precedence: bulk Subject: Risks Digest 21.70 RISKS-LIST: Risks-Forum Digest Friday 19 October 2001 Volume 21 : Issue 70 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks . Contents: "Glitch" assigns votes to wrong candidate (Tom Malaher) Pregnant chad revisited (Douglas W. Jones) Internet voting, revisited (Marcus de Geus) LA County voting machine status report (David Schneider) Stray bomb caused by typo (Tim Hollebeek) Jet engine starter motors (Ben Laurie) Your stolen Passport (Monty Solomon) Re: A Risk from Excel and Outlook (Martin Torzewski) Euro changeover (Douglas Long) Re: Outlook for Thanksgiving (Edward Reid, Conor O'Neill) Re: Risks of bogus e-mail addresses "FROM: ObL" (Sascha Mattke) Improper address-change validation (Leonard Erickson) Re: Ham radios in the aftermath of 11 Sep 2001 (Jack Decker) ACM Forum on Legal Regulation of Technology (Edward W. Felten) International Conference on COTS-Based Software Systems (Carol Biesecker) REVIEW: "Viruses Revealed", Robert M. Slade/David Harley/Urs Gattiker (Rob Slade) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Wed, 17 Oct 2001 23:02:27 -0600 From: Tom Malaher Subject: "Glitch" assigns votes to wrong candidate [With Election Day coming up again (!!!) in the U.S., the first four items in this issue seem particularly relevant. PGN] Computer glitch miscounts votes ... Just after midnight, one of them [supporters] decided to take a last look at the results on the city's election Web site and discovered Desbarats had won -- a computer glitch had assigned the wrong totals to each candidate. ... The problem, said election officials, stemmed from the fact candidate Athena d'Arras's surname starts with a lower case "d," and the computer database that sorted election results didn't recognize it as the first letter of her last name. "Capital letters were sorted first and smaller letters were sorted next, so everything went in for the wrong candidate," said Barbara Clifford, the city's returning officer. [Source: *Calgary Herald*, 17 Oct 2001:] http://www.canada.com/calgary/calgaryherald/story.asp ?id={4567F15E-6CB8-4D0D-8245-31EDB555AA00} [My question is, why would the sort order of the output affect the correct assignment of votes to candidates? Hopefully the unique key being used is not the index position in a sorted array, but something more sophisticated. Tom M] [Perhaps the programmer implicitly assumed the order of appearance was indeed ASCII-collating-sequence sorted! Close but no ASCIIgar. PGN] ------------------------------ Date: Fri, 19 Oct 2001 15:16:10 -0500 (CDT) From: "Douglas W. Jones" Subject: Pregnant chad revisited I've recently gotten my hands on a Votomatic voting machine (thanks to Larry Mandel of Governmental Business systems Inc for sending it to me, out of the blue), and I've used it to do some experiments on pregnant chad, following up on questions arising from an interview I did with the Fort Lauderdale Sun Sentinel last December. The results of my experiments are on the web, in: http://www.cs.uiowa.edu/~jones/cards/chad.html complete with lots of pictures. In sum, certain ballot positions on a Votomatic voting machine, and not others, are particularly prone to jams caused by an accumulation of chad inside the mechanism. This was not difficult to uncover -- although punching all that chad was a bit boring. If the election community was supported by a decent research capability, this problem with the machine ought to have been known years ago. I'm shocked that nothing was mentioned of this possibility in any of the testimony I'm aware of from last winter's legal battles or the Congressional hearings last spring, because once you take the machine apart and look at how it works, the risk is pretty obvious. Doug Jones ------------------------------ Date: Wed, 17 Oct 2001 02:02:48 +0000 From: "Marcus de Geus" Subject: Internet voting, revisited A Dutch RNW news mailing reports that Internet (presumably WWW) voting to find a new name for the merged towns of Leidschendam and Voorburg in the Netherlands was abandoned after large-scale fraud was suspected. Starting on 12 Oct 2001, residents of the two towns, which are due to merge on 1 Jan 2002, were given the opportunity to indicate their choice of names (which I won't bother you with) for the new municipality via the Internet. On 15 Oct, 10,000 votes were counted, which was considered "an improbably high count". Also, the town councils received e-mail warnings pointing out the susceptibility to fraud of Internet voting. As a result, the referendum will be restaged, this time using a new medium: e-mail. Voters will be asked to leave their name and address. I don't think there's any