info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Risks Digest 30.97
48 views
Skip to first unread message
RISKS List Owner
Dec 20, 2018, 6:40:14 PM12/20/18
to ri...@csl.sri.com
RISKS-LIST: Risks-Forum Digest Thursday 20 December 2018 Volume 30 : Issue 97
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.97>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents: Several approaches to resolve the Emacs/UTF-8/mailer problems.
Sneaky parrot uses Amazon Alexa to shop while owner is away (WFLA)
The GPS wars are here (Foreign Policy)
Both engines on Virgin Australia ATR 72 "flame out" (SMH)
Drone shatters passenger jet's nose-cone, radar (RT)
Uber exec warned of rampant safety problems before fatal crash
(Ars Technica)
Ingestible Capsule Can Be Controlled Wirelessly (MIT News)
How a National Security Investigation of Huawei Set Off an International
Incident (NYTimes)
Apache Misconfig Leaks Data on 120 Million Brazilians (InfoSecurity)
"Market volatility: Fake news spooks trading algorithms" (Tom Foremski)
"Rhode Island sues Google after latest Google+ API leak" (Catalin Cimpanu)
New Zealand courts banned naming Grace Millane's accused killer; Google
just emailed it out. (The Guardian)
Iranian phishers bypass 2fa protections offered by Yahoo Mail and Gmail
(Ars Technica)
Turning on 2FA potentially harmful (Toby Douglass)
Top 10 worst password FAILS of 2018 (CSO)
She'd just had a stillborn child. Tech companies wouldn't let her forget it
(Chris Matyszczyk)
Thousands of Jenkins servers will let anonymous users become admins
(Catalin Cimpanu)
"Bing recommends piracy tutorial when searching for Office 2019"
(Catalin Cimpanu)
"Big Brother is driving with you!" (Rob Hull)
Delivery robot bursts into flames at UC Berkeley, students hold it a vigil
(SanFranChronicle)
Re: Your apps know where you were last night, and they're not
(Kelly Bert Manning)
Re: Rudy Giuliani Says Twitter Sabotaged His Tweet (Kurt Seifried)
Re: What Happens When You Reply All to 22,000 State Workers (Amos Shapir)
Re: Annoyed Baltimore Drivers Want City To Crack Down On `Squeegee Kids'
(Richard M Stein, John R. Levine, David Waitzman)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Mon, 17 Dec 2018 16:52:35 -0500
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Sneaky parrot uses Amazon Alexa to shop while owner is away
(WFLA)
TAMPA, Fla. (WFLA) - A foul-mouthed parrot, who was kicked out of an animal
sanctuary for swearing too much, is using technology to cause even more
trouble. The Times of London reports Rocco, an African grey, has been using
Amazon Alexa to shop online while his owner was away.
His owner, Marion Wis[c]hnewski told the newspaper she was shocked to find
that her Amazon account suddenly had pending orders for various snacks,
including watermelon and ice cream and also a kettle. “I have to check the
shopping list when I come in from work and cancel all the items he's
ordered,” Wischnewski told *The Daily Mail*.
https://www.wfla.com/news/viral-news/sneaky-parrot-uses-amazon-alexa-to-shop-while-owner-is-away/1662596515
[Coyly, that case is the ``real macaw'' (at least in English-speaking
idioms, but perhaps not in Macao). However, it reminds me of several very
funny parroting jokes -- one that makes sense only when told in German,
one about a seemingly very devout parrot who surprisingly turns
foul-mouthed, and more. Best wishes for some Holiday Cheer! PGN]
------------------------------
Date: Tue, 18 Dec 2018 11:12:22 -0500
From: Gabe Goldberg <ga...@gabegold.com>
Subject: The GPS wars are here (Foreign Policy)
The problem first hit during Russia's September 2017 Zapad military exercise
in its western regions, near the Baltic states. Then it happened again in
October during NATO’s Trident Juncture exercise, held in Norway. GPS signals
across far northern Norway and Finland failed. Civilian airplanes were
forced to navigate manually, and ordinary citizens could no longer trust
their smartphones.
https://foreignpolicy.com/2018/12/17/the-gps-wars-are-here/
------------------------------
Date: Tue, 18 Dec 2018 20:08:03 +0000
From: John Colville <John.C...@uts.edu.au>
Subject: Both engines on Virgin Australia ATR 72 "flame out" (SMH)
https://www.smh.com.au/national/virgin-australia-under-investigation-after-engines-flame-out-during-landing-20181218-p50n22.html
Virgin Australia is under investigation after two engines on one of its
aircraft "flamed out" during descent and had to be manually re-ignited
before the aircraft hit the tarmac. The incident, which involved an ATR 72
twin-engine turboprop aircraft en route from Sydney to Canberra on December
13, has been categorised as "serious" by the Australian Transport Safety
Bureau (ATSB).
------------------------------
Date: Fri, 14 Dec 2018 13:34:16 -1000
From: the keyboard of geoff goodfellow <ge...@iconia.com>
Subject: Drone shatters passenger jet's nose-cone, radar (RT)
Imagine if that goes through a window or an engine.
https;//www.rt.com/news/446416-plane-drone-collision-mexico/
------------------------------
Date: Tue, 18 Dec 2018 16:47:16 -0500
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Uber exec warned of rampant safety problems before fatal crash
(Ars Technica)
"They told me incidents like that happen all of the time," whistleblower
wrote.
https://arstechnica.com/tech-policy/2018/12/uber-exec-warned-of-rampant-safety-problems-days-before-fatal-crash/
------------------------------
Date: Mon, 17 Dec 2018 11:17:19 -0500
From: ACM TechNews <technew...@acm.org>
Subject: Ingestible Capsule Can Be Controlled Wirelessly (MIT News)
Anne Trafton, MIT News, 13 Dec 2018, via ACM TechNews, 17 Dec 2018
Researchers at the Massachusetts Institute of Technology (MIT) and Brigham
and Women's Hospital have designed an ingestible capsule that can be
controlled wirelessly via Bluetooth. The three-dimensionally-printed
capsules, which can be customized to dispatch drugs, sense environmental
conditions, or both, can remain in the stomach for at least a month,
transmitting information and responding to instructions from a smartphone.
