back on preventative actions. Happily for most UK residents, and sadly for the building developers, August has been very sunny.

If so, blame weather datasets and cost/benefit spreadsheets, not CAD tools.

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.

=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.

=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
   or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .

==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.

==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.47
************************