precedence: bulk Subject: Risks Digest 22.71 RISKS-LIST: Risks-Forum Digest Saturday 3 May 2003 Volume 22 : Issue 71 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at http://catless.ncl.ac.uk/Risks/22.71.html and by anonymous ftp at ftp.sri.com, cd risks . Contents: OpenBSD release protects against buffer-overflow attacks (SANS via Monty Solomon) Prescription error (Monty Solomon) Spelling checker renames Amritsar to AmriCzar (David J. Aronson) Kellogg's American Airlines online sweepstakes swept away (PGN) Pilots fail exams (Jill Treu) Inside Cisco's eavesdropping apparatus (Declan McCullagh via Monty Solomon) Internet fraud complaints triple (NewsScan) Bogus Internet domain-name renewal offers (Network Solutions via PGN) Spammers use viruses to hijack computers (NewsScan) Breastfeeding mothers, avoid Continental (Meng Weng Wong via Dave Farber) Re: NCIC database accuracy requirements (John Beattie) Re: Friendly Fire (Jan C. Vorbrueggen) REVIEW: "Firewalls and Internet Security", Cheswick/Bellovin/Rubin (Rob Slade) REVIEW: "Inside the Security Mind", Kevin Day (Rob Slade) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Sun, 20 Apr 2003 22:28:52 -0400 From: Monty Solomon Subject: OpenBSD release protects against buffer-overflow attacks (SANS) Excerpt from SANS NewsBites April 16, 2003 Vol. 5, Num. 15 http://www.sans.org/newsletters/newsbites/vol5_15.php The most recent release of OpenBSD should eliminate buffer overflows, according to the group's project leader. The group took three approaches to hardening the software. First, the location of the stack in memory is randomized. Second, the team added a tag to the memory structure that will detect address modifications. Finally, they managed to divide the main memory into two sections: writable and executable; the pieces of data and programs, called "pages", would be stored in one or the other section, ensuring that no page is writable and executable at the same time. http://news.com.com/2100-1002-996584.html [Editor's Note (Gene Schultz): Many kudos are in order here. If what the OpenBSD people are doing really works, they will put considerable pressure on other vendors and developers to do the same. Buffer overflow problems continue to plague operating systems and applications. Eliminating this category of vulnerabilities would be a major victory for the information security arena. (Schneier): It's great to see this kind of approach to buffer overflows. This is an example of building in security instead of trying to patch it afterwards. (Ranum): It's GREAT to see that at least a few people are smart enough to try to attack problems like this systemically, rather than keeping stuck in the fruitless "penetrate and patch" while loop. This is how to make progress in security: fundamental protections. (Shpantzer): Initiatives like this should be taught as case studies in computer science courses at the undergraduate level. ] ------------------------------ Date: Tue, 8 Apr 2003 02:57:07 -0400 From: Monty Solomon Subject: Prescription error I recently had a prescription filled that was written for 60 pills with 4 refills. The pharmacist made a data-entry mistake, and the prescription was entered for 60 pills with 60 refills! Because prescriptions are valid for a year, the pharmacy computer could have detected the error and alerted the pharmacist. But, in this case, the prescription was printed by my doctor's computer so the issue of reading the doctor's handwriting was not an issue. The pharmacist may be used to finding the number of refills in a specific place on the prescription and the computer generated prescription might have the number of refills and quantity of pills in unusual places. The prescription was laser printed in the corner of a standard 8.5" x 11" piece of paper so the form factor of the prescription was also non-standard. [I suppose Monty was lucky the fields were not transposed. Imagine having a prescription for 60 refills of 4 pills each. PGN] ------------------------------ Date: Tue, 29 Apr 2003 11:53:15 -0400 From: "David J. Aronson" Subject: Spelling checker renames Amritsar to AmriCzar A Reuters news story written yesterday ("Revenge Behind Air India Bombing, Court Told", by Allan Dowd) included mention of "the Golden Temple in the city of AmriCzar". Google-ing AmriCzar revealed eight hits, compared to the about 141,000 of the correct spelling. (That, as you may have guessed, is Amritsar.) The six shown (two other similar hits were omitted) are: http://www.washingtonpost.com/wp-dyn/ articles/A58594-2003Mar7.html