Risks Digest 28.13


From: RISKS List Owner <risko () csl sri com>
Date: Tue, 5 Aug 2014 10:56:03 PDT

RISKS-LIST: Risks-Forum Digest  Tuesday 5 August 2014  Volume 28 : Issue 13

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/28.13.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Canada: China hacked into National Research Council computers
  (Larry Werring)
CIA admits to spying on Senate (TheHill via David Farber)
Driverless cars and speed limits (Michael Bacon)
Tappan Zee Bridge: Left Coast Lifter gets tech upgrade? (Theresa Juva-Brown
  via Gene Wirchenko)
"The EPA doesn't know what clouds it has -- and neither do you"
  (David Linthicum via Gene Wirchenko)
BBC: Russia enacts 'draconian' law for bloggers and online media
  (Lauren Weinstein)
Chinese Communist Party-Backed Tech Giants Bring Censorship To The
  Global Stage (Techcrunch via NNSquad)
It's Legal to Unlock Your Cell Phone (*The White House* via Dave Farber)
How safe are your quantified selfies? (Symantec item via Henry Baker)
Google scans your e-mail for child porn, and reports to law enforcement when
  it finds same (Herb Lin via Dave Farber)
The Visual Microphone: Passive Recovery of Sound from Video (YouTube via
  NNSquad)
Forget "Heart Bleed"; meet "Heart Rate" (Henry Baker)
Re: 'Big Brother' airport installs world's first ... (Adam Shostack,
  Rob Bailey)
Re: Fouling the NEST; Who's roo(s)ting in your home? (Alister Wm Macintyre)
Re: Smart grid hack worries to raise insurance rates? (Brian Inglis)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 31 Jul 2014 21:44:22 -0400
From: "Larry Werring" <larry.werring () cyberunitss com>
Subject: Canada: China hacked into National Research Council computers

http://www.thestar.com/news/canada/2014/07/29/canadian_spy_agency_says_chinese_hacked_into_national_research_council_computers.html

The Canadian government took the unusual step Tuesday of pointing fingers
squarely at Beijing after a cyber attack on a prominent federal scientific
research agency.  The federal government's chief information officer
confirmed Tuesday that the National Research Council of Canada (NRC) was the
target of a cyberattack from a "highly sophisticated Chinese state-sponsored
actor."

Laurentius (Larry) Werring, VP Systems Security, Cyberun IT Security
Services, 207 Bank Street, Suite 168, Ottawa, ON K2P 2N2 Canada 1-613-297-9232

  [Also noted by Suzanne Johnson.  PGN]

------------------------------

Date: Thu, 31 Jul 2014 14:10:20 -0400
From: "David Farber via ip" <ip () listbox com>
Subject: CIA admits to spying on Senate | TheHill

http://thehill.com/policy/technology/213933-cia-admits-to-wrongly-hacking-into-senate-computers

CIA officials improperly hacked the Senate Intelligence Committee's
computers ahead of a report on `enhanced interrogation' techniques, the spy
agency's inspector general has concluded.

In a statement shared with The Hill, CIA spokesman Dean Boyd said that the
internal watchdog determined ``that some CIA employees acted in a manner
inconsistent with the common understanding'' between the agency and the
committee about access to the network they used to share documents.

CIA chief John Brennan told Intel Committee Chairwoman Dianne Feinstein
(D-Calif.) and Vice Chairman Saxby Chambliss (R-Ga.) about the findings
``and apologized to them for such actions by CIA officers,'' Boyd added.

------------------------------

Date: Fri, 1 Aug 2014 08:14:54 +0100
From: Michael Bacon <michaelbacon () tiscali co uk>
Subject: Driverless cars and speed limits

It is interesting to contemplate what confusion will be caused when a
driverless car passes a speed camera at a speed above the posted limit, say,
in temporary road works.

It is then amusing to contemplate the scenario of a faulty speed camera
falsely pinging a driverless car.  An "Oh no I wasn't." / "Oh yes you
were." pantomime dialogue between computers might ensue.