need to point out the RISKS. Marcus de Geus http://www.degeus.com ------------------------------ Date: Tue, 16 Oct 2001 18:03:48 -0700 From: "Schneider, David" Subject: LA County voting machine status report On the KLCS broadcast of 2001.10.10, the Los Angeles County Board of Supervisors meeting included an agenda item on digital voting machines. I caught it in progress, but was able to make the following notes: Conny B. McCormack, The LA County Registrar/Recorder was giving a progress report, and made the following points - The Cal Tech/MIT report was that digital voting machines [in general?] were "not ready" for full deployment. - Logistics: current models are heavy, increasing transportation issues, including delivery charges. - Training: The decertification of [prescored] punch cards was due to 1-3% problems that voters experienced - it can expected to be difficult to keep new system problems that low. - Training: LA County has to train 2500 poll workers who cover 5000 [500?] polling places. - Punch cards allow parking-lot setup if polling place is locked; what would be the fallback with digital voting machines? - Phased introduction is desirable: early voters in 2000 (9 locations 1% of voters) and 2002, and full deploy in off-year election such as 2005. - Paper ballots are a contingency plan; they remain certified and are cheaper but the slow count that results is an issue. Supervisor Knabe had the comment that he had observed, in the early voter trial, that seniors had fear of the new machines going in, but liked the big print; and the disabled liked voice features Supervisor Yaroslavsky was asking what is consequences of missing the goal of full deployment for the 2004 election, and how would the conversion be funded? (This would be a BIG budget hit). Ms. McCormack pointed out in other comments that LA County (among others in California) had to respond to the California Secretary of State, but that this was being driven by a class-action lawsuit, and the court could mandate a stricter schedule than the Secretary of State might. Also, there was a reference made that, "Cal Tech voting machines did not yet exist". I hope my summary is reasonably accurate, and that the parts I missed don't change the thrust of the discussion. Meanwhile, voting officials will be watching the counties in Florida where digital voting machines would get their next big trial. David Schneider ------------------------------ Date: Mon, 15 Oct 2001 13:12:29 -0400 From: Tim Hollebeek Subject: Stray bomb caused by typo Several sources are now reporting that a satellite bomb that went astray and hit a residential area did so because the pilot entered one digit wrong when entering the target coordinates. Without more information, it is hard to say definitively how this problem could be avoided, but it certainly seems feasible that systems which display or accept GPS coordinates could use a check digit that detects one digit errors and transpositions, much like the one used in credit-card numbers. If at all possible, systems attached to 2000-lb warheads should be as resistant to typos as commercial systems are. Tim Hollebeek ------------------------------ Date: Mon, 15 Oct 2001 14:42:49 +0100 From: Ben Laurie Subject: Jet engine starter motors Recently I flew from Heathrow to Boston with British Airways on (I think) a 747. My plane was delayed for two hours while one of the starter motors was replaced. We then flew to Boston without event. Whilst in Boston I joked with friends that it was kind of scary that the starter motor was replaced and tested precisely once before we flew across the Atlantic. Of course, the response (which I naturally expected) was that it only needed to work once. But is that true? As it happened, on my return flight I spent the takeoff in the cockpit of the 777 I flew back on. As we took off, I noted that the copilot switched the starter motors to "continuous" after takeoff. When I asked why, he said that because there were a lot of clouds, the moisture could put the engines out -- so they ran them in continuous start "just in case". So, how safe was it to fly across the Atlantic on a single test? Ben. http://www.apache-ssl.org/ben.html ------------------------------ Date: Wed, 3 Oct 2001 22:45:59 -0400 From: Monty Solomon Subject: Your stolen Passport ZDNET, OPINION, By Wayne Rash, 26 Sep 2001 The way Dave Thomas describes it, he and his staff were trying to track down a series of unusual bugs in Windows, when they stumbled across something that really worried them. There, on their screens along with the code they were debugging, was the name and password they'd just used for Microsoft's Passport service. Worse, it