precedence: bulk
Subject: Risks Digest 26.72

RISKS-LIST: Risks-Forum Digest  Sunday 12 February 2012  Volume 26 : Issue 72

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at as
The current issue can be found at

  Contents:
Programming error doomed Russian Mars probe (Lauren Weinstein)
... or maybe radiation, not programming, killed the Russian probe (LW)
The Research Works Act (PGN)
HGI scientists break satellite telephony security standards (Horst Goertz Inst)
PayPal STILL doesn't get it (Jim Garrison)
FBI to track social networks (Antony Savvas via Gene Wirchenko)
Twitter can now block tweets in specific countries (Stephen Lawson via GW)
Evidence of massive Iranian Internet blocking -- SSL, etc. (LW)
"Man-in-the-middle" corporate attack in the wild (Jim Ausman)
Symantec recommends disabling pcAnywhere (via Monty Solomon)
"Got remote access? Lock it down" (Robert Lemos via GW)
Aloha Privacy! - Hawaii bill would track all Web surfing in detail (via LW)
Privacy on the Barbie! - Australia considers unlimited communications data
  retention (via LW)
Lawyer sues ex-girlfriend over Google Search results (via LW)
Inside China's censorship machine (via LW)
Hackers take over Boston Police Department website; message cites handling
  of Occupy Boston protest (via Monty Solomon)
Risks: Conviction of Card Scam operators. How the Scam worked. (Len Spyker)
Would the US Extradite UK Blogger for Linking to Works in the Public Domain
  in Other Countries? (Dewayne Hendricks via Dave Farber's IP)
The Heartbreaking Truth About Online Dating Privacy (EFF)
Over 3 years later, "deleted" Facebook photos are still online (via LW)
Re: deducing causality (Richard O'Keefe)
Re: Pocket-dialed 911 calls increasingly common (Danny Burstein)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 7 Feb 2012 11:28:23 -0800
From: Lauren Weinstein
Subject: Programming error doomed Russian Mars probe

A report presented to Russian Deputy Prime Minister Dmitry Rogozin concludes
that the primary source of the failure of Russia's Phobos-Grunt Mars
spacecraft launched on 9 Nov 2011 was a programming error that "led to a
simultaneous reboot of two working channels of an onboard computer" that
prevented the probe from escaping earth orbit.

http://news.discovery.com/space/programming-error-doomed-mars-probe.html

------------------------------

Date: Tue, 7 Feb 2012 14:14:41 -0800
From: Lauren Weinstein
Subject: ... or maybe radiation, not programming, killed the Russian probe

http://www.newscientist.com/blogs/shortsharpscience/2012/02/space-radiation-killed-russian.html

------------------------------

Date: Fri, 27 Jan 2012 13:24:18 PST
From: "Peter G. Neumann"
Subject: The Research Works Act

This bill would make it illegal to require researchers to make their work
available publicly.

  [Does the Research Works Act work?  Probably not.  Do Research Works act?
  No, although this act might seem theatrical!  Does Research work?  Yes.
  Sometimes it can be very valuable, even if often ignored in development
  communities.  However, much past research is widely ignored.  On the
  other hand, the answer is No, if its existence is hidden or otherwise
  obscured!
  PGN]

> Date: Thu, 26 Jan 2012 17:21:43 -0500
> From: David Farber
> Subject: [IP] A small bill in the US, a giant impact for research worldwide
> http://theconversation.edu.au/a-small-bill-in-the-us-a-giant-impact-for-research-worldwide-4996

------------------------------

Date: 8 Feb 2012 17:45:13 +0100
From: Newsletter of the Horst Goertz Institute of IT Security in Bochum
Subject: HGI scientists break satellite telephony security standards

Satellite telephony was thought to be secure against eavesdropping.
Researchers at the Horst Goertz Institute for IT-Security (HGI) at the Ruhr
University Bochum have cracked the encryption algorithms of the European
Telecommunications Standards Institute (ETSI), which are used globally for
satellite telephones, and revealed significant weaknesses.  With simple
equipment, they found the crypto key which is needed to intercept telephone
conversations.  Using open-source software and building on their previous
research results, they were able to exploit the security weaknesses.