http://www.punjabi.net/talk/messages/1/829.html http://cndyorks.gn.apc.org/news/articles/ asia/itemsonconflict.htm http://terrorism.com/ http://www.ocf.berkeley.edu/~andychou/archive200211.htm http://www.jekyl.com/jekyl/arc_Nov02.htm (Note that some of these are quoting Reuters articles!) At a guess, the cause seems to have been blind string-matching without regard for context, including whether the string was part of a larger word. The RISK? Fortunately, just mild embarrassment in this case, and even that is assuming that the IT folks at Reuters ever catch wind of this. However, we've seen worse consequences reported here before due to similar "help", even when the "correction" is limited to spelling.... David J. Aronson, Software Engineer for hire in Washington DC area. See http://destined.to/program/ for online resume, references, etc. [Roto-reuters strike again. PGN] ------------------------------ Date: Wed, 30 Apr 2003 16:07:58 PDT From: "Peter G. Neumann" Subject: Kellogg's American Airlines online sweepstakes swept away The Kellogg Company ("cereal giant") began a two-month sweepstake intended to give away one grand prize of 25,000 American Airlines' AAdvantage miles each day for 60 days. Unfortunately, due to a "computer glitch", several thousand people were erroneously notified by e-mail that they were winners -- and then later notified that the earlier e-mail was in error but that they would receive 500 miles as a goodwill gesture. [Source: AP item, 29 Apr 2003; PGN-ed] http://www.siliconvalley.com/mld/siliconvalley/ ------------------------------ Date: Wed, 23 Apr 2003 11:10:42 -0400 From: "Treu, Jill" Subject: Pilots fail exams [For those readers who wonder about why this item is relevant to RISKS, please remember that technology usually depends on a lot of people. PGN] The pilots couldn't pass the psychological and physical tests to be allowed to carry a firearm --- but flying huge planes full of people is OK. Oh, this makes so much sense! The risks should be obvious. Four pilots did not finish gun training. Four of the 48 veteran airline pilots who began the government's first training course for pilots wishing to carry guns in the cockpit were rejected after they failed at least one of the battery of required background checks, psychological exams and firearms tests. Officials said the four rejections showed that the government was serious about providing guns only to pilots who were psychologically and physically fit to carry firearms in flight and defend their planes against attackers. The bill permitting airline pilots to carry guns was passed by Congress last year, a legacy of the hijackings on 11 Sep 2001, over the serious objections of senior members of the Bush administration and some members of Congress. [Source: *The New York Times*, 22 Apr 2003] http://www.nytimes.com/2003/04/22/international/worldspecial/22PILO.html ------------------------------ Date: Tue, 22 Apr 2003 02:26:16 -0400 From: Monty Solomon Subject: Inside Cisco's eavesdropping apparatus (from Declan McCullagh) By Declan McCullagh, 21 Apr 2003 Cisco Systems has created a more efficient and targeted way for police and intelligence agencies to eavesdrop on people whose Internet service provider uses their company's routers. The company recently published a proposal that describes how it plans to embed "lawful interception" capability into its products. Among the highlights: Eavesdropping "must be undetectable," and multiple apolice agencies conducting simultaneous wiretaps must not learn of one another. If an Internet provider uses encryption to preserve its customers' privacy and has access to the encryption keys, it must turn over the intercepted communications to police in a descrambled form. Cisco's decision to begin offering "lawful interception" capability as an option to its customers could turn out to be either good or bad news for privacy. Because Cisco's routers currently aren't designed to target an individual, it's easy for an Internet service provider (ISP) to comply with a police request today by turning over all the traffic that flows through a router or switch. Cisco's "lawful interception" capability thus might help limit the amount of data that gets scooped up in the process. On the other hand, the argument that it hinders privacy goes like this: By making wiretapping more efficient, Cisco will permit governments in other countries -- where court oversight of police eavesdropping is even more limited than in the United States -- snoop on far more communications than they could have otherwise. Marc Rotenberg, head of