The capsules also could be used to communicate with other wearable and
implantable devices, transmitting their pooled information to the patient or
doctor's smartphone. Within the capsule is a device with six arms that fold
up before encasement; once swallowed, the capsule dissolves and the arms
expand so the device can lodge in the stomach. Said former MIT postdoc Yong
Lin Kong, "The self-isolation of wireless signal strength within the user's
physical space could shield the device from unwanted connections, providing
a physical isolation for additional security and privacy protection."
https://orange.hosting.lsoft.com/trk/click%3Fref%3Dznwrbbrs9_6-1d946x2192dfx068970%26
[Risks in ingested capsules? They are not "in jest". Compromised 3-D
printing instructions? sharp arms? embedded transmitters? monitoring?
interference with brain signals? doping? absorbable toxins triggered
remotely? And others left to your imaginations. PGN]
------------------------------
Date: Fri, 14 Dec 2018 22:46:03 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: How a National Security Investigation of Huawei Set Off an
International Incident (NYTimes)
https://www.nytimes.com/2018/12/14/business/huawei-meng-hsbc-canada.html
The chief financial officer was arrested after a years-long American inquiry
into the Chinese telecommunications company.
------------------------------
Date: Fri, 14 Dec 2018 23:18:35 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: Apache Misconfig Leaks Data on 120 Million Brazilians
(InfoSecurity)
https://www.infosecurity-magazine.com/news/apache-misconfig-leaks-data-120/
------------------------------
Date: Thu, 13 Dec 2018 09:00:56 -0800
From: Gene Wirchenko <ge...@telus.net>
Subject: "Market volatility: Fake news spooks trading algorithms"
(Tom Foremski)
ZDnet, 10 Dec 2018
Stock trading algorithms know how to read news headlines, but they don't
know what's real.
https://www.zdnet.com/article/market-volatility-fake-news-spooks-trading-algorithms/
selected text:
Fake news and inaccurate headlines may have contributed to recent stock
market volatility, as trading algorithms try to interpret market-related
news.
Hugh Son, at CNBC reported that in a note written to clients by J.P. Morgan
Chase's top quant, Marko Kolanovic, blamed a media landscape that's a mix of
real and fake news, which makes it easy for others to amplify negative
news. The effects can be seen that, in spite of a booming economy and
positive signals, the markets are reacting strongly to this mix of negative
news.
High-speed trading algorithms scan news stories to try and quickly determine
if there is any market-moving information that affects their portfolios. It
doesn't give them much time to determine which news stories are real.
For example, a few years ago stock trading algorithms were buying Berkshire
Hathaway stock because actress Anne Hathaway was in the news with a new
movie.
------------------------------
Date: Thu, 13 Dec 2018 08:57:02 -0800
From: Gene Wirchenko <ge...@telus.net>
Subject: "Rhode Island sues Google after latest Google+ API leak"
(Catalin Cimpanu)
ZDNet,12 Dec 2018
Google sued within a day after announcing latest Google+ API leak.
https://www.zdnet.com/article/rhode-island-sues-google-after-latest-google-api-leak/
opening text:
A day after Google announced a Google+ API leak that could have exposed the
personal information of over 52.5 million users, a Rhode Island government
entity filed a class-action lawsuit in a California court.
------------------------------
Date: Wed, 12 Dec 2018 20:36:55 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: New Zealand courts banned naming Grace Millane's accused
killer; Google just emailed it out. (The Guardian)
That one of the world's biggest companies rides roughshod over a court order
tells you all you need to know about the giants of Silicon Valley
EXCERPT:
Imagine if a media company told you the name of the man accused of killing
Grace Millane. Imagine if, in defiance of a very clear court ruling of
interim name suppression, that company told you his name in an email --
spelling it out, even, in the subject header.
Unthinkable? That's exactly what happened in the early hours of Tuesday.
The media company wasn't (New Zealand's) the Herald or Stuff. It wasn't
TVNZ or Newshub or RNZ. New Zealand media outlets, from the hobbyist
bloggers to the biggest broadcasters, respected the proscription on naming
the accused. Of course they did: they understand consequences for breaching
such an order, and in fact spend significant time and resource policing
their social media channels to ensure their audience doesn't breach
suppression either.
Not just because the courts would take action against them for doing so.
They understand, too, that it would be morally odious to do so: it could
risk damaging the course of justice in an appalling murder that has left a
family distraught and sent waves of grief and upset through the country.
The company that paid precisely zero heed to all that is a media and
technology corporation from Silicon Valley. A global colossus against which
all of New Zealand;s media companies combined amount to a dim pixel. The
company is Google. Shortly after midnight on Tuesday this week, it delivered
to everyone signed up to its `what's trending in New Zealand' email the name
of the 26-year-old accused of the most headlined crime in this country in
2018...
https://www.theguardian.com/world/2018/dec/13/new-zealand-courts-banned-naming-grace-millanes-accused-killer-google-just-emailed-it-out
------------------------------
Date: Thu, 13 Dec 2018 14:48:52 -0800
From: Lauren Weinstein <lau...@vortex.com>
Subject: Iranian phishers bypass 2fa protections offered by Yahoo Mail and
Gmail (Ars Technica)
(via NNSquad)
"In other words, they check victims' usernames and passwords in realtime
on their own servers, and even if 2 factor authentication such as text
message, authenticator app or one-tap login are enabled they can trick
targets and steal that information too," Certfa Lab researchers wrote.
https://arstechnica.com/information-technology/2018/12/iranian-phishers-bypass-2fa-protections-offered-by-yahoo-mail-and-gmail/
Avoid using text messaging as a second factor whenever possible!