Telephoning via satellite

In some regions of the world standard cell phone communication is still not
available.  In war zones, developing countries and on the high seas,
satellite phones are used instead.  Here, the telephone is connected via
radio directly to a satellite.  This passes the incoming call to a station
on the ground.  From there, the call is fed into the public telephone
network.  So far this method, with the ETSI’s encryption algorithms A5-GMR-1
and A5-GMR-2, was considered secure.

Simple equipment -- fast decryption

For their project, the interdisciplinary group of researchers from the areas
of Embedded Security and System Security used commercially available
equipment, and randomly selected two widely used satellite phones.  A simple
firmware update was then loaded from the provider's website for each phone
and the encryption mechanism reconstructed.

Based on the analysis, the encryption of the GMR-1 standard demonstrated
similarities to the one used in GSM, the most common mobile phone system.
``Since the GSM cipher had already been cracked, we were able to adopt the
method and use it for our attack,'' explained Benedikt Driessen, of the
Chair for Embedded Security (Prof. Christof Paar).  To verify the results
in practice, the research group recorded their own satellite telephone
conversations and developed a new attack based on the analysis.  ``We were
surprised by the total lack of protection measures, which would have
complicated our work drastically'', said Carsten Willems of the Chair for
System Security at the RUB.

Invasion of privacy

Encryption algorithms are implemented to protect the privacy of the user.
``Our results show that the use of satellite phones harbours dangers and
the current encryption algorithms are not sufficient'', emphasized Ralf
Hund of the Chair for System Security (Prof. Thorsten Holz).  There is, as
yet, no alternative to the current standards.  Since users cannot rely on
their security against interception, similar to the security of standard
cell phones, they will have to wait for the development of new technologies
and standards, or make use of other means of communication for confidential
calls.

"We were able to completely reverse engineer the encryption algorithms
employed," said Benedikt Driessen and Ralf Hund of Ruhr University Bochum as
they announced their report, "Don't Trust Satellite Phones".

------------------------------

Date: Fri, 10 Feb 2012 10:41:07 -0800
From: Jim Garrison
Subject: PayPal STILL doesn't get it

Last week I received an e-mail from PayPal with the subject

  Your action is needed to continue using your PayPal account

and containing lines like

  Log in to agree to our Electronic Communications Delivery Policy
  ...
  an important NOTICE FROM PayPal: YOUR CONSENT IS REQUIRED
  LOGIN TO CONSENT [link]

Of course, this looks *exactly* like the millions of other phishing e-mails
that are this very moment flying across the Internet.  But this one looked
really well put together, unlike most others, so I took a look at the
source.  It's real.  All the links are legit, and when I logged in (by
typing in the PayPal URL, not clicking a link) there indeed was a notice of
updated terms.

As we all know, the e-mail should have contained no login links and should
have advised the recipient to login by entering the URL manually.  Somebody
at PayPal deserves a dope-slap.

I decided to submit it to PayPal's spoof-investigation address to point out
the error of their ways, and today received this:

  Our security team is working to identify if the e-mail you forwarded to
  us is a phishing e-mail.  We will get in touch shortly to let you know
  our findings.