the Electronic Privacy Information Center, says: "I don't see why the technical community should hardwire surveillance standards and not also hardwire accountability standards like audit logs and public reporting. The laws that permit 'lawful interception' typically incorporate both components -- the (interception) authority and the means of oversight -- but the (Cisco) implementation seems to have only the surveillance component. That is no guarantee that the authority will be used in a 'lawful' manner." U.S. history provides many examples of government and police agencies conducting illegal wiretaps. The FBI unlawfully spied on Eleanor Roosevelt, Martin Luther King Jr., feminists, gay rights leaders and Catholic priests. During its dark days, the bureau used secret files and hidden microphones to blackmail the Kennedy brothers, sway the Supreme Court and influence presidential elections. Cisco's Internet draft may be titled "lawful interception," but there's no guarantee that the capability will always be used legally. Still, if you don't like Cisco's decision, remember that they're not the ones doing the snooping. Cisco is responding to its customers' requests, and if they don't, other hardware vendors will. If you're looking for someone to blame, consider Attorney General John Ashcroft, who asked for and received sweeping surveillance powers in the USA Patriot Act, along with your elected representatives in Congress, who gave those powers to him with virtually no debate. I talked with Fred Baker, a Cisco fellow and former chairman of the Internet Engineering Task Force (IETF), about his work on the "lawful interception" draft. ... http://news.com.com/2010-1071-997528.html ------------------------------ Date: Thu, 10 Apr 2003 08:15:43 -0700 From: "NewsScan" Subject: Internet fraud complaints triple Complaints about fraudulent schemes perpetrated over the Internet tripled in 2002 from the previous year, with the most common grievance being auction fraud, followed by non-delivery of promised merchandise, credit card fraud and fake investments. According to a report from the Internet Fraud Complaint Center, which is run by the FBI and the National White Collar Crime Center, the 48,252 complaints referred for prosecution in 2002 represent only a fraction of the crimes authorities believe are occurring. The center also received almost 37,000 other complaints that did not constitute fraud, but involved such things as spam, illegal child pornography and computer intrusions. The report says 80% of known fraud perpetrators and about 71% of complainants are male. Fraud complaints originated in all parts of the country, with a third coming from California, Florida, Texas and New York. One of the most persistent scams described in the report is the infamous "Nigerian letter," which urges victims to pay an upfront fee (characterized as a bribe to the government) in order to receive non-existent funds from the "Government of Nigeria." There were 16,000 complaints related to that scam in 2002, up from 2,600 in 2001. [AP, 9 Apr 2003; NewsScan Daily, 10 Apr 2003] http://apnews.excite.com/article/20030409/D7QA6UFO0.html ------------------------------ Date: Wed 23 Apr 2003 From: neumann@csl.sri.com Subject: Bogus Internet domain-name renewal offers The following CUSTOMER SERVICE ANNOUNCEMENT warns of bogus e-mail offering domain renewals. > Date: Tue, 22 Apr 2003 19:51:59 -0400 > From: "Network Solutions, Inc." [...] > Subject: Customer Renewal Warning > Dear Network Solutions(R) Customer, > We recently learned that our customers are receiving domain name renewal > notices from companies falsely representing themselves as Network > Solutions. These notices inform customers that their domain name > registration is due to expire and provides instructions on how to renew. > If you receive a renewal notice you do not believe is from Network > Solutions or if you have an unauthorized vendor listed on your credit card > statement for 'domain name renewal,' please contact us immediately [...]