precedence: bulk
Subject: Risks Digest 22.67

RISKS-LIST: Risks-Forum Digest  Friday 4 April 2003  Volume 22 : Issue 67

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at http://catless.ncl.ac.uk/Risks/22.67.html
and by anonymous ftp at ftp.sri.com, cd risks .

Contents:
Rice cooker reprograms pacemaker? (Mark Batten-Carew)
eBay reacts to charges against its Paypal operation (NewsScan)
Pennsylvania won't identify sites blocked for child porn (Ted Bridis via Monty Solomon)
The Googlewashing of our language (Alpha Lau)
Is your television watching you? (Phillip Swann via Monty Solomon)
Website hoax on killer virus triggers Hong Kong panic (Monty Solomon)
Ellison predicts major shakeout in Silicon Valley (NewsScan)
Music piracy violations: $150K a song (NewsScan)
Streaming video: a patent on porn (Monty Solomon)
Laws make crypto and untraceable E-mail illegal? (Douglas W. Jones)
The reality behind these laws (Fred Cohen)
State Super-DCMAs will be suicidal (David Harmon)
Draft legislation on using crypto (Anick Jesdanun via Dave Farber to PGN)
Re: Draft legislation on using crypto (David P. Reed)
Patriot software again a concern? (Robert I. Eachus)
Friendly Fire and the Perils of Statistical Reasoning (Thomas A. Russ)
Re: Friendly fire (Anthony Youngman)
NCIC: "Death by Oops?" (Lauren Weinstein)
POW Social Security numbers revealed (Paul Hirose)
Cell phones & 911 service (Jeremy Epstein)
Possibly-wrong expectations about bouncing e-mail (Mark T.B. Carroll)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 1 Apr 2003 12:56:24 -0500
From: "Mark Batten-Carew"
Subject: Rice cooker reprograms pacemaker?

This is an excerpt from a monthly newsletter that sends out interesting news items.
I don't believe this is an April Fools' item, but then who knows?
Mark Batten-Carew

HEARTBREAKING

A Japanese woman's automatic rice cooker changed the settings on her pacemaker. Doctors doing a routine check up were baffled to find that the hi tech pumping device they had implanted in the woman, 60, had been remotely adjusted. They contacted the manufacturer, who visited her home and found that a rogue rice cooker had somehow beamed signals to the device.

[Source: A&A Economic Digest - April 2003 Edition, http://www.aacb.com/edigest/, 1 April 2003]

[Quite plausible, in light of previous reported cases of electromagnetic interference on pacemakers --- from ACM Software Engineering Notes back issues:
* Arthritis-therapy microwaves set pacemaker to 214, killed patient (S 5 1)
* Retail-store anti-theft device reset pacemaker, man died (S 10 2, 11 1)
* Pacemaker locked up when being adjusted by doctor (S 11 1)
* Electrocauterizer disrupts pacemaker (S 20 1:20)
--- and from RISKS:
* Stores' shoplifting gates can set off pacemakers, defibrillator (RISKS-20.05)
* Heart pacemaker and implantable cardioverter defibrillator recalls and alerts involve 520,000 devices (S 26 6:8, RISKS-21.60)
PGN]

------------------------------

Date: Tue, 01 Apr 2003 10:43:01 -0700
From: "NewsScan"
Subject: eBay reacts to charges against its Paypal operation

Federal prosecutors in Maryland have accused PayPal, the Internet payments company acquired by eBay, of violating the Patriot Act by facilitating illegal gambling. The company disclosed the accusation in its annual report filed with the Securities and Exchange Commission; it says that prosecutors have offered a complete settlement of all possible claims and notes that the amount of its earnings from online gambling was less than what prosecutors asserted.
[AP/*San Jose Mercury News*, 31 Mar 2003; NewsScan Daily, 1 Apr 2003]
http://www.siliconvalley.com/mld/siliconvalley/5525363.htm

------------------------------

Date: Thu, 3 Apr 2003 22:09:01 -0500
From: Monty Solomon
Subject: Pennsylvania won't identify sites blocked for child porn (Ted Bridis)

Mike Fisher, Pennsylvania's attorney general, is citing laws against distributing child pornography in refusing to identify any of hundreds of Web sites his office has forced Internet providers to block under a unique state law that the Center for Democracy and Technology asserts is blocking Web surfers from accessing legitimate sites, but cannot prove without access to the list of blocked sites. Fisher's office said disclosing the list of blocked Web sites would itself be disseminating such pornography, which is illegal.

