• Risks Digest 34.39

    From RISKS List Owner@21:1/5 to All on Sun Aug 4 00:39:57 2024
    RISKS-LIST: Risks-Forum Digest Saturday 3 Aug 2024 Volume 34 : Issue 39

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/34.39>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Teenager Accused of Derailing Train and Posting Crash Video Online (NYTimes)
    Mythbusting SOC costs (Cliff Kilby)
    How One Man Lost $740,000 to Scammers Targeting His Retirement Savings
    (NYTimes)
    Are we too dependent on Microsoft? (CBC)
    MBTA's new contactless payment system launches Thursday (The Globe)
    Personal Data of 3 Billion People Stolen in Hack, Suit Says (BloombergLaw)
    Trolls Used Her Face to Make Fake Porn. There Was Nothing She Could Do.
    (NYTimes)
    Amazon forced to recall 400K products that could kill, electrocute people
    (ArsTechnica)
    Don't Let Your Domain Name Become a crime site (Krebs on Security)
    About Kid's Online Safety Act and age verification (Lauren Weinstein)
    A $100b plan with "70% risk of killing us all" (Stephen Fry)
    Leaked github token could have put the entire python infrastructure at risk
    (TechRadar)
    Argentina will use AI to ‘predict future crimes’ but experts worry
    for citizens’ rights (The Guardian, geoff goodfellow)
    Gender Dysphoria and the Cass Review - A Summary of a Discussion
    (Peter Bernard Ladkin)
    Re: Google reverts TV YouTube app to original search history behavior
    (Jim Geissman)
    Re: AT&T local news (Jim Geissman)
    Re: Switzerland now requires all government software to open source
    (Martin Ward, Wol)
    Re: CrowdStrike and fuzz testing (Jurek Kirakowski)
    Re: Robots sacked, screenings shut down: a new movement of Luddites is
    rising up against AI (Wol)
    IEEE Project on Digital Forensics for Trusted Learning Systems
    (via Rebecca Mercuri)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 29 Jul 2024 19:13:04 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Teenager Accused of Derailing Train and Posting Crash Video Online
    (NYTimes)

    Investigators said a 17-year-old charged with intentionally causing a freight train derailment in Nebraska had recorded the crash, which he then posted on YouTube.

    https://www.nytimes.com/2024/07/29/us/nebraska-teen-charged-train-crash.html

    ------------------------------

    Date: Sat, 3 Aug 2024 16:25:49 -0400
    From: Cliff Kilby <cliffjkilby@gmail.com>
    Subject: Mythbusting SOC costs

    I came across a short opinion piece which really took me aback.
    The poster claimed that running a SOC was a massive expense.

    The core assertions:

    Infrastructure Costs: Setting up a SOC requires significant hardware,
    software, and network infrastructure investments. This includes advanced
    security tools and platforms for monitoring and response.

    Response: Not quite. There is no additional outlay for hardware, software
    or networking. Your SOC should be able to use everything in place, unless
    you don't already use industry standard products like firewalls, WAF, and
    AV. You might consider purchasing an EDR to address dynamic threats, but
    most AV products can be used for reporting to a SOC. Unless you don't even
    have AV.

    Skilled Personnel: Hiring and retaining skilled cybersecurity professionals
    is expensive. An in-house SOC needs experts for threat detection, incident
    response, and continuous monitoring, which can drive up labor costs.

    Response: Maybe. It is expensive to maintain personnel who are trained for
    bleeding edge threat detection and mitigation. But, considering the first
    and third assertions, the company isn't even doing remedial security, and
    would probably make great strides with a SOC staffed by DevOps engineers.

    Ongoing Maintenance: An in-house SOC requires continuous updates,
    maintenance, and upgrades to stay current with evolving threats. This adds
    to the overall operational expenses.

    Response: This has nothing to do with SOC. This is basic operations
    hygiene. Patch when your vendors provide patches.

    Training and Development: Keeping the SOC team trained with the latest
    cybersecurity trends and technologies involves additional costs for ongoing
    education and certifications.

    Response: Again, no. For most professionals who carry certifications, they
    are required to maintain continuing education. Those credits are as
    expensive as you allow them to be, though they may need to be away from
    work to obtain them. Common vulnerability OSINT is massive and mostly free.
    Keeping up with the bleeding edge is expensive, but pointless if you have
    an environment in which you believe that updates and maintenance are
    driven by your SOC.

    24/7 Operations: To be effective, a SOC needs to operate around the clock,
    requiring shifts and potentially more staff, further increasing costs.

    Response: If your SOC is automating detections and responses, they really
    only have unplanned work as long as someone is in the office. They don't
    pack up the WAF at the end of the day. If your current environment can't
    automatically alert a detection, having a human sitting staring at logs
    won't find anything. However, if you're running a 3 shift company, then
    yeah, you'll need coverage for all three shifts. Realtime threats tend to
    originate from employees more than externally.

    To me this whole post read like someone who was told that a SOC is buying
    Rapid7 and Splunk, and then got mad that they also need to hire people to
    run those tools.

    Operations aren't a goal, but a process.
    Security isn't a goal, but a process.
    Security operations... you get the drift.

    Post courtesy of https://old.reddit.com/r/CyberMsspZone/comments/1eii9jf/why_is_an_inhouse_soc_so_expensive/

    ------------------------------

    Date: Mon, 29 Jul 2024 19:10:06 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: How One Man Lost $740,000 to Scammers Targeting His Retirement
    Savings (NYTimes)

    Criminals on the Internet are increasingly going after Americans over the
    age of 60 because they are viewed as having the largest piles of savings.

    https://www.nytimes.com/2024/07/29/business/retirement-savings-scams.html

    ------------------------------

    Date: Fri, 2 Aug 2024 22:23:48 -0600
    From: Matthew Kruk <mkrukg@gmail.com>
    Subject: Are we too dependent on Microsoft? (CBC)

    https://www.cbc.ca/player/play/video/9.6469022

    After two major outages in as many weeks -- including the CrowdStrike
    crash -- alarm bells are ringing about the world's overreliance on
    Microsoft. Andrew Chang breaks down what happened, who's to blame and digs
    into just how much of our lives are connected to Microsoft.

    ------------------------------

    Date: Thu, 1 Aug 2024 06:57:45 -0700
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: MBTA's new contactless payment system launches Thursday
    (The Globe)

    https://www.boston.com/news/local-news/2024/07/31/mbtas-new-contactless-payment-system-launches-thursday

    Key excerpt:

    “To avoid the possibility of accidental taps and charges of their
    contactless credit or debit cards, riders are encouraged to hold their
    purses, bags, and backpacks away from the contactless readers.”

    RISKy, anyone?

    ------------------------------

    Date: Fri, 2 Aug 2024 14:20:03 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Personal Data of 3 Billion People Stolen in Hack, Suit Says
    (BloombergLaw)

    https://news.bloomberglaw.com/privacy-and-data-security/background-check-data-of-3-billion-stolen-in-breach-suit-says

    ------------------------------

    Date: Wed, 31 Jul 2024 15:54:41 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Trolls Used Her Face to Make Fake Porn. There Was Nothing She
    Could Do. (NYTimes)

    Sabrina Javellana was a rising star in local politics — until deepfakes derailed her life.

    https://www.nytimes.com/2024/07/31/magazine/sabrina-javellana-florida-politics-ai-porn.html

    ------------------------------

    Date: Tue, 30 Jul 2024 21:36:18 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Amazon forced to recall 400K products that could kill,
    electrocute people (ArsTechnica)

    https://arstechnica.com/?p=2040006

    ------------------------------

    Date: Fri, 2 Aug 2024 07:50:46 -0700
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: Don't Let Your Domain Name Become a crime site
    (Krebs on Security)

    More than a million domain names -- including many registered by
    Fortune 100 firms and brand protection companies -- are vulnerable to
    takeover by cybercriminals thanks to authentication weaknesses at a
    number of large web-hosting providers and domain registrars, new
    research finds.

    https://krebsonsecurity.com/2024/07/dont-let-your-domain-name-become-a-sitting-duck/

    [Lauren Weinstein noted Over 1 Million Domains at Risk of 'Sitting
    Ducks' Domain Hijacking Technique (The Hacker News) The powerful
    attack vector, which exploits weaknesses in the domain name system
    (DNS), is being exploited by over a dozen Russian-nexus
    cybercriminal actors to stealthily hijack domains, a joint analysis
    published by Infoblox
    <https://blogs.infoblox.com/threat-intelligence/who-knew-domain-hijacking-is-so-easy/>
    and Eclypsium has revealed.
    <https://eclypsium.com/blog/ducks-now-sitting-dns-internet-infrastructure-insecurity/>

    "In a Sitting Ducks attack, the actor hijacks a currently registered domain
    at an authoritative DNS service or web hosting provider without accessing
    the true owner's account at either the DNS provider <https://www.cloudflare.com/learning/dns/dns-server-types/> or registrar,"
    the researchers said.

    "Sitting Ducks is easier to perform, more likely to succeed, and
    harder to detect than other well-publicized domain hijacking attack
    vectors, such as dangling CNAMEs." <https://thehackernews.com/2024/02/8000-subdomains-of-trusted-brands.html>
    Cliff Kilby noted this in SecurityWeek:
    https://www.securityweek.com/vulnerabilities-enable-attackers-to-spoof-emails-from-20-million-domains/
    PGN]
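
    A defender-side check related to the Sitting Ducks item above, added here as an example; it is not code from the Infoblox/Eclypsium research or from the digest. The linked research describes the hijackable state as a domain whose registrar delegation points at a DNS provider's nameservers that do not actually serve its zone, so this stdlib-only Python script sends an SOA query directly to each delegated nameserver and flags any that do not answer authoritatively. The domain and nameserver names in the built-in run are constructed placeholders, and the list of delegated nameservers is assumed to come from the registrar or a parent-zone lookup.

```python
"""Flag delegated nameservers that do not serve a domain's zone (stdlib only).

Added example: a delegation whose nameservers are not authoritative for the
zone is the state the linked Sitting Ducks research describes as hijackable.
"""
import random
import socket
import struct

QTYPE_SOA = 6
QCLASS_IN = 1


def build_query(name, qtype=QTYPE_SOA):
    """Build a minimal DNS query with RD clear, so the server answers only from its own zones."""
    txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # flags=0: QR and RD clear
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def parse_flags(response):
    """Return the transaction id, AA bit and RCODE from a DNS response header."""
    if len(response) < 12:
        raise ValueError("short DNS response")
    txid, flags = struct.unpack("!HH", response[:4])
    return {"id": txid, "aa": bool(flags & 0x0400), "rcode": flags & 0x000F}


def query_ns(ns_host, domain, timeout=3.0):
    """Send one SOA query straight to a nameserver; None if it cannot be reached."""
    packet = build_query(domain)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(packet, (socket.gethostbyname(ns_host), 53))
        data, _ = sock.recvfrom(512)
    except OSError:  # timeout, unreachable port, unresolvable name
        return None
    finally:
        sock.close()
    if len(data) < 12:
        return None
    flags = parse_flags(data)
    if flags["id"] != struct.unpack("!H", packet[:2])[0]:
        return None  # stray datagram, not the answer to our query
    return flags


def classify(answer):
    """authoritative: AA set with a normal rcode; otherwise lame or unreachable."""
    if answer is None:
        return "unreachable"
    if answer["aa"] and answer["rcode"] in (0, 3):
        return "authoritative"
    return "lame"  # REFUSED/SERVFAIL, or an answer without the AA bit


def audit_delegation(domain, delegated_ns, query=query_ns):
    """Map each nameserver the parent zone delegates to onto its status.

    delegated_ns comes from the registrar or parent zone; `query` is
    injectable so the audit can be exercised offline with constructed answers.
    """
    return {ns: classify(query(ns, domain)) for ns in delegated_ns}


def sitting_duck_candidates(report):
    """Nameservers that are delegated to but do not answer authoritatively."""
    return sorted(ns for ns, status in report.items() if status == "lame")


if __name__ == "__main__":
    # Constructed, offline scenario with placeholder names: one healthy
    # nameserver, one that refuses the zone, one that never answers.
    FAKE_ANSWERS = {
        "ns1.provider-a.example": {"id": 1, "aa": True, "rcode": 0},
        "ns2.provider-b.example": {"id": 1, "aa": False, "rcode": 5},
        "ns3.provider-b.example": None,
    }
    result = audit_delegation("victim-domain.example", FAKE_ANSWERS,
                              query=lambda ns, _domain: FAKE_ANSWERS[ns])
    for ns, status in result.items():
        print(f"{ns:28s} {status}")
    print("review with the provider:", sitting_duck_candidates(result))
```

    Against a real domain, pass the registrar's NS list and leave `query` at its default to send live SOA queries to each server.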

    ------------------------------

    Date: Tue, 30 Jul 2024 11:45:06 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: About Kid's Online Safety Act and age verification

    For anyone who points out that the Kids Online Safety Act doesn't
    actually REQUIRE government IDs for age verification, let me assure
    you that this is, to use the vernacular, a subterfuge.

    The liabilities created by the legislation for violations by the
    targeted sites are so large that nothing short of age verification via government IDs will satisfy their own legal departments in the long
    run -- and with good reason.

    This doesn't mean uploading IDs to each site -- the anticipated model
    is third party verifiers -- but that doesn't actually reduce (and may
    actually increase) the privacy and tracking abuse risks associated
    with these age verification models, for a variety of technical
    reasons. -L

    ------------------------------

    Date: Tue, 30 Jul 2024 19:21:47 -0400
    From: "Jan Wolitzky" <jan.wolitzky@gmail.com>
    Subject: A $100b plan with "70% risk of killing us all" (Stephen Fry)

    Apart from his comedic, dramatic, and literary endeavors, Stephen Fry
    is widely known for his avowed technophilia. He once wrote a column on
    that theme, “Dork Talk,” for the Guardian, in whose inaugural dispatch
    he laid out his credentials by claiming to have been the owner of only
    the second Macintosh computer sold in Europe (“Douglas Adams bought
    the first”), and never to have “met a smartphone I haven’t bought.”
    But now, like many of us who were “dippy about all things digital” at
    the end of the last century and the beginning of this one, Fry seems
    to have his doubts about certain big-tech projects in the works today:
    take the “$100-billion plan with a 70-percent risk of killing us all” described in this video:

    <https://www.youtube.com/watch?v=-H7e4XlMgg0>

    [found on Open Culture, July 26th, 2024]

    ------------------------------

    Date: Fri, 2 Aug 2024 08:49:38 -0700
    From: Victor Miller <victorsmiller@gmail.com>
    Subject: Leaked github token could have put the entire python
    infrastructure at risk (TechRadar)

    https://www.techradar.com/pro/security/github-token-leak-could-have-put-the-entire-python-language-at-risk

    ------------------------------

    Date: Sat, 3 Aug 2024 06:47:59 -0700
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Argentina will use AI to ‘predict future crimes’ but experts worry
    for citizens’ rights (The Guardian)

    *President Javier Milei creates security unit as some say certain groups
    may be overly scrutinized by the technology*

    Argentina’s security forces have announced plans to use artificial intelligence to “predict future crimes” in a move experts have warned could threaten citizens’ rights.

    The country’s far-right president Javier Milei this week created the Artificial
    Intelligence Applied to Security <https://www.boletinoficial.gob.ar/detalleAviso/primera/311381/20240729> Unit, which the legislation says will use “machine-learning algorithms to analyse historical crime data to predict future crimes”. It is also expected to deploy facial recognition software to identify “wanted persons”, patrol social media, and analyse real-time security camera footage to detect suspicious activities.

    While the ministry of security has said the new unit will help to “detect potential threats, identify movements of criminal groups or anticipate disturbances”, the Minority Report-esque resolution has sent alarm bells ringing among human rights organisations.

    <https://english.elpais.com/international/2024-07-30/javier-mileis-government-will-monitor-social-media-with-ai-to-predict-future-crimes.html>

    Experts fear that certain groups of society could be overly scrutinised by
    the technology, and have also raised concerns over who – and how many security forces – will be able to access the information. [...]

    https://www.theguardian.com/world/article/2024/aug/01/argentina-ai-predicting-future-crimes-citizen-rights

    ------------------------------

    Date: Sat, 3 Aug 2024 07:17:00 -0700
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Re: Argentina will use AI to predict future crimes
    but experts worry for citizens' rights (The Guardian)

    oh gee, doesn't this sound just "a wee bit" kinda like say John
    Poindexter's *Total Information Awareness*? viz.:

    *"Total Information Awareness* (*TIA*) was a mass detection program by the
    United States Information Awareness Office
    <https://en.wikipedia.org/wiki/Information_Awareness_Office>. It operated
    under this title from February to May 2003 before being renamed *Terrorism
    Information Awareness*.

    [1] <https://en.wikipedia.org/wiki/Total_Information_Awareness#cite_note-dapra1-1> [2] <https://en.wikipedia.org/wiki/Total_Information_Awareness#cite_note-rename-2>

    ------------------------------

    Date: Wed, 31 Jul 2024 10:38:54 +0200
    From: "Prof. Dr. Peter Bernard Ladkin" <ladkin@causalis.com>
    Subject: Gender Dysphoria and the Cass Review - A Summary of a Discussion

    I wrote my note explaining that the Cass Review had commissioned a thorough literature review from a major research facility, and sent it not only to
    Risks and PGN, but also to Martin Ward and Julian Bradfield. I also, separately, drew the attention of some British colleagues who are informaticians and also interested in social issues, one of whom is a
    renowned expert in healthcare IT. He found my note appropriate.

    Ward replied with what I can only describe as a deluge of citations which he claims shows that the Cass Review is highly at fault. Many of them do not mention the Cass review; they are publications, some of them scientific and some of them advocatory, which pose a different view of the care of gender dysphoria than the Cass Review. Ward claims this is "evidence" and suggests that, by not reading them, I am "ignoring the evidence".

    The Cass Review reviewed the literature. The reviewers came to the view that not much of it was of particularly high scientific quality. This shouldn't surprise anybody, especially those of us peripherally familiar with the
    medical and epimedical literature.

    I don't see myself as reviewing the gender dysphoria literature, because the subject is not my cup of tea. But I think it unlikely that there has coincidentally been a breakthrough in scientific understanding of the
    condition since the Cass Review completed its literature survey. If there
    had been, I think I'd have read about it in reliable newspapers who report
    on scientific breakthroughs such as The Guardian. I also imagine the Cass Review would have generated an appendix on it.

    So what Ward deluged me with is a bunch of opinion and work which takes a different point of view from that of the Cass Review. Sure, I knew that that existed. Some of it was even reviewed in newspapers when the Cass Review
    came out. Much of it seems to come from North America. Anybody who has spent significant time in the US as well as Britain and Continental Europe is well aware of the radical differences in approach to health care and its
    structure. Many essays have been written on this subject, and this will not
    be another. Suffice it to say that it is quite plausible that the standard
    of care for a condition such as gender dysphoria in the USA and in the UK might, for very good reason, be very different. Also that it might well converge in the future, as tends to happen when conditions become better understood.

    What Ward unfortunately did not do is provide me with a list of specific mistakes that he claims the Cass Review has made, along with anything that would count for me as proof of these mistakes. As someone who writes such documents (but not in this field), I do know how much work it takes. I also know that they are much more valuable to a reader.

    He also hasn't provided an explanation of why he thinks a particular point
    of view of an advocacy group (which seems to account for a goodly proportion
    of what he cited to me) counts for him as "evidence" against particular
    points made in the Cass Review when for me it counts as yet another opinion from an advocacy group. I asked Ward what his motivation is, but didn't
    receive what I would regard as a plausible answer.

    So I don't see this particular discussion as proceeding much further. Neither does PGN.

    PGN expressed concern that the form of discussions enabled by the Internet
    is often, to put it in a word, broken. Yes, some forms indeed are. But
    let's think back to, say, 1993. I'd have read about the Cass Review in the newspaper. I wouldn't have read the Review itself -- I would have had to
    have written to a government publisher and sent payment and got a copy a few weeks later in the post. And I wouldn't have done so. If I had wanted to
    find out what kind of literature review was conducted and by whom, I likely couldn't have done so without purchasing and reading the report (it is not likely to be in many public libraries in Germany). Now, the
    literature-review proposal is on the University of York's WWW site for
    everyone to read for free. Some things, some kind of information such as
    this, have got immeasurably better. Let's not forget that.

    [I have blown the whistle on the pending interchange, and have allowed
    this one final summary of a nonconverging series of rants. PGN]

    ------------------------------

    Date: Wed, 31 Jul 2024 09:27:58 -0700
    From: "Jim" <jgeissman@socal.rr.com>
    Subject: Re: Google reverts TV YouTube app to original search history behavior

    This reminds me of what MS did in the Feb 2024 Windows update. File manager searches used to look at least part of the path beyond the file name. So if
    you had a folder Arizona which contained a file Grand Canyon, the file would
    be found by searching for Arizona. The update changed that, and now it seems only the file name is examined. I wonder how many other file and folder
    naming schemes stopped working.

    ------------------------------

    Date: Wed, 31 Jul 2024 06:58:08 -0700
    From: "Jim" <jgeissman@socal.rr.com>
    Subject: Re: AT&T local news

    My U-verse went out. This is like DSL that uses the POTS copper wires for
    the last block. There are 26 houses on the block, 7 at my end, with the connection to the network at the other end. The AT&T technician told me
    there are 9 wires at my pole, for the 7 houses plus fax machines, etc. a
    couple of decades ago. The tech said only one of the wires might work, so he tried it and it does work. I asked, if he gives me the only active wire,
    what about the rest of the customers? He replied, there is only one, and
    it's inactive. Looks like total victory to the cell phones and squirrels,
    and apparently AT&T owns a lot of non-functioning copper wire.

    ------------------------------

    Date: Tue, 30 Jul 2024 10:40:20 +0100
    From: Martin Ward <mwardgkc@gmail.com>
    Subject: Re: Switzerland now requires all government software to be
    open source (Shapir, RISKS-34.38)

    Companies who wish to keep their code hidden can do it while still
    formally complying with the law. E.g., they can post code in assembly
    (which can be generated automatically by tools like "cc -S") if
    regulations allow it.

    As it happens, the framers of the Gnu General Public Licence, Version 3, 29 June 2007, have already thought of this wriggle and countered it:

    1. Source Code.

    The "source code" for a work means the preferred form of the work
    for making modifications to it. "Object code" means any non-source
    form of a work.

    ------------------------------

    Date: Tue, 30 Jul 2024 08:41:30 +0100
    From: Wols Lists <antlists@youngman.org.uk>
    Subject: Re: Switzerland now requires all government software to
    be open source (RISKS-34.38)

    All being well, the legislators will look at the long history of FLOSS. It explicitly defines source code as being "the preferred form for programmers
    to modify it".

    The mere act of running an obfuscator is a breach of the GPL, and if a
    company is happy writing code using an assembler or machine code, then
    releasing source like that would comply, but running your binary through a
    disassembler and releasing that would not, if your programmers worked in,
    e.g., Rust.

    ------------------------------

    Date: Tue, 30 Jul 2024 12:50:19 +0100
    From: Jurek Kirakowski <jzk@uxp.ie>
    Subject: Re: CrowdStrike and fuzz testing

    Martin Ward's summary of fuzz testing practices took me back to those old punchcard days - and the severe admonitions of my programming tutors about writing software which did not thoroughly test input data. The poem
    Jabberwocky and a listing of prime numbers up to 1000 were some of our
    amusing test data decks, but most important were test decks that followed
    the syntax of the expected input but which were semantically abnormal. I
    have always followed this practice. Detecting these of course raises the
    line count of software considerably.

    His analysis of the debacle with CrowdStrike reminded me of perhaps the most basic principle of disaster analysis: "fatal errors are rarely one-off mistakes, they are the cumulative effect of many small and possibly
    over-looked mistakes - and even the cumulative effect of slightly misguided corporate policies."

    His remarks on how Microsoft may be changing perceptions about the release
    of known buggy software followed by an endless chain of fixes and updates
    reminds me of what Stalin is reputed to have said: "the future is
    certain. It is history which is subject to revision."

    ------------------------------

    Date: Tue, 30 Jul 2024 08:54:00 +0100
    From: Wols Lists <antlists@youngman.org.uk>
    Subject: Re: Robots sacked, screenings shut down: a new movement of Luddites is
    rising up against AI (Ed Newton-Rex)

    I've just had a web discussion about databases etc, and that has made me
    realise why Computing in general (and databases in particular) is so
    wasteful.

    I've always been aware of the tendency of computing to seek perfection
    (driven I suspect, by the "Publish or Perish" mentality in Universities).

    But I had a very "interesting" discussion where it was obvious that most of
    my protagonists were saying "we need to guarantee response times and provide 100% availability". For most people, WHY?!

    My favourite database (MultiValue) guarantees data retrieval of 95% with --
    in the non-pathological cold worst case -- just ONE cache miss. I work in an
    office where I only need one third of one nine availability.

    Yet I'm expected to work with a database that -- in the name of reliability
    -- regularly takes so long to respond that my client software falls over
    with annoying regularity thanks to database timeouts.

    I guess the cost of all this extra (un)reliability is an extra nought on
    costs, so why on earth are we paying it? Especially when abandoning the
    search for perfection is almost certain to lead to much improved
    availability and response times.

    ------------------------------

    Date: Fri, 2 Aug 2024 15:12:23 -0400
    From: DrM Rebecca Mercuri <notable@mindspring.com>
    Subject: IEEE Project on Digital Forensics for Trusted Learning Systems

    [I hope they mean Trustworthy. I don't trust them today. PGN]

    Readers of Risks may be interested in joining an IEEE project to develop a standard for digital forensics investigation of student and perhaps also faculty data (see below). The implementation of such investigative tools
    should be of great concern, especially with respect to privacy and use. The idea of creating a forensic investigation back-door seems to inherently
    violate the integrity of a trusted learning system, but perhaps I am misunderstanding what they are trying to accomplish. [Note: To join an IEEE Standards group, one typically must be a member of IEEE ($212) as well as a member of their Standards Association ($66).] If you attend the working
    group meeting, please report what they are planning back to Risks.

    The IEEE Standards Association (IEEE SA) <https://standards.ieee.org/>
    extends an invitation for your participation in the Working Group for the
    P2834.1 Standard for Digital Forensics on Trusted Learning Systems
    <https://standards.ieee.org/ieee/2834.1/11538/>. This standard specifies
    technical requirements on a forensic-investigation-ready infrastructure
    for learning systems. The standard delineates technical requirements and
    conformance criteria essential for ensuring adherence to prevalent
    regulations governing the protection of digital evidence in kindergarten
    to 12th grade (K12) and Higher Education environments and making the
    system forensically ready to investigate in case of a security incident.

    The Working Group has a meeting scheduled:

    DATE: 30 August 2024
    TIME: 1 PM Central / 2 PM EST

    For additional information, contact:

    IEEE P2834.1™ Working Group Chair:
    Cihan Varol <cvarol@shsu.edu>

    IEEE SA Program Manager:
    Patrycja Jarosz <p.jarosz@ieee.org>

    ------------------------------

    Date: Sat, 28 Oct 2023 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) has moved to the ftp.sri.com site:
    <risksinfo.html>.
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume/previous directories
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 34.39
    ************************
