RISKS Forum mailing list archives
Risks Digest 28.09
From: RISKS List Owner <risko () csl sri com>
Date: Tue, 22 Jul 2014 15:30:31 PDT
RISKS-LIST: Risks-Forum Digest  Tuesday 22 July 2014  Volume 28 : Issue 09

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/28.09.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
New online tracking method difficult to block (ProPublica via Suzanne Johnson)
Travis County Developing Electronic Voting System With a Paper Trail (Andra Lim)
Racy Photos Were Often Shared at NSA (Michael S. Schmidt)
NASDAQ Network Intrusion Installed Attack Malware (Bob Gezelter)
How to Flawlessly Predict Anything on the Internet (Lauren Weinstein)
Exec. Order 12333: Yet another rule that lets NSA spy on Americans (John Napier Tye via Henry Baker)
All your Apple iOS data is still available unencrypted (Dennis Fisher via Henry Baker)
Domain Registry Of America Suspended By ICANN (Lauren Weinstein)
Routing around insanity & mendacity (Henry Baker)
Re: Unix "*" wildcards considered harmful (Lindsay Harris)
Re: Disk-sniffing dogs find thumb drives, DVD's? (Barry Gold)
Re: Lethal Weapon: The Self Driving Car (John Mainwaring)
Risks of apps versus web browsers, deja vu (Rex Sanders)
"New variant of malware, Gyges, can quietly exfiltrate government data" (Candice So via Gene Wirchenko)
Calling All Hackers: Help Us Build an Open Wireless Router (David Farber)
Stop Sneaky Online Tracking with EFF's Privacy Badger (EFF)
Silver Bullet 100 launches 23 Jul 2014 (Gary McGraw)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Jul 21, 2014 9:59 AM
From: "Suzanne Johnson" <fuhn () pobox com>
Subject: New online tracking method difficult to block (ProPublica)

[Via Dave Farber]

A new, extremely persistent type of online tracking is shadowing visitors to thousands of top websites, from WhiteHouse.gov to YouPorn.com.

http://www.propublica.org/article/meet-the-online-tracking-device-that-is-virtually-impossible-to-block

First documented in a forthcoming paper <https://securehomes.esat.kuleuven.be/%7Egacar/persistent/index.html> by researchers at Princeton <https://www.princeton.edu/main/> University and KU Leuven <http://www.kuleuven.be/english> University in Belgium, this type of tracking, called canvas fingerprinting, works by instructing the visitor's Web browser to draw a hidden image. Because each computer draws the image slightly differently, the images can be used to assign each user's device a number that uniquely identifies it. [...]

------------------------------

Date: Mon, 21 Jul 2014 11:47:12 -0400 (EDT)
From: "ACM TechNews" <technews () hq acm org>
Subject: Travis County Developing Electronic Voting System With a Paper Trail (Andra Lim)

Andra Lim, Austin American-Statesman (TX), 15 Jul 2014 [via ACM TechNews, 21 Jul 2014]

An electronic-voting system that prints out a paper copy of the ballot and a take-home receipt to confirm the vote was tallied is under development in Travis County, Texas, and could be in operation within three years.
The system would likely have voters use a tablet computer to fill out an electronic ballot and then produce a print version, and the e-ballot would not be counted until voters deposited the print copy into a ballot box that scans a serial number. The take-home receipt would have a code that voters can enter online to verify the vote was counted. The county's initiative in creating its own voting system rather than handing the job over to one of a small cluster of voting machine vendors has never been attempted before, notes Travis County clerk Dana DeBeauvoir. The system came about from a 2009 study of election issues organized by DeBeauvoir, which concluded a paper trail was highly desirable. Adding urgency to the effort is the fact that some county voting machines are reaching the end of their life spans, and there is no longer any federal funding to pay for new systems.

http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_5-c334x2b734x060830&

------------------------------

Date: Tue, 22 Jul 2014 07:12:13 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Racy Photos Were Often Shared at NSA (Michael S. Schmidt)