[Source: Ted Bridis, AP Online, 3 Apr 2003; PGN-ed]
http://finance.lycos.com/home/news/story.asp?story=33704697

------------------------------

Date: Thu, 3 Apr 2003 22:06:12 -0800 (PST)
From: Alpha Lau
Subject: The Googlewashing of our language

Taken from Slashdot [1]:

"The Register[2] talks about how a term ("Second Superpower") coined by the anti-war culture suddenly got radically neutered and altered by a weblog[2] that a lot of people link to. Searching for the term on Google now brings up his blog and other people talking about his blog for the first several entries. Can Google's power to give information to the people be misused and perverted? This only took 42 days."

First the widespread usage of "googling" to mean web searching, and now this. The Register article [2] has the details and how powerful google can be. [3] is the weblog that managed to saturate Google's PageRank. I had a quick peek on AltaVista and voila, numerous other usages of the term "Second Superpower" [4].

The Risk? Blindly trusting Google and its proprietary PageRank algorithm. Worse yet, as Google gains users' trust, it is very easy to trust Google alone.

[1] http://slashdot.org/article.pl?sid=03/04/03/2327239&mode=nested&tid=95
[2] http://www.theregister.co.uk/content/6/30087.html
[3] http://cyber.law.harvard.edu/people/jmoore/secondsuperpower.html
[4] http://www.altavista.com/web/results?q=Second+Superpower&kgs=0&kls=1&avkw=xytx

------------------------------

Date: Tue, 1 Apr 2003 14:35:48 -0500
From: Monty Solomon
Subject: Is your television watching you? (Phillip Swann)

Could the federal government find out what you're watching on TV? Even if you're not the subject of a criminal investigation? If you're a satellite TV or TiVo owner, the answer is yes, according to legal experts and industry officials.

Under the USA Patriot Act, passed a month after the 9/11 terrorist attack, the feds can force a noncable TV operator to disclose every show you have watched. The government just has to say that the request is related to a terrorism investigation, said Jay Stanley, a technology expert for the American Civil Liberties Union.

Under Section 215 of the Act, you don't even have to be the target of the investigation. Plus, your TV provider is prohibited from informing you that the feds have requested your personal information. ...

Source: Phillip Swann, TVWeek.com
http://www.tvweek.com/technology/030303isyourtv.html

------------------------------

Date: Tue, 1 Apr 2003 09:42:02 -0500
From: Monty Solomon
Subject: Website hoax on killer virus triggers Hong Kong panic

[Source: Tan Ee Lyn, Reuters, 1 Apr 2003; PGN-ed]

A teenager's Web Site hoax about the killer virus sweeping Hong Kong sparked panic food buying and hit financial markets on Tuesday, and the government said it was placing more than 200 people into isolation camps.

Indonesia, the world's fourth most populous nation, reported its first three suspected cases. One official said one of the patients had died but this could not be confirmed.

Severe Acute Respiratory Syndrome (SARS) has now affected almost 1,900 people in at least 12 countries, and 63 are known to have died.

In Hong Kong, where 685 people have been infected and 16 have died from the virus, the Web Site hoax forced authorities to deny it would isolate the entire territory. ...

http://news.lycos.com/news/story.asp?section=Breaking&storyId=691262

------------------------------

Date: Wed, 02 Apr 2003 07:49:12 -0700
From: "NewsScan"
Subject: Ellison predicts major shakeout in Silicon Valley

Oracle founder and CEO Larry Ellison says the high-tech industry is poised for another sweeping consolidation that will eliminate many of his rivals. "We think there's at least 1,000 Silicon Valley companies that need to go bankrupt," says Ellison, who predicted Oracle would be one of the survivors, along with Microsoft and IBM. He noted that nearly all software profits are generated by five companies (including Oracle), out of hundreds in the sector. Ellison says companies in Silicon Valley haven't come to grips with the realities of a maturing industry and have resisted the changes necessary to improve efficiency: "The whole model doesn't make sense. There's a bizarre belief that we'll be young forever."

