Subject: Risks Digest 24.44 - msg#00004

Previous Message by Date:

Risks Digest 24.43

RISKS-LIST: Risks-Forum Digest Thurs 21 September 2006 Volume 24 : Issue 43 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/24.43.html> The current issue can be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: Air Traffic Controllers Chafe at Plan to Cut Staff (PGN) Should you wear a helmut while bicycling? (Jerry Leichter) Cost of online banking typo put on consumer (Kjetil Torgrim Homme) Risks of reprogrammable ATMs (Mark Brader) Segway software gives hard landing (PGN) Yet Another Power Outage (Mike Swaim) Careful with that Fedex account number (Matt Wilbur) Hotel minibar keys open Diebold voting machines (Ed Felten via PGN) Cuyahoga County Primary Election Report (David Lesher) Re: Avi Rubin's latest report as an election judge (Kurt Fredriksson) SSN-as-ID under scrutiny - again (Peter B. Ladkin) New way to break into cars (Gerrit Muller) Thieves sabotage telecom infrastructure (Gerrit Muller) Cops say teen concocted radio calls (S Hutto) Regarding High-tech Product Sabotage (Phil Singer) REVIEW: "Computer Security Basics", Lehtinen/Russell/Gangemi (Rob Slade) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Wed, 20 Sep 2006 11:18:07 PDT From: "Peter G. Neumann" <neumann@xxxxxxxxxxx> Subject: Air Traffic Controllers Chafe at Plan to Cut Staff A drive by the Federal Aviation Administration to cut the number of air traffic controllers nationally by 10 percent below negotiated levels, and even more sharply at places like the busy radar center here, is producing tension, anger and occasional shows of defiance among controllers. One of the new changes may have safety implications: ending of contractual protection against being kept working on a controller's radar screen for more than two hours without a break. Having just one controller on duty is also problematic [as noted in the recent wrong-runway episode in Lexington KY (RISKS-24.41)]. [Source: Matthew L. Wald, *The New York Times*, 20 Sep 2006; PGN-ed, TNX to Lauren Weinstein] http://www.nytimes.com/2006/09/20/washington/20control.html ------------------------------ Date: Sat, 16 Sep 2006 19:35:18 -0400 From: Jerry Leichter <jerroldleichter@xxxxxxx> Subject: Should you wear a helmut while bicycling? We've had previous discussion in RISKS of the unexpected side-effects that can result when human beings respond to safety measures by changing their behavior, taking on risks that previously were too great to feel acceptable. http://www.eurekalert.org/pub_releases/2006-09/uob-wah091106.php is a news release about some research in this area. Dr. Ian Walker spend a great deal of time bicycling around the UK on a bicycle with equipment that measured how close drivers of different kinds of vehicles came to him when passing. Half the time, he wore a helmet; half the time, he didn't. Result: Drivers approached closer (and average of 8.5 cm) when he was wearing a helmet. Walker's hypothesis is that drivers see bicyclists wearing helmets as more experienced and competent, hence not in need of consideration. In other interesting results, when Walker wore a wig so that he looked like a woman, he was given significantly more room. He also confirmed a feeling all bicyclist have: Yes, indeed, trucks and buses do approach bicycles more closely (average of 19 cm for trucks and 23 cm for buses) than cars do. As Walker points out, helmets definitely do protect a rider in low-speed falls. How much they help in collisions with vehicles is harder to say - and if wearing a helmet makes a collision more likely, the net effect is difficult to predict. (Walker was hit twice, once by a bus and once by a truck, during his experiments. He was wearing a helmet both times.) ------------------------------ Date: Tue, 19 Sep 2006 10:25:40 +0200 From: Kjetil Torgrim Homme <kjetilho@xxxxxxxxxx> Subject: Cost of online banking typo put on consumer Grete Fossbakk wanted to transfer NOK 500,000 (USD 76400) to her daughter using her online bank account, but entered a digit too many in the account number field. The bank software stripped it silently and transferred the money to a third party. Unfortunately, the recipient immediately withdrew the bounty and started to gamble it away. Meanwhile, the daughter was on vacation, so the mishap wasn't discovered until three weeks had passed. The matter was reported to the police, and they were able to reclaim NOK 100,000 in cash in the man's apartment. Ms Fossbakk has launched a civil claim against the man for the remainder of the money, but since he lives off social security, the chances of getting it back are slim. The bank, Sparebank1 Nord-Norge, claims that if you type the wrong number, you have the bear the consequences yourself. The Norwegian bank industry's board of complaints (Bankklagenemnda) will hopefully decide in the case in time for Christmas. The Minister for Consumer Affairs, Karita Bekkemellem, has stated this is an important issue, and will consider to propose new legislation if the banks don't accept responsibility. Articles in Norwegian: http://www.dn.no/privatokonomi/article875204.ece http://www.dn.no/forsiden/politikkSamfunn/article876885.ece [Also noted by Tore A. Klock. PGN] ------------------------------ Date: Thu, 14 Sep 2006 23:18:36 -0400 (EDT) From: msb@xxxxxxx (Mark Brader) Subject: Risks of reprogrammable ATMs Surveillance footage on a gas station ATM shows a man swiping an ATM card, punching in a series of numbers, and breaking the machine's security code. He apparently reprogrammed the ATM to disburse $20 bills while recording the transaction as a $5 debit. He then apparently used a prepaid debit card. The shortfall was not noticed until nine days later, when a customer reported receiving four times what was requested. [PGN-ed] http://apnews.myway.com/article/20060913/D8K496CO4.html ------------------------------ Date: Fri, 15 Sep 2006 8:59:18 PDT From: "Peter G. Neumann" <neumann@xxxxxxxxxxx> Subject: Segway software gives hard landing [Source: Linda Rosencrance, Software glitch prompts Segway recall; Six injuries reported when transporter unexpectedly reverses direction *Computerworld*, 14 Sep 2006, PGN-ed; TNX to Nelson H. F. Beebe, U Utah.] http://cwflyris.computerworld.com/t/854524/419952/33869/2/ Segway Inc. is recalling all of its 23,500 Segway Personal Transporters because of a software problem that can cause the wheels of the device to unexpectedly reverse direction and cause a rider to fall. Consumers should stop using the device immediately and contact the company for a free software upgrade, according to the U.S. Consumer Product Safety Commission, which is working with Segway on the recall. Bedford, N.H.