
Subject: Risks Digest 34.35
From: RISKS List Owner
Newsgroups: comp.risks
Organization: PANIX Public Access Internet and UNIX, NYC
Date: Thu, 11 Jul 2024 22:14 UTC
Path: eternal-september.org!news.eternal-september.org!feeder3.eternal-september.org!panix!.POSTED.panix3.panix.com!not-for-mail
From: risko@csl.sri.com (RISKS List Owner)
Newsgroups: comp.risks
Subject: Risks Digest 34.35
Date: 11 Jul 2024 22:14:00 -0000
Organization: PANIX Public Access Internet and UNIX, NYC
Lines: 649
Sender: RISKS List Owner <risko@csl.sri.com>
Approved: risks@csl.sri.com
Message-ID: <CMM.0.90.4.1720735895.risko@chiron.csl.sri.com4482>
Injection-Info: reader1.panix.com; posting-host="panix3.panix.com:166.84.1.3";
logging-data="21958"; mail-complaints-to="abuse@panix.com"
To: risko@csl.sri.com

RISKS-LIST: Risks-Forum Digest Thursday 11 Jun 2024 Volume 34 : Issue 35

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.35>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Electronic voting in Switzerland (Bertrand Meyer)
U.S. and Allies Issue Rare Warning on Chinese Hacking Group (WSJ)
Nations Warn Key Open-Source Programs Not Sufficiently Protected
  (Craig Hale)
Russia Breaches TeamViewer: No Evidence Billions of Devices at Risk
  (Security Boulevard)
10 Billion Passwords Exposed in Largest Leak Ever (Emily Price)
Canada warns of AI-driven Russian 'bot farm' spreading disinformation online
  (CBC)
A Bugatti car, a first lady and the fake stories aimed at Americans (BBC)
New OpenSSH Vulnerability Discovered: Potential Remote Code Execution Risk
  (The Hacker News)
New tool for creating exploits (Rik Farrow)
AI Accelerates Software Development to Breakneck Speeds (Joe McKendrick)
Microsoft Security Sieve (Cliff Kilby)
Americans abroad suffering hours-long roaming outage (The Register)
Second Factor SMS: Worse Than Its Reputation (CCC Denmark)
Hackers reverse engineer Ticketmaster (404media)
BLAST RADIUS (Victor Miller)
Feds *finally* starting to take privacy records seriously
  (HHS press release)
Unintended consequences of building population tracking for COVID; public
  semi-nudity (riaka in ch)
Nike killing app for $350 self-tying sneakers (Ars Technica)
Re: Software engineers, not astronauts, are the heroes of
  today's space industry (Niklas Holsti)
Re: What to do when you send money to the wrong person through Zelle
  (John Levine)
Re: Firefighter charity bot call (Jurek Kirakowski)
Re: Fwd: Ozone Hole Mk. II (Martin Ward)
Re: More productive AI => Self-Poisoned Training GIGO (Amos Shapir)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 1 Jul 2024 18:36:21 +0200
From: Bertrand Meyer <Bertrand.Meyer@inf.ethz.ch>
Subject: Electronic voting in Switzerland

Over the years I have seen, in RISKS, many doomsday assessments of
electronic voting, supposedly impossible to organize without unsurmountable
risks. This is not my field of expertise but as a plain user I can report
about its use in the recent French legislative elections.

For the first time Internet-voting was available, but only for foreign
residents. The process seemed impeccable to me, well thought through. (The
irony is that the reason for this effectiveness may be that in the past few
years the country had for the first time in decades a highly competent
government, now about to be swept away as a result of these very elections.)
You must have registered with the local consulate both a phone number and an
email address. (Again, the mechanism is only for expats, who have registered
to vote in their foreign place of residence and in the process were invited
to provide this information.) Ahead of the vote you get a text message on
the phone and, separately, an email. The window for electronic voting is
very short, something like 48 hours, which I guess lowers the likelihood of
foul play. You still have the opportunity to go to the voting place in
person if you prefer. If you do vote electronically, you get a crypto
certificate.

At the polling place, where I accompanied someone who never managed to get
the SMS, there were no queues -- even though participation was much higher
than in the previous election, where I had to queue for a good hour -- and a
poll worker said 44% of the votes were electronic, testifying to the broad
success of the scheme. I hope they keep it in place for the future.

------------------------------

Date: Wed, 10 Jul 2024 06:49:23 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: U.S. and Allies Issue Rare Warning on Chinese Hacking Group (WSJ)

*An advisory by Australia, along with the U.S. and six other countries,
details a group known as APT40*

Australia, the U.S. and six other allies warned that a Chinese
state-sponsored hacking group poses a threat to their networks, in an
unusual coordinated move by Western governments to call out a global
hacking operation they say is directed by Beijing’s intelligence services.

Tuesday’s advisory was a rare instance of Washington’s major allies in the
Pacific and elsewhere joining to sound the alarm on China’s cyber activity.
Australia led and published the advisory. It was joined by the U.S., U.K.,
Canada and New Zealand, which along with Australia are part of an
intelligence-sharing group of countries known as the Five Eyes. Germany,
Japan and South Korea also signed on.

The warning marked the first time South Korea and Japan joined with
Australia in attributing malicious cyber activity to China. It was also the
first time that Australia—which has been reluctant to point the finger at
China, its largest trading partner—led such an effort, according to a
person familiar with the matter.

“In our current strategic circumstances, these attributions are
increasingly important tools in deterring malicious cyber activity,” said
Richard Marles, Australia’s deputy prime minister and defense minister.

On Tuesday, China accused the U.S. and its allies of hyping China’s cyber
activities to smear Beijing and distract from Washington’s efforts to
engage in surveillance and espionage worldwide. “Who is the biggest threat
to global cybersecurity? I believe the international community sees this
clearly,” said Foreign Ministry spokesman Lin Jian.

The technical advisory detailed a group known in cybersecurity circles as
Advanced Persistent Threat 40, or APT40, which conducts cybersecurity
operations for China’s Ministry of State Security and has been based in the
southern island province of Hainan. The advisory detailed how the group
targeted two networks in 2022—though it didn’t identify the
organizations—and said the threat is continuing.

“Having all eight nations collectively call this out is significant,” said
Rachael Falk, chief executive of the Cyber Security Cooperative Research
Centre in Australia. “You don’t see collective attribution from so many
agencies about one malicious cyber threat actor very often.”

Falk said APT40 carefully carries out reconnaissance, can look like a
legitimate user and is very effective at stealing valuable data. She said
APT40 rapidly exploits new, and sometimes old, public vulnerabilities in
widely used software and uses compromised small home office devices. That
enables the group to launch attacks and blend in with traffic. [...]
https://www.wsj.com/politics/national-security/u-s-allies-issue-rare-warning-on-chinese-hacking-group-9eebb0ce?st=cdo1eyb7rl4e9y9

------------------------------

Date: Mon, 1 Jul 2024 10:41:32 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Nations Warn Key Open-Source Programs Not Sufficiently
Protected (Craig Hale)

Craig Hale, *TechRadar*, 27 Jun 2024

The FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA),
and their counterparts in Canada and Australia warn that many open source
programs fail to protect against emerging and evolving threat actors. A CISA
report found that 52% of 172 open source projects studied contained code
written in a memory-unsafe language. The report revealed that Linux
comprises 95% unsafe code, compared to open source projects using unsafe
code in Tor (93%), MySQL Server (84%), and Chromium (51%).

------------------------------

Date: Tue, 2 Jul 2024 02:18:21 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Russia Breaches TeamViewer: No Evidence Billions of Devices
at Risk (Security Boulevard)

Remote access service hacked by APT29, says TeamViewer.

TeamViewer says “a compromised employee account” led to a Russian
breach. While the company makes reassuring noises about its segmented
network, it also said the tool was installed on more than 2.5 billion
devices.

And that’s a worry, despite the calming PR. In today’s SB Blogwatch, we
wonder why TeamViewer didn’t enforce MFA for employees (see also: Snowflake,
Okta, Uber, etc., etc.)

https://securityboulevard.com/2024/07/teamviewer-apt29-richixbw/

------------------------------

Date: Wed, 10 Jul 2024 11:18:50 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: 10 Billion Passwords Exposed in Largest Leak Ever
(Emily Price)

Emily Price, *PC Magazine*, 06 Jul 2024

Cybernews researchers discovered what they described as the largest-ever
password compilation on a popular hacking forum. The rockyou2024.txt file,
posted July 4 by a user known as "ObamaCare," contains 9,948,575,739 unique
plaintext passwords. Although these passwords are from a combination of old
and new data breaches, the researchers said the risk of credential stuffing
attacks is higher given that the passwords were compiled into a single,
searchable database.

------------------------------

Date: Wed, 10 Jul 2024 14:29:57 -0600
From: Matthew Kruk <mkrukg@gmail.com>
Subject: Canada warns of AI-driven Russian 'bot farm' spreading
disinformation online (CBC)

https://www.cbc.ca/news/politics/canada-russian-bot-farm-1.7259665

Canadian security officials are warning about a Russian propaganda campaign
that used the social media site X to spread disinformation online.

The Canadian Centre for Cyber Security said individuals affiliated with RT,
formerly known as Russia Today, have been using a social media bot farm at
the direction of the Russian government.

Officials said fake social media accounts were created to spread
disinformation in the United States and abroad.

The accounts often posed as Americans and promoted messages in support of
Russian government objectives, they said.

When asked to comment on the claims, the RT press office said: "Farming is
a beloved pastime for millions of Russians."

------------------------------

Date: Tue, 2 Jul 2024 22:11:42 -0600
From: Matthew Kruk <mkrukg@gmail.com>
Subject: A Bugatti car, a first lady and the fake stories aimed
at Americans (BBC)

https://www.bbc.com/news/articles/c72ver6172do

A network of Russia-based websites masquerading as local American
newspapers is pumping out fake stories as part of an AI-powered operation
that is increasingly targeting the US election, a BBC investigation can
reveal.

A former Florida police officer who relocated to Moscow is one of the key
figures behind it.

------------------------------

Date: Wed, 10 Jul 2024 04:48:01 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: New OpenSSH Vulnerability Discovered: Potential Remote
Code Execution Risk (The Hacker News)

Select versions of the OpenSSH secure networking suite are susceptible to a
new vulnerability that can trigger remote code execution (RCE).

The vulnerability, tracked as CVE-2024-6409 (CVSS score: 7.0), is distinct
from CVE-2024-6387
<https://thehackernews.com/2024/07/new-openssh-vulnerability-could-lead-to.html>
(aka RegreSSHion) and relates to a case of code execution in the privsep child
process
<https://github.com/openssh/openssh-portable/blob/master/README.privsep> due
to a race condition in signal handling. It only impacts versions 8.7p1 and
8.8p1 shipped with Red Hat Enterprise Linux 9.

[geoff also noted an earlier item:
https://thehackernews.com/2024/07/new-openssh-vulnerability-could-lead-to.html
Victor Miller noted
https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server
https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
PGN]

------------------------------

Date: Mon, 1 Jul 2024 10:17:29 -0700
From: Rik Farrow <rik@rikfarrow.com>
Subject: New tool for creating exploits

In a paper to be presented at USENIX Security, researchers have built a tool
for creating data-only exploits:

https://www.usenix.org/publications/loginonline/data-only-attacks-are-easier-you-think

The paper [5] becomes available to conference attendees soon, and to
everyone once the conference begins on August 14. I believe the authors
have shared access to their tool. Cool idea, tracking back tainting from
useful system calls.

------------------------------

Date: Mon, 1 Jul 2024 10:41:32 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: AI Accelerates Software Development to Breakneck Speeds
(Joe McKendrick)

Joe McKendrick, ZDNet, 28 Jun 2024

A GitLab survey of 5,315 executives and IT professionals revealed that 78%
of respondents already are using AI in software development or plan to do so
in the next two years, marking a year-over-year increase of 64%. Forty-seven
percent said they used AI for code generation and code
suggestion/completion, as well as code explanations (40%), summaries of code
changes (38%), chatbots allowing users to ask documentation questions using
natural language (35%), and summaries of code reviews (35%).

[Fast should be irrelevant if it is buggy. PGN]

------------------------------

Date: Tue, 2 Jul 2024 01:33:46 -0400
From: Cliff Kilby <cliffjkilby@gmail.com>
Subject: Microsoft Security Sieve

The exfil from the Microsoft breaches seems to have no end.

https://msrc.microsoft.com/blog/2024/03/update-on-microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/

This of course being a different breach than the earlier Exchange Online
event.

https://www.theregister.com/2024/04/03/cisa_microsoft_exchange_online_china_report/

The later breach comes with an updated impact statement.

https://www.bloomberg.com/news/articles/2024-06-27/microsoft-tells-some-clients-that-russian-hackers-viewed-emails

This, combined with the recent Cybersecurity Safety Review Board (CSRB)
report, has made a statement from Easterly to Ciaran Martin, professor of
practice in the management of public organizations at the University of
Oxford, into a terrible joke.
https://www.theregister.com/2024/07/01/cisa_big_tech_security/

"To Microsoft's credit, they were very transparent."
Microsoft, the maker of Windows. Transparent.

------------------------------

Date: Fri, 28 Jun 2024 16:20:36 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Americans abroad suffering hours-long roaming outage
(The Register)

https://www.theregister.com/2024/06/27/international_roaming_outage_north_america/

------------------------------

Date: Thu, 11 Jul 2024 13:12:00 +0000
From: Victor Miller <victorsmiller@gmail.com>
Subject: Second Factor SMS: Worse Than Its Reputation (CCC)

https://www.ccc.de/en/updates/2024/2fa-sms

------------------------------

Date: Tue, 9 Jul 2024 12:55:05 -0700
From: Victor Miller <victorsmiller@gmail.com>
Subject: Hackers reverse engineer Ticketmaster (404media)

https://www.404media.co/scalpers-are-working-with-hackers-to-liberate-non-transferable-tickets-from-ticketmasters-ecosystem/

------------------------------

Date: Tue, 9 Jul 2024 13:18:54 +0000
From: Victor Miller <victorsmiller@gmail.com>
Subject: BLAST RADIUS

https://www.blastradius.fail/

Blast-RADIUS is a vulnerability that affects the RADIUS protocol. RADIUS is
a very common protocol used for authentication, authorization, and
accounting (AAA) for networked devices on enterprise and telecommunication
networks.

What can the attacker do?

The Blast-RADIUS attack allows a man-in-the-middle attacker between the
RADIUS client and server to forge a valid protocol accept message in
response to a failed authentication request. This forgery could give the
attacker access to network devices and services without the attacker
guessing or brute forcing passwords or shared secrets. The attacker does not
learn user credentials.

Who is affected?

Blast-RADIUS is a protocol vulnerability, and thus affects all RADIUS
implementations using non-EAP authentication methods over UDP.

System administrators of networks using RADIUS should check with vendors for
a patch against this vulnerability, and follow best practices for RADIUS
configuration as discussed below. There is nothing that end users can do on
their own to protect against this attack.

RADIUS is used in a wide variety of applications, including in enterprise
networks to authenticate access to switches and other routing
infrastructure, for VPN access, by ISPs for DSL and FTTH (Fiber to the
Home), in 802.1X and Wi-Fi authentication, 2G and 3G cellular roaming and 5G
DNN (Data Network Name) authentication, mobile Wi-Fi offload with SIM
card-based authentication, private APN authentication, to authenticate
access to critical infrastructure, and in the Eduroam and OpenRoaming wifi
consortia.
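
An added example, not part of the original post or of the Blast-RADIUS site: a client-side check in Python that refuses any RADIUS response lacking a valid Message-Authenticator (attribute 80, HMAC-MD5, RFC 2869/3579), the integrity attribute RFC 3579 already makes mandatory alongside EAP-Message. The shared secret, request authenticator and both packets are constructed sample values; the unsigned packet is built with the secret and only stands in for a response protected by the MD5 Response Authenticator alone.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
REPLY_MESSAGE = 18
MESSAGE_AUTHENTICATOR = 80  # RFC 2869 / RFC 3579 attribute type


def parse_attributes(data):
    """Return [(type, value_offset, value)]; raise ValueError if malformed."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > len(data):
            raise ValueError("bad attribute length")
        attrs.append((a_type, pos + 2, data[pos + 2:pos + a_len]))
        pos += a_len
    return attrs


def check_response(packet, request_auth, secret, require_msg_auth=True):
    """Validate a response against the request it answers: (ok, reason)."""
    if len(packet) < 20:
        return False, "bad length"
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False, "bad length"
    packet = packet[:length]  # octets beyond Length are padding
    header, resp_auth, attr_bytes = packet[:4], packet[4:20], packet[20:]
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)
    expected = hashlib.md5(header + request_auth + attr_bytes + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False, "bad response authenticator"
    try:
        attrs = parse_attributes(attr_bytes)
    except ValueError as exc:
        return False, str(exc)
    found = [(off, val) for t, off, val in attrs if t == MESSAGE_AUTHENTICATOR]
    if not found:
        if require_msg_auth:
            return False, "missing Message-Authenticator"
        return True, "ok (MD5 only)"  # legacy behaviour, shown for contrast
    if len(found) > 1 or len(found[0][1]) != 16:
        return False, "malformed Message-Authenticator"
    off, val = found[0]
    # HMAC-MD5 over the packet with the attribute value zeroed and the
    # Request Authenticator in place of the Response Authenticator.
    zeroed = attr_bytes[:off] + bytes(16) + attr_bytes[off + 16:]
    mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(mac, val):
        return False, "bad Message-Authenticator"
    return True, "ok"


def build_response(code, ident, request_auth, secret, attrs, with_msg_auth):
    """Build a constructed sample response as a server holding the secret would."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    if with_msg_auth:
        body = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16) + body
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if with_msg_auth:
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        body = body[:2] + mac + body[18:]
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


# Constructed sample values (not taken from any real deployment).
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
SAMPLE_ATTRS = [(REPLY_MESSAGE, b"welcome")]
SIGNED = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, SECRET, SAMPLE_ATTRS, True)
UNSIGNED = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, SECRET, SAMPLE_ATTRS, False)

if __name__ == "__main__":
    for name, pkt in (("signed", SIGNED), ("unsigned", UNSIGNED)):
        print(name, "strict:", check_response(pkt, REQUEST_AUTH, SECRET))
        print(name, "legacy:", check_response(pkt, REQUEST_AUTH, SECRET, False))
```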

------------------------------

Date: Tue, 2 Jul 2024 22:42:35 +0000 ()
From: danny burstein <dannyb@panix.com>
Subject: Feds *finally* starting (starting) to take health care
privacy records seriously (HHS press release)

HHS Office for Civil Rights Settles HIPAA Security Rule Failures for
$950,000

Today, the U.S. Department of Health and Human Services' (HHS) Office for
Civil Rights (OCR) announced a settlement with Heritage Valley Health System
(Heritage Valley), which provides care in Pennsylvania, Ohio and West
Virginia, concerning potential violations of the Health Insurance
Portability and Accountability Act (HIPAA) Security Rule, following a
ransomware attack. Ransomware and hacking are the primary cyber-threats in
health care. Since 2018, there has been a 264% increase in large breaches
reported to OCR involving ransomware attacks. [...]

https://www.hhs.gov/about/news/2024/07/01/hhs-office-civil-rights-settles-hipaa-security-rule-failures-950000.html

------------------------------

Date: Tue, 2 Jul 2024 21:14:59 +0200
From: risks@sctb.ch
Subject: Unintended consequences of building population tracking
for COVID; public semi-nudity

Today, I had to walk across the gym (a major chain) where I train,
fortunately in my boxers as opposed to shielded by only a towel too small
for the purpose, to the entrance and back again, so I could open my locker,
to get dressed.

Prior to COVID, for this is a story of computer systems and unintended
consequences, the gym was fitted with an entry system which requires a
membership card.

The card is read on entry. It is not needed to exit.

Lockers are locked, and unlocked, with the card.

As a consequence of COVID, in the country I currently am in, public
buildings needed to keep some sort of track of how many people are in the
building, so they can refuse entry when there are too many people.

The entry system at the gym cannot itself fulfill this function as it knows
only when people enter, not when they leave.

The gym decided then to modify the behaviour of *lockers*, so that they will
not open once 1.5 hours have passed from a member entering the gym.

Today, then, I exercised, attended my locker, deposited my clothes and
removed my towel, and showered.

I returned to find my locker would not open.

The only solution was to walk out through the gym, in my boxers (and it was
fortunate I had taken them, as the travel towel I use is too small for
modesty), attend the entrance, walk out, and walk back in.

I could now open the locker.

Then having returned to a state of attire, I spoke with the manager.

She explained she knew about this, and has asked for it to be changed,
especially as COVID was so long ago, and had been told State regulation
required still tracking the population of the building. Of course, what she
was told may be mistaken - I have not verified this myself - and we can of
course question the method used. I can quite reasonably think it was
required, but perhaps now the gym simply hasn't done the work to remove this
behaviour; it's impossible to know or verify any of this from the outside of
the organization.

In any event however I would think here about the Law of Unintended
Consequences. Years ago, it seems reasonable to think that the State
mandated tracking building populations. This passed then down to the mass
of organizations throughout the country, all of whom implemented in their
own ways, and then in turn comes down to me, years after COVID mattered,
walking in my boxers only across the gym.

------------------------------

Date: Wed, 10 Jul 2024 12:11:01 -0600
From: Jim Reisert AD1C <jjreisert@alum.mit.edu>
Subject: Nike killing app for $350 self-tying sneakers (Ars Technica)

Scharon Harding, *Ars Technica*, 7/8/2024, 12:47 PM

In 2019, Nike got closer than ever to its dreams of popularizing
self-tying sneakers by releasing the Adapt BB. Using Bluetooth, the
sneakers paired to the Adapt app that let users do things like tighten
or loosen the shoes' laces and control its LED lights. However, Nike
has announced that it's "retiring" the app on August 6, when it will
no longer be downloadable from Apple's App Store or the Google Play
Store; nor will it be updated.

https://arstechnica.com/gadgets/2024/07/immensely-disappointing-nike-killing-app-for-350-self-tying-sneakers/

[The Internet of Laces

------------------------------

Date: Sat, 29 Jun 2024 09:45:57 +0300
From: Niklas Holsti <niklas.holsti@iki.fi>
Subject: Re: Software engineers, not astronauts, are the heroes of
today's space industry (WashPost, RISKS-34.34)

Regarding the Intuitive Machines lunar lander, and the "heroic" effort to
modify the on-board software to substitute an experimental LIDAR sensor for
the lander's own landing LIDARs (which could not be turned on because of a
wiring mistake in the connector cable used for flight, where a different
cable was used during ground tests): yes, the programmers produced new code
very quickly, but no, it did not work, and did not "save" the mission.

As discussed in the mission press briefings (available on Youtube), and as
noted in the comments to the Washington Post article, the rushed programmers
made one critical mistake: the new code did not set the single bit that
would have told the landing software that LIDAR data were
available. Consequently the landing was done without LIDAR data and the
lander hit the surface while the software thought it was a hundred or so
meters above it. The lander touched down with higher than expected vertical
and horizontal velocities that broke one landing leg and made the lander
fall onto its side. Some of the mission goals were reached, but not all.

There are reasons why making this kind of code change normally takes /much/
more than a few hours -- if the code must work.

------------------------------

Date: 29 Jun 2024 17:46:17 -0400
From: "John Levine" <johnl@iecc.com>
Subject: Re: What to do when you send money to the wrong person
through Zelle (RISKS-34.34)

Reversing fraudulent Zelle payments is not a new problem. Here's an
article from last year from someone who was scammed out of $31K.

https://www.businessinsider.com/zelle-fraud-scam-swimming-pool-online-payment-apps-mobile-banking-2023-10

This is a regulatory problem, not a technical or financial one. Banks
have never liked to deal with bogus transactions so when they set up
Zelle, they wished the problem away by claiming that it was completely
irrevocable, like giving someone an envelope full of cash.

Except that of course it's not. It's just a faster version of the ACH
transfers we use for direct deposit or moving money in and out of
Venmo. Every Zelle transfer is from one US bank account to another. That
means that if the sender complains, the bank knows exactly where the money
went and who to reclaim it from, just like a bounced check or a bogus
ACH. It's possible that the recipient's bank might already have let the
recipient withdraw the money, but that's not a new problem. It's something
banks have been dealing with as long as there have been checks.

------------------------------

Date: Sat, 29 Jun 2024 11:05:16 +0100
From: Jurek Kirakowski <jzk@uxp.ie>
Subject: Re: Firefighter charity bot call (Slade, RISKS-34.34)

When I get a call from a number which I don't recognise I have trained
myself to give the following spiel automatically in a bland "recorded"
voice:

"You have reached - the Cork Rodent Removal service. Press ONE to remove a
rodent - press TWO to remove two rodents - or hang yourself up by the tail
and wait..."

It certainly separates out the rodents from the real humans.

[It does have a certain element of Rat Etat. PGN]

------------------------------

Date: Sat, 29 Jun 2024 12:16:41 +0100
From: Martin Ward <mwardgkc@gmail.com>
Subject: Re: Fwd: Ozone Hole Mk. II (Kilby, RISKS-34.34)

On 28/06/2024 20:13, Cliff Kilby wrote:
> I see my post was truncated.
from my original submission.

It's a pity that the totally irrelevant link was included while the relevant
link and information was excluded! I see that our moderator added NCBI to
the subject (the source of the irrelevant article)

However, there is some important information which appears to be missing
from the relevant article. The article claims:

(1) Aluminium oxide is a catalyst which destroys ozone without being
consumed (as do other "ozone depleting substances" which are covered by the
Montreal agreement);

(2) The model shows that a certain amount of aluminium oxide will be
generated on de-orbiting of satellites that contain significant amounts of
aluminium;

(3) The projected mega constellations will therefore increase the
concentration of aluminium oxide in the atmosphere by 685% over the natural
amount. (It does not seem to say whether this "natural amount" is the
current amount, which is already eight times the amount supplied by
micrometeorites, or the amount supplied by micrometeorites, in which case
the 685% increase is not such a big increase over current levels!)

The missing piece of information is this: just how significant right now is
the effect of aluminium oxide on the ozone layer? It's like the scary
headlines which say things like: "Eating X will *double* your risk of
getting (some variety of cancer)!!" If the normal risk of getting that
variety of cancer is less than one in a million, then I might decide that
I'll take the risk and carry on eating the thing. My rough estimate:

Total mass of atmosphere: 5.5e+18 kg
Concentration of all ozone depleting substances (ODS):
about 570 ppt (parts per trillion).
Therefore, total mass of all ODS: about 3.1 million tonnes

Currently planned satellite constellations are expected to release 360
tonnes of oxides per year into the atmosphere. If this happens every year,
and the oxides will take 30 years to fall out of the atmosphere, then the
maximum increase in ODS will be 10,800 tonnes, or 0.35% of the total.

Am I in the right ballpark?

------------------------------

Date: Sat, 29 Jun 2024 12:45:56 +0300
From: Amos Shapir <amos083@gmail.com>
Subject: Re: More productive AI => Self-Poisoned Training GIGO
(RISKS-34.33)

I have already pointed out this problem in RISKS-33.75.

------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) has moved to the ftp.sri.com site:
<risksinfo.html>.
*** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
delightfully searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 34.35
************************