[*Wall Street Journal*, 1 Apr 2003; NewsScan Daily, 2 April 2003]
http://online.wsj.com/article/0,,SB104923666370767900.djm,00.html (subscription required)

------------------------------

Date: Fri, 04 Apr 2003 09:07:26 -0700
From: "NewsScan"
Subject: Music piracy violations: $150K a song

The Recording Industry Association of America (RIAA) has filed lawsuits against four students it says misappropriated academic computing resources to "illegally distribute millions of copyrighted works over the Internet." Two of the accused students are enrolled at Rensselaer Polytechnic Institute, one student is enrolled at Princeton, and the fourth is at Michigan Technological University.
If they are convicted, they could be fined as much as $150,000 for each song they illegally traded. Digital media analyst Phil Leigh says of the RIAA's action: "This is just another step in the direction of demonstrating to the public that there will be penalties for what they consider to be copyright violations. I think they're attempting to take a carrot-and-stick approach here. They're whacking a few people with a stick now. And the carrot is the more liberal rules relating to label-backed subscription online services."

[*San Jose Mercury News*, 4 Apr 2003; NewsScan Daily, 4 Apr 2003]
http://www.siliconvalley.com/mld/siliconvalley/5558442.htm

------------------------------

Date: Wed, 2 Apr 2003 10:07:00 -0500
From: Monty Solomon
Subject: Streaming video: a patent on porn

Acacia Research says it owns five U.S. and 17 international patents covering the transmission and receipt of digital audio and digital video content, otherwise known as streaming media. But before attempting to enforce its patents with big outfits such as Yahoo! and The Walt Disney Co., Acacia instead chose to go after the smallish adult Internet sites that peddle videos of women (and men) doffing their clothes--and much more. They sent letters to 700 racy Web sites with offers to arrange royalty deals, typically consisting of 1% to 2% of gross revenue. Do the deal or we'll see you in court, warned Acacia. Eight firms agreed to Acacia's terms. But 40 didn't, and Acacia promptly slapped them with lawsuits. Rather than buckling, though, several of the porno sites joined together and stood their ground. Now Acacia is in the fight of its life and may even face a shareholder revolt as a result. ...

[Source: Seth Lubove, Forbes.com, 2 Apr 2003; PGN-ed]
http://www.forbes.com/2003/04/02/cz_sl_0402porn.html

------------------------------

Date: Mon, 31 Mar 2003 13:45:24 -0600
From: "Douglas W. Jones"
Subject: Laws make crypto and untraceable E-mail illegal?
  (Re: RISKS-22.66)

[See items by Ed Felten (Use a Firewall, Go to Jail), Steve Bellovin and William Allen Simpson in RISKS-22.66. PGN]

[Some of this legislation] could have bizarre consequences for E-voting advocates, as well as for the entire Internet community.

I quote from Section 750.540c of the Michigan Penal Code, Full text online at:
http://www.michiganlegislature.org/mileg.asp?page=getObject&objName=mcl-750-540c-amended

This goes into effect today (March 31, 2003):

  (1) A person shall not assemble, develop, manufacture, possess, deliver, offer to deliver, or advertise an unlawful telecommunications access device or assemble, develop, manufacture, possess, deliver, offer to deliver, or advertise a telecommunications device intending to use those devices or to allow the devices to be used to do any of the following or knowing or having reason to know that the devices are intended to be used to do any of the following:

  (b) Conceal the existence or place of origin or destination of any telecommunications service.

  (c) To receive, disrupt, decrypt, transmit, retransmit, acquire, intercept, or facilitate the receipt, disruption, decryption, transmission, retransmission, acquisition, or interception of any telecommunications service without the express authority or actual consent of the telecommunications service provider.

In effect, item 1b makes it illegal to create any anonymous communication service, and all of the interesting protocols for ballot deposit appear to rely on anonymization schemes of one kind or another.

Item 1c is really hard to make out. It appears to be intended as an anti-wiretapping rule, but the plain wording appears to require the express authority or actual consent of every ISP for any use of that ISP's facilities; does this mean that if I was in Michigan, I'd have to ask permission before I hit the send key to E-mail this message? I checked their definition of telecommunications service provider and it is broad.
The owner of the wire, the owner of the switching systems, they're all involved and each must give permission.