-based Segway said no hardware changes are required. A commission spokesman said Segway received reports of six incidents that involved facial and wrist injuries. One user required facial surgery and another was hospitalized overnight. Others suffered broken teeth, he said. "A condition has been identified in which the Segway PT can unexpectedly reverse the direction of the wheels, which can cause a rider to fall," the company said today. "This can occur when the PT's Speed Limiter tilts back the machine to slow it down and the rider goes off and then back onto the PT within a short period of time." The voluntary recall applies to all Segway PTs sold to date, including all Segway PT i Series, e Series, p Series, XT, GT and i2 models. The Segway x2, due for release later this month, is not affected by the recall. All new shipments of the I2 are being shipped with the new software release, the company said in the statement. [This was also noted by Howard Israel and Jeremy Epstein.] ------------------------------ Date: Wed, 6 Sep 2006 12:27:41 -0500 From: "Mike Swaim" <mswaim@xxxxxxxxxxxxx> Subject: Yet Another Power Outage Here's yet another power outage story that features a failure mode that I don't think has been mentioned yet. Back around 2000 or so, when I was at Enron, we lost power to most of the production database servers used for gas and power trading. Only the servers were affected, and the power outage wasn't caused by the failure of anything electronic. The raised floor under the power director feeding the servers collapsed. When the director sensed the sudden motion, it immediately shut off, taking all of the servers with it. After a couple of hours it was jacked back into a level position, and turned back on, bringing everything else back to life. That weekend the floor was repaired. Mike Swaim swaim@xxxxxxxxxx MD Anderson Dept. of Biostatistics & Applied Mathematics mpswaim@xxxxxxxxxxxxxx or mswaim@xxxxxxxxxxxxx at work ------------------------------ Date: Wed, 20 Sep 2006 10:45:49 -0700 From: Matt Wilbur <matt@xxxxxxx> Subject: Careful with that Fedex account number Sending packages with Fedex is now easier than ever, thanks to the fedex.com website. Unfortunately, it's too easy. In most cases, if you know a company's account number, you can send whatever you like using the site, assuming you have a pulse, a browser, and access to the Internet. We recently had an angry ex-employee use our account number to send multiple small dollar amount packages all over the place. The dollar value was too low for the authorities, and it was really just a nuisance. Our "Fedex person" called Fedex to stop this, and customer service told her the only way was to change our account number. This would be painful, so we sent him letters telling him to stop. It didn't. We called Fedex again, this time asking for security, using words/phrases like "fraud," "theft," and "you will have to pay when we reverse the charges." We didn't get anyone from Security, but they did begin to listen. After being bounced around at fedex, we learned the following: * Unless you take specific action (enable and configure Shipping Administration for your account within Ship Manager on the website), anyone on the planet can create a fedex.com account, associate it with your account number, and ship whatever, wherever they way, third party included. * there is no way, even with shipping administrator, within fedex.com, to view the logins associated with your account. We had to call and insist on a list - for "security" reasons they could not email or otherwise send us a list, but were able to tell us logins, names, last login, and email of active accounts. After setting up Shipping Administration, we verified that this ex-employee (or anyone else we don't approve) can no longer set up a new login and associate it with our account. After about an hour on the phone, we were able to get his login deleted (and learn all of this additional information about their system). Risks? For Fedex? Not defaulting to a more secure configuration (like, want to use fedex on the web? First sign-in associated with that fedex account must set up "Shipping Administrator" to prevent unauthorized use). Building an application with all the shipping capabilities imaginable available, and very little for the account holder to manage access and security. Not having a security contact or phone number listed, or accessible by calling in to customer service. Money lost to fraud by abuse of this system. For the Fedex user? Giving your fedex account number to third parties who may ship things to you, unless you know and trust them, and trust their handling of your account number. Not watching your bills closely. Signing up and using for a service that, when you think about it, is far too easy to use to have any built-in safety. ------------------------------ Date: Thu, 21 Sep 2006 9:47:01 PDT From: "Peter G. Neumann" <neumann@xxxxxxxxxxx> Subject: Hotel minibar keys open Diebold voting machines The access panel door on a Diebold AccuVote-TS voting machine --- the door that protects the memory card that stores the votes, and is the main barrier to the injection of a virus --- can be opened with a standard key that is widely available on the Internet. ... we did a live demo for our Princeton Computer Science colleagues of the vote-stealing software described in our paper and video. Afterward, Chris Tengi, a technical staff member, asked to look at the key that came with the voting machine. He noticed an alphanumeric code printed on the key, and remarked that he had a key at home with the same code on it. The next day he brought in his key and sure enough it opened the voting machine. See Ed Felten's blog: http://www.freedom-to-tinker.com/?p=1064 ------------------------------ Date: Sun, 17 Sep 2006 17:01:11 -0400 (EDT) From: "David Lesher" <wb8foz@xxxxxxxxx> Subject: Cuyahoga County Primary Election Report Cuyahoga County [which includes Cleveland] had a major meltdown in their May 2006 primary election. A Review Panel [comprised of a local judge, the head of the Ohio Lottery, an academic, with local law students as staff] issued a report on the event, and what needs to be fixed. <http://www.votingintegrity.org/pdf/cerp_rpt06.pdf> While Diebold DRE machines are deeply embedded in the debacle, the report is not about the problems with machine's security [as Ed Felten's is] as much as the issues of acquiring, configuring and deploying them. The Road To Hell is paved with good intentions, and this report has asphalt enough to go around. It's an example of how you can you can make any problem too hard to handle if only there is enough money & patronage floating around... RISK readers can easily identify all the Usual Suspects; you could almost duplicate it with cut and paste from say, DIVAD/Sergeant York, Virtual Case File, and oh the Second Ave subway project escapades. Cuyahoga County Board of Elections says they were told they were buying, from the sole source vendor, "seamless integration" between the registered voter database and ballot creation processes; while the vendor was seemingly wearing hooded white robes. [Diebold bought the West Coast voter database company but it was still a separate operation who {oops} wanted to be paid extra for their added work; work allegedly never mentioned by the corporate salesman who sold the "seamless" package to the BoE.] The BoE didn't even have the authority to spend the money they thought was "theirs" and thus never asked the County Commissioners. It also touches on the very real issue of poll workers/election day staff. Elections are transient events, and many of the polling places are likely to be staffed by people not just with little or no computer experience; but often computerphobia. Add training problems and you have a disaster brewing. There are