precedence: bulk
Subject: Risks Digest 25.98

RISKS-LIST: Risks-Forum Digest  Thursday 1 April 2010  Volume 25 : Issue 98

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at as
The current issue can be found at

Contents: [The catless RISKS mirror may not yet reflect this issue.]
The 2010 Census as of April 1 (Rebecca Mercuri)
Silver Iodide Can Seed Cloud Computing (PGN)
Clouding Men's Minds (Cecelia Kang via PGN)
CalJOBS Security is a Mess (Tony Lima)
Why Won't USPS Let Me File This Complaint? (Jim Reisert)
Incorrect software change to emergency ambulance call-handling system may have resulted in hundreds of deaths (Bruce Horrocks)
Ohioans are dunned for long-paid fines (Peter Zilahy Ingerman)
User-friendly speed cameras in Belgium (Peter Houppermans)
Academic Paper in China Sets Off Alarms in U.S. (Markoff/Barboza)
Water-treatment computer: No, not the Three Stooges, but close (Jeremy Epstein)
3.3 million student-loan records pilfered (Gene Wirchenko)
Old-fashioned computer risks, Re: 3.3 million student-loan data (Jeremy Epstein)
High-tech copy machines a gold mine for data thieves (David Hollman)
Survey: Millions of users open spam e-mails, click on links (Dancho Danchev via Monty Solomon)
Plain Dealer sparks ethical debate by unmasking anonymous poster (Ferdinand Reinke)
In Bid to Sway Sales, Cameras Track Shoppers (Stephanie Rosenbloom via Monty Solomon)
TJX Hacker Sentenced (Gene Wirchenko)
USENIX Health Security and Privacy Workshop due 9 Apr 2010 (Kevin Fu)
GameSec 2010: Conference on Decision and Game Theory for Security (Albert Levi)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 1 Apr 2010 00:31:56 -0500
From: "R. Mercuri"
Subject: The 2010 Census as of April 1

[Rebecca suggested this in response to Thomas Friedman's article supporting IRV in *The New York Times*, 24 Mar 2010. PGN]
http://www.nytimes.com/2010/03/24/opinion/24friedman.html

I was recently reading the FairVote (an Instant Runoff Voting advocacy group) newsletter where the Census is mentioned, and OF COURSE, one should note (though the author didn't) that it is STILL done on PAPER, not on the Internet. I sure hope that continues.

Anyway, it caused me to try to think of an IRV analogy to the Census -- perhaps filers would instead list the number of people they'd LIKE to have living in their homes on April 1, rather than the actual number of people that ARE living there. So people who are getting divorced would say 1, and people who are on the verge of giving birth would say 2 (or 9 if they are an octomom), and people who are about to die would say 0, and so on. It would be really interesting trying to figure out how to count that up accurately.

And of course, since the computers would be doing advanced fuzzy math to determine the population for the subsequent gerrymandering, the software algorithms would be far too complex for anyone to ever check (also because they'd be written by some contractor who would decide that the code is a proprietary trade secret). After the results come out, we'd miraculously discover that Omaha Nebraska (gee, I wonder why it's *that* particular city) would be entitled to 25 members of Congress.

Hmmm....maybe that *is* what's going on (or if not, I'm sure some folks with deep pockets of cash would love to make it happen).

Rebecca Mercuri

------------------------------

Date: Thu, 1 Apr 2010 01:23:45 GMT
From: "Peter G. Neumann"
Subject: Silver Iodide Can Seed Cloud Computing

At a rump session at the annual meeting of the American Chemical Society in San Francisco last week, A. Poulter Geist, a physical chemist with a remarkably strong background in both mathematics and computer science, claimed that silver iodide (which has been used for many years to seed potential rain clouds, albeit with considerable dispute as to its actual effectiveness) could also be used to seed random-number generators used in cryptographic key generation and hash coding, to provide better security in cloud computing and cloud data-storage. Perhaps somewhat simplistically, he also suggested that the literal string "silver iodide" might even be used as a public key in identity-based and attribute-based encryption, greatly simplifying key management. However, he rather explicitly ceded responsibility for the clouds in cloud computing itself.