------------------------------
Date: Mon, 17 Dec 2018 19:52:37 +0200
From: Toby Douglass <ri...@winterflaw.net>
Subject: Turning on 2FA potentially harmful
When you make an account with a username, email address and password, it's
usual that a verification email is sent. If the password is later lost, it
is again an email which is used to send the password reset link, so here we
see the mechanism to make the account is the mechanism to recover the
account. If you can make the account, then you possess the means to recover
the account.
Two factor authentication when enabled guarantees that the person attempting
to log in knows the username, email, password and possesses the 2FA device.
If the device is lost, email cannot be used for recovery, because then both
the password and device can be compromised by access to the email address.
The question then is how to recover from loss of the 2FA device, and there
is no obviously easy way. It actually seems to come down to methods to
obtain a partial or full proof of identity - something, critically, which
was *not* required to *enable* 2FA.
It is then that the mechanisms to activate and to recover 2FA are not the
same, and so it can be one works while the other does not, and so it can be
that 2FA is activated, but does not work, and cannot be recovered because
the provided mechanisms do not or cannot work, which means the account is
inaccessible.
Turning on 2FA can be in and of itself a risk.
(As you gentle reader may have guessed, this is what happened today, with
Amazon. In the light of the recent kernel.org DNS hijack, I activated 2FA
on my Amazon account. 2FA activation worked, but log in to Amazon did not,
and both the 2FA resync and account recovery pages seemed broken server-side
("internal error"), and 2FA support is only available in the form of Amazon
phoning you, and I cannot currently be phoned. I thought then to try my
luck with AWS rather than Amazon, log in failed still but the resync page on
AWS worked, and having worked, I could log into both retail Amazon and AWS.
If AWS resync also had not worked, I would now be locked out of my account.)
------------------------------
Date: Fri, 14 Dec 2018 23:21:54 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: Top 10 worst password FAILS of 2018 (CSO)
https://www.csoonline.com/article/3326830/security/top-10-worst-password-fails-of-2018.html
------------------------------
Date: Thu, 13 Dec 2018 09:09:47 -0800
From: Gene Wirchenko <ge...@telus.net>
Subject: She'd just had a stillborn child. Tech companies wouldn't let her
forget it (Chris Matyszczyk)
Technically Incorrect, ZDnet, 13 Dec 2018
A woman pleads with tech companies like Facebook and Twitter to stop serving
her ads to intensify her grief.
https://www.zdnet.com/article/shed-just-had-a-stillborn-child-tech-companies-wouldnt-let-her-forget-it/
[A summary would not do this article justice. GW]
------------------------------
Date: Sun, 16 Dec 2018 16:13:41 -0800
From: Gene Wirchenko <ge...@telus.net>
Subject: Thousands of Jenkins servers will let anonymous users become admins
(Catalin Cimpanu)
ZDNet, 16 Dec 2018
Two vulnerabilities discovered and patched over the summer expose Jenkins
servers to mass exploitation.
https://www.zdnet.com/article/thousands-of-jenkins-servers-will-let-anonymous-users-become-admins/
------------------------------
Date: Sun, 16 Dec 2018 16:09:44 -0800
From: Gene Wirchenko <ge...@telus.net>
Subject: "Bing recommends piracy tutorial when searching for Office 2019"
(Catalin Cimpanu)
ZDNet, 14 Dec 2018
Oh, Bing! Not again!
https://www.zdnet.com/article/bing-recommends-piracy-tutorial-when-searching-for-office-2019/
opening text:
Microsoft is sending users who search for Office 2019 download links via its
Bing search engine to a website that teaches them the basics about pirating
the company's Office suite.
This happens every time users search for the term "office 2019 download" on
Bing. The result is a Bing search card (highlighted search results) that
links to a piracy tutorial.
------------------------------
Date: Sun, 16 Dec 2018 19:55:10 +0000
From: Chris Drewe <e76...@yahoo.co.uk>
Subject: "Big Brother is driving with you!" (Rob Hull)
Thisismoney.co.uk, Daily Mail, 5 Dec 2018
Item in newspaper seen this week. There's a lot of debate about driverless
vehicles, but how much control will drivers still be allowed to have? And
what about older cars (mine was made in 1988) -- will they just be banned,
or only allowed on the roads under strict supervision?
https://www.dailymail.co.uk/money/cars/article-6462429/All-new-cars-fitted-black-box-devices-log-speed.html
Big Brother is driving with you! All new cars could be fitted with black
boxes to log speed and systems to slow them automatically under EU
proposals
https://www.dailymail.co.uk/money/cars/article-6462429/All-new-cars-fitted-black-box-devices-log-speed.html
Big Brother is driving with you! All new cars could be fitted with black
boxes to log speed and systems to slow them automatically under EU
proposals
* The European Council has called for all cars to have data loggers
fitted by law
* These would be able to record speed and which safety features were
activated before, during and after a collision
* Proposals also want new cars to have intelligent speed assistance
systems and pre-wiring so an in-car breathalyser can be installed
* Other requirements for new cars could include lane assist and
fatigue monitors
------------------------------
Date: Sun, 16 Dec 2018 11:46:43 -0500
From: Tom Van Vleck <th...@multicians.org>
Subject: Delivery robot bursts into flames at UC Berkeley, students hold it
a vigil (SanFranChronicle)
*The San Francisco Chronicle* website:
https://www.sfgate.com/bayarea/article/Delivery-robot-catches-fire-at-UC-Berkeley-13470063.php
hmm.
