precedence: bulk Subject: Risks Digest 21.60 RISKS-LIST: Risks-Forum Digest Friday 17 August 2001 Volume 21 : Issue 60 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks . Contents: Heart-device recalls (PGN) Runway incursions (Andres Zellweger) Cingular wireless goes down in heat wave (PGN) Swisscom Mobile breaks down for 10 hours (Andre Oppermann) Marines face charges in Osprey records falsifications (PGN) Woman stalked by Michigan cop via police databases is murdered (Declan McCullagh) Video crypto standard cracked? (Monty Solomon) Free hotel reservations canceled (Steve Bellovin) Interstate car tags to be photographed and tracked (Steve Holzworth) Hacked caller ID? (Andrew Hilborne) Risks of letting MS not-so-Hotmail do your junk filtering... (Michael Loftis) GPS-guide in car going nuts? (Martin Schulze) The risks of not verifying e-mail addresses (Doug Winter) Re: Mixing advertising and credit-card activation (Sam Garst, Joel Garry) REVIEW: "The Internet Security Guidebook", Juanita Ellis/Timothy Speed (Rob Slade) Dependability and "Open Source" development (Cliff Jones) CFP2002: Call for Proposals (Lance J. Hoffman) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Thu, 16 Aug 2001 9:35:51 PDT From: "Peter G. Neumann" Subject: Heart-device recalls A study from Brigham and Women's Hospital in Boston in the JAMA reports that, over the ten-year period ending Dec 2000, 42 recalls and 10 safety alerts were issued for pacemakers and implantable cardioverter defibrillators (ICDs, as In Cheney, Dick) involving more than 520,000 devices. Over 600,000 Americans have pacemakers and 150,000 have ICDs, so that represents a remarkably high percentage. However, only a small fraction of the recalled devices were actually defective. If recall recommendations were followed, the study estimates that 36,000 devices would have been replaced. Only a few deaths were attributed to malfunctions. Advisories are increasing, but that is attributed to increased manufacturer vigilance and richer information output by the devices. [Source: article by Kenneth Chang, *The New York Times*, 15 Aug 2001, Natl. Edition A12; PGN-ed] ------------------------------ Date: Wed, 15 Aug 2001 10:54:24 -0400 From: Andres Zellweger Subject: Runway incursions A 14 Aug 2001 Reuters item, New glitch for US system to avoid runway collisions, talks about more delays in the long promised FAA Runway Incursion System -- due to ``excessive false alarms''. This raises an interesting dilemma for designer of such safety systems. The state of the art in runway incursion systems is not good enough to detect all potential incursions without a relatively high level of false alarms. One could tune the system to have false alarms at an ``operationally acceptable'' level, but the likelihood of missing some potential incursions increases. Critics argue that one should not be implemented a system that misses some potential incursions because air traffic controllers would become dependent on the system instead of using it a safety net. Therefore, they argue, there might be more incursions than if controllers were doing their job properly without the system in place. Others (and I fall in this camp) think that, with proper training, controllers will not be lulled into a false sense of security, and safety can be increased when a safety net that is not perfect is present. I don't think that any air traffic controller takes his/her job of separating aircraft less seriously because of TCAS! Andres G. Zellweger, PhD, NASA code R, 300 E St, SW, Washington, DC 20546-0001 1-202.358.0544 azellweg@hq.nasa.gov [The chairman of the relevant House subcommittee on aviation suggested that the FAA should take the time to get it right. (The program is already six years behind schedule.) Runway safety is an increasing with more near misses, including one at Dallas in May 2001. LAX and O'Hare each had five near misses from 1997 to 2000. PGN-ed] [This morning's news reports noted a new runway crossing near-miss, preliminarily blamed on air-traffic control. PGN] ------------------------------ Date: Fri, 10 Aug 2001 14:17:48 PDT From: "Peter G. Neumann" Subject: Cingular wireless goes down in heat wave A little reverse Rube Goldberg: The heat wave in the DC area caused a power outage, the backup batteries failed, and the automatic system that should have cut over to the backup generator also failed, resulting in disruption of cell-phone service to 301- and 202-area Cingular Wireless customers. The failure of a single switch that was supposed to transfer from batteries to generator power (which was designed to operate autonomously for at least a month) was apparently the ultimately limiting factor. But the generator ran fine! [Source: Associated Press article by Derrill Holly, AP 10 Aug 2001; PGN-ed] ------------------------------ Date: Sun, 12 Aug 2001 13:03:15 +0200 From: Andre Oppermann Subject: Swisscom Mobile breaks down for 10 hours On Friday, July 27th 2001, the whole Swisscom Mobile GSM network, serving 3.3 million customers (70% market share in Switzerland), broke down for 10 hours from approx. 