[Poulter may be a distant relative of Tom "Doc" Poulter, director of the eponymous lab at SRI that still exists today. On the other hand, I note that a "poltergeist" is known for unexplained rappings, and cloud computing is likely to need wrappers in the sky -- which thus far have been easily compromised. PGN]

------------------------------

Date: Sat, 27 Mar 2010 14:00:06 PDT
From: "Peter G. Neumann"
Subject: Clouding Men's Minds (Cecelia Kang)

Behind Facebook, Gmail, and the Bing search engine is a multibillion-dollar shift in technology that users don't see and Washington doesn't quite know how to handle: cloud computing, the hosting of data on remote servers that can be tapped from any computer connected to the Web. ...

[Source: Cecelia Kang, Washington debates Cloud Computing, *The Washington Post*, 26 Mar 2010; PGN-ed. For you old-timers, the subject line refers to The Shadow.]
http://voices.washingtonpost.com/posttech/2010/03/what.html
http://bit.ly/av3CRy

------------------------------

Date: Tue, 30 Mar 2010 15:12:41 -0700
From: Tony Lima
Subject: CalJOBS Security is a Mess

There are major problems with the CalJOBS website, specifically the security system.
Quite a bit of this will sound all too familiar to RISKS readers.

The Employment Development Department (EDD) of the state of California runs a website for job seekers and employers called CalJOBS. A recent security upgrade, however, has made it impossible for at least one user (me) to log in at all.

The new website requires a user name and password. There are restrictions on both the name and password. The user name must be 6 to 11 alphanumeric characters. So far so good. The password must be 6 to 8 characters. Only after you enter the password (twice) and the answers to your two security questions (see below) do you see this:

**Password must contain 3 of the following 4 items: 1) capital letters A-Z, 2) lowercase letters a-z, 3) numbers 0-9, 4) special characters ! # $ % ? + - _ @ **

Then you are asked for the answers to two security questions. I have no idea who made up these questions, but they are just plain bizarre. Two examples: "What was your childhood nickname?" and "On what street is your favorite restaurant located?" (The complete lists, as well as other screen shots, are available at my blog http://TonyLimaAssociates.posterous.com.)

Even worse, as you fill in the answers to the questions, they are blacked out. You can't see any of the characters you type, but you do have to answer each security question twice. You're out of luck if you manage to make the same typo twice. (Screen capture available on blog.)

If you make a mistake, you're really out of luck. The website instructs you to call EDD at (800) 758-0398. If there are any human beings behind the voicemail, I haven't found them yet.

To top it all off, when I tried to submit a bug report on the EDD website, I consistently got a message saying my message included illegal characters. I swear, all the characters were legal.

No wonder the state unemployment rate is still in double digits.

Tony Lima Associates, Los Altos, CA, USA 1-650-243-1286

------------------------------

Date: Tue, 30 Mar 2010 15:59:43 -0600
From: Jim Reisert AD1C
Subject: Why Won't USPS Let Me File This Complaint?

http://consumerist.com/2010/03/why-wont-usps-let-me-file-this-complaint.html

"According to Sarah, she attempted to file the below note using USPS.com's complaint form, but was told it could not be accepted because it contains a prohibited word. But neither she nor we can figure out what that word may be."

I'd like to say the risk here is being forced to complain to the USPS using a snail-mail (i.e. USPS) method instead of their website.

Jim Reisert AD1C, http://www.ad1c.us

------------------------------

Date: Tue, 30 Mar 2010 01:00:01 +0100
From: Bruce Horrocks
Subject: Incorrect software change to emergency ambulance call-handling system may have resulted in hundreds of deaths

UK call centers dealing with emergency ambulance calls use software to automate the prioritization of calls. Over a decade ago, a change was requested to downgrade the severity of incidents involving a fall of 10ft or more. The change was 'literally' implemented with the consequence that all incidents involving a fall were downgraded, irrespective of the severity of other symptoms.

The error came to light when a woman who had fallen 12ft, was unconscious and had breathing difficulties died after being left to wait because priority was given to a drunk who had collapsed on the street.

http://www.telegraph.co.uk/health/healthnews/7489663/Hundreds-may-have-died-in-999-ambulance-blunder.html

It's not clear from the article whether the change was incorrectly implemented or exactly as requested. The risk is that requirements used to generate safety related software must be as rigorously checked as the software.

------------------------------

Date: Wed, 31 Mar 2010 14:48:27 -0400
From: Peter Zilahy Ingerman
Subject: Ohioans are dunned for long-paid fines

Some motorists are complaining that old traffic fines they already paid to one Ohio county are coming back to haunt them. About 1,000 people have contacted officials in southeast Ohio's Hocking County this week to say they've heard from a collection agency about tickets already resolved, in some cases as far back as 20 years ago.