I await their findings with interest :-)

------------------------------

Date: Fri, 27 Jan 2012 10:26:23 -0800
From: Gene Wirchenko
Subject: FBI to track social networks (Antony Savvas)

Antony Savvas, App would crawl Twitter and Facebook, *IT Business*, 27 Jan 2012

The US Federal Bureau of Investigation (FBI) is planning to develop an
application that can track the public's postings to Facebook, Twitter and
other social networks, in order to aid how it predicts and reacts to
criminal behaviour, including public disorder and terrorism. ...

http://www.itbusiness.ca/it/client/en/CDN/News.asp?id=65839

------------------------------

Date: Fri, 27 Jan 2012 10:24:29 -0800
From: Gene Wirchenko
Subject: "Twitter can now block tweets in specific countries"

Stephen Lawson, *IT Business*, 27 Jan 2012
http://www.itbusiness.ca/IT/client/en/CDN/News.asp?id=65840

The messages would be visible elsewhere in the world and the removal would
be clearly marked, Twitter said.

------------------------------

Date: Fri, 10 Feb 2012 09:53:05 -0800
From: Lauren Weinstein
Subject: Evidence of massive Iranian Internet blocking (SSL, etc.)

Evidence of massive Iranian Internet blocking -- SSL, etc.  [From NNSquad]

http://j.mp/wmu13o  (Google+)
http://j.mp/AaJ27E  (Google+)

------------------------------

Date: Feb 7, 2012 4:49 PM
From: "Jim Ausman"
Subject: "Man-in-the-middle" corporate attack in the wild

  (From Dave Farber's IP)

Trustwave, a Certificate Authority, issued a certificate that allowed the
owner to issue any valid certificate to facilitate man-in-the-middle attacks
on their employees.
http://www.h-online.com/security/news/item/Trustwave-issued-a-man-in-the-middle-certificate-1429982.html

They say that they used a special hardware container to ensure that this
could not be used for anything other than the intended purpose, but this
still indicates that a long-suspected weakness in the CA infrastructure is
being exploited to eavesdrop on traffic.
http://blog.spiderlabs.com/2012/02/clarifying-the-trustwave-ca-policy-update.html

EFF sent out an alert about the fact that Iran was doing this a few months
ago, but this is the first I have heard of a corporation doing it.
https://www.eff.org/deeplinks/2011/08/iranian-man-middle-attack-against-google

------------------------------

Date: Fri, 27 Jan 2012 09:00:15 -0500
From: Monty Solomon
Subject: Symantec recommends disabling pcAnywhere

Symantec pcAnywhere Security Recommendations

Introduction

Upon investigation of the claims made by Anonymous regarding source code
disclosure, Symantec believes that the disclosure was the result of a theft
of source code that occurred in 2006.  We believe that source code for the
2006-era versions of the following products was exposed: Norton Antivirus
Corporate Edition; Norton Internet Security; Norton SystemWorks (Norton
Utilities and Norton GoBack); and pcAnywhere.

With this incident pcAnywhere customers have increased risk.
Malicious users with access to the source code have an increased ability to
identify vulnerabilities and build new exploits.  Additionally, customers
that are not following general security best practices are susceptible to
man-in-the-middle attacks which can reveal authentication and session
information.  General security best practices include endpoint, network,
remote access, and physical security, as well as configuring pcAnywhere in
a way that minimizes potential risks.

At this time, Symantec recommends disabling the product until Symantec
releases a final set of software updates that resolve currently known
vulnerability risks.  For customers that require pcAnywhere for business
critical purposes, it is recommended that customers understand the current
risks, ensure pcAnywhere 12.5 is installed, apply all relevant patches as
they are released, and follow the general security best practices discussed
herein.

This document is designed to help customers understand the situation and to
provide remediation steps to maintain the protection of their devices and
information. ...

http://www.symantec.com/connect/sites/default/files/pcAnywhere%20Security%20Recommendations%20WP_01_23_Final.pdf

------------------------------

Date: Fri, 10 Feb 2012 15:05:10 -0800
From: Gene Wirchenko
Subject: "Got remote access? Lock it down" (Robert Lemos)

Robert Lemos, InfoWorld, 10 Feb 2012
http://www.infoworld.com/t/application-security/got-remote-access-lock-it-down-186194

Got remote access? Lock it down
Poorly configured remote-access software is to blame for the majority of
data breaches by hackers, according to security reports from Verizon and
Trustwave

opening text:

While the theft of source code for Symantec's pcAnywhere has put the
remote-access program in the spotlight, the security issues posed by remote
management products are not new.  In fact, data released over the last year
shows that poorly configured remote-access programs routinely account for a
significant portion of data breaches and network security incidents.
Remote-access software, for example, led to a stunning 62 percent of
breaches studied by security firm Trustwave in its recently released global
security report.

