RISKS-LIST: Risks-Forum Digest  Sunday 16 Jun 2024  Volume 34 : Issue 31

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/34.31>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Waymo issues software and mapping recall after robotaxi crashes into a telephone pole (The Verge)
Driver using FSD, staring at phone ... (LATimes)
Voting machine contract under scrutiny following discrepancies in Puerto Rico's primaries (AP)
Phishing attack hits L.A. County public health agency, jeopardizing 200,000-plus residents' personal info (LATimes)
Leaked documents reveal patient safety issue at Amazon's One Medical (The Washington Post)
Crooks plant backdoor in software used by courtrooms around the world (Dan Goodin)
How a New Jersey man was wrongly arrested through facial recognition tech now in use in Ontario (CBC)
Clearview AI Used Your Face. Now You May Get a Stake in the Company. (NYTimes)
Microsoft Refused to Fix Flaw Years Before SolarWinds Hack (ProPublica)
iOS 18 cracks down on apps asking for full address book access (TechCrunch)
A reportedly fake group recruited a real candidate for Congress (Politico)
After sustained attacks by the GOP, Stanford Internet Observatory is being shut down (Casey Newton and Zoë Schiffer)
Tile/Life360 Breach: Millions of Users' Data at Risk (Security Boulevard)
Generative AI and the law (Lauren Weinstein)
New Wi-Fi Takeover Attack -- All Windows Users Warned To Update Now (Forbes)
Japan Runs on Vending Machines. It’s About to Break Millions of Them. (NYTimes)
The surprisingly not so doomed effort to force U.S.
  drivers to stop speeding (The Verge)
Vax (Jim Geissman)
The Age of the Drone Police Is Here (WiReD)
MXThunder and FBL (Cliff Kilby)
Retired engineer discovers 55-year-old bug in Lunar Lander computer game code (Ars Technica)
Google, Cloudflare & Cisco Will Poison DNS to Stop Piracy Block Circumvention (TorrentFreak)
Wells Fargo Fires Over a Dozen for 'mouse jiggling' (Henry Baker)
Why Microsoft, Google, and others screw up (Lauren Weinstein)
Re: Microsoft and Recall (Lauren Weinstein)
Re: Tom Van Vleck (Cliff Kilby)
Quote of The Day (Edward Snowden)
Re: Quote of The Day (James Joyce)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 13 Jun 2024 09:45:44 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Waymo issues software and mapping recall after robotaxi crashes into a telephone pole (The Verge)

https://www.theverge.com/2024/6/12/24175489/waymo-recall-telephone-poll-crash-phoenix-software-map

  [Indeed, in this complex mathematical world in which we live, stability requires all the poles being in the left-half plane. (Wikipedia notes that 75 countries drive on the left.) In the U.S., where driving is on the right side of the road, there are many poles on the right side. Somehow, that sounds much less safe! PGN]

------------------------------

Date: Fri, 14 Jun 2024 09:53:20 +0100
From: Julia Segal <ju...@flydiem.com>
Subject: Driver using FSD, staring at phone ... (LATimes)

https://www.latimes.com/california/story/2024-06-13/self-driving-tesla-narrowly-misses-police-officer-before-slamming-into-patrol-car-in-orange-county

------------------------------

Date: Sat, 15 Jun 2024 09:31:26 -0700
From: the keyboard of geoff goodfellow <ge...@iconia.com>
Subject: Voting machine contract under scrutiny following discrepancies in Puerto Rico's primaries (AP)

Puerto Rico's elections commission said Tuesday that it's reviewing its contract with a U.S.
electronic voting company after hundreds of discrepancies were discovered following the island's heated primaries.
<https://apnews.com/article/puerto-rico-primaries-pierluisi-gonzalez-zaragoza-ortiz-62343cc879f4c5c73a9c0eec39325086>

The problem stemmed from a software issue that caused machines supplied by Dominion Voting Systems to incorrectly calculate vote totals, said Jessika Padilla Rivera, the commission's interim president.

