[RISKS] Risks Digest 26.36

From: RISKS List Owner <risko_at_nospam>
Date: Sat Mar 05 2011 - 22:15:07 GMT
To: risks-resend@csl.sri.com

RISKS-LIST: Risks-Forum Digest Saturday 5 March 2011 Volume 26 : Issue 36

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/26.36.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Swiss Officials Order Citizens to Wear Masks in Public -- Ban Tourists
  Posting Photos on Web (Lauren Weinstein)
An Outbreak Of Out Of Order Moles Whac-a-moles (Hans Polzer)
Matt Blaze: "Shaking Down Science" (PGN)
Raining on cloud computing: Gmail outage (Mark Thorson)
500,000 Gmail accounts go offline, some users lose all their data
  (David Farber)
Restoration of Gmail accounts from tape almost completed (Lauren Weinstein)
Mac OS X backdoor Trojan, now in beta? (Chester Wisniewski via Monty Solomon)
Risks in health records (DKross)
NY Assembly candidate's law shoots him in the foot (Celeste Katz)
SSD Erasure Unreliable (Gene Wirchenko)
"Can You Frisk a Hard Drive?" (David K. Shipler)
Facebook To Share Users' Home Addresses, Phone Numbers With External Sites
  (Huffington Post)
Vulnerable social networking platforms (jidanni)
Re: Kill Switch, Anyone? (Jonathan Kamens)
Re: Tree octopus exposes Internet illiteracy (Daniel A Graifer)
Susan Landau: Surveillance or Security? (PGN)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 24 Feb 2011 14:04:22 -0800
From: Lauren Weinstein
Subject: Swiss Officials Order Citizens to Wear Masks in Public --
   Ban Tourists Posting Photos on Web

BERNE (ZAP) -- In a bold move to demonstrate that the Swiss government is as
serious about privacy for its citizens as it has historically been regarding
the protection of illicit foreign assets in Swiss bank accounts, the head of
the newly created Switzerland Federal Department of Facial Anonymity,
Nicolas J. Biellmann, today issued a preliminary order requiring that all
Swiss citizens wear "full head coverage" masks at all times when outside
their homes or places of business within the borders of Switzerland.

This groundbreaking move, being enthusiastically supported by radical
pro-privacy groups in Switzerland and around the world, comes on the heels
of previous Swiss orders that search giant Google must obscure every single
human face -- even if this must be done manually -- that appears in their
"Street View" images, or else potentially terminate Street View services for
Switzerland ( http://j.mp/gj2V68 [Lauren's Blog] ).

"Upon due reflection," said Biellmann, "we realized that Google Street View
was only the tip of the iceberg. After all, Street View imagery is usually
only updated after months or even years. But there are lots of other people
out there taking photos of Swiss faces every day -- whom we must protect our
citizens against as well."

The "mask order" comes in conjunction with other new regulations banning
tourists in Switzerland from posting to the Internet any photos of Swiss
citizens, even taken in public places and gatherings. Under this new law,
any such photos that are subsequently posted to the Web, will bring about
swift action by Swiss authorities. This may involve Web site shutdown
orders, extradition of the tourist photographers back to Switzerland if they
have already left the country, and in extreme cases the so-called Swiss
"doomsday" option -- the remote and permanent shutdown of any and all cuckoo
clocks associated with the photos' perpetrators.

At a press conference in downtown Berne today, reporters were provided with
examples of the government-approved masks that would be required under the
new order [editors, see photo DS0393-A3 - http://j.mp/fUrVNf (Lauren's
Blog)]. Officials noted that approved masks would be available in a wide
range of styles, and would include characteristics of popular Swiss folk
heroes, characters from major films, and even a wide range of cute animals.

In answer to a reporter's question, Biellmann explained that approved masks
would be constructed from special materials that are essentially transparent
to government real-time surveillance closed-circuit television (CCTV)
cameras. "We want to assure everyone that the government will still be able
to track your every move via our CCTV systems. Our goal here is simply to
make sure that firms like Google, and individual tourists, are blocked from
citizen photography. You can be confident that law enforcement and other
aspects of the government will have full access to your actual faces at all
times, everywhere you go in public. Your ugliness will not be seen by
anyone else," said Biellmann.

After a brief comment period, the new masking and anti-tourist photography
regulations are expected to become law on April 1, 2011.

              http://lauren.vortex.com/archive/000818.html
 - - -

Update (February 25, 2011): Yes, except for the part about Switzerland
demanding that Google obscure every single Swiss face in Street View -- even
if it has to be done manually -- the rest of the story described in this
posting is of course a satire. But you already knew that.

Lauren Weinstein (lauren_at_vortex.com): http://www.vortex.com/lauren
People For Internet Responsibility: http://www.pfir.org
Network Neutrality Squad: http://www.nnsquad.org
http://lauren.vortex.com Tel: +1 (818) 225-2800

------------------------------

Date: Mon, 28 Feb 2011 12:59:47 PST
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: An Outbreak Of Out Of Order Moles Whac-a-moles (Hans Polzer)

  [From Hans Polzer via Will Tracz (Editor of the ACM SIGSOFT Software
  Engineering Notes, and General Chair ACM SIGSOFT 2012 - FSE 20
    http://www.sigsoft.org/fse20; +1 607 741-2666). PGN]

An Outbreak of Out-of-Order Moles [OoOoOMs!]

What happens when your Whac-A-Moles stop popping up? Well, the game gets
slapped with an out of order sign and no longer generates any revenue...it
just takes up space. So when an unusual outbreak of Whac-A-Mole
malfunctions forced amusement park operators to start making service
requests, did anyone think much of it? Well, yes, and no.
  http://www.cfmediaview.com/lp1.aspx?v=13_11270447_688_5
  http://www.todaysfacilitymanager.com/facilityblog/2011/02/friday-funny-an-outbreak-of-out-of-order-moles.html

------------------------------

Date: Mon, 28 Feb 2011 12:59:47 PST
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Matt Blaze: "Shaking Down Science"

  Some time in January, the IEEE apparently quietly revised its copyright
  policy to explicitly forbid us authors from sharing the "final" versions
  of our papers on the web, now reserving that privilege to themselves
  (available to all comers, for the right price).

http://www.crypto.com/blog/copywrongs

  [This item by Matt is very important for you all to read. I am inclined
  to openly include Matt's entire text here, but it is even more important
  for RISKS readers to go to the source and see how this item fits in to the
  rest of what Matt has available. Organizations such as ACM and IEEE are
  clearly having difficulties adapting to the non-print world of the
  Internet. But preventing authors who believe in the importance of
  openness in research from distributing their own publications is a
  horrendous step backwards. PGN]

------------------------------

Date: Mon, 28 Feb 2011 14:02:47 -0800
From: Mark Thorson <eee@sonic.net>
Subject: Raining on cloud computing: Gmail outage

Yesterday, Google wiped out the e-mail for an unknown number of users.
Early estimates were as high as 150,000, but later estimates have pared
that down to a number still in the tens of thousands.

http://news.yahoo.com/s/ap/20110228/ap_on_hi_te/us_tec_google_e_mail_problem_3

Google predicts being able to restore all accounts by the end of today
(2/28).

http://news.yahoo.com/s/afp/20110228/tc_afp/usitcompanyinternetgmailgoogle_20110228205419

I've been skeptical about the whole concept of cloud computing since I first
heard about it. You're taking your most important stuff -- your data and
applications -- and placing it out of your control in the cloud. How many
more incidents like this will it take to completely discredit cloud
computing? When will cloud computing have its Hindenburg disaster?

------------------------------

Date: Mon, 28 Feb 2011 10:30:15 -0500
From: David Farber <dave@farber.net>
Subject: 500,000 Gmail accounts go offline, some users lose all their data

Geek.com:
http://www.geek.com/articles/geek-pick/500000-gmail-accounts-go-offline-some-users-lose-all-their-data-20110228/

------------------------------

Date: Tue, 1 Mar 2011 13:11:50 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: Restoration of Gmail accounts from tape almost completed

A number of people have asked me about this incident, especially the "how
could multiple copies of data be damaged/lost?" question.

While I wouldn't assert that this example is strictly relevant in this
particular case, RAID may provide a useful example.

I've been warning folks for years that even the higher levels of RAID
(Redundant Array of Independent Disks) protection do not necessarily
mean that data won't be lost, especially when those disks all share
a single controller.

If the controller in such a situation fails in a particularly nasty
way, it could potentially corrupt enough of the data across the entire
array of RAID disks to cause unrecoverable data loss.

Even when your redundant data is stored at different locations, it is
possible for failure (in this case, likely a software-related problem) to
cause data loss or corruption that may not be detected until it has been
copied across to other replicated versions of the files. Even if you kept
multiple copies of an e-mail index, it's possible to have failure modes
where problems in one copy spread to the other copies prior to detection.

That's why having completely isolated backups -- such as tape in Google's
case -- makes excellent sense.

And for those of you attempting to use this case as an argument against
cloud computing, I would simply note that only a relatively small number of
Google's users were affected, it appears that their data will be
successfully recovered, and when most people's home or business PC disks
fail, they probably haven't been backed up at all. Technical term for that:
S.O.L.

http://j.mp/hN0gYu (Official Gmail Blog)

Lauren Weinstein (lauren_at_vortex.com): http://www.vortex.com/lauren
People For Internet Responsibility: http://www.pfir.org
Network Neutrality Squad: http://www.nnsquad.org +1 (818) 225-2800
PRIVACY Forum: http://www.vortex.com

------------------------------

Date: Mon, 28 Feb 2011 09:19:53 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Mac OS X backdoor Trojan, now in beta? (Chester Wisniewski)

Chester Wisniewski. *Sophos*, 26 Feb 2011

It appears there is a new backdoor Trojan in town and it targets users of
Mac OS X. As even the malware itself admits, it is not yet finished, but it
could be indicative of more underground programmers taking note of Apple's
increasing market share.

SophosLabs analyzed the sample we received and determined that it is a
variant of a well-known Remote Access Trojan (RAT) for Windows known as
darkComet. The author of the Trojan refers to it as the 'BlackHole RAT', as
you can see from the screenshots, but Sophos calls it OSX/MusMinim-A, or
'MusMinim' for short.

The name 'Black Hole' is already used by a legitimate application which
actually aims to increase security on your Mac by helping you get rid of
potentially sensitive information such as recently-used file lists, data
left in the clipboard, and more.

MusMinim is very basic and there appears to be a mix of German and English
in the user interface. Its functions include:

* Placing text files on the desktop
* Sending a restart, shutdown or sleep command
* Running arbitrary shell commands
* Placing a full screen window with a message that only allows you to
click reboot
* Sending URLs to the client to open a website
* Popping up a fake "Administrator Password" window to phish the target...

http://nakedsecurity.sophos.com/2011/02/26/mac-os-x-backdoor-trojan-now-in-beta/

------------------------------

Date: Mon, 28 Feb 2011 14:48:53 PST
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Risks in health records

  [Thanks to dkross]

http://online.wsj.com/article/SB10001424052748703312904576146371931841968.html?mod=WSJ_0_0_WP_2715_RIGHTTopCarousel_1

"... What's more, some health-care experts say the number of errors could
jump in coming years. That's because the 2009 economic-stimulus legislation
included $19 billion in spending to encourage the use of electronic health
records—a major source of billing mistakes, says Ross Koppel, a sociology
professor at University of Pennsylvania's Center for Clinical Epidemiology
and Biostatistics who has studied electronic records extensively. The
U.S. Department of Health and Human Services estimates that 80% of hospitals
will use electronic records by 2014, up from 16% now.

... But those bills are sometimes inaccurate—often as a result of
electronic billing snafus. Among their benefits, electronic records can
reduce the risk of duplicate testing by enabling doctors to track patients'
care. David Blumenthal, national coordinator for electronic health records
at the U.S. Department of Health and Human Services, says the technology
helps prevent potentially fatal errors such as prescribing medication that a
patient is allergic to. Electronic health records will "improve care for
patients and bring about greater cost-effectiveness in our health sector,"
he says...."

------------------------------

Date: Wed, 23 Feb 2011 16:12:21 PST
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: NY Assembly candidate's law shoots him in the foot (Celeste Katz)

Celeste Katz,
Dem Frank Skartados doomed by vague election law crafted by his own lawyer,
*New York Daily News*, 21 Feb 2011
  http://www.nydailynews.com/authors/Celeste%20Katz

Assembly Speaker Sheldon Silver's former adviser wrote the state law that
may have cost him his powerful, veto-proof, Democratic supermajority.
Democrat Frank Skartados was forced to concede the seat for the 100th
Assembly District last week when he was a mere 15 votes behind. In his
heart of hearts, he believes he won.

But in a double whammy of irony, Skartados was seemingly doomed by a vague
election law that was crafted by his own lawyer, Kathleen O'Keefe, while she
worked as Silver's chief election counsel. O'Keefe's strict interpretation
of her own law walled off one of Skartados' last hopes of fighting for the
seat. "I couldn't do anything with the way the law was written," said
Skartados, who conceded to Republican Tom Kirwan after one of the most
drawn-out contests in state history. "But I feel that justice was not served
because the voices of everyone were silenced by the courts."

A Brooklyn appeals court ruled unanimously in favor of Kirwan when it tossed
out about 60 contested affidavit ballots. That left Skartados just 15 votes
behind. In New York City, Board of Elections rules automatically require a
hand inspection of the paper trail from voting machines in any election
where the margin is 0.5% or less. State election law doesn't - and in races
as close as the one for this Hudson Valley seat, it could make all the
difference. "New York law offers very little guidance as to when a full
recount is required," elections law expert Jerry Goldfeder said. "The law
needs to be clarified."

http://www.nydailynews.com/ny_local/2011/02/21/2011-02-21_oops_when_not_all_votes_really_count.html#ixzz1EeWe9CI3
http://www.nydailynews.com/ny_local/2011/02/21/2011-02-21_oops_when_not_all_votes_really_count.html#ixzz1EeSlVZzj

------------------------------

Date: Tue, 22 Feb 2011 12:48:24 -0800
From: Gene Wirchenko <genew@ocis.net>
Subject: SSD Erasure Unreliable

InfoWorld Home / InfoWorld Tech Watch
Woody Leonhard, *InfoWorld*, 22 Feb 2011
http://www.infoworld.com/t/solid-state-drives/flash-based-solid-state-drives-nearly-impossible-erase-263

Flash-based solid-state drives nearly impossible to erase
Think you got rid of that confidential information on your SSD?
The results of a new study will come as a rude awakening

selected text:

Researchers from the University of California at San Diego delivered a paper
at the FAST-11 Conference in San Jose, Calif., last week that shows it's
almost impossible to reliably erase data from a solid state drive.

The tome, "Reliably Erasing Data from Flash-Based Solid State Drives" (PDF),
goes through all of the known techniques for erasing data and comes up short
in every case. The study's method is straightforward: They put repeating
data on an SSD or USB drive, tried using various erasing techniques, took
the SSD or USB drive apart, and pulled raw data off the chips. If any of the
original data remained, erasing didn't work.

The culprit? SSD's so-called Flash Translation Layer, a firmware interface
that makes an SSD appear to the PC like a big fat, uh, FAT device. Operating
systems want to work with file allocation tables and clusters. SSDs have to
deal with the vagaries of Flash media, which are quite different from
rotating magnetic layers. For example, SSD blocks have to be erased before
they can be written, and erasing takes a lot of time. FTL figures out how to
erase unused blocks of memory when the SSD isn't doing anything else. SSD
devices wear out faster if the same blocks are written and rewritten, so FTL
balances the write load across all of the available memory.

You might imagine with all of these delayed erases running around and blocks
of data being intentionally scattered to remote corners, there's some
potential for error. Ends up, there's more than just a potential.

  Perhaps some day we'll see the recommendations applied to an SSD
  device. In the meantime, the only sure way to erase the data on an SSD or
  USB drive requires a very large hammer.

 - - -

  [PGN adds: Lauren Weinstein commented in his various distributions on
  this quote:

     "Our results show that naively applying techniques designed for
      sanitizing hard drives on SSDs, such as overwriting and using
      built-in secure erase commands is unreliable and sometimes
      results in all the data remaining intact. Furthermore, our
      results also show that sanitizing single files on an SSD is much
      more difficult than on a traditional hard drive."

  With the rise of SSD memory as a replacement for traditional hard disks,
  the security and privacy aspects of this situation seem quite noteworthy,
  to say the least. You can bet that those parties (legit or not) who wish
  to extract data from laptops, iPads, smartphones, or other SSD-based
  devices will already be ahead of the curve. Ya' think you really deleted
  that cleartext before sending out the encrypted version? You sure you
  actually deleted that company confidential material (or that porn!) before
  you head back through U.S. Customs? Lauren]
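
Added example (not part of the original digest, the InfoWorld article or the UCSD paper): a toy Python model of the Flash Translation Layer behaviour described above, showing why a host-level overwrite of a file leaves the old pages readable on the raw chips. The class ToyFTL, its page and block sizes and its garbage-collection policy are assumptions made for illustration, not any real drive's firmware.

```python
"""Toy FTL: out-of-place writes plus lazy block erase (constructed model)."""

PAGES_PER_BLOCK = 4   # assumed geometry; flash is erased a whole block at a time
ERASED = None         # marker for a page that holds no data


class ToyFTL:
    def __init__(self, logical_pages=8, physical_blocks=4):
        n = physical_blocks * PAGES_PER_BLOCK
        if n <= logical_pages:
            raise ValueError("need spare physical pages (over-provisioning)")
        self.logical_pages = logical_pages
        self.flash = [ERASED] * n   # raw chip contents, what a chip reader sees
        self.valid = [False] * n    # True if a logical page still maps here
        self.l2p = {}               # logical page number -> physical page
        self.cursor = 0             # round-robin allocation spreads wear

    def _find_erased(self):
        n = len(self.flash)
        for i in range(n):
            p = (self.cursor + i) % n
            if self.flash[p] is ERASED:
                self.cursor = (p + 1) % n
                return p
        return None

    def _garbage_collect(self):
        # Simplification: only blocks with no live pages are erased;
        # a real FTL would also relocate live pages to free up blocks.
        for b in range(len(self.flash) // PAGES_PER_BLOCK):
            pages = range(b * PAGES_PER_BLOCK, (b + 1) * PAGES_PER_BLOCK)
            if not any(self.valid[p] for p in pages):
                for p in pages:
                    self.flash[p] = ERASED

    def write(self, lpn, data):
        if not 0 <= lpn < self.logical_pages:
            raise IndexError(lpn)
        p = self._find_erased()
        if p is None:               # erase is deferred until space runs out
            self._garbage_collect()
            p = self._find_erased()
        if p is None:
            raise RuntimeError("no reclaimable block in this toy model")
        self.flash[p] = data        # the new copy goes to a fresh page
        old = self.l2p.get(lpn)
        if old is not None:
            self.valid[old] = False  # old copy is only unlinked, not erased
        self.l2p[lpn] = p
        self.valid[p] = True

    def read(self, lpn):
        """What the operating system sees through the block interface."""
        p = self.l2p.get(lpn)
        return None if p is None else self.flash[p]

    def raw_pages(self):
        """What is physically on the chips, mapped or not."""
        return [d for d in self.flash if d is not ERASED]


def host_overwrite(ftl, lpns, passes=1, fill=b"\x00" * 8):
    """Hard-disk style sanitization: rewrite the file's logical pages."""
    for _ in range(passes):
        for lpn in lpns:
            ftl.write(lpn, fill)


def residue(ftl, marker):
    """Count raw flash pages that still contain the marker bytes."""
    return sum(1 for d in ftl.raw_pages() if marker in d)


def demo():
    ftl = ToyFTL()
    file_lpns = [0, 1, 2, 3]
    for lpn in file_lpns:                        # constructed sample data
        ftl.write(lpn, b"SECRET-%d" % lpn)
    host_overwrite(ftl, file_lpns, passes=1)
    host_view = [ftl.read(lpn) for lpn in file_lpns]
    after_one = residue(ftl, b"SECRET")
    host_overwrite(ftl, file_lpns, passes=2)
    after_three = residue(ftl, b"SECRET")
    host_overwrite(ftl, file_lpns, passes=1)     # spare pages are now used up
    after_four = residue(ftl, b"SECRET")
    return host_view, after_one, after_three, after_four


if __name__ == "__main__":
    print(demo())
```

In this model the host reads back zeros after the first pass while all four original pages are still on the chips; they disappear only when the spare pages run out and garbage collection finally erases the stale block. How many writes that takes depends on spare capacity and firmware policy, neither of which the host can observe through the block interface.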

------------------------------

Date: Sun, 20 Feb 2011 20:12:09 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: "Can You Frisk a Hard Drive?" (David K. Shipler)

David K. Shipler, Can You Frisk a Hard Drive? *The New York Times*,
19 Feb 2011 http://j.mp/geIRBa

My comments:

Anyone who travels internationally with a laptop containing anything
significant beyond the bare necessities for accessing cloud-based data under
password and/or other security controls, is unfortunately simply asking for
trouble.

This holds especially true for the vast majority of travelers -- who have
done nothing wrong -- but may still have their devices' (laptops,
smartphones, etc.) data copied and searched in detail without a warrant or
any indication that they are criminals, terrorists, or even overdue library
book villains.

A laptop similar to Google's CR-48 and a good SSH program (e.g. in a Java
applet), can be an enormous help in this regard.

In the long run, a more formal approach, as I outlined in:

"Urgent Call for Privacy-Enhanced Mobile Data Storage and
Self-Destruct Mechanisms" - http://j.mp/gE1jUF (Lauren's Blog)
would seem useful at least for consideration.

Lauren Weinstein (lauren_at_vortex.com) http://www.vortex.com/lauren
People For Internet Responsibility: http://www.pfir.org +1 (818) 225-2800
Network Neutrality Squad: http://www.nnsquad.org

------------------------------

Date: Tue, 1 Mar 2011 05:29:39 -0500
From: David Farber <dave@farber.net>
Subject: Facebook To Share Users' Home Addresses, Phone Numbers With
 External Sites

http://www.huffingtonpost.com/2011/02/28/facebook-home-addresses-phone-numbers_n_829459.html

------------------------------

Date: Tue, 01 Mar 2011 09:40:40 +0800
From: jidanni@jidanni.org
Subject: Vulnerable social networking platforms

http://socialnetworksecurity.org/en/vulnerable-websites.php
01 facebook.com 600,000,000
02 vk.com 135,000,000
03 bebo.com 130,000,000
04 badoo.com 110,000,000
05 netlog.com 74,000,000...

This website was launched with the goal to publish security related
vulnerabilities found on any social networking platform. In the past the
authors of this website have found lots of security related issues on well
known social networking platform and tried to contact the responsible owners
to provide detailed information on the found issues. During this we got
really frustrated because often there is no secur[e] e-mail available on the
social networking platform which means that we had to try to contact the
website providers via their "normal" help desk or ticketing system. This had
the consequence that in most case we got no answer or it took weeks till we
got any answers. When you initially contacted the vendors and asked for a
public PGP key or s/mime so that we can send the information encrypted, we
often got an answer saying that they don't use PGP or s/mime in their
company and that we should provide them the information via clear-text email
protocol. Some of them even asked us what is a PGP key or even worse - they
sent us their private PGP key (for their luck without the needed password).

------------------------------

Date: Tue, 22 Feb 2011 10:04:02 -0500
From: Jonathan Kamens <jik@kamens.us>
Subject: Re: Kill Switch, Anyone? (Wirchenko, RISKS-26.35)

I think it's actually pretty clear how mooo.com came to be seized along with
other child porn domains. There must have been trafficking happening on some
of the subdomains created by users underneath mooo.com, and the people
assembling the list of domains to seize categorized the entire second-level
domain, rather than the individual subdomains within it, as a trafficking
domain.

This is not a terribly surprising error. I would imagine that the percentage
of Internet .com domains where subdomains are owned and completely
controlled by different people than the second-level domain is minuscule,
and the community that utilizes such domains tends to be somewhat
self-contained and not familiar to people who aren't part of it.

Perhaps I'm wrong, but I don't think FreeDNS is particularly mainstream.

Note: I'm not trying to excuse the error; I'm just trying to explain how it
happened.

  [Note: Simplistic overreactions sometimes lead to simplistic
  over-and-under-overreactions:

    Mark Rockwell, Bill explicitly prohibits Internet shut down
    http://www.gsnmagazine.com/node/22491?c=cyber_security

    In hopes of dispelling fears of a federal "Internet kill switch," Senate
    homeland security and financial management leaders introduced a
    cybersecurity reform bill that would explicitly prohibit the President
    from shutting down the Internet.

  PGN]

------------------------------

Date: Mon, 21 Feb 2011 09:36:56 -0500
From: Daniel A Graifer
Subject: Re: Tree octopus exposes Internet illiteracy (RISKS-26.35)

My minimal legal knowledge is that courts have never accepted photographic
evidence as incontrovertible. They have always required the testimony of
the person who took the photo along with it -- i.e., testify that he/she
took the photo at the place and time alleged, and didn't alter it.

------------------------------

Date: Wed, 23 Feb 2011 17:14:37 PST
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Susan Landau: Surveillance or Security?

Susan Landau
Surveillance or Security?
  The Risks Posed by New Wiretapping Technologies
MIT Press, 2011

This is an absolutely mandatory source book for everyone interested in the
would-be conflicts represented between and within each side of the "or" in
the title. It is truly remarkable, incisive, important, timely, superbly
researched, and copiously footnoted for those who want to dig even deeper.

Please read it. Of course, as RISKS readers are well aware, at the moment
we seem to have surveillance without security, and without sufficient
controls. However, the challenges of achieving adequate security *and*
legitimate surveillance *and* meaningful privacy (however you might wish to
define them) may be eternally unreachable -- especially in the absence of
security.

Here's a quote from Jonathan Zittrain from the back jacket of the book:

  ``Susan Landau has taken an exceptionally complex but vital subject and
  presented it in a clear and compelling way. The ability of a citizen to
  securely communicate with her peers lies at the heart of the rule of law.
  Landau demonstrates the necessity of protecting that right amidst the
  technological changes that can greatly alter the balance of power between
  citizens and governments.''

------------------------------

Date: Thu, 29 May 2008 07:53:46 -0900
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you. The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request@csl.sri.com
 containing only the one-word text subscribe or unsubscribe. You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe@csl.sri.com or risks-unsubscribe@csl.sri.com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address. Instructions
 are included in the confirmation message. Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall@newcastle.ac.uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.36
************************