. ------------------------------ Date: Wed, 30 Apr 2003 08:46:57 -0700 From: "NewsScan" Subject: Spammers use viruses to hijack computers As efforts to tackle junk e-mail ramp up, unscrupulous spammers increasingly are hiding their identities by taking over innocent users' accounts using e-mail messages that resemble computer viruses. Like many other viruses, these programs exploit weaknesses in Microsoft's popular Outlook e-mail package. One of the first hijacking programs to emerge was called "Jeem," which contained a hidden e-mail engine that enabled it to route messages via the infected computer. Another, called Proxy-Guzu, comes as a spam message with an attachment. When the unsuspecting recipient clicks on the attachment, the computer contacts a Hotmail account and transmits information about the infected machine, making it possible to route e-mail through that machine. "Spammers are beginning to use virus-like techniques to cover themselves," says Larry Bridwell, content security programs manager at ICSA Labs. "Spam is one of the two things that the security industry is going to be asked to deal with. The other is adware or spyware." [BBC News 30 Apr 2003; NewsScan Daily, 30 Apr 2003] http://news.bbc.co.uk/2/hi/technology/2988209.stm ------------------------------ Date: Tue, 22 Apr 2003 10:50:54 -0400 From: Meng Weng Wong Subject: Breastfeeding mothers, avoid Continental (via Dave Farber's IP) Deborah Wolfe, a Canadian citizen who was just breast-feeding her son and changing his diaper while en route between Houston and Vancouver, says her "subversive" actions led to her being threatened with detainment, RCMP involvement and legal charges for terrorist action against a U.S. citizen in international airspace while on an American flight during a time of war. ... Wolfe says she refused a flight attendant's offer of an airline blanket to hide herself because it hadn't been sealed and, given the SARS scare, she'd rather use her own things. Thus, unbeknownst to her, a "Level 1" crew complaint was filed. ... She says the flight attendants also began to call her and her travelling party "foreign nationals in international airspace on an international flight during a time of war." And she was informed both of the complaint and that it could be upgraded to a Level 3, which meant possible mandatory detainment by U.S. authorities for 24 hours, RCMP involvement and criminal charges for an act of war upon an American. http://www.canada.com/montreal/montrealgazette/story.asp ?id=51AA6AB6-034B-4FE0-911C-04871E6B1EC5 IP archives at: http://www.interesting-people.org/archives/interesting-people/ ------------------------------ Date: Mon, 21 Apr 2003 11:01:55 +0100 From: John Beattie Subject: Re: NCIC database accuracy requirements As reported in RISKS-22.65, etc., the accuracy requirements for the FBI's National Crime Information Center have been reduced or eliminated. Also discussed in the April 2003 Cryptogram: http://www.counterpane.com/crypto-gram-0304.html At first sight this is bad. But the other point of view may be worth noting: a widely used database which is "accurate" but has a high false positive rate may provide a useful widespread learning experience. Most users of databases regard "the computer" as infallible. A 100-to-1 false positive rate would be salutary! :-) It isn't enough that engineers and computer scientists understand accuracy requirements; the end-users, as represented by lawyers, have to have a feeling for it as well. Bad databases already do damage -- it may be that what is needed is a really high-profile failure. You can argue probabilities as much as you like; the thing will only hit home when almost everyone who's had contact with the database has actual knowledge of a failure. [Perhaps if a few Senators, Representatives, Justice Department folks, and other government officials were mistakenly apprehended, that might help. PGN] ------------------------------ Date: Mon, 28 Apr 2003 15:58:19 +0200 From: "Jan C. =?iso-8859-1?Q?Vorbr=FCggen?=" Subject: Re: Friendly Fire (Ladkin, RISKS-22.68) I believe a technical contribution to this organizational problem was the fact that Aegis computed/computes the first and second derivatives of measured target height to derive sink/climb rate and acceleration. These values, derived as they are from noisy measurements, are notoriously unreliable. The crew seems to have treated these "measurements" at face value, deriving a threat from the fact that they indicated a high sink rate directed at the Vincennes, when in reality the aircraft was flying level. So in this case the misinterpretation (at least in part) resulted in the ability of computers to provide processed but unreliable data, very likely without an indication of its unreliability (ever seen error bars on such displays?). Jan Vorbrüggen - MediaSec Technologies, Berliner Platz 6-8, D-45127 Essen Research & Development - Tel. +49 201 437 52 52 http://www.mediasec.com ------------------------------ Date: Fri, 25 Apr 2003 08:36:55 -0800 From: Rob Slade Subject: REVIEW: "Firewalls and Internet Security", Cheswick/Bellovin/Rubin