------------------------------

Date: Thu, 26 Jan 2012 09:49:06 -0800
From: Lauren Weinstein
Subject: Aloha Privacy! - Hawaii bill would track all Web surfing in detail

http://j.mp/wYfWgu  (CNET via NNSquad)

  Hawaii's legislature is weighing an unprecedented proposal to curb the
  privacy of Aloha State residents: requiring Internet providers to keep
  track of every Web site their customers visit.

------------------------------

Date: Thu, 26 Jan 2012 09:46:56 -0800
From: Lauren Weinstein
Subject: Privacy on the Barbie! - Australia considers unlimited
  communications data retention

http://j.mp/A5Opfx  (Slashdot via NNSquad)

  Australia would like to follow the EU down the 'European Directive on
  Data Retention' path.  Law enforcement agencies may have the option to
  request a log of all of a user of interest's telco usage without any
  review or time limits.

------------------------------

Date: Thu, 26 Jan 2012 10:24:16 -0800
From: Lauren Weinstein
Subject: Lawyer sues ex-girlfriend over Google Search results

http://j.mp/xhJiCo  (FOX via NNSquad)

  But in Matt's case, his "slanderer" isn't so anonymous.  In fact, Amanda
  Ryncarz, Matt's former girlfriend, fully admits posting on the site about
  their three-year relationship.  "I posted on liarscheatersrus.com," she
  said in a written statement, "because I wanted to warn other women in
  order to protect them from what I suffered."  Couloute is now suing
  Ryncarz for "tortious interference with prospective business relations."
  It's a case that could determine what people are and are not allowed to
  post on the Web.
------------------------------

Date: Sun, 29 Jan 2012 17:18:36 -0800
From: Lauren Weinstein
Subject: Inside China's censorship machine

http://j.mp/yILrSa  (Full Comment, via NNSquad)

  China's censorship system is complex and multilayered.  The outer layer
  is generally known as the "great firewall" of China, through which
  hundreds of thousands of websites are blocked from view on the Chinese
  Internet.  What this system means in practice is that when one goes
  online from an ordinary commercial Internet connection inside China and
  tries to visit a website such as hrw.org, the website belonging to Human
  Rights Watch, the web browser shows an error message saying, "This page
  cannot be found."  This blocking is easily accomplished because the
  global Internet connects to the Chinese Internet through only eight
  "gateways," which are easily "filtered."

------------------------------

Date: Sat, 4 Feb 2012 21:13:34 -0500
From: Monty Solomon
Subject: Hackers take over Boston Police Department website; message cites
  handling of Occupy Boston protest

http://www.boston.com/Boston/metrodesk/2012/02/hackers-take-over-boston-police-department-website/mKzINebAXJWcv7uBZKZB0K/index.html

------------------------------

Date: Sun, 5 Feb 2012 10:05:51 +0800
From: "Len Spyker"
Subject: Risks: Conviction of Card Scam operators.  How the Scam worked.

Hooray!  Two people running a card swipe scam mainly in Perth, Australia,
have been convicted of a $3.5 million dollar scam.  Over 400 people were
defrauded.
http://au.news.yahoo.com/thewest/a/-/breaking/12804738/man-found-guilty-of-mcdonalds-card-scam/

The expert witness for the DA and the lay jury bravely handled the attempt
by the highly technically savvy defence team to throw doubt on the
technical testimony.  A small group of Perth gurus, with backgrounds in
design of card reader hardware, software and security, aided the police
investigation and provided support for the DA's team.