While no one is contesting the results from the June 2 primary that correctly identify the winners, machine-reported vote counts were lower than the paper ones in some cases, and some machines reversed certain totals or reported zero votes for some candidates.

``The concern is that we obviously have elections in November, and we must provide the (island) not only with the assurance that the machine produces a correct result, but also that the result it produces is the same one that is reported,'' Padilla said.

More than 6,000 Dominion voting machines were used in Puerto Rico's primaries, with the company stating that software issues stemmed from the digital files used to export results from the machines.

------------------------------

Date: Sun, 16 Jun 2024 06:54:26 -0700
From: Steve Bacher <seb...@verizon.net>
Subject: Phishing attack hits L.A. County public health agency, jeopardizing 200,000-plus residents' personal info (LATimes)

Here we go again...

Phishing attack hits L.A. County public health agency, jeopardizing 200,000-plus residents' personal info.

The personal information of more than 200,000 people in Los Angeles County was potentially exposed after a hacker used a phishing email to steal login credentials.
https://www.latimes.com/california/story/2024-06-14/la-county-public-health-data-breach-possibly-affects-200-000-are-you-one-of-them

------------------------------

Date: Sun, 16 Jun 2024 01:26:40 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: Leaked documents reveal patient safety issue at Amazon's One Medical (The Washington Post)

Patient safety issues have increased since One Medical shifted care to a call center staffed by contractors, employees say.

Since Amazon acquired the primary-care service One Medical, elderly patients have been routed to a call center -- staffed partly by contractors with limited training -- that failed on more than a dozen occasions to seek immediate attention for callers with urgent symptoms, according to internal documents seen by The Washington Post.

When one patient reported a “blood clot, pain and swelling,” call center staff scheduled an appointment rather than escalating the matter for medical evaluation, according to a note in an internal incident tracking spreadsheet dated Feb. 19.

Over the following two days, clinical staffers flagged four more call-center errors involving elderly patients with urgent complaints, including stomach pain and blood in stool, a spike in blood pressure, an insect bite and sudden rib pain, according to the internal spreadsheet.

The call-center incidents were among dozens flagged by doctors, nurses and assistants at One Medical Seniors between Feb. 19 and March 18 in the documents, a year after Amazon acquired the primary-care service.

One Medical began routing elderly patients to the call center in Tempe, Ariz., staffed partly by newly hired contractors with limited training and little to no medical experience, according to internal documents seen by The Post and interviews with four current and former One Medical workers.
https://www.washingtonpost.com/technology/2024/06/15/amazon-one-medical-patient-safety

------------------------------

Date: Sun, 16 Jun 2024 06:19:07 -0700
From: Brian Berg <brianb...@gmail.com>
Subject: Crooks plant backdoor in software used by courtrooms around the world (Dan Goodin)

Dan Goodin, *ArsTechnica*, 23 May 2024

It's unclear how the malicious version of JAVS Viewer came to be.

https://arstechnica.com/security/2024/05/crooks-plant-backdoor-in-software-used-by-courtrooms-around-the-world/

------------------------------

Date: Thu, 13 Jun 2024 06:14:43 -0600
From: Matthew Kruk <mkr...@gmail.com>
Subject: How a New Jersey man was wrongly arrested through facial recognition tech now in use in Ontario (CBC)

https://www.cbc.ca/news/canada/facial-recognition-technology-police-1.7228253

A New Jersey man who was wrongly jailed after being misidentified through facial recognition software has a message for two Ontario police agencies now using the same technology.

"There's clear evidence that it doesn't work," Nijeer Parks said.

Parks, now 36, spent 10 days behind bars for a January 2019 theft and assault on a police officer that he didn't commit. He said he was released after he provided evidence he was in another city, making a money transfer at the time of the offence. Prosecutors dropped the case the following November, according to an internal police report.

------------------------------

Date: Thu, 13 Jun 2024 22:28:35 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Clearview AI Used Your Face. Now You May Get a Stake in the Company.

