Home page logo
/

risks logo RISKS Forum mailing list archives

Risks Digest 26.66
From: RISKS List Owner <risko () csl sri com>
Date: Tue, 6 Dec 2011 8:59:42 PST

RISKS-LIST: Risks-Forum Digest  Tuesday 6 December 2011  Volume 26 : Issue 66

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/26.66.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Civilian Use of Drone Aircraft May Soon Fly In the US (W. J. Hennigan)
Underpublicized risks of mobile devices (Valdis Kletnieks)
Comedy of Errors Led to False "Water Pump Hack" Report (Kim Zetter via
  Lauren Weinstein)
GCHQ code-cracking challenge "cracked" -- by a Google search! (Robert Meineke)
Ongoing large-scale distributed SSH brute-force attack (Jonathan Kamens)
Skype flaw reveals users' location, file-downloading habits (Joan Goodchild
  via Monty Solomon)
"Security researchers say HP printers vulnerable to hackers" (Gene Wirchenko)
HP printers can be remotely controlled and set on fire, researchers claim
  (Jon Brodkin via Monty Solomon)
The risks of information sharing? (Steven Bellovin)
Exam Cheating on Long Island Hardly a Secret (Anderson/Applebome)
Apple iTunes ... Trojan horse that gives governments access to your computer
  and files  (Gordon Peterson)
Sneaky Mobile Ads Invade Android Phones (Tom Spring via Monty Solomon)
"Carrier IQ: The Sony rootkit all over again" (Robert X. Cringely)
"CarrierIQ" on various mobile handsets (Android Security Test)
Re: Carrier IQ May Have Violated Wiretap Law In Millions Of Cases
  (Declan McCullagh)
"Carrier IQ and Facebook pose the least of your privacy threats" (Galen
  Gruman)
AT&T, Sprint, T-Mobile admit to using Carrier IQ; Apple says it doesn't
  anymore (Lauren Weinstein)
Re: Cybersecurity Requires Patches, Not a Vast Bill (Martyn Thomas)
Re: Complexity (Bob Frankston)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 1 Dec 2011 6:06:38 PST
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Civilian Use of Drone Aircraft May Soon Fly In the US (W. J. Hennigan)

"Drone aircraft, best known for their role in hunting and destroying
terrorist hideouts in Afghanistan and Pakistan, may be coming soon to the
skies near you. Police agencies want drones for air support to find runaway
criminals. Utility companies expect they can help monitor oil, gas and water
pipelines. Farmers believe drones could aid in spraying crops with
pesticides. 'It's going to happen,' said Dan Elwell, vice president of civil
aviation at the Aerospace Industries Association.  'Now it's about figuring
out how to safely assimilate the technology into national airspace.'  That's
the job of the Federal Aviation Administration, which plans to propose new
rules for using small drones in January, a first step toward integrating
robotic aircraft into the nation's skyways."  [Source: W.J. Hennigan,
*Seattle Times*, 29 Nov 2011]
  http://seattletimes.nwsource.com/html/nationworld/2016882681_drones29.html

  [Misappropriating Vint Cerf's famous statement on the Internet,
    ``Drones are for everyone?''  PGN]

------------------------------

Date: Wed, 30 Nov 2011 13:51:05 -0500
From: Valdis.Kletnieks () vt edu
Subject: Underpublicized risks of mobile devices

Heard on Blacksburg Transit on the way to work yesterday:

  "Damn you, Angry Birds. I just missed my stop."

------------------------------

Date: Wed, 30 Nov 2011 23:39:58 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Comedy of Errors Led to False "Water Pump Hack" Report (RISKS-26.65)

  "Even though Mimlitz's username was connected to the Russian IP address in
  the SCADA log, no one from the fusion center bothered to call him to ask
  if he had logged in to the system from Russia. Instead, the center
  released a report on Nov. 10 titled "Public Water District Cyber
  Intrusion" that connected the broken water pump to the Russian log-in five
  months earlier, inexplicably stating that the intruder from Russia had
  turned the SCADA system on and off, causing the pump to burn out.  "And at
  that point all hell broke loose," Craven said."  [Source: Kim Zetter,
  *WiReD*] http://j.mp/rvWnEC

"Oh Boy!  We get to announce a Foreign CYBER-ATTACK!  Maybe Terrorists
conducting a dry run on a small water system! -- That's what the "experts"
will say on TV!  Don't bother with the reality checks, that could spoil all
the fun!"