Michael S. Schmidt, *The New York Times*, 21 Jul 2014

"The former National Security Agency contractor Edward J. Snowden said in a wide-ranging interview published on Sunday that the oversight of surveillance programs was so weak that members of the United States military working at the spy agency sometimes shared sexually explicit photos they intercepted."

http://lists.readersupportednews.org/ss/link.php?M=105726&N=11939&C=f4887640aca6ce245cee9240e8d43f&L=15981

------------------------------

Date: Fri, 18 Jul 2014 08:09:24 -0700
From: "Bob Gezelter" <gezelter () rlgsc com>
Subject: NASDAQ Network Intrusion Installed Attack Malware

Apparently, the reported intrusion at NASDAQ was more dangerous than previously reported, Bloomberg Businessweek reports. Among the new findings:

* Attack malware was installed by the attackers.
* The investigation was hampered by the insufficient logs and overall security state.

A signal warning to all [regarding] the importance of security and maintaining activity logs.

www.businessweek.com/articles/2014-07-17/how-russian-hackers-stole-the-nasdaq

Bob Gezelter, http://www.rlgsc.com

------------------------------

Date: Sun, 20 Jul 2014 07:55:26 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: How to Flawlessly Predict Anything on the Internet

Medium via NNSquad
https://medium.com/message/how-to-always-be-right-on-the-internet-delete-your-mistakes-519a595da2f5

"This is a modern update to a classic confidence game -- find a risky scenario with limited possibilities, bet on every single combination, and then hide your failures. The result is that you look like you're either psychic or a goddamned genius. Variations of this scam have been used for centuries in finance, magic, and gambling. Mutual fund companies bring new funds to market by incubating new funds outside of the public eye for years, then actively market the strongest performers with the highest returns. Poof! You're an overnight Warren Buffett!"

- - -

"Columbo" demonstrated this con in the 1976 episode "Now You See Him" (available on Netflix).

------------------------------

Date: Mon, 21 Jul 2014 11:40:07 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Exec. Order 12333: Yet another rule that lets NSA spy on Americans (John Napier Tye)

[Long item, very well worth reading in its entirety. PGN]

FYI -- In the NSA's version of the "shell game", there's a pea underneath *all* of the shells, so that the NSA can continue spying, no matter which shell the press/Congress/the courts turn over. What if the NSA secretly copies Internet data onto a private fiber to the GCHQ? Since the UK is outside the US, bingo! -- EO#12333 now applies!

Meet Executive Order 12333: The Reagan rule that lets the NSA spy on Americans
John Napier Tye, *The Washington Post*, 18 Jul 2014
http://www.washingtonpost.com/opinions/meet-executive-order-12333-the-reagan-rule-that-lets-the-nsa-spy-on-americans/2014/07/18/93d2ac22-0b93-11e4-b8e5-d0de80767fc2_story.html

John Napier Tye served as section chief for Internet freedom in the State Department's Bureau of Democracy, Human Rights and Labor from January 2011 to April 2014. He is now a legal director of Avaaz, a global advocacy organization.

------------------------------

Date: Mon, 21 Jul 2014 12:01:14 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: All your Apple iOS data is still available unencrypted (Dennis Fisher)

Dennis Fisher, Researcher Identifies Hidden Data-Acquisition Services in iOS, 21 Jul 2014
https://threatpost.com/researcher-identifies-hidden-data-acquisition-services-in-ios/107335

There are a number of undocumented and hidden features and services in Apple iOS that can be used to bypass the backup encryption on iOS devices and remove large amounts of users' personal data. Several of these features began as benign services but have evolved in recent years to become powerful tools for acquiring user data.

Jonathan Zdziarski, a forensic scientist and researcher who has worked extensively with law enforcement and intelligence agencies, has spent quite a bit of time looking at the capabilities and services available in iOS for data acquisition and found that some of the services have no real reason to be on these devices and that several have the ability to bypass the iOS backup encryption. One of the services in iOS, called `mobile file_relay', can be accessed remotely or through a USB connection and can be used to bypass the backup encryption. If the device has not been rebooted since the last time the user entered the PIN, all of the data encrypted via data protection can be accessed, whether by an attacker or law enforcement, Zdziarski said.

http://www.zdziarski.com/blog/wp-content/uploads/2014/07/iOS_Backdoors_Attack_Points_Surveillance_Mechanisms.pdf

Zdziarski: ``Between this tool and other services, you can get almost the same information you could get from a complete backup. What concerns me the most is that this all bypasses the consumer backup encryption. When you click that button to encrypt the backup, Apple has made a promise that the data that comes off the device will be encrypted.''