was in plain text, and readily accessible. As he looked more deeply, he realized that creating a worm that could recover that information would be, in his words, "trivial." http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2814881,00.html ------------------------------ Date: Tue, 16 Oct 2001 13:32:21 +0100 From: Martin Torzewski Subject: Re: A Risk from Excel and Outlook (Re: RISKS-21.69) I encountered this some years ago. See MS KB extract below (my italics). The article goes on to provide around 3 ways of avoiding it (none being default - the risk). When I reported it the mail administrator where I worked at the time, we jointly concluded that the existence of the KB entry meant MS would be unresponsive to any report. As it happened, what was sent to me was sensitive in terms of cell content which I shouldn't have seen. Martin Torzewski Work: +44 (0)20 7426 7280 OL98: Entire Excel Worksheet Copied Rather than Selected Cells The information in this article applies to: * Microsoft Outlook 98 SYMPTOMS Double-clicking a selection of cells that are pasted from Microsoft Excel into a Microsoft Outlook 98 e-mail message, displays the entire worksheet rather than just the selection of cells. CAUSE This is by design. When you use Microsoft Outlook Rich Text for the default e-mail message format and you paste the cells with the Microsoft Excel worksheet still open, the default paste option is Microsoft Excel Worksheet. http://support.microsoft.com/support/kb/articles/Q192/4/17.ASP ------------------------------ Date: Sun, 14 Oct 2001 21:50:48 +0200 From: Douglas Long Subject: Euro changeover I am trying to balance my first statement from my French bank. (For those of you not familiar with the Euro conversion, banks in France currently allow transactions in both Francs and Euros, which results in a statement that contains amounts in both currencies.) My bank provides two statements, the first in Francs and the second in Euros. Unfortunately, I am trying to use Quicken to reconcile my account (which has its own peculiarities with respect to non-dollar currencies) and am running up against a problem with round off errors. Converting all values to Euros and then calculating the account balance, as I do in Quicken, yields one answer. Calculating a partial balance in Francs, converting to Euros, and then completing the remaining calculations using Euros, as my bank does, yields a slightly different result. Not enough to make a difference to me, but multiplied by 1000's of bank accounts one has to wonder if anyone is taking advantage of the rounding errors? [This possibility was suggested quite some time ago in http://catless.ncl.ac.uk/Risks/19.69.html#subj6.1 .] What makes me really wonder here is the way my ATM withdrawals are recorded on my statement. Every withdrawal results in Francs coming out of the machine, but some ATM transactions are reported in Francs on the Franc part of my statement and others are reported in Euros on the Euro part of my statement. This even occurs when I use the same ATM machine; some are recorded Francs, some are reported in Euros! I can think of no rational reason why this is so. Douglas Long, Paris, France ------------------------------ Date: Tue, 16 Oct 2001 9:48:00 -0400 From: Edward Reid Subject: Re: Outlook for Thanksgiving (RISKS-21.69) > It seems that in some versions of Microsoft Outlook, Thanksgiving 2001 is > marked as 29 Nov. In fact, Thanksgiving is early this year, on 22 Nov. That's not early. Thanksgiving has always been celebrated on the fourth Thursday in November, never the fifth. (Where "always" :=: as long as I've been alive, 52 years.) The risk is not that the celebration date might change -- it didn't -- but that the programming was done by someone who didn't know the basics of the application area (holidays). Edward Reid ------------------------------ Date: Tue, 16 Oct 2001 13:46:25 +0100 From: "Conor O'Neill" Subject: Re: Outlook for Thanksgiving Surely the real risk here is any program pretending to 'know' anything about these public holidays. For the vast majority of the world, the US-style 'Thanksgiving' holiday doesn't exist at all. Conor O'Neill, Bristol, UK ------------------------------ Date: Thu, 18 Oct 2001 08:26:25 -0400 From: Sascha Mattke Subject: Re: Risks of bogus e-mail addresses "FROM: ObL" (Wayner, RISKS-21.68) That news is nonsense. I talked with the priest who was cited on vnunet. He said that some Filipino members of his church received that sms and were also questioned by the police (very politely, he stressed), but this was in no way related to receiving the sms. The padre basically said that the story was made up by a leftist ngo called