RISKS-LIST: Risks-Forum Digest Wednesday 4 September 2013 Volume 27 : Issue 46 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/27.46.html> The current issue can be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: Our Newfound Fear of Risk (Bruce Schneier) 'Walkie-Talkie' skyscraper melts Jaguar car parts (Martyn Thomas) How the "Internet of Things" May Change the World (Matthew Kruk) "Video: PostgreSQL succeeds where MySQL fails" (Pete Babb via Gene Wirchenko) "Developers hack Dropbox and show how to access user data" (Lucas Mearian via Gene Wirchenko) No password is safe from new breed of cracking software (Salon.com via David Farber) Windows 8 Picture Passwords Easily Cracked (ACM TechNews) Password must be 10 characters and begin and end with a number (jidanni) Test 'reveals Facebook, Twitter and Google snoop on e-mails' (Martin Delgado via Henry Baker) "IBM starts restricting hardware patches to paying customers" (Joab Jackson via Gene Wirchenko) The Ghost Messages of Yahoo's Recycled IDs (Lauren Weinstein) "Report: NSA pays millions for US telecom access" (Joab Jackson via Gene Wirchenko) Re: HuffPo Edward Snowden Impersonated NSA Officials (Dimitri Maziuk, Paul Schreiber) Re: In ACLU lawsuit, scientist demolishes NSA's `It's just metadata' (Amos Shapir) Re: Sensitive data left on hard drives (David Alexander) Re: Text a driver in New Jersey, and you could see your day in court (B.J. Herbison, Larry Sheldon, Paul Robinson) Re: DC, Maryland: Speed Camera Firms Move To Hide Evidence (Paul Robinson) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Wed, 04 Sep 2013 12:37:09 -0500 From: Bruce Schneier <schneier@schneier.com> Subject: Our Newfound Fear of Risk Bruce Schneier, Our Newfound Fear of Risk http://www.schneier.com/blog/archives/2013/09/our_newfound_fe.html We're afraid of risk. It's a normal part of life, but we're increasingly unwilling to accept it at any level. So we turn to technology to protect us. The problem is that technological security measures aren't free. They cost money, of course, but they cost other things as well. They often don't provide the security they advertise, and -- paradoxically -- they often increase risk somewhere else. This problem is particularly stark when the risk involves another person: crime, terrorism, and so on. While technology has made us much safer against natural risks like accidents and disease, it works less well against man-made risks. Three examples: * We have allowed the police to turn themselves into a paramilitary organization. They deploy SWAT teams multiple times a day, almost always in nondangerous situations. They tase people at minimal provocation, often when it's not warranted. Unprovoked shootings are on the rise. One result of these measures is that honest mistakes -- a wrong address on a warrant, a misunderstanding -- result in the terrorizing of innocent people, and more death in what were once nonviolent confrontations with police. * We accept zero-tolerance policies in schools. This results in ridiculous situations, where young children are suspended for pointing gun-shaped fingers at other students or drawing pictures of guns with crayons, and high-school students are disciplined for giving each other over-the-counter pain relievers. The cost of these policies is enormous, both in dollars to implement and its long-lasting effects on students. * We have spent over one trillion dollars and thousands of lives fighting terrorism in the past decade -- including the wars in Iraq and Afghanistan -- money that could have been better used in all sorts of ways. We now know that the NSA has turned into a massive domestic surveillance organization, and that its data is also used by other government organizations, which then lie about it. Our foreign policy has changed for the worse: we spy on everyone, we trample human rights abroad, our drones kill indiscriminately, and our diplomatic outposts have either closed down or become fortresses. In the months after 9/11, so many people chose to drive instead of fly that the resulting deaths dwarfed the deaths from the terrorist attack itself, because cars are much more dangerous than airplanes. There are lots more examples, but the general point is that we tend to fixate on a particular risk and then do everything we can to mitigate it, including giving up our freedoms and liberties. There's a subtle psychological explanation. Risk tolerance is both cultural and dependent on the environment around us. As we have advanced technologically as a society, we have reduced many of the risks that have been with us for millennia. Fatal childhood diseases are things of the past, many adult diseases are curable, accidents are rarer and more survivable, buildings collapse less often, death by violence has declined considerably, and so on. All over the world -- among the wealthier of us who live in peaceful Western countries -- our