Using the hidden services that bypass the encrypted backup protection doesn't require the use of developer mode and many of them have been present in iOS for five years. Zdziarski, who designed many of the initial methods for acquiring forensic data from iOS devices, said there also is a *packet capture tool* present on every iOS device that has the ability to dump all of the inbound and outbound HTTP data and runs in the background without any notification to the user.

``It's installed by default and they don't prompt the user. If you're going to start packet sniffing every device that's out there, you really should be prompting the user,'' Zdziarski said.

Zdziarski discussed his findings in a talk at the HOPE X conference recently and published the slides and paper, as well. The file_relay service has been in iOS for some time and originally was benign, but Zdziarski said that in recent versions it has turned into a tool that can dump loads of user data on command. The file_relay tool can dump a list of the email and social media accounts, the address book, the user cache folder, which contains screenshots, offline content, copy/paste data, keyboard typing cache and other personal data. The tool can also provide a log of periodic location snapshots from the device.

There's also a component of the file_relay service called HFSMeta that appeared in iOS 7 and can create a complete metadata image of the device's file system.
The data it provides includes metadata on all files, such as timestamps, sizes and dates of creation, all of the apps installed on the device, filenames of all of the email attachments on the device and all of the email accounts configured on the device. It also can provide a copy of the keyboard's autocorrect cache, all of the photos in the user's album and the user's voicemail database.

Zdziarski: ``Some of this data shouldn't be on the phone. HFSMeta creates a disk image of everything that's on the phone, not the content but the metadata. There's not even an engineering use for that.''

Some of the undocumented services and features in iOS map pretty closely to capabilities attributed to some of the NSA's tools, specifically DROPOUTJEEP, which was revealed by documents leaked by Edward Snowden. Zdziarski said that he is not pointing to these services as intentional backdoors for the intelligence community, but he believes there is evidence that the agency may be using them, nonetheless.

``I'm not saying at all that Apple is working with the NSA. But at the very least, there's a very strong case to say that the NSA knows about and exploits these capabilities.''

About Dennis Fisher
Dennis Fisher is a journalist with more than 13 years of experience covering information security.

------------------------------

Date: Sun, 20 Jul 2014 10:53:05 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Domain Registry Of America Suspended By ICANN

Internet News via NNSQUAD
http://www.internetnews.me/2014/07/19/domain-registry-america-suspended-icann/

"Since at least 2009, ICANN has received numerous complaints from Registered Name Holders, registrars, and various ICANN Supporting Organizations and Advisory Committees regarding the business solicitation practices of Brandon Gray's resellers. Such practices were not specifically prohibited under the 2001 and 2009 RAAs.
Section 3.12 of the 2013 RAA, however, requires registrars to ensure its reseller's actions comply with the RAA, as well as the Registrants' Benefits and Responsibilities Specification, which protects Registered Name Holders from false or deceptive practices. Brandon Gray's reseller Registration Services Inc. ("RSI") conducts business through the brands Domain Registry of America ("DROA"), Domain Registry Services ("DRS"), Domain Registry of Canada ("DROC"), and Domain Renewal Group ("DRG"). As detailed below, the domain renewal notices sent by RSI through its brands deceive Registered Name Holders to transfer domain names to Brandon Gray."

- - -

Only took ICANN five years to act.

------------------------------

Date: Fri, 18 Jul 2014 12:05:09 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: Routing around insanity & mendacity

FYI -- Verizon and other telcos have made most of their money over the past century by manufacturing artificial bandwidth scarcity, and then paying lawyers & lobbyists to get the FCC to enforce this artificial scarcity. However, it is getting harder and harder to hide behind this artificially manufactured scarcity, as this article demonstrates.

http://iamnotaprogrammer.com/Verizon-Fios-Netflix-Vyprvpn.html

Colin Nederkoorn's Blog

Verizon made an enemy tonight

On a flight back to New York I read Level 3's assessment of the latest round of the Netflix vs Internet Provider debacle. The summarized version is that basically Netflix is slow because Verizon refuses to add capacity to peer with Level 3. Fixing the situation would cost Verizon on the order of a few thousand (that's right thousand) dollars. Level 3 is even willing to foot the bill. But Verizon refuses.