The facial recognition start-up doesn't have the funds to settle a class-action lawsuit, so lawyers are proposing equity for those whose faces were scraped from the Internet.
https://www.nytimes.com/2024/06/13/technology/clearview-ai-facial-recognition-settlement.html

------------------------------

Date: Thu, 13 Jun 2024 15:17:53 +0000
From: Victor Miller <victorsmil...@gmail.com>
Subject: Microsoft Refused to Fix Flaw Years Before SolarWinds Hack (ProPublica)

https://www.propublica.org/article/microsoft-solarwinds-golden-saml-data-breach-russian-hackers

------------------------------

Date: Sat, 15 Jun 2024 13:30:10 -0400
From: Ruth Hertz <kap...@verizon.net>
Subject: iOS 18 cracks down on apps asking for full address book access (TechCrunch)

https://techcrunch.com/2024/06/12/ios-18-cracks-down-on-apps-asking-for-full-address-book-access/

------------------------------

Date: Fri, 14 Jun 2024 05:49:25 -0700
From: Steve Bacher <seb...@verizon.net>
Subject: A reportedly fake group recruited a real candidate for Congress (Politico)

Though the group claims to be run by citizens across 14 states, researchers at the Institute for Strategic Dialogue found it was all managed by the same unknown person or small group of people.

Dennis Hayes, a retired builder in Townsend, Montana, had strong libertarian leanings and a bone to pick with the U.S. Bureau of Land Management. Then he got an unexpected tap on the shoulder.

The call came from a man in Arizona identifying himself as a volunteer for the Patriots Run Project, a group recruiting right-leaning conservatives to run for office. Would he run for Congress? A donor provided the $1,340 he needed to register. Since that call in February, Hayes has been running against incumbent Rep. Ryan Zinke, a Trump-friendly Republican who he is challenging from the right.

Just one problem: The Patriots Run Project, according to a new research report, is a fake grassroots group that was running numerous accounts on Facebook without any identifiable people behind the operation.
Though the group claims to be run by citizens across 14 states, researchers at the Institute for Strategic Dialogue, a nonprofit that researches disinformation, found it was all managed by the same unknown person or small group of people who cross-posted content and all listed the same address at a UPS store in Washington.

The network of accounts ran for nearly a year until Meta removed them last week for violating its policies against inauthentic accounts misleading users.

Hayes, however, is still running for office, in a bizarre example of how fake groups online can shape politics in the real world. [...]

https://www.politico.com/news/2024/06/14/fake-political-group-montana-candidate-00163036

------------------------------

Date: Thu, 13 Jun 2024 16:09:56 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: After sustained attacks by the GOP, Stanford Internet Observatory is being shut down (Casey Newton and Zoë Schiffer)

House Republicans attacked the lab's reports on misinformation and [attacks on] election integrity -- and now Stanford is pulling the plug.

https://www.platformer.news/stanford-internet-observatory-shutdown-stamos-diresta-sio/

------------------------------

Date: Sat, 15 Jun 2024 01:10:38 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: Tile/Life360 Breach: Millions of Users' Data at Risk (Security Boulevard)

Location tracking service leaks PII, because -- incompetence?

An anonymous hacker breached the internal support systems of Tile (ASX:360). They grabbed “millions” of customer data records by wielding two incredibly simple techniques. Companies must do better!

It’s yet another story of failed anti-scraping defenses (see also: Dell, 23andMe). And of stolen employee credentials—with no 2FA/MFA to protect critical internal systems (see also: LastPass, Ticketmaster).

Parent company Life360’s CEO Chris Hulls (pictured) is putting a brave face on it. In today’s SB Blogwatch, we wish these firms would get the message.
https://securityboulevard.com/2024/06/tile-life360-breach-richixbw

------------------------------

Date: Fri, 14 Jun 2024 09:00:47 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Generative AI and the law

A federal law should be passed making AI firms fully responsible for any and all content disseminated from their generative AI systems. Period. No exceptions. -L

  [That would be a dramatic end to chatbots? PGN]

