precedence: bulk Subject: Risks Digest 21.35 RISKS-LIST: Risks-Forum Digest Monday 23 April 2001 Volume 21 : Issue 35 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks . Contents: Reliance on Automation "Top Risk" (Peter B. Ladkin) Kew Public Records Office data input problem (Pete Mellor) Never rely entirely on technology... (Peter Houppermans) You've Got Mail ... From The Admissions Office! (David Tarabar) Server 54, Where Are You? (Jack Burke) Hi-tech toilet swallows woman (Gareth Randell) Denial of Tax Service (Rebecca Mercuri) E-mail address ID theft (A.E. Brain) Sabotaged phone lines + stolen credit cards = safety in theft (Simon Carter) Security flaw found in Alcatel's high-speed modems (Monty Solomon) Alcatel admits more than they meant to (Mike Bristow) Web-enabled air conditioners (Alpha Lau) Risks of sorting time alphabetically (Marcos H. Woehrmann) Using Palm VII's to give traffic tickets (Ian Jordan) More on UCITA (Warren Pearce) Re: Aasta Train Crash (Magne Mandt, Merlyn Kline) Re: Risks of Hidden highway robbery ... (Will Fletcher) Viewers lament incredible shrinking Ultimate TV (Monty Solomon) Do prescription records stay private when pharmacy stores are sold? (Monty Solomon) New flashlight sees through doors as well as windows (Monty Solomon) Windows patchwork (Jay Levitt) REVIEW: "Securing Windows NT/2000 Servers for the Internet", Norberg (Rob Slade) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Tue, 17 Apr 2001 11:52:59 +0200 From: "Peter B. Ladkin" Subject: Reliance on Automation "Top Risk" David Learmount, reporting from the Flight Safety Foundation's European Aviation Safety Seminar, held in March in Amsterdam, says in *Flight International* (20-26 Mar, 2001, p17) that the European Joint Aviation Authorities' Future Aviation Safety Team has identified "crew reliance on cockpit automation" as the top potential safety risk in future aircraft. PBL ------------------------------ Date: Mon, 9 Apr 2001 11:50:40 +0100 (BST) From: Pete Mellor Subject: Kew Public Records Office data input problem >From Private Eye 6-19th April 2001, p6: Managers at the Public Records Office in Kew have devised a clever money-saving idea: they are using prisoners in British jails to input on to computer the information from the 1901 census. The prisoners' work has been checked, however, and they have been found to be rewriting history. All references to prison wardens in 1901 have been changed to "bastards". Officials are now using cheap labour in India to correct the errors. Peter Mellor, Centre for Software Reliability, City University, London EC1V 0HB +44 (0)20 7477 8422 Pete Mellor [And of course no one in India still remembers the British. PGN] ------------------------------ Date: Wed, 18 Apr 2001 15:36:29 +0100 From: Peter Houppermans Subject: Never rely entirely on technology... The RISK here is that there appeared to be no inside escape override for the door: taking protection against vandalism to new heights. http://www.theregister.co.uk/content/28/18312.html Interesting related fact: in the UK, all lift escape hatches are welded shut (i.e., don't exist anymore in a usable fashion), I vaguely remember that this was to prevent kids in estate buildings getting themselves in danger in the elevator shaft (which happened frequently). The fact that this thus prevents any escape in case of emergency appears to have made insufficient impact on the decision. Peter Houppermans ------------------------------ Date: Mon, 9 Apr 2001 16:08:03 -0400 From: David Tarabar Subject: You've Got Mail ... From The Admissions Office! For college-bound seniors, it is a ritual of spring to eagerly await the daily mail delivery - looking for a thick or thin envelope which will notify them of college acceptance or rejection. But for the 94% of applicants to Tufts University, who provided an address, notification of acceptance AND rejection came via an e-mail this year. Tufts follows up with a physical mailing - and thus will reject people twice! [Boston Globe. 06-APR-2001. "For some, bad news traveling faster"] Tufts started email notifications several years ago to students in foreign countries. Two years ago it started e-mail notifications to applicants on the West Coast. (Tufts is in Medford, MA) This year it is almost everyone. The story notes that several colleges have password-protected web sites where an applicant can look up their admissions status. Risks 1) This seems impersonal for those who are accepted. It would be interesting to find out if this type of notification changed the percentage who choose to enroll at Tufts. And it is adding to insult to injury to reject an applicant twice. Tufts must get some very interesting e-mail replies. 