This brings to mind the situation reported a great many years ago when the
UK changed the dialing code for the telephone operator.  After consumers
complained of having no power, a faulty electricity substation was
discovered to be repeatedly sending an automated status report to which
another automated system was responding: "You no longer dial '0' for the
operator.  Please replace your receiver and dial '100'."

The RISK is that no-one will have thought of all the RISKS.  Unless, of
course, they are avid readers here.

------------------------------

Date: Thu, 31 Jul 2014 20:37:33 -0700
From: Gene Wirchenko <genew () telus net>
Subject: Tappan Zee Bridge: Left Coast Lifter gets tech upgrade?
  (Theresa Juva-Brown)

Theresa Juva-Brown, tjuva () lohud com 30 Jul 2014
The famous Left Coast Lifter -- the ginormous crane that will help build the
new Tappan Zee Bridge -- just got a new computer system
http://www.lohud.com/story/news/local/tappan-zee-bridge/2014/07/28/tappan-zee-bridge-left-coast-lifter-gets-tech-upgrade/13287985/

selected text:

This week Hiti's team finished installing the crane's new computer software
and hardware, including a flat panel touch screen for the operator.  The
computer now uses Windows 7 and has a solid-state hard drive instead of one
with cooling fans, which tend to erode in a marine environment, he said.

  As noted in alt.folklore.computers by Walter Bushell:

"IIUC the license for Windows always states it's not to be used in critical
operations.
Why oh why do people insist on using OSes outside their design regions?"

------------------------------

Date: Fri, 01 Aug 2014 10:02:16 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "The EPA doesn't know what clouds it has -- and neither do you"
  (David Linthicum)

David Linthicum | InfoWorld, 01 Aug 2014
A federal audit shows what's probably true at most enterprises: Cloud
services are hiding in the shadows of IT
http://www.infoworld.com/d/cloud-computing/the-epa-doesnt-know-what-clouds-it-has-and-neither-do-you-247150

opening text:

Do you know how much cloud computing is really going on in your
organization? If you're like IT management in most companies and government
agencies, you don't have a clue.

For example, the Environmental Protection Agency (EPA) doesn't know how many
cloud computing contracts it has or how secure they are, according to a
recent audit by the agency's inspector general, in a report released last
week. In at least one instance, the EPA may not have had access to a
subcontractor's cloud for investigative purposes. Worse, that same
subcontractor was not compliant with the Federal Risk and Authorization
Management Program (FedRAMP), which sets security standards for cloud
providers.

------------------------------

Date: Fri, 1 Aug 2014 09:33:11 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: BBC: Russia enacts 'draconian' law for bloggers and online media

  "A new law imposing restrictions on users of social media has come into
  effect in Russia.  It means bloggers with more than 3,000 daily readers
  must register with the mass media regulator, Roskomnadzor, and conform to
  the regulations that govern the country's larger media outlets.  Internet
  companies will also be required to allow Russian authorities access to
  users' information.  One human rights group called the move
  "draconian". The law was approved by Russia's upper house of parliament in
  April. It includes measures to ensure that bloggers cannot remain
  anonymous, and states that social networks must maintain six months of
  data on its users.  The information must be stored on servers based in
  Russian territory, so that government authorities can gain access."  BBC
  via NNSquad   http://www.bbc.com/news/technology-28583669

 - - -

Don't worry, Czar Putin knows what's good for you, comrade.

------------------------------

Date: Sat, 2 Aug 2014 22:52:55 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Chinese Communist Party-Backed Tech Giants Bring Censorship To The
  Global Stage

Techcrunch via NNSquad
http://techcrunch.com/2014/08/02/chinese-communist-party-backed-tech-giants-bring-censorship-to-the-global-stage/

  "It should come as no surprise, then, that the Portuguese version of Baidu
  produces heavily censored results on topics considered sensitive to the
  Chinese leadership.  Compare search results between Google's Portuguese
  edition and Baidu's. On Google.br.com, a search for Tank Man (el hombre
  del tanque) turns up photos, documentary video and news articles about the
  lone rebel who stood in the way of approaching tanks outside of Tiananmen
  Square in 1989 ..."

