[26623] in RISKS Forum
Risks Digest 28.33
daemon@ATHENA.MIT.EDU (RISKS List Owner)
Tue Nov 4 14:58:16 2014
From: RISKS List Owner <risko@csl.sri.com>
Date: Tue, 4 Nov 2014 11:58:12 PST
To: risks@mit.edu
RISKS-LIST: Risks-Forum Digest Tuesday 4 November 2014 Volume 28 : Issue 33
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/28.33.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
Online voting rife with hazards (Barbara Simons)
Risks of assuming votes are accurate (John Long)
Open Surveillance (Bryan Ford)
Smart Televisions are highly susceptible to hacking by radio transmission
(robert schaefer)
"Cyber espionage group launches sophisticated phishing attacks against
Outlook Web App users" (Lucian Constantin via Gene Wirchenko)
"Tor Project flags Russian 'exit node' server delivering malware"
(Jeremy Kirk)
"Advisory says to assume all Drupal 7 websites are compromised"
(Steve Ragan)
"Drupal sites, assume you've been hacked" (Serdar Yegulalp)
How a dumb software glitch kept thousands from reaching 911 (Brian Fung)
Verizon, AT&T tracking their users with 'supercookies' (Craig Timberg)
Somebody's Already Using Verizon's ID to Track Users (Angwin and Larson)
Cell carrier was weakest link in hack of Google, Instagram accounts
(Sean Gallagher)
Critics chafe as Macs send sensitive docs to iCloud without warning
(Dan Goodin)
AT&T's outdated unlock policies cost it a loyal customer: me
(Lee Hutchinson)
With School Ban Nearing End, New York City Works on How and When to
Allow Cellphones (NYT)
"Have we gotten so pathetically lame that you need to be notified by email
that your laundry is done?" (Matthew Kruk)
Why Adobe got away with monitoring users (Kurt Seifried)
Windows Update intentionally destroys chips (Michael Kohne)
Re: The NSA has no interest in protecting you & me (Gene Spafford)
Did anyone call a taxi? (Ed Ravin)
The 7th annual Underhanded C Contest is now open (robert schaefer)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Tue, 4 Nov 2014 10:22:43 PST
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Online voting rife with hazards (Barbara Simons)
[It's Election Day in the U.S. today. Stand by for possible RISKS items
in the next few days, with several critical runoffs expected to delay the
outcomes. PGN]
Barbara Simons, *USA Today* (op-ed), 4 Nov 2014
Casting ballots on Internet may be a new trend, but it is neither secure nor trustworthy.
http://www.usatoday.com/story/opinion/2014/11/04/barbara-simons-online-voting-problems/18461679/
Today Americans are voting in an election that could shift control of the
U.S. Senate and significantly impact the direction our nation will take in
the next few years. Yet, 31 states will allow over 3 million voters to cast
ballots over the Internet in this election, a practice that computer
security experts in both the federal government and the private sector have
warned is neither secure nor trustworthy.
Most states' online voting is limited to military and overseas voters, but
Alaska now permits all voters to vote over the Internet. With a hotly
contested Senate seat in Alaska, the use of an online voting system raises
serious concerns about the integrity of Alaska's election results. Alaska's
State Election Division has even acknowledged that its "secure online voting
solution" may not be all that secure by posting this disclaimer on its
website: "When returning the ballot through the secure online voting
solution, your are [sic] voluntarily waving [sic] your right to a secret
ballot and are assuming the risk that a faulty transmission may occur."
Unfortunately, faulty transmission is only one of the risks of Internet
voting. There are countless ways ballots cast over the Internet can be
hacked and modified by cyber criminals. The National Institute of Standards
and Technology, at the direction of Congress, has conducted extensive
research into Internet voting in the last decade and published several
reports that outline all the ways votes sent over the Internet can be
manipulated without detection. After warning that there are many possible
attacks that could have an undiscovered large-scale impact, the institute
concluded that secure Internet voting is not yet achievable.
Securing transactions online is a major national challenge, as demonstrated
by nearly daily reports of new cyber intrusions into networks of some of our
largest financial institutions, corporations and government
agencies. Elections are even more difficult to protect, because unlike other
online transactions, elections are especially vulnerable to undetectable
hacking.
Since we vote by secret ballot, there is no way to reconcile electronic
images of ballots received with the version the voter intended to send. In
other words, it is impossible to know if voter choices have been tampered
with somewhere between the voter's computer and election official's machine,
thereby making it virtually impossible to confirm an attack on an online
election system.