2) Not all high school seniors have private email accounts, they are often shared with family members or friends. Thus the wrong person might get the message. 3) Could these e-mails be mistaken for spam? I must get a half dozen offers of University Diplomas each week. 4) Hacking! I shudder to think what could happen if there was a dedicated hacking attack that sent out forged admission e-mails. ------------------------------ Date: Sat, 14 Apr 2001 08:45:43 -0400 From: Jack Burke Subject: Server 54, Where Are You? My mind boggles. The University of North Carolina has finally found a network server that, although missing for four years, hasn't missed a packet in all that time. Try as they might, university administrators couldn't find the server. Working with Novell Inc., IT workers tracked it down by meticulously following cable until they literally ran into a wall. The server had been mistakenly sealed behind drywall by maintenance workers. Source: TechWeb News, 04/09/01: http://www.techweb.com/wire/story/TWB20010409S0012 This sounds like a novel way -- pun intended -- to physically secure a server. I suppose if you absolutely can't do without a floppy drive, etc., per the Orange book, this might be an acceptable alternative to help meet C2 specifications. [Except that electronically, it is C-Through rather than C-2. [Also noted by Mike Hogsett. PGN] ------------------------------ Date: Tue, 17 Apr 2001 16:45:30 +0100 From: Gareth Randell Subject: Hi-tech toilet swallows woman [Source: Article by Lester Haines, 17 Apr 2001, via Brian Randell http://www.theregister.co.uk/content/28/18312.html] A 51-year-old woman was subjected to a harrowing two-hour ordeal [on 16 Apr 2001] when she was imprisoned in a hi-tech public convenience. Maureen Shotton, from Whitley Bay, was captured by the maverick cyberloo during a shopping trip to Newcastle-upon-Tyne. The toilet, which boasts state-of-the-art electronic auto-flush and door sensors, steadfastly refused to release Maureen, and further resisted attempts by passers-by to force the door. Maureen was finally liberated when the fire brigade ripped the roof off the cantankerous crapper. Maureen's terrifying experience confirms that it is a short step from belligerent bogs to Terminator-style cyborgs hunting down and exterminating mankind. ------------------------------ Date: Wed, 18 Apr 2001 14:54:12 -0400 (EDT) From: Rebecca Mercuri Subject: Denial of Tax Service KYW News Radio in Philadelphia reported on 17 Apr 2001 that there had been a problem when tax procrastinators attempted to file their Pennsylvania State returns just before the midnight Monday deadline. Apparently in the last few hours, users received an error message from the filing Web site, and they were unable to complete their transaction. Because of this, the state decided to give ALL late filers an extension through 18 Apr. Officials were quoted as saying that "a glitch on the Web server" was the cause of the problem (whatever that means). This brings to mind the possibility of denial-of-service attacks on the infrastructure being a way to avoid paying taxes (short term, anyway). Rebecca Mercuri [Life, death, and taxes are not the only sure things. But perhaps *electronic* files could provide a new way to get out of jail. PGN] ------------------------------ Date: Mon, 9 Apr 101 11:05:41 GMT From: aebrain@dynamite.com.au Subject: E-mail address ID theft RISK: The simplest ID theft is that of an e-mail address. I use e-mail quite a lot for business purposes, and also make regular contributions to a lot of newsgroups. I've been on the net for a decade, so am on a zillion and one "40 million e-mail addresses for just $5" lists - thank god for filters. But on Sunday some insufferable person or organisation forged my e-mail address as the sender of some X-rated Spam. This has caused me lost business, a little personal embarrassment, and a mailbox rapidly filling up with bounces from nonexistent addresses. I'm expecting DOS counter-attacks from clueless newbies. There's not a lot that can be done to stop someone from doing this. But the risk is that I might not be able to do anything about it in the way of compensation. NeoTrace has given me plenty of clues to the perpetrators, but only by tracing the site that was advertised in the email. Proving it is another matter, and they may have no assets anyway. A.E.Brain ------------------------------ Date: Sun, 15 Apr 2001 16:41:32 +0000 