Home page logo

risks logo RISKS Forum mailing list archives

Risks Digest 26.98
From: RISKS List Owner <risko () csl sri com>
Date: Mon, 20 Aug 2012 16:06:54 PDT

RISKS-LIST: Risks-Forum Digest  Monday 20 August 2012  Volume 26 : Issue 98

Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can be found at

Epic EMR Device Endangering Lives Nurses Say They Are Guinea Pigs
  for the Vendor Innumerable Complaints (PGN)
Southwest glitch causes multiple billings (Monty Solomon)
NYPD unveils new $40 million super computer system ,,,
 (Rocco Parascandola and Tina Moore via Monty Solomon)
Gene Wirchenko <genew () ocis net>
"Citadel exploit goes after weakest link at airport: employees"
  (Taylor Armerding via Gene Wirchenko)
Hackers Identify Threat to NextGen: Ghost planes (PGN)
Live Security Platinum (David Einstein)
NYC "Metrocard Vending Machine" failure on DNS-changer day (Danny Burstein)
How do you reach your repair techs when the network is dead?
  (Danny Burstein)
"Cloud security dos and don'ts after the latest Dropbox breach"
  (Christine Wong via Gene Wirchenko)
"Security vendor exposes vulnerabilities in DDoS rootkit" (Jaikumar Vijayan
  via Gene Wirchenko)
How we screwed [almost] the whole Apple community (Lukasz Lindell via
  Monty Solomon)
"Elections Ontario data loss victims could top four million" (Howard Solomon
  via Gene Wirchenko)
Rakshasa proof-of-concept malware infects BIOS, network cards
  (Lucian Constantin via Gene Wirchenko)
"Nvidia releases Unix driver to fix high-risk vulnerability"
  (Lucian Constantin via Gene Wirchenko)
iPhone SMS (PGN?)
"Today's Internet: All the fake news that's fit to publish"
  (Robert X. Cringely via Gene Wirchenko)
Trust: Ill-Advised in a Digital Age (Somini Sengupta via Monty Solomon)
Wikileaks reveals TrapWire ... (Paul Steier)
Re: Lawyers who hate maths and computers (Wols)
Re: Oakland police radios fail during Obama visit (Bob Frankston)
Re: Hand wringing over Knight Capital software bugs (Bob Frankston)
Re: Announcement of civil timekeeping meeting (Jan Hoogenraad)
Abridged info on RISKS (comp.risks)


Date: Thu, 16 Aug 2012 16:02:04 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Epic EMR Device Endangering Lives Nurses Say They Are Guinea Pigs
  for the Vendor Innumerable Complaints

  [Thanks to D Kross]

California nurses report that Epic's EMR devices are endangering lives as
reported in the linked report:



Date: Sun, 5 Aug 2012 09:57:19 -0400
From: Monty Solomon <monty () roscom com>
Subject: Southwest glitch causes multiple billings

Arriving at 4 million Facebook friends, Southwest Airlines offered them
half-price tickets.  Unfortunately, hundreds of customers were billed
multiple times for each flight booked -- in at least one case, 20 times for
a $69 ticket.  The problem was discovered around 5pm on 3 Aug 2012.
Complaints apparently mushroomed because of the backlog of callers, and
resulted in a flurry of Facebook postings!!!  [AP item PGN-ed]



Date: Sat, 11 Aug 2012 20:42:36 -0400
From: Monty Solomon <monty () roscom com>
Subject: NYPD unveils new $40 million super computer system ,,,

Rocco Parascandola and Tina Moore, *New York Daily News*, 8 Aug 2012 [PGN-ed]

The NYPD is starting to look like a flashy, forensic crime TV show thanks to
a new super computer system unveiled Wednesday near Wall St.  The Domain
Awareness System designed by the NYPD and Microsoft Corp.  uses data from a
network of cameras, radiation detectors, license plate readers and crime
reports, officials said.  Commissioner Ray Kelly says system is able to
access information through live video feeds and allow cops to get reading on
radioactive substances.  Cops were involved with the programmers throughout
the process, earning the city its cut of the proceeds.