BKFRINSC.RVW 20030321 "Firewalls and Internet Security", William R. Cheswick/Steven M. Bellovin/Aviel D. Rubin, 2003, 0-201-63466-X, U$49.99/C$77.99 %A William R. Cheswick ches@cheswick.com %A Steven M. Bellovin smb@stevebellovin.com %A Aviel D. Rubin avi@rubin.net %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8 %D 2003 %G 0-201-63466-X %I Addison-Wesley Publishing Company %O U$49.99/C$77.99 416-447-5101 fax: 416-443-0948 %O http://www.amazon.com/exec/obidos/ASIN/020163466X/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/020163466X/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/020163466X/robsladesin03-20 %P 433 p. %T "Firewalls and Internet Security: Repelling the Wily Hacker, Second Edition" As the first work to deal seriously and completely with the topic, the first edition of "Firewalls and Internet Security" was one of those classics that get known only by the last names of the authors, so as not to leave any possibility of confusion with books whose titles may be similar. When such a long time has elapsed between editions of a work such as this, it is more than possible that the field has moved on far enough that a minor updating of the material is simply not feasible. The authors are quite well aware of the new territory: where useful, the original structure has been retained, but otherwise, the book has essentially been rewritten. A huge undertaking, but the only practical course, in the circumstances. Part one establishes a starting point. Chapter one, an introduction, presents a number of basic, but worthwhile, security concepts. The operations of various components of the TCP/IP protocol suite are discussed, with the most serious security vulnerabilities helpfully highlighted, in chapters two (lower layers) and three (upper layers). The authors' thoughts on the security of the Web are amply expressed in the title of chapter four: "The Web: Threat or Menace?" Part two outlines the threats to networked machines. Chapter five describes a number of different types of attacks. A variety of tools for determining security weaknesses are listed in chapter six, alongside discussions of the relative costs/benefits of disclosure versus security by obscurity. Part three details security tools and utilities. Chapter seven reviews authentication concepts and techniques. Various network security systems are described in chapter eight. Part four gets us to firewalls and virtual private networks (VPNs) themselves. Chapter nine outlines the different types of firewalls. Basic filtering concepts are examined in chapter ten. Considerations for constructing and tuning your firewall are in chapter eleven. Tunnelling and VPNs are discussed in chapter twelve. Part five extends the isolated technology of firewalls into the application of protecting an organization. Network layout, and the implications thereof, is reviewed in chapter thirteen. Chapter fourteen deals with hardening of hosts. Chapter fifteen is a rather terse look at intrusion detection. Part six is entitled "Lessons Learned." The detection and tracing of "berferd" is described in chapter sixteen, along with the taking of the "CLARK" machine in chapter seventeen. In chapter eighteen, Kerberos and IPSec are used as examples of approaches to security of insecure networks. Chapter nineteen finishes with some ideas for work that yet needs to be done to help with the security of the Internet. The place of firewalls in regard to network security has broadened considerably in the past decade. This book does reflect that reality. Unfortunately, that breadth of topic has come at the expense of some depth in coverage. The result is a book that is definitely worthwhile as an introduction to the field, but which may no longer be suitable as a working reference. I must admit that, for some time, I have been recommending Chapman and Zwicky (cf. BKBUINFI.RVW) over Cheswick and Bellovin's original text, since "Building Internet Firewalls" seems to have the edge in terms of practicality. Upon reviewing this new edition of the classic, I would have to stick to that recommendation. copyright Robert M. Slade, 1994, 2003 BKFRINSC.RVW 20030321 rslade@sprint.ca rslade@vcn.bc.ca slade@victoria.tc.ca p1@canada.com ------------------------------ Date: Fri, 2 May 2003 08:21:11 -0800 From: Rob Slade Subject: REVIEW: "Inside the Security Mind", Kevin Day BKINSCMI.RVW 20030321 "Inside the Security Mind", Kevin Day, 2003, 0-13-111829-3, U$44.99/C$69.99 %A Kevin Day %C One Lake St., Upper Saddle River, NJ 07458 %D 2003 %G 0-13-111829-3 %I Prentice Hall %O U$44.99/C$69.99 +1-201-236-7139 fax: +1-201-236-7131 %O http://www.amazon.com/exec/obidos/ASIN/0131118293/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0131118293/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0131118293/robsladesin03-20 %P 309 p. %T "Inside the Security Mind: Making the Tough Decisions" I am quite sympathetic to the idea that the realization of a security mindset or attitude (I frequently refer to it as professional paranoia) is more important to attaining security than isolated technical skills. I'm sorry to say that this work is not likely to help you find, attain, or assess that protection perspective. Right from the beginning of the book, readers will find a flavour of eastern philosophy, and even mysticism, to it. There are four virtues, an eight-fold path, and even repeated injunctions for the reader to keep an "open mind"--a phrase which those who have conversed with devotees of the Buddhist faith will find rather familiar. Unfortunately, chapter one seems to demonstrate that Day is bringing us only a newage vagueness in his description of the security mind. We are to rid ourselves of negative thoughts, and follow fundamental virtues, which we haven't been given yet. Computer security is only a decade old, we are told in chapter two, and constantly changing, and expensive, and there are few practitioners, and lots of bad guys out there, and we are paralyzed by fear--but we have nothing to fear but fear itself! Chapter three finally lists the four virtues for us: security is ongoing, a group effort, requires a generic approach, and is dependent upon education. I don't disagree with any of these points (other than the philological debate about whether they should be called virtues), and neither would any other security professional. However, they don't really provide us with much in the way of help. Eight security "rules," in chapter four, list principles such as "least privilege," which are also commonly known in security work. Chapter five is supposed to tell us how to develop a security mind, but actually seems to be an exercise in wishful thinking. If the world were neatly divided into safe and unsafe zones, and if our systems all worked perfectly and in correspondence with our users' known requirements, and if everyone that we trusted were completely competent in regard to their own defence, security would be much easier. Decision-making is likewise simplisticly seen to be supported by the virtues and rules, in chapter six. There is a superficial overview of blackhats and vulnerabilities in chapter seven. Chapter eight has a standard review of risk analysis. Vague ideas on hiring security, and some thoughts on outsourcing, are in chapter nine. The author gives his opinion on some security tools in chapter ten. Chapter eleven is another attempt to prove that the rules can be used. We are given a final adjuration to change our attitudes in chapter twelve. Basically, this book is yet another attempt to write a general security guide, without first ensuring that the material is structured, sound, complete, or useful. copyright Robert M. Slade, 2003 BKINSCMI.RVW 20030321 rslade@sprint.ca rslade@vcn.bc.ca slade@victoria.tc.ca p1@canada.com ------------------------------ Date: 29 Mar 2002 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, send e-mail requests to with one-line body subscribe [OR unsubscribe] which requires your ANSWERing confirmation to majordomo@CSL.sri.com . If Majordomo balks when you send your accept, please forward to risks. [If E-mail address differs from FROM: subscribe "other-address " ; this requires PGN's intervention -- but hinders spamming subscriptions, etc.] Lower-case only in address may get around a confirmation match glitch. INFO [for unabridged version of RISKS information] There seems to be an occasional glitch in the confirmation process, in which case send mail to RISKS with a suitable SUBJECT and we'll do it manually. .UK users should contact . => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 21" for volume 21] http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. Lindsay Marshall has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r http://the.wiretapped.net/security/info/textfiles/risks-digest/ . http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/ ==> PGN's comprehensive historical Illustrative Risks summary of one liners: http://www.csl.sri.com/illustrative.html for browsing, http://www.csl.sri.com/illustrative.pdf or .ps for printing ------------------------------ End of RISKS-FORUM Digest 22.71 ************************