From: Simon Carter Subject: Sabotaged phone lines + stolen credit cards = safety in theft Sabotaged phone lines and stolen credit cards allowed thieves to safely rob a Sydney shopping centre. "The thieves first sabotaged the telecommunication network in late February. They entered the pits via street-level manholes and severed all the lines leading to shopping centre businesses. With all on-line transaction systems down, shopkeepers processed transactions manually and the thieves used stolen credit cards to buy goods and withdraw cash. Bills are still coming in from the spree." Full story at http://www.smh.com.au/news/0104/15/text/national12.html Simon Carter ------------------------------ Date: Wed, 11 Apr 2001 17:06:38 -0400 From: Monty Solomon Subject: Security flaw found in Alcatel's high-speed modems Security flaw found in Alcatel's high-speed modems, By Tim Nott It's a security flaw. No, it's a spy. No, it doesn't exist at all. Tsutomu Shimomura, better known for his contribution to, and book about, the arrest of hacker Kevin Mitnick claims to have found a "trapdoor" in Alcatel ADSL modems. On Monday evening, Liberation reported, Shimomura and San Diego Supercomputer Centre colleague Thomas Perrine reported their findings to the Computer Emergency Response Team. The point, continued Liberation, is simple. Anyone can penetrate a computer system linked to the Internet by Alcatel 1000 ADSL and Speed Touch Home modems. http://www.thestandardeurope.com/article/display/0,1151,16251,00.html ------------------------------ Date: Tue, 17 Apr 2001 16:47:45 +0100 From: Mike Bristow Subject: Alcatel admits more than they meant to Recently, Alcatel has come under fire for security problems with some of it's products (see [broken URL] for details) As a result, Alcatel has released a statement, as a Microsoft Word document, which they placed on their Web site. According to , it had all the document history present (I cannot confirm this, as they appear to have corrected the mistake), in which we see such gems as: > (When and where will the firewall software be available? CERT has > said that they don't believe that installing a firewall is the > answer. What are you doing to provide a legitimate fix?) The RISKS? Well, apart from looking like idiots, and revealing early drafts of statements that are "off message", and potentially drawing attention to errors of omission that you are conveniently brushing under the carpet... Mike Bristow, seebitwopie ------------------------------ Date: Mon, 9 Apr 2001 10:38:34 -0700 (PDT) From: =?iso-8859-1?q?Alpha=20Lau?= Subject: Web-enabled air conditioners Not bad! :) Imagine the malicious freezer viruses! IBM and Carrier, an air-conditioning manufacturer, said they plan to offer Web-enabled air conditioners in Europe this summer that can be controlled wirelessly. Financial terms of the collaboration were not disclosed. Owners of the newfangled air conditioners will be able to set temperatures or switch the units on or off wirelessly using a website called Myappliance.com. http://www.wired.com/news/business/0,1367,42918,00.html From their press release (http://myappliance.com/myapp/press.htm): Unit performance and maintenance information over time can be gathered and recorded. ... In the opposite direction it is envisaged that Carrier dealers or engineers will be given 'service access' to check the system without the need for a PC connection. In the extreme case, someone with the correct hardware could check the aircond logs to see the typical times the aircond is off, i.e., when no one is home! Alpha ------------------------------ Date: Tue, 10 Apr 2001 14:56:38 -0400 (EDT) From: Subject: Risks of sorting time alphabetically I found a sorting error on Northwest Airlines web site (nwa.com) that I had not seen before, but am surprised is not more common. If you ask for a list of flights between two cities it returns the results sorted by departure time of the outbound flight. For example, from San Francisco (SFO) to Minneapolis (MSP) (return flight and other non-relevant data discarded): Departs Arrives Flight Number 6:25am 12:04pm NW928 7:50am 1:28pm NW344 10:15am 3:47pm NW350 11:30am 5:16pm NW588 12:40am 6:09am NW360 3:25pm 9:01pm NW354 5:00pm 10:31pm NW358 The risk? Assuming that because 11:30am is later than 10:15 am it follows that 12:40am is later than 11:30am. Another good reason to drop AM/PM in favor of a 24 hour clock (particularly if you call midnight 0.00 and not 24.00). Marcos H. Woehrmann | marcos@panix.com | http://members.home.com/marcos ------------------------------ Date: Fri, 6 Apr 2001 14:05:26 -0700 From: "Ian Jordan" Subject: Using Palm VII's to give traffic tickets The Seattle news played a story on a local police force that is now using Palm VII's to give traffic tickets. Apparently, officers can look up information on vehicles and people via the wireless interface from this Palm. The obvious risk comes from the publicly based network that the Palm relies on, namely the CDPD network. Just imagine someone getting a ticket, and wanting to cover it up. If they broke into the system, they could start issuing tickets to every car on the road. How would anyone know what tickets were valid? Simpler security risks also are involved, such as just monitoring the communications and seeing what people are accused of, or even looking for addresses that are transmitted- if someone is getting pulled over, they're probably not home. As a side note, I wonder how you get your court summons, since this procedure removes paper tickets. It would also appear to eliminate the officer's signature, making for a dubious case, since there is no official document indicating the charge against you. The full story is linked at: http://www.king5.com/biztech/storydetail.html?StoryID=17028 ------------------------------ Date: Wed, 18 Apr 2001 11:50:49 -0600 From: "Pearce, Warren, CTR" Subject: More on UCITA Ed Foster's Gripeline column in the current issue of *InfoWorld* (www.infoworld.com) raises another interesting security related issue. The column starts with: Microsoft recently prevented an independent lab from publishing benchmark results, using a term in the SQL Server license that says the user "may not disclose the results of any benchmark test without Microsoft's prior written approval" to threaten the lab with legal action. It's not my intent to focus on Microsoft as this is an element of UCITA. In prior columns, Ed included a similar comment from Network Associates. Consider a security related "benchmark test" that reveals a vulnerability. The vendor's permission will be required to "disclose the results" of the test. What does this do to the entire CERT process? ------------------------------ Date: Tue, 3 Apr 2001 08:10:56 +0200 From: "Mandt, Magne" Subject: Re: Aasta Train Crash There is one very important point that has been forgotten in the latest postings about the fatal Aasta train crash: The railways deliberately introduced a single point of failure system some months prior to the accident. The old operating procedure was that both the train driver and the ticket taker (conductor) had to verify that the signal was green before the train left the station. Under the new procedure, introduced some months before the crash, only the driver had to check the signal. The line where the crash occurred does not have an automatic train stop system that stops trains that are headed towards each other on the same track, so the drivers observation of the signal is the final barrier against a crash. Magne Mandt ------------------------------ Date: Tue, 3 Apr 2001 11:14:11 +0100 From: "Merlyn Kline" Subject: Re: Aasta train crash (Smorgrav, RISKS-21.32) Am I missing something here or is all this beside the point? Using mobile 'phones as a safety-critical means of communication entails so many risks I hardly know where to start: The network coverage is patchy at best and hardly at its best when used in a train; the handset batteries have short lives and are liable to fail; the handsets are easily lost or damaged; handsets are typically unsuitable for noisy environments; communication is dependent on a network outside the control of the train company; even if you get network coverage, cell capacity is limited; the list just goes on and on. Some of these risks can be addressed but some simply cannot. Surely this can't be right? Merlyn Kline ------------------------------ Date: Thu, 19 Apr 2001 20:37:15 -0500 From: "Will Fletcher" Subject: Re: Risks of Hidden highway robbery ... (RISKS-21.32) In RISKS-21.32 it was noted that Microsoft was being particularly heavy-handed with the end-user agreement and the rights to intellectual property transmitted over their.NET or Hailstorm passport service. Wanting to see the fine print for myself I downloaded the agreement at http://www.passport.com/Consumer/TermsOfUse.asp. Yes, it does say that Microsoft reserves the right to take advantage of any intellectual property. However, it would appear that the intent of the agreement is allow Microsoft the rights to any intellectual property submitted to them concerning the service, not intellectual property transmitted