------------------------------

Date: Mon, 5 Dec 2011 05:27:11 -0800
From: Robert Meineke <rmeineke () gmail com>
Subject: GCHQ code-cracking challenge "cracked" -- by a Google search!

*The Register*:
http://www.theregister.co.uk/2011/12/03/gchq_code_crack_compo_snafu/

I was going to make a 'crack' about security through obscurity, but I'm not
sure that this even rises to that level!

  [Robert, You are a real firecracker!  PGN]

------------------------------

Date: Sun, 04 Dec 2011 00:23:21 -0500
From: Jonathan Kamens <jik () kamens us>
Subject: Ongoing large-scale distributed SSH brute-force attack

In the past, securing SSH on the public Internet has been pretty much as
easy as (a) keep your OS patched, (b) don't let root log in with a password,
and (c) run fail2ban to stop brute-force attacks.

Unfortunately, it looks like the bad guys have finally figured out how to
put their bots to work running distributed SSH brute-force attacks.  If so,
then fail2ban is no longer going to be good enough, and more sophisticated
(and inconvenient) measures are going to be needed.

Prior to 1 Dec, the five machines I maintain with SSH servers accessible to
the public have been probed by an average of 13 different IP addresses per
day.  On 1 Dec, they were probed by 109 different IP addresses, a 738%
increase over the prior average. On 2 and 3 Dec, they were probed by 79 and
72 different IP addresses. Not as high as the first day, but still quite a
jump!

I saw this increase across the board on five different machines on four
distinct networks run by four different network service providers. I've been
in correspondence with someone at the SANS Internet Storm Center who says
he's seen a similar spike on machines he maintains.

It seems clear to me that someone is engaging in a distributed brute-force
attack trying to break into servers as root via ssh.

Since this particular attack is targeted at the root user, you're safe for
the time being as long as you don't allow root to log in with a
password. But it's only a matter of time before they start attempting
distributed brute-force attacks of non-root accounts. When that happens,
blocking individual IP addresses with a series of failed login attempts is
no longer going to be sufficient.

If you maintain a server whose SSH port is open to the public, please let me
know the details if you're seeing a similar attack on your server (you can
post a comment on my blog
<http://blog.kamens.us/2011/12/04/ongoing-large-scale-distributed-ssh-brute-force-attack/>
or email me <mailto:jik () kamens us>. In case it is useful, here
<http://stuff.mit.edu/%7Ejik/software/ssh-logs.pl.txt> is the script I have
been using to collect and display data from the machines I maintain.

------------------------------

Date: Fri, 2 Dec 2011 10:30:30 -0500
From: Monty Solomon <monty () roscom com>
Subject: Skype flaw reveals users' location, file-downloading habits

Joan Goodchild, CSO Online, 1 Dec 2011
A team of researchers has uncovered an issue that imperils Skype
users' privacy by putting their location and identity up for grabs

Researchers have found a flaw in Skype that can expose your location,
identity and the content you're downloading. Microsoft, which owns Skype,
says they are working on the problem.

The issue was uncovered earlier this year by a team of researchers from
Polytechnic Institute of New York University (NYU-Poly), MPI-SWS in Germany
and INRIA in France and included Keith Ross, Stevens Le Blond, Chao Zhang,
Arnaud Legout, and Walid Dabbous. The team presented the research in Berlin
recently at the Internet Measurement Conference 2011 in a paper titled "I
know where you are and what you are sharing."