 - - -

The result when one country or group of countries tries to impose its
own censorship desires onto the entire planet.

------------------------------

Date: Friday, August 1, 2014
From: *The White House* <info () mail whitehouse gov>
Subject: It's Legal to Unlock Your Cell Phone (via Dave Farber)

*Note: You're receiving this email because you've previously petitioned the
White House on cell phone unlocking.*

It's Legal to Unlock Your Cell Phone

Last week, Congress passed a bill legalizing cell phone unlocking --
and this afternoon, President Obama signed that bill into law.

This effort began as a result of the petition you signed, "Make Unlocking
Cell Phones Legal." Two weeks after the petition crossed the threshold, we
laid out steps that the Federal Communications Commission (FCC), industry,
and Congress could take.

Your effort culminated in the Unlocking Consumer Choice and Wireless
Competition Act that President Obama signed today. The bill not only
restores the rights of consumers to unlock their phones, but ensures that
they can receive help doing so if they lack the technological savvy to
unlock on their own.

It's the first time a We the People petition has led to a legislative fix.

[...]

The White House, 1600 Pennsylvania Ave NW, Washington, DC 20500 202-456-1111

------------------------------

Date: Mon, 04 Aug 2014 09:05:54 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: How safe are your quantified selfies? (Symantec item)

FYI -- More about the vulnerabilities associated with Fitbit/Nike/Garmin/etc.

"For example in one app that tracks sexual activity, the app makes specific
requests to an analytics service URL at the start and end of each session."
http://www.symantec.com/connect/blogs/how-safe-your-quantified-self-tracking-monitoring-and-wearable-tech

Tracking, monitoring, and wearable tech, Symantec, 30 Jul 2014

Each day, millions of people worldwide are actively recording every aspect
of their lives, thoughts, experiences, and achievements in an activity known
as self-tracking (aka quantified self or life logging).  People who engage
in self-tracking do so for various reasons.  Given the amount of personal
data being generated, transmitted, and stored at various locations, privacy
and security are important considerations for users of these devices and
applications.  Symantec has found security risks in a large number of
self-tracking devices and applications.  One of the most significant
findings was that all of the wearable activity-tracking devices examined,
including those from leading brands, are vulnerable to location tracking.

Our researchers built a number of scanning devices using Raspberry Pi
minicomputers and, by taking them out to athletic events and busy public
spaces, found that tracking of individuals was possible.

Symantec also found vulnerabilities in how personal data is stored and
managed, such as passwords being transmitted in clear text and poor session
management.

www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/how-safe-is-your-quantified-self.pdf

  [Long item pruned for RISKS. Main section headings include:
  * How do self-tracking systems work?
  * So just how safe is your quantified self?
  * Location tracking of wearable devices
  * Transmission of tracking and personal data in clear text
    (20 percent of apps transmitted user credentials in clear text.)
  * Lack of privacy policies
    (52 percent of apps examined did not have privacy policies.)
  * Unintentional data leakage
    (The maximum number of unique domains contacted by a single app was 14
    and the average was five.)
  * Other security weaknesses
  * What can you do about this?
  * More information: latest paper
www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/how-safe-is-your-quantified-self.pdf ]

------------------------------

Date: Monday, August 4, 2014
From: Herb Lin <HLin () nas edu>
Subject: Google scans your e-mail for child porn and reports to law
  enforcement when it finds same (via Dave Farber)

Interesting thought.

http://www.telegraph.co.uk/technology/google/11010182/Why-Google-scans-your-emails-for-child-porn.html

Why Google scans your e-mail for child porn

Google trawls both the public internet and your private data to look for
images of child abuse, it has been revealed, after a convicted sex offender
is arrested over the contents of his GMail account

A convicted sex offender has been arrested after Google flagged images of
child abuse found in his GMail account to authorities, according to reports,
revealing that the search giant is quietly but methodically watching our
email activity for illegal images.