Municipal Court Clerk Michele Bell said Tuesday that a glitch occurred in 1999, when the court changed data systems. The problem surfaced amid the county's ongoing efforts to recover outstanding debts and bolster its budget.

About 10,000 debt-collection letters went out last week. Bell says she's not sure how many were sent by mistake and how many went to people who still owe money.

http://apnews.excite.com/article/20100331/D9EPNS7G0.html

------------------------------

Date: Sun, 28 Mar 2010 15:29:16 +0200
From: Peter Houppermans
Subject: User-friendly speed cameras in Belgium

A Belgian Flemish MP (Jurgen Verstrepen) opened an interesting can of worms: he publicly asked why speed cameras weren't better protected. It turns out that every camera has the electricity supply cabinet right next to it, which is totally standard - and that standardisation includes the key (which you can buy legally for about EUR 14).

It gets better: opening the cabinet and killing the power to the camera does not get you in trouble with the law as there is no actual damage. So it also won't signal the police, which it would do in case of damage.

All of this was reported in the Belgian press today. Given the popularity of speed cameras in general I suspect Monday will start with a run on those keys, and end with not a single static camera left operational.

I'm not entirely sure that was the original intention..
http://www.autokanaal.be/nieuws/guid/3905ffc1-f11b-4ac2-a123-484bb84b0807.aspx

------------------------------

Date: Sun, 28 Mar 2010 9:55:04 PDT
From: "Peter G. Neumann"
Subject: Academic Paper in China Sets Off Alarms in U.S.

Larry M. Wortzel, in a hearing of the U.S. House Foreign Affairs Committee on 10 Mar 2010: "Chinese researchers at the Institute of Systems Engineering of Dalian University of Technology published a paper on how to attack a small U.S. power grid sub-network in a way that would cause a cascading failure of the entire U.S."

[Source: John Markoff and David Barboza, *The New York Times*, 20 Mar 2010. The NYTimes article is nicely nuanced, and discusses a very complex issue. It deserves your reading. The graduate-student Chinese author, Wang Jianwei, claims he was trying to find ways to enhance the stability of power grids, not trying to bring down the grid. But it should be no surprise to RISKS readers that vulnerabilities exist! PGN]
http://www.nytimes.com/2010/03/21/world/asia/21grid.html

------------------------------

Date: Mon, 29 Mar 2010 12:26:27 -0400
From: Jeremy Epstein
Subject: Water-treatment computer: No, not the Three Stooges, but close

The theft of a computer from the Molalla Oregon water treatment facility is being considered a federal crime by authorities. Someone broke into the water plant on 27 Mar 2010 through a back window and stole the computer, which was what kept the plant working on auto pilot, with remote monitoring of water pumps and reservoir and chlorine levels. Water service was not affected, as the plant could still be operated manually. The next day, the computer was found in a nearby pond. City officials said it's destroyed, but a technician is trying to salvage the hard drive and the costly programming on it.
[Source: Fox 12, KPTV.com, 26 Mar 2010; PGN-ed]
http://www.kptv.com/news/22964989/detail.html

[So let's see, the single computer that controls their water system is in a loosely controlled building, and there's no real-time or offline backup system. Certainly a less scary attack from the cyber perspective, and hard to do from China or on a large scale, but no less effective! JE]

Jeremy Epstein, Senior Computer Scientist, SRI International
1100 Wilson Blvd, Suite 2800, Arlington VA 22209, 703-247-8708

------------------------------

Date: Tue, 30 Mar 2010 12:37:33 -0700
From: Gene Wirchenko
Subject: 3.3 million student-loan records pilfered (Jeremy Kirk)

Confidential data on students applying for loans including names, addresses, birth dates and Social Security numbers has been stolen, according to a non-profit company that helps with student loan financing.

[Source: Jeremy Kirk, *IT Business*, 30 Mar 2010.]
http://www.itbusiness.ca/it/client/en/home/News.asp?id=56987

Selected quotes:

"Data on 3.3 million borrowers was stolen from a nonprofit company that helps with student loan financing. The theft occurred on 20 or 21 Mar 2010 from the headquarters of Educational Credit Management Corp. (ECMC), which services loans when student borrowers enter bankruptcy. The data was contained on portable media, said the organization, which is a dedicated guaranty agency for Virginia, Oregon and Connecticut. The data included names, addresses, birth dates and Social Security numbers but no financial information such as credit card numbers or bank account data, ECMC said in a news release."