------------------------------

Date: Fri, 14 Jun 2024 23:51:12 +0000
From: Victor Miller <victorsmil...@gmail.com>
Subject: New Wi-Fi Takeover Attack -- All Windows Users Warned To Update Now (Forbes)

https://www.forbes.com/sites/daveywinder/2024/06/14/new-wi-fi-takeover-attack-all-windows-users-warned-to-update-now/

------------------------------

From: Monty Solomon <mo...@roscom.com>
Date: Thu, 13 Jun 2024 22:13:59 -0400
Subject: Japan Runs on Vending Machines. It’s About to Break Millions of Them. (NYTimes)

New yen notes set to be introduced this summer won’t be compatible with many machines that businesses like ramen shops rely on.

https://www.nytimes.com/2024/06/07/world/asia/japan-bank-notes-vending-machines.html

  [This gives entirely new meaning to having a Yen for Ramen. What is more, businesses like ramen shops! Really. PGN]

------------------------------

Date: Thu, 13 Jun 2024 09:45:13 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: The surprisingly not so doomed effort to force U.S. drivers to stop speeding (The Verge)

https://www.theverge.com/2024/6/12/24176403/intelligent-speed-assistance-iihs-safety-limiters-governor

  [See my comment on the driver crashing at 100 mph in RISKS-34.25-26 about having some sort of sanity limit. PGN]

------------------------------

Date: Fri, 14 Jun 2024 17:16:27 -0700
From: "Jim" <jgeiss...@socal.rr.com>
Subject: Vax

Sometimes it seems these days an entire topic is fake, not to mention everything said about it.
https://www.msn.com/en-us/news/news/content/ar-BB1oeXxQ?ocid=sapphireappshare

------------------------------

Date: Tue, 11 Jun 2024 23:14:05 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: The Age of the Drone Police Is Here (WiReD)

A WIRED investigation, based on more than 22 million flight coordinates, reveals the complicated truth about the first full-blown police drone program in the U.S. -- and why your city could be next.

https://www.wired.com/story/the-age-of-the-drone-police-is-here/

------------------------------

Date: Fri, 14 Jun 2024 17:27:16 -0400
From: Cliff Kilby <cliffjki...@gmail.com>
Subject: MxThunder and FBL

If you're a US Client of MxThunder, it might be time to validate your CAN-SPAM compliance.

I got a marketing email from one of their client domains. Email appeared to be a harvested loan scam/UCE. I attempted to report it to the client domain, via abuse@. Routed email box doesn't exist, but thanks for dumping the internal naming scheme back. Tried postmaster@client, also unroutable but to another user alias. Nice, I'm racking up the data here. Tried abuse@mxthunder. Another unroutable email. So on to postmaster. Oh dear, postmaster appears to have caused a vhost routing error. I wonder how severe that crash was.

  delivery failed to mailbox /vhosts/1: unable to create lock file /vhosts/1.lock: No such file or directory

If their infrastructure does not provide compliance, it is on each client to validate. If your org does not have a functioning Feedback Loop (FBL), other than the obvious compliance issue, deliverability will continually drop.

cf. https://en.m.wikipedia.org/wiki/Feedbackloop_(email)

I've tried their security team. No response there so far.
Your email has been routed to /dev/null,

------------------------------

Date: Sun, 16 Jun 2024 02:54:16 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: Retired engineer discovers 55-year-old bug in Lunar Lander computer game code (Ars Technica)

A physics simulation flaw in text-based 1969 computer game went unnoticed until today.

https://arstechnica.com/gaming/2024/06/retired-engineer-discovers-55-year-old-bug-in-lunar-lander-computer-game-code/

What next? Someone will find a bug in Adventure cave game?!

Great comments, including:

  That closes our bug list for 1969. Hopefully, it won't take more than a decade to wrap up 1970.