12:30 until 22:30 GMT+0200. Two independent software errors in the primary and backup network signaling processors (the SS7 network) caused a halt for the processing of all signaling in a GSM network. This includes call setup, call receiving, SMS (short message service), logging onto network and basically everything else. The central GSM systems (HLR, VLR, NMC and so on) stayed up but were unable to communicate with the base stations in the field. The primary system suffered a complete failure (software error) and as designed the backup system took over. While it was working fine first the backup system got loaded more and more, judging from the description something like a missing free() call, and eventually broke down too half an hour later. The newspaper "Le Monde" was reporting insider information last week saying that these signaling processors are made by Alcatel and that Alcatel found out about the software errors two weeks before (and probably also had a fix) but "forgot" to inform Swisscom Mobile about it. Alcatel is now facing a Swiss Franc 30 million liability case. This is the loss Swisscom Mobile has because of lost revenues, not including public image damages. In one thing I have respect for Swisscom; They did a pretty good job with public relations and informed the media and public very openly about their technical problem(s). Now, two weeks later, Swisscom Mobile also issued a, thought written for the non technician but pretty detailed, press release of the cause and events of this network failure. Although one funny thing happened; The press release in German is the original one and while translating into English they forgot one just one word but it makes a somewhat significant difference. In the German version it reads "Technical systems do *not* guarantee 100% availability [but we do our best to get 99.95%]. In the English version it reads "Technical systems guarantee 100% availability [but we do our best to get 99.95%]". But see yourself: http://www.swisscom.com/gd/information/press_releases/2001/ natel_disruption-de.html in German http://www.swisscom.com/gd/information/press_releases/2001/ natel_disruption-en.html in English Andre Oppermann ------------------------------ Date: Fri, 10 Aug 2001 13:09:55 PDT From: "Peter G. Neumann" Subject: Marines face charges in Osprey records falsifications Eight Marine Corp officers have been charged with misconduct with the alleged falsification of MV-22 Osprey tilt-rotor maintenance records. [http://www.washingtonpost.com/wp-dyn/articles/A59345-2001Aug10.html] [See RISKS-21.14,21,24,31,33,36,38,41 for Osprey problems.] ------------------------------ Date: Fri, 10 Aug 2001 10:35:36 -0400 From: Declan McCullagh Subject: Woman stalked by Michigan cop via police databases is murdered A Michigan State Police detective whose estranged wife was shot dead at the Potter Park Zoo admitted using police databases such as the Law Enforcement Information Network (LEIN) to check on his wife and her acquaintances before her fatal shooting. [Source: *Free Press*, 8 Aug 2001; PGN-ed http://www.freep.com/news/mich/lein8_20010808.htm] ------------------------------ Date: Wed, 15 Aug 2001 01:17:48 -0400 From: Monty Solomon Subject: Video crypto standard cracked? Noted cryptographer Niels Ferguson says he's broken Intel's vaunted High-bandwidth Digital Content Protection (HDCP) Digital Video Encryption System, but fear of U.S. law is keeping him silent on the details. HDCP connects digital cameras, high-definition televisions, cable boxes, and video disks players. [Source: Article by Ann Harrison, 13 Aug 2001, PGN-ed; http://www.securityfocus.com/news/236] [Intel has not threatened him, but he can still be sued by the U.S. Govt under DMCA, or by the motion-picture industry. His comments are at http://www.macfergus.com/niels/dmca/index.html Knowledge that it is (or might be) breakable is likely to result in other folks doing it, and perhaps posting it anonymously in some non-US Web site. The globalization of the Internet is clearly going to be an increasingly difficult problem for industries trying to defend information supposedly protected