Is Netflix actually slow on Verizon Fios?

I wasn't sure how to test my Netflix speed. After a bit of googling I found an article by Wired on how to test your Netflix streaming speed. I followed their steps and I was shocked.
The video on netflix actually shows you how fast it is streaming to you, which is helpful for diagnostics. Here's the test video on Netflix for quick reference. Keep in mind, I pay Verizon for 75 mbps down, 35 mbps up on my Fios connection. This Netflix video streams at 375 kbps (or 0.375 mbps -- 0.5% of the speed I pay for) at the fastest. I was shocked. Then I decided to try connecting to a VPN service to compare.

Can a VPN make streaming Netflix faster?

My hypothesis here was that by connecting to a VPN, my traffic might end up getting routed through uncongested tubes. Basically, if Verizon is not upgrading the tubes that go to Netflix, maybe I can connect to a different location (via VPN) first where Verizon will have good performance and there will be no congestion between location 2 and Netflix.

Was I successful?

Here's a recording of my test: Watch the video to feel the full pain. What you'll see is that on Fios it streams at 375 kbps at the fastest. The experience sucks. It takes an eternity to buffer. Then I connect to a VPN (in this case VyprVPN) and I quickly get up to full speed at 3000 kbps (the max on Netflix), about 10x the speed I was getting connecting directly via Verizon.

The bastards! It seems absurd to me that adding another hop via a VPN actually improves streaming speed. Clearly it's not Netflix that doesn't have the capacity. It seems that Verizon is deliberately dragging their feet and failing to provide service that people have paid for. Verizon, tonight you made an enemy, and doing my own tests have proven (at least to me) that you're in the wrong here. But, luckily I'm resourceful and can usually solve my own problems.

How to keep the VPN connection open

We sometimes watch netflix on the TV, sometimes on the iPad. I didn't want to have to think about how we connected, so I wanted to find a way to connect the router to the VPN so it would be always on. I bought an Asus RT-AC66U.
I really like this router and it works a lot better than my old Airport Extreme. However, in order to connect it to a VPN, I had to flash it with a custom firmware from some wizard named Merlin. After updating the router, you'll now have a screen where you can connect to a VPN and tell the router to always be connected.

Asus Router Config

Your router might be different, and there's also Tomato and DD-WRT as alternative firmware.

Problem solved

So in the space of about an hour, I got furious at Verizon, found a way around the problem, and then fixed it for good (for my household). Nothing quite motivates me like when something shouldn't be the way that it is.

Netflix subscribers: What happens when you do the Netflix test? Do you max out at 3000 kbps? Or struggle to even play the video? I'd love to know in the comments.

------------------------------

Date: Sat, 19 Jul 2014 14:41:00 +1000
From: Lindsay Harris <lindsay () bluegum com>
Subject: Re: Unix "*" wildcards considered harmful (Horsfall, RISKS-28.07)

This is not an easy bug to fix properly. The issue is that the shell does the filename expansion, so the program is unaware as to whether any given parameter is intended to be a flag or non-flag. A mostly effective solution is to check each file name against any possible parameter, and ignore it as a flag, and perhaps as a file name too. But then, how do you delete a file called -rf, for instance?

This may require the return of the dsw command -- delete from switch register. It's logically the equivalent of rm -i, but without flags and thus immune from the wildcard expansion issue.

Any (recent) mentions of program names/parameters that have terminal control codes to alter the display when running ps? That arose in the early 1980s, from memory. I think screen capture was one possibility.