According to slashdot, a goodly number of states are now considering this kind of law. See:
http://yro.slashdot.org/article.pl?sid=03/03/28/1541230&tid=103

It's pretty obvious that they haven't thought these bills through.

------------------------------

Date: Tue, 1 Apr 2003 05:29:07 -0800 (PST)
From: Fred Cohen
Subject: The reality behind these laws (Re: Firewall, Jail, RISKS-22.66)

As I read the Texas bill, it starts out by saying:
http://www.capitol.state.tx.us/data/docmodel/78r/billtext/pdf/HB02121I.PDF

"A person commits an offense if, with the intent to defraud a communications service..."

The Michigan bill starts out saying:
http://www.michiganlegislature.org/printDocument.asp?objName=mcl-750-219a-amended&version=txt
http://www.michiganlegislature.org/printDocument.asp?objName=mcl-750-540c-amended&version=txt

"(1) A person shall not knowingly obtain or attempt to obtain telecommunications service with intent to avoid, attempt to avoid, or cause another person to avoid or attempt to avoid any lawful charge for that telecommunications service by using any of the following:"

> The Bill analysis basically quotes the MPAA website!
> http://michiganlegislature.org/documents/2001-2002/billanalysis/house/htm/2001-HLA-6079-b.htm

This analysis agrees with mine. That these bills increase penalties only for already illegal actions and possibly criminalize what would currently be some civil matters. If you are paying for one class of service (e.g., home use of the Internet for one computer) and using it for another class of services (e.g., selling access to your neighborhood by putting up a NAT firewall), you are already violating the law and you will also be violating these laws.

I know that this was the April 1 issue, but the rumors on these bills are spreading faster than most computer viruses, and they have been spreading for several days with increasing intensity and are being taken seriously. Nothing in these bills in any way prevents firewalling, encryption, etc. UNLESS it is being used to defraud.

Fred Cohen - http://all.net/ - fc@all.net - fc@unhca.com - tel/fax 925-454-0171
Fred Cohen & Associates - University of New Haven - Security Posture

[defraud ... in the eyes of the accuser! PGN]

------------------------------

Date: Tue, 01 Apr 2003 11:23:41 -0500
From: David Harmon
Subject: State Super-DCMAs will be suicidal (Re: RISKS-22.66)

I suspect at least the Michigan state legislature may reconsider -- after their tech industries pick up and *leave*. The first to go will be the ones actually working on the criminalized tools etc. These will be followed by those whose lawyers were paying attention. The third wave will be triggered as both government and private actors start (ab)using the new laws for arbitrary "takedowns" of their enemies.

Of course, quickly repealing or nullifying the laws *may* stop the exodus, but I expect the state will still be regretting this bonehead move for some time, as will any other states who follow suit. I do, however, doubt Massachusetts will actually *pass* any such law, given the assured and powerful opposition of MIT and their *many* friends. I would hope that whoever introduced it gets stomped at their next election, but that may be too much to ask. On the other hand, some of the other states in question may not have techies with enough pull to make their voice heard.

Of course, a fair number of the companies and persons involved will decide to leave the country altogether, leaving us with fewer national resources for defense *or* productivity. Steve Kirsch was right:

> The terrorists have won. They have successfully convinced America to
> attack itself.
(from: http://www.skirsch.com/politics/iraq/Lessons911.htm )

Dave H.

PS: The basic pattern I'm seeing here is that private self-defense "in cyberspace" is being methodically outlawed. Has anyone *else* noticed that "we" are slowly dismantling the various obstacles to a _Handmaid's_ _Tale_ style techno-coup?

------------------------------

Date: Mon, 31 Mar 2003 16:11:25 -0500
From: "Peter G. Neumann"
Subject: Draft legislation on using crypto

Cheating on income taxes or neglecting to pay sales taxes on online purchases could get you five extra years in prison if the government succeeds in restricting data-scrambling technology, and discourage human rights workers to protect sensitive data. Draft legislation circulating in the Justice Department would extend prison sentences for using encryption in the commission of a crime, something encryption advocates fear would achieve little in catching terrorists and hurt only legitimate uses of cryptography. The new proposal is part of the proposed Patriot II legislation.