The researchers found several properties of Skype that can track not only
users' locations over time, but also their peer-to-peer (P2P) file-sharing
activity, according to a summary of the findings on the NYU-Poly web
site. Earlier this year, a German researcher found a cross-site scripting
flaw in Skype that could allow someone to change an account password without
the user's consent. ...

http://www.csoonline.com/article/695631/skype-flaw-reveals-users-location-file-downloading-habits

 - - - -

Somini Sengupta, Skype Can Expose Your Location, Researchers Say,
*The New York Times* blogs, 29 Nov 2011
http://bits.blogs.nytimes.com/2011/11/29/skype-can-expose-your-location-researchers-say/

Remember when a prankster could make himself a general nuisance by calling
your home phone and quickly hanging up?

The equivalent of a prank call on Skype, the popular
voice-over-Internet-Protocol service, can be much more than a nuisance. If
you are logged in to Skype, a prankster - or thief or spy - can effectively
track where you are and in some circumstances, what you do and even what you
download, according to an experiment led by Keith Ross, a computer science
professor at the Polytechnic Institute of New York University in Brooklyn.
Mr. Ross, along with his collaborators at the French computer research
institute, Inria, followed 10,000 randomly selected Skype users over 16
days. ...

------------------------------

Date: Tue, 29 Nov 2011 13:35:44 -0800
From: Gene Wirchenko <genew () ocis net>
Subject: "Security researchers say HP printers vulnerable to hackers"

Woody Leonhard | InfoWorld, 29 Nov 2011
Flaw in HP's printer firmware update procedures could expose your
company's printers to hackers. Here are the steps you should take to
protect them
http://www.infoworld.com/t/hacking/security-researchers-say-hp-printers-vulnerable-hackers-180253

selected text:

MSNBC released an "exclusive" report quoting two Columbia University
researchers as saying that millions of HP printers are open to potentially
devastating online hacks. While the security holes appear to be very real,
there's a great deal of question about whether the attacks could ever be
implemented in a real-world situation -- and there are steps you can take at
your corporate firewall right now to mitigate the threat.

The fundamental problem stems from the way HP printers validate firmware
updates prior to applying them. Or more accurately, the way HP printers
don't bother to validate firmware updates prior to applying them.

The demo referenced in the MSNBC report involved an HP printer's fuser. The
altered firmware turned the fuser on and left it on, browning the paper and
throwing off smoke, before the printer's thermal interrupt kicked in.

------------------------------

Date: Tue, 29 Nov 2011 23:41:05 -0500
From: Monty Solomon <monty () roscom com>
Subject: HP printers can be remotely controlled and set on fire,
 researchers claim (Jon Brodkin)

Jon Brodkin, Ars Technica

Security researchers at Columbia University have accused HP of selling
printers with a flaw that could let hackers gain remote control over the
devices. Once compromised, the access can be used to steal personal
information, attack networks, and even set printers on fire by feeding them
a continuous stream of instructions designed to heat them up.

The researchers, funded by government and industry grants, reported the flaw
to federal officials and HP this month, and gave a demonstration to MSNBC,
which has an extensive article on the subject today. HP told MSNBC that it
is reviewing the details, but denied that the problem is as extensive as
claimed by Columbia PhD student Ang Cui and Professor Salvatore Stolfo.  ...

http://arstechnica.com/business/news/2011/11/hp-printers-can-be-remotely-controlled-and-set-on-fire-researchers-claim.ars

------------------------------

Date: Mon, 5 Dec 2011 10:25:01 -0500
From: Steven Bellovin <smb () cs columbia edu>
Subject: The risks of information sharing?

My daughter sent me the following note:

  There's some discussion on the cycling list I'm on about whether bike
  thieves are looking at Strava, a site that lets people compare routes
  they've ridden, to target nice bikes.  Apparently, people's profiles show
  the bikes they've ridden on which rides, and given the ride data, you can
  make a pretty good guess about where their bikes are stored...

There's no hard evidence that this is the thieves' MO, but a lot of people
are speculating and wondering.