Migrante International, then printed without research by the inquirer, and then found its way on the net. He and some Filipinos are now demanding the ngo to apologize for spreading fear with the relatives of the questioned people. Sascha Mattke, Redaktion BIZZ, Stolberger Strasse 200, 50933 Koeln Tel +49 (0) 221 - 5341-575 mattke.sascha@bizz.de http://www.bizz.de ------------------------------ Date: Tue, 9 Oct 2001 04:35:52 PST From: shadow@krypton.rain.com (Leonard Erickson) Subject: Improper address-change validation About a month ago I decided to update some info in a personal ad on alt.com. Among other things, I changed the e-mail address that responses were and notifications of potential matches were to to be sent to. Imagine my surprise when I found that the confirmation message was sent *only* to the new address. Sure, it requires a password to get logged in to alt.com. But once there, *anyone* could change the info, and the first I'd have known was when I couldn't get in. While this isn't an application that can cause damage, it is one where the results could be more than a bit embarrassing. The method of "verification" chosen might guard against mistyping the address you wished to change to, but it provides no security. I've gotten no response to my e-mail to alt.com pointing out the flaws in their "security". Leonard Erickson (aka shadow{G}) shadow@krypton.rain.com last resort: leonard@qiclab.scn.rain.com ------------------------------ Date: Mon, 15 Oct 2001 17:06:04 -0400 From: Jack Decker Subject: Re: Ham radios in the aftermath of 11 Sep 2001 (Murnane, R-21.68) With all due respect to Mr. Jonz and Mr. Collinsworth, the problems that amateur radio operators are having with government officials are, in my opinion, largely a product of their own attitudes. Those who promote Linux and other alternative operating systems could take a lesson from this as well. Not too many years ago, there was a requirement that was considered absolutely essential for getting into ham radio: That you know Morse code at 5 words per minute. That may not seem like a huge obstacle (particularly to those who found it easy) but in a way it's like playing the piano - some people pick it up naturally and can "play it by ear", some struggle with it but do well enough to get by (IF they have sufficient motivation), and some are completely tone deaf - no matter how they try, it just doesn't make sense to them. The amateur radio community has steadfastly refused to acknowledge that the latter group could even possibly exist. But what was worse was the attitude of many hams whenever someone advocated dropping the code requirement. Their attitude was that the code acted as a "lid filter" which kept the "undesirables" (read: former CB radio operators) out of ham radio. The result of this was that there were many kids like myself, who had the interest and knowledge of electronics back in the 60's and 70's, but who found the code an insurmountable barrier. Having been this excluded from the exclusive group of those who could "pound brass", we found it hard to figure out why we should care what happens to ham radio in the future. We moved on to other things, like computers and the Internet. Then a little over a decade ago, U.P.S. (the folks who deliver packages using brown trucks) petitioned for some 2-meter frequencies that were carved right out of the ham bands. A lot of hams were so arrogant that they thought there wasn't a chance that the FCC would give away any of their precious spectrum to a commercial interest. Well, they got a rude awakening, and suddenly decided that perhaps it would be in their best interest to allow folks into certain classes of amateur radio without the code requirement, although even that did not happen without a lot of "kicking and screaming" by the older hams. But even then, they reserved the higher classes of amateur licenses - the ones that had access to frequencies capable of spanning long distances - for those that could decipher Morse Code at a higher rate of speed. Even though some hams (and potential hams) had absolutely zero desire to communicate using Morse Code, the requirement was still forced upon them by the "old guard". Wouldn't want any former C.B.'ers communicating with people overseas, you know! Well, guess what - that generation that the hams snubbed is the generation that's now holding political offices. Many of those who know enough about amateur radio that they are not voting out of total ignorance, also know that they were welcomed on CB and told to go study the Morse Code (already a dying form of communication) by the hams. I see the same type of struggle happening today in the