"ECMC didn't say whether the data taken was encrypted."

[On that last bit, why not? For that much data, should it not be a given that it would have been encrypted?]

------------------------------

Date: Sat, 27 Mar 2010 10:16:24 -0400
From: Jeremy Epstein
Subject: Old-fashioned computer risks, Re: 3.3 million student-loan data

In the wake of many data breaches, let's not forget the old fashioned kind. Information on 3.3 million college students with loans through ECMC was stolen in a burglary of the ECMC offices in Minnesota. It's not clear from the report whether the thieves targeted the storage device (described as "portable media with personally identifiable information"), or whether that was incidental to a theft of other equipment.

The Risk? Assuming that all data thefts are cyberthefts!

http://www.ecmc.org/details/Announcement.html

------------------------------

Date: Tue, 30 Mar 2010 13:21:42 +0100
From: David Hollman
Subject: High-tech copy machines a gold mine for data thieves

http://www.thestar.com/news/gta/article/781567--high-tech-copy-machines-a-gold-mine-for-data-thieves

"..businesses are completely unaware of the potential information security breach when the office photocopier is replaced. They think the copier is just headed for a junkyard but, in most cases, when the machine goes, so does sensitive data that have been stored on the copier's hard drive for years. ... Of the dozens of multi-purpose copiers [he] has cleaned out in the past two years, he has seen hundreds of scanned documents that would be considered confidential."

Other points:

* Many copiers are networked, allowing for another way of accessing unprotected data
* Employees use work copiers for personal business and you'd expect to find all kinds of sensitive personal information as well as company information.

The risk seems to be the fact that many/most people wouldn't realize that a computer is part of an everyday device like a copier, coupled with the fact that said device gets to read all kinds of sensitive things. I wonder if there are other cases where both of those things are true...? Web-enabled TV boxes perhaps?
Surely there are other examples.

------------------------------

Date: Thu, 25 Mar 2010 23:32:53 -0400
From: Monty Solomon
Subject: Survey: Millions of users open spam e-mails, click on links

Dancho Danchev, Survey: Millions of users open spam e-mails, click on links, ZDNet, 25 Mar 2010

How many users access spam e-mails, click on the links found within, and open attachments intentionally? Why are they doing it, and who are they holding responsible for the spread of malware and spam in general, in between conveniently excluding themselves?

A newly released survey from the Messaging Anti-Abuse Working Group (MAAWG), summarizing the results of the group's second year survey of e-mail security practices, offers an interesting insight into the various interactions end users tend to have with spam e-mails.

Key findings of the survey:

* Nearly half of those who have accessed spam (46%) have done so intentionally - to unsubscribe, out of curiosity, or out of interest in the products or services being offered.
* Four in ten (43%) say that they have opened an e-mail that they suspected was spam.
* Among those who have opened a suspicious e-mail, over half (57%) say they have done so because they weren't sure it was spam and one third (33%) say they have done so by accident.
* Canadian users are those most likely to avoid posting their e-mail address online (46%). Those in the U.S., Canada and Germany are most likely to set up separate e-mail addresses in order to avoid receiving spam.
* Many users do not typically flag or report spam or fraudulent e-mail.
* When it comes to stopping the spread of viruses, fraudulent e-mail, spyware and spam, e-mail users are most likely to hold ISPs and ESPs (65%) and anti-virus software companies (54%) responsible. Less than half of users (48%) hold themselves personally responsible for stopping these threats.

...

http://blogs.zdnet.com/security/?p=5889

[A fool and his password are soon parted. PGN]

------------------------------

Date: Sat, 27 Mar 2010 09:18:36 -0400
From: reinke ferdinand
Subject: Plain Dealer sparks ethical debate by unmasking anonymous poster

http://blog.cleveland.com/metro/2010/03/plain_dealer_sparks_ethical_de.html

Plain Dealer sparks ethical debate by unmasking anonymous Cleveland.com poster
By Henry J. Gomez, *The Plain Dealer*, 26 Mar 2010

By unmasking an anonymous poster at its companion website, The Cleveland Plain Dealer finds itself in an ethical quandary, stirring a debate that balances the public's need to know against the privacy concerns of online participants.