Steve Bellovin, https://www.cs.columbia.edu/~smb

------------------------------

Date: Fri, 2 Dec 2011 03:33:26 -0500
From: Monty Solomon <monty () roscom com>
Subject: Exam Cheating on Long Island Hardly a Secret (Anderson/Applebome)

Jenny Anderson and Peter Applebome, *The New York Times*, 2 Dec 2011
http://www.nytimes.com/2011/12/02/education/on-long-island-sat-cheating-was-hardly-a-secret.html

The suspected test takers came from prominent, respected families, some of
them in financial distress - among the five facing felony charges were the
sons of a well-known lawyer, the president of the local library board and a
wealthy philanthropic family.  The youths who are accused of paying them as
much as $3,600 to take SAT and ACT tests were largely undistinguished
students willing to cut corners to strengthen their modest sums.

The combination yielded one of the most conspicuous cheating scandals in
memory, a telling reflection on the college admissions rat race - and,
perhaps, contemporary ethics more broadly. According to prosecutors,
principals, parents and teenagers here on Long Island's Gold Coast, it was
common knowledge at some of the nation's most prestigious high schools that
if you had the money, you could find someone with a sharper vocabulary and a
surer grasp of geometry to fill in the blanks for you. ...

------------------------------

Sent: Mon, 05 Dec 2011 11:01 AM
From: Gordon Peterson <gep2 () terabites com>
Subject: Apple iTunes ... Trojan horse that gives governments access to your computer and files
  [From Dave Farber's IP]

It is being announced that the iTunes software you probably have on your
computer has a purposely built-in back door that allows governments to
surreptitiously log into your computer and prowl around through your
personal data and files.  And of course, virtually everyone allows iTunes to
go through firewalls and other security protections that would otherwise
prevent malicious intrusion.

(This web page is in French, if you're using Google Chrome and don't
understand French, I suggest you use the Google Chrome translation feature.)
http://www.nikopik.com/2011/12/itunes-un-cheval-de-troie-a-la-solde-des-gouvernements.html

Gordon Peterson II  http://personal.terabites.com

------------------------------

Date: Mon, 5 Dec 2011 13:34:09 -0500
From: Monty Solomon <monty () roscom com>
Subject: Sneaky Mobile Ads Invade Android Phones

Download the wrong app to your Android phone, and you may end up with ads on
your home screen or notification bar. We'll tell you who's behind the
annoyance and how to get the ads off your phone.

Tom Spring, 4 Dec 2011

Are you wondering how that mysterious icon ended up on your Android phone's
start screen? Annoyed at the ads clogging your notification bar? You aren't
alone. Thousands of Android apps now include software that shoves marketing
icons onto your phone's start screen or pushes advertising into your
notification bar--and many of the apps give you no warning about the ad
invasion.

Many of these ads come from mobile marketing firms such as AirPush, Appenda,
LeadBolt, Moolah Media, and StartApp. The companies work with app developers
hungry for some way to make money from their smartphone software. By
bundling their adware into popular Android programs, these marketing
companies say they are now pushing ads to millions of new smartphones each
week.

Smartphone users generally hate the swarm of marketing on their
touchscreens, but the approach is growing fast. One of the companies,
AirPush, says 800,000 people a day download an Android app with its adware
inside--up from 250,000 just three months ago.

It may be next to impossible to completely avoid this kind of advertising on
your phone. I looked at dozens of apps that contain ad software and found
that few of them disclose that they contain adware. But there are ways to
get the ads off your phone, as we'll see below. ...

http://www.pcworld.com/article/245305/sneaky_mobile_ads_invade_android_phones.html

------------------------------

Date: Wed, 30 Nov 2011 13:42:01 -0800
From: Gene Wirchenko <genew () ocis net>
Subject: "Carrier IQ: The Sony rootkit all over again"

Robert X. Cringely, *InfoWorld*, 30 Nov 2011
Can someone legally record almost everything you do on your phone
without telling you? Yes. Meet Carrier IQ, whose software is
installed on nearly 142 million handsets
http://www.infoworld.com/t/cringely/carrier-iq-spying-your-cellphone-180425

------------------------------

Date: Thu, 17 Nov 2011 12:45:04 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: "CarrierIQ" on various mobile handsets