[Source: Anick Jesdanun, *The Washington Post*, 31 Mar 2003; PGN-ed via Dave Farber]

[The full item is available on Dave's IP Archives: http://www.interesting-people.org/archives/interesting-people/ PGN]

------------------------------

Date: Mon, 31 Mar 2003 21:21:10 -0500
From: "David P. Reed"
Subject: Re: Draft legislation on using crypto (RISKS-22.67)

If they declare that encryptions are arms, perhaps we should point out the Second Amendment (favorite of the National Rifle Association) guarantees the right to keep and bear arms.

[via Dave Farber's IP]

------------------------------

Date: Mon, 31 Mar 2003 19:53:22 -0500
From: "Robert I. Eachus"
Subject: Patriot software again a concern?

The two Patriot "failures" in have different -- and understandable -- modalities. Whether these incidents were indicative of a problem with the system has to be determined.

The first thing you have to understand is that once a missile has been fired, if an aircraft flies between the target and the Patriot radar on the ground, the missile can acquire the closer aircraft. The Patriot operator can tell the radar not to track the closer aircraft when that plane is showing friendly IFF. If this happens, the missile should reacquire the original target. Of course, if the missile is close to the aircraft, the wrong target may be attacked anyway. This seems to be what happened in the incident where the British aircraft was shot down. It is not clear whether there really was an enemy missile -- or if the incoming was really a mortar shell.

The decision to put IFF recognition in the Patriot ground systems but not in the missiles is both a practical design decision and a military one. If the enemy starts broadcasting "your" IFF code do you want the Patriot system to be able to override IFF recognition?

In the second incident, the operators were again under attack and apparently "unassed" the control trailer. My guess is that the radar was in TWS (track while scan) mode, and the F-15 countermeasures read it as a lock-on -- which of course it was. If the Patriot battery had been manned they could have either told the radar not to lock on to the F-15, or turned off the radar so that the HARM would have lost lock.

In both cases, note that the situation was a typical one for "friendly fire" incidents -- multi-mode attacks that haven't been considered by the rules of engagement.

------------------------------

Date: 31 Mar 2003 15:02:39 -0800
From: tar@ISI.EDU (Thomas A. Russ)
Subject: Friendly Fire and the Perils of Statistical Reasoning

Actually, having it be higher in the first Gulf War is not really that astounding, given the general circumstances. In that war, the overwhelming majority of all casualties were inflicted by the Coalition Forces.
Given that tremendous disparity, even a very small error rate applied to the casualty causation numbers would end up being a very large part of the overall casualties.

While good figures for the Iraqis are hard to come by, CNN's web site lists the following. Coalition 213 combat fatalities (plus another 145 nonbattle deaths). Iraqi military fatalities estimated at 100,000. If the latter is true, then having just a 0.1% error rate would explain about 100 friendly casualties or about half of all of them... (CNN did not break down US casualties by cause, although British losses were listed as 24, 9 by U.S. fire).

Thomas A. Russ, USC/Information Sciences Institute tar@isi.edu

------------------------------

Date: Mon, 31 Mar 2003 10:27:41 +0100
From: Anthony Youngman
Subject: Re: Friendly fire (RISKS-22.65)

In the first Gulf War, our (the British) "friendly fire" casualties were about FIFTY percent of total casualties. Nearly all of them were caused by a single American "hunter air patrol" which, while OUT of its patrol area, and OUT of radio touch (accidental or deliberate?) with its controllers, mis-identified two Warrior APCs as Iraqi and destroyed them.

It caused considerable bad press over here, and the impression left was that the pilots were fed up with not finding targets, wanted to attack something/anything, and had pretty much disobeyed orders in order to find something to shoot at. Shame it was a bunch of soldiers on the same side ...

------------------------------

Date: Wed, 02 Apr 2003 20:34:30 -0800 (PST)
From: Lauren Weinstein
Subject: NCIC: "Death by Oops?"

The latest "Fact Squad Radio" short audio segment may be of interest. It concerns the issue of data accuracy in the FBI's NCIC system. It's called: "The FBI NCIC: Death by Oops?"
and is available via: http://www.factsquad.org/radio

+1 (818) 225-2800 lauren@pfir.org
PFIR: People For Internet Responsibility - http://www.pfir.org

------------------------------

Date: Thu, 03 Apr 2003 00:02:47 GMT
From: Paul Hirose
Subject: POW Social Security numbers revealed

The current war in Iraq has highlighted a risky practice the Pentagon has been following for many years: using the Social Security number as a military member's "service number".