[The amount needed to pony up must have been a Vigil-ante. PGN]
------------------------------
Date: Fri, 14 Dec 2018 18:54:09 -0500
From: Kelly Bert Manning <bo...@freenet.carleton.ca>
Subject: Re: Your apps know where you were last night, and they're not
keeping it secret (NYTimes)
If memory serves me correctly, back in the 1950s and 1960s we were told that
one of the freedoms we enjoyed in the "Free West" was not having to
constantly carry Internal Passports to be produced on demand by police and
other officials. Sounded like a Killer Argument to me.
What a change. Even if you don't carry an electronic ball and chain your
movements could be tracked by licence plate scanners or by facial
recognition. Seems more and more like Moscow or Beijing during the Cold War
to me. Greyhound recently ceased operation in Western Canada, but the last
time I used it in 2005 I saw someone being released from handcuffs after
Vancouver Police decided that him giving the same name as a fugitive to the
bus ticket agent was just a coincidence.
I have never had a personal wireless digital device, so the main exposure
would probably be if I bought a new automobile with some sort of wireless
"feature / vulnerability". I would like to see wireless access in autos made
modular, pull the module and carry on without it. Connect a plug to the
engine interface for diagnosis and firmware updating. I use 100 mpbs wired
ethernet for my home network, not WiFi.
At home web pages ask permission to find the location of my PC. I just say
NO. I have a used laptop with wireless that started out with XP
Professional, but it usually boots with Linux.
For the 2015 Victoria Privacy and Security conference one of the presenters
did the usual live demonstration of a Pineapple type attack. I mentioned my
laptop during the Q&A session, and the fact that I had booted it with Tails
from an optical disk instead of Linux from the hard drive.
Such conferences are places where someone might see a challenge or an
opportunity. An IBM employee gave up a phone number to Kevin Mitnick for a
demo of caller ID spoofing during a previous conference.
Back when I had to carry a work phone I turned off the WiFi and GPS to make
the battery life last longer. I am aware that GPS can be turned on again
problematically. Calling 911 turns on GPS if it has been disabled.
Our current auto is more than 10 years old and lacks that "feature".
At least the e-trike I bought in 2016 does not have wireless, although
it does have a USB port for powering a wireless or other device.
https://www.youtube.com/watch%3Fv%3D1xbPm01fWHM
------------------------------
Date: Wed, 12 Dec 2018 22:22:04 -0700
From: Kurt Seifried <ku...@seifried.org>
Subject: Re: Rudy Giuliani Says Twitter Sabotaged His Tweet (Shapir, 30.96)
In all the twitter clients/web interface I use, if I type text it is black,
until twitter or the client make it a link and then it's blue. Just like in
literally every GUI piece of software I've used for 20+ years that
auto-creates hyperlinks based on what you type. If you are typing text and
some of it turns blue... it's probably because it's now a hyperlink.
Attach it as a text file.
------------------------------
Date: Sat, 15 Dec 2018 11:26:33 +0200
From: Amos Shapir <amo...@gmail.com>
Subject: Re: What Happens When You Reply All to 22,000 State Workers
(RISKS-30.96)
This looks less like a case of recipients using "Reply to All" -- which is
the default mode in many mailers, making mistakes unavoidable -- and more a
case of senders who do not know how to use "Bcc" when sending to a large
list of recipients.
------------------------------
Date: Thu, 13 Dec 2018 12:57:32 +0800
From: Richard M Stein <rms...@ieee.org>
Subject: Re: Annoyed Baltimore Drivers Want City To Crack Down On 'Squeegee
Kids' (Levine, RISKS-30.06)
John -- You might be right: the AV idles until the way forward is
obstacle-free.
We'll have to wait this trolley problem outcome. Alternatively, Waymo in
Chandler, AZ could share a live scenario demo with the world to prove that
"My Mother the Car" is sharp enough to respectfully manage hostile
pedestrian interaction.
I'd put my money on the vehicle occupants, if present, to issue one or more
verbal command overrides or set a new destination with their hailing
application if the squeegee crew acts aggressively. If AV is payload empty,
an infinite standoff might manifest at the intersection/stop point...or not
-- low fuel or diminished reserve power-level might compel AV return to
depot to refuel rather than exhaust reserves and wait AAA for a tow.
Suppose the AV is stuck due to obstacles that shuffle around it and
otherwise impede forward motion -- and possibly at a controlled intersection
or behind another vehicle. I wonder if it'll try to rabbit should the signal
light change to green or remain neutralized until obstacles clear? Possibly,
AV depot control will sense a "help me I am stuck" signal and call the cops
to intervene and run the squeegees off?
------------------------------
Date: 13 Dec 2018 08:28:23 -0500
From: "John R. Levine" <jo...@iecc.com>
Subject: Re: Annoyed Baltimore Drivers Want City To Crack Down On 'Squeegee
Kids' (Stein, RISKS-30.97)
Having been in NYC when it had squeegee guys, this isn't the trolley
problem. They dart out when the light is red, they don't deliberately block
traffic, since that would get them arrested instantly.
------------------------------
Date: Sun, 16 Dec 2018 15:51:37 -0500
From: David Waitzman <dwai...@gmail.com>
Subject: Re: Annoyed Baltimore Drivers Want City To Crack Down On 'Squeegee
Kids' (npr.org)
I would not feel safe, in Baltimore particularly, of rolling down my car
windows for a squeegee kid nor anyone else.
Jacquelyn Smith was killed on December 1st in Baltimore when she "and her
husband saw a woman asking for money. She rolled down her car window to
hand over some cash when her husband said a man approached the car, reached
inside to try to take Smith’s purse and necklace before stabbing her. She
later died at the hospital."
https://www.baltimoresun.com/news/maryland/crime/bs-md-ci-jacquelyn-smith-funeral-20181213-story.html
------------------------------
Date: Tue, 5 May 2018 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
<http://the.wiretapped.net/security/info/textfiles/risks-digest/>
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks have done to URLs. I have
tried to extract the essence.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 30.97
************************
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/30.97>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents: Several approaches to resolve the Emacs/UTF-8/mailer problems.