Mayor Bloomberg: "We're not your mom and pop police department anymore, We
are in the next century. We are leading the pack."  The system, which cost
somewhere between $30 and $40 million to develop, could also help pay for
itself with the city expecting to earn 30% of the profits on Microsoft sales
to other city's and countries.



Date: Thu, 16 Aug 2012 13:16:19 -0700
From: Gene Wirchenko <genew () ocis net>
Subject: "Citadel exploit goes after weakest link at airport: employees"
  (Taylor Armerding)

By Taylor Armerding, *InfoWorld*, 15 Aug 2012
The man-in-the-browser attack using a Trojan has compromised the VPN
at a major hub


Date: Sat, 18 Aug 2012 15:48:01 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Hackers Identify Threat to NextGen: Ghost planes

  [Thanks to Ira Rimson for spotting this one.  PGN]

Is the FAA *really* capable of dealing with tech progress?
"Multilateration"? (From aero-news.net, 18 Aug 2012):
*Hacker Says NextGen Is Vulnerable To Attack*

'Ghost Planes' Could Appear On Your ADS-B-Equipped EFIS

Every time new technology comes along, someone somewhere begins an effort
to see how it can be compromised, manipulated, and sometimes even
destroyed. And apparently NextGen is no exception. In a story appearing on
NPR, a Canadian computer hacker named Brad Haines said that the data
transmitted by ADS-B is unencrypted and unauthenticated. Those are bad
words in the computer security world. Haines, who is known in the online
community as RenderMan, found he could "spoof" the signals and make your
TIS see airplanes where there are none.

Haines imagined a scenario where a hacker suddenly added 50 "ghost
airplanes" to an ATC screen. He said that such an attack could make a pilot
swerve to miss airplanes that aren't there, or potentially shut down an
airport. An hours worth of disruption at a major airport could have ripple
effects that could spread worldwide, he said.

Haines and another hacker named Nick Foster created an ADS-B spoof using
the FlightGear flightsim game. They say if they had hooked the game up to a
low-power transmitter, they could have convinced controllers that they were
an actual airplane. The experiment has reportedly been duplicated in
France. Both Haines and the French hacker ... Romanian grad student Andrei
Costin ... have published papers and made presentations about their work.

The U.S. Air Force has expressed concerns about the potential for
"spoofing" NextGen. One cyberwarfare student ... Maj. Donald McCallie ...
wrote in a paper last year that NextGen is "on a collision course with
history." The FAA has reportedly not yet released the results, or even
initial data, from its own security tests. It has been mostly quiet on the
reports coming from the Air Force and the hackers. In a one-paragraph
statement, the FAA said that an "ADS-B security action plan identified and
mitigated risks and monitors the progress of corrective action. These risks
are security sensitive and are not publicly available."

The FAA told NPR that it will use a system called "multilateration" to
discriminate between real and fake airplanes on ADS-B receivers. But the
system requires multiple receivers analyzing every ADS-B signal.


Date: Mon, 20 Aug 2012 10:33:58 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Live Security Platinum (David Einstein)

A questioner in David Einstein's column in the *San Francisco Chronicle*
today (20 Aug 2012) was a victim of Live Security Platinum.  He/she wondered
(rather naively?) why LSP was able to get by the questioner's collection of
Norton Security Suite and Constant Guard (provided free by Comcast) plus the
free version of Malwarebytes Anti-Malware and Microsoft Security Essentials,
adding that the damage was so bad that the repair center techie suggested
the only solution was to wipe the hard drive and start over (with which
David Einstein disagrees).

Does it surprise any RISKS readers that the anti-malware folks cannot keep
up with new malware?  Or that their free tools actually might detect novel
malware?  Furthermore, this is not just a case that suggests that we should
always look a gift horse in the mouth.  The same questions seem to apply to
non-free tools.  By the way, the horse is out of the barn, irrespective of
how much it costs.


Date: Sun, 19 Aug 2012 15:35:19 -0400 (EDT)
From: Danny Burstein <dannyb () panix com>
Subject: NYC "Metrocard Vending Machine" failure on DNS-changer day

You may recall that the morning the Feds shut down their sanitized /
redirected DNS servers that were helping to minimize the effects of the
"dns-changer" virus, the NYC transit authority Metrocard Vending Machines
were offline during the morning rush hour.