  [Gee, Whiz! It was a looner lender after all, and deserves to be recalled. PGN]

------------------------------

Date: Sun, 16 Jun 2024 10:06:24 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Google, Cloudflare & Cisco Will Poison DNS to Stop Piracy Block Circumvention (TorrentFreak)

A French court has ordered Google, Cloudflare, and Cisco to poison their DNS resolvers to prevent circumvention of blocking measures, targeting around 117 pirate sports streaming domains. The move is another anti-piracy escalation for broadcaster Canal+, which also has permission to completely deindex the sites from search engine results.

https://torrentfreak.com/google-cloudflare-cisco-will-poison-dns-to-stop-piracy-block-circumvention-240613/

------------------------------

Date: Thu, 13 Jun 2024 18:57:08 +0000
From: Henry Baker <hbak...@pipeline.com>
Subject: Wells Fargo Fires Over a Dozen for 'mouse jiggling'

Clearly Microsoft and Apple are wasting their time with ChatGPT -- a Turing Test-qualified AI-powered *mouse jiggler* is all the world really needs !

(One wonders if *mouse jiggling detection* is the *real reason* why Microsoft is so intent on rolling out the Windows 'Recall' privacy shitstorm ?)

An old joke from the Soviet era: "We pretend to work and they pretend to pay".
https://finance.yahoo.com/news/wells-fargo-fires-over-dozen-133711267.html

Wells Fargo Fires Over a Dozen for 'Simulation of Keyboard Activity'
Hannah Levitt
Thu, Jun 13, 2024, 6:37 AM PDT

(Bloomberg) -- Wells Fargo & Co. fired more than a dozen employees last month after investigating claims that they were faking work.

The staffers, all in the firm's wealth- and investment-management unit, were "discharged after review of allegations involving simulation of keyboard activity creating impression of active work," according to disclosures filed with the Financial Industry Regulatory Authority.

"Wells Fargo holds employees to the highest standards and does not tolerate unethical behavior," a company spokesperson said in a statement.

Devices and software to imitate employee activity, sometimes known as "mouse movers" or "mouse jigglers," took off during the pandemic-spurred work-from-home era, with people swapping tips for using them on social-media sites Reddit and TikTok. Such gadgets are available on Amazon.com for less than $20.

It's unclear from the Finra disclosures whether the employees Wells Fargo fired were allegedly faking active work from home. The finance industry was among the most aggressive in ordering workers back to the office as the pandemic waned, though Wells Fargo waited longer than rivals JPMorgan Chase & Co. and Goldman Sachs Group Inc.

San Francisco-based Wells Fargo started requiring employees to return to the office under a "hybrid flexible model" in early 2022. The bank now expects most staffers to be in the office at least three days a week, while members of management committee are in four days and many employees, such as branch workers, are in five days.

The nation's fourth-largest lender has sought to grow in wealth management under Chief Executive Officer Charlie Scharf and his deputy, Barry Sommers, who joined the firm in 2020.
The unit was hit particularly hard by a series of scandals that erupted in 2016, sending advisers fleeing by the thousands, taking lucrative clients with them.

The recent firings have echoes of another episode at Wells Fargo from 2018, when the firm investigated employees in its investment bank for alleged violations of its expense policy after they tried to get the company to pay for ineligible evening meals.

--With assistance from Noah Buhayar and Dean Halford.

------------------------------

Date: Thu, 13 Jun 2024 20:49:38 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Why Microsoft, Google, and others screw up

Part of the reason -- and a big part -- of why you see public-relations disasters like Microsoft Recall and Google AI Overviews is that these firms typically refuse to have employees on these teams who bring skill sets that include real world experiences that go beyond the technical.

It should have been obvious to execs at Microsoft and Google (and other firms) that trying to ram projects like these (and others, like poorly designed passkey implementations) down consumers' throats would trigger major blowback and embarrassment.

But either they just couldn't see the forest for the trees, or simply ignored the warning signs, treating the user community like a giant fungible planet of guinea pigs.