under flawed standards. PGN] ------------------------------ Date: Tue, 14 Aug 2001 11:56:40 -0400 From: Steve Bellovin Subject: Free hotel reservations canceled We have here a story of sequential bugs, or at least odd behavior. Last March, someone entered a rate of $0 per night for the Mexico City Airport Hilton into an online reservation system. A number of users of the Travelocity web site saw it and reserved rooms. Hilton eventually agreed to honor that rate for one night, and let travelers stay additional nights at "the lowest available rate". But the story has gotten stranger. According to today's Wall Street Journal, at least two people who made such reservations via Travelocity have found that their reservations have been canceled without their knowledge. Hilton and Travelocity deny any knowledge of what happened. Both cancellations were via telephone calls to Travelocity, made within minutes of each other. Steve Bellovin, http://www.research.att.com/~smb ------------------------------ Date: Thu, 9 Aug 2001 19:00:48 -0400 From: Steve Holzworth Subject: Interstate car tags to be photographed and tracked >From WRAL.com (excerpted): http://www.wral.com/news/910501/index.html [Charlotte, NC] ... The cameras will be used to photograph the license tags of some 400,000 vehicles so researchers can analyze freeway travel and predict future air-pollution levels and highway needs. The 43 cameras will photograph and track every car that passes on stretches of U.S. 74, and Interstates 77 and 85 during a 12-hour period on Tuesday. ... North Carolina highway officials say the photos will be destroyed within 90 days to protect the drivers. [Suuure they will - SCH] Steve Holzworth, Senior Systems Developer sch@unx.sas.com SAS Institute - Open Systems R&D VMS/MAC/UNIX Cary, N.C. [Interesting possibility if the numbers and letters can be read, but the state identification cannot -- in which case Steve in NC might get a ticket based on someone's Alaska licence plate. PGN] ------------------------------ Date: 09 Aug 2001 18:09:52 +0100 From: Andrew Hilborne Subject: Hacked caller ID? Two-and-a-half years ago I received an unexpected telephone call at about 2230 on my British Telecom phone. The caller was adamant that I had called him at about 2020 the same night, from my phone -- he had used "1471" when he arrived home himself, to access the CLID of the last call to his number. But I had been out of the house until 2200, and the house had been empty. It took some effort to persuade my unknown caller that I hadn't called him earlier that evening. So the following day I asked on the BT fault reporting line how this could have happened. I was told that this sort of thing happens quite often. I may well have been in trouble if a crime had been committed at the other house that night. BT don't advertise this failure mode at all. Andrew Hilborne ------------------------------ Date: Fri, 10 Aug 2001 09:01:38 -0700 From: Michael Loftis Subject: Risks of letting MS not-so-Hotmail do your junk filtering... I see that Hotmail has junk/spam filter, I get a fair amount of SPAM in my hotmail account so I figure I'll give this a try. It doesn't block anything that is spam, in fact the only thing it did block in the "Low" setting was mailings from SPEAKEASY my ISP, even after I told it that I *wanted* those! It's a good thing I noticed, they send bills via e-mail too. I mean really! I got 3-4 pices of spam through the filter (even after saying one of htem was spam earlier) and 5-6 pieces of mail from Speakeasy went into the Junk folder with the filter, I turned it off. The RISK is two-fold, blocking very obvious non-bulk mailings via a mechanism that isn't obvious, and then telling the user that they can ask that mechanism to be circumvented in special cases but not implementing it!! Imagine if I had not looked into the Junk Mail folder? How much other legitimate e-mail would go into there, keep in mind this was the "Low" setting. Michael Loftis ------------------------------ Date: Wed, 8 Aug 2001 18:09:33 +0200 From: Martin Schulze Subject: GPS-guide in car going nuts? Modern cars may contain GPS systems to guide the driver to unknown destination locations he would otherwise have to use a map for. We went out with three cars, of which two were sold with such a GPS system, ours wasn't, but we were driving in the city I know best. Both cars with GPS system didn't know that city well enough to reach the destination location without a map (or GPS system). After lunch at a restaurant at a distant edge of the city we went back to the house. Right after leaving the restaurant the