VERY few Avi Rubin's working at polling places; and outside of Silicon Valley, I bet do no more than start Word. I wonder how many RISK readers do so? I'm almost tempted to say there should be Election Day Duty al-la Jury Duty. For now, employers could show their support by encouraging both senior staff & IT support to volunteer. Both would get a valuable reminder in Real World 101. The only good aspect is the Ohio Legislature required honest-to-gosh paper as the ballot of record. While that makes jammed printers important, it means there is something to recount when, not if, things go wrong... ------------------------------ Date: Wed, 13 Sep 2006 23:50:08 +0200 From: "Kurt Fredriksson" <kurt.fredriksson@xxxxxxxx> Subject: Re: Avi Rubin's latest report as an election judge I'm a Swede and is a bit puzzled about the eletronic voting that seems to become so popular in the US. As we are going to have a general election this sunday (sept 17), I can't help making a comparison. The precinct Avi was reporting from had over 1000 voters. The precinct I am going to use this sunday has around 1200 voters of which around 1000 usually show up. Thus quite similar in size. Avi had 12 machines and 16 judges, opening hours 0700 - 2200, long queues. We have no machines (old fashion paper ballots) and 3 + 3 layman officials, opening hours 0800 - 2000, no queues. After 2000 (8 pm) the votes for the the Swedish Parliament are handcounted at the precinct in the presence of all interested. That takes about one hour. These results are then telephoned to the central authority. All votes are then recounted a couple of days later, to get the official result. This recount is also performed in the presence of all interested. All votes are kept in sealed and secured boxes during transport. What are the advantages with electronic voting? Reading Avi's blog makes one wonder. ------------------------------ Date: Tue, 12 Sep 2006 08:08:11 +0200 From: "Peter B. Ladkin" <ladkin@xxxxxxxxxxxxxxxxxxxx> Subject: SSN-as-ID under scrutiny - again The insecure method of trying to use a verbal report of a U.S. Social Security Number (SSN) as personal identification is coming under wider scrutiny because of the brouhaha about the Hewlett-Packard board. The Chairman apparently ordered an investigation into who was giving privileged information to news media, and the investigators hired pretexters to obtain phone records of board members. Pretexters are people who use "social engineering" skills to impersonate a third person while communicating with a service provider, in order to obtain information about the services provided to that person. In this case, the pretexters wanted to obtain the telephone-call records of HP board members. The International Herald Tribune recounts the practice at http://www.iht.com/articles/2006/09/11/business/hpspy.php in a story from the New York Times by Matt Richtel and Miguel Helft. One investigator who helps auto-repossession agencies demonstrated: "In most cases [the investigator] said, he already had the Social Security number from the lien holder. But if necessary, he could find it in commercial databases. To demonstrate, he asked a reported his full name and state of residence, and read him back his Social Security number within seconds." [op.cit.] Among companies who have adapted belatedly to this reality are Verizon, who apparently stopped using SSN as "a chief way to establish [a customer's] identity" last year. Among those who have not yet adapted are AT&T, which "[continues] to accept Social Security numbers as a central means of identification." The article discusses the legality of pretexting, which may already be generally illegal in many jurisdictions and is so for particular goals such as obtaining financial records, and efforts to make it more explicitly illegal. The legality of pretexting is obviously a different issue from the insecurity of authentication through SSN, just as the legality of thievery is a different issue from whether I lock my front door when I leave the house. It has been known for years, and not just to RISKS readers, just how dysfunctional the practice is of trying to authenticate people through basic information such as residential address and SSN. Perhaps it persists because the perpetrators (service companies) are not the sufferers (their customers). There is, however, a general legal notion of "due diligence", whereby if a company uses a method which is known to be ineffective, it can be held responsible for deleterious consequences, as having not exercise due diligence. So, when it becomes sufficiently "well known" that divulging SSN is ineffective as authentication, practice could change. The HP story might help to tip the scales. Peter B. Ladkin, Causalis Limited and University of Bielefeld www.causalis.com www.rvs.uni-bielefeld.de ------------------------------ Date: Tue, 12 Sep 2006 10:08:55 +0200 From: Gerrit Muller <gerrit.muller@xxxxxxxxxxxxxxxxxx> Subject: New way to break into cars Dutch media report on a new way thieves are using to break into cars with electronic locks, see for instance: http://www.rtvnoord.nl/nieuws/index.asp?actie=totaalbericht&pid=60184 In Stadskanaal, in the North of the Netherlands, at least 30 cars have been illegally opened without any trace or damage. Thieves appear mostly to look for car documents. The police don't have any clue how the cars have been opened. One of the possibilities being looked into is the existence of some new electronic device acting as a passkey. If such an electronic passkey would exist, then we see the next phase in the (electronic) security rat-race. Gaudi systems architecting <http://www.gaudisite.nl/> ------------------------------ Date: Tue, 12 Sep 2006 10:02:29 +0200 From: Gerrit Muller <gerrit.muller@xxxxxxxxxxxxxxxxxx> Subject: Thieves sabotage telecom infrastructure Several Dutch media report the sabotage of telecom infrastructure at a business park in Blerick, near Venlo, in the South of the Netherlands, e.g., http://www.telegraaf.nl/binnenland/49777581/KPN_heeft_handenvol_aan_gesaboteerde_kastjes.html In Blerick the cabinets of KPN (Dutch Telecom provider) were broken down. Apparently the inflictors wanted to eliminate the security of businesses at the park. They succeeded and stole for 100k's Euro's from DHL, the courier company. The same attempt was made at the business park in Herkenbosch, another small town in the South. However an attempt to break in at an attraction park here didn't succeed, because the alarm was still functional. This example again illustrates the often invisible dependencies of modern interlinked systems. Many modern security services depend on public infrastructure. How many of them have these single points of vulnerability? ------------------------------ Date: Mon, 11 Sep 2006 22:01:31 -0600 From: "S Hutto" <shuttoj@xxxxxxxxx> Subject: Cops say teen concocted radio calls Westword, a Denver area weekly, has published a long article on the teen who was arrested for impersonating an officer on local police radio bands in 2001. According to the article, he had been routinely communicating on police bands for about three months, requesting licence plate checks and once reporting a fake hit-and-run accident. He was found guilty and sentenced to six