[27032] in RISKS Forum
Risks Digest 28.45
daemon@ATHENA.MIT.EDU (RISKS List Owner)
Mon Jan 12 19:15:47 2015
From: RISKS List Owner <risko@csl.sri.com>
Date: Mon, 12 Jan 2015 16:15:30 PST
To: risks@mit.edu
RISKS-LIST: Risks-Forum Digest Monday 12 January 2015 Volume 28 : Issue 45
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/28.45.html>
The current issue can be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
Ford recalls SUVs because drivers are accidentally turning them off
(Ben Rothke)
Green Bank, WV: The Town Without Wi-Fi (Monty Solomon)
Risks in Using Social Media to Spot Signs of Mental Distress (Monty Solomon)
EU response to free speech killings? More Internet censorship! (Gigaom
via Lauren Weinstein)
Snowden: U.S. puts too much emphasis on cyber-offense, needs defense
(Dewayne Hendricks)
Biometric Identification (Anthony Thorn)
Memory corruption (Martyn Thomas)
Morgan Stanley Breach Put Client Data Up for Sale on Pastebin, an Online
Site (Nathaniel Popper via Monty Solomon)
US banks trace credit fraud to Chick-fil-A locales in possible data breach
(Ars via Monty Solomon)
Re: "Could e-voting be on its way in the UK?" (Amos Shapir, Tony Finch)
An oldie but goodie ODBC risk (Bernard Peek)
Sony Cyberattack, First a Nuisance, Swiftly Grew Into a Firestorm
(Cieply and Barnes via Monty Solomon)
World's first *known* bootkit for OS X can permanently backdoor Macs
(Dan Goodin)
Spotlight search in OS X Yosemite exposes private user details to spammers
(Monty Solomon)
Apps Everywhere, but No Unifying Link (Monty Solomon)
Re: Gogo Issues False SSL Certificates, Allowing them to decode SSL
Traffic (Bob Gezelter)
ASUS Routers reportedly vulnerable to local area network command execution
exploit (Bob Gezelter)
Re: Too many pilots can't handle an emergency (Craig Burton)
Re: Lenovo recalls more than 500,000 power cords (david lewis, Dick Mills)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Tue, 6 Jan 2015 19:09:51 -0500
From: Ben Rothke <brothke@hotmail.com>
Subject: Ford recalls SUVs because drivers are accidentally turning them off
Perhaps Ford didn't do enough UI testing...
http://www.autonews.com/article/20141231/RETAIL05/141239986/lincoln-mkc-recalled-to-move-push-button-start-from-near-touchscreen
Ford is recalling about 13,500 2015 Lincoln MKC because drivers are shutting
the vehicle off by mistake.
Drivers are mistakenly touching the crossover SUV's push-button ignition
button while the car is driving, Ford found.
``Due to the switch's close proximity to other controls occupants are
inadvertently shutting off the engine while driving,'' Ford said in a
statement.
------------------------------
Date: Sun, 11 Jan 2015 23:42:20 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Green Bank, WV: The Town Without Wi-Fi
The residents of Green Bank, West Virginia, can't use cell phones, wifi, or
other kinds of modern technology due to a high-tech government telescope.
Recently, this ban has made the town a magnet for technophobes, and the
locals aren't thrilled to have them.
http://www.washingtonian.com/articles/people/the-town-without-wi-fi/
------------------------------
Date: Fri, 26 Dec 2014 21:32:18 -0800
From: Monty Solomon <monty@roscom.com>
Subject: Risks in Using Social Media to Spot Signs of Mental Distress
http://www.nytimes.com/2014/12/27/technology/risks-in-using-social-posts-to-spot-signs-of-distress.html
The ill-fated introduction in Britain of an app to detect predictors of
suicide shows what may happen when social media posts are scrutinized for
cues about a person's mental health.
------------------------------
Date: Mon, 12 Jan 2015 09:46:02 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: EU response to free speech killings? More Internet censorship!
(Gigaom):
https://gigaom.com/2015/01/11/eu-response-to-free-speech-killings-more-internet-censorship/?utm_medium=social&utm_campaign=socialflow&utm_source=twitter&utm_content=eu-response-to-free-speech-killings-more-internet-censorship_905730
The interior ministers of France, Germany, Latvia, Austria, Belgium,
Denmark, Spain, Italy, the Netherlands, Poland, Sweden and the U.K. said
in a statement (PDF) that, while the Internet must remain ``in scrupulous
observance of fundamental freedoms, a forum for free expression, in full
respect of the law.'' ISPs need to help ``create the conditions of a swift
reporting of material that aims to incite hatred and terror and the
condition of its removing, where appropriate/possible.''
- - -
European leaders seem lately to be reliably wrong on most free speech issues
coming down the pipe. It's especially damaging when they try to extend their
misguided, counterproductive views on this subject to the world beyond
Europe. Censorship doesn't work in the Internet era. Trying to remove or
de-index materials you fear or dislike only drives them underground in more
dangerous ways.
------------------------------
Date: Jan 8, 2015 2:45 PM
From: "Dewayne Hendricks" <dewayne@warpspeed.com>
Subject: Snowden: U.S. puts too much emphasis on cyber-offense, needs defense
[via Dave Farber]
Sean Gallagher, Ars Technica, 8 Jan 2015
In PBS NOVA interview, Snowden warns that U.S. cyber warfare strategy could
backfire.
http://arstechnica.com/tech-policy/2015/01/snowden-us-has-put-too-much-emphasis-on-cyber-offense-needs-defense/
In an on-camera interview with James Bamford for an upcoming episode of PBS'
NOVA, Edward Snowden warned that the U.S. Department of Defense and National
Security Agency have over-emphasized the development of offensive network
capabilities, placing the U.S.'s own systems at greater risk. With other
countries now developing offensive capabilities that approach those of the
NSA and the U.S. Cyber Command, Snowden believes the U.S. has much more at
stake.
The raw transcript of the NOVA interview showed Snowden in full control, to
the point of giving direction on questions and even suggesting how to
organize the report and its visual elements. Snowden frequently steered
questions away from areas that might have revealed more about NSA
operations, or he went into areas such as White House policy that he
considered "land mines." But the whistleblower eloquently discussed the
hazards of cyber warfare and the precariousness of the approach that the NSA
and Cyber Command had taken in terms of seeking to find and exploit holes in
the software of adversaries. In fact, he says the same vulnerabilities are
in systems in the U.S. "The same router that's deployed in the United States
is deployed in China," Snowden explained. "The same software package that
controls the dam floodgates in the United States is the same as in
Russia. The same hospital software is there in Syria and the United States."
Some of the interview, which took place last June in Russia, possibly
foreshadowed the cyber attack on Sony Pictures. Snowden said that the
capabilities for cyber attacks such as the "Shamoon" malware attack in 2012
and other "wiper" attacks similar to what happened to Sony Pictures were
"sort of a Fisher Price, baby's first hack kind of a cyber campaign,"
capable of disruption but not really of creating long-term damage. But he
said more sophisticated organizations, including nation-state actors, are
"increasingly pursuing the capability to launch destructive cyber attacks as
opposed to the disruptive kinds that you normally see online...and this is a
pivot that is going to be very difficult for us to navigate."
"I don't want to hype the threat," Snowden told Bamford. "Nobody's going to
press a key on their keyboard and bring down the government. Nobody's going
to press a key on their keyboard and wipe a nation off the face of the
earth." But Snowden emphasized that the U.S. should be focusing more on
defending against adversaries than trying to penetrate their networks to
collect information and do damage.
"When you look at the problem of the U.S. prioritizing offense over defense,
imagine you have two bank vaults, the United States bank vault and the Bank
of China," Snowden explained. "The U.S. bank vault is completely full. It goes
all the way up to the sky. And the Chinese bank vault or the Russian bank
vault or the African bank vault or whoever the adversary of the day is,
theirs is only half full or a quarter full or a tenth full." But because the
U.S. has focused on being able to break into other networks, he said, it has
made its own technology vulnerable -- and other countries can use the same
vulnerabilities to attack the U.S.'s networks. [...]
------------------------------
Date: Wed, 07 Jan 2015 12:14:43 +0100
From: Anthony Thorn <anthony.thorn@atss.ch>
Subject: Biometric Identification
The recent CCC (Chaos Computer Club) presentation about defeating biometric
identification using cameras demonstrates the vulnerability of Iris, Face
and Fingerprint methods. The theoretical risk is obvious, but here are the
practical demonstrations.
Dubbed in English:
https://www.youtube.com/watch?v=VVxL9ymiyAU&feature=youtu.be
Should be good for sales of gloves, latex, pencils...
------------------------------
Date: Tue, 06 Jan 2015 08:48:36 +0000
From: Martyn Thomas <martyn@thomas-associates.co.uk>
Subject: Memory corruption
https://www.ece.cmu.edu/~safari/pubs/kim-isca14.pdf
"In this paper, we expose the vulnerability of commodity DRAM chips to
disturbance errors. By reading from the same address in DRAM, we show that
it is possible to corrupt data in nearby addresses. More specifically,
activating the same row in DRAM corrupts data in nearby rows. We demonstrate
this phenomenon on Intel and AMD systems using a malicious program that
generates many DRAM accesses. We induce errors in most DRAM modules (110
out of 129) from three major DRAM manufacturers."
------------------------------
Date: Wed, 7 Jan 2015 03:33:01 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Morgan Stanley Breach Put Client Data Up for Sale on Pastebin, an
Online Site
Nathaniel Popper, *The New York Times* blog, updated version, 5 Jan 2015
In mid-December, a posting appeared on the Internet site Pastebin offering
six million account records, including passwords and login data for clients
of Morgan Stanley.
Two weeks later, a new posting on the information-sharing site offered a
teaser of actual records from 1,200 accounts, and provided a link for people
interested in purchasing more, according to a person briefed on the
matter. The link pointed to a website that sells digital files for virtual
currencies like Bitcoin. In this case, the files were being sold for a more
obscure currency, Speedcoin.
The offer was quickly taken down the same day, 27 Dec, after Morgan Stanley
discovered the leak. In short order, the bank traced the breach to a
financial adviser working out of its New York offices, a 30-year-old named
Galen Marsh, according to a person involved in the investigation who spoke
on the condition of anonymity. ...
http://dealbook.nytimes.com/2015/01/05/morgan-stanley-fires-employee-saying-data-on-350000-clients-was-stolen/
------------------------------
Date: Thu, 1 Jan 2015 00:46:11 -0500
From: Monty Solomon <monty@roscom.com>
Subject: US banks trace credit fraud to Chick-fil-A locales in possible data breach
http://arstechnica.com/security/2014/12/us-banks-trace-credit-fraud-to-chick-fil-a-locales-in-possible-data-breach/
------------------------------
Date: Wed, 7 Jan 2015 19:00:57 +0200
From: Amos Shapir <amos083@gmail.com>
Subject: Re: "Could e-voting be on its way in the UK?"
The most important point that should not be missed is that Internet voting
should be compared to postal votes, not traditional public voting station
methods. In the rush to make Internet voting more secure, we should not
forget that - like postal voting - it lacks the basic features: making the
act of voting public, but the vote contents themselves confidential.
The public aspect of traditional voting methods assures that everyone who is
eligible to vote can do it, freely and confidentially. Internet voting
misses this aspect, no matter how secure it can be made.
This is not a technical issue!
------------------------------
Date: Thu, 8 Jan 2015 13:23:07 +0000
From: Tony Finch <dot@dotat.at>
Subject: Re: Could e-voting be on its way in the UK? (Walker,
RISKS-28.44)
A couple of months ago I read an electoral court judgment on voting fraud
in the UK which was handed down in July 2013:
http://www.bailii.org/ew/cases/EWHC/QB/2013/2572.html
The judge goes off on a massive rant about the disgraceful state of voting
security in the UK and the lack of interest from the authorities in
dealing with it. I expect online voting will make it even worse. The whole
judgment is quite readable and informative. The rant starts:
> Sadly, therefore, this is yet another case where the United Kingdom's
> shambolic electoral system has led to an election being challenged on
> the ground of widespread fraud.
>
> The system of electoral registration has always been very insecure and
> remains so. The problems this caused were, in the past, largely
> mitigated by the fact that 'absent' voting (voting by post or by proxy)
> was very limited in scope and hedged about with procedural difficulties.
> The introduction of postal voting on demand in 2001, however, laid the
> electoral system wide open to massive and well-organised fraud. Warnings
> that this might be the case were blithely ignored by Parliament and, to
> some extent, by the Electoral Commission.
------------------------------
Date: Tue, 06 Jan 2015 21:20:19 +0000
From: Bernard Peek <bap@shrdlu.com>
Subject: An oldie but goodie ODBC risk
Not very long ago I came across an accounting and HR package which used ODBC
connections from each client computer to its central Microsoft SQL Server
database. Installing the client software required the creation of a "data
source" file on each client. This file can then be used by any ODBC client,
such as Microsoft Office software, without needing the user to know the
password.
I discovered that the supplier's engineers had persuaded the IT team to let
them use the default SA (System Administrator) ID when creating the data
sources. As a result of this any other ODBC software installed on a client
machine could be used to gain anonymous read/write/delete access to the
entire finance and HR databases without needing to use a password. I offered
to save the CFO some work by signing off my own invoices but he declined the
offer.
Once I bypassed the supplier's helpdesk and contacted their CTO directly the
issue was quickly resolved. We reconfigured the client machines and the
database servers to eliminate the "SA" login completely.
RISKS readers might like to check their own systems to see whether any of
the Data Sources on their client machines use the SA login. If they do then
I suggest they have words with their suppliers and their DBAs (if they have
them). Short pithy words are best.
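A way to run the check Bernard Peek suggests across a fleet of client machines, as an added example that is not part of the post above: file DSNs (*.dsn) are INI-style text files whose [ODBC] section carries DRIVER=, SERVER=, UID=, PWD= and similar keys, so a short script can flag any data source that connects as "sa" or stores a cleartext password. The two sample DSNs embedded below are constructed for the example; the server names are not real systems.

```python
"""Audit ODBC file DSNs for the SQL Server 'sa' login and embedded passwords.

Added example, not code from the RISKS post. Assumes the file-DSN layout the
Windows ODBC administrator writes: an INI-style text file with an [ODBC]
section holding DRIVER=, SERVER=, DATABASE=, UID=, PWD= and similar keys.
"""
import configparser
from pathlib import Path

# Logins that should never be baked into a client-side data source.
PRIVILEGED_LOGINS = {"sa"}


def parse_dsn(text):
    """Return the [ODBC] section of a file DSN as a dict with lower-case keys,
    or None if the text has no such section."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    for section in parser.sections():
        if section.lower() == "odbc":
            return {k.lower(): v.strip() for k, v in parser.items(section)}
    return None


def audit_dsn(name, text):
    """Return a list of (dsn_name, finding) tuples; an empty list means clean."""
    odbc = parse_dsn(text)
    if odbc is None:
        return [(name, "no [ODBC] section; not a file DSN")]
    findings = []
    uid = odbc.get("uid", "")
    if uid.lower() in PRIVILEGED_LOGINS:
        findings.append((name, f"connects as privileged login '{uid}'"))
    if odbc.get("pwd"):
        # Any ODBC-aware program on the client (Office included) can reuse this.
        findings.append((name, "stores a cleartext password usable by any ODBC client"))
    return findings


def audit_directory(directory):
    """Audit every *.dsn file below `directory` (recursively); return all findings."""
    findings = []
    for path in sorted(Path(directory).rglob("*.dsn")):
        text = path.read_text(encoding="utf-8", errors="replace")
        findings.extend(audit_dsn(str(path), text))
    return findings


# Constructed sample DSNs (not real systems): the first is the RISKS scenario,
# the second uses Windows integrated authentication and stores no secret.
SAMPLE_DSNS = {
    "finance.dsn": (
        "[ODBC]\nDRIVER=SQL Server\nSERVER=FINSQL01\nDATABASE=Finance\n"
        "UID=sa\nPWD=hunter2\n"
    ),
    "hr.dsn": (
        "[ODBC]\nDRIVER=SQL Server\nSERVER=HRSQL01\nDATABASE=HR\n"
        "Trusted_Connection=Yes\n"
    ),
}


def audit_samples():
    """Run the audit over the embedded samples and return the findings."""
    findings = []
    for name, text in SAMPLE_DSNS.items():
        findings.extend(audit_dsn(name, text))
    return findings


if __name__ == "__main__":
    for dsn, finding in audit_samples():
        print(f"{dsn}: {finding}")
```

Point audit_directory at the share or profile path where the supplier's installer drops its DSNs. System and user DSNs are kept in the registry (HKLM and HKCU under SOFTWARE\ODBC\ODBC.INI) rather than as files; their values can be exported and passed to audit_dsn as the same key=value text. A DSN that uses integrated authentication (Trusted_Connection=Yes) and a per-application SQL login with only the rights that application needs is the configuration the post ends up recommending.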
------------------------------
Date: Wed, 7 Jan 2015 03:33:01 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Sony Cyberattack, First a Nuisance, Swiftly Grew Into a Firestorm
Michael Cieply and Brooks Barnes, *The New York Times*, 30 Dec 2014
It was three days before Thanksgiving, the beginning of a quiet week for
Sony Pictures. But Michael Lynton, the studio's chief executive, was
nonetheless driving his Volkswagen GTI toward Sony's lot at 6 a.m. Final
planning for corporate meetings in Tokyo was on his agenda - at least until
his cellphone rang.
The studio's chief financial officer, David C. Hendler, was calling to tell
his boss that Sony's computer system had been compromised in a hacking of
unknown proportions. To prevent further damage, technicians were debating
whether to take Sony Pictures entirely offline.
Shortly after Mr. Lynton reached his office in the stately Thalberg building
at Sony headquarters in Culver City, Calif., it became clear that the
situation was much more dire. Some of the studio's 7,000 employees, arriving
at work, turned on their computers to find macabre images of Mr. Lynton's
severed head. Sony shut down all computer systems shortly thereafter,
including those in overseas offices, leaving the company in the digital dark
ages: no voice mail, no corporate email, no production systems. ...
http://www.nytimes.com/2014/12/31/business/media/sony-attack-first-a-nuisance-swiftly-grew-into-a-firestorm-.html
------------------------------
Date: Fri, 9 Jan 2015 01:52:41 -0500
From: Monty Solomon <monty@roscom.com>
Subject: World's first *known* bootkit for OS X can permanently backdoor Macs
(Dan Goodin)
Dan Goodin, Ars Technica, 7 Jan 2015
Thunderstrike allows anyone with even brief access to install stealthy
malware.
Securing Macs against stealthy malware infections could get more complicated
thanks to a new proof-of-concept exploit that allows attackers with brief
physical access to covertly replace the firmware of most machines built
since 2011.
Once installed, the bootkit -- that is, malware that replaces the firmware
that is normally used to boot Macs -- can control the system from the very
first instruction. That allows the malware to bypass firmware passwords and
the passwords users enter to decrypt hard drives, and to preinstall backdoors
in the operating system before it starts running. Because it's independent of the
operating system and hard drive, it will survive both reformatting and OS
reinstallation. And since it replaces the digital signature Apple uses to
ensure only authorized firmware runs on Macs, there are few viable ways to
disinfect infected boot systems. The proof-of-concept is the first of its
kind on the OS X platform. While there are no known instances of bootkits
for OS X in the wild, there is currently no way to detect them, either.
The malware has been dubbed Thunderstrike, because it spreads through
maliciously modified peripheral devices that connect to a Mac's Thunderbolt
interface. When plugged into a Mac that's in the process of booting up, the
device injects what's known as an Option ROM into the extensible firmware
interface (EFI), the firmware responsible for starting a Mac's system
management mode and enabling other low-level functions before loading the
OS. The Option ROM replaces the RSA encryption key Macs use to ensure only
authorized firmware is installed. From there, the Thunderbolt device can
install malicious firmware that can't easily be removed by anyone who
doesn't have the new key. ...
http://arstechnica.com/security/2015/01/worlds-first-known-bootkit-for-os-x-can-permanently-backdoor-macs/
------------------------------
Date: Sat, 10 Jan 2015 01:48:15 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Spotlight search in OS X Yosemite exposes private user details to
spammers
Search feature overrides widely used setting blocking remote images.
Dan Goodin, Ars Technica, 9 Jan 2015
Using the Spotlight search feature in OS X Yosemite can leak IP addresses
and private details to spammers and other e-mail-based scammers, according
to tests independently performed by two news outlets.
The potential privacy glitch affects people who have configured the Mac Mail
App to turn off the "load remote content in messages" setting, as security
experts have long advised. Spammers, stalkers, and online marketers often
use remote images as a homing beacon to surreptitiously track people opening
e-mail. Because the images are hosted on sites hosted by the e-mail sender,
the sender can log the IP address that viewed the message, as well as the
times and how often the message was viewed, and the specific e-mail
addresses that received the message. Many users prefer to keep their e-mail
addresses, IP addresses, and viewing habits private, a goal that's
undermined by the viewing of remote images. ...
http://arstechnica.com/security/2015/01/spotlight-search-in-yosemite-exposes-private-user-details-to-spammers/
------------------------------
Date: Tue, 6 Jan 2015 09:43:46 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Apps Everywhere, but No Unifying Link
http://www.nytimes.com/2015/01/06/technology/tech-companies-look-to-break-down-walls-between-apps.html
As people spend more time using apps, their Internet has taken a step
backward, becoming more isolated -- more like the web before search engines.
------------------------------
Date: Mon, 05 Jan 2015 21:57:00 -0700
From: "Bob Gezelter" <gezelter@rlgsc.com>
Subject: Re: Gogo Issues False SSL Certificates, Allowing them to decode SSL
Traffic (Weinstein, RISKS-28.44)
Ars Technica reports that Gogo, an inflight Wi-Fi service, has been proffering
its own version of other domains' certificates (the article refers
specifically to YouTube). This allows Gogo to decrypt traffic intended to
remain encrypted while in-transit. If used for all SSL connections, it would
expose a wide variety of traffic to monitoring, capture, and subsequent
impersonation (e.g., email, banking, corporate applications). It is not
clear if this is being used on all SSL connection attempts, or only on
certain connections. The justification offered is to enforce a Gogo ban on
streaming applications. This report reemphasizes the need for users to be
careful accepting a certificate not signed by a well-known signature
authority (CA). The Ars Technica article is at:
http://arstechnica.com/security/2015/01/gogo-issues-fake-https-certificate-to-users-visiting-youtube/
Bob Gezelter, http://www.rlgsc.com
------------------------------
Date: Fri, 09 Jan 2015 06:19:20 -0700
From: "Bob Gezelter" <gezelter@rlgsc.com>
Subject: ASUS Routers reportedly vulnerable to local area network command
execution exploit
Apparently, ASUS routers have a weakness in the implementation of infosvr,
which reportedly uses UDP to communicate between different
routers. Designated CVE-2014-09583, this vulnerability allows a user inside
the firewall zone to use a UDP request to inject a command for execution by
the router (e.g., opening ports). The report includes a command which can
be manually used to shut down the infosvr service each time the router is
restarted. The Ars Technica article is at:
http://arstechnica.com/security/2015/01/got-an-asus-router-someone-on-your-network-can-probably-hack-it/
Bob Gezelter, http://www.rlgsc.com
------------------------------
Date: Wed, 7 Jan 2015 14:42:36 +1100
From: Craig Burton <craig.alexander.burton@gmail.com>
Subject: Re: Too many pilots can't handle an emergency (RISKS-28.44)
The most tragic element of the AF447 crash was that the stall warning system
gave a warning up to a critical angle of attack, but actually went silent
after that angle was exceeded on the assumption it could not be possible and
the device should not report a false positive.
This caused the pilots to keep the plane in a stall since when they tried to
take it out of stall by reducing attack angle, the stall alarm sounded.
I think there is a new risk here: pilots need to be able to handle a system
failing in a complex way such as this. Is it reasonable for them to learn
and manage all edge cases in automation?
------------------------------
Date: Wed, 7 Jan 2015 16:14:57 -0500
From: david lewis <davidlewis@sympatico.ca>
Subject: Re: Lenovo recalls more than 500,000 power cords
Both Leonard Finegold and Morton Welinder are wrong on the power dissipation
in a laptop power supply cord, because the power supply is not a resistor
but a constant power sink, due to the regulator in it, which is designed to
convert power at high efficiency and supply a fixed power to the battery. So
the current through the power supply is inversely proportional to the voltage.
But the power supply cord is a resistance, so the heat in it is proportional
to the square of the current, or the inverse square of the voltage in this case.
Let's take a 55W power supply for simplicity, and a .1 ohm power supply cord
resistance.
At 110V it draws .5 A so the power supply cord dissipates .5 * .5 * .1 =
.025W.
At 220V it draws .25A so the power supply cord dissipates .25 * .25 * .1 =
.00625W or a factor of 4 less.
[We received a slew of comments in response on this subject. I picked
this one as representative. PGN]
------------------------------
Date: Wed, 7 Jan 2015 15:01:42 -0500
From: Dick Mills <dickandlibbymills@gmail.com>
Subject: LOL Re: Lenovo recalls more than 500,000 power cords
Len Finegold said
"As my freshman students know...
Twinkle twinkle little star
Power equals I squared R"
50 years ago when I was a freshman I memorized that jingle. But when
I got into the exam, my brain regurgitated this:
Little star up in the sky, power equals R squared I.
------------------------------
Date: Mon, 17 Nov 2014 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. The mailman Web interface can
be used directly to subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
Alternatively, to subscribe or unsubscribe via e-mail to mailman
your FROM: address, send a message to
risks-request@csl.sri.com
containing only the one-word text subscribe or unsubscribe. You may
also specify a different receiving address: subscribe address= ... .
You may short-circuit that process by sending directly to either
risks-subscribe@csl.sri.com or risks-unsubscribe@csl.sri.com
depending on which action is to be taken.
Subscription and unsubscription requests require that you reply to a
confirmation message sent to the subscribing mail address. Instructions
are included in the confirmation message. Each issue of RISKS that you
receive contains information on how to post, unsubscribe, etc.
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines.
=> .UK users may contact <Lindsay.Marshall@newcastle.ac.uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
*** NOTE: Including the string `notsp' at the beginning or end of the subject
*** line will be very helpful in separating real contributions from spam.
*** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
or ftp://ftp.sri.com/VL/risks for previous VoLume
http://www.risks.org takes you to Lindsay Marshall's searchable archive at
newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
<http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
<http://www.csl.sri.com/illustrative.html> for browsing,
<http://www.csl.sri.com/illustrative.pdf> or .ps for printing
is no longer maintained up-to-date except for recent election problems.
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 28.45
************************