Sneaky parrot uses Amazon Alexa to shop while owner is away (WFLA)
The GPS wars are here (Foreign Policy)
Both engines on Virgin Australia ATR 72 "flame out" (SMH)
Drone shatters passenger jet's nose-cone, radar (RT)
Uber exec warned of rampant safety problems before fatal crash
(Ars Technica)
Ingestible Capsule Can Be Controlled Wirelessly (MIT News)
How a National Security Investigation of Huawei Set Off an International
Incident (NYTimes)
Apache Misconfig Leaks Data on 120 Million Brazilians (InfoSecurity)
"Market volatility: Fake news spooks trading algorithms" (Tom Foremski)
"Rhode Island sues Google after latest Google+ API leak" (Catalin Cimpanu)
New Zealand courts banned naming Grace Millane's accused killer; Google
just emailed it out. (The Guardian)
Iranian phishers bypass 2fa protections offered by Yahoo Mail and Gmail
(Ars Technica)
Turning on 2FA potentially harmful (Toby Douglass)
Top 10 worst password FAILS of 2018 (CSO)
She'd just had a stillborn child. Tech companies wouldn't let her forget it
(Chris Matyszczyk)
Thousands of Jenkins servers will let anonymous users become admins
(Catalin Cimpanu)
"Bing recommends piracy tutorial when searching for Office 2019"
(Catalin Cimpanu)
"Big Brother is driving with you!" (Rob Hull)
Delivery robot bursts into flames at UC Berkeley, students hold it a vigil
(SanFranChronicle)
Re: Your apps know where you were last night, and they're not
(Kelly Bert Manning)
Re: Rudy Giuliani Says Twitter Sabotaged His Tweet (Kurt Seifried)
Re: What Happens When You Reply All to 22,000 State Workers (Amos Shapir)
Re: Annoyed Baltimore Drivers Want City To Crack Down On `Squeegee Kids'
(Richard M Stein, John R. Levine, David Waitzman)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Mon, 17 Dec 2018 16:52:35 -0500
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Sneaky parrot uses Amazon Alexa to shop while owner is away
(WFLA)
TAMPA, Fla. (WFLA) - A foul-mouthed parrot, who was kicked out of an animal
sanctuary for swearing too much, is using technology to cause even more
trouble. The Times of London reports Rocco, an African grey, has been using
Amazon Alexa to shop online while his owner was away.
His owner, Marion Wis[c]hnewski told the newspaper she was shocked to find
that her Amazon account suddenly had pending orders for various snacks,
including watermelon and ice cream and also a kettle. “I have to check the
shopping list when I come in from work and cancel all the items he's
ordered,” Wischnewski told *The Daily Mail*.
https://www.wfla.com/news/viral-news/sneaky-parrot-uses-amazon-alexa-to-shop-while-owner-is-away/1662596515
[Coyly, that case is the ``real macaw'' (at least in English-speaking
idioms, but perhaps not in Macao). However, it reminds me of several very
funny parroting jokes -- one that makes sense only when told in German,
one about a seemingly very devout parrot who surprisingly turns
foul-mouthed, and more. Best wishes for some Holiday Cheer! PGN]
------------------------------
Date: Tue, 18 Dec 2018 11:12:22 -0500
From: Gabe Goldberg <ga...@gabegold.com>
Subject: The GPS wars are here (Foreign Policy)
The problem first hit during Russia's September 2017 Zapad military exercise
in its western regions, near the Baltic states. Then it happened again in
October during NATO’s Trident Juncture exercise, held in Norway. GPS signals
across far northern Norway and Finland failed. Civilian airplanes were
forced to navigate manually, and ordinary citizens could no longer trust
their smartphones.
https://foreignpolicy.com/2018/12/17/the-gps-wars-are-here/
------------------------------
Date: Tue, 18 Dec 2018 20:08:03 +0000
From: John Colville <John.C...@uts.edu.au>
Subject: Both engines on Virgin Australia ATR 72 "flame out" (SMH)
https://www.smh.com.au/national/virgin-australia-under-investigation-after-engines-flame-out-during-landing-20181218-p50n22.html
Virgin Australia is under investigation after two engines on one of its
aircraft "flamed out" during descent and had to be manually re-ignited
before the aircraft hit the tarmac. The incident, which involved an ATR 72
twin-engine turboprop aircraft en route from Sydney to Canberra on December
13, has been categorised as "serious" by the Australian Transport Safety
Bureau (ATSB).
------------------------------
Date: Fri, 14 Dec 2018 13:34:16 -1000
From: the keyboard of geoff goodfellow <ge...@iconia.com>
Subject: Drone shatters passenger jet's nose-cone, radar (RT)
Imagine if that goes through a window or an engine.
https;//www.rt.com/news/446416-plane-drone-collision-mexico/
------------------------------
Date: Tue, 18 Dec 2018 16:47:16 -0500
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Uber exec warned of rampant safety problems before fatal crash
(Ars Technica)
"They told me incidents like that happen all of the time," whistleblower
wrote.
https://arstechnica.com/tech-policy/2018/12/uber-exec-warned-of-rampant-safety-problems-days-before-fatal-crash/
------------------------------
Date: Mon, 17 Dec 2018 11:17:19 -0500
From: ACM TechNews <technew...@acm.org>
Subject: Ingestible Capsule Can Be Controlled Wirelessly (MIT News)
Anne Trafton, MIT News, 13 Dec 2018, via ACM TechNews, 17 Dec 2018
Researchers at the Massachusetts Institute of Technology (MIT) and Brigham
and Women's Hospital have designed an ingestible capsule that can be
controlled wirelessly via Bluetooth. The three-dimensionally-printed
capsules, which can be customized to dispatch drugs, sense environmental
conditions, or both, can remain in the stomach for at least a month,
transmitting information and responding to instructions from a smartphone.