A lot of us wondered whether this was related.

I FOIAled the Transit Authority for their story.

The reply is scanned in at:


They claim "a shortage of cpu processing cycles", without explaining why
that happened. So it just might, or might not be, related to DNS changer...

Further insights appreciated...

  [Cursors, FOIAled again!  PGN]


Date: Wed, 18 Jul 2012 15:40:41 -0400 (EDT)
From: Danny Burstein <dannyb () panix com>
Subject: How do you reach your repair techs when the network is dead?

answer: you send a trooper...

"Collom, who also did not have land or cell service, was notified of the
situation when an Isabella County Sheriff's Deputy went to her home to alert
her of the problem" [a]

- the ILEC (incumbent telco) phone switch hiccuped last night.  This knocked
out very roughly half the landline service in the area, PLUS some of the
cell-cos (conflicting reports as to exactly what was out, since if you hit a
tower ten miles away you were ok. Looks like two of the three were clobbered
in town. Don't know about their data services).

Oh, and killed off the ILEC's DSL internet.

The CLEC (independent telco) facility was still ok - yes, we're one of the
few areas with a true "overbuild" of telco lines. And the "cable" tv and
internet lines did ok.

- oh, and this also shut down the main lines to the "911 dispatch
center". Sigh.

- isn't this where they're supposed to round up all the deputies and buffs,
and station their pickup trucks every half mile?

But wait, there's MORE. The town here has a local, municipal, radio
transmitter which kicks out traffic and related info, and
also.. rebroadcasts the National Weather Service station.

The NWS "All Hazards Radio" is a *key* portion of the national emergency
backbone. It's used for both local issues such as tornadoes, and would be
called into action for some super serious and critical disaster scenarios
(as in nuclear missile detection).

The city's transmitter was just a mess of static. I figured this was simply
that it had hiccuped on its own or that it had lost its own feed.

I then tried tuning in the NWS station directly. Nothing.  their transmitter
is only a couple of miles from me.

- I was able to pick one up from about 40 miles away, but there's nothing

- As I've mentioned before, the NWS/NOAA/All Hazards Radio is a *key*
emergency communications channel, both for local issues (such as tornadoes)
and for those really ugly cold war scenarios.

They're supposed to withstand *anything* short of a direct nuclear ground
strike. Ok, I'm exaggerating. But still, they are very much counted on. To
lose one of them for something this mundane is quite disturbing.

- NOAA's web page does, kindly enough [b], advise that the transmitter is
"out of service"

[a] http://www.themorningsun.com/article/20120718/NEWS01/120719712
[b] http://www.nws.noaa.gov/nwr/stations.php?State=MI


Date: Thu, 02 Aug 2012 09:54:15 -0700
From: Gene Wirchenko <genew () ocis net>
Subject: "Cloud security dos and don'ts after the latest Dropbox breach"
  (Christine Wong)

Christine Wong, *IT Business*, 1 Aug 2012
Cloud security dos and don'ts after the latest Dropbox breach;
Here's what businesses and consumers can do to protect themselves
from a security breach like the latest one at Dropbox.

Dropbox acknowledged this week that thousands of its users had spam sent to
other accounts that were linked to their Dropbox accounts.  An investigation
found that a Dropbox employee had his password stolen for a non-Dropbox
account. The thieves then used that password to hack into his Dropbox
account, which contained a document with Dropbox user email addresses in
it. Those email addresses were used to send massive spam messages to
accounts owned by Dropbox users.

It was the second serious security breach reported at Dropbox. Just over a
year ago, the company accidentally turned off its password authentication
system, allowing anyone to access Dropbox user files without a password.


Date: Thu, 16 Aug 2012 13:13:07 -0700
From: Gene Wirchenko <genew () ocis net>
Subject: "Security vendor exposes vulnerabilities in DDoS rootkit"
  (Jaikumar Vijayan)

  Turnabout is fair play?

