RISKS-LIST: Risks-Forum Digest Wednesday 12 October 2016 Volume 29 : Issue 84
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can also be found at
How computers are setting us up for disaster (Tim Harford via
Wendy M. Grossman)
Harbinger of The Internet of Things? Tempest in a Teapot? (The Guardian)
English man spends 11 hours trying to make cup of tea with Wi-Fi kettle
(BoingBoing via LW)
NSA could put undetectable "trapdoors" in millions of crypto keys
Samsung Halts Galaxy Note 7 Production as Battery Problems Linger (NYT)
Samsung discontinues Galaxy Note 7 after battery debacle (Gene Wirchenko)
Better Software Security and Privacy by Law(suit)?!!? (Catalin Cimpanu
via Werner U)
Censorship by Legal Trickery (Catalin Cimpanu)
Publishing Malware Open-Source on GitHub... (Catalin Cimpanu)
Re: Bruce Schneier: Economics of security and the IoT (Al Mac)
Re: Dutch Police connected to private cameras (Peter Houppermans)
Re: Yahoo scanned customer e-mails (Michael Marking)
Re: Undetectable election hacking? (John Sebes, Mark Kramer,
Michael Kohne, Mark E. Smith)
Abridged info on RISKS (comp.risks)
Date: Tue, 11 Oct 2016 09:16:35 +0100
From: "Wendy M. Grossman" <wen...@pelicancrossing.net>
Subject: How computers are setting us up for disaster (Tim Harford)
In this essay at the Guardian, Tim Harford suggests that reliance on
automation is setting us up for disaster as, like airline pilots, we become
more used to manipulating computer systems than directly running the systems
they control. Harford draws lessons from aviation, where this "mode
confusion" causes plane crashes such as, to apply to council decisions and
self-driving cars. Harford concludes by examining the work of Dutch traffic
engineer Hans Monderman, who solved such conundrums by removing cues such as
street signs and forcing drivers, pedestrians, and cyclists to engage with
each other in navigating messy terrain, an approach that sounds risky but
that in practice proved to be safer for all concerned.
Wendy M. Grossman www.pelicancrossing.net Twitter: @wendyg
Date: Wed, 12 Oct 2016 09:55:13 +0100
From: "Wendy M. Grossman" <wen...@pelicancrossing.net>
Subject: Harbinger of The Internet of Things? Tempest in a Teapot?
British data specialist spends 11 hours trying to get his wifi kettle to
make a cup of tea. Wars have been fought for less...
[Of course, the original Internet of Things was the Cambridge Computer Lab
coffee pot. WMG]
[However, that was a camera-only hookup, and one could not remotely
adjust the coffee-pot controls. By the way, The Internet of Things has
the potential of being a colossal fiasco in the making. In any event,
it will have plenty of fodder for RISKS as Things Begin to Unfold (a
nonaccidental pun). PGN]
Date: Wed, 12 Oct 2016 11:54:00 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: English man spends 11 hours trying to make cup of tea with Wi-Fi
A key problem seemed to be that Rittman's kettle didn't come with software
that would easily allow integration with other devices in his home,
including Amazon Echo, which, like Apple's Siri, allows users to tell
connected smart devices what to do. So Rittman was trying to build the
integration functionality himself.
I love the "Attention! You must connect to the kettle network before
proceeding!" error message.
Date: Tue, 11 Oct 2016 09:56:07 -1000
From: the keyboard of geoff goodfellow <ge...@iconia.com>
Subject: NSA could put undetectable "trapdoors" in millions of crypto keys
Dan Goodin, Ars Technica, Oct 11 2016
Technique allows attackers to passively decrypt Diffie-Hellman protected
Researchers have devised a way to place undetectable backdoors in the
cryptographic keys that protect websites, virtual private networks, and
Internet servers. The feat allows hackers to passively decrypt hundreds of
millions of encrypted communications as well as cryptographically
impersonate key owners.
The technique is notable because it puts a backdoor -- or in the parlance of
cryptographers, a "trapdoor" -- in 1,024-bit keys used in the Diffie-Hellman
key exchange. Diffie-Hellman significantly raises the burden on
eavesdroppers because it regularly changes the encryption key protecting an
ongoing communication. Attackers who are aware of the trapdoor have
everything they need to decrypt Diffie-Hellman-protected communications over
extended periods of time, often measured in years. Knowledgeable attackers
can also forge cryptographic signatures that are based on the widely used
digital signature algorithm.
As with all public key encryption, the security of the Diffie-Hellman
protocol is based on number-theoretic computations involving prime numbers
so large that the problems are prohibitively hard for attackers to solve.
The parties are able to conceal secrets within the results of these
computations. A special prime devised by the researchers, however, contains
certain invisible properties that make the secret parameters unusually
susceptible to discovery. The researchers were able to break one of these
weakened 1,024-bit primes in slightly more than two months using an academic
computing cluster of 2,000 to 3,000 CPUs.
Backdooring crypto standards -- "completely feasible"
To the holder, a key with a trapdoored prime looks like any other 1,024-bit
key. To attackers with knowledge of the weakness, however, the discrete
logarithm problem that underpins its security is about 10,000 times easier
to solve. This efficiency makes keys with a trapdoored prime ideal for the
type of campaign former National Security Agency contractor Edward Snowden
exposed in 2013, which aims to decode vast swaths of the encrypted Internet.
"The Snowden documents have raised some serious questions about backdoors in
public key cryptography standards," Nadia Heninger, one of the University of
Pennsylvania researchers who participated in the project, told Ars. "We are
showing that trapdoored primes that would allow an adversary to efficiently
break 1,024-bit keys are completely feasible."
While NIST -- short for the National Institute for Standards and Technology
-- has recommended minimum key sizes of 2,048 bits since 2010, keys of half
that size remain abundant on the Internet. As of last month, a survey
performed by the SSL Pulse service found that 22 percent of the top 200,000
HTTPS-protected websites performed key exchanges with 1,024-bit keys. A
belief that 1,024-bit keys can only be broken at great cost by
nation-sponsored adversaries is one reason for the wide use. Other reasons
include implementation and compatibility difficulties. Java version 8
released in 2014, for instance, didn't support Diffie-Hellman or DSA keys
larger than 1,024 bits. And, to this day, the DNSSEC specification for
securing the Internet's domain name system limits keys to a maximum of 1,024
Poisoning the well
Solving a key's discrete logarithm problem is significant in the
Diffie-Hellman arena. Why? Because a handful of primes are frequently
standardized and used by a large number of applications.
If the NSA or another adversary succeeded in getting one or more trapdoored
primes adopted as a mainstream specification, the agency would have a way to
eavesdrop on the encrypted communications of millions, possibly hundreds of
millions or billions, of end users over the life of the primes. So far, the
researchers have found no evidence of trapdoored primes in widely used
applications. But that doesn't mean such primes haven't managed to slip by
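The item above makes two points a defender can inventory directly: Diffie-Hellman primes below the 2,048-bit minimum, and a single prime shared by many systems. The Python sketch below is an added example, not part of the Ars Technica article or of the researchers' work; it parses PKCS#3 "DH PARAMETERS" PEM blocks and reports both conditions. The host names and the sample primes are constructed, and because a trapdoored prime "looks like any other", nothing here tests for a trapdoor.

```python
import base64
import hashlib

NIST_MIN_BITS = 2048  # minimum size the article says NIST has recommended since 2010


def _der_len(n):
    """Encode a DER length field (short or long form)."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_int(value):
    """Encode a positive integer as a DER INTEGER, leaving room for the sign bit."""
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len(len(raw)) + raw


def make_dh_pem(p, g=2):
    """Build a 'DH PARAMETERS' PEM block; used only to construct the sample input."""
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN DH PARAMETERS-----", *lines,
                      "-----END DH PARAMETERS-----"])


def _read_tlv(der, pos, tag):
    """Return (value bytes, next offset) for the DER element at pos, checking its tag."""
    if pos + 2 > len(der) or der[pos] != tag:
        raise ValueError("unexpected DER tag at offset %d" % pos)
    length = der[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    if pos + length > len(der):
        raise ValueError("truncated DER element")
    return der[pos:pos + length], pos + length


def parse_dh_pem(pem):
    """Extract (p, g) from SEQUENCE { INTEGER p, INTEGER g } inside the PEM block."""
    b64 = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    seq, _ = _read_tlv(base64.b64decode(b64), 0, 0x30)
    p_raw, nxt = _read_tlv(seq, 0, 0x02)
    g_raw, _ = _read_tlv(seq, nxt, 0x02)
    return int.from_bytes(p_raw, "big"), int.from_bytes(g_raw, "big")


def audit(host_params):
    """Group hosts by prime and flag primes that are undersized or shared."""
    groups = {}
    for host, pem in sorted(host_params.items()):
        p, _g = parse_dh_pem(pem)
        raw = p.to_bytes((p.bit_length() + 7) // 8, "big")
        fp = hashlib.sha256(raw).hexdigest()[:16]  # short fingerprint of the prime
        entry = groups.setdefault(fp, {"bits": p.bit_length(), "hosts": []})
        entry["hosts"].append(host)
    for entry in groups.values():
        findings = []
        if entry["bits"] < NIST_MIN_BITS:
            findings.append("below %d-bit minimum" % NIST_MIN_BITS)
        if len(entry["hosts"]) > 1:
            findings.append("prime shared by %d hosts" % len(entry["hosts"]))
        entry["findings"] = findings
    return groups


# Constructed sample inventory. Mersenne primes stand in for real DH primes only
# because their primality is well known; they are not groups anyone should deploy.
SMALL = make_dh_pem(2**1279 - 1)   # 1,279-bit prime, under the minimum
LARGE = make_dh_pem(2**2203 - 1)   # 2,203-bit prime, over the minimum
SAMPLE = {"vpn1.example": SMALL, "vpn2.example": SMALL, "www.example": LARGE}

if __name__ == "__main__":
    for fp, e in audit(SAMPLE).items():
        print(fp, e["bits"], ",".join(e["hosts"]), e["findings"] or "no findings")
```
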
Date: Tue, 11 Oct 2016 01:02:44 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Samsung Halts Galaxy Note 7 Production as Battery Problems Linger
The move is a major setback for the world's largest producer of smartphones,
which had been gaining ground against Apple in the high-end market.
Date: Wed, 12 Oct 2016 09:59:26 -0700
From: Gene Wirchenko <ge...@telus.net>
Subject: "Samsung discontinues Galaxy Note 7 after battery debacle"
Put this one under the risks of getting computer hardware wrong.
An article I read several years ago about battery problems -- yes, this has
been an issue that long -- stated roughly that the high concentration of
energy in a battery makes it a bomb. Unfortunately, we are seeing cases
where this most definitely is correct.
I suggest that this problem is going to continue because of the lack of an
effective countercheck against users' desire for as-long-as-possible battery
life. Maybe, it will end when a safe battery is found (next to the
leprechaun's gold at the other end of the rainbow)?
John Ribeiro, InfoWorld, 11 Oct 2016
Samsung discontinues Galaxy Note 7 after battery debacle
Problems worsened for Samsung after reports that even replacement
Note 7 phones were catching fire
Date: Tue, 11 Oct 2016 17:50:17 +0200
From: Werner U <wern...@gmail.com>
Subject: Better Software Security and Privacy by Law(suit)?!!?
[French sue Apple over 'imposing unbalanced contracts' and 'the sorry
state' of their Software Support and Maintenance. Hmmm... the ToS of most
websites and software, online and offline, appear so abominably
'unbalanced' today, to appear 'sittenwidrig'
<https://de.wikipedia.org/wiki/Sittenwidrig> to any fair-minded person I
know (see also <https://en.wikipedia.org/wiki/Unconscionability>) so,
without any further ado.]
Catalin Cimpanu, 9 Oct 2016
French Company Sues Apple Because of Improper HTML5 Support in iOS
Company wants Apple to open iOS for other browsers
Nexedi, a French software development company, is suing Apple in a French
court because of the sorry state of HTML5 support on iOS, and because Apple
actively prevents third-party browser engines from running on iOS.
The company filed a civil lawsuit in France because a local law gives it the
best chances of succeeding in its effort. A local French law passed a few
years back prevents large companies from imposing unbalanced contracts on
Nexedi says that Apple forces software developers to sign an unfair contract
when submitting an app to the iOS App Store that states that all web content
should be handled by a WebKit-based browser engine.
The French company's problem is that the WebKit engine is seriously lagging
behind when it comes to supporting modern HTML5 features. Because Apple
forces iOS app developers to use WebKit-based browsers, developers must
invest serious time and effort into porting modern apps to work with the
limited version of HTML5 supported in iOS, indirectly cutting down their
[Very long item pruned for RISKS. PGN]
Date: Tue, 11 Oct 2016 16:09:31 +0200
From: Werner U <wern...@gmail.com>
Subject: Censorship by Legal Trickery (Catalin Cimpanu)
Catalin Cimpanu, *The Washington Post*, 11 Oct 2016
People Are Suing Nonexistent Persons to Trick Google in Censoring Search
Companies and individuals have filed dozens of defamation lawsuits against
nonexisting persons, which after a complicated legal procedure lead judges
into issuing court orders that force online platforms such as Google, Yelp,
and others to remove bad reviews or negative articles.
This new legal trick to censor bad press on the Internet came to light
following an investigation by The Washington Post, which uncovered 25
The common theme in all cases was that the lawsuit's defendant was not a
real person, which WP validated with the help of a private investigator.
Lawyers find clever (probably illegal) trick to censor Google, Yelp.
Plaintiffs had filed lawsuits for defamatory comments and defamation claims
against nonexistent persons, who then "mysteriously" agreed for an
injunction on their comments or articles.
Faced with a quick resolution to the case, judges would approve the
self-agreed injunction and put out a court order to have the web page taken
The plaintiff would then take this court order and pass it on to Google or
Yelp, who acted on it and removed the content from their search results and
Internet companies furiously fight against illegal takedown notices, but
when the takedown notice is accompanied by an "official" court order, they
trust that the judge had taken the right decision. SEO reputation
management company tied to many lawsuits. [...]
[Long item pruned for RISKS. PGN]
Date: Tue, 11 Oct 2016 11:01:21 +0200
From: Werner U <wern...@gmail.com>
Subject: Publishing Malware Open-Source on GitHub... (Catalin Cimpanu)
Catalin Cimpanu, Softpedia, 26 Sept 2016
New Open Source Linux Ransomware Shows Infosec Community Divide
*UPDATE:* Following our investigation into this matter, and seeing the
vitriol-filled reaction from some people in the infosec community, Zaitsev
has told Softpedia that he decided to remove the project from GitHub,
shortly after this article's publication. The original, unedited article is
Security researchers can't decide if publishing open-source ransomware on
GitHub is a bad or a good idea
CryptoTrooper, an open source kit for building Linux ransomware, has divided
the infosec community right down the middle. The hot potato at the heart of
the debate is the same issue that surrounded Utku Sen's EDA2 and Hidden Tear
ransomware building kits for Windows. Should security researchers create
"ransomware for educational purposes" and should they release them on
GitHub? While you may think the clear-cut answer is "Hell NO!!!,"
surprisingly, the reality is quite different. A recent Twitter poll has
asked users "Is open source ransomware helping improve ransomware
detection/prevention, or making it worse?"
The final result was extremely close, with 54 percent for "No, it's not
helping," and 46 percent for "Yes, it's helping." Twitter poll reignites
the "open source ransomware" debate. [...]
[Long item pruned for RISKS. PGN]
Date: Wed, 12 Oct 2016 12:42:42 -0500
From: "Alister Wm Macintyre (Wow)" <macwhee...@wowway.com>
Subject: Re: Bruce Schneier: Economics of security and the IoT (Risks 29.82)
Can Brian Krebs use the 9-11 victims law to sue device manufacturers
involved in the attack upon him, or the nations where they were built?
Anyone can say they were terrorized by an attack - that is a subjective
A quick recap what the US 911 victims law is: Congress passed it, Pres Obama
vetoed it, Congress overwhelmingly over-ruled the veto. It grants to
victims of terrorism, the right to sue governments they think are
It was intended to allow 9-11 victims to sue Saudi Arabia for what bin Laden
orchestrated, but the 911 commission showed that Saudi Arabia was not
responsible -- claims that they were, are political rhetoric posturing, which
does not work in a court of law. The Saudis kicked bin Laden out of their
nation, and the Sudan, long before 9-11. He selected many Saudi confederates
to try to drive a wedge between USA and the Saudi gov. It was Afghanistan
Taliban (gov wiped out by USA & NATO) gave him sanctuary. Locating those
Taliban today, and getting them into court, may be a lost cause, thanks to
the US assassination program. It is easier to seize their assets via Panama
US 911 victims law may have opened the door for residents of Afghanistan,
Iraq, Iran, Libya, Pakistan, Somalia, Syria, Yemen, etc. to sue the US
government for acts of war against people of those nations, which have
Date: Tue, 11 Oct 2016 09:29:10 +0200
From: Peter Houppermans <pe...@houppermans.net>
Subject: Re: Dutch Police connected to private cameras (Bos, RISKS-29.83)
The links in the Cyberwar article do not work. The more detailed project
description is at https://www.politie.nl/themas/live-view.html and is in
Dutch, but Google translate does a reasonable job here (the English language
brochure is a bit short on detail). The project has apparently been live
for a few years.
The project states in the "privacy" section that the police only gets a feed
on request (after an incident), but the list of other uses seems hard work
without some direct access ability. That doesn't mean the facility is
actually there, but the temptation certainly is..
Date: Mon, 10 Oct 2016 23:25:48 +0000
From: Michael Marking <mark...@tatanka.com>
Subject: Re: Yahoo scanned customer e-mails (Maziuk, RISKS-29.83)
Sorry, I wasn't clear about the suggestion. I'll be more specific.
>> Why can't we have a new standard, designed to work with the major browsers
>> and e-mail vendors -- maybe built on PGP -- that would take the encryption
>> responsibility out of the hands of the e-mail providers,
> For one thing, because encryption is downright illegal in Chernarus and
> requires a separate government license in Freedom.
I was not suggesting that Google, Yahoo, or Mozilla be involved. My
suggestion to take the responsibility out of their hands was fundamental to
programmer, so I may be misunderstanding completely the context of the
problem. However, I can install third-party plugins in my personal copy of
Firefox which will change the appearance and function of the display. For
example, I can install a plug-in which adds a button to download YouTube
videos. (That specific one crashed my browser, but presumably they can be
made to work correctly.) So, if there is some text entry widget on my
display -- maybe there so that I can type in an e-mail -- why can't I add a
plugin which encrypts what I type? I can imagine that the access to the text
entry widget would have other uses, as well: maybe it would help the
disabled, or allow specialized kinds of data entry, so there are other
plausible reasons to modify the widget.
Maybe some standardization of e-mail text entry widgets would make
this easier, maybe not. That's beyond my knowledge at this time.
By putting an externally developed façade on the widget, no involvement
by the browser developer or the e-mail provider is required. They can,
indeed, claim honestly that they can't help the spooks.
Now, I was proposing a technical solution. The points made by Mr Maziuk
regarding the legalities and uses of such an encrypting plugin, while
relevant in some instances, aren't relevant in all instances, and don't make
the technical solution infeasible at any rate. If a resident of some
jurisdiction which has a dim view of encryption wants to go ahead, then who
am I to stop him?
Regarding some of Mr Maziuk's musings, I don't have to open a potentially
incriminating e-mail if I don't want, encrypted or not. At least with an
encrypting plugin, I can check the digital signature before so doing. And I
rather like the non-Latin-script domain names. Why should everyone be
required to write the same way?
I'd like to solve the world's political and human rights problems, but don't
know how. At least I can take a stab at some software challenges. ;-)
Date: Mon, 10 Oct 2016 17:21:32 -0700
From: John Sebes <jse...@osetfoundation.org>
Subject: Re: Undetectable election hacking? (Smith, RISKS-29.83)
"The only way to ensure that your vote is not counted, is to not vote." is
a belief that's been voiced widely during the recent vogue on "hacking
elections" and "the Russian hackers", by many colleagues of mine at the Open
Source Election Technology Institute and within the election tech and
election integrity communities.
In RISKS 29.83, Mark Smith was accurate in listing several of the most
important ways in which one's vote *might* not count, or be counted
accurately (two separate things BTW).
But I have to respectfully disagree on the conclusion. Despite all the risks
Mark enumerated, and many others, many people's votes are counted, and it
still remains true that if you don't try to vote, you have 0% chance of
being counted; while if you do vote you do have a chance of being counted.
I understand how many people feel bad that there is no way for any one
person to be certain that their cast ballot would be counted, and
correctly. We can wish for a perfect system, but in fact it is a structural
principle of this unique transaction -- authenticated, access controlled,
anonymous, and non-reversible -- that such certainty is impossible. This is
actually by design, from the principle of anonymity to avoid bribery and
I understand Mark's sentiment that one tends to not use a critical system
when it is not trustworthy. I would not call our election process
untrustworthy as a whole, but it is clear that the certainty Mark seeks is
not part of it.
I understand the impulse to not have faith in a system that lacks guarantees
that one might wish for, and I don't want to try to convince Mark or anyone
else to have faith in such a system.
AND YET, I believe that voting is such an essential and vital part of
democracy, that I urge Mark and anyone else with his doubts, to put in the
small effort to vote *notwithstanding* the concerns we all have about the
complex election system that we inherited. If everyone who had the same type
of doubts that Mark has (and/or others that I and other election folks have)
were to not vote, then we would not have an effective democracy. We are
already teetering on the brink, with participation so low. Sometimes we have
a moral imperative to act despite a lack of faith in the act or its
effectiveness -- and for me, voting is included.
So please vote! The effort involved is not great. The result is important --
another ballot that has a chance to be counted accurately, as part of an
election with just that one person's participation's increment in
legitimacy. We have *already* bet the whole country on the chance of an
election with legitimacy -- and each of us can act to further that goal,
preventing the nightmare of a broken election.
John Sebes, CTO, OSET Institute
"If I learn that a system vital to my survival cannot be trusted, I tend to
stop using it until or unless it has been fixed. Therefore, once I
understood that there was no way I could be certain that my vote would be
counted, I stopped voting. Nobody, no matter how highly credentialed and
respected, is going to convince me to have faith in an untrustworthy system.
If you want to gamble, risk your own money, but please don't bet the whole
country on it."
Date: Tue, 11 Oct 2016 18:18:26 -0400
From: Mark Kramer <c28...@theworld.com>
Subject: Re: Undetectable election hacking? (Smith, RISKS-29.82)
"Mark E. Smith" <mym...@gmail.com> writes:
> In reality there are at least three other ways that your vote for sure
> doesn't get counted:
> 1. The Electoral College vote does not follow the popular vote, as
> happened in 1876 and 1888, or if, as in 1824, neither candidate gets an
> Electoral College majority and the House of Representatives elects the
Despite appearances to the contrary, there is NO "popular vote" for the US
president and vice president. The electoral college system has been in place
for centuries at this point, and it should have been taught to every child
when they had civics class in grade school. It should not be a surprise to
any US voter.
The votes were, indeed, counted IN THE STATES THEY WERE CAST, according to
the Constitutionally mandated system, and the meaningless "popular vote
total" was quite properly ignored.
The votes were counted in 1824 as well, but since there was no majority in
the electoral college the Constitutionally mandated process for resolving
that issue was used. This, too, is part of the civics education that all
school children should be getting.
> 2. The Supreme Court steps in as it did in Bush v. Gore 2000 and stops the
SCOTUS did NOT "stop the vote count". The votes had been counted. The votes
had been recounted. SCOTUS ruled that the authority for determining the vote
counting process in the state of Florida rested with the legislature of the
state of Florida and the Secretary of State of the state of
Florida. Further, SCOTUS found that the legislature had acted properly in
creating the process. The plaintiff's request for yet another recount,
which would have prevented the certification of the electors to the
electoral college in time for the electoral college balloting, was denied.
The effect of delaying the certification of the result would be that every
voter in the state of Florida would have had their vote counted BUT IGNORED
in determining the final result. The state of Florida would have lost their
votes in the electoral college, with the effective disenfranchisement of
every voter in that state.
> 3. One candidate concedes before all the votes have been counted, as then
> Presidential candidate John Kerry did in 2004.
If your candidate concedes prior to the votes being counted, that's the
fault of your candidate and not the system.
> Therefore, once I understood that there was no way I could be certain that
> my vote would be counted, I stopped voting.
The effect of changing the rules after the ballots have been counted because
your preferred candidate did not win is not how you "be certain that [my]
vote would be counted." In fact, it is trying to make certain that the votes
of other people, who exercised their right to vote for the other person,
would not be counted.
Date: Tue, 11 Oct 2016 07:39:12 -0400
From: Michael Kohne <mhko...@kohne.org>
Subject: Re: Undetectable election hacking? (Smith, RISKS-29.83)
You know, this is probably the worst POSSIBLE response to a broken electoral
system. And I won't argue the point that our electoral system has problems -
you are correct that it does. But moaning that it's broken while you sit at
home on election day doesn't get it fixed. Staying home just gives anyone
monkeying around with the system that much more leverage to work with.
I can certainly respect that you believe the system is much more broken than
I believe. I could certainly be wrong. But I can't respect just sitting
there whining without even trying to vote, let alone FIX it.
And no, 'protesting' by not voting isn't fixing anything. It's a cop-out. It
accomplishes NOTHING. You want to actually FIX things, then start harassing
your government. Be annoying enough that they fix things just so you'll go
Date: Tue, 11 Oct 2016 11:32:58 -0700
From: "Mark E. Smith" <mym...@gmail.com>
Subject: Re: Undetectable election hacking? (Kohne, RISKS-29.84)
> "You want to actually FIX things, then start harassing your government.
> Be annoying enough that they fix things just so you'll go away."
If by "your government," you mean "elected" officials, they cannot be
harassed. Only their biggest donors can actually get face time with them.
Those who attempt to harass their paid staffers, interns, and volunteers,
are dealt with according to time-tested bureaucratic methods that protect
plutocrats from the mob and rabble. Those who persist to the point of
becoming annoying can be arrested if they don't go away.
Once you vote, you have delegated your power to the plutocracy. You have
consented to allow them to make your decisions for you. You no longer have a
voice. When you voted, you signed a contract to leave things up to whoever
happens to win. Attempts to renege on, or even seriously protest that
contract, can be prosecuted as criminal acts.
To vote is to declare yourself incompetent to manage your own affairs, and
to appoint whoever takes office as your guardian with a full power of
attorney to spend your money and dictate your choices. If that's your
intention, go right ahead and vote.
It isn't difficult to know who'll win an election. Just look online to see
how much money was donated to them by the big banks and multinational
corporations. If one candidate got more money than the other, that's who
will win. If both got almost equal amounts, it doesn't matter who wins, as
their policies will be the same.
Date: Wed, 17 Aug 2016 11:11:11 -0800
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
*** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
End of RISKS-FORUM Digest 29.84