The capsules also could be used to communicate with other wearable and
implantable devices, transmitting their pooled information to the patient or
doctor's smartphone. Within the capsule is a device with six arms that fold
up before encasement; once swallowed, the capsule dissolves and the arms
expand so the device can lodge in the stomach. Said former MIT postdoc Yong
Lin Kong, "The self-isolation of wireless signal strength within the user's
physical space could shield the device from unwanted connections, providing
a physical isolation for additional security and privacy protection."
https://orange.hosting.lsoft.com/trk/click%3Fref%3Dznwrbbrs9_6-1d946x2192dfx068970%26
[Risks in ingested capsules? They are not "in jest". Compromised 3-D
printing instructions? sharp arms? embedded transmitters? monitoring?
interference with brain signals? doping? absorbable toxins triggered
remotely? And others left to your imaginations. PGN]
------------------------------
Date: Fri, 14 Dec 2018 22:46:03 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: How a National Security Investigation of Huawei Set Off an
International Incident (NYTimes)
https://www.nytimes.com/2018/12/14/business/huawei-meng-hsbc-canada.html
The chief financial officer was arrested after a years-long American inquiry
into the Chinese telecommunications company.
------------------------------
Date: Fri, 14 Dec 2018 23:18:35 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: Apache Misconfig Leaks Data on 120 Million Brazilians
(InfoSecurity)
https://www.infosecurity-magazine.com/news/apache-misconfig-leaks-data-120/
------------------------------
Date: Thu, 13 Dec 2018 09:00:56 -0800
From: Gene Wirchenko <ge...@telus.net>
Subject: "Market volatility: Fake news spooks trading algorithms"
(Tom Foremski)
ZDnet, 10 Dec 2018
Stock trading algorithms know how to read news headlines, but they don't
know what's real.
https://www.zdnet.com/article/market-volatility-fake-news-spooks-trading-algorithms/
selected text:
Fake news and inaccurate headlines may have contributed to recent stock
market volatility, as trading algorithms try to interpret market-related
news.
Hugh Son, at CNBC reported that in a note written to clients by J.P. Morgan
Chase's top quant, Marko Kolanovic, blamed a media landscape that's a mix of
real and fake news, which makes it easy for others to amplify negative
news. The effects can be seen that, in spite of a booming economy and
positive signals, the markets are reacting strongly to this mix of negative
news.
High-speed trading algorithms scan news stories to try and quickly determine
if there is any market-moving information that affects their portfolios. It
doesn't give them much time to determine which news stories are real.
For example, a few years ago stock trading algorithms were buying Berkshire
Hathaway stock because actress Anne Hathaway was in the news with a new
movie.
------------------------------
Date: Thu, 13 Dec 2018 08:57:02 -0800
From: Gene Wirchenko <ge...@telus.net>
Subject: "Rhode Island sues Google after latest Google+ API leak"
(Catalin Cimpanu)
ZDNet,12 Dec 2018
Google sued within a day after announcing latest Google+ API leak.
https://www.zdnet.com/article/rhode-island-sues-google-after-latest-google-api-leak/
opening text:
A day after Google announced a Google+ API leak that could have exposed the
personal information of over 52.5 million users, a Rhode Island government
entity filed a class-action lawsuit in a California court.
------------------------------
Date: Wed, 12 Dec 2018 20:36:55 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: New Zealand courts banned naming Grace Millane's accused
killer; Google just emailed it out. (The Guardian)
That one of the world's biggest companies rides roughshod over a court order
tells you all you need to know about the giants of Silicon Valley
EXCERPT:
Imagine if a media company told you the name of the man accused of killing
Grace Millane. Imagine if, in defiance of a very clear court ruling of
interim name suppression, that company told you his name in an email --
spelling it out, even, in the subject header.
Unthinkable? That's exactly what happened in the early hours of Tuesday.
The media company wasn't (New Zealand's) the Herald or Stuff. It wasn't
TVNZ or Newshub or RNZ. New Zealand media outlets, from the hobbyist
bloggers to the biggest broadcasters, respected the proscription on naming
the accused. Of course they did: they understand consequences for breaching
such an order, and in fact spend significant time and resource policing
their social media channels to ensure their audience doesn't breach
suppression either.
Not just because the courts would take action against them for doing so.
They understand, too, that it would be morally odious to do so: it could
risk damaging the course of justice in an appalling murder that has left a
family distraught and sent waves of grief and upset through the country.
The company that paid precisely zero heed to all that is a media and
technology corporation from Silicon Valley. A global colossus against which
all of New Zealand;s media companies combined amount to a dim pixel. The
company is Google. Shortly after midnight on Tuesday this week, it delivered
to everyone signed up to its `what's trending in New Zealand' email the name
of the 26-year-old accused of the most headlined crime in this country in
2018...
https://www.theguardian.com/world/2018/dec/13/new-zealand-courts-banned-naming-grace-millanes-accused-killer-google-just-emailed-it-out
------------------------------
Date: Thu, 13 Dec 2018 14:48:52 -0800
From: Lauren Weinstein <lau...@vortex.com>
Subject: Iranian phishers bypass 2fa protections offered by Yahoo Mail and
Gmail (Ars Technica)
(via NNSquad)
"In other words, they check victims' usernames and passwords in realtime
on their own servers, and even if 2 factor authentication such as text
message, authenticator app or one-tap login are enabled they can trick
targets and steal that information too," Certfa Lab researchers wrote.
https://arstechnica.com/information-technology/2018/12/iranian-phishers-bypass-2fa-protections-offered-by-yahoo-mail-and-gmail/
Avoid using text messaging as a second factor whenever possible!