Jaikumar Vijayan, ComputerWorld, InfoWorld, 15 Aug 2012
Security vendor exposes vulnerabilities in DDoS rootkit
Prolexic says the information is designed to help enterprises mitigate attacks


Date: Mon, 13 Aug 2012 19:18:03 -0400
From: Monty Solomon <monty () roscom com>
Subject: How we screwed [almost] the whole Apple community (Lukasz Lindell)

Lukasz Lindell, 13 Aug 2012

Have you heard the phrase "That's true because I saw it on TV" at some
point? It was often the truth in the old days when people only had the TV or
newspaper to relate to. What you saw or read was the truth, although it
obviously wasn't always so.

Today, thanks to the Internet, we consider ourselves much more
enlightened. We can discuss and examine the source in a way that was not
possible in the past. But are we really aware of all information flowing up
over the net? What is really true and what's not? When someone presents a
bit of loose facts on Twitter, I usually respond with something like "64% of
the facts on the Internet is 48% incorrect according to 52% of respondents",
completely made up numbers out of my head, but it makes people think a
little extra.

It is somewhat disturbing at times when the bandwagon takes of and speeds
up, without people being critical. People stand up for situations that may
never have happened, and spin on it that ultimately results in what will
be treated as facts, or faktoids.

We wanted to test this, how easy is it to spread disinformation? ...



Date: Thu, 02 Aug 2012 09:32:28 -0700
From: Gene Wirchenko <genew () ocis net>
Subject: "Elections Ontario data loss victims could top four million"
  (Howard Solomon)

Howard Solomon), *IT Business*, 1 Aug 2012

The number of Canadians who could be victims of one of the country's biggest
losses of personal data could hit four million, according to a privacy
official.  (The initial number of data loss was thought to be 2.6 million )
Policy called for data put on portable devices to be encrypted. Not only
wasn't that done, after the loss was reported the agency gave staff two more
data sticks to use with orders to encrypt data -- and again that wasn't

"On what planet do you do the same thing again?" a frustrated Cavoukian
asked reporters.  In fact, she added, the staff thought encrypting data
meant it was to be zipped, or compressed.


Date: Tue, 07 Aug 2012 09:55:01 -0700
From: Gene Wirchenko <genew () ocis net>
Subject: Rakshasa proof-of-concept malware infects BIOS, network cards
  (Lucian Constantin)

Lucian Constantin, *ComputerWorld*, 29 Jul 2012
Researcher creates proof-of-concept malware that infects BIOS, network cards;
New Rakshasa hardware backdoor is persistent and hard to detect

IDG News Service - Security researcher Jonathan Brossard created a
proof-of-concept hardware backdoor called Rakshasa that replaces a
computer's BIOS (Basic Input Output System) and can compromise the operating
system at boot time without leaving traces on the hard drive.


Date: Wed, 08 Aug 2012 13:03:40 -0700
From: Gene Wirchenko <genew () ocis net>
Subject: "Nvidia releases Unix driver to fix high-risk vulnerability"
  (Lucian Constantin)

Lucian Constantin, IDG News Service, *InfoWorld*, 6 Aug 2012
Nvidia Unix driver 304.32 addresses a privilege escalation
vulnerability that can grant local users root access

Nvidia releases Unix driver to fix high-risk vulnerability.  Nvidia
confirmed the existence of the vulnerability and released version 304.32 of
the Nvidia Unix driver for Linux, FreeBSD and Solaris operating systems in
order to address it. The new version also includes other changes that the
company believes will prevent similar exploits in the future.  However,
despite the new release, the company still offers version 295.59 [the
vulnerable version] as primary download on its Unix drivers page.


Date: Mon, 20 Aug 2012 10:18:54 PDT
From: "Who's This?" <anything.you.like () anywhere com>
Reply-to: <anything.else.you.like () anywhere com>
Subject: iPhone SMS

A short item in today's free *Daily Post* (self-declared `No. 1 in Palo Alto
and the mid-Peninsula') reports that a flaw in Apple's iPhone OS for SMS
messages permits senders to enter a reply-to other than the From: line.  Is
that new news to any of you?  (Apple's response is to use its iMessage
service rather than SMS.)