P.S. I looked up the dsw command to verify my recollection.
The first search item was at http://man.cat-v.org I chuckled over the URL's reference to the paper "Cat -v considered harmful", a paper by Rob Pike at the 1983 Usenix conference, after Dijkstra's CACM note "Goto Considered Harmful"

------------------------------

Date: Sun, 20 Jul 2014 02:29:09 -0700
From: Barry Gold <BarryDGold () ca rr com>
Subject: Re: Disk-sniffing dogs find thumb drives, DVD's?

State Police Detective Adam Houston takes Thoreau from his cruiser. The yellow lab, 2, is trained to sniff out devices such as thumb drives and hard drives that child porn traffickers use to store photos of children.

07 Jul 2014? Are you sure you have the date right? Are you, perhaps, off by 3 months and 3 days?

Okay, so you've located a thumb drive, DVD, or hard drive. Now... where's your Probable Cause to believe it has child porn (or any other "contraband" information) instead of perfectly innocent photos of the family dog playing Frisbee?

And besides the legal problems, they are rewarding the dog with food. You do _not_ reward any working dog with food. This has been known since they started training guide dogs if not before.

1. After a certain point, the value of food to the dog decreases (once the stomach is full...)
2. Rewarding the dog with food means that "bad guys" can distract the dog with food.
3. Even in the absence of intent to create trouble, random passersby with food in their hands may distract the dog. Or children may offer the dog food, thinking "good doggie, let me feed the good doggie."

You reward the dog with a particular ball whose scent he knows. Or something else that is not easily available and doesn't depend on the dog's appetite.

What is this? An episode of Beavis and Butthead?

------------------------------

Date: Mon, 21 Jul 2014 15:38:12 -0400
From: John Mainwaring <john () mhn org>
Subject: Re: Lethal Weapon: The Self Driving Car (RISKS-28.08)

The submission raises the frightful prospect that suspected criminals would be able to fire weapons at pursuing police cars. Two gangsters can manage this astonishing feat today, as long as one drives and the other wields the gat.

On the other hand, the self-driving car would be likely to obey the speed limit. Its collision avoidance features should make it fairly easy for the police to stop it at a road block. In the gangster movies of the 1992s, the live driver would have plowed through the road block at incredible speed on two wheels, in truly spectacular fashion.
I can't see self-drive making for really good action movies, but they might make the drive to and from the multi-screen safer, and possibly even allow for some canoodling in the back seat on the way... I knew there must be a way they'd be illegal, immoral or a shame.

------------------------------

Date: Mon, 21 Jul 2014 10:14:58 -0700
From: Rex Sanders <rsanders () usgs gov>
Subject: Risks of apps versus web browsers, deja vu

Sean Gallagher at ArsTechnica watched what his iOS and Android apps were doing for a while, and was shocked, shocked by the private information these apps transmitted:

http://arstechnica.com/security/2014/07/mobile-apps-cookies-leave-a-data-trail-behind-you/

On December 6, 2010, I sent this message to RISKS, but it was not published.

Many online media outlets, social networking sites, and other web sites, are pushing smart phone apps, in place of standard web browsers. Many of these apps are nothing more than re-skinned web browsers. Some apps offer expanded content or other features which are not available through standard browsers.

TANSTAAFL.

With web browsers, you have some limited control over cookies, history, caching, and other privacy or security features. You have none of those controls with dedicated apps. On the other hand, sidejacking your credentials, and similar attacks, could be much more difficult.

I would rather have some control over my privacy, than worry about sidejacking low value credentials. Your risk analysis might be different. But you should think before using that app.

------------------------------

Date: Mon, 21 Jul 2014 11:07:54 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "New variant of malware, Gyges, can quietly exfiltrate government data" (Candice So)

Candice So, *IT Business*, 18 July 2014
http://www.itbusiness.ca/news/new-variant-of-malware-gyges-can-quietly-exfiltrate-government-data/50066

------------------------------

Date: Sun, 20 Jul 2014 13:22:08 -0400
From: "David Farber via ip" <ip () listbox com>
Subject: Calling All Hackers: Help Us Build an Open Wireless Router

EFF is releasing an experimental hacker alpha release of wireless router software specifically designed to support secure, shareable Open Wireless networks. We will be officially launching the Open Wireless Router today at the HOPE X (Hackers on Planet...