months in the Division of Youth Corrections and two years' probation. The article provides some mundane technical details on the incident. RISKS readers may be interested in the somewhat dramatized events and motivations that drove the teen to impersonate a law enforcement officer. In 2006, he was arrested and charged with impersonating an EMT and theft by receiving. The article will be available for some amount of time here: http://www.westword.com/Issues/2006-08-31/news/feature.html ------------------------------ Date: Wed, 06 Sep 2006 20:17:39 -0400 From: Phil Singer <psinger1@xxxxxxxxxxxxx> Subject: Regarding High-tech Product Sabotage (Mellor, RISKS-24.41) During the early 1980's the place I worked at had a Honeywell-compatible version of the venerable IBM 1401. It came in several models (I don't remember the model numbers - call them Model A for the lowest end up to Model D for the top end). We found out the hard way that the only difference between them was one resistor - take it out and a Model A was as fast as a Model D (but leased for tens of thousands less). Our field engineer did not like to waste time, so he always disconnected the resistor when he did his P.M. In fact he hated wasting time so much that he never bothered to reconnect it. On one periodic maintenance day, he was on vacation and a somewhat more conscientious engineer took his place. The resistor was replaced. The director wanted to know why everything slowed down. When he found out, he immediately terminated the lease. [This is indeed an old phenomenon. Long ago, during my Bell Labs days, I requested an upgrade for a telephone modem, which was made by snipping a single wire with a disproportionate increase in the monthly rental. PGN] ------------------------------ Date: Mon, 18 Sep 2006 11:57:20 -0800 From: Rob Slade <rmslade@xxxxxxx> Subject: REVIEW: "Computer Security Basics", Lehtinen/Russell/Gangemi BKCMPSEC.RVW 20060819 "Computer Security Basics", Rick Lehtinen/Deborah Russell/G. T. Gangemi Sr., 2006, 0-596-00669-1, U$39.99/C$51.99 %A Rick Lehtinen %A Deborah Russell %A G. T. Gangemi Sr. %C 103 Morris St., Suite A, Sebastopol, CA 95472-9902 %D 2006 %G 0-596-00669-1 %I O'Reilly and Associates, Inc. %O U$39.99/C$51.99 %O http://www.amazon.com/exec/obidos/ASIN/0596006691/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0596006691/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0596006691/robsladesin03-20 %O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation) %P 296 p. %T "Computer Security Basics, Second Edition" I've been waiting a long time for an updated version of this classic. "Computer Security Basics" was a pretty accurate name for the first edition. The book was an overview of many aspects that go into the security of computers and data systems. While not exhaustive, it provided a starting point from which to pursue specific topics that required more detailed study. Such is no longer the case. Part one looks at security for today. Chapter one starts with 9/11, then talks about various infosec groups, and only then gets to an introduction of what security is, and how to evaluate potential loopholes. The definition points out the useful difference between the problems of confidentiality and availability, and now adds integrity. The distinction between threats, vulnerabilities and countermeasures is helpful, but may fail to resolve certain issues. Ironically, in view of the title of this section, chapter two gives some historical background to the development of modern data security. Part two deals with computer security itself. Chapter three looks at access control, but is somewhat unstructured. Malware and viruses receive the all-too-usual mix of advice and inaccuracies in chapter four. Policy is supposed to be the topic of chapter five, but most of the text is concerned with matters of operations. Internet and Web technologies, and a few network attacks, are listed in chapter six. The prior inclusion of network topics is rather funny, since part three delves into communications security. Chapter seven turns first to encryption, which could be presumed to have applications in more than communications, although it is important in that field. The material on encryption is quite scattered and disorganized, and the explanation of asymmetric systems is probably more confusing than helpful. A lot about networks, a list of network security components, and not much that is useful makes up chapter eight. Part four turns to other types of security. Chapter nine takes a confused look at physical security, and includes biometrics: as with encryption and communications, the topic that could be related to physical security, but might more properly be dealt with elsewhere. Chapter ten reviews wireless LANs, mentioning threats, but only tersely listing security measures, with no detail for use or implementation. The original version of the book was a good starting point for beginners who had to deal with computer security at a basic level. This second edition is a tremendous disappointment: Lehtinen has done a disservice not only to Russell and Gangemi, but also to those relying on this foundational guide. The tone of the first edition may have been too pompous, but the contents were informed by the primary concerns for information security. This update has introduced random new technical trivia, muddied the structure and flow, and reduced the value of the reference overall. copyright Robert M. Slade, 1993, 2002, 2006 BKCMPSEC.RVW 20060819 rslade@xxxxxxxxx slade@xxxxxxxxxxxxxx rslade@xxxxxxxxxxxxxxxxx http://victoria.tc.ca/techrev/rms.htm ------------------------------ Date: 2 Oct 2005 (LAST-MODIFIED) From: RISKS-request@xxxxxxxxxxx Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman web interface can be used directly to subscribe and unsubscribe: http://lists.csl.sri.com/mailman/listinfo/risks Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request@xxxxxxxxxxx containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe@xxxxxxxxxxx or risks-unsubscribe@xxxxxxxxxxx depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc. => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html> The full info file may appear now and then in RISKS issues. *** Contributors are assumed to have read the full info file for guidelines. => .UK users should contact <Lindsay.Marshall@xxxxxxxxxxxxxxx>. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail! => SUBMISSIONS: to risks@xxxxxxxxxxx with meaningful SUBJECT: line. *** NOTE: Including the string "notsp" at the beginning or end of the subject *** line will be very helpful in separating real contributions from spam. *** This attention-string may change, so watch this space now and then. => ARCHIVES: ftp://ftp.sri.com/risks [subdirectory i for earlier volume i] <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue. Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r <http://the.wiretapped.net/security/info/textfiles/risks-digest/> . ==> PGN's comprehensive historical Illustrative Risks summary of one liners: <http://www.csl.sri.com/illustrative.html> for browsing, <http://www.csl.sri.com/illustrative.pdf> or .ps for printing ------------------------------ End of RISKS-FORUM Digest 24.43 ************************

Previous Message by Thread:

Risks Digest 24.43

RISKS-LIST: Risks-Forum Digest Thurs 21 September 2006 Volume 24 : Issue 43 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/24.43.html> The current issue can be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: Air Traffic Controllers Chafe at Plan to Cut Staff (PGN) Should you wear a helmut while bicycling? (Jerry Leichter) Cost of online banking typo put on consumer (Kjetil Torgrim Homme) Risks of reprogrammable ATMs (Mark Brader) Segway software gives hard landing (PGN) Yet Another Power Outage (Mike Swaim) Careful with that Fedex account number (Matt Wilbur) Hotel minibar keys open Diebold voting machines (Ed Felten via PGN) Cuyahoga County Primary Election Report (David Lesher) Re: Avi Rubin's latest report as an election judge (Kurt Fredriksson) SSN-as-ID under scrutiny - again (Peter B. Ladkin) New way to break into cars (Gerrit Muller) Thieves sabotage telecom infrastructure (Gerrit Muller) Cops say teen concocted radio calls (S Hutto) Regarding High-tech Product Sabotage (Phil Singer) REVIEW: "Computer Security Basics", Lehtinen/Russell/Gangemi (Rob Slade) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Wed, 20 Sep 2006 11:18:07 PDT From: "Peter G. Neumann" <neumann@xxxxxxxxxxx> Subject: Air Traffic Controllers Chafe at Plan to Cut Staff A drive by the Federal Aviation Administration to cut the number of air traffic controllers nationally by 10 percent below negotiated levels, and even more sharply at places like the busy radar center here, is producing tension, anger and occasional shows of defiance among controllers. One of the new changes may have safety implications: ending of contractual protection against being kept working on a controller's radar screen for more than two hours without a break. Having just one controller on duty is also problematic [as noted in the recent wrong-runway episode in Lexington KY (RISKS-24.41)]. [Source: Matthew L. Wald, *The New York Times*, 20 Sep 2006; PGN-ed, TNX to Lauren Weinstein] http://www.nytimes.com/2006/09/20/washington/20control.html ------------------------------ Date: Sat, 16 Sep 2006 19:35:18 -0400 From: Jerry Leichter <jerroldleichter@xxxxxxx> Subject: Should you wear a helmut while bicycling? We've had previous discussion in RISKS of the unexpected side-effects that can result when human beings respond to safety measures by changing their behavior, taking on risks that previously were too great to feel acceptable. http://www.eurekalert.org/pub_releases/2006-09/uob-wah091106.php is a news release about some research in this area. Dr. Ian Walker spend a great deal of time bicycling around the UK on a bicycle with equipment that measured how close drivers of different kinds of vehicles came to him when passing. Half the time, he wore a helmet; half the time, he didn't. Result: Drivers approached closer (and average of 8.5 cm) when he was wearing a helmet. Walker's hypothesis is that drivers see bicyclists wearing helmets as more experienced and competent, hence not in need of consideration. In other interesting results, when Walker wore a wig so that he looked like a woman, he was given significantly more room. He also confirmed a feeling all bicyclist have: Yes, indeed, trucks and buses do approach bicycles more closely (average of 19 cm for trucks and 23 cm for buses) than cars do. As Walker points out, helmets definitely do protect a rider in low-speed falls. How much they help in collisions with vehicles is harder to say - and if wearing a helmet makes a collision more likely, the net effect is difficult to predict. (Walker was hit twice, once by a bus and once by a truck, during his experiments. He was wearing a helmet both times.) ------------------------------ Date: Tue, 19 Sep 2006 10:25:40 +0200 From: Kjetil Torgrim Homme <kjetilho@xxxxxxxxxx> Subject: Cost of online banking typo put on consumer Grete Fossbakk wanted to transfer NOK 500,000 (USD 76400) to her daughter using her online bank account, but entered a digit too many in the account number field. The bank software stripped it silently and transferred the money to a third party. Unfortunately, the recipient immediately withdrew the bounty and started to gamble it away. Meanwhile, the daughter was on vacation, so the mishap wasn't discovered until three weeks had passed. The matter was reported to the police, and they were able to reclaim NOK 100,000 in cash in the man's apartment. Ms Fossbakk has launched a civil claim against the man for the remainder of the money, but since he lives off social security, the chances of getting it back are slim. The bank, Sparebank1 Nord-Norge, claims that if you type the wrong number, you have the bear the consequences yourself. The Norwegian bank industry's board of complaints (Bankklagenemnda) will hopefully decide in the case in time for Christmas. The Minister for Consumer Affairs, Karita Bekkemellem, has stated this is an important issue, and will consider to propose new legislation if the banks don't accept responsibility. Articles in Norwegian: http://www.dn.no/privatokonomi/article875204.ece http://www.dn.no/forsiden/politikkSamfunn/article876885.ece [Also noted by Tore A. Klock. PGN] ------------------------------ Date: Thu, 14 Sep 2006 23:18:36 -0400 (EDT) From: msb@xxxxxxx (Mark Brader) Subject: Risks of reprogrammable ATMs Surveillance footage on a gas station ATM shows a man swiping an ATM card, punching in a series of numbers, and breaking the machine's security code. He apparently reprogrammed the ATM to disburse $20 bills while recording the transaction as a $5 debit. He then apparently used a prepaid debit card. The shortfall was not noticed until nine days later, when a customer reported receiving four times what was requested. [PGN-ed] http://apnews.myway.com/article/20060913/D8K496CO4.html ------------------------------ Date: Fri, 15 Sep 2006 8:59:18 PDT From: "Peter G. Neumann" <neumann@xxxxxxxxxxx> Subject: Segway software gives hard landing [Source: Linda Rosencrance, Software glitch prompts Segway recall; Six injuries reported when transporter unexpectedly reverses direction *Computerworld*, 14 Sep 2006, PGN-ed; TNX to Nelson H. F. Beebe, U Utah.] http://cwflyris.computerworld.com/t/854524/419952/33869/2/ Segway Inc. is recalling all of its 23,500 Segway Personal Transporters because of a software problem that can cause the wheels of the device to unexpectedly reverse direction and cause a rider to fall. Consumers should stop using the device immediately and contact the company for a free software upgrade, according to the U.S. Consumer Product Safety Commission, which is working with Segway on the recall. Bedford, N.H.