The newspaper traced the identity of `lawmiss' after someone using that moniker left a comment about the mental state of a relative of reporter Jim Ewinger. The comment was removed for violating cleveland.com's community rules, which do not allow personal attacks.

Users are required to register with a valid e-mail address before posting at cleveland.com. Upon learning of the Ewinger issue Monday, an online editor looked up lawmiss's e-mail address, which like all others, is accessible through software used to post stories to the website.

"It does raise the question of the wisdom and fairness of the newspaper using the registration system of the website for reporting purposes," Steele said in a telephone interview.

The newspaper's decisions could have a chilling effect on conversation at cleveland.com, said Rebecca Jeschke of the Electronic Frontier Foundation, an online privacy rights group. "I would think twice before participating in a message board where I had to give my e-mail address knowing that management could access it at any time," Jeschke said. "It seems appropriate in this case, but ... it's hard not to imagine scenarios where it's abused."

Other news organizations already hide such information from their editorial staff, said Steve Yelvington, a strategist for Morris Digital Works, the online division of Morris Communications.
The company runs 13 daily newspapers in Florida, Georgia, Texas and other states. "We are careful to firewall our business records from our journalists," Yelvington said.

Regardless of where one comes down on the issue of Internet privacy (IMHO there ain't none), or how much should you trust anything on the inet (IMHO zero trust), and technology in general (IMHO we give boobs the equivalent of loaded guns and they are astonished when someone gets hurt), this was completely preventable.

Use a "disposable" e-mail account! Haven't these people ever heard of GMAIL? No invitation required now! You can even use multiple ones! Ask any "child" who wants to break free from Mom and Dad's supervision. That's without even getting "tricky" of using one of the "disposable" websites that create e-mail addresses that only work for a very limited time; perfect for "e-mail validation" requirements.

If Chinese bloggers can hide from their oppressive regime, then we can conclude that most of us who want "privacy" can figure out a way to do it. In this case, the technology-naive are getting a very expensive education in "technology".

And, this wasn't even the government seeking to find out who made a nasty comment. Wait till the Internet-using public says something the government doesn't like. Such as "taxes are too high", "the is inept, corrupt, or stupid", or quote Jefferson, Lysander Spooner, or Sam Adams. Then, the proctology exam will begin.

Replies will be considered at A953Dy7n1iLK360@gmail.com or ns9288E5T0JMvV5@yahoo.com or YCiR5V5J6I3WSYR@hotmail.com. (How long before these e-mail addresses get a Nigerian "offer" letter? For the totally clueless, these accounts are NOT real. Merely illustrations of the above point.)

[I hate to be an a-lawmiss-t (perhaps with a Boston accent?), but RISKS readers certainly realize by now that privacy risks in social computing are *huge*. PGN]

------------------------------

Date: Sat, 20 Mar 2010 16:51:57 -0400
From: Monty Solomon
Subject: In Bid to Sway Sales, Cameras Track Shoppers (Stephanie Rosenbloom)

The curvy mannequin piqued the interest of a couple of lanky teenage boys... A father emerged from a store dragging his unruly young son by the scruff...

These scenes may seem like random shopping bloopers, but they are meaningful to stores that are striving to engineer a better experience for the consumer, and ultimately, higher sales for themselves. Such clips, retailers say, can help them find solutions to problems in their stores - by installing seating and activity areas to mollify children, for instance, or by lowering shelves so merchandise is within easy reach.

Privacy advocates, though, are troubled by the array of video cameras, motion detectors and other sensors monitoring the nation's shopping aisles. ...

[Stephanie Rosenbloom, *The New York Times*, 19 Mar 2010; PGN-ed]
http://www.nytimes.com/2010/03/20/business/20surveillance.html

------------------------------

Date: Mon, 29 Mar 2010 13:42:31 -0700
From: Gene Wirchenko
Subject: TJX Culprits Sentenced

Albert Gonzalez, the hacker mastermind behind the TJX credit card scam, was sentenced to two concurrent 20-year stints in prison -- as his parents and sister silently wept.