over the service. Towards the end of the section in question the following appears: This section also is inapplicable to any documents, information, or other data that you upload,transmit or otherwise submit to or through any Passport-Enabled Properties. Please refer to the terms and conditions for such Passport-Enabled Properties to determine the rights of the web site or service provider to such documents, information and/or data. The first sentence would seem to limit the rights of Microsoft with respect to misappropriating intellectual property transmitted via these services. But, then again the second sentence might lead one to be suspicious about how such rights are determined. Perhaps the real risk is not being able to read all of the fine print, since it is not clear where one would go to find these additional "terms and conditions for such Passport-Enabled Properties". Will Fletcher ------------------------------ Date: Wed, 18 Apr 2001 01:40:16 -0400 From: Monty Solomon Subject: Viewers lament incredible shrinking Ultimate TV UltimateTV shrinks from the spotlight A software bug is inadvertently shrinking hard-drive storage space on set-top boxes for UltimateTV, the new interactive TV service from Microsoft. The bug reduces how many hours of programming people can record onto the hard drive of UltimateTV set-top boxes. Customers began reporting the problem on Web forums earlier this month. http://www.zdnet.com/zdnn/stories/news/0,4586,5081102,00.html ------------------------------ Date: Wed, 11 Apr 2001 17:02:53 -0400 From: Monty Solomon Subject: Do prescription records stay private when pharmacy stores are sold? Do prescription records stay private when pharmacy stores are sold? The issue caught the attention of the Clinton administration By Milo Geyelin THE WALL STREET JOURNAL April 11 - A novel lawsuit over the privacy of prescription records at a former neighborhood drug store could complicate the way pharmacy chains buy up their competitors. The suit challenges the common but little-known practice of "file buying," in which chains purchase customer prescription files from pharmacies they acquire and add them to their own. http://www.msnbc.com/news/557734.asp ------------------------------ Date: Wed, 18 Apr 2001 01:30:46 -0400 From: Monty Solomon Subject: New flashlight sees through doors as well as windows Police officers serving a warrant or searching for a suspect hiding inside a building could soon have a new tool for protecting themselves and finding the "bad guy." A prototype device called the RADAR Flashlight, developed at the Georgia Tech Research Institute (GTRI), can detect a human's presence through doors and walls up to 8 inches thick. The device uses a narrow 16-degree radar beam and specialized signal processor to discern respiration and/or movement up to three meters behind a wall. The device can penetrate even heavy clothing to detect respiration and movements of as little as a few millimeters. http://unisci.com/stories/20012/0416015.htm ------------------------------ Date: Tue, 10 Apr 2001 22:09:50 -0400 From: "Jay Levitt" Subject: Windows patchwork A recent *Wired* news article detailed problems that Microsoft had with an Internet Explorer security patch: In some cases the patch would wrongly display "This update does not need to be installed on this system." Although I hadn't seen such a message, I double-checked that the patch was properly installed - and it wasn't. After digging further, I was surprised at the reason why. Microsoft maintains a "Windows Update" site, which automatically scans your Windows installation (locally), compares it with a list of known patches, and lists any missing updates. Further, they have a "Critical Update Notification" tool that runs in the background and automatically alerts the user when any "critical" patches are added to Windows Update. I run the notification tool, and I check Windows Update often, so I expected my system to be quite current. Documentation for the notification tool says: "Download this component and never miss a Critical Update again. Whenever a new Critical Fix is released, you will be notified... Critical Update Notification is the best way to keep your computer up-to-date and protected from potential security issues affecting Microsoft Windows." As it turns out, although Microsoft puts many of its IE security patches on Windows Update, four critical patches this year were not included there, and thus are not detected by the notification tool. Users must go to a separate IE Security site to download these patches - a