-based Segway said no hardware changes are required. A commission spokesman said Segway received reports of six incidents that involved facial and wrist injuries. One user required facial surgery and another was hospitalized overnight. Others suffered broken teeth, he said. "A condition has been identified in which the Segway PT can unexpectedly reverse the direction of the wheels, which can cause a rider to fall," the company said today. "This can occur when the PT's Speed Limiter tilts back the machine to slow it down and the rider goes off and then back onto the PT within a short period of time." The voluntary recall applies to all Segway PTs sold to date, including all Segway PT i Series, e Series, p Series, XT, GT and i2 models. The Segway x2, due for release later this month, is not affected by the recall. All new shipments of the I2 are being shipped with the new software release, the company said in the statement. [This was also noted by Howard Israel and Jeremy Epstein.] ------------------------------ Date: Wed, 6 Sep 2006 12:27:41 -0500 From: "Mike Swaim" <mswaim@xxxxxxxxxxxxx> Subject: Yet Another Power Outage Here's yet another power outage story that features a failure mode that I don't think has been mentioned yet. Back around 2000 or so, when I was at Enron, we lost power to most of the production database servers used for gas and power trading. Only the servers were affected, and the power outage wasn't caused by the failure of anything electronic. The raised floor under the power director feeding the servers collapsed. When the director sensed the sudden motion, it immediately shut off, taking all of the servers with it. After a couple of hours it was jacked back into a level position, and turned back on, bringing everything else back to life. That weekend the floor was repaired. Mike Swaim swaim@xxxxxxxxxx MD Anderson Dept. of Biostatistics & Applied Mathematics mpswaim@xxxxxxxxxxxxxx or mswaim@xxxxxxxxxxxxx at work ------------------------------ Date: Wed, 20 Sep 2006 10:45:49 -0700 From: Matt Wilbur <matt@xxxxxxx> Subject: Careful with that Fedex account number Sending packages with Fedex is now easier than ever, thanks to the fedex.com website. Unfortunately, it's too easy. In most cases, if you know a company's account number, you can send whatever you like using the site, assuming you have a pulse, a browser, and access to the Internet. We recently had an angry ex-employee use our account number to send multiple small dollar amount packages all over the place. The dollar value was too low for the authorities, and it was really just a nuisance. Our "Fedex person" called Fedex to stop this, and customer service told her the only way was to change our account number. This would be painful, so we sent him letters telling him to stop. It didn't. We called Fedex again, this time asking for security, using words/phrases like "fraud," "theft," and "you will have to pay when we reverse the charges." We didn't get anyone from Security, but they did begin to listen. After being bounced around at fedex, we learned the following: * Unless you take specific action (enable and configure Shipping Administration for your account within Ship Manager on the website), anyone on the planet can create a fedex.com account, associate it with your account number, and ship whatever, wherever they way, third party included. * there is no way, even with shipping administrator, within fedex.com, to view the logins associated with your account. We had to call and insist on a list - for "security" reasons they could not email or otherwise send us a list, but were able to tell us logins, names, last login, and email of active accounts. After setting up Shipping Administration, we verified that this ex-employee (or anyone else we don't approve) can no longer set up a new login and associate it with our account. After about an hour on the phone, we were able to get his login deleted (and learn all of this additional information about their system). Risks? For Fedex? Not defaulting to a more secure configuration (like, want to use fedex on the web? First sign-in associated with that fedex account must set up "Shipping Administrator" to prevent unauthorized use). Building an application with all the shipping capabilities imaginable available, and very little for the account holder to manage access and security. Not having a security contact or phone number listed, or accessible by calling in to customer service. Money lost to fraud by abuse of this system. For the Fedex user? Giving your fedex account number to third parties who may ship things to you, unless you know and trust them, and trust their handling of your account number. Not watching your bills closely. Signing up and using for a service that, when you think about it, is far too easy to use to have any built-in safety. ------------------------------ Date: Thu, 21 Sep 2006 9:47:01 PDT From: "Peter G. Neumann" <neumann@xxxxxxxxxxx> Subject: Hotel minibar keys open Diebold voting machines The access panel door on a Diebold AccuVote-TS voting machine --- the door that protects the memory card that stores the votes, and is the main barrier to the injection of a virus --- can be opened with a standard key that is widely available on the Internet. ... we did a live demo for our Princeton Computer Science colleagues of the vote-stealing software described in our paper and video. Afterward, Chris Tengi, a technical staff member, asked to look at the key that came with the voting machine. He noticed an alphanumeric code printed on the key, and remarked that he had a key at home with the same code on it. The next day he brought in his key and sure enough it opened the voting machine. See Ed Felten's blog: http://www.freedom-to-tinker.com/?p=1064 ------------------------------ Date: Sun, 17 Sep 2006 17:01:11 -0400 (EDT) From: "David Lesher" <wb8foz@xxxxxxxxx> Subject: Cuyahoga County Primary Election Report Cuyahoga County [which includes Cleveland] had a major meltdown in their May 2006 primary election. A Review Panel [comprised of a local judge, the head of the Ohio Lottery, an academic, with local law students as staff] issued a report on the event, and what needs to be fixed. <http://www.votingintegrity.org/pdf/cerp_rpt06.pdf> While Diebold DRE machines are deeply embedded in the debacle, the report is not about the problems with machine's security [as Ed Felten's is] as much as the issues of acquiring, configuring and deploying them. The Road To Hell is paved with good intentions, and this report has asphalt enough to go around. It's an example of how you can you can make any problem too hard to handle if only there is enough money & patronage floating around... RISK readers can easily identify all the Usual Suspects; you could almost duplicate it with cut and paste from say, DIVAD/Sergeant York, Virtual Case File, and oh the Second Ave subway project escapades. Cuyahoga County Board of Elections says they were told they were buying, from the sole source vendor, "seamless integration" between the registered voter database and ballot creation processes; while the vendor was seemingly wearing hooded white robes. [Diebold bought the West Coast voter database company but it was still a separate operation who {oops} wanted to be paid extra for their added work; work allegedly never mentioned by the corporate salesman who sold the "seamless" package to the BoE.] The BoE didn't even have the authority to spend the money they thought was "theirs" and thus never asked the County Commissioners. It also touches on the very real issue of poll workers/election day staff. Elections are transient events, and many of the polling places are likely to be staffed by people not just with little or no computer experience; but often computerphobia. Add training problems and you have a disaster brewing. There are VERY few Avi Rubin's working at polling places; and outside of