By the way, you may realize that it was utterly trivial for me to edit the
address fields in this message *before* sending it to RISKS.  Nobigdeal.
But is it from me?  Who knows?  You want integrity in received e-mail?  As
Scott McNealy once said about privacy, fuggetaboutit.  The spammers and
scammers of the world seem to be winning.  PGN


Date: Wed, 15 Aug 2012 13:45:43 -0700
From: Gene Wirchenko <genew () ocis net>
Subject: "Today's Internet: All the fake news that's fit to publish"

Robert X. Cringely, *InfoWorld*, 15 Aug 2012
  Fictional Apple screws, phony *New York Times* editorials,
  bogus sources -- is anything on the Net not a fake?


My favourite sentence: "Gaming the media seems to have become the
second-most popular attraction on the Internet besides porn."

The conclusion: "We are rapidly approaching a point where no one is credible
and nothing can be believed.  When you can no longer separate fact from
fiction or reality from propaganda, the media simply becomes a megaphone for
whoever can shout the loudest.  That's a dangerous place to be."

  [And for those of you who think Robert X. Cringely is a real person
  responsible for lo these many items noted in RISKS, a little browse'll
  do ya.  PGN]


Date: Sun, 19 Aug 2012 00:02:48 -0400
From: Monty Solomon <monty () roscom com>
Subject: Trust: Ill-Advised in a Digital Age (Somini Sengupta)

Somini Sengupta, *The New York Times*, 11 Aug 2012

Las Vegas.  Bruce Schneier ordered a Coke, no ice, at the Rio casino on a
Saturday afternoon. I ordered Diet Coke, also no ice, and handed the
bartender an American Express card. He said he needed to see proof of
identity.  Credit cards are often stolen around here, and eight casino
workers had recently been fired for not demanding ID, he quietly explained.
The bartender wanted to keep his job.

Mr. Schneier, 49, is a student of interactions like this, offline and on. He
is a cryptographer, blogger and iconoclast in the world of computer
security, and his latest subject of inquiry is trust: how it is cultivated,
destroyed and tweaked in the digital age.

Offline, he likes to point out, we have ways to establish trust, as in this
casino, where we expect the bartender to serve us a soda, not a poisoned
chalice. We establish trust based on how we speak, whether we appear drunk
or deranged, whether we meet at a casino or a toy store - and also,
irrationally, on attributes like race and age.

Online, this becomes even more complicated, Mr. Schneier argues. We no
longer think twice about letting our friends see our vacation pictures on
Flickr, now owned by Yahoo. So habituated have we become to revealing
intimate details, Mr. Schneier writes, that we forget that Facebook, the
company, can read our missives at any time, potentially forever.

Mr. Schneier is in charge of technology security at BT, the British
telecommunications company. His latest book, "Liars and Outliers: Enabling
the Trust That Society Needs to Thrive," published earlier this year by
Wiley, is filled with foreboding: less about technology than about the
vulnerability of the heart and mind. ...



Date: 18 August 2012 17:04
From: Paul Steier <psteier () prolifics com>
Subject: Wikileaks reveals TrapWire ... (RISKS-26.97)

... how convenient is that, conspiracy theorists? But you can still see a
description of Abraxas' Tr[a]pWire technology here, at the USPTO.

  [missing link added]



Date: Thu, 16 Aug 2012 13:27:51 +0100
From: Wols Lists <antlists () youngman org uk>
Subject: Re: Lawyers who hate maths and computers (RISKS-26.97)

Lawyers, on the other hand, who probably got into law because they hated
math and computers, have not had the computer as strict task-master to
teach them the humility of following errant logic to its mostly bitter

You mean like Judge Alsup, overseeing the Oracle v Google lawsuit?

Who is, I believe, a PhD Maths graduate.

And when Oracle argued that RangeCheck was "oh so valuable" said that he had
spent a morning writing it ten different ways, including learning Java so he
could write a version in that language.

If you follow cases on Groklaw, you rapidly learn that, unlike in other
countries, it is very difficult in the US to sanction lawyers for being an
idiot. As a result, they tend to make idiotic arguments without any fear of
the consequences. In the UK, with its habit of awarding "attorney fees" as a
matter of course, silly arguments tend to get knocked on the head by the
client as a matter of course. They don't want to have to pay the bill for
the other side to refute it!