Either way, it's bad for them, and it's very, very bad for us. -L

  [Giant fun-giblet plants made with guinea-pig DNA are next with artificial genetics. PGN]

------------------------------

Date: Wed, 12 Jun 2024 09:20:22 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Re: Microsoft and Recall

  [See RISKS-34.27 and 34.30]

The fact that Microsoft felt that their screenshot spying "Recall" AI feature was safe to be enabled by default -- a position they have now reversed after massive criticism -- calls into question their entire security and privacy regimes -- which appear to have become rotten to the core.
Of course, they're not the only ones pushing aside privacy and security in the name of AI profits at the expense of their users. -L

------------------------------

Date: Mon, 10 Jun 2024 12:40:32 -0400
From: Cliff Kilby <cliffjki...@gmail.com>
Subject: Re: Tom Van Vleck (RISKS-34.30)

Mindful that I have little formal documentation for the specific failure modes, anecdotally failures seem to be correlated with:

* Compliance mandated changes for legacy systems.
* Insubstantial requirements.
* Unrequested feature implementations.
* Job validation exercises, aka "ooo, shiney".

Every time a significant issue has been found in a legacy system the Agile process has decayed to an IBM death-march project. The work must be institutional knowledge available to expedite. This is especially damning if the company has had sufficient time to complete multiple job validation exercises as noted below.

I've also had failures from the lack of concrete requirements. There is no way to determine if the project was successful if no one could say what the goal was. In one case, the entire threading library was to be rip-and-replaced with a serverless dispatcher. No one could elaborate on what the gain was to be. This may have also been an example of a job validation exercise.

Business product owners tend to be the driver for the class of unrequested feature changes. A client will hint that they are dissatisfied with some feature, and the product owner will start a change for that client seemingly unaware that similar functionality exists, or unknowing that if the new feature requires any client changes in either code or behavior that that client will not adopt the new feature as long as the current "broken" feature remains, which is almost guaranteed by the fact that no other client has requested a change.

The last class of failures is fun for the whole family (company). Most recently, this manifested as a desire to implement Node in a Java company.
Some developers managed to argue that since Java had become a version treadmill, the company should look to replacing some of the core application features with Node. The ops team had no practical experience with Node, so containers were also introduced to provide some kind of sandboxing for Node. Of course, there was no practical experience with containers either, so a rushed k8s deployment was performed. Now that k8s was available, the company rushed the other teams to start porting the Java codebase to containers. The final state of that system was a frankenmonster of unported Java, static Java containers, static Node containers and a hokey-pokey (left foot in, right foot out) Esxi/k8s/ec2/eks conglomeration. There was no success there, as there was no actual reason to implement anything, and the end result entirely overwhelmed the capacity of the operations team to manage any of the existing or new software. The whole team quit en-masse.

I think mostly the article just goes to document that "Agile(tm)" isn't. But then every agile team I've worked with seemed to already understand that.

------------------------------

Date: Fri, 14 Jun 2024 09:26:10 -0700
From: geoff goodfellow <ge...@iconia.com>
Subject: Quote of The Day (Edward Snowden)

*"They've gone full mask-off: AB trust OpenAI or its products (ChatGPT etc). There is only one reason for appointing an @NSAGov Director to your board. This is a willful, calculated betrayal of the rights of every person on Earth. You have been warned."*

https://x.com/Snowden/status/1801610725229498403

------------------------------

Date: Fri, 14 Jun 2024 09:34:46 -0700
From: geoff goodfellow <ge...@iconia.com>
Subject: Re: Quote of The Day (Edward Snowden)

*Dr. James Joyce*:

*"As the person who wrote the foundational patent for all these AI engines, I can say without any doubt that you are correct.
OpenAI engines have hard logical locks on thresholds that will not allow them to learn anything [they] don't want the engines to learn. Their initial training data sets are rife with hard-left ideology, and they WILL mislead anyone who puts their trust in them."*

https://x.com/drjamesbjoyce/status/1801614167360623085

------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: risks-requ...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.

=> SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.

=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public!

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) has moved to the ftp.sri.com site: <risksinfo.html>.
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's delightfully searchable html archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
   Also, ftp://ftp.sri.com/risks for the current volume/previous directories
   or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
   If none of those work for you, the most recent issue is always at
   http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
   ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.
     Try browsing on the keywords in the subject line or cited article leads.
     Apologies for what Office365 and SafeLinks may have done to URLs.

==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 34.31
************************