Linux community, between those who feel that Linux should be made as easy to use as Windows, and those who feel that people ought not to even be allowed to own a computer unless they know how to use the command line interface (I've even seen a few Linux folks suggest that computer users should be licensed!). Fortunately, since the use of Linux is not licensed by any government, vendors can make their own decisions as to how much user-friendliness to incorporate into the product. The risk is that if you set up something, be it a hobby or a computer operating system, in such a way that it appears that you are making it *deliberately* harder to learn than it needs to be, some folks either cannot or will not make the effort, and those are lost opportunities for making friends. And it's also something that could come back to bite you in the butt, should those of the "excluded" class ever reach positions of power. Personally, I have good friends who are ham radio operators and yet I still find it difficult to have much sympathy for the plight of hams as expressed by Mr. Jonz and Mr. Collinsworth. From where I sit, the hams (or at least their predecessors in the hobby) brought much of it on themselves. Jack Decker ------------------------------ Date: Wed, 17 Oct 2001 06:55:24 -0700 From: "Edward W. Felten" Subject: ACM Forum on Legal Regulation of Technology ACM Forum on Legal Regulation of Technology (http://www.cs.princeton.edu/lawtech) Laws and legal regulations are increasingly affecting what technologists can do. The ACM Forum on Legal Regulation of Technology is a new venue for technologists to discuss how the law is changing their work. There are many examples of the law's impact on technology. The growth of intellectual property claims, including software and business-model patents, has affected many technologists. Prohibitions on specific technologies, such as those in the U.S. Digital Millennium Copyright Act, have affected both researchers and practitioners. Applications of antitrust law have shaped the landscape for companies both large and small. Legal scholars have been discussing these issues for some time, but computer scientists have not been nearly as active in the debate. The forum seeks to bring technologists into the debate. Although we welcome the contributions of legal scholars, the forum belongs to technologists and has a technology-centric view. Many discussions will necessarily focus on the laws of a particular country, often the United States, but the forum is international in scope. Discussion of any country's laws will be welcome. In light of economic globalization, international treaties, and countries' efforts to harmonize their laws with each other, we expect technologists throughout the world to face many of the same issues. The forum will follow the model of ACM's successful RISKS Forum, issuing a periodic digest of contributions. Contributions will be chosen by a moderator, and generally will be short but may point to lengthier discussions elsewhere. The forum is sponsored by ACM. It is hosted by the Department of Computer Science at Princeton University. The moderator is Edward W. Felten. How To Subscribe: To subscribe, send an e-mail message to majordomo@cs.princeton.edu. The body of the message should contain the single line "subscribe lawtech". If all goes well, you will receive a reply message saying that you have been subscribed to the forum. ------------------------------ Date: Mon, 15 Oct 2001 17:31:06 +0000 (UTC) From: cb@sei.cmu.edu (Carol Biesecker) Subject: International Conference on COTS-Based Software Systems (ICCBSS) International Conference on COTS-Based Software Systems (ICCBSS) 4 - 6 February 2002 Orlando, Florida, USA World Wide Web: http://www.iccbss.org Implementing COTS-based software systems presents unique problems that typical reuse practices do not address. As systems increasingly depend on the successful integration of COTS products, practitioners and researchers must be ready to meet these challenges. National Research Council Canada, the Software Engineering Institute, and the USC Center for Software Engineering present the inaugural International Conference on COTS-Based Software Systems (ICCBSS). ICCBSS is the first conference dedicated to solving the unique problems of using COTS products in large systems [*]. We have assembled a unique program that includes keynote addresses by Barry Boehm of the USC Center for Software Engineering, David Baum of Motorola Labs, Ivar Jacobson of Rational Software, and Mike Moore of NASA. The conference features over 25 presentations covering COTS management and engineering processes, technical strategies, and practical