three cars diverted, used different paths. Our car (w/o GPS) and one other car arrived at the house early. We were wondering where the third car had gone. Finally, some 10 minutes later, they arrived as well. What was the reason? Too much trust and depending on modern computer thingies. The location was stored in the GPS system. In order to reuse the location it was stored by using letters, but unfortunately the display wasn't very wide. When storing the name of the city and some random string the system cut off some parts: Wilhelmshaven Hotel Wilhelmshaven House Wilhelmshaven Restaurant `-----------' Display So when re-selecting the destination after lunch the driver had to make the choice which of the three similar looking locations is the proper one. He had selected the wrong one so the GPS system guided him to the hotel instead of the house. This driver used the GPS system of a modern 'VW Passat', the other car was a 'Audi 100' which has a larger display for the GPS system, so the driver was guided to the correct address. [Joey says "Please always Cc to me when replying to me on the lists." That is always a good policy. PGN] ------------------------------ Date: Thu, 9 Aug 2001 18:21:08 +0100 From: Doug Winter Subject: The risks of not verifying e-mail addresses A colleague of mine recently received the following e-mail, apropos nothing: > Date: Wed, 8 Aug 2001 16:41:07 +0530 > From: HDFC Bank Support > To: [name elided] <[address elided]> > Subject: " Welcome to HDFC Bank. " > > This is an auto-generated mail. Please do not reply to it. > Dear Customer, > Thank you for opening an account with us. > We have received your account opening form and opened an account as > per the details mentioned below. > You can now access all your accounts from any of our branches across > the country. To give you quick access to all your accounts with us, we > have generated a Customer Identification Number (Customer ID No.). All > your accounts are linked to this number, and you only need to quote > this number to our Personal Bankers or Tellers for any help you > may require. > Your Customer ID No. is [number elided]. > The Account details are: > Account Number: [number elided] > Primary Account Holder: [name elided] > The Welcome Letter is being sent to you separately by mail. [snip] They sent a real account name, account number and customer ID to a complete stranger on the basis of a new user's registration information, without first validating it in any way. The user in this case had /almost/ got his email address right - only the Top Level Domain was incorrect. On informing the bank of their error they claimed "The information we send across to across e mail is limited hence the possibility of misuse is not possible". The risks are obvious. Doug Winter, CTO, Business Europe, 3 Waterhouse Square, Holborn Bars, 142 Holborn, London EC1N 2NX +44 (0)20 7961 0341 dwinter@businesseurope.com ------------------------------ Date: Tue, 07 Aug 2001 14:30:12 -0400 From: Sam Garst Subject: Re: Mixing advertising and credit-card activation (Green, RISKS-21.57) In RISKS-21.57 Bob Green discussed a credit-card authorization process that raised some risks. I, too, was confused by a recent credit card activation; with an couple of novel (and risky) twists: My credit card had been compromised. Kudos to the credit card agency, as they called me to confirm a suspicious (and fraudulent) charge. I dutifully called to activate my new card when it arrived. I have CallerID blocked, and I was curious to know how this might be handled. It wasn't, I sailed on through the authorization process. Do they have the means to override CallerID blocking? Or, are they not validating the originating phone number as my home? I promise to call from my office next time, and report back. Just as Bob Green mentioned, I was subjected to a rather long and tedious ad before the authorization process was complete. Ironically, the ad was for one of those credit reporting services, that will send you a consolidated report from all credit agencies, and alert you whenever someone makes a credit check. Well, I hope it was ironic and not targeted advertising for fraud victims. Finally, the prompt at the end of the ad were deeply confusing, just as Bob Green noted. But wait, the confirmation prompt was reversed: "Do you want to buy this service?" "Are you sure you don't want to buy this service?" Sam Garst ------------------------------ Date: Tue, 07 Aug 2001 23:27:33 -0700 From: Joel Garry Subject: Re: Mixing advertising and credit-card activation (Green, RISKS-21.57) >From Pacific Bell web page about caller id