Google spotted that the man had illegal images of a young girl stored in
his GMail account during an automated search and reported it to the US
non-profit National Center for Missing and Exploited Children. A subsequent
police investigation led to his arrest. [...]

So, this process opens all kinds of opportunities for malicious behavior.  A
wants to harass B. So A sends B a known child porn image through gmail, even
though B has not requested it in any way.  Google identifies the image, and
notifies law enforcement authorities.  B is now the target of an
investigation -- the criminal offense being the receipt of child
pornography.

Even worse -- if the email is not opened or goes into spam, Google probably
still scans it, so B never knows he has to report anything to law
enforcement authorities even though Google is reporting it to them.

Folks, please think about a fix for this -- and don't propose a solution
that says Google should not scan those emails.  Is there a way to get both
the benefit of the scans and to prevent the harassment problem described
above?

[For those of you who want to know how Google knows an image is child porn
-- they compute a hash of the image and compare it against a database of
hashes of known CP images, that is images that have been adjudicated to be
CP in court.]

Thoughts? Thanks, Herb Lin

------------------------------

Date: Mon, 4 Aug 2014 08:44:29 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: The Visual Microphone: Passive Recovery of Sound from Video

YouTube via NNSquad
https://www.youtube.com/watch?v=FKXOucXB4a8

Using video (even consumer video) to recover sound from silent video, even
from outside rooms. Using a laser bouncing off window glass has long been a
technique for recovering room sounds remotely. The technology described here
emphasizes the need to keep external windows completely covered during
sensitive communications! Also, we can safely assume that intelligence
agencies (at a minimum) have been using this technique for some time.

------------------------------

Date: Sun, 03 Aug 2014 14:23:17 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Forget "Heart Bleed"; meet "Heart Rate"

FYI -- "[Low Resting Heart Rate] might be used to help predict future risk
among criminals" Do you really want to share your FitBit/Nike/Garmin
information with the FBI and the NSA?  Just sleep in the cloud...

"Are Fitbit, Nike, and Garmin Planning to Sell Your Personal Fitness Data?"
http://www.motherjones.com/politics/2014/01/are-fitbit-nike-and-garmin-selling-your-personal-fitness-data

David Kohn, Calm Hearts, Bad Behavior, *The New Yorker*, 2 Aug 2014
http://www.newyorker.com/tech/elements/calm-hearts-bad-behavior

For the past two years, researchers in Hong Kong interviewed the parents of
three hundred and thirty-four adolescents about the aggressive and
antisocial behavior of their children.  Did the kids hurt others to win a
game?  Were they concerned about the feelings of their peers?  The
scientists also measured the heart rate of the children and found that low
resting heart rate (L.R.H.R.) -- usually an indicator of good cardiovascular
health and the envy of distance runners and endurance athletes -- was linked
to bad behavior.

Adrian Raine, the lead author of the Hong Kong study, which appeared in the
July issue of the journal Aggressive Behavior, has been examining this odd
correlation since 1977, when he studied a group of fifteen-year-old boys and
found that those with a low heart rate were more likely to be convicted of
crimes.  Since then, Raine, a criminologist and psychologist at the
University of Pennsylvania, and the author of *The Anatomy of Violence*, has
become an expert on L.R.H.R. and other possible biological markers of
antisocial behavior, such as brain size and neurotransmitter levels.

He says that it's still not clear how the trait is connected to bad
behavior.  ``We've established that the link exists.  But we haven't nailed
down why.''

There are several theories, but Raine tends to favor the fearlessness
hypothesis, which says that some of those with L.R.H.R. remain undaunted by
the threats that would keep most of us in check.  When you get scared, your
heart rate goes up, because your body activates to deal with the imminent
hazard.  By definition, people with less fear tend not to get activated in
situations that others find threatening.

``These people don't learn that it's wrong to be aggressive,'' Laura Wilson,
a research psychologist at Virginia Tech University who has studied the
topic, told me.  ``They don't fear consequences.  They don't get sculpted
into the law-abiding citizens that most people become.''