experiences using COTS products in large systems. In addition, panel discussions will address the critical issues involved in constructing survivable systems using COTS products, testing systems incorporating COTS products, and dealing with COTS vendors. Additional information about the program and conference registration can be found on this Web site: http://www.iccbss.org Contact: Barb Hoerr, E-mail: iccbss2002@sei.cmu.edu, Phone: + 1 412 268 3007 [* NOT TRUE. I keynoted a NATO conference on that subject in Brussels, April 2000. On my Web site you will find lecture notes for the talk, and references to many of the published papers given in my report on survivable systems and networks. http://www.csl.sri.com/neumann PGN] ------------------------------ Date: Tue, 16 Oct 2001 11:57:29 -0800 From: Rob Slade Subject: REVIEW: "Viruses Revealed", Robert M. Slade/David Harley/Urs Gattiker [I think this book is very much worthy of mention in RISKS, despite the identity of the reviewer. PGN] BKVR.RVW 20011013 "Viruses Revealed", Robert M. Slade/David Harley/Urs Gattiker, 2001, 0-07-213090-3, U$39.99 %A Robert M. Slade rslade@sprint.ca, rslade@vcn.bc.ca, p1@canada.com %A David Harley harley@sherpasoft.org.uk, macvirus@dircon.co.uk %A Urs Gattiker (Denmark) %C 300 Water Street, Whitby, Ontario L1N 9B6 %D 2001 %G 0-07-213090-3 %I McGraw-Hill Ryerson/Osborne %O U$39.99 905-430-5000 +1-800-565-5758 fax: 905-430-5020 %P 700 p. %T "Viruses Revealed" The International Institute for Fashion and Other Really Nasty Things today announced the winner of the 2001 Award for the World's Ugliest Book Cover. "Normally, we wouldn't announce a winner until next spring some time," said Frederick Krueger, the Institute's president, "but with the release of `Viruses Revealed,' there really isn't room for any competition." Spokespeople for Osborne/McGraw-Hill would not speak for attribution, but one did admit that they were pleased with the award. "We said we were going for `bold' and `eye-catching,' but our real target was to produce that sick-to-your-stomach flu feeling, to give people a real virus queasiness. It's nice to know we succeeded." Security specialists were equally quick to comment on the contents of the work. "What a thick book!" said David Chess. "Da- I mean, darn it, where are the taxonomies?" said Winn Schwartau, author of "Internet and Computer Ethics for Kids." He also promised to give us his *real* reaction "as soon as I get rid of the best of these rugrats." "I think more time should go by between Slade's books." - Larry Bridwell "How come my work didn't get mentioned?" - sarah gordon "read it" - A. Padgett Peterson "Should be `reviled'." - PGN "A mythic work! No, sorry, that should be `mythical'." - Jeff Crume "Why are these guys misusing my name?" - Gene Spafford "Makes a great doorstop." - Tom Sheldon "Oooh, a foreword from spaf!" - David Chess (no relation) "Fills an unneeded gap." - Fred Cohen Misinformation about semi-recent viruses can be found at http://www.osborne.com/virus_alert/, while marketing hype is available at http://victoria.tc.ca/techrev/vrupdate.htm and http://sun.soci.niu.edu/~rslade/vrupdate.htm. Some real links can be found at http://www.sherpasoft.org.uk/viruses-revealed/. copyright Robert M. Slade, 2001 BKVR.RVW 20011013 rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade ------------------------------ Date: 12 Feb 2001 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, send e-mail requests to with one-line body subscribe [OR unsubscribe] which requires your ANSWERing confirmation to majordomo@CSL.sri.com . [If E-mail address differs from FROM: subscribe "other-address " ; this requires PGN's intervention -- but hinders spamming subscriptions, etc.] Lower-case only in address may get around a confirmation match glitch. INFO [for unabridged version of RISKS information] There seems to be an occasional glitch in the confirmation process, in which case send mail to RISKS with a suitable SUBJECT and we'll do it manually. .MIL users should contact (Dennis Rears). .UK users should contact . => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 20" for volume 20] http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. Lindsay Marshall has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r http://the.wiretapped.net/security/info/textfiles/risks-digest/ . http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/ ==> PGN's comprehensive historical Illustrative Risks summary of one liners: http://www.csl.sri.com/illustrative.html for browsing, http://www.csl.sri.com/illustrative.pdf or .ps for printing ------------------------------ End of RISKS-FORUM Digest 21.70 ************************