site that is not promoted or even mentioned by the Windows Update site or other customer service pages. I first learned of it from the *Wired* article. Risks: - Maintaining two separate patch repositories - Promoting a site as the way to "never miss" security patches, but failing to add all security patches there - Trusting Microsoft to help keep my computer up-to-date Jay Levitt ------------------------------ Date: Mon, 16 Apr 2001 08:48:21 -0800 From: "Rob Slade, doting grandpa of Ryan and Trevor" Subject: REVIEW: "Securing Windows NT/2000 Servers for the Internet", Norberg BKSWN2SI.RVW 20010320 "Securing Windows NT/2000 Servers for the Internet", Stefan Norberg, 2001, 1-56592-768-0, U$29.95/C$43.95 %A Stefan Norberg stefan@norberg.org http://people.hp.se/stnor %C 103 Morris Street, Suite A, Sebastopol, CA 95472 %D 2001 %G 1-56592-768-0 %I O'Reilly & Associates, Inc. %O U$29.95/C$43.95 800-998-9938 fax: 707-829-0104 nuts@ora.com %P 199 p. %T "Securing Windows NT/2000 Servers for the Internet" This book is based on the paper "Building a Windows NT bastion host in practice," which is available on the author's Web site. The title of the essay is much more accurate than the title of the text. The work is concerned strictly with bastion hosts, and does not address, in more than a nominal way, considerations of applications that are necessarily part of any Internet server. Chapter one takes a brief, scattered, and not very clear look at a number of issues related to Windows and/or security. This disregard for background information extends into chapter two. Having presented an extensive list of services to turn off, Norberg tells us that "[you now] understand the purpose of all active software components on the host." The irony of this bald assertion stems from the fact that there has been little discussion of why these services are to be turned off, and what you lose along the way. (Further, for those new to Windows NT or 2000, there is no indication of how to accomplish the task of reduction.) Once we get into more advanced tuning there is slightly more information, but not much. The material on the differences in Win2K, contained in chapter three, does present a bit more detail on how to accomplish the restrictions. Chapter four describes a number of software tools that will encrypt sessions to be used for remote administration, but does not deal with system management itself. The standard advice you always read about backups ("make one") is repeated in chapter five. Chapter six reviews auditing and logging, with, for some unknown reason, four times as much space devoted to network time synchronization as to intrusion detection. "Maintaining Your Perimeter Network" is the title of chapter seven, but it seems to be a return to the same kind of catch-all discussion that started the book. In the Preface, Norberg does state that the book is not intended as a primer for security, or even for Windows security. The text is written as a kind of a checklist for those thoroughly familiar with NT or 2K. There is, of course, nothing wrong with such an approach, and those in the target audience will appreciate the brevity of this concise guide. The approach does, however, severely limit the utility of the work. Chapter two (and three, if you are using Win2K) is the heart of the book, and the rest seems to be an attempt to expand the text to more than pamphlet length. copyright Robert M. Slade, 2001 BKSWN2SI.RVW 20010320 rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade ------------------------------ Date: 12 Feb 2001 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) which now requires confirmation to majordomo@CSL.sri.com (not to risks-owner) [with option of E-mail address if not the same as FROM: on the same line, which requires PGN's intervention -- to block spamming subscriptions, etc.] or INFO [for unabridged version of RISKS information] .MIL users should contact (Dennis Rears). .UK users should contact . => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 20" for volume 20] http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. Lindsay Marshall has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r http://the.wiretapped.net/security/info/textfiles/risks-digest/ . http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/ ==> PGN's comprehensive historical Illustrative Risks summary of one liners: http://www.csl.sri.com/illustrative.html for browsing, http://www.csl.sri.com/illustrative.pdf or .ps for printing ------------------------------ End of RISKS-FORUM Digest 21.35 ************************