Another possibility is that people with L.R.H.R. are chronically
under-aroused.  ``Having a low heart rate can be uncomfortable.  It kind of
feels like boredom,'' Amy Gower, a psychology researcher at the University
of Minnesota, says.  ``To relieve that, some people seek stimulation through
aggression.''

Raine's skeptics argue that L.R.H.R. and other biological factors play a
relatively minor role in determining who becomes a criminal.  ``The evidence
is pretty consistent that biological traits don't have a large effect,''
Robert Sampson, a social scientist at Harvard University who has studied the
topic for more than two decades, told me.  ``Social and environmental
characteristics have much more weight.''  He notes that crime rates vary
widely from country to country (Spain's murder rate, for instance, is
twenty-five times lower than Brazil's, and four times lower than in the
United States), even though the biology of humans in those countries differs
very little.  Sampson says that L.R.H.R. may not be biological but, rather,
the result of the same environmental factors that lead to crime: some people
may adapt to chronic stress with a lower heart rate.

Raine suggests that L.R.H.R. might be used to help predict future risk among
criminals.  Information about heart rate might help when deciding whether a
prisoner should be released early, or which sort of prison best fits a
particular offender.  If this idea, in which the fate of a prisoner would be
determined in part by biological data, evokes thoughts of eugenics, Raine,
whose research on so-called `neurocriminology' has been controversial for
decades, acknowledges that the proposal does, in fact, bring up difficult
issues about science, probability, and social control.  He agrees that
L.R.H.R. is far from the sole determinant of criminality; his review of the
research indicates that the trait accounts for about five per cent of all
antisocial behavior (and that the rest can be explained by social and
biological factors such as upbringing, neighborhood, education, income
level, brain chemistry and structure, and so on).  L.R.H.R. should be seen,
Raine says, as a potential warning sign rather than a definitive mark of
inevitable criminality.  ``Low heart rate is one piece of the jigsaw puzzle.
It's not the whole story, but it's not trivial either.''

------------------------------

Date: Fri, 1 Aug 2014 11:09:21 -0400
From: Adam Shostack <adam () shostack org>
Subject: Re: 'Big Brother' airport installs world's first ... (RISKS-28.12)

The Seattle mesh network has been at least temporarily turned off as a
result of a local activism group, the Seattle Privacy Coalition.  Details
about that network have been requested under local freedom of information
laws.

Some additional links for details:
https://www.seattleprivacy.org/the-sort-of-thing-we-are-curious-about/
http://www.dailydot.com/politics/seattle-police-mesh-network-shut-down/
https://twitter.com/SeattlePD/status/410248692264759297

------------------------------

Date: Thu, 31 Jul 2014 19:42:46 -0500
From: Rob Bailey <rob () wm8s com>
Subject: Re: 'Big Brother' airport installs world's first real-time
 passenger tracking system (RISKS-28.12)

In addition to cameras, Houston's TRANSTAR traffic monitoring system uses
your toll tag's serial number to track your location around the region, and
not just where you pay tolls. It then uses your location over time to
estimate average speeds on the various roads along your route. And lest you
think that you can avoid tracking by not getting a toll tag (something that
will make your travel more difficult, since they've restricted some roads to
tag-holders only), the system also uses the hardware address of your
Bluetooth devices (phone, car media system, etc.), for the same purpose.

Area drivers are given this assurance:

"The MAC addresses read by AWAM [Anonymous Wireless Address Matching] are
not directly associated with a specific user and do not contain any
personal data or information that could be used to identify or 'track' an
individual's whereabouts. In addition, all addresses collected by AWAM are
anonymized through encryption immediately upon receipt. Users who have
privacy concerns are also able to turn off the Bluetooth discovery function
of their device which prevents it from being read by AWAM at all."

http://traffic.houstontranstar.org/bluetooth/transtar_bluetooth.html

------------------------------

Date: Thu, 31 Jul 2014 20:14:50 -0500
From: "Alister Wm Macintyre \(Wow\)" <macwheel99 () wowway com>
Subject: Re: Fouling the NEST; Who's roo(s)ting in your home? (RISKS-28.12)

The severity of the security breach has not been fully embraced due to the
traditional assumption that a thermostat cannot function as more than a
thermostat even though users are enjoying its smartness.