Date: Wed, 1 Aug 2012 17:22:55 -0400
From: "Bob Frankston" <bob2-39 () bobf frankston com>
Subject: Re: Oakland police radios fail during Obama visit (Van Derbeken,

Building a radio system is so 1920's. Why have a separate single-hop radio
system each purpose when we could provide resilient IP coverage that makes
it easy to take advantage of any available path? That seems so obvious but
... and as a bonus we wouldn't be limited to predefined interconnections.

As long as we continue to make telecommunications a profit center we require
assuring that no bits are exchanged unless they are billed for. This funding
model must, by necessity be brittle otherwise people would just shun the
expensive paths. The term "shun" comes from "shunpike" for people who
bypassed toll roads in the heyday of (not for profit) private pikes.

More on the policy stuff in http://rmf.vc/PACTLess for those interested.


Date: Wed, 15 Aug 2012 21:07:18 -0400
From: "Bob Frankston" <bob2-39 () bobf frankston com>
Subject: Re: Hand wringing over Knight Capital software bugs (RISKS-26.97)

I want to emphasize Henry's point that this is not necessarily a software
problem as such. It seems more a matter of hubris -- the same hubris that
lets traders bet trillions of dollars on complex derivatives that few, if
any, understand. And history has shown those that do think they understand
will wind up being wrong at some point.

Perhaps programmers have some responsibility for telling their managers that
they are naïve in their faith in algorithms -- whether embodied in software
or policies. Understanding the risks should be part of basic literacy but,
perhaps, programmers are more aware (or at least, as Henry noted, they
should've learned humility) because they fail often and should expect
failures. But trying to educate those who see programmers as hired hands
might not be a good career move.

Saying that we need AI or "hundreds of eyes" to recognize unusual patterns
misses the point -- you can't anticipate all possibilities especially
algorithms and procedures that interact with other systems that one does not
control nor may even be aware of. Instead one has to expect failures and
deal with them in stride.

Sure big trades bring big returns and an adrenalin rush. And, after, all, to
many traders it's only a game.

It could be worse -- we could privatize all public insurance programs such
as healthcare and social security on the assumption that each individual
could make the right choice about the unknowable future.


Date: Fri, 17 Aug 2012 21:29:52 +0200
From: Jan Hoogenraad <jan-risks () hoogenraad net>
Subject: Re: Announcement of civil timekeeping meeting (Stockton, RISKS-26.93)

I think your proposal is great, and easily implementable. I'd like to
support this.  Is there a forum to do so?

If GMT is defined as currently (Solar), ST (Science Time) is just a
timezone.  Leap seconds (NOT nanosecond steps !) can be distributed by the
normal timekeeping mechanisms ( I regularly get timezone file updates on my
Ubuntu en windows systems as well, and leap seconds can be known a year in
advance).  All timeservers in the world could keep dispersing GMT, no
change.  Local machines can (in batch mode, converting time in past and
future) use the normal timezone converters, with timezone ST.

Local machines can (in background mode) use the normal locking of clocks, internally using zone ST.

Actually, including the additional time zone ST in linux and windows would be relatively easy to do.
This would mark a first simple step.

I would not use NGMT, as update tables are hard, but rather GMT


Date: Thu, 2 Aug 2012 17:50:15 +0300
From: Amos Shapir <amos083 () hotmail com>
Subject: Re: Olympics security poster 'gibberish' (RISKS-26.95,96)

At least it did not happen on a real tombstone...

When my mother had passed away last year, the tombstone maker had trouble
generating an inscription which matched the one on my father's stone, who
had died 12 years earlier.  The reason was that the computerized drawing
program he was using could not control precisely the size of blanks!
Luckily he was aware of the pitfalls and worked hard to overcome the
problems; I can imagine someone else could just as well hit the "print"
button to cast their errors in stone.

PGN asked:
Did the inaccurate spacing result in changing the meaning?
You kind of left me wondering what the literal content was...

No, it was just a matter of formatting, to make the new stone look the same
as the old one (which was set by hand).  In this case, just hitting the
"print" button would only have created bad typesetting, but the encounter
with this system made me realize that what had happened in the TV episode
could have actually happen on a real tombstone.


Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:


End of RISKS-FORUM Digest 26.98

  By Date           By Thread  

Current thread:
  • Risks Digest 26.98 RISKS List Owner (Aug 20)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]