Americans taken POW have been seen and heard on television identifying themselves as required by the Geneva Convention. Naturally this included reciting their SSNs. In every case I've seen (all on American TV), the interview was edited so only the first few digits were revealed. I'm not sure who did this; I hope it occurred at the source (presumably Iraqi state television).

The use of SSNs as service numbers was an issue even before the war. In one incident, some senior officers suffered identity theft when their SSNs were published in the Congressional Record:
http://www.washingtonpost.com/ac2/wp-dyn/A35194-2000Apr7?language=printer

Foreign readers should understand the SSN is practically an American's national identity number, heavily used by the government, employers, banks, even schools. Broadcasting a POW's name and SSN worldwide creates a severe risk of identity theft and invasion of privacy.

Perhaps when the change to SSNs occurred (in the Vietnam era, according to the newspaper article) the danger seemed minimal. But times have changed. The Pentagon should revert to service numbers which have no meaning or usefulness outside the military.

Paul Hirose

------------------------------

Date: Wed, 2 Apr 2003 10:54:10 -0500
From: Jeremy Epstein
Subject: Cell phones & 911 service

*The Washington Post* reports on a number of cases where calling 911 from a cell phone was routed to the wrong jurisdiction, so "response to a life-threatening -- and ultimately fatal -- emergency was delayed because a cell phone call to 911 didn't work the way it was supposed to". The examples given were a caller in Chillum MD routed to 911 in Washington DC (an immediately adjacent jurisdiction) and the recent case [RISKS-22.58] where teenagers in Long Island Sound drowned because 911 wasn't able to determine where the call was coming from.

They note that in the Chillum case, the problem occurred because "a wireless signal can get picked up by the wrong cell phone tower".

In this case, though, the technology isn't at fault, despite what *The Post* says. Radio waves don't respect human boundaries; the cell phone goes to the nearest/strongest signal (not sure exactly how this works). If I stand on one side of a street, I can be in a different jurisdiction from the other side of the street. There's no way for the cell tower to know which side of the street I'm on, and route the call to the correct 911 location.

The RISK is that 911 dispatchers aren't trained to recognize calls from adjacent jurisdictions and route them appropriately.

http://www.washingtonpost.com/wp-dyn/articles/A54802-2003Mar30.html

------------------------------

Date: Fri, 4 Apr 2003 07:50:16 -0500 (EST)
From: "Mark T.B. Carroll"
Subject: Possibly-wrong expectations about bouncing e-mail

I have domain names with short names where all e-mail to anyone at that domain comes past me. One thing I find is that people from organisations that have a similar domain name to one of mine send their inter-office stuff to me as they mistype their own organisation's domain name in the intended recipients' addresses.
I wonder if they would be more careful with internal documents if they realised it is actually not all that improbable that e-mail to Some.Odd.Name@wrong-short.domain that doesn't look like spam will be read by at least somebody instead of being bounced automatically.

------------------------------

Date: 29 Mar 2002 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, send e-mail requests to with one-line body
     subscribe [OR unsubscribe]
   which requires your ANSWERing confirmation to majordomo@CSL.sri.com . If Majordomo balks when you send your accept, please forward to risks. [If E-mail address differs from FROM: subscribe "other-address " ; this requires PGN's intervention -- but hinders spamming subscriptions, etc.] Lower-case only in address may get around a confirmation match glitch.
     INFO [for unabridged version of RISKS information]
   There seems to be an occasional glitch in the confirmation process, in which case send mail to RISKS with a suitable SUBJECT and we'll do it manually. .UK users should contact .

=> The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from
   http://www.CSL.sri.com/risksinfo.html
   ftp://www.CSL.sri.com/pub/risks.info
   The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. ***

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.

=> ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com
     login anonymous
     [YourNetAddress]
     cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 21" for volume 21]
   http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
   Lindsay Marshall has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
   http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
   http://www.planetmirror.com/pub/risks/
   ftp://ftp.planetmirror.com/pub/risks/

==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   http://www.csl.sri.com/illustrative.html for browsing,
   http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 22.67
************************