Nonetheless online voting is expanding around the country. Vendors of
commercial online voting systems are exploiting the understandable desire to
help remote voters by exhorting well-meaning state legislators and election
officials to forge ahead with online voting. Aggressive marketing practices
in an unregulated market have created a perfect storm.
We cannot afford to continue putting our elections at risk by allowing the
use of insecure Internet voting systems. Alaska's online voting system is
vulnerable to hackers from anywhere in the world. If this election is
attacked, the outcome may be determined by the attackers and Alaskans (and
the rest of us) may never even know. It's time for state leaders to reject
online voting unless and until it is secure.
Barbara Simons is chair of the Board of Directors of Verified Voting and a
member of the Board of Advisers of the U.S. Election Assistance
Commission. She is a former computer researcher for IBM and past-president
of the Association for Computing Machinery.
------------------------------
Date: Sat, 01 Nov 2014 23:03:22 -0400
From: John Long <j1long@mindspring.com>
Subject: Risks of assuming votes are accurate
After many years of concerns on RISKS about fraud concerning voting
machines, it appears that it has come true. In two states, voting machines
have been observed switching a vote from a Republican candidate to the
Democratic candidate. [Again? This is hardly new. PGN] The interesting
thing is that the voter could actually observe the fraud taking place. Makes
you wonder what is actually happening in those situations where the voter
could not observe the fraud.
http://www.foxnews.com/on-air/fox-and-friends/blog/2014/10/30/expert-confirms-voting-machines-illinois-and-maryland-rigged-democrats
In addition, there seemed to have been a false assumption that allowing
illegal immigrants to get drivers licenses would not have any deleterious
effects. In fact, obtaining a driver's license allowed those individuals to
also register to vote. All one had to do to register was show a driver's
license. No one actually checked to see whether they were, in fact,
citizens.
http://www.nationalreview.com/article/391474/non-citizens-are-voting-john-fund
------------------------------
Date: Mon, 3 Nov 2014 15:09:09 PST
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Open Surveillance (Bryan Ford)
Bryan Ford (Yale)
Cryptography could keep electronic investigations under control
*MIT Technology Review*, page 11, vol 117, no 6, November-December 2014.
http://www.technologyreview.com/view/531681/open-surveillance/
There's also a nice short item from Dave Farber in the same section,
The Wrong Fix: Want regulations to preserve the open Internet? Be careful
what you wish for.
Also in that issue, George Anders, The Right Way to Fix the Internet: We
need to let go of Network Neutrality... pp. 28--34.
------------------------------
Date: Mon, 3 Nov 2014 11:46:10 -0500
From: robert schaefer <rps@haystack.mit.edu>
Subject: Smart Televisions are highly susceptible to hacking by radio
transmission
``Researchers discover a massive security flaw in smart TV's that allow
hackers to intercept data broadcasts, insert malicious code, and transform
the TV into an antenna that infects all other Internet-connected devices in
the household. Once the television is infected, it seeks out all other
devices connected to the router. The attacks are untraceable as no source IP
address or DNS server is ever presented, instead, hackers perform a classic
man-in-the-middle attack using radio transmissions.''
http://www.electronicproducts.com/Analog_Mixed_Signal_ICs/Communications/Smart_Televisions_are_highly_susceptible_to_hacking_by_radio_transmission.aspx
robert schaefer, Atmospheric Sciences Group, MIT Haystack Observatory
Westford, MA 01886 http://www.haystack.mit.edu 781-981-5767
------------------------------
Date: Mon, 03 Nov 2014 12:13:14 -0800
From: Gene Wirchenko <genew@telus.net>
Subject: "Cyber espionage group launches sophisticated phishing attacks
against Outlook Web App users" (Lucian Constantin)
Lucian Constantin, Infoworld, 24 Oct 2014
Pawn Storm attacks target military agencies, embassies, defense
contractors, and media organizations, Trend Micro says
http://www.infoworld.com/article/2838223/security/cyber-espionage-group-launches-sophisticated-phishing-attacks-against-outlook-web-app-users.html
opening text:
A cyberespionage group has been using advanced spear-phishing techniques to
steal email log-in credentials from the employees of military agencies,
embassies, defense contractors and international media outlets that use
Office 365's Outlook Web App.