Silicon Valley, I bet do no more than start Word. I wonder how many RISK readers do so? I'm almost tempted to say there should be Election Day Duty al-la Jury Duty. For now, employers could show their support by encouraging both senior staff & IT support to volunteer. Both would get a valuable reminder in Real World 101. The only good aspect is the Ohio Legislature required honest-to-gosh paper as the ballot of record. While that makes jammed printers important, it means there is something to recount when, not if, things go wrong... ------------------------------ Date: Wed, 13 Sep 2006 23:50:08 +0200 From: "Kurt Fredriksson" <kurt.fredriksson@xxxxxxxx> Subject: Re: Avi Rubin's latest report as an election judge I'm a Swede and is a bit puzzled about the eletronic voting that seems to become so popular in the US. As we are going to have a general election this sunday (sept 17), I can't help making a comparison. The precinct Avi was reporting from had over 1000 voters. The precinct I am going to use this sunday has around 1200 voters of which around 1000 usually show up. Thus quite similar in size. Avi had 12 machines and 16 judges, opening hours 0700 - 2200, long queues. We have no machines (old fashion paper ballots) and 3 + 3 layman officials, opening hours 0800 - 2000, no queues. After 2000 (8 pm) the votes for the the Swedish Parliament are handcounted at the precinct in the presence of all interested. That takes about one hour. These results are then telephoned to the central authority. All votes are then recounted a couple of days later, to get the official result. This recount is also performed in the presence of all interested. All votes are kept in sealed and secured boxes during transport. What are the advantages with electronic voting? Reading Avi's blog makes one wonder. ------------------------------ Date: Tue, 12 Sep 2006 08:08:11 +0200 From: "Peter B. Ladkin" <ladkin@xxxxxxxxxxxxxxxxxxxx> Subject: SSN-as-ID under scrutiny - again The insecure method of trying to use a verbal report of a U.S. Social Security Number (SSN) as personal identification is coming under wider scrutiny because of the brouhaha about the Hewlett-Packard board. The Chairman apparently ordered an investigation into who was giving privileged information to news media, and the investigators hired pretexters to obtain phone records of board members. Pretexters are people who use "social engineering" skills to impersonate a third person while communicating with a service provider, in order to obtain information about the services provided to that person. In this case, the pretexters wanted to obtain the telephone-call records of HP board members. The International Herald Tribune recounts the practice at http://www.iht.com/articles/2006/09/11/business/hpspy.php in a story from the New York Times by Matt Richtel and Miguel Helft. One investigator who helps auto-repossession agencies demonstrated: "In most cases [the investigator] said, he already had the Social Security number from the lien holder. But if necessary, he could find it in commercial databases. To demonstrate, he asked a reported his full name and state of residence, and read him back his Social Security number within seconds." [op.cit.] Among companies who have adapted belatedly to this reality are Verizon, who apparently stopped using SSN as "a chief way to establish [a customer's] identity" last year. Among those who have not yet adapted are AT&T, which "[continues] to accept Social Security numbers as a central means of identification." The article discusses the legality of pretexting, which may already be generally illegal in many jurisdictions and is so for particular goals such as obtaining financial records, and efforts to make it more explicitly illegal. The legality of pretexting is obviously a different issue from the insecurity of authentication through SSN, just as the legality of thievery is a different issue from whether I lock my front door when I leave the house. It has been known for years, and not just to RISKS readers, just how dysfunctional the practice is of trying to authenticate people through basic information such as residential address and SSN. Perhaps it persists because the perpetrators (service companies) are not the sufferers (their customers). There is, however, a general legal notion of "due diligence", whereby if a company uses a method which is known to be ineffective, it can be held responsible for deleterious consequences, as having not exercise due diligence. So, when it becomes sufficiently "well known" that divulging SSN is ineffective as authentication, practice could change. The HP story might help to tip the scales. Peter B. Ladkin, Causalis Limited and University of Bielefeld www.causalis.com www.rvs.uni-bielefeld.de ------------------------------ Date: Tue, 12 Sep 2006 10:08:55 +0200 From: Gerrit Muller <gerrit.muller@xxxxxxxxxxxxxxxxxx> Subject: New way to break into cars Dutch media report on a new way thieves are using to break into cars with electronic locks, see for instance: http://www.rtvnoord.nl/nieuws/index.asp?actie=totaalbericht&pid=60184 In Stadskanaal, in the North of the Netherlands, at least 30 cars have been illegally opened without any trace or damage. Thieves appear mostly to look for car documents. The police don't have any clue how the cars have been opened. One of the possibilities being looked into is the existence of some new electronic device acting as a passkey. If such an electronic passkey would exist, then we see the next phase in the (electronic) security rat-race. Gaudi systems architecting <http://www.gaudisite.nl/> ------------------------------ Date: Tue, 12 Sep 2006 10:02:29 +0200 From: Gerrit Muller <gerrit.muller@xxxxxxxxxxxxxxxxxx> Subject: Thieves sabotage telecom infrastructure Several Dutch media report the sabotage of telecom infrastructure at a business park in Blerick, near Venlo, in the South of the Netherlands, e.g., http://www.telegraaf.nl/binnenland/49777581/KPN_heeft_handenvol_aan_gesaboteerde_kastjes.html In Blerick the cabinets of KPN (Dutch Telecom provider) were broken down. Apparently the inflictors wanted to eliminate the security of businesses at the park. They succeeded and stole for 100k's Euro's from DHL, the courier company. The same attempt was made at the business park in Herkenbosch, another small town in the South. However an attempt to break in at an attraction park here didn't succeed, because the alarm was still functional. This example again illustrates the often invisible dependencies of modern interlinked systems. Many modern security services depend on public infrastructure. How many of them have these single points of vulnerability? ------------------------------ Date: Mon, 11 Sep 2006 22:01:31 -0600 From: "S Hutto" <shuttoj@xxxxxxxxx> Subject: Cops say teen concocted radio calls Westword, a Denver area weekly, has published a long article on the teen who was arrested for impersonating an officer on local police radio bands in 2001. According to the article, he had been routinely communicating on police bands for about three months, requesting licence plate checks and once reporting a fake hit-and-run accident. He was found guilty and sentenced to six months in the Division of Youth Corrections and two years' probation. The