  "Carrier IQ (CIQ) sells rootkit software included on many US handsets sold
  on Sprint, Verizon and more.  Devices supported include android phones,
  Blackberries, Nokias, Tablet devices and more ...  Carrier IQ is able to
  query any metric from a device.  A metric can be a dropped call because of
  lack of service.  The scope of the word metric is very broad though,
  including device type, such as manufacturer and model, available memory
  and battery life, the type of applications resident on the device, the
  geographical location of the device, the end user's pressing of keys on
  the device, usage history of the device, including those that characterize
  a user's interaction with a device."  http://j.mp/vCyUA1 (Android Security
  Test) [NNSquad]

------------------------------

Date: Thu, 01 Dec 2011 5:45 PM
From: Declan McCullagh <declan () well com>
Subject: Re: Carrier IQ May Have Violated Wiretap Law In Millions Of Cases

  [From Dave Farber's IP]

On the other hand, Carrier IQ may *not* have violated wiretap law in
millions of cases.

Dan Rosenberg said that he has reverse-engineered Carrier IQ and found "no
evidence that they are collecting anything more than what they've publicly
claimed: anonymized metrics data." He found "no code in CarrierIQ that
actually records keystrokes for data collection purposes." See:
  http://pastebin.com/aiYNmYVz

John Graham-Cumming also is unconvinced:
"If you watch the 'security researcher's' video you'll find that nowhere
does he make the claim that content that the application sees is leaving
the device... At no point does he enter a debugger and look inside the
CarrierIQ application, and at no point does he run a network sniffer and
look at what data is being transmitted to CarrierIQ."
  http://blog.jgc.org/2011/11/getting-little-tired-of-security.html

Sprint said today that "we do not and cannot look at the contents of
messages, photos, videos, etc., using this tool," which is a pretty broad
denial:
  http://news.cnet.com/8301-31921_3-57335110-281

I hope that IPers remember the panic earlier this year when Samsung was
falsely accused of installing key loggers on laptops. Network World, which
ran the article, ended up deleting it and saying, in a lovely passive voice,
that "an apology has been issued":
  http://news.cnet.com/8301-31921_3-20049259-281.html

If Carrier IQ is transmitting keystrokes or the contents of communications,
I'll be the first to call them on it. But, as far as I know after watching
the video, nobody has demonstrated that's what the software actually does.

------------------------------

Date: Fri, 02 Dec 2011 11:15:23 -0800
From: Gene Wirchenko <genew () ocis net>
Subject: "Carrier IQ and Facebook pose the least of your privacy threats"

Galen Gruman, *InfoWorld*, 2 Dec 2011
Users are regularly signing up for Big Brother-like tech that could
result in the loss of insurance coverage or worse
http://www.infoworld.com/t/internet-privacy/carrier-iq-and-facebook-pose-the-least-your-privacy-threats-180619

selected text:

But the worst risk is what people aren't talking about: Big Brother-type
technology used to monitor specific individuals and shape their behavior
through penalties and rewards. If the government were doing this, we'd have
people in the streets, but in the hands of private companies, these
seductive methods convince people to naively agree to being controlled.

Take, for example, Progressive Insurance's program of offering tracking
devices to monitor how you drive. If you drive safely, as determined by
Progressive, you get an discount. If you're determined to be unsafe, you pay
the "normal" rate.

Given insurance companies' business model -- pay out as little as possible,
take in as much as possible -- the long-term result is obvious: "Unsafe"
drivers will pay more, or they won't be eligible for insurance.

It's not just Progressive. There's been a lot of excitement in the health
care industry over monitoring devices that can make sure people are taking
their medication, eating right, and even exercising. If you do what you're
supposed to, you may get a discount, such as on medical insurance, a measure
now being considered for employer-sponsored plans. If you don't, you may get
nagged, pay more, or be denied coverage. The Orwellian name for such control
approaches is "wellness incentives."

Here is what one poster had to say about the medical monitoring.  That last
paragraph is particularly nasty:

unbound55:
A very good article pointing out activities that are already occurring that
will impact people's lives far more than they think.