This scam was achieved by substituting, at fast food drive-throughs,
modified handheld terminals of the same make that had previously been
stolen.  Yet how this substitution could be done without anyone noticing is
described later on.

The criminals applied a set of clever modifications INSIDE the terminal,
undetectable from the outside.  These bugged terminals were then handed
over to customers in cars at fast food drive-throughs throughout the Perth
area.  The modified terminals sent the customer's CARD swipe and PIN codes
by radio link to nearby cars staffed by yet-uncaught associates.  New cards
were created with this information and all the funds sucked out of many
accounts.

Caveat: some of the below is based on off-the-record rumours.

Security failures:

[1] There was no inside job: Sadly the drive-through sites themselves
provided the "Open Sesame" for these baddies quite by accident.  The card
terminals that were handed to the car had the spiral cable security clamps
REMOVED because of the habit of this brand of terminals to lock up, and
ONLY by unplugging would the terminal reset.  This fault occurred so often
that the under-pressure staff worked out a "solution" and just left the
cable's security clamp off!

Terminal swap-out technique: The crooks' car enters the drive-through as
normal.  They order, the staff hands over an (unclamped) terminal, and a
normal transaction occurs.  Then the modified terminal is substituted in
just a few seconds and handed back.  The clean terminal is then modified
and taken to a new store.  A nearly perfect Do While loop with one exit
case: "If Police" then break.

[2] So why was this swap not detected?  My guess is that there was software
in the card host controller which allowed new or different terminals to be
rapidly connected and re-activated without causing any alarms or requiring
a manual log-in.  Many possible reasons: code flaws, poor testing,
misguided directions from a client?  I do hope this may be made public one
day.

Do not treat this as a one-off down-under crime.  This crime is likely to be
part of a worldwide scam.  A smart techno-crook has noticed the physically
unprotected terminal cable and worked out how to get rich quick.

Notify the store, police or newspaper in your area if you see an unclamped
cable when you are handed a terminal in a drive-through.  If you can unplug
it, so can the crooks.

Len Spyker, Perth, Australia

------------------------------

Date: Mon, Feb 6, 2012 at 11:10 AM
From: Dewayne Hendricks
Subject: Would the US Extradite UK Blogger for Linking to Works in the
  Public Domain in Other Countries?

  [From Dave Farber's IP distribution.  PGN]

Would The US Extradite UK Blogger For Linking To Works In The Public Domain
In Other Countries?
from the insanity-of-today's-copyright-laws dept
http://www.techdirt.com/articles/20120201/00455517613/would-us-extradite-uk-blogger-linking-to-works-public-domain-other-countries.shtml

James Firth has an interesting post, talking about some of the more
ridiculous consequences of current US law enforcement interpretation of
copyright law.  Looking at the case of Richard O'Dwyer, the computer science
student that the US is getting closer to extraditing to the US to face
criminal copyright infringement charges for merely linking to infringing
works (something that had already been found legal in the UK multiple
times), Firth takes it to its logical ends.  He points out that George
Orwell's works, Animal Farm and 1984, have gone into the public domain in
South Africa, Canada or Australia.  And thus, there are completely legal
free copies of such works online.  But they're only legal in those
countries.  In the US and the UK, both remain under the yoke of copyright
thanks to copyright extensions.  This leads to a simple fear.  If he merely
pointed people to the location of these completely legal versions of the
work, he would now be just as "guilty" as Richard O'Dwyer under the
interpretation of the US Justice Department.
After all, he is using a .com domain (American property, according to the
stretched interpretation of the DOJ) to link to works that technically
infringe in both the UK -- where he is -- and the US, where the DOJ has
suddenly become the US entertainment industry's private police force. ...