Wasn't the TARGET breach a variation on this?  They had a system to help
manage refrigeration, and the hackers got in thru that system to do how much
damage?  The more complicated the system, the easier for hackers to spoof
the people who made it complicated.

------------------------------

Date: Thu, 31 Jul 2014 19:43:59 -0600
From: Brian Inglis <Brian.Inglis () systematicsw ab ca>
Subject: Re: Smart grid hack worries to raise insurance rates? (RISKS-28.10,11)

There may be more immediate issues for power companies and insurers to worry
about.

CBC News reports "SaskPower to remove 105,000 smart meters following fires"
subheaded "8 unexplained fires associated with new devices that measure
power consumption" at http://www.cbc.ca/news/canada/saskatchewan/1.2723046
and says the Saskatchewan government has ordered the provincial power
utility to remove all "smart" meters installed so far across the
province. The costs are estimated at $45/meter ("dumb" presumably) and $45
labour, costing $9.5M. The utility also has 100,000 more meters in stock,
and estimates the effort will take 6-8 months and total cost will reach
$14M.

Little of this is mentioned in their Smart Meters FAQ:
http://www.saskpower.com/our-power-future/construction-projects/smart-meters

CBC quotes the vendor as saying "Sensus underscores the critical importance
of careful meter installation procedures, including the examination of meter
boxes and wiring at installation, training of meter installers and the need
to have rapid remedial action when field problems are observed".

This may indeed point to an issue when installing 105,000 meters in a year
across areas of a large, sparsely populated province, on existing (outside)
meter bases, where the annual temperature range may be (a dry) -40C to +40C.

A quick web search indicates that these problems have been widespread across
North America and large deployments of "smart" meters have been canceled
and reversed due to some fires in a number of states. The same vendor name
crops up in a number of these cancellations.

Risk of not checking the reputation of the vendor and product, and possibly
installers too, or inadequately weighting such evidence against many
governments' requirement to accept the lowest bid offered.

Published reports on the causes and subsequent post-installation inspections
mention inadequate retraining of meter readers as installers, problems
reusing existing older meter bases, corrosion of bases, boxes, and
connectors, broken connection blocks, melted conductors, and loose wiring
connections as some of the installation issues identified.

Risk of not understanding the possible impact of opening up and fiddling
with an installation which may have been untouched for years or decades, and
not following manufacturers' recommendations on installer training,
inspection and replacement practices, and prerequisites for equipment
installation.

Also mentioned in some of those reports where "smart" meter installation
resumed, sometimes with different equipment from a different vendor, meter
readers would be retrained and redeployed as meter inspectors, to monitor
the condition and safety of the new meters. Risk of accounting only for
savings from the great new thing, and ignoring any potential requirements
and associated costs of going the new way.

Also mentioned at the bottom of the CBC article:
"Among the features of the new meters was an ability to transmit power usage
data through a radio frequency, making it unnecessary for a meter reader to
enter a home.  That feature had not been implemented for the new meters
already installed but was part of the overall plan for the new technology."

My experience and understanding of "smart" meter deployment benefits has
been that the costs are mainly justified by being able to have meter
"readers" drive by meter locations with wireless equipment to interrogate
the meter and receive the meter and usage data.  Thereby getting actual
usage more accurately, frequently, and cheaply than occasional meter
location visits and manual usage recording, with estimated usage billed
between visits.

The paragraph quoted above implies that a further installation or feature
enabling visit would have been necessary to gain any benefit from the new
meters.  Risk of having someone change something twice rather than doing
everything (hopefully properly) at once doubles the chances that some issue
will occur to let out the magic smoke, doubling the remediation costs (at
least, as these events demonstrate).

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string `notsp' at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 28.13
************************