http://www.pacbell.com/Products_Services/Residential/ProdInfo_1/1,1973,10-3-,00.html Complete Blocking prevents the transmission of your phone number on all calls you make, except 911 and national 800, 888, and 877 number calls. The risk must be that adhesion contracts (with terms you are stuck with) may define a phrase like "Complete Blocking" with caveats that may unexpectedly negate the phrase. Of course, they are the phone company, they don't have to adhere to any reasonable man or reasonable computer standard. A few days ago, I noticed my business line was in use. Since I wasn't using it, I picked it up and heard telephone technicians talking about line loops and how the "ants were biting the hell out of my arm." So I drove over to where they were installing DSL in the street and told a very surprised tech that if he didn't get off my line, I would make sure his supervisor would bite his ass a lot harder than those ants! Joel Garry, Oracle and Unix Guy http://www.garry.to ------------------------------ Date: Mon, 13 Aug 2001 09:38:30 -0800 From: Rob Slade Subject: REVIEW: "The Internet Security Guidebook", Juanita Ellis/Timothy Speed BKISGFPD.RVW 20010605 "The Internet Security Guidebook", Juanita Ellis/Timothy Speed, 2001, 0-12-237471-1, U$44.95 %A Juanita Ellis %A Timothy Speed tim.speed@home.com %C 525 B Street, Suite 1900, San Diego, CA 92101-4495 %D 2001 %G 0-12-237471-1 %I Academic Press %O U$44.95 619-231-0926 800-321-5068 fax: 619-699-6380 %P 320 p. %T "The Internet Security Guidebook: From Planning to Deployment" The introduction outlines some of the basic types of attacks that can happen over the Internet, and seems to concentrate on attacks against machines, rather than people or companies. This emphasis on the technical is odd, since the material provides very few technical details, but does contain more than a little error and confusion. The text of the book doesn't mention a specific target audience, although the jacket notes seem to promote the work to CEOs and other senior executives. Which is odd: the writing level seems more appropriate to the home user. Chapter one is an overview of security planning. Most of the important parts of preparation are included, but the chapter structure and even the figures are very confusing. There are many gaps in the discussion of security reviews, and a number of odd and apparently misplaced items have been inserted. Encryption is covered simplisticly, and the lack of depth in the material becomes a problem in the chapter on network security. After twelve pages that *don't* explain the Internet and OSI (Open Systems Interconnection) models of networking, the text attempts to deal with a number of Internet security tools, most of which rely on encryption and key exchange. There are frequent errors and the sections sometimes even provide contradictory and nonsensical explanations, such as the statement that "unencoded" means both "not encrypted" and "not as plain text." The basic outline of firewalls is better than is provided in most general guides, although the description of circuit- level gateways keeps referring to "stateful inspection" without ever explaining what that is. The long evaluation section is, unfortunately, the usual for this type of book: it does provide most of the right questions to ask, but doesn't give the novice reader much help in analyzing the answers. Authentication is a very important topic in security, and it is too bad that the material on this subject is so confused, and confusing. I find it very difficult to reconcile the statement that there are "very few examples" of biometrics with the existence of a great many fingerprint, palm geometry, iris, voiceprint, and even face readers. The depiction of Kerberos is wrong in some basic aspects, does not address the fundamental problems with the Microsoft version, and does not relate in any way to the very closely associated topic of single sign-on that immediately follows. The discussion of PKI (Public Key Infrastructure) does do well in covering the "build or buy" debate for a certificate authority. Directory issues are not handled particularly well, and there are other errors. (Excuse me? The Internet didn't exist before the mid- 1980s?) The chapter on messaging security is a real grab bag of topics, none of which, with the possible exception of acceptable use, are covered in sufficient depth. (Viruses and trojans get lumped into this chapter, and the commentary is quite sloppy.) The basic outline of risk analysis, including threat, impact, and probability, is good, but the supporting material is not quite standard, and