lives have become safer. Our notions of risk are not absolute; they're based more on how far they are from whatever we think of as "normal." So as our perception of what is normal gets safer, the remaining risks stand out more. When your population is dying of the plague, protecting yourself from the occasional thief or murderer is a luxury. When everyone is healthy, it becomes a necessity. Some of this fear results from imperfect risk perception. We're bad at accurately assessing risk; we tend to exaggerate spectacular, strange, and rare events, and downplay ordinary, familiar, and common ones. This leads us to believe that violence against police, school shootings, and terrorist attacks are more common and more deadly than they actually are -- and that the costs, dangers, and risks of a militarized police, a school system without flexibility, and a surveillance state without privacy are less than they really are. Some of this fear stems from the fact that we put people in charge of just one aspect of the risk equation. No one wants to be the senior officer who didn't approve the SWAT team for the one subpoena delivery that resulted in an officer being shot. No one wants to be the school principal who didn't discipline -- no matter how benign the infraction -- the one student who became a shooter. No one wants to be the president who rolled back counterterrorism measures, just in time to have a plot succeed. Those in charge will be naturally risk averse, since they personally shoulder so much of the burden. We also expect that science and technology should be able to mitigate these risks, as they mitigate so many others. There's a fundamental problem at the intersection of these security measures with science and technology; it has to do with the types of risk they're arrayed against. Most of the risks we face in life are against nature: disease, accident, weather, random chance. As our science has improved -- medicine is the big one, but other sciences as well -- we become better at mitigating and recovering from those sorts of risks. Security measures combat a very different sort of risk: a risk stemming from another person. People are intelligent, and they can adapt to new security measures in ways nature cannot. An earthquake isn't able to figure out how to topple structures constructed under some new and safer building code, and an automobile won't invent a new form of accident that undermines medical advances that have made existing accidents more survivable. But a terrorist will change his tactics and targets in response to new security measures. An otherwise innocent person will change his behavior in response to a police force that compels compliance at the threat of a Taser. We will all change, living in a surveillance state. When you implement measures to mitigate the effects of the random risks of the world, you're safer as a result. When you implement measures to reduce the risks from your fellow human beings, the human beings adapt and you get less risk reduction than you'd expect -- and you also get more side effects, because we all adapt. We need to relearn how to recognize the trade-offs that come from risk management, especially risk from our fellow human beings. We need to relearn how to accept risk, and even embrace it, as essential to human progress and our free society. The more we expect technology to protect us from people in the same way it protects us from nature, the more we will sacrifice the very values of our society in futile attempts to achieve this security. This essay previously appeared on Forbes.com. ------------------------------ Date: Mon, 02 Sep 2013 19:29:55 +0100 From: Martyn Thomas <martyn@thomas-associates.co.uk> Subject: 'Walkie-Talkie' skyscraper melts Jaguar car parts A risk overlooked in the CAD program? http://www.bbc.co.uk/news/uk-england-london-23930675 [This is strange. A London skyscraper under construction is apparently being blamed for intensifying the sun's rays and reflecting light on a nearby automobile in which various parts melted. Martyn suggests that the possibility of such an occurrence might have been ignored by the architectural CAD program used to design and spec the building. Waggin' the tale of the Jaguar? PGN] ------------------------------ Date: Mon, 2 Sep 2013 23:50:25 -0600 From: "Matthew Kruk" <mkrukg@gmail.com> Subject: How the "Internet of Things" May Change the World http://news.nationalgeographic.com/news/2013/08/130830-internet-of-things-te... ------------------------------ Date: Wed, 04 Sep 2013 10:30:48 -0700 From: Gene Wirchenko <genew@telus.net> Subject: "Video: PostgreSQL succeeds where MySQL fails" (Pete Babb) Pete Babb, InfoWorld, 03 Sep 2013 Head-to-head comparison shows MySQL failing to report major data errors, which would lead to big headaches for developers http://www.infoworld.com/t/sql/video-postgresql-succeeds-where-mysql-fails-2... selected