[Source: Nancy Weil, Family weeps as TJX hacker gets 20 years in slammer, 29 Mar 2010]
http://www.itbusiness.ca/it/client/en/home/news.asp?id=56970

[Christopher Scott, who had collected credit- and debit-card numbers used by Gonzalez, was sentenced to seven years and one day, according to an item on 29 Mar 2010 by Kim Zetter in WiReD.com. The TJX saga has been ongoing for quite a while, and is well covered in previous RISKS and by what your favorite search engines can find. Too much to summarize here. PGN]

------------------------------

Date: Tue, 30 Mar 2010 17:34:07 -0400
From: Kevin Fu
Subject: USENIX Health Security and Privacy Workshop due 9 Apr 2010

[This item should be of particular interest to many RISKS readers. Perform an operation in the next week that creates two inspiring pages and send them in to HealthSec10. Be sure to reflect on what you have learned over the years of reading RISKS! PGN]

Call for Papers
1st USENIX Workshop on Health Security and Privacy (HealthSec '10)
Submissions deadline: April 9, 2010, 11:59 p.m. PDT
http://www.usenix.org/healthsec10/cfpb/

HealthSec '10 is intended as a forum for lively discussion of aggressively innovative and potentially disruptive ideas on all aspects of medical and health security and privacy. A fundamental goal of the workshop is to promote cross-disciplinary interactions between fields, including, but not limited to, technology, medicine, and policy. Surprising results and thought-provoking ideas will be strongly favored; complete papers with polished results in well-explored research areas are comparatively discouraged.

Given the goals for HealthSec '10, the submission requirements are modest: 2-page papers that clearly espouse a position and that will promote discussion. Position papers will be selected for their potential to stimulate or catalyze further research and explorations of new directions, as well as for their potential to spark productive discussions at the workshop.

Workshop topics are solicited in all areas relating to healthcare information security and privacy, including:

* Security and privacy models for healthcare information systems
* Industrial experiences in healthcare information systems
* Deployment of open systems for secure and private use of healthcare information technology
* Security and privacy threats against and countermeasures for existing and future medical devices
* Regulatory and policy issues of healthcare information systems
* Privacy of medical records
* Usability issues in healthcare information systems
* Threat models for healthcare information systems

For more details on the submission process, please see the complete Call for Papers at: http://www.usenix.org/healthsec10/cfpb/

We look forward to receiving your submissions!

Kevin Fu, University of Massachusetts Amherst
Tadayoshi Kohno, University of Washington
Avi Rubin, Johns Hopkins University
HealthSec '10 Program Chairs
healthsec10chairs@usenix.org

------------------------------

Date: Mon, 22 Mar 2010 13:33:36 +0200
From: Albert Levi
Subject: GameSec 2010: Conference on Decision and Game Theory for Security

GameSec 2010, the inaugural Conference on Decision and Game Theory for Security will take place on the campus of Technical University Berlin, Germany, on November 22-23, 2010, under the sponsorships of Deutsche Telekom Laboratories, Fraunhofer HHI and IEEE Control System Society. The paper submission deadline is May 15, 2010.

The GameSec conference aims to bring together researchers who aim to establish a theoretical foundation for making resource allocation decisions that balance available capabilities and perceived security risks in a principled manner. The conference focuses on analytical models based on game, information, communication, optimization, decision, and control theories that are applied to diverse security topics.
At the same time, the connection between theoretical models and real world security problems is emphasized to establish the important feedback loop between theory and practice. Observing the scarcity of venues for researchers who try to develop a deeper theoretical understanding of the underlying incentive and resource allocation issues in security, we believe that GameSec will fill an important void and serve as a distinguished forum of highest standards for years to come.

For more information, please visit http://www.gamesec-conf.org/

Albert Levi, Sabanci University, Faculty of Engineering and Natural Sciences, Orhanli, Tuzla TR-34956, Istanbul TURKEY +90 (216) 483 9563

------------------------------

Date: Thu, 29 May 2008 07:53:46 -0900
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
   Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request@csl.sri.com containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe@csl.sri.com or risks-unsubscribe@csl.sri.com depending on which action is to be taken.

   Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   The full info file may appear now and then in RISKS issues.
   *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact .

=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
   *** NOTE: Including the string "notsp" at the beginning or end of the subject
   *** line will be very helpful in separating real contributions from spam.
   *** This attention-string may change, so watch this space now and then.

=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
   or ftp://ftp.sri.com/VL/risks for previous VoLume
   redirects you to Lindsay Marshall's Newcastle archive
   http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r .

==> PGN's comprehensive historical Illustrative Risks summary of one liners: for browsing, or .ps for printing

==> Special Offer to Join ACM for readers of the ACM RISKS Forum:

------------------------------

End of RISKS-FORUM Digest 25.98
************************