------------------------------
Date: Mon, 17 Dec 2018 19:52:37 +0200
From: Toby Douglass <ri...@winterflaw.net>
Subject: Turning on 2FA potentially harmful
When you make an account with a username, email address and password, it's
usual that a verification email is sent. If the password is later lost, it
is again an email which is used to send the password reset link, so here we
see the mechanism to make the account is the mechanism to recover the
account. If you can make the account, then you possess the means to recover
the account.
Two factor authentication when enabled guarantees that the person attempting
to log in knows the username, email, password and possesses the 2FA device.
If the device is lost, email cannot be used for recovery, because then both
the password and device can be compromised by access to the email address.
The question then is how to recover from loss of the 2FA device, and there
is no obviously easy way. It actually seems to come down to methods to
obtain a partial or full proof of identity - something, critically, which
was *not* required to *enable* 2FA.
It is then that the mechanisms to activate and to recover 2FA are not the
same, and so it can be one works while the other does not, and so it can be
that 2FA is activated, but does not work, and cannot be recovered because
the provided mechanisms do not or cannot work, which means the account is
inaccessible.
Turning on 2FA can be in and of itself a risk.
(As you gentle reader may have guessed, this is what happened today, with
Amazon. In the light of the recent kernel.org DNS hijack, I activated 2FA
on my Amazon account. 2FA activation worked, but log in to Amazon did not,
and both the 2FA resync and account recovery pages seemed broken server-side
("internal error"), and 2FA support is only available in the form of Amazon
phoning you, and I cannot currently be phoned. I thought then to try my
luck with AWS rather than Amazon, log in failed still but the resync page on
AWS worked, and having worked, I could log into both retail Amazon and AWS.
If AWS resync also had not worked, I would now be locked out of my account.)
------------------------------
Date: Fri, 14 Dec 2018 23:21:54 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: Top 10 worst password FAILS of 2018 (CSO)
https://www.csoonline.com/article/3326830/security/top-10-worst-password-fails-of-2018.html
------------------------------
Date: Thu, 13 Dec 2018 09:09:47 -0800
From: Gene Wirchenko <ge...@telus.net>
Subject: She'd just had a stillborn child. Tech companies wouldn't let her
forget it (Chris Matyszczyk)
Technically Incorrect, ZDnet, 13 Dec 2018
A woman pleads with tech companies like Facebook and Twitter to stop serving
her ads to intensify her grief.
https://www.zdnet.com/article/shed-just-had-a-stillborn-child-tech-companies-wouldnt-let-her-forget-it/
[A summary would not do this article justice. GW]
------------------------------
Date: Sun, 16 Dec 2018 16:13:41 -0800
From: Gene Wirchenko <ge...@telus.net>
Subject: Thousands of Jenkins servers will let anonymous users become admins
(Catalin Cimpanu)
ZDNet, 16 Dec 2018
Two vulnerabilities discovered and patched over the summer expose Jenkins
servers to mass exploitation.
https://www.zdnet.com/article/thousands-of-jenkins-servers-will-let-anonymous-users-become-admins/
------------------------------
Date: Sun, 16 Dec 2018 16:09:44 -0800
From: Gene Wirchenko <ge...@telus.net>
Subject: "Bing recommends piracy tutorial when searching for Office 2019"
(Catalin Cimpanu)
ZDNet, 14 Dec 2018
Oh, Bing! Not again!
https://www.zdnet.com/article/bing-recommends-piracy-tutorial-when-searching-for-office-2019/
opening text:
Microsoft is sending users who search for Office 2019 download links via its
Bing search engine to a website that teaches them the basics about pirating
the company's Office suite.
This happens every time users search for the term "office 2019 download" on
Bing. The result is a Bing search card (highlighted search results) that
links to a piracy tutorial.
------------------------------
Date: Sun, 16 Dec 2018 19:55:10 +0000
From: Chris Drewe <e76...@yahoo.co.uk>
Subject: "Big Brother is driving with you!" (Rob Hull)
Thisismoney.co.uk, Daily Mail, 5 Dec 2018
Item in newspaper seen this week. There's a lot of debate about driverless
vehicles, but how much control will drivers still be allowed to have? And
what about older cars (mine was made in 1988) -- will they just be banned,
or only allowed on the roads under strict supervision?
https://www.dailymail.co.uk/money/cars/article-6462429/All-new-cars-fitted-black-box-devices-log-speed.html
Big Brother is driving with you! All new cars could be fitted with black
boxes to log speed and systems to slow them automatically under EU
proposals
https://www.dailymail.co.uk/money/cars/article-6462429/All-new-cars-fitted-black-box-devices-log-speed.html
Big Brother is driving with you! All new cars could be fitted with black
boxes to log speed and systems to slow them automatically under EU
proposals
* The European Council has called for all cars to have data loggers
fitted by law
* These would be able to record speed and which safety features were
activated before, during and after a collision
* Proposals also want new cars to have intelligent speed assistance
systems and pre-wiring so an in-car breathalyser can be installed
* Other requirements for new cars could include lane assist and
fatigue monitors
------------------------------
Date: Sun, 16 Dec 2018 11:46:43 -0500
From: Tom Van Vleck <th...@multicians.org>
Subject: Delivery robot bursts into flames at UC Berkeley, students hold it
a vigil (SanFranChronicle)
*The San Francisco Chronicle* website:
https://www.sfgate.com/bayarea/article/Delivery-robot-catches-fire-at-UC-Berkeley-13470063.php
hmm.