text: In the above video, Conery sets up a basic MySQL query, including a directive that nulls should not be allowed. He then intentionally tries to add data with nulls, hoping that MySQL will catch the error. It doesn't. Conery notes, "MySQL decided, 'You tried to insert null, but what you really meant was zero.' ------------------------------ Date: Fri, 30 Aug 2013 13:35:17 -0700 From: Gene Wirchenko <genew@telus.net> Subject: "Developers hack Dropbox and show how to access user data" (Lucas Mearian) Lucas Mearian, Computerworld, 28 Aug 2013 The cloud storage provider's two-factor authentication was bypassed to gain access to user data http://www.infoworld.com/d/security/developers-hack-dropbox-and-show-how-acc... ------------------------------ Date: Sun, 1 Sep 2013 15:40:16 -0400 From: David Farber <dave@farber.net> Subject: No password is safe from new breed of cracking software - Salon.com http://www.salon.com/2013/09/02/no_password_is_safe_from_new_breed_of_cracki... No password is safe from new breed of cracking software. Chances are you need to change your password. No matter how long it is. [This article originally appeared on The Daily Dot.] Over the weekend, the free password cracking and recovery tool oclHashcat-plus released a new version, 0.15, that can handle passwords up to 55 characters. It works by guessing a lot of common letter combinations. A lot. Really really fast. Other long-string password-crackers exist, such as Hashcat and oclHashcat-lite, though they take a great deal more time to cycle through. This improvement runs at 8 million guesses per second while also allowing users to cut down the number of guesses required by shaping their attacks based on the password-construction protocol followed by a company or group. A combination of increasing awareness of official scrutiny, such as the NSA leaks, growing instances of hacking of all kinds and leaked password lists, has inspired users to radically lengthen their passwords and use passphrases instead. As Dan Goodin noted in Ars Technica, ``Crackers have responded by expanding the dictionaries they maintain to include phrases and word combinations found in the Bible, common literature, and in online discussions.'' One security researcher cracked the passphrase Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn1 -- a phrase from an H.P. Lovecraft horror story. It was less impossible than it was super easy, crackable in minutes, because it was in an easily available hacker word list. The release notes state that the ability to target increased character counts was their most requested change in a development process which took the team six months, who modified 618,473 lines of source code, more than half the code in the product. ------------------------------ Date: Wed, 4 Sep 2013 11:59:27 -0400 From: ACM TechNews <technews@HQ.ACM.ORG> Subject: Windows 8 Picture Passwords Easily Cracked [From ACM TechNews; 4 Sep 2013] Read the TechNews Online at: http://technews.acm.org [Source: *InformationWeek*, 30 Aug 2013, Thomas Claburn] Microsoft Windows 8's picture gesture authentication (PGA) system is not difficult to crack, according to security researchers from Arizona State and Delaware State universities. The researchers say their experimental model and attack framework enabled it to crack 48 percent of passwords for previously unseen pictures in one dataset and 24 percent in another, in a paper presented at the recent Usenix Conference in August. The researchers also believe their results could be improved with a larger training set and stronger picture-categorization and computer-vision techniques. Windows 8 offers gesture-based passwords and traditional text-based passwords. Setting up a gesture-based password involves choosing a photo from the Picture Library folder and drawing three points on the image to be stored as grid coordinates. However, users tend to pick common points of interest, such as eyes, faces, or discrete objects, and the passwords derived from this constrained set have much less variability than randomly generated passwords. The researchers suggest Microsoft could implement a picture-password-strength meter, and integrate its PGA attack framework to inform users of the potential number of guesses it would take to access the system. http://www.informationweek.com/security/vulnerabilities/windows-8-picture-pa... ------------------------------ Date: Sun, 01 Sep 2013 11:41:21 +0800 From: jidanni@jidanni.org Subject: Password must be 10 characters and begin and end with a number Signing up at http://www.ellisisland.org/ Password __________ (Must be 10 characters and begin and end with a number) Gee, doesn't pinning it down so firmly merely help the crackers? PCRE /^\d.