------------------------------
Date: Mon, 03 Nov 2014 12:11:21 -0800
From: Gene Wirchenko <genew@telus.net>
Subject: "Tor Project flags Russian 'exit node' server delivering malware"
(Jeremy Kirk)
Jeremy Kirk, Infoworld, 27 Oct 2014
The server used a technique to append malware to legitimate code
http://www.infoworld.com/article/2839135/security/tor-project-flags-russian-exit-node-server-delivering-malware.html
opening text:
The Tor Project has flagged a server in Russia after a security researcher
found it slipped in malware when users were downloading files.
------------------------------
Date: Mon, 03 Nov 2014 12:25:15 -0800
From: Gene Wirchenko <genew@telus.net>
Subject: "Advisory says to assume all Drupal 7 websites are compromised"
(Steve Ragan)
Steve Ragan, CSO, 30 Oct 2014
Drupal urged users to apply an update on Oct. 13, but only those who
patched within seven hours may be in the clear
http://www.infoworld.com/article/2840939/security/advisory-says-to-assume-all-drupal-7-websites-are-compromised.html
opening text:
If your organization uses Drupal, you might have a serious problem on your
hands. On Oct. 15, Drupal urged users to apply an update that fixed a SQL
Injection flaw. However, unless that patch was installed within seven hours,
Drupal now says it's best to assume the website was completely compromised.
------------------------------
Date: Mon, 03 Nov 2014 12:27:02 -0800
From: Gene Wirchenko <genew@telus.net>
Subject: "Drupal sites, assume you've been hacked" (Serdar Yegulalp)
Serdar Yegulalp, InfoWorld, 30 Oct 2014
SQL injection bug threatens the websites of enterprises, governments,
and many other institutions using the open source Drupal CMS
http://www.infoworld.com/article/2841068/application-security/drupal-bug-leaves-enterprise-content-management-vulnerable.html
opening text:
Word broke yesterday of a major-league security issue involving Drupal, the
open source content management system (CMS) used widely in enterprises and
government. Come to think of it, "major league" doesn't begin to cover it:
Drupal developers have admitted that if your installation wasn't patched
before Oct. 15, 11 p.m. UTC, it's best to consider the entire site
compromised.
------------------------------
Date: Tue, 4 Nov 2014 12:51:09 -0500
From: Monty Solomon <monty@roscom.com>
Subject: How a dumb software glitch kept thousands from reaching 911
(Brian Fung)
Brian Fung, *The Washington Post*, 20 Oct 2014
Who ever thinks that their call to 911 would go unanswered? But in a
terrifying incident this spring, thousands of Americans found themselves in
need of help - and got none.
For six hours, emergency services went dark for more than 11 million people
across seven states. The entire state of Washington found itself
disconnected from 911. The outage may have gone unnoticed by some, but for
the more than 6,000 people trying to reach help, April 9 may well have been
the scariest time of their lives.
Now a study from the Federal Communications Commission offers the most
in-depth explanation of the outage and why it occurred. In a 40-page report,
the FCC found that an entirely preventable software error was responsible
for causing 911 service to drop. The incident affected 81 call dispatch
centers, rendering emergency services inoperable in all of Washington and
parts of North Carolina, South Carolina, Pennsylvania, California, Minnesota
and Florida. ...
http://www.washingtonpost.com/blogs/the-switch/wp/2014/10/20/how-a-dumb-software-glitch-kept-6600-calls-from-getting-to-911/
------------------------------
Date: Tue, 4 Nov 2014 12:53:48 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Verizon, AT&T tracking their users with 'supercookies'
(Craig Timberg)
Craig Timberg, *The Washington Post*, 3 Nov 2014
Verizon and AT&T have been quietly tracking the Internet activity of more
than 100 million cellular customers with what critics have dubbed
"supercookies" - markers so powerful that it's difficult for even savvy
users to escape them.
The technology has allowed the companies to monitor which sites their
customers visit, cataloging their tastes and interests. Consumers cannot
erase these supercookies or evade them by using browser settings, such as
the "private" or "incognito" modes that are popular among users wary of
corporate or government surveillance.
Verizon and AT&T say they have taken steps to alert their customers to the
tracking and to protect customer privacy as the companies develop programs
intended to help advertisers hone their pitches based on individual Internet
behavior. But as word has spread about the supercookies in recent days,
privacy advocates have reacted with alarm, saying the tracking could expose
user Internet behavior to a wide range of outsiders - including intelligence
services - and may also violate federal telecommunications and wiretapping
laws. ...
http://www.washingtonpost.com/business/technology/verizon-atandt-tracking-their-users-with-super-cookies/2014/11/03/7bbbf382-6395-11e4-bb14-4cfea1e742d5_story.html
Robert Lemos, Ars Technica, 24 Oct 2014
Verizon Wireless injects identifiers that link its users to Web requests
The provider adds cookie-like tokens to alert advertisers to users' interests.
http://arstechnica.com/security/2014/10/verizon-wireless-injects-identifiers-link-its-users-to-web-requests/
------------------------------
Date: Tue, 4 Nov 2014 12:56:59 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Somebody's Already Using Verizon's ID to Track Users
(Angwin and Larson)
Julia Angwin and Jeff Larson, ProPublica, 30 Oct 2014
Twitter is using a newly discovered hidden code that the telecom carriers
are adding to every page you visit - and it's very hard to opt out.
http://www.propublica.org/article/somebodys-already-using-verizons-id-to-track-users
------------------------------
Date: Tue, 4 Nov 2014 12:58:51 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Cell carrier was weakest link in hack of Google, Instagram accounts
(Sean Gallagher)
Sean Gallagher, 3 Nov 2014, Ars Technica
Carrier was social-engineered by hacker to steal man's two-letter Instagram
name.
If you think the two-factor authentication offered by Google and other cloud
services will keep your account out of the hands of an attacker, think
again. One developer found out this weekend the hard way; Google's account
protection scheme can be bypassed by going after something most people would
consider an even harder target - the user's cell phone account. ...
http://arstechnica.com/security/2014/11/cell-carrier-was-weakest-link-in-hack-of-google-instagram-accounts/
------------------------------
Date: Tue, 4 Nov 2014 12:55:19 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Critics chafe as Macs send sensitive docs to iCloud without
warning (Dan Goodin)
PSA: Turn off autosave of in-progress documents containing sensitive data.
Dan Goodin, Ars Technica, 3 Nov 2014
Representing a potential privacy snare for some users, Mac OS X Yosemite
uploads documents opened in TextEdit, Preview, and Keynote to iCloud servers
by default, even if the files are later closed without ever having been
saved.
The behavior, as noted in an article from Slate, is documented in a
Knowledge Base article from December. But it nonetheless came as a surprise
to researcher Jeffrey Paul, who said he was alarmed to recently discover a
cache of in-progress files he intended to serve as "temporary Post-It notes"
that had been silently uploaded to his iCloud account even though he never
intended or wished them to be. ...
http://arstechnica.com/security/2014/11/critics-chafe-as-macs-send-sensitive-docs-to-icloud-without-warning/
------------------------------
Date: Tue, 4 Nov 2014 13:07:10 -0500
From: Monty Solomon <monty@roscom.com>
Subject: AT&T's outdated unlock policies cost it a loyal customer: me
(Lee Hutchinson)
Lee Hutchinson, 3 Nov 2014, Ars Technica
Refuse to unlock my device for international travel? Goodbye forever.
http://arstechnica.com/staff/2014/11/atts-outdated-unlock-policies-cost-it-a-loyal-customer-me/
------------------------------
Date: Sat, 1 Nov 2014 00:43:17 -0400
From: Monty Solomon <monty@roscom.com>
Subject: With School Ban Nearing End, New York City Works on How and When to
Allow Cellphones
http://www.nytimes.com/2014/11/01/nyregion/with-school-ban-nearing-end-new-york-city-works-on-how-and-when-to-allow-cellphones.html
------------------------------
Date: Sun, 2 Nov 2014 18:29:47 -0700
From: "Matthew Kruk" <mkrukg@gmail.com>
Subject: "Have we gotten so pathetically lame that you need to be notified
by an email that your laundry is done?"
http://www.smh.com.au/technology/technology-news/why-whirlpools-smart-washing-machine-was-a-dumb-idea-20141101-11flym.html
[The Internet of Thinks? PGN]
------------------------------
Date: Fri, 31 Oct 2014 19:29:32 -0600
From: Kurt Seifried <kurt@seifried.org>
Subject: Why Adobe got away with monitoring users
I asked Mitre to assign a CVE for this issue, it seems pretty clearly to
be a security issue. One thing I've noticed over the last decade is
increasingly "if no CVE, then not a security issue" due to CVE's being used
to track issues/act as a name (I've literally never seen a customer/client
make a big deal about a security flaw if it doesn't have a CVE). Mitre's
response:
http://seclists.org/oss-sec/2014/q4/206
== ==
So, for example, the
http://boingboing.net/2014/10/07/adobe-ebook-drm-secretly-build.html article
would indicate to me that this is CVE worthy under #4.
Currently not; Adobe has a statement quoted at:
http://arstechnica.com/security/2014/10/adobes-e-book-reader-sends-your-reading-logs-back-to-adobe-in-plain-text/
indicating that the information disclosure is intentional, and is
(from their point of view) useful to them. This is just an example of
a behavior that might also occur in an open-source product. The Adobe
issue itself is off-topic for this list.
== ==
So I guess vendors can avoid security flaws by saying "we meant to do
that, sending your information back to us without informed consent,
and doing it insecurely is ok, because we meant to."
I am disappointed to say the least.
------------------------------
Date: Sat, 1 Nov 2014 09:17:45 -0400
From: Michael Kohne <mhkohne@kohne.org>
Subject: Windows Update intentionally destroys chips (Baker, RISKS-28.32)
I just want to clarify one point here: The device is NOT 'useless forever'.
The ability to change the PID/VID/etc is an intentional feature of the
original FTDI chips, which is duplicated in the clones in question. As far
as I can tell from what I've read, FTDI simply used the appropriate calls to
change the PID. Anyone with an older (non-destructive) version of the FTDI
drivers and tools can use them to change the PID back to something sensible.
Secondly, has there been any legal action against FTDI over this? While FTDI
clearly has the right to make their driver reject other companies' hardware,
actually trying to break end-users' equipment seems to me to be an
actionable offense. I'd hope that this is something that would in fact rise
to the level of a criminal complaint, not just civil. Am I wrong that
breaking people's stuff without notice is kind of against the law here?
------------------------------
Date: Sun, 2 Nov 2014 12:07:42 -0500
From: Gene Spafford <spaf@purdue.edu>
Subject: Re: The NSA has no interest in protecting you & me (Baker,
RISKS-28.32)
I don't think Henry Baker's contribution to RISKS 28.32 sounds insane,
although I am unsure of the amount of contribution of MAD to the madness.
There is a clear issue involved here, however, of the government putting too
much emphasis on a military solution to cyber security issues, and the
military once again focusing on fighting the last war.
I've spoken about this in invited talks over the last decade, and summarized
it (and related thoughts) in the CERIAS blog a while ago:
https://ceri.as/9er1z
------------------------------
Date: Sat, 1 Nov 2014 11:24:39 -0400
From: Ed Ravin <eravin@panix.com>
Subject: Did anyone call a taxi? (Re: Maziuk, RISKS-28.32)
> I'd be more worried about taxi drivers perusing the google's location
> history URL, finding areas where most destinations are, and staying
> there. The risk is then you can't get a cab anywhere else.
This already happened in New York City, no computer technology needed. Over
the last 40-50 years, the places where you could pick up a yellow cab have
contracted to Manhattan below 125th St, the airports, and a few outer
borough neighborhoods that are either near Manhattan or on the way to/from
the yellow taxi base stations. As yellow taxis were the only cabs allowed
to answer street hails, outer borough residents had to either reserve a cab
with a local taxi service or find a cabbie on the street that would
illegally pick them up (which might have been an unlicensed or "gypsy" cab
with no insurance).
The city recently created a new fleet of apple-green taxis that are
authorized to do street hails, but only in the areas that the yellow taxis
abandoned. Other than the color and the restrictions, they are pretty much
the same service as the yellow taxis. The map on this site shows the
Manhattan-centricity of where yellow cabs pick up fares:
http://www.nyc.gov/html/tlc/html/passenger/shl_passenger_background.shtml
[Also noted very similarly by John Levine. PGN]
------------------------------
Date: Mon, 3 Nov 2014 12:32:00 -0500
From: robert schaefer <rps@haystack.mit.edu>
Subject: The 7th annual Underhanded C Contest is now open.
``The goal of the contest is to write code that is as readable, clear,
innocent and straightforward as possible, and yet it must fail to perform at
its apparent function. To be more specific, it should do something subtly
evil.''
http://www.underhanded-c.org
robert schaefer, Atmospheric Sciences Group, MIT Haystack Observatory
Westford, MA 01886 http://www.haystack.mit.edu 781-981-5767
------------------------------
Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman Web interface can
be used directly to subscribe and unsubscribe:
http://lists.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman
your FROM: address, send a message to
risks-request@csl.sri.com
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-subscribe@csl.sri.com or risks-unsubscribe@csl.sri.com
depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall@newcastle.ac.uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
*** NOTE: Including the string `notsp' at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
http://www.risks.org takes you to Lindsay Marshall's searchable archive at
newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
<http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
is no longer maintained up-to-date except for recent election problems.
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 28.33
************************