[The amount needed to pony up must have been a Vigil-ante. PGN]
------------------------------
Date: Fri, 14 Dec 2018 18:54:09 -0500
From: Kelly Bert Manning <bo...@freenet.carleton.ca>
Subject: Re: Your apps know where you were last night, and they're not
keeping it secret (NYTimes)
If memory serves me correctly, back in the 1950s and 1960s we were told that
one of the freedoms we enjoyed in the "Free West" was not having to
constantly carry Internal Passports to be produced on demand by police and
other officials. Sounded like a Killer Argument to me.
What a change. Even if you don't carry an electronic ball and chain your
movements could be tracked by licence plate scanners or by facial
recognition. Seems more and more like Moscow or Beijing during the Cold War
to me. Greyhound recently ceased operation in Western Canada, but the last
time I used it in 2005 I saw someone being released from handcuffs after
Vancouver Police decided that him giving the same name as a fugitive to the
bus ticket agent was just a coincidence.
I have never had a personal wireless digital device, so the main exposure
would probably be if I bought a new automobile with some sort of wireless
"feature / vulnerability". I would like to see wireless access in autos made
modular, pull the module and carry on without it. Connect a plug to the
engine interface for diagnosis and firmware updating. I use 100 mpbs wired
ethernet for my home network, not WiFi.
At home web pages ask permission to find the location of my PC. I just say
NO. I have a used laptop with wireless that started out with XP
Professional, but it usually boots with Linux.
For the 2015 Victoria Privacy and Security conference one of the presenters
did the usual live demonstration of a Pineapple type attack. I mentioned my
laptop during the Q&A session, and the fact that I had booted it with Tails
from an optical disk instead of Linux from the hard drive.
Such conferences are places where someone might see a challenge or an
opportunity. An IBM employee gave up a phone number to Kevin Mitnick for a
demo of caller ID spoofing during a previous conference.
Back when I had to carry a work phone I turned off the WiFi and GPS to make
the battery life last longer. I am aware that GPS can be turned on again
problematically. Calling 911 turns on GPS if it has been disabled.
Our current auto is more than 10 years old and lacks that "feature".
At least the e-trike I bought in 2016 does not have wireless, although
it does have a USB port for powering a wireless or other device.
https://www.youtube.com/watch%3Fv%3D1xbPm01fWHM
------------------------------
Date: Wed, 12 Dec 2018 22:22:04 -0700
From: Kurt Seifried <ku...@seifried.org>
Subject: Re: Rudy Giuliani Says Twitter Sabotaged His Tweet (Shapir, 30.96)
In all the twitter clients/web interface I use, if I type text it is black,
until twitter or the client make it a link and then it's blue. Just like in
literally every GUI piece of software I've used for 20+ years that
auto-creates hyperlinks based on what you type. If you are typing text and
some of it turns blue... it's probably because it's now a hyperlink.
Attach it as a text file.
------------------------------
Date: Sat, 15 Dec 2018 11:26:33 +0200
From: Amos Shapir <amo...@gmail.com>
Subject: Re: What Happens When You Reply All to 22,000 State Workers
(RISKS-30.96)
This looks less like a case of recipients using "Reply to All" -- which is
the default mode in many mailers, making mistakes unavoidable -- and more a
case of senders who do not know how to use "Bcc" when sending to a large
list of recipients.
------------------------------
Date: Thu, 13 Dec 2018 12:57:32 +0800
From: Richard M Stein <rms...@ieee.org>
Subject: Re: Annoyed Baltimore Drivers Want City To Crack Down On 'Squeegee
Kids' (Levine, RISKS-30.06)
John -- You might be right: the AV idles until the way forward is
obstacle-free.
We'll have to wait this trolley problem outcome. Alternatively, Waymo in
Chandler, AZ could share a live scenario demo with the world to prove that
"My Mother the Car" is sharp enough to respectfully manage hostile
pedestrian interaction.
I'd put my money on the vehicle occupants, if present, to issue one or more
verbal command overrides or set a new destination with their hailing
application if the squeegee crew acts aggressively. If AV is payload empty,
an infinite standoff might manifest at the intersection/stop point...or not
-- low fuel or diminished reserve power-level might compel AV return to
depot to refuel rather than exhaust reserves and wait AAA for a tow.
Suppose the AV is stuck due to obstacles that shuffle around it and
otherwise impede forward motion -- and possibly at a controlled intersection
or behind another vehicle. I wonder if it'll try to rabbit should the signal
light change to green or remain neutralized until obstacles clear? Possibly,
AV depot control will sense a "help me I am stuck" signal and call the cops
to intervene and run the squeegees off?
------------------------------
Date: 13 Dec 2018 08:28:23 -0500
From: "John R. Levine" <jo...@iecc.com>
Subject: Re: Annoyed Baltimore Drivers Want City To Crack Down On 'Squeegee
Kids' (Stein, RISKS-30.97)
Having been in NYC when it had squeegee guys, this isn't the trolley
problem. They dart out when the light is red, they don't deliberately block
traffic, since that would get them arrested instantly.
------------------------------
Date: Sun, 16 Dec 2018 15:51:37 -0500
From: David Waitzman <dwai...@gmail.com>
Subject: Re: Annoyed Baltimore Drivers Want City To Crack Down On 'Squeegee
Kids' (npr.org)
I would not feel safe, in Baltimore particularly, of rolling down my car
windows for a squeegee kid nor anyone else.
Jacquelyn Smith was killed on December 1st in Baltimore when she "and her
husband saw a woman asking for money. She rolled down her car window to
hand over some cash when her husband said a man approached the car, reached
inside to try to take Smith’s purse and necklace before stabbing her. She
later died at the hospital."
https://www.baltimoresun.com/news/maryland/crime/bs-md-ci-jacquelyn-smith-funeral-20181213-story.html
------------------------------
Date: Tue, 5 May 2018 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
<http://the.wiretapped.net/security/info/textfiles/risks-digest/>
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks have done to URLs. I have
tried to extract the essence.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 30.97
************************
0 new messages