{8}\d$/ [Yes. Old topic in RISKS, still lives. PGN.] ------------------------------ Date: Sun, 01 Sep 2013 13:41:33 -0700 From: Henry Baker <hbaker1@pipeline.com> Subject: Test 'reveals Facebook, Twitter and Google snoop on e-mails' (Martin Delgado) Sunday, Sep 01 2013 9PM 87°F 12AM 84°F 5-Day Forecast Test 'reveals Facebook, Twitter and Google snoop on e-mails': Study of net giants spurs new privacy concerns * Study set out to test confidentiality of 50 of the biggest Internet companies * Researchers sent unique web address in private messages through firms * They found six of the companies opened the link from the message Martin Delgado, *Daily Mail*, 31 Aug 2013 http://www.dailymail.co.uk/news/article-2407949/Test-reveals-Facebook-Twitte... Facebook, Twitter and Google have been caught snooping on messages sent across their networks, new research claims, prompting campaigners to express concerns over privacy. The findings emerged from an experiment conducted following revelations by US security contractor Edward Snowden about government snooping on Internet accounts. Cyber-security company High-Tech Bridge set out to test the confidentiality of 50 of the biggest Internet companies by using their systems to send a unique web address in private messages. Experts at its Geneva HQ then waited to see which companies clicked on the website. During the ten-day operation, six of the 50 companies tested were found to have opened the link. Among the six were Facebook, Twitter, Google and discussion forum Formspring. High-Tech Bridge chief executive Ilia Kolochenko said: ``We found they were clicking on links that should be known only to the sender and recipient. If the links are being opened, we cannot be sure that the contents of messages are not also being read. All the social network sites would like to know as much as possible about our hobbies and shopping habits because the information has a commercial value. ``The fact that only a few companies were trapped does not mean others are not monitoring their customers. They may simply be using different techniques which are more difficult to detect.'' Earlier this year scientists in Germany claimed another big computer company, Microsoft, was spying on customers using its Skype instant messaging service. Facebook declined to comment on the latest research but said it had complex automated systems in place to combat phishing (Internet identity fraud) and reduce malicious material. Twitter also declined to comment directly but said it used robotic systems to bar spam messages from customer accounts. A source at Google said: ``There is nothing new here. It simply isn't an issue.'' An independent expert explained: ``In principle these companies should not be opening the links, but in practice they are giving a service to customers. The protection provided outweighs any potential commercial gain.'' But campaigners called for stricter safeguards. Nick Pickles, director of pressure group Big Brother Watch, said: ``This is yet another reminder that profit comes before privacy every day for some businesses. Companies such as Google and Facebook rely on capturing as much data as possible to enhance their advertising targeting. They intrude on our privacy to build an ever more detailed picture of our lives.'' ------------------------------ Date: Fri, 30 Aug 2013 14:16:40 -0700 From: Gene Wirchenko <genew@telus.net> Subject: "IBM starts restricting hardware patches to paying customers" (Joab Jackson) Joab Jackson, InfoWorld, 28 Aug 2013 Following an Oracle practice, IBM starts to restrict hardware patches to holders of maintenance contracts http://www.infoworld.com/d/computer-hardware/ibm-starts-restricting-hardware... ------------------------------ Date: Tue, 3 Sep 2013 19:40:04 -0700 From: Lauren Weinstein <lauren@vortex.com> Subject: The Ghost Messages of Yahoo's Recycled IDs Eva Chan knows the value of a good username. She's had @EC on Twitter "longer than Twitter has had vowels." So when Yahoo started offering recycled user IDs, she put a few names on her wishlist. A little later, Yahoo gave her one of those names. Then she started getting e-mails about a stranger's cancer. http://j.mp/176KZQf (Medium via NNSquad) ------------------------------ Date: Wed, 04 Sep 2013 10:33:34 -0700 From: Gene Wirchenko <genew@telus.net> Subject: "Report: NSA pays millions for US telecom access" (Joab Jackson) Joab Jackson, InfoWorld, 30 Aug 2013 The Washington Post reports the NSA paid telecom companies $278 million this fiscal year to intercept phone calls, e-mail, and instant messages http://www.infoworld.com/d/security/report-nsa-pays-millions-us-telecom-acce... ------------------------------ Date: Fri, 30 Aug 2013 15:26:59 -0500 From: Dimitri Maziuk <dmaziuk@bmrb.wisc.edu> Subject: Re: HuffPo Edward Snowden Impersonated NSA Officials (RISKS-27.45)

'Every day, they are learning how brilliant [Snowden] was, an anonymous former intelligence official told NBC, `'This is why you don't hire brilliant people for jobs like this. You hire smart people. Brilliant people get you in trouble.''