probably not very helpful to the target audience. The chapter also fails to point out the full scope of such an appraisal, as well as the importance of looking at the aggregate risk. On the other hand, the review of policy and procedures hardly seems to address policy creation at all. This is another miscellaneous compendium of vulnerabilities, diving into specifics and missing the bigger picture. The material on incident response is generic, but does point out the foundational concepts. There is little detail, and the text does concentrate on dealing with events by severity, rather than by type. The book closes off with an ordinary presentation on project planning. I would be the first to admit that security can be a dry topic, and a little humour can help to spice up the text. However, I am willing to make an exception in the case of this book. The jokes added to the text do nothing to improve it. They are intrusive, distracting, and do not, in any way, help the reader to understand the topics under discussion. Indeed, the attempts at comedy generally sidetrack the reader from the central issues of the work, and simply confuse any issue under discussion. If this text is aimed at executive management, it definitely needs to be tightened up and reorganized to eliminate duplicated material and ensure the structure and arguments are easier to follow. Many points raised throughout the work are important, but a number of vital issues are not addressed, and the patchwork of writing level and quality of information probably means that this is unsuitable as an only introduction to security. The Internet, in fact, is not really a major concern in this book, although it does get mentioned from time to time. I would have difficulty in suggesting a group that would benefit from this book, although it might serve as an adjunct text to the security planning process, if ideas were being culled from multiple sources. copyright Robert M. Slade, 2001 BKISGFPD.RVW 20010605 rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade ------------------------------ Date: Wed, 15 Aug 2001 13:39:14 +0100 From: Cliff Jones Subject: Dependability and "Open Source" development WORKSHOP ON OPEN SOURCE SOFTWARE DEVELOPMENT NEWCASTLE, 25-26 FEBRUARY 2002 Organised by the Dependability of Computer-Based Systems (www.dirc.org.uk) Interdisciplinary Research Collaboration, the focus is on dependability and open source software development. Short abstracts due by 2 Nov 2001, papers later. For further details, see: http://www.dirc.org.uk/events/ossdw_ncl.html and contact Dr. C. Gacek . ------------------------------ Date: Wed, 01 Aug 2001 19:48:44 -0400 From: "Lance J. Hoffman" Subject: CFP2002: Call for Proposals [CFP has been an extraordinarily valuable conference, bringing together a very diverse group. Strongly recommended. Proposals due 15 Oct 2001. (This CFP CFP has been abridged for RISKS.) PGN] CFP2002: The Twelfth Conference on Computers, Freedom & Privacy Cathedral Hill Hotel, San Francisco, California, USA 16-19 April 2002 http://www.cfp2002.org Lance J. Hoffman, The George Washington University, Washington DC 20052: Professor, Dept. of Computer Science www.cs.seas.gwu.edu (202) 994-4955 and Cyberspace Policy Institute (202) 994-5513 www.cpi.seas.gwu.edu ------------------------------ Date: 12 Feb 2001 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, send e-mail requests to with one-line body subscribe [OR unsubscribe] which requires your ANSWERing confirmation to majordomo@CSL.sri.com . [If E-mail address differs from FROM: subscribe "other-address " ; this requires PGN's intervention -- but hinders spamming subscriptions, etc.] Lower-case only in address may get around a confirmation match glitch. INFO [for unabridged version of RISKS information] There seems to be an occasional glitch in the confirmation process, in which case send mail to RISKS with a suitable SUBJECT and we'll do it manually. .MIL users should contact (Dennis Rears). .UK users should contact . => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 20" for volume 20] http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. Lindsay Marshall has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r http://the.wiretapped.net/security/info/textfiles/risks-digest/ . http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/ ==> PGN's comprehensive historical Illustrative Risks summary of one liners: http://www.csl.sri.com/illustrative.html for browsing, http://www.csl.sri.com/illustrative.pdf or .ps for printing ------------------------------ End of RISKS-FORUM Digest 21.60 ************************