------------------------------

Date: Feb 10, 2012 10:30 AM
From: "EFF Press"
Subject: The Heartbreaking Truth About Online Dating Privacy (EFF)

Electronic Frontier Foundation Media Release
For Immediate Release: Friday, February 10, 2012

The Heartbreaking Truth About Online Dating Privacy
Users Beware: Many Sites Have Serious Security Holes

San Francisco - Millions of people use Internet dating sites to search for
love and connection every day, but it could come at a big cost for their
privacy and security.  The Electronic Frontier Foundation (EFF) has found
that many services are taking shortcuts in safeguarding users' profiles and
other sensitive data.

In "Six Heartbreaking Truths About Online Dating Privacy," EFF identifies
serious security holes and counter-intuitive privacy settings that could
expose daters' private information.  For example, your dating profile –
including your photo – can hang around long after you think you've taken
yourself off the market.  Some sites are also sucking up the vast quantity
of data their users share and selling it to online marketers.  If you
aren't careful, your profile can also be indexed by Google, perhaps popping
up in search results if you have an unusual nickname or other unique ways
of describing yourself.

"Whether you signed up on a lark or maintained an active profile for years,
you may be exposing more information about yourself than you know," said
EFF Activism Director Rainey Reitman.  "There are a number of ways your
online dating profile can be connected to your real identity, exposing
things like religious and political beliefs, drug and alcohol use, and
sexual preferences.  That's why we created this list of the biggest risks,
and included some simple tips for online daters who want to protect
themselves."

As part of its campaign to raise awareness about the privacy and security
risks on popular online dating sites, EFF analyzed the security practices
of eight major sites.  Many of the most popular sites, like eHarmony and
Match.com, don't offer secure access through HTTPS by default, and OkCupid
doesn't provide HTTPS access at all.  That means every OkCupid username,
e-mail, chat session, search, and page viewed are all transmitted in
plaintext instead of in encrypted form.

"OkCupid says it can limit who sees your profile -- for example, users who
identify as gay or bisexual may opt out of being seen by straight people,"
said EFF Senior Staff Technologist Seth Schoen.  "But without HTTPS, the
fact that you identify as gay and don't want to be seen by some groups is
sent in plaintext, making it easy for someone with the right skills to
uncover it.  Major sites like Twitter and Facebook have implemented HTTPS
recently to protect their users.  But dating sites like OkCupid are sadly
lagging behind."

Six Heartbreaking Truths About Online Dating Privacy:
https://www.eff.org/deeplinks/2012/02/six-heartbreaking-truths-about-online-dating-privacy

Comparing Privacy and Security Practices on Online Dating Sites:
https://www.eff.org/deeplinks/2012/02/comparing-privacy-and-security-online-dating-sites

Find out more at https://www.eff.org.

Contacts:

Rainey Reitman
  Activist, Electronic Frontier Foundation
  rainey@eff.org
  +1 415 436-9333 x140

Seth Schoen
  Senior Staff Technologist, Electronic Frontier Foundation
  seth@eff.org
  +1 415 436-9333 x107

------------------------------

Date: Sun, 5 Feb 2012 16:46:35 -0800
From: Lauren Weinstein
Subject: Over 3 years later, "deleted" Facebook photos are still online

  [From nnsquad@nnsquad.org]

  "Facebook is still working on deleting photos from its servers in a
  timely manner nearly three years after Ars first brought attention to
  the topic.  The company admitted on Friday that its older systems for
  storing uploaded content "did not always delete images from content
  delivery networks in a reasonable period of time even though they were
  immediately removed from the site," but said it's currently finishing
  up a newer system that makes the process much quicker.  In the meantime,
  photos that users thought they "deleted" from the social network months
  or even years ago remain accessible via direct link."

http://j.mp/xMjyV9  (ars technica)

------------------------------

Date: Tue, 31 Jan 2012 15:43:39 +1300
From: "Richard O'Keefe"
Subject: Re: deducing causality (RISKS-26.71)

In RISKS-26.71, PGN drew our attention to a *WiReD* article by Jonah Lehrer.
I've read that article carefully, and have to say that it has some large
leaps of illogic.  A better title than 'Why Science is Failing Us' would
have been 'Trials and Errors: How Scientific Testing Prevented Millions of
People Being Killed'.