As a Unix systems administrator, I have access to files owned by, or can assume the identity of, any user of this system. Including my superiors -- there's nothing brilliant about that, it's how Unix works. (I haven't done Windows since last century, so I'm not sure what security knobs are available in the recent versions. I expect the above is also true of MS Windows -- and OSX of course has a Unix inside.) So, - is it that NSA is using its own highly secure OS where the administrator's access is limited, and Snowden brilliantly hacked through its security layers? And if so, I'm curious: how do the subcontractors' computers interoperate with it, what kind of security clearance do you need to see the API, what does EULA look like, and so on. - or is is that NSA and its subcontractors are using COTS OS and have zero to no understanding of the levels of security and access actually afforded by the system? Or if they do understand, how do they subcontract sysadminning to someone without the highest NSAnet security clearance? Dimitri Maziuk, Programmer/sysadmin, BioMagResBank, UW-Madison http://www.bmrb.wisc.edu ------------------------------ Date: Fri, 30 Aug 2013 20:57:02 -0400 From: Paul Schreiber <paulschreiber@gmail.com> Subject: Re: HuffPo Edward Snowden Impersonated NSA Officials (Kramer, R-27 45)

'Every day, they are learning how brilliant [Snowden] was, ...

To me, this sounds like a nontechnical user trying to explain how sudo su [1] works. `Impersonating' is too attention-grabbing. [1] Or its GUI equivalent for their Intranet (View page as ...) ------------------------------ Date: Sun, 1 Sep 2013 18:32:20 +0300 From: Amos Shapir <amos083@gmail.com> Subject: Re: In ACLU lawsuit, scientist demolishes NSA's `It's just metadata' (RISKS-27.44) If current laws and technology were in effect 40 years ago, Nixon wouldn't need clumsy "plumbers" -- the NSA could have bugged the Watergate offices legally (collecting only "metadata" of course), Deep Throat would be sent to jail, and the Washington Post would be prohibited from reporting anything about the whole affair! ------------------------------ Date: Sat, 31 Aug 2013 07:34:53 +0100 (BST) From: David Alexander <davidalexander440@btinternet.com> Subject: Re: Sensitive data left on hard drives The only news aspect of this article is that people are still doing it. Andy Jones and Andrew Blyth at the University of Glamorgan were doing surveys like this and publishing the results at least 10 years ago, with the same findings. I watched the movie "Grosse Point Blank" again recently and was amused to see Joan Cusack 'destroying' a PC by hitting the casing with a club hammer. The really funny thing is that some people actually think it works -- <irony>I presume the blows must knock the data bits off of the surface of the hard drive </irony> ------------------------------ Date: Sun, 01 Sep 2013 19:08:32 -0400 From: "B.J. Herbison" <bj@herbison.com> Subject: Re: Text a driver in New Jersey, and you could see your day in court

Even the theoretical concept of holding the person at the other end of an electronic communication (hell, even another person just talking in the same vehicle) responsible for a driver's stupidity is beyond ludicrous.

