Subject: Risks Digest 34.39
From: risko@csl.sri.com (RISKS List Owner)
Newsgroups: comp.risks
Organization: PANIX Public Access Internet and UNIX, NYC
Date: 4 Aug 2024 00:39:57 -0000
Path: eternal-september.org!news.eternal-september.org!feeder3.eternal-september.org!panix!.POSTED.panix2.panix.com!not-for-mail
Lines: 626
Sender: RISKS List Owner <risko@csl.sri.com>
Approved: risks@csl.sri.com
Message-ID: <CMM.0.90.4.1722731897.risko@chiron.csl.sri.com8036>
Injection-Info: reader1.panix.com; posting-host="panix2.panix.com:166.84.1.2";
  logging-data="234"; mail-complaints-to="abuse@panix.com"
To: risko@csl.sri.com

RISKS-LIST: Risks-Forum Digest Saturday 3 Aug 2024 Volume 34 : Issue 39

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.39>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Teenager Accused of Derailing Train and Posting Crash Video Online (NYTimes)
Mythbusting SOC costs (Cliff Kilby)
How One Man Lost $740,000 to Scammers Targeting His Retirement Savings
  (NYTimes)
Are we too dependent on Microsoft? (CBC)
MBTA's new contactless payment system launches Thursday (The Globe)
Personal Data of 3 Billion People Stolen in Hack, Suit Says (BloombergLaw)
Trolls Used Her Face to Make Fake Porn. There Was Nothing She Could Do.
  (NYTimes)
Amazon forced to recall 400K products that could kill, electrocute people
  (ArsTechnica)
Don't Let Your Domain Name Become a crime site (Krebs on Security)
About Kid's Online Safety Act and age verification (Lauren Weinstein)
A $100b plan with "70% risk of killing us all" (Stephen Fry)
Leaked github token could have put the entire python infrastructure at risk
  (TechRadar)
Argentina will use AI to ‘predict future crimes’ but experts worry
  for citizens’ rights (The Guardian, geoff goodfellow)
Gender Dysphoria and the Cass Review - A Summary of a Discussion
  (Peter Bernard Ladkin)
Re: Google reverts TV YouTube app to original search history behavior
  (Jim Geissman)
Re: AT&T local news (Jim Geissman)
Re: Switzerland now requires all government software to open source
  (Martin Ward, Wol)
Re: CrowdStrike and fuzz testing (Jurek Kirakowski)
Re: Robots sacked, screenings shut down: a new movement of Luddites is
  rising up against AI (Wol)
IEEE Project on Digital Forensics for Trusted Learning Systems
  (via Rebecca Mercuri)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 29 Jul 2024 19:13:04 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Teenager Accused of Derailing Train and Posting Crash Video Online
  (NYTimes)

Investigators said a 17-year-old charged with intentionally causing a freight
train derailment in Nebraska had recorded the crash, which he then posted on
YouTube.

https://www.nytimes.com/2024/07/29/us/nebraska-teen-charged-train-crash.html

------------------------------

Date: Sat, 3 Aug 2024 16:25:49 -0400
From: Cliff Kilby <cliffjkilby@gmail.com>
Subject: Mythbusting SOC costs

I came across a short opinion piece which really took me aback.
The poster claimed that running a SOC was a massive expense.

The core assertions:

Infrastructure Costs: Setting up a SOC requires significant hardware,
software, and network infrastructure investments. This includes advanced
security tools and platforms for monitoring and response.
Response: Not quite. There is no additional outlay for hardware, software
or networking. Your SOC should be able to use everything in place, unless
you don't already use industry standard products like firewalls, WAF, and
AV. You might consider purchasing an EDR to address dynamic threats, but
most AV products can be used for reporting to a SOC. Unless you don't even
have AV.

Skilled Personnel: Hiring and retaining skilled cybersecurity professionals
is expensive. An in-house SOC needs experts for threat detection, incident
response, and continuous monitoring, which can drive up labor costs.
Response: Maybe. It is expensive to maintain personnel who are trained for
bleeding edge threat detection and mitigation. But, considering the first
and third assertions, the company isn't even doing remedial security, and
would probably make great strides with a SOC staffed by DevOps engineers.

Ongoing Maintenance: An in-house SOC requires continuous updates,
maintenance, and upgrades to stay current with evolving threats. This adds
to the overall operational expenses.
Response: This has nothing to do with SOC. This is basic operations
hygiene. Patch when your vendors provide patches.

Training and Development: Keeping the SOC team trained with the latest
cybersecurity trends and technologies involves additional costs for ongoing
education and certifications.
Response: Again, no. For most professionals who carry certifications, they
are required to maintain continuing education. Those credits are as
expensive as you allow them to be, though they may need to be away from
work to obtain them. Common vulnerability OSINT is massive and mostly free.
Keeping up with the bleeding edge is expensive, but pointless if you have
an environment which you believe that updates and maintenance are driven by
your SOC.

24/7 Operations: To be effective, a SOC needs to operate around the clock,
requiring shifts and potentially more staff, further increasing costs.
Response: If your SOC is automating detections and responses, they really
only have unplanned work as long as someone is in the office. They don't
pack up the WAF at the end of the day. If your current environment can't
automatically alert a detection, having a human sitting staring at logs
won't find anything. However, if you're running a 3 shift company, then
yeah, you'll need coverage for all three shifts. Realtime threats tend to
originate from employees more than externally.

To me this whole post read like someone who was told that a SOC is buying
Rapid7 and Splunk, and then got mad that they also need to hire people to
run those tools.

Operations aren't a goal, but a process.
Security isn't a goal, but a process.
Security operations... you get the drift.

Post courtesy of
https://old.reddit.com/r/CyberMsspZone/comments/1eii9jf/why_is_an_inhouse_soc_so_expensive/

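The "automating detections and responses" point above, as an added example
that is not part of Cliff Kilby's post or the Reddit thread it answers: a
sliding-window failed-login detector over OpenSSH-style auth log lines, with
the response emitted as a firewall action. The log lines are constructed for
the example; the threshold (5 failures in 60 seconds), the host name and the
"block for 1h" action are assumptions to be tuned to your own environment.

```python
"""Added example (not from the RISKS post): a minimal automated detection with
a response hook, the sort of thing a SOC should already have running so that
nobody has to sit staring at logs. Log lines are constructed; thresholds and
the block action are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of OpenSSH auth log lines (syslog format, no year).
SAMPLE_LOG = """\
Aug  3 16:25:01 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2
Aug  3 16:25:03 bastion sshd[2213]: Failed password for root from 203.0.113.9 port 51130 ssh2
Aug  3 16:25:04 bastion sshd[2215]: Failed password for root from 203.0.113.9 port 51131 ssh2
Aug  3 16:25:06 bastion sshd[2217]: Failed password for invalid user test from 203.0.113.9 port 51140 ssh2
Aug  3 16:25:07 bastion sshd[2219]: Failed password for invalid user oracle from 203.0.113.9 port 51141 ssh2
Aug  3 16:25:09 bastion sshd[2221]: Accepted publickey for deploy from 198.51.100.7 port 40010 ssh2
Aug  3 16:31:00 bastion sshd[2240]: Failed password for alice from 198.51.100.7 port 40020 ssh2
Aug  3 16:42:00 bastion sshd[2241]: Failed password for alice from 198.51.100.7 port 40021 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(line, year=2024):
    """Parse one sshd line into an event dict, or None for lines we do not handle.
    Syslog timestamps carry no year, so the caller supplies one (assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "failed": m["outcome"].startswith("Failed"),
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return one alert per source IP that reaches `threshold` failed logins
    inside a sliding `window` (assumed values). Only the first crossing per IP
    alerts, so a long attack does not produce one alert per extra attempt."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or not ev["failed"]:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop failures that aged out
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in alerted:
            alerted.add(ev["ip"])
            alerts.append({"ip": ev["ip"], "count": len(q),
                           "first": q[0], "last": ev["ts"]})
    return alerts


def respond(alerts):
    """Automated response: the firewall actions an orchestration step would apply.
    Returned as data rather than executed here, so the decision stays auditable."""
    return [
        f"block src {a['ip']} duration 1h reason bruteforce:"
        f"{a['count']}/{int((a['last'] - a['first']).total_seconds())}s"
        for a in alerts
    ]


if __name__ == "__main__":
    for action in respond(detect_bruteforce(SAMPLE_LOG.splitlines())):
        print(action)
```

On the constructed sample the only alert is for 203.0.113.9 (five failures in
six seconds); the two failures from 198.51.100.7 are eleven minutes apart and
never cross the threshold. The point the post makes is visible in the shape of
the code: once the rule and the response exist, nothing about them needs a
human on shift.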

------------------------------

Date: Mon, 29 Jul 2024 19:10:06 -0400
From: Monty Solomon <monty@roscom.com>
Subject: How One Man Lost $740,000 to Scammers Targeting His Retirement
  Savings (NYTimes)

Criminals on the Internet are increasingly going after Americans over the
age of 60 because they are viewed as having the largest piles of savings.

https://www.nytimes.com/2024/07/29/business/retirement-savings-scams.html

------------------------------

Date: Fri, 2 Aug 2024 22:23:48 -0600
From: Matthew Kruk <mkrukg@gmail.com>
Subject: Are we too dependent on Microsoft? (CBC)

https://www.cbc.ca/player/play/video/9.6469022

After two major outages in as many weeks -- including the CrowdStrike
crash -- alarm bells are ringing about the world's overreliance on
Microsoft. Andrew Chang breaks down what happened, who's to blame and digs
into just how much of our lives are connected to Microsoft.

------------------------------

Date: Thu, 1 Aug 2024 06:57:45 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: MBTA's new contactless payment system launches Thursday
  (The Globe)

https://www.boston.com/news/local-news/2024/07/31/mbtas-new-contactless-payment-system-launches-thursday

Key excerpt:

“To avoid the possibility of accidental taps and charges of their
contactless credit or debit cards, riders are encouraged to hold their
purses, bags, and backpacks away from the contactless readers.”

RISKy, anyone?

------------------------------

Date: Fri, 2 Aug 2024 14:20:03 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Personal Data of 3 Billion People Stolen in Hack, Suit Says
  (BloombergLaw)

https://news.bloomberglaw.com/privacy-and-data-security/background-check-data-of-3-billion-stolen-in-breach-suit-says

------------------------------

Date: Wed, 31 Jul 2024 15:54:41 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Trolls Used Her Face to Make Fake Porn. There Was Nothing She
  Could Do. (NYTimes)

Sabrina Javellana was a rising star in local politics -- until deepfakes
derailed her life.

https://www.nytimes.com/2024/07/31/magazine/sabrina-javellana-florida-politics-ai-porn.html

------------------------------

Date: Tue, 30 Jul 2024 21:36:18 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Amazon forced to recall 400K products that could kill,
  electrocute people (ArsTechnica)

https://arstechnica.com/?p=2040006

------------------------------

Date: Fri, 2 Aug 2024 07:50:46 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: Don't Let Your Domain Name Become a crime site
  (Krebs on Security)

More than a million domain names -- including many registered by
Fortune 100 firms and brand protection companies -- are vulnerable to
takeover by cybercriminals thanks to authentication weaknesses at a
number of large web-hosting providers and domain registrars, new
research finds.

https://krebsonsecurity.com/2024/07/dont-let-your-domain-name-become-a-sitting-duck/

  [Lauren Weinstein noted Over 1 Million Domains at Risk of 'Sitting
  Ducks' Domain Hijacking Technique (The Hacker News): The powerful
  attack vector, which exploits weaknesses in the domain name system
  (DNS), is being exploited by over a dozen Russian-nexus
  cybercriminal actors to stealthily hijack domains, a joint analysis
  published by Infoblox
  <https://blogs.infoblox.com/threat-intelligence/who-knew-domain-hijacking-is-so-easy/>
  and Eclypsium has revealed.
  <https://eclypsium.com/blog/ducks-now-sitting-dns-internet-infrastructure-insecurity/>

  "In a Sitting Ducks attack, the actor hijacks a currently registered domain
  at an authoritative DNS service or web hosting provider without accessing
  the true owner's account at either the DNS provider
  <https://www.cloudflare.com/learning/dns/dns-server-types/> or registrar,"
  the researchers said.

  "Sitting Ducks is easier to perform, more likely to succeed, and
  harder to detect than other well-publicized domain hijacking attack
  vectors, such as dangling CNAMEs."
  <https://thehackernews.com/2024/02/8000-subdomains-of-trusted-brands.html>
  Cliff Kilby noted this in SecurityWeek:
  https://www.securityweek.com/vulnerabilities-enable-attackers-to-spoof-emails-from-20-million-domains/
  PGN]
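The precondition behind the hijack quoted above is a lame delegation: the
domain's NS records at the registrar (the parent zone) point at a third-party
DNS provider's nameservers, but that provider no longer serves the zone, so
anyone the provider lets add the zone name to a fresh account starts answering
for the domain. The check below is an added example, not code from Krebs,
Infoblox or Eclypsium. It works offline on constructed query results: every
domain name, nameserver hostname and answer in it is invented, the
`SoaAnswer` shape and `constructed_lookup` stand in for a real DNS client, and
`provider_of` uses the assumption that the last two labels of a nameserver
name identify its operator.

```python
"""Added example (not from the Krebs/Infoblox/Eclypsium material quoted above):
an offline lame-delegation check for the Sitting Ducks precondition. All names
and answers are constructed; in production `lookup` is backed by a DNS client
that asks each delegated server directly for the zone's SOA."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class SoaAnswer:
    rcode: str           # "NOERROR", "REFUSED", "SERVFAIL", "NXDOMAIN", ...
    authoritative: bool  # AA flag set on the response
    has_soa: bool        # SOA record present in the answer section


# Constructed: what the parent zone delegates each name to (the NS set you would
# fetch from the TLD servers), and what each delegated nameserver says when asked
# "SOA <domain>" directly. Provider hostnames are invented.
PARENT_NS: Dict[str, List[str]] = {
    "healthy.example":  ["ns1.dnsprov.example", "ns2.dnsprov.example"],
    "lame.example":     ["ns1.dnsprov.example", "ns2.dnsprov.example"],
    "selfhost.example": ["ns1.selfhost.example"],
    "partial.example":  ["ns1.dnsprov.example", "ns1.otherprov.example"],
}
DIRECT_SOA: Dict[Tuple[str, str], SoaAnswer] = {
    ("healthy.example", "ns1.dnsprov.example"): SoaAnswer("NOERROR", True, True),
    ("healthy.example", "ns2.dnsprov.example"): SoaAnswer("NOERROR", True, True),
    # The provider no longer hosts this zone and refuses the query: the
    # registrar still delegates there, so whoever claims the name at the
    # provider answers for the whole domain.
    ("lame.example", "ns1.dnsprov.example"): SoaAnswer("REFUSED", False, False),
    ("lame.example", "ns2.dnsprov.example"): SoaAnswer("REFUSED", False, False),
    # Broken self-hosted server: an outage, but nobody else can claim it.
    ("selfhost.example", "ns1.selfhost.example"): SoaAnswer("SERVFAIL", False, False),
    ("partial.example", "ns1.dnsprov.example"): SoaAnswer("NOERROR", True, True),
    # One of two delegated servers lost the zone; a claimant at otherprov
    # would answer for roughly half of all resolutions.
    ("partial.example", "ns1.otherprov.example"): SoaAnswer("SERVFAIL", False, False),
}


def constructed_lookup(domain: str, ns: str) -> SoaAnswer:
    """Stand-in for a real query; unknown pairs behave like a server that
    does not know the zone."""
    return DIRECT_SOA.get((domain, ns), SoaAnswer("REFUSED", False, False))


def is_lame(ans: SoaAnswer) -> bool:
    """A delegated server is lame for the zone unless it answers
    authoritatively with the zone's SOA."""
    return not (ans.rcode == "NOERROR" and ans.authoritative and ans.has_soa)


def provider_of(ns: str) -> str:
    # Assumption: the last two labels of the nameserver identify its operator.
    return ".".join(ns.split(".")[-2:])


def assess(domain: str, parent_ns: List[str],
           lookup: Callable[[str, str], SoaAnswer]) -> dict:
    """Classify one delegation. 'sitting_duck_candidate' means at least one
    delegated nameserver belongs to an operator other than the domain itself
    and is lame. Whether that operator lets a stranger claim the zone is a
    provider-policy question this check cannot answer from outside."""
    lame = [ns for ns in parent_ns if is_lame(lookup(domain, ns))]
    third_party = [ns for ns in lame if provider_of(ns) != domain]
    return {
        "domain": domain,
        "lame_ns": lame,
        "all_lame": len(lame) == len(parent_ns),
        "sitting_duck_candidate": bool(third_party),
    }


def scan(parent_ns_map: Dict[str, List[str]],
         lookup: Callable[[str, str], SoaAnswer] = constructed_lookup) -> List[dict]:
    return [assess(d, nss, lookup) for d, nss in parent_ns_map.items()]


if __name__ == "__main__":
    for r in scan(PARENT_NS):
        flag = "CANDIDATE" if r["sitting_duck_candidate"] else "ok"
        print(f"{r['domain']:18} {flag:10} lame={r['lame_ns']}")
```

To run this against real domains, replace `constructed_lookup` with a function
that resolves each delegated nameserver and sends it an SOA query for the
domain (with dnspython: `dns.message.make_query(domain, "SOA")` sent via
`dns.query.udp()`, reading `rcode()` and the AA flag of the reply), and feed it
the NS set from the parent zone rather than from a recursive resolver, since a
cached answer can hide a delegation that is already lame. A domain the check
flags is fixed at the registrar: either remove the stale NS records or
re-create the zone at the provider under your own account before someone else
does.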

------------------------------

Date: Tue, 30 Jul 2024 11:45:06 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: About Kid's Online Safety Act and age verification

For anyone who points out that the Kids Online Safety Act doesn't
actually REQUIRE government IDs for age verification, let me assure
you that this is, to use the vernacular, a subterfuge.

The liabilities created by the legislation for violations by the
targeted sites are so large that nothing short of age verification via
government IDs will satisfy their own legal departments in the long
run -- and with good reason.

This doesn't mean uploading IDs to each site -- the anticipated model
is third party verifiers -- but that doesn't actually reduce (and may
actually increase) the privacy and tracking abuse risks associated
with these age verification models, for a variety of technical
reasons. -L

------------------------------

Date: Tue, 30 Jul 2024 19:21:47 -0400
From: "Jan Wolitzky" <jan.wolitzky@gmail.com>
Subject: A $100b plan with "70% risk of killing us all" (Stephen Fry)

Apart from his comedic, dramatic, and literary endeavors, Stephen Fry
is widely known for his avowed technophilia. He once wrote a column on
that theme, “Dork Talk,” for the Guardian, in whose inaugural dispatch
he laid out his credentials by claiming to have been the owner of only
the second Macintosh computer sold in Europe (“Douglas Adams bought
the first”), and never to have “met a smartphone I haven’t bought.”
But now, like many of us who were “dippy about all things digital” at
the end of the last century and the beginning of this one, Fry seems
to have his doubts about certain big-tech projects in the works today:
take the “$100-billion plan with a 70-percent risk of killing us all”
described in this video:

<https://www.youtube.com/watch?v=-H7e4XlMgg0>

[found on Open Culture, July 26th, 2024]

------------------------------

Date: Fri, 2 Aug 2024 08:49:38 -0700
From: Victor Miller <victorsmiller@gmail.com>
Subject: Leaked github token could have put the entire python
  infrastructure at risk (TechRadar)

https://www.techradar.com/pro/security/github-token-leak-could-have-put-the-entire-python-language-at-risk

------------------------------

Date: Sat, 3 Aug 2024 06:47:59 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: Argentina will use AI to ‘predict future crimes’ but experts worry
  for citizens’ rights (The Guardian)

*President Javier Milei creates security unit as some say certain groups
may be overly scrutinized by the technology*

Argentina’s security forces have announced plans to use artificial
intelligence to “predict future crimes” in a move experts have warned could
threaten citizens’ rights.

The country’s far-right president Javier Milei this week created the
Artificial Intelligence Applied to Security Unit
<https://www.boletinoficial.gob.ar/detalleAviso/primera/311381/20240729>,
which the legislation says will use “machine-learning algorithms to analyse
historical crime data to predict future crimes”. It is also expected to
deploy facial recognition software to identify “wanted persons”, patrol
social media, and analyse real-time security camera footage to detect
suspicious activities.

While the ministry of security has said the new unit will help to “detect
potential threats, identify movements of criminal groups or anticipate
disturbances”, the Minority Report-esque resolution has sent alarm bells
ringing among human rights organisations.

<https://english.elpais.com/international/2024-07-30/javier-mileis-government-will-monitor-social-media-with-ai-to-predict-future-crimes.html>

Experts fear that certain groups of society could be overly scrutinised by
the technology, and have also raised concerns over who -- and how many
security forces -- will be able to access the information. [...]

https://www.theguardian.com/world/article/2024/aug/01/argentina-ai-predicting-future-crimes-citizen-rights

------------------------------

Date: Sat, 3 Aug 2024 07:17:00 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: Re: Argentina will use AI to predict future crimes
  but experts worry for citizens' rights (The Guardian)

oh gee, doesn't this sound just "a wee bit" kinda like say John
Poindexter's *Total Information Awareness*? viz.:

*"Total Information Awareness* (*TIA*) was a mass detection program by the
United States Information Awareness Office
<https://en.wikipedia.org/wiki/Information_Awareness_Office>. It operated
under this title from February to May 2003 before being renamed *Terrorism
Information Awareness*.

[1] <https://en.wikipedia.org/wiki/Total_Information_Awareness#cite_note-dapra1-1>
[2] <https://en.wikipedia.org/wiki/Total_Information_Awareness#cite_note-rename-2>

------------------------------

Date: Wed, 31 Jul 2024 10:38:54 +0200
From: "Prof. Dr. Peter Bernard Ladkin" <ladkin@causalis.com>
Subject: Gender Dysphoria and the Cass Review - A Summary of a Discussion

I wrote my note explaining that the Cass Review had commissioned a thorough
literature review from a major research facility, and sent it not only to
Risks and PGN, but also to Martin Ward and Julian Bradfield. I also,
separately, drew the attention of some British colleagues who are
informaticians and also interested in social issues, one of whom is a
renowned expert in healthcare IT. He found my note appropriate.

Ward replied with what I can only describe as a deluge of citations which he
claims shows that the Cass Review is highly at fault. Many of them do not
mention the Cass Review; they are publications, some of them scientific and
some of them advocatory, which pose a different view of the care of gender
dysphoria than the Cass Review. Ward claims this is "evidence" and suggests
that, by not reading them, I am "ignoring the evidence".

The Cass Review reviewed the literature. The reviewers came to the view that
not much of it was of particularly high scientific quality. This shouldn't
surprise anybody, especially those of us peripherally familiar with the
medical and epimedical literature.

I don't see myself as reviewing the gender dysphoria literature, because the
subject is not my cup of tea. But I think it unlikely that there has
coincidentally been a breakthrough in scientific understanding of the
condition since the Cass Review completed its literature survey. If there
had been, I think I'd have read about it in reliable newspapers who report
on scientific breakthroughs such as The Guardian. I also imagine the Cass
Review would have generated an appendix on it.

So what Ward deluged me with is a bunch of opinion and work which takes a
different point of view from that of the Cass Review. Sure, I knew that that
existed. Some of it was even reviewed in newspapers when the Cass Review
came out. Much of it seems to come from North America. Anybody who has spent
significant time in the US as well as Britain and Continental Europe is well
aware of the radical differences in approach to health care and its
structure. Many essays have been written on this subject, and this will not
be another. Suffice it to say that it is quite plausible that the standard
of care for a condition such as gender dysphoria in the USA and in the UK
might, for very good reason, be very different. Also that it might well
converge in the future, as tends to happen when conditions become better
understood.

What Ward unfortunately did not do is provide me with a list of specific
mistakes that he claims the Cass Review has made, along with anything that
would count for me as proof of these mistakes. As someone who writes such
documents (but not in this field), I do know how much work it takes. I also
know that they are much more valuable to a reader.

He also hasn't provided an explanation of why he thinks a particular point
of view of an advocacy group (which seems to account for a goodly proportion
of what he cited to me) counts for him as "evidence" against particular
points made in the Cass Review when for me it counts as yet another opinion
from an advocacy group. I asked Ward what his motivation is, but didn't
receive what I would regard as a plausible answer.

So I don't see this particular discussion as proceeding much further.
Neither does PGN.

PGN expressed concern that the form of discussions enabled by the Internet
are often, to put it in a word, broken. Yes, some forms indeed are. But
let's think back to, say, 1993. I'd have read about the Cass Review in the
newspaper. I wouldn't have read the Review itself -- I would have had to
have written to a government publisher and sent payment and got a copy a few
weeks later in the post. And I wouldn't have done so. If I had wanted to
find out what kind of literature review was conducted and by whom, I likely
couldn't have done so without purchasing and reading the report (it is not
likely to be in many public libraries in Germany). Now, the
literature-review proposal is on the University of York's WWW site for
everyone to read for free. Some things, some kind of information such as
this, have got immeasurably better. Let's not forget that.

  [I have blown the whistle on the pending interchange, and have allowed
  this one final summary of a nonconverging series of rants. PGN]

------------------------------

Date: Wed, 31 Jul 2024 09:27:58 -0700
From: "Jim" <jgeissman@socal.rr.com>
Subject: Re: Google reverts TV YouTube app to original search history behavior

This reminds me of what MS did in the Feb 2024 Windows update. File manager
searches used to look at least part of the path beyond the file name. So if
<https://www.boletinoficial.gob.ar/detalleAviso/primera/311381/20240729> Unit,
you had a folder Arizona which contained a file Grand Canyon, the file would
which the legislation says will use “machine-learning algorithms to analyse
be found by searching for Arizona. The update changed that, and now it seems
historical crime data to predict future crimes”. It is also expected to
only the file name is examined. I wonder how many other file and folder
deploy facial recognition software to identify “wanted persons”, patrol
naming schemes stopped working.
social media, and analyse real-time security camera footage to detect

suspicious activities.
------------------------------

While the ministry of security has said the new unit will help to “detect
Date: Wed, 31 Jul 2024 06:58:08 -0700
potential threats, identify movements of criminal groups or anticipate
From: "Jim" <jgeissman@socal.rr.com>
disturbances”, the Minority Report-esque resolution has sent alarm bells
Subject: Re: AT&T local news
ringing among human rights organisations.

My U-verse went out. This is like DSL that uses the POTS copper wires for
<https://english.elpais.com/international/2024-07-30/javier-mileis-government-will-monitor-social-media-with-ai-to-predict-future-crimes.html>
the last block. There are 26 houses on the block, 7 at my end, with the

connection to the network at the other end. The AT&T technician told me
Experts fear that certain groups of society could be overly scrutinised by
there are 9 wires at my pole, for the 7 houses plus fax machines, etc. a
the technology, and have also raised concerns over who – and how many
couple of decades ago. The tech said only one of the wires might work, so he
security forces – will be able to access the information. [...]
tried it and it does work. I asked, if he gives me the only active wire,

what about the rest of the customers? He replied, there is only one, and
https://www.theguardian.com/world/article/2024/aug/01/argentina-ai-predicting-future-crimes-citizen-rights
it's inactive. Looks like total victory to the cell phones and squirrels,

and apparently AT&T owns a lot of non-functioning copper wire.
------------------------------

------------------------------
Date: Sat, 3 Aug 2024 07:17:00 -0700

From: geoff goodfellow <geoff@iconia.com>
Date: Tue, 30 Jul 2024 10:40:20 +0100
Subject: Re: Argentina will use AI to predict future crimes
From: Martin Ward <mwardgkc@gmail.com>
but experts worry for citizens' rights (The Guardian)
Subject: Re: Switzerland now requires all government software to be

open source (Shapir, RISKS-34.38)
oh gee, doesn't this sound just "a wee bit" kinda like say John

Poindexter's *Total Information Awareness*? viz.:
> Companies who wish to keep their code hidden can do it while still

> formally complying with the law. E.g., they can post code in assembly
*"Total Information Awareness* (*TIA*) was a mass detection program by the
> (which can be generated automatically by tools like "cc -S") if
> regulations allow it

As it happens, the framers of the Gnu General Public Licence, Version 3, 29
June 2007, have already thought of this wriggle and countered it:

United States Information Awareness Office
1. Source Code.
<https://en.wikipedia.org/wiki/Information Awareness_Office>. It operated

under this title from February to May 2003 before being renamed *Terrorism
The "source code" for a work means the preferred form of the work
Information Awareness*.
for making modifications to it. "Object code" means any non-source

form of a work.
[1]

<https://en.wikipedia.org/wiki/Total_Information_Awareness#cite_note-dapra1-1>
------------------------------
[2]

<https://en.wikipedia.org/wiki/Total_Information_Awareness#cite_note-rename-2>
Date: Tue, 30 Jul 2024 08:41:30 +0100

From: Wols Lists <antlists@youngman.org.uk>
------------------------------
Subject: Re: Switzerland now requires all government software to

be open source (RISKS-34.38)
Date: Wed, 31 Jul 2024 10:38:54 +0200

From: "Prof. Dr. Peter Bernard Ladkin" <ladkin@causalis.com>
All being well, the legislators will look at the long history of FLOSS. It
explicitly defines source code as being "the preferred form for programmers
Subject: Gender Dysphoria and the Cass Review - A Summary of a Discussion
to modify it".

I wrote my note explaining that the Cass Review had commissioned a thorough
The mere act of running an obfuscator is a breach of the GPL, and if a
literature review from a major research facility, and sent it not only to
company is happy writing code using an assembler or machine code, then
Risks and PGN, but also to Martin Ward and Julian Bradfield. I also,
releasing source like that would comply, but running your binary through as
separately, drew the attention of some British colleagues who are
disassembler and releasing that would not, if your programmers worked in eg
informaticians and also interested in social issues, one of whom is a
Rust.
renowned expert in healthcare IT. He found my note appropriate.

Ward replied with what I can only describe as a deluge of citations which he
claims shows that the Cass Review is highly at fault. Many of them do not
mention the Cass review; they are publications, some of them scientific and
some of them advocatory, which pose a different view of the care of gender
dysphoria than the Cass Review. Ward claims this is "evidence" and suggests
that, by not reading them, I am "ignoring the evidence".

The Cass Review reviewed the literature. The reviewers came to the view that
not much of it was of particularly high scientific quality. This shouldn't
surprise anybody, especially those of us peripherally familiar with the
medical and epimedical literature.

I don't see myself as reviewing the gender dysphoria literature, because the
subject is not my cup of tea. But I think it unlikely that there has
coincidentally been a breakthrough in scientific understanding of the
condition since the Cass Review completed its literature survey. If there
had been, I think I'd have read about it in reliable newspapers who report
on scientific breakthroughs such as The Guardian. I also imagine the Cass
Review would have generated an appendix on it.

So what Ward deluged me with is a bunch of opinion and work which takes a
different point of view from that of the Cass Review. Sure, I knew that that
existed. Some of it was even reviewed in newspapers when the Cass Review
came out. Much of it seems to come from North America. Anybody who has spent
significant time in the US as well as Britain and Continental Europe is well
aware of the radical differences in approach to health care and its
structure. Many essays have been written on this subject, and this will not
be another. Suffice it to say that it is quite plausible that the standard
of care for a condition such as gender dysphoria in the USA and in the UK
might, for very good reason, be very different. Also that it might well
converge in the future, as tends to happen when conditions become better
understood.

What Ward unfortunately did not do is provide me with a list of specific
mistakes that he claims the Cass Review has made, along with anything that
would count for me as proof of these mistakes. As someone who writes such
documents (but not in this field), I do know how much work it takes. I also
know that they are much more valuable to a reader.

He also hasn't provided an explanation of why he thinks a particular point
of view of an advocacy group (which seems to account for a goodly proportion
of what he cited to me) counts for him as "evidence" against particular
points made in the Cass Review when for me it counts as yet another opinion
from an advocacy group. I asked Ward what his motivation is, but didn't
receive what I would regard as a plausible answer.

So I don't see this particular discussion as proceeding much further. Neither does PGN.

PGN expressed concern that the form of discussions enabled by the Internet
is often, to put it in a word, broken. Yes, some forms indeed are. But
let's think back to, say, 1993. I'd have read about the Cass Review in the
newspaper. I wouldn't have read the Review itself -- I would have had to
have written to a government publisher and sent payment and got a copy a few
weeks later in the post. And I wouldn't have done so. If I had wanted to
find out what kind of literature review was conducted and by whom, I likely
couldn't have done so without purchasing and reading the report (it is not
likely to be in many public libraries in Germany). Now, the
literature-review proposal is on the University of York's WWW site for
everyone to read for free. Some things, some kind of information such as
this, have got immeasurably better. Let's not forget that.

[I have blown the whistle on the pending interchange, and have allowed
this one final summary of a nonconverging series of rants. PGN]

------------------------------

Date: Wed, 31 Jul 2024 09:27:58 -0700
From: "Jim" <jgeissman@socal.rr.com>
Subject: Re: Google reverts TV YouTube app to original search history behavior

This reminds me of what MS did in the Feb 2024 Windows update. File manager
searches used to look at least part of the path beyond the file name. So if
you had a folder Arizona which contained a file Grand Canyon, the file would
be found by searching for Arizona. The update changed that, and now it seems
only the file name is examined. I wonder how many other file and folder
naming schemes stopped working.

------------------------------

Date: Wed, 31 Jul 2024 06:58:08 -0700
From: "Jim" <jgeissman@socal.rr.com>
Subject: Re: AT&T local news

My U-verse went out. This is like DSL that uses the POTS copper wires for
the last block. There are 26 houses on the block, 7 at my end, with the
connection to the network at the other end. The AT&T technician told me
there are 9 wires at my pole, for the 7 houses plus fax machines, etc. a
couple of decades ago. The tech said only one of the wires might work, so he
tried it and it does work. I asked, if he gives me the only active wire,
what about the rest of the customers? He replied, there is only one, and
it's inactive. Looks like total victory to the cell phones and squirrels,
and apparently AT&T owns a lot of non-functioning copper wire.

------------------------------

Date: Tue, 30 Jul 2024 10:40:20 +0100
From: Martin Ward <mwardgkc@gmail.com>
Subject: Re: Switzerland now requires all government software to be
open source (Shapir, RISKS-34.38)

> Companies who wish to keep their code hidden can do it while still
> formally complying with the law. E.g., they can post code in assembly
> (which can be generated automatically by tools like "cc -S") if
> regulations allow it

As it happens, the framers of the Gnu General Public Licence, Version 3, 29
June 2007, have already thought of this wriggle and countered it:

1. Source Code.

The "source code" for a work means the preferred form of the work
for making modifications to it. "Object code" means any non-source
form of a work.

------------------------------

Date: Tue, 30 Jul 2024 08:41:30 +0100
From: Wols Lists <antlists@youngman.org.uk>
Subject: Re: Switzerland now requires all government software to
be open source (RISKS-34.38)

All being well, the legislators will look at the long history of FLOSS. It
explicitly defines source code as being "the preferred form for programmers
to modify it".

The mere act of running an obfuscator is a breach of the GPL, and if a
company is happy writing code using an assembler or machine code, then
releasing source like that would comply, but running your binary through as
disassembler and releasing that would not, if your programmers worked in eg
Rust.

------------------------------

Date: Tue, 30 Jul 2024 12:50:19 +0100
From: Jurek Kirakowski <jzk@uxp.ie>
Subject: Re: CrowdStrike and fuzz testing

Martin Ward's summary of fuzz testing practices took me back to those old
punchcard days - and the severe admonitions of my programming tutors about
writing software which did not thoroughly test input data. The poem
Jabberwocky and a listing of prime numbers up to 1000 were some of our
amusing test data decks, but most important were test decks that followed
the syntax of the expected input but which were semantically abnormal. I
have always followed this practice. Detecting these of course raises the
line count of software considerably.

His analysis of the debacle with CrowdStrike reminded me of perhaps the most
basic principle of disaster analysis: "fatal errors are rarely one-off
mistakes, they are the cumulative effect of many small and possibly
over-looked mistakes - and even the cumulative effect of slightly misguided
corporate policies."

His remarks on how MicroSoft may be changing perceptions about the release
of known buggy software followed by an endless chain of fixes and updates
reminds me of what Stalin is reputed to have said: "the future is
certain. It is history which is subject to revision."
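
Kirakowski's point about test decks that follow the syntax of the expected
input but are semantically abnormal, as an added example that is not part of
his post or of the digest: a constructed rule-file format, a loader that
checks only the syntax beside one that checks the semantics the consumer
depends on, and a deck derived from one valid record. The field layout,
ranges and the seed record are all assumptions made for this illustration.

```python
"""Syntax-valid but semantically abnormal test records (added example).

The record format is a constructed stand-in for any rule/content file a
program loads at startup: one rule per line, colon-separated, exactly
FIELDS fields: id:action:threshold:pattern.
"""
import re
from dataclasses import dataclass

FIELDS = 4                       # the consumer is written for exactly this many
ACTIONS = {"allow", "alert", "block"}
ID_RE = re.compile(r"^[0-9a-f]{8}$")


@dataclass(frozen=True)
class Rule:
    rule_id: str
    action: str
    threshold: int
    pattern: str


def parse_naive(line: str) -> Rule:
    """Checks only the syntax: split on ':' and index positionally.
    A short record raises IndexError, a long record is silently truncated,
    and an out-of-range threshold is accepted without complaint."""
    f = line.rstrip("\n").split(":")
    return Rule(f[0], f[1], int(f[2]), f[3])


def parse_validated(line: str) -> Rule:
    """Checks the semantics the consumer relies on, not just the syntax."""
    f = line.rstrip("\n").split(":")
    if len(f) != FIELDS:
        raise ValueError(f"expected {FIELDS} fields, got {len(f)}")
    rule_id, action, threshold, pattern = f
    if not ID_RE.match(rule_id):
        raise ValueError(f"bad id {rule_id!r}")
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if not threshold.isdigit() or not 0 < int(threshold) <= 1000:
        raise ValueError(f"threshold out of range: {threshold!r}")
    if not pattern:
        raise ValueError("empty pattern")
    try:
        re.compile(pattern)
    except re.error as e:
        raise ValueError(f"pattern does not compile: {e}") from None
    return Rule(rule_id, action, int(threshold), pattern)


def abnormal_deck(seed: str) -> dict[str, str]:
    """Derives records that still look like rules but each violate one
    assumption the consumer makes; a sound loader must reject every one."""
    f = seed.split(":")
    return {
        "one field short":  ":".join(f[:-1]),
        "one field extra":  seed + ":extra",
        "empty pattern":    ":".join(f[:3] + [""]),
        "zero threshold":   ":".join([f[0], f[1], "0", f[3]]),
        "huge threshold":   ":".join([f[0], f[1], "99999999", f[3]]),
        "signed threshold": ":".join([f[0], f[1], "-5", f[3]]),
        "unknown action":   ":".join([f[0], "ALLOW", f[2], f[3]]),
        "bad regex":        ":".join(f[:3] + ["(unclosed"]),
        "non-hex id":       ":".join(["zzzz0000"] + f[1:]),
    }


def run_deck(deck: dict[str, str], parser) -> dict[str, bool]:
    """Feeds each record to the parser; True means the record was rejected."""
    out = {}
    for name, rec in deck.items():
        try:
            parser(rec)
            out[name] = False
        except (ValueError, IndexError):
            out[name] = True
    return out


SEED = "0badf00d:block:50:^GET /admin"   # constructed, valid record

if __name__ == "__main__":
    naive = run_deck(abnormal_deck(SEED), parse_naive)
    strict = run_deck(abnormal_deck(SEED), parse_validated)
    for name in naive:
        print(f"{name:17} naive rejects={naive[name]!s:5} validated rejects={strict[name]}")
```

The syntax-only loader rejects just the record that is too short (and only
by crashing); every other abnormal record reaches the consumer unchanged.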

------------------------------

Date: Tue, 30 Jul 2024 08:54:00 +0100
From: Wols Lists <antlists@youngman.org.uk>
Subject: Re: Robots sacked, screenings shut down: a new movement of Luddites is
rising up against AI (Ed Newton-Rex)

I've just had a web discussion about databases etc, and that has made me
realise why Computing in general (and databases in particular) are so
wasteful.

I've always been aware of the tendency of computing to seek perfection
(driven I suspect, by the "Publish or Perish" mentality in Universities).

But I had a very "interesting" discussion where it was obvious that most of
my protagonists were saying "we need to guarantee response times and provide
100% availability". For most people, WHY?!

My favourite database (MultiValue) guarantees data retrieval of 95% with --
in the non-pathological cold worst case - just ONE cache miss. I work in an
office where I only need one third of one nine availability.

Yet I'm expected to work with a database that - in the name of reliability
-- regularly takes so long to respond that my client software falls over
with annoying regularity thanks to database timeouts.

I guess the cost of all this extra (un)reliability as an extra nought on
costs, so why on earth are we paying it? Especially when abandoning the
search for perfection is almost certain to lead to much improved
availability and response times.

------------------------------

Date: Fri, 2 Aug 2024 15:12:23 -0400
From: DrM Rebecca Mercuri <notable@mindspring.com>
Subject: IEEE Project on Digital Forensics for Trusted Learning Systems

[I hope they mean Trustworthy. I don't trust them today. PGN]

Readers of Risks may be interested in joining an IEEE project to develop a
standard for digital forensics investigation of student and perhaps also
faculty data (see below). The implementation of such investigative tools
should be of great concern, especially with respect to privacy and use. The
idea of creating a forensic investigation back-door seems to inherently
violate the integrity of a trusted learning system, but perhaps I am
misunderstanding what they are trying to accomplish. [Note: To join an IEEE
Standards group, one typically must be a member of IEEE ($212) as well as a
member of their Standards Association ($66).] If you attend the working
group meeting, please report what they are planning back to Risks.

The IEEE Standards Association (IEEE SA) <https://standards.ieee.org/>
extends an invitation for your participation in the Working Group for the
P2834.1 Standard for Digital Forensics on Trusted Learning Systems
<https://standards.ieee.org/ieee/2834.1/11538/>.This standard specifies
technical requirements on a forensic-investigation-ready infrastructure
for learning systems. The standard delineates technical requirements and
conformance criteria essential for ensuring adherence to prevalent
regulations governing the protection of digital evidence in kindergarten
to 12th grade (K12) and Higher Education environments and making the
system forensically ready to investigate in case of a security incident.

The Working Group has a meeting scheduled:

*DATE: *30 August 2024
*TIME: *1 PM Central/ 2 PM EST*
*For additional information, contact:*
*IEEE P2834.1™ Working Group Chair:*
Cihan Varol <cvarol@shsu.edu>
<https://go.standards.ieee.org/MjExLUZZTC05NTUAAAGUsgpntz4OalxDr17x51T_Ex1PjMO7OIeTx_Dk7w8zd-kf0cFvmaMY1nyqucSJSH4m7z5qDNg=>

*IEEE SA Program Manager:*
Patrycja Jarosz <p.jarosz@ieee.org>
<https://go.standards.ieee.org/MjExLUZZTC05NTUAAAGUsgpnt6D1i2jJcTrc_YGVZ9009swfQyiXi7ZRyQ0wAD1l_TFDO4wjyw2n20vKTRU28jTBpyU=>

------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) has moved to the ftp.sri.com site:
<risksinfo.html>.
*** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
delightfully searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 34.39
************************