Let me offer a translation for programmers:

(1) Pfizer's scientific understanding of the cholesterol pathways was
    soundly based and their drug design rightly worth exploring.  The drug
    had the immediate effects on that system that they expected it to.
    A closely related drug with the *same* target (that is, based on the
    same science) looks as though it may work, with less bad.

(2) However, their understanding was *limited*.
    As is by now pretty well known, *most* drugs have multiple effects in
    many systems of the body.  Pfizer's scientists understood quite well
    that understanding what a drug will do to the cholesterol pathway is
    NOT the same as understanding what it will do in a whole person.

(3) The thing that makes scientific drug development science is TESTING.
    As Risks readers will surely understand, when the test phase said
    "OOPS!", that was NOT science failing, that was science working
    brilliantly.  If the *drug* fails the test, that means the *test* did
    NOT fail.

There are obvious lessons for programmers here.  They are not the lessons
("causality is hallucination", "science is failing us") that Jonah Lehrer
learned.  The lesson is that the real world is always more complicated than
our models of it (otherwise there wouldn't be any point in _having_
models); that there are always unexpected interactions in complex systems;
and that there is no substitute for testing in the best approximation to
the real world that you can get; and that failed tests count as successes
of the testing process.

It is *better* that Pfizer should lose $21e9 in value on the questionably
real stock market than that millions of people should die from an untested
drug.  Anyone who expects (program or drug or bridge or highway or ...)
designs to work without testing and without unexpected consequences must
have slept through the entire 20th century.

------------------------------

Date: Thu, 26 Jan 2012 22:02:01 -0500 (EST)
From: Danny Burstein
Subject: Re: Pocket-dialed 911 calls increasingly common (Brader, RISKS-26.71)

Risks-Forum Digest, Volume 26 : Issue 71, had the following (excerpted):

  From: msb@vex.net (Mark Brader)
  Subject: Pocket-dialed 911 calls increasingly common

  [snip... regarding "butt dialing" of 911 calls]

  Police are now campaigning to ask cellphone users to "lock it before you
  pocket", but some smartphones can dial 911 even when the phone is locked.

--------

For some value of "smartphones", and for that matter, "dumbphones",
approaching pretty close to 100 percent.

* A likely contributor to this problem is that a hefty percentage of
cellphones will _also_ accept calls to "112", the GSM international
standard for emergency calls.  (There's another one as well which isn't as
common, but many phones will accept that one, too.)

And, per FCC (US) and similar rules in Canada, cell phones, even without a
service plan, must be allowed to connect to the "911" call receiving
centers (PSAPs).  If you take, for example, a T-Mobile (USA) or Rogers
(Canada) cellphone and remove the SIM card, you can still make calls to
"911".

And... if you punch in "112", the phone will contact the network, which
will then handle it as if you dialed "911".  Given the physical layout of
keypads, I'd guess that "112" is probably the path for a hefty number of
these calls.

------------------------------

Date: Mon, 6 Jun 2011 20:01:16 -0900
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request@csl.sri.com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe@csl.sri.com or risks-unsubscribe@csl.sri.com
 depending on which action is to be taken.  Subscription and
 unsubscription requests require that you reply to a confirmation message
 sent to the subscribing mail address.  Instructions are included in the
 confirmation message.  Each issue of RISKS that you receive contains
 information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.  The full info file may appear now and
 then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact .
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
   or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
 Lindsay has also added to the Newcastle catless site a palmtop version
 of the most recent RISKS issue and a WAP version that works for many but
 not all telephones: http://catless.ncl.ac.uk/w/r .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   for browsing, or .ps for printing is no longer maintained up-to-date
   except for recent election problems.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:

------------------------------

End of RISKS-FORUM Digest 26.72
************************