article provides some mundane technical details on the incident. RISKS readers may be interested in the somewhat dramatized events and motivations that drove the teen to impersonate a law enforcement officer. In 2006, he was arrested and charged with impersonating an EMT and theft by receiving. The article will be available for some amount of time here: http://www.westword.com/Issues/2006-08-31/news/feature.html ------------------------------ Date: Wed, 06 Sep 2006 20:17:39 -0400 From: Phil Singer <psinger1@xxxxxxxxxxxxx> Subject: Regarding High-tech Product Sabotage (Mellor, RISKS-24.41) During the early 1980's the place I worked at had a Honeywell-compatible version of the venerable IBM 1401. It came in several models (I don't remember the model numbers - call them Model A for the lowest end up to Model D for the top end). We found out the hard way that the only difference between them was one resistor - take it out and a Model A was as fast as a Model D (but leased for tens of thousands less). Our field engineer did not like to waste time, so he always disconnected the resistor when he did his P.M. In fact he hated wasting time so much that he never bothered to reconnect it. On one periodic maintenance day, he was on vacation and a somewhat more conscientious engineer took his place. The resistor was replaced. The director wanted to know why everything slowed down. When he found out, he immediately terminated the lease. [This is indeed an old phenomenon. Long ago, during my Bell Labs days, I requested an upgrade for a telephone modem, which was made by snipping a single wire with a disproportionate increase in the monthly rental. PGN] ------------------------------ Date: Mon, 18 Sep 2006 11:57:20 -0800 From: Rob Slade <rmslade@xxxxxxx> Subject: REVIEW: "Computer Security Basics", Lehtinen/Russell/Gangemi BKCMPSEC.RVW 20060819 "Computer Security Basics", Rick Lehtinen/Deborah Russell/G. T. Gangemi Sr., 2006, 0-596-00669-1, U$39.99/C$51.99 %A Rick Lehtinen %A Deborah Russell %A G. T. Gangemi Sr. %C 103 Morris St., Suite A, Sebastopol, CA 95472-9902 %D 2006 %G 0-596-00669-1 %I O'Reilly and Associates, Inc. %O U$39.99/C$51.99 %O http://www.amazon.com/exec/obidos/ASIN/0596006691/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0596006691/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0596006691/robsladesin03-20 %O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation) %P 296 p. %T "Computer Security Basics, Second Edition" I've been waiting a long time for an updated version of this classic. "Computer Security Basics" was a pretty accurate name for the first edition. The book was an overview of many aspects that go into the security of computers and data systems. While not exhaustive, it provided a starting point from which to pursue specific topics that required more detailed study. Such is no longer the case. Part one looks at security for today. Chapter one starts with 9/11, then talks about various infosec groups, and only then gets to an introduction of what security is, and how to evaluate potential loopholes. The definition points out the useful difference between the problems of confidentiality and availability, and now adds integrity. The distinction between threats, vulnerabilities and countermeasures is helpful, but may fail to resolve certain issues. Ironically, in view of the title of this section, chapter two gives some historical background to the development of modern data security. Part two deals with computer security itself. Chapter three looks at access control, but is somewhat unstructured. Malware and viruses receive the all-too-usual mix of advice and inaccuracies in chapter four. Policy is supposed to be the topic of chapter five, but most of the text is concerned with matters of operations. Internet and Web technologies, and a few network attacks, are listed in chapter six. The prior inclusion of network topics is rather funny, since part three delves into communications security. Chapter seven turns first to encryption, which could be presumed to have applications in more than communications, although it is important in that field. The material on encryption is quite scattered and disorganized, and the explanation of asymmetric systems is probably more confusing than helpful. A lot about networks, a list of network security components, and not much that is useful makes up chapter eight. Part four turns to other types of security. Chapter nine takes a confused look at physical security, and includes biometrics: as with encryption and communications, the topic that could be related to physical security, but might more properly be dealt with elsewhere. Chapter ten reviews wireless LANs, mentioning threats, but only tersely listing security measures, with no detail for use or implementation. The original version of the book was a good starting point for beginners who had to deal with computer security at a basic level. This second edition is a tremendous disappointment: Lehtinen has done a disservice not only to Russell and Gangemi, but also to those relying on this foundational guide. The tone of the first edition may have been too pompous, but the contents were informed by the primary concerns for information security. This update has introduced random new technical trivia, muddied the structure and flow, and reduced the value of the reference overall. copyright Robert M. Slade, 1993, 2002, 2006 BKCMPSEC.RVW 20060819 rslade@xxxxxxxxx slade@xxxxxxxxxxxxxx rslade@xxxxxxxxxxxxxxxxx http://victoria.tc.ca/techrev/rms.htm ------------------------------ Date: 2 Oct 2005 (LAST-MODIFIED) From: RISKS-request@xxxxxxxxxxx Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. The mailman web interface can be used directly to subscribe and unsubscribe: http://lists.csl.sri.com/mailman/listinfo/risks Alternatively, to subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request@xxxxxxxxxxx containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit that process by sending directly to either risks-subscribe@xxxxxxxxxxx or risks-unsubscribe@xxxxxxxxxxx depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc. => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html> The full info file may appear now and then in RISKS issues. *** Contributors are assumed to have read the full info file for guidelines. => .UK users should contact <Lindsay.Marshall@xxxxxxxxxxxxxxx>. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail! => SUBMISSIONS: to risks@xxxxxxxxxxx with meaningful SUBJECT: line. *** NOTE: Including the string "notsp" at the beginning or end of the subject *** line will be very helpful in separating real contributions from spam. *** This attention-string may change, so watch this space now and then. => ARCHIVES: ftp://ftp.sri.com/risks [subdirectory i for earlier volume i] <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue. Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r <http://the.wiretapped.net/security/info/textfiles/risks-digest/> . ==> PGN's comprehensive historical Illustrative Risks summary of one liners: <http://www.csl.sri.com/illustrative.html> for browsing, <http://www.csl.sri.com/illustrative.pdf> or .ps for printing ------------------------------ End of RISKS-FORUM Digest 24.43 ************************