I disagree. If a passenger intentionally distracts a driver and a crash occurs the passenger has liability for the crash. Moving the distractor outside of the vehicle electronically shouldn't reduce the liability. The key though is "knows that the recipient is driving and texting". That is often unknowable and usually hard to prove. ------------------------------ Date: Fri, 30 Aug 2013 16:45:36 -0500 From: Larry Sheldon <lfsheldon@gmail.com> Subject: Re: Text a driver in New Jersey, and you could see your day in court (RISKS-27.45) There is no word in my vocabulary for how wrong this. One of my typical uses of electronic messaging is and has long been sending messages to people I know will be, at the time, asleep, eating a meal, in a meeting, or in some other way indisposed to real-time conversation. Under this insanity, the only safe thing for me is to never ever originate a message that might conceivably be delivered to a mobile device. ------------------------------ Date: Mon, 2 Sep 2013 18:44:13 -0700 (PDT) From: Paul Robinson <paul@paul-robinson.us> Subject: Re: Text a driver in New Jersey, and you could see your day in court (RISKS-27.45) ... holding responsible for a driver's stupidity is beyond ludicrous. And unconstitutional. This violates a number of United States Supreme Court -- and other courts -- decisions on a court's jurisdiction to hale a distant defendant into court to defend a lawsuit. Desktop Techs., Inc. v. Colorworks Reprod. & Design, 1999 U.S. Dist. Lexis 1034 (1999) is pretty much on point. A Canadian company merely running a website was not subject to jurisdiction in Pennsylvania. A mere usenet posting is of less quality for holding jurisdiction than a website. Griffis v. Luban, 646 N.W.2d 527 (2002 Minn.) found that a Usenet posting does not cause the poster to be subject to the jurisdiction of a foreign state. A text message doesn't even rise to the level of a Usenet posting, let alone a website, and therefore there should be no grounds to hold a person sending texts or e-mails, absent some criminal behavior such as threats or stalking or other First Amendment unprotected activity, liable for the transmission or give the courts standing to bring the sender in as the party to a case. There must be at least minimum contact with a state for the courts there to have jurisdiction. Hanson v. Denckla, 357 U.S. 235, 78 S. Ct. 1228, 2 L. Ed. 2d 1283 (1958); Helicopteros Nacionales de Colombia, S.A. v. Hall, 466 U.S. 408, 104 S.Ct. 1868, 80 L.Ed.2d 404 (1984); International Shoe Co. v. Washington, 326 U.S. 310, 66 S. Ct. 154, 90 L. Ed. 95 (1945); Shaffer v. Heitner, 433 U.S. 186, 97 S. Ct. 2569, 53 L. Ed. 2d 683 (1977); World-Wide Volkswagen Corp. v. Woodson, 444 U.S. 286, 100 S. Ct. 559, 62 L. Ed. 2d 490 (1980). Paul Robinson <paul@paul-robinson.us> http://paul-robinson.us (My blog) ------------------------------ Date: Mon, 2 Sep 2013 16:42:04 -0700 (PDT) From: Paul Robinson <paul@paul-robinson.us> Subject: Re: DC, Maryland: Speed Camera Firms Move To Hide Evidence (Burstein, RISKS-27.41) It doesn't say if it was a British patent, which would mean it was unpatented in the United States and no royalties would be due, or if it was (or was also) patented in the U.S., in which case the patent, under the rules then, expired 17 years after issuance, and that's only if the intervening maintenance fees on the patent were also paid, which are due at 3, 7 and 11 years after issuance for all patents issued after December 12, 1980 or the patent automatically and irrevocably expires 6 months after the maintenance fee is not paid; paying it late will not reinstate the patent. So the patent would have expired at best, about 13 years ago. Now the rules are even stricter on expirations, you could tie a patent up in holds by constantly refiling with amendments (some inventors did that to try to capture current practices which were done in a way that unknowingly would infringe upon an applied for patent if the patent's original filing were revised to cover new practices the inventor discovered after filing the application), now, to stop that "practice" (pun unintentional; the filing of patents is called a "practice") U.S. patents expire 17 years after issuance, 20 years after the first filing, or six months after non-payment of maintenance fees, whichever comes first. Paul Robinson <paul@paul-robinson.us> http://paul-robinson.us (My blog) ------------------------------ Date: Sun, 7 Oct 2012 20:20:16 -0900 From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe: http://lists.csl.sri.com/mailman/listinfo/risks Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request@csl.sri.com containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe@csl.sri.com or risks-unsubscribe@csl.sri.com depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc. => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html> *** Contributors are assumed to have read the full info file for guidelines. => .UK users may contact <Lindsay.Marshall@newcastle.ac.uk>. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail! => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. *** NOTE: Including the string "notsp" at the beginning or end of the subject *** line will be very helpful in separating real contributions from spam. *** This attention-string may change, so watch this space now and then. => ARCHIVES: ftp://ftp.sri.com/risks for current volume or ftp://ftp.sri.com/VL/risks for previous VoLume http://www.risks.org takes you to Lindsay Marshall's searchable archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue. Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r <http://the.wiretapped.net/security/info/textfiles/risks-digest/> . ==> PGN's comprehensive historical Illustrative Risks summary of one liners: <http://www.csl.sri.com/illustrative.html> for browsing, <http://www.csl.sri.com/illustrative.pdf> or .ps for printing is no longer maintained up-to-date except for recent election problems. *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 27.46 ************************