My company has been on the leading edge of the health care tracking that is
mentioned in this article.  Already offering incentives for providing
additional health information, they are now offering incentives for
providing detailed health information such as height, weight, cholesterol,
etc.  The plan has already been announced that in another year that
information will be provided to some kind of CSR that will make sure that
your numbers either improve, or that you are actively working on improving
your numbers...or you lose access to the premium insurance.  It is only a
half-step further to lose access to all insurance altogether by
participating in the program.

Unfortunately, most people do not understand the very real problem being
started here.  They likely will not understand it until they get bit by it.
All they see is the discounts being offered.  As someone who spent 9 years
trying to get doctors to understand that I actually was exercising very well
and ate correctly culminating in the discovery of Conn's Syndrome (the
actual root cause of my very high hypertension), I shudder to think how I
would have to deal with that with some under-educated CSR who would simply
report that I clearly was lying about something.

------------------------------

Date: Fri, 2 Dec 2011 10:16:02 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: AT&T, Sprint, T-Mobile admit to using Carrier IQ; Apple says it
  doesn't anymore (NNSquad)

AT&T, Sprint, T-Mobile admit to using Carrier IQ; Apple says it
doesn't anymore + my comments

http://j.mp/rPycF6  (This message on Google+)

 - - -

http://j.mp/vVRV3J  (Fierce Mobile)

"The controversy over Carrier IQ illegally tracking cell phone users'
activities continues. AT&T Mobility (NYSE:T), Sprint Nextel (NYSE:S) and
T-Mobile USA have come forward, admitting to using Carrier IQ software,
albeit allegedly only to improve their network performance.  On the other
end of the spectrum, Apple said it stopped using Carrier IQ's platform in
the latest version of its operating system, iOS 5."

As I noted originally, it seems unwise to "pile on" in this situation, given
that the facts are not entirely clear.  In particular, it apparently has not
yet been demonstrated that CIQ is actually *transmitting* specific user data
that would be trigger wiretap laws, irrespective of ephemeral data
collection on the device to gather service and use statistics that are being
sent.

My gut feeling is that in this case there may be parties opportunistically
attacking ahead of the facts, and that it is quite possible that the
failures in this situation are mainly ones of transparency, disclosure, and
user control, rather than the much more serious issues of "wiretapping" per
se.

We shall see.

------------------------------

Date: Thu, 01 Dec 2011 21:24:38 +0000
From: Martyn Thomas <martyn () thomas-associates co uk>
Subject: Re: Cybersecurity Requires Patches, Not a Vast Bill (RISKS-26.65)

What other industry would get away with selling a product that isn't fit for
purpose, and then blaming the customers for failing to be quick enough to
carry out repairs?

The vendors should be liable for the consequences of their incompetence and
lack of professionalism. Let's stop blaming the customers.

------------------------------

Date: Wed, 30 Nov 2011 16:44:35 -0500
From: "Bob Frankston" <bob2-39 () bobf frankston com>
Subject: Re: Complexity (RISKS-26.64)

I'll admit that I took the comment on complexity out of context but the
larger context actually reinforces my point. The more constraints you put on
a system the less likely you'll satisfy them so there is inherent complexity
in the sense that the odds of finding an effective solution are
significantly reduced.

This is why we need to understand a fundamentally different dynamic based on
discovery or opportunity. You have a solution and then find out what
problems it solves. Once you look around you'll find that is the norm not
the exception. We use USB for power because creating a standard with new
requirements would've been too difficult. We may lament Facebook's security
model but use it because we find value and deal with the trust problems,
even if we don't do it very well. We can't really articulate what we mean by
"trust" anyway and certainly not as a spec.

Perhaps the most Internet-relevant example is defining "quality" outside the
network rather than in the network. Thus instead of having to have a perfect
network we get the kind of quality we want by choosing our own polices such
as better never than late or vice versa. This is why the Internet is so many
orders of magnitude less expensive than the traditional phone networks.

In fact I argue that tolerance is the key to Moore's law as I wrote in
http://rmf.vc/BeyondLimits.

------------------------------

Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.66
************************


  By Date           By Thread  

Current thread:
  • Risks Digest 26.66 RISKS List Owner (Dec 06)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault