[33445] in RISKS Forum


Risks Digest 34.39

daemon@ATHENA.MIT.EDU (RISKS List Owner)
Sat Aug 3 20:38:38 2024

From: RISKS List Owner <risko@csl.sri.com>
Date: Sat, 3 Aug 2024 17:38:17 PDT
To: risks@mit.edu

RISKS-LIST: Risks-Forum Digest  Saturday 3 Aug 2024  Volume 34 : Issue 39

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/34.39>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Teenager Accused of Derailing Train and Posting Crash Video Online (NYTimes)
Mythbusting SOC costs (Cliff Kilby)
How One Man Lost $740,000 to Scammers Targeting His Retirement Savings
 (NYTimes)
Are we too dependent on Microsoft? (CBC)
MBTA's new contactless payment system launches Thursday (The Globe)
Personal Data of 3 Billion People Stolen in Hack, Suit Says (BloombergLaw)
Trolls Used Her Face to Make Fake Porn. There Was Nothing She Could Do.
 (NYTimes)
Amazon forced to recall 400K products that could kill, electrocute people
 (ArsTechnica)
Don't Let Your Domain Name Become a crime site (Krebs on Security)
About Kid's Online Safety Act and age verification (Lauren Weinstein)
A $100b plan with "70% risk of killing us all" (Stephen Fry)
Leaked github token could have put the entire python infrastructure at risk
 (TechRadar)
Argentina will use AI to ‘predict future crimes’ but experts worry
 for citizens’ rights (The Guardian, geoff goodfellow)
Gender Dysphoria and the Cass Review - A Summary of a Discussion
 (Peter Bernard Ladkin)
Re: Google reverts TV YouTube app to original search history behavior
 (Jim Geissman)
Re: AT&T local news (Jim Geissman)
Re: Switzerland now requires all government software to open source
 (Martin Ward, Wol)
Re: CrowdStrike and fuzz testing (Jurek Kirakowski)
Re: Robots sacked, screenings shut down: a new movement of Luddites is
 rising up against AI (Wol)
IEEE Project on Digital Forensics for Trusted Learning Systems
 (via Rebecca Mercuri)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 29 Jul 2024 19:13:04 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Teenager Accused of Derailing Train and Posting Crash Video Online
 (NYTimes)

Investigators said a 17-year-old charged with intentionally causing a freight train derailment in Nebraska had recorded the crash, which he then posted on YouTube.

https://www.nytimes.com/2024/07/29/us/nebraska-teen-charged-train-crash.html

------------------------------

Date: Sat, 3 Aug 2024 16:25:49 -0400
From: Cliff Kilby <cliffjkilby@gmail.com>
Subject: Mythbusting SOC costs

I came across a short opinion piece which really took me aback.
The poster claimed that running a SOC was a massive expense.

The core assertions:

Infrastructure Costs: Setting up a SOC requires significant hardware,
software, and network infrastructure investments. This includes advanced
security tools and platforms for monitoring and response.
Response: Not quite. There is no additional outlay for hardware, software
or networking. Your SOC should be able to use everything in place, unless
you don't already use industry standard products like firewalls, WAF, and
AV. You might consider purchasing an EDR to address dynamic threats, but
most AV products can be used for reporting to a SOC. Unless you don't even
have AV.

Skilled Personnel: Hiring and retaining skilled cybersecurity professionals
is expensive. An in-house SOC needs experts for threat detection, incident
response, and continuous monitoring, which can drive up labor costs.
Response: Maybe. It is expensive to maintain personnel who are trained for
bleeding edge threat detection and mitigation. But, considering the first
and third assertions, the company isn't even doing remedial security, and
would probably make great strides with a SOC staffed by DevOps engineers.

Ongoing Maintenance: An in-house SOC requires continuous updates,
maintenance, and upgrades to stay current with evolving threats. This adds
to the overall operational expenses.
Response: This has nothing to do with SOC. This is basic operations
hygiene. Patch when your vendors provide patches.

Training and Development: Keeping the SOC team trained with the latest
cybersecurity trends and technologies involves additional costs for ongoing
education and certifications.
Response: Again, no. For most professionals who carry certifications, they
are required to maintain continuing education. Those credits are as
expensive as you allow them to be, though they may need to be away from
work to obtain them. Common vulnerability OSINT is massive and mostly free.
Keeping up with the bleeding edge is expensive, but pointless if you have
an environment which you believe that updates and maintenance are driven by
your SOC.

24/7 Operations: To be effective, a SOC needs to operate around the clock,
requiring shifts and potentially more staff, further increasing costs.
Response: If your SOC is automating detections and responses, they really
only have unplanned work as long as someone is in the office. They don't
pack up the WAF at the end of the day. If your current environment can't
automatically alert a detection, having a human sitting staring at logs
won't find anything.  However, if you're running a 3 shift company, then
yeah, you'll need coverage for all three shifts. Realtime threats tend to
originate from employees more than externally.

To me this whole post read like someone who was told that a SOC is buying
Rapid7 and Splunk, and then got mad that they also need to hire people to
run those tools.

Operations aren't a goal, but a process.
Security isn't a goal, but a process.
Security operations... you get the drift.

Post courtesy of
https://old.reddit.com/r/CyberMsspZone/comments/1eii9jf/why_is_an_inhouse_soc_so_expensive/

------------------------------

Date: Mon, 29 Jul 2024 19:10:06 -0400
From: Monty Solomon <monty@roscom.com>
Subject: How One Man Lost $740,000 to Scammers Targeting His Retirement
 Savings (NYTimes)

Criminals on the Internet are increasingly going after Americans over the
age of 60 because they are viewed as having the largest piles of savings.

https://www.nytimes.com/2024/07/29/business/retirement-savings-scams.html

------------------------------

Date: Fri, 2 Aug 2024 22:23:48 -0600
From: Matthew Kruk <mkrukg@gmail.com>
Subject: Are we too dependent on Microsoft? (CBC)

https://www.cbc.ca/player/play/video/9.6469022

After two major outages in as many weeks -- including the CrowdStrike
crash -- alarm bells are ringing about the world's overreliance on
Microsoft.  Andrew Chang breaks down what happened, who's to blame and digs
into just how much of our lives are connected to Microsoft.

------------------------------

Date: Thu, 1 Aug 2024 06:57:45 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: MBTA's new contactless payment system launches Thursday
 (The Globe)

https://www.boston.com/news/local-news/2024/07/31/mbtas-new-contactless-payment-system-launches-thursday

Key excerpt:

“To avoid the possibility of accidental taps and charges of their
contactless credit or debit cards, riders are encouraged to hold their
purses, bags, and backpacks away from the contactless readers.”

RISKy, anyone?

------------------------------

Date: Fri, 2 Aug 2024 14:20:03 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Personal Data of 3 Billion People Stolen in Hack, Suit Says
 (BloombergLaw)

https://news.bloomberglaw.com/privacy-and-data-security/background-check-data-of-3-billion-stolen-in-breach-suit-says

------------------------------

Date: Wed, 31 Jul 2024 15:54:41 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Trolls Used Her Face to Make Fake Porn. There Was Nothing She
 Could Do.  (NYTimes)

Sabrina Javellana was a rising star in local politics — until deepfakes derailed her life.

https://www.nytimes.com/2024/07/31/magazine/sabrina-javellana-florida-politics-ai-porn.html

------------------------------

Date: Tue, 30 Jul 2024 21:36:18 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Amazon forced to recall 400K products that could kill,
 electrocute people (ArsTechnica)

https://arstechnica.com/?p=2040006

------------------------------

Date: Fri, 2 Aug 2024 07:50:46 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: Don't Let Your Domain Name Become a crime site
 (Krebs on Security)

More than a million domain names -- including many registered by
Fortune 100 firms and brand protection companies -- are vulnerable to
takeover by cybercriminals thanks to authentication weaknesses at a
number of large web-hosting providers and domain registrars, new
research finds.

https://krebsonsecurity.com/2024/07/dont-let-your-domain-name-become-a-sitting-duck/

  [Lauren Weinstein noted Over 1 Million Domains at Risk of 'Sitting
  Ducks' Domain Hijacking Technique (The Hacker News) The powerful
  attack vector, which exploits weaknesses in the domain name system
  (DNS), is being exploited by over a dozen Russian-nexus
  cybercriminal actors to stealthily hijack domains, a joint analysis
  published by Infoblox
  <https://blogs.infoblox.com/threat-intelligence/who-knew-domain-hijacking-is-so-easy/>
  and Eclypsium has revealed.
  <https://eclypsium.com/blog/ducks-now-sitting-dns-internet-infrastructure-insecurity/>

"In a Sitting Ducks attack, the actor hijacks a currently registered domain
at an authoritative DNS service or web hosting provider without accessing
the true owner's account at either the DNS provider
<https://www.cloudflare.com/learning/dns/dns-server-types/> or registrar,"
the researchers said.

"Sitting Ducks is easier to perform, more likely to succeed, and
harder to detect than other well-publicized domain hijacking attack
vectors, such as dangling CNAMEs."
<https://thehackernews.com/2024/02/8000-subdomains-of-trusted-brands.html>
  Cliff Kilby noted this in SecurityWeek:
https://www.securityweek.com/vulnerabilities-enable-attackers-to-spoof-emails-from-20-million-domains/
  PGN]

------------------------------

Date: Tue, 30 Jul 2024 11:45:06 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: About Kid's Online Safety Act and age verification

For anyone who points out that the Kids Online Safety Act doesn't
actually REQUIRE government IDs for age verification, let me assure
you that this is, to use the vernacular, a subterfuge.

The liabilities created by the legislation for violations by the
targeted sites are so large that nothing short of age verification via
government IDs will satisfy their own legal departments in the long
run -- and with good reason.

This doesn't mean uploading IDs to each site -- the anticipated model
is third party verifiers -- but that doesn't actually reduce (and may
actually increase) the privacy and tracking abuse risks associated
with these age verification models, for a variety of technical
reasons. -L

------------------------------

Date: Tue, 30 Jul 2024 19:21:47 -0400
From: "Jan Wolitzky" <jan.wolitzky@gmail.com>
Subject: A $100b plan with "70% risk of killing us all" (Stephen Fry)

Apart from his comedic, dramatic, and literary endeavors, Stephen Fry
is widely known for his avowed technophilia. He once wrote a column on
that theme, “Dork Talk,” for the Guardian, in whose inaugural dispatch
he laid out his credentials by claiming to have been the owner of only
the second Macintosh computer sold in Europe (“Douglas Adams bought
the first”), and never to have “met a smartphone I haven’t bought.”
But now, like many of us who were “dippy about all things digital” at
the end of the last century and the beginning of this one, Fry seems
to have his doubts about certain big-tech projects in the works today:
take the “$100-billion plan with a 70-percent risk of killing us all”
described in this video:

<https://www.youtube.com/watch?v=-H7e4XlMgg0>

[found on Open Culture, July 26th, 2024]

------------------------------

Date: Fri, 2 Aug 2024 08:49:38 -0700
From: Victor Miller <victorsmiller@gmail.com>
Subject: Leaked github token could have put the entire python
 infrastructure at risk (TechRadar)

https://www.techradar.com/pro/security/github-token-leak-could-have-put-the-entire-python-language-at-risk

------------------------------

Date: Sat, 3 Aug 2024 06:47:59 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: Argentina will use AI to ‘predict future crimes’ but experts worry
 for citizens’ rights (The Guardian)

*President Javier Milei creates security unit as some say certain groups
may be overly scrutinized by the technology*

Argentina’s security forces have announced plans to use artificial
intelligence to “predict future crimes” in a move experts have warned could
threaten citizens’ rights.

The country’s far-right president Javier Milei this week created the Artificial
Intelligence Applied to Security
<https://www.boletinoficial.gob.ar/detalleAviso/primera/311381/20240729> Unit,
which the legislation says will use “machine-learning algorithms to analyse
historical crime data to predict future crimes”. It is also expected to
deploy facial recognition software to identify “wanted persons”, patrol
social media, and analyse real-time security camera footage to detect
suspicious activities.

While the ministry of security has said the new unit will help to “detect
potential threats, identify movements of criminal groups or anticipate
disturbances”, the Minority Report-esque resolution has sent alarm bells
ringing among human rights organisations.

<https://english.elpais.com/international/2024-07-30/javier-mileis-government-will-monitor-social-media-with-ai-to-predict-future-crimes.html>

Experts fear that certain groups of society could be overly scrutinised by
the technology, and have also raised concerns over who – and how many
security forces – will be able to access the information. [...]

https://www.theguardian.com/world/article/2024/aug/01/argentina-ai-predicting-future-crimes-citizen-rights

------------------------------

Date: Sat, 3 Aug 2024 07:17:00 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: Re: Argentina will use AI to predict future crimes
 but experts worry for citizens' rights (The Guardian)

oh gee, doesn't this sound just "a wee bit" kinda like say John
Poindexter's *Total Information Awareness*? viz.:

*"Total Information Awareness* (*TIA*) was a mass detection program by the
United States Information Awareness Office
<https://en.wikipedia.org/wiki/Information_Awareness_Office>. It operated
under this title from February to May 2003 before being renamed *Terrorism
Information Awareness*.

[1]
<https://en.wikipedia.org/wiki/Total_Information_Awareness#cite_note-dapra1-1>
[2]
<https://en.wikipedia.org/wiki/Total_Information_Awareness#cite_note-rename-2>

------------------------------

Date: Wed, 31 Jul 2024 10:38:54 +0200
From: "Prof. Dr. Peter Bernard Ladkin" <ladkin@causalis.com>
Subject: Gender Dysphoria and the Cass Review - A Summary of a Discussion

I wrote my note explaining that the Cass Review had commissioned a thorough
literature review from a major research facility, and sent it not only to
Risks and PGN, but also to Martin Ward and Julian Bradfield. I also,
separately, drew the attention of some British colleagues who are
informaticians and also interested in social issues, one of whom is a
renowned expert in healthcare IT. He found my note appropriate.

Ward replied with what I can only describe as a deluge of citations which he
claims shows that the Cass Review is highly at fault. Many of them do not
mention the Cass review; they are publications, some of them scientific and
some of them advocatory, which pose a different view of the care of gender
dysphoria than the Cass Review. Ward claims this is "evidence" and suggests
that, by not reading them, I am "ignoring the evidence".

The Cass Review reviewed the literature. The reviewers came to the view that
not much of it was of particularly high scientific quality. This shouldn't
surprise anybody, especially those of us peripherally familiar with the
medical and epimedical literature.

I don't see myself as reviewing the gender dysphoria literature, because the
subject is not my cup of tea. But I think it unlikely that there has
coincidentally been a breakthrough in scientific understanding of the
condition since the Cass Review completed its literature survey. If there
had been, I think I'd have read about it in reliable newspapers who report
on scientific breakthroughs such as The Guardian. I also imagine the Cass
Review would have generated an appendix on it.

So what Ward deluged me with is a bunch of opinion and work which takes a
different point of view from that of the Cass Review. Sure, I knew that that
existed. Some of it was even reviewed in newspapers when the Cass Review
came out. Much of it seems to come from North America. Anybody who has spent
significant time in the US as well as Britain and Continental Europe is well
aware of the radical differences in approach to health care and its
structure. Many essays have been written on this subject, and this will not
be another. Suffice it to say that it is quite plausible that the standard
of care for a condition such as gender dysphoria in the USA and in the UK
might, for very good reason, be very different. Also that it might well
converge in the future, as tends to happen when conditions become better
understood.

What Ward unfortunately did not do is provide me with a list of specific
mistakes that he claims the Cass Review has made, along with anything that
would count for me as proof of these mistakes. As someone who writes such
documents (but not in this field), I do know how much work it takes. I also
know that they are much more valuable to a reader.

He also hasn't provided an explanation of why he thinks a particular point
of view of an advocacy group (which seems to account for a goodly proportion
of what he cited to me) counts for him as "evidence" against particular
points made in the Cass Review when for me it counts as yet another opinion
from an advocacy group. I asked Ward what his motivation is, but didn't
receive what I would regard as a plausible answer.

So I don't see this particular discussion as proceeding much further. Neither does PGN.

PGN expressed concern that the forms of discussion enabled by the Internet
are often, to put it in a word, broken. Yes, some forms indeed are. But
let's think back to, say, 1993. I'd have read about the Cass Review in the
newspaper. I wouldn't have read the Review itself -- I would have had to
have written to a government publisher and sent payment and got a copy a few
weeks later in the post. And I wouldn't have done so. If I had wanted to
find out what kind of literature review was conducted and by whom, I likely
couldn't have done so without purchasing and reading the report (it is not
likely to be in many public libraries in Germany). Now, the
literature-review proposal is on the University of York's WWW site for
everyone to read for free. Some things, some kind of information such as
this, have got immeasurably better. Let's not forget that.

  [I have blown the whistle on the pending interchange, and have allowed
  this one final summary of a nonconverging series of rants.  PGN]

------------------------------

Date: Wed, 31 Jul 2024 09:27:58 -0700
From: "Jim" <jgeissman@socal.rr.com>
Subject: Re: Google reverts TV YouTube app to original search history behavior

This reminds me of what MS did in the Feb 2024 Windows update. File manager
searches used to look at least part of the path beyond the file name. So if
you had a folder Arizona which contained a file Grand Canyon, the file would
be found by searching for Arizona. The update changed that, and now it seems
only the file name is examined. I wonder how many other file and folder
naming schemes stopped working.

------------------------------

Date: Wed, 31 Jul 2024 06:58:08 -0700
From: "Jim" <jgeissman@socal.rr.com>
Subject: Re: AT&T local news

My U-verse went out.  This is like DSL that uses the POTS copper wires for
the last block. There are 26 houses on the block, 7 at my end, with the
connection to the network at the other end. The AT&T technician told me
there are 9 wires at my pole, for the 7 houses plus fax machines, etc. a
couple of decades ago. The tech said only one of the wires might work, so he
tried it and it does work. I asked, if he gives me the only active wire,
what about the rest of the customers? He replied, there is only one, and
it's inactive. Looks like total victory to the cell phones and squirrels,
and apparently AT&T owns a lot of non-functioning copper wire.

------------------------------

Date: Tue, 30 Jul 2024 10:40:20 +0100
From: Martin Ward <mwardgkc@gmail.com>
Subject: Re: Switzerland now requires all government software to be
 open source (Shapir, RISKS-34.38)

> Companies who wish to keep their code hidden can do it while still
> formally complying with the law.  E.g., they can post code in assembly
> (which can be generated automatically by tools like "cc -S") if
> regulations allow it

As it happens, the framers of the Gnu General Public Licence, Version 3, 29
June 2007, have already thought of this wriggle and countered it:

1. Source Code.

  The "source code" for a work means the preferred form of the work
for making modifications to it.  "Object code" means any non-source
form of a work.

------------------------------

Date: Tue, 30 Jul 2024 08:41:30 +0100
From: Wols Lists <antlists@youngman.org.uk>
Subject: Re: Switzerland now requires all government software to
 be open source (RISKS-34.38)

All being well, the legislators will look at the long history of FLOSS.  It
explicitly defines source code as being "the preferred form for programmers
to modify it".

The mere act of running an obfuscator is a breach of the GPL, and if a
company is happy writing code using an assembler or machine code, then
releasing source like that would comply, but running your binary through a
disassembler and releasing that would not, if your programmers worked in eg
Rust.

------------------------------

Date: Tue, 30 Jul 2024 12:50:19 +0100
From: Jurek Kirakowski <jzk@uxp.ie>
Subject: Re: CrowdStrike and fuzz testing

Martin Ward's summary of fuzz testing practices took me back to those old
punchcard days - and the severe admonitions of my programming tutors about
writing software which did not thoroughly test input data. The poem
Jabberwocky and a listing of prime numbers up to 1000 were some of our
amusing test data decks, but most important were test decks that followed
the syntax of the expected input but which were semantically abnormal. I
have always followed this practice. Detecting these of course raises the
line count of software considerably.

His analysis of the debacle with CrowdStrike reminded me of perhaps the most
basic principle of disaster analysis: "fatal errors are rarely one-off
mistakes, they are the cumulative effect of many small and possibly
over-looked mistakes - and even the cumulative effect of slightly misguided
corporate policies."

His remarks on how Microsoft may be changing perceptions about the release
of known buggy software followed by an endless chain of fixes and updates
remind me of what Stalin is reputed to have said: "the future is
certain. It is history which is subject to revision."

------------------------------

Date: Tue, 30 Jul 2024 08:54:00 +0100
From: Wols Lists <antlists@youngman.org.uk>
Subject: Re: Robots sacked, screenings shut down: a new movement of Luddites is
 rising up against AI (Ed Newton-Rex)

I've just had a web discussion about databases etc, and that has made me
realise why Computing in general (and databases in particular) are so
wasteful.

I've always been aware of the tendency of computing to seek perfection
(driven I suspect, by the "Publish or Perish" mentality in Universities).

But I had a very "interesting" discussion where it was obvious that most of
my protagonists were saying "we need to guarantee response times and provide
100% availability". For most people, WHY?!

My favourite database (MultiValue) guarantees data retrieval of 95% with --
in the non-pathological cold worst case -- just ONE cache miss. I work in an
office where I only need one third of one nine availability.

Yet I'm expected to work with a database that -- in the name of reliability
-- regularly takes so long to respond that my client software falls over
with annoying regularity thanks to database timeouts.

I guess the cost of all this extra (un)reliability as an extra nought on
costs, so why on earth are we paying it? Especially when abandoning the
search for perfection is almost certain to lead to much improved
availability and response times.

------------------------------

Date: Fri, 2 Aug 2024 15:12:23 -0400
From: DrM Rebecca Mercuri  <notable@mindspring.com>
Subject: IEEE Project on Digital Forensics for Trusted Learning Systems

  [I hope they mean Trustworthy.  I don't trust them today. PGN]

Readers of Risks may be interested in joining an IEEE project to develop a
standard for digital forensics investigation of student and perhaps also
faculty data (see below). The implementation of such investigative tools
should be of great concern, especially with respect to privacy and use. The
idea of creating a forensic investigation back-door seems to inherently
violate the integrity of a trusted learning system, but perhaps I am
misunderstanding what they are trying to accomplish. [Note: To join an IEEE
Standards group, one typically must be a member of IEEE ($212) as well as a
member of their Standards Association ($66).] If you attend the working
group meeting, please report what they are planning back to Risks.

  The IEEE Standards Association (IEEE SA) <https://standards.ieee.org/>
  extends an invitation for your participation in the Working Group for the
  P2834.1 Standard for Digital Forensics on Trusted Learning Systems
  <https://standards.ieee.org/ieee/2834.1/11538/>. This standard specifies
  technical requirements on a forensic-investigation-ready infrastructure
  for learning systems. The standard delineates technical requirements and
  conformance criteria essential for ensuring adherence to prevalent
  regulations governing the protection of digital evidence in kindergarten
  to 12th grade (K12) and Higher Education environments and making the
  system forensically ready to investigate in case of a security incident.

  The Working Group has a meeting scheduled:

  DATE: 30 August 2024
  TIME: 1 PM Central / 2 PM EST
  For additional information, contact:
  IEEE P2834.1™ Working Group Chair:
  Cihan Varol <cvarol@shsu.edu>
  <https://go.standards.ieee.org/MjExLUZZTC05NTUAAAGUsgpntz4OalxDr17x51T_Ex1PjMO7OIeTx_Dk7w8zd-kf0cFvmaMY1nyqucSJSH4m7z5qDNg=>

  IEEE SA Program Manager:
  Patrycja Jarosz <p.jarosz@ieee.org>
  <https://go.standards.ieee.org/MjExLUZZTC05NTUAAAGUsgpnt6D1i2jJcTrc_YGVZ9009swfQyiXi7ZRyQ0wAD1l_TFDO4wjyw2n20vKTRU28jTBpyU=>

------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) has moved to the ftp.sri.com site:
   <risksinfo.html>.
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 34.39
************************