https://www.eff.org/deeplinks/2014/07/building-open-wireless-router

------------------------------

Date: Jul 21, 2014 10:11 AM
From: "EFF Press" <press () eff org>
Subject: Stop Sneaky Online Tracking with EFF's Privacy Badger

Electronic Frontier Foundation Media Release
For Immediate Release: Monday, July 21, 2014

Contact:
Peter Eckersley
Technology Projects Director
Electronic Frontier Foundation
pde () eff org
+1 415 436-9333 x131

Stop Sneaky Online Tracking with EFF's Privacy Badger

Add-On for Firefox and Chrome Prevents Spying by Ads, Social Widgets, and Hidden Trackers

San Francisco - The Electronic Frontier Foundation (EFF) has released a beta version of Privacy Badger, a browser extension for Firefox and Chrome that detects and blocks online advertising and other embedded content that tracks you without your permission. Privacy Badger was launched in an alpha version less than three months ago, and already more than 150,000 users have installed the extension.
Today's beta release includes a feature that automatically limits the tracking function of social media widgets, like the Facebook "Like" button, replacing them with a stand-in version that allows you to "like" something but prevents the social media tool from tracking your reading habits.

"Widgets that say 'Like this page on Facebook' or 'Tweet this' often allow those companies to see what webpages you are visiting, even if you never click the widget's button," said EFF Technology Projects Director Peter Eckersley. "The Privacy Badger alpha would detect that, and block those widgets outright. But now Privacy Badger's beta version has gotten smarter: it can block the tracking while still giving you the option to see and click on those buttons if you so choose."

EFF created Privacy Badger to fight intrusive and objectionable practices in the online advertising industry. Merely visiting a website with certain kinds of embedded images, scripts, or advertising can open the door to a third-party tracker, which can then collect a record of the page you are visiting and merge that with a database of what you did beforehand and afterward. If Privacy Badger spots a tracker following you without your permission, it will either block all content from that tracker or screen out the tracking cookies.

Privacy Badger is one way that Internet users can fight the decision that many companies have made to ignore Do Not Track requests, the universal Web tracking opt-out you can enable in your browser. Privacy Badger enforces users' preferences whether these companies respect your Do Not Track choice or not. Advertisers and other third-party domains that are blocked in Privacy Badger can unblock themselves by making a formal commitment to respect their users' Do Not Track requests.

"Users who install Privacy Badger aren't just getting more privacy and a better browsing experience for themselves--they are providing incentives for improved privacy practices and respect for Do Not Track choices across the Internet," said Eckersley. "Using Privacy Badger helps to make the Web as a whole better for everyone."

EFF wishes to thank Professor Franziska Roesner at the University of Washington for exceptional work in enhancing Privacy Badger's widget-handling algorithms.

To install the beta version of Privacy Badger:
https://www.eff.org/privacybadger

For this release:
https://www.eff.org/press/releases/stop-sneaky-online-tracking-effs-privacy-badger

[...]

------------------------------

Date: Fri, 18 Jul 2014 18:19:29 -0400
From: Gary McGraw <gem () cigital com>
Subject: Silver Bullet 100 launches 23 Jul 2014

Believe it or not, we've produced Silver Bullet Security Podcasts for 100 months in a row without fail! To celebrate this accomplishment, we produced a video for episode 100 that will debut next Wednesday morning.

To date we have almost 1,000,000 podcast downloads (an average episode has about 10,000 listens).

Keep your eye on twitter (@cigitalgem) and the Silver Bullet website: http://www.cigital.com/silverbullet

p.s. http://www.cigital.com/silver-bullet/show-014/

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you.
The mailman Web interface can be used directly to subscribe and unsubscribe:
  http://lists.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to
  risks-request () csl sri com
containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either
  risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
depending on which action is to be taken.

Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
   *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.

=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
   *** NOTE: Including the string `notsp' at the beginning or end of the subject
   *** line will be very helpful in separating real contributions from spam.
   *** This attention-string may change, so watch this space now and then.

=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
   http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
   <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .

==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
    is no longer maintained up-to-date except for recent election problems.
    *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.

==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 28.09
************************
