Subject: Risks Digest 22.79

RISKS-LIST: Risks-Forum Digest  Tuesday 8 July 2003  Volume 22 : Issue 79

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at http://www.risks.org as
  http://catless.ncl.ac.uk/Risks/22.79.html
The current issue can be found at
  http://www.csl.sri.com/users/risko/risks.txt

Contents:
  The risks of assuming things: German payrolls (Debora Weber-Wulff)
  Radar operator's joke leads to fighter intercept (Ian Chard)
  "Soft walls" will keep hijacked planes at bay (Chris Meadows, Craig DeForest)
  Error in E-Mini Dow Futures creates havoc at CBOT, CME (Conrad Heiney)
  $180 Million for Piracy Conspiracy (Monty Solomon)
  Computer failure brings Hong Kong passenger to Melbourne (David Goll)
  Dead-pregnant-men software failure (Ed Ravin)
  Johnson Calls ATM Arrest Error 'Intolerable' (Keith A Rhodes)
  RFID Site Security Gaffe Uncovered by Consumer Group (Monty Solomon)
  Web site turns tables on government officials (Monty Solomon)
  FTC Increases Focus on Privacy (Bob Tedeschi via Monty Solomon)
  Web vandalism alert (NewsScan)
  Re: Cell-phone tracking (Thor Lancelot Simon)
  Microsoft Word "bytes" Tony Blair in the butt (Richard M. Smith)
  Dangers of MS Word, yet again (David Magda)
  New variant on the PayPal scam (Dawn Cohen)
  Re: Phantom voting in Israeli Knesset (Jonathan Kamens)
  Watch out for auto-dialing on cellphones (Danny Burstein)
  Glitches hit FTC 'do-not-call' list (Monty Solomon)
  Do not do not call? (Dawn Cohen)
  Risk of appropriating technology you don't understand (Doug Sojourner)
  About Do-Not-Call Lists (Mark Siegel)
  Re: New State Laws on Privacy (Don Colton)
  Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sun, 06 Jul 2003 23:08:26 +0200
From: Debora Weber-Wulff
Subject: The risks of assuming things: German payrolls

The German government has a little problem. Up until now all of the civil servants have been paid according to a pay scale that is the same throughout Germany. The salaries are paid out by the states, but the federal government determines the pay level.

The company SAP has developed payroll software for the civil service that many states in Germany use. When a new payscale goes into effect, they just issue a table update, and everything is fine.

Now suddenly the states are rebelling: Berlin has left the fold, and just this week concocted a wacky payment system. Certain extras are being cut, others kept, pay is being cut either 8, 10 or 12 percent depending on what scale people are in, the work week is to be decreased by 2 hours a week for most of them, etc. etc. No one really understands it, except that Berlin is broke and is trying to save money any way it can.

The changes are to go into effect immediately - except that there's the slight problem with the payroll system. It assumes the same tariffs as everywhere.....

Looks like the folks down at SAP are going to have their vacations canceled, as they try to whip up programs to institute this payment schedule change.

Or as a colleague once said many, many years ago: No one can be *that* crazy.... only to discover a few months later that there really was someone with a really crazy schema for organizing stuff.

Prof. Dr.
Debora Weber-Wulff, FHTW Berlin, FB 4, Internationale Medieninformatik
Treskowallee 8, 10313 Berlin +49-30-5019-2320

------------------------------

Date: Thu, 3 Jul 2003 15:27:41 +0100
From: "Ian Chard"
Subject: Radar operator's joke leads to fighter intercept

Avweb Newswire (http://www.avweb.com/newswire/9_27b/complete/185253-1.html):

"In Europe last week, French fighter jets almost shot down a civilian helicopter that wandered over Lake Geneva, after a Swiss controller jokingly labelled the helicopter as 'al-Qaeda' on his radar screen."

Ian Chard RHCE Unix systems administrator  E: ichard@cadence.com
European IT, Cadence Design Systems Ltd  T: +44 (0)1506 595019
The Alba Campus, Livingston, Scotland EH54 7HH  M: +44 (0)7901 855073

------------------------------

Date: Thu, 3 Jul 2003 10:17:29 -0500
From: Robotech_Master
Subject: "Soft walls" will keep hijacked planes at bay

Article in *NewScientist* about an interesting new technique for keeping airliners from crashing into skyscrapers:
  http://www.newscientist.com/news/news.jsp?id=ns99993893

The proposal suggests modifying the avionics in aircraft so that the plane would fight any efforts by the pilot to fly into restricted airspace. So if a plane was flying with a no-fly-zone to the left, and the pilot started banking left to enter the zone, the avionics would counter by banking right. Lee's system, called "soft walls", would first gently resist the pilot, and then become increasingly forceful until it prevailed.

The risks of this technique I leave as an exercise to the reader.

Chris Meadows aka Robotech_Master robotech@eyrie.org
http://www.eyrie.org/~robotech

------------------------------

Date: Mon, 7 Jul 2003 13:03:45 -0600
From: zowie@euterpe.boulder.swri.edu (Craig DeForest)
Subject: "Soft walls" = dangerous avionics?

Edward Lee, at U.C. Berkeley, is proposing to implement no-fly zones around skyscrapers (and avoid a repeat of the 9/11 massacre) by using GPS to override the controls of civilian aircraft.
Based on a database (in the aircraft) of building locations, the on-board avionics would force the controls of large airplanes to prevent them from flying into large buildings (with presumably known locations).

There's an interesting article in this week's New Scientist (http://www.newscientist.com/news/news.jsp?id=ns99993893) that talks about Lee's system and relates it to other ideas for counter-terrorism. Interestingly, one advantage that Lee uses is that other systems require radio links with the ground and therefore "can be jammed, or hacked into" (while, presumably, GPS cannot?). Not surprisingly, Lee says that pilots are "openly hostile" to the idea.

It seems to me that the system falls prey to a weakness that so many pseudo-security systems do: it's in essence a cooperative system, rather than a pre-emptive one (by analogy to multitasking in the computing world). Even assuming the avionics work flawlessly, it would be impossible to install the "soft wall" system on every airplane in the country, let alone the world -- and it only takes one airplane with the soft-wall avionics missing or disabled, to defeat the purpose of the whole system.

------------------------------

Date: Thu, 3 Jul 2003 14:16:01 -0700
From: "Conrad Heiney"
Subject: Error in E-Mini Dow Futures creates havoc at CBOT, CME

The Wall Street Journal today (7/3/03) reported that a mistaken order on the Chicago Board of Trade's "e-mini Dow Jones Industrial Average Futures" caused wild market swings today. Apparently an order to sell 10,000 contracts instead of 100 was put in by mistake. This caused the market, which had been on the upswing that day, to plunge downwards in both the Chicago Board of Trade and the Chicago Mercantile Exchange. Several traders reported assuming that some bad news such as a terrorist attack had sparked the sell-off.

The RISK of a typo on an electronic system causing financial havoc is once again made clear.

Conrad Heiney conrad@fringehead.org http://fringehead.org

------------------------------

Date: Sun, 29 Jun 2003 23:39:37 -0400
From: Monty Solomon
Subject: $180 Million for Piracy Conspiracy

$180 million at $500 a month, Vickie Chachere, Associated Press, 28 Jun 2003

A man who schemed to steal satellite television signals now has something much bigger than a cable bill to pay -- a whopping $180 million restitution order on which he is to make $500 monthly payments.

  http://www.orlandosentinel.com/news/orl-locpayback28062803jun28,0,5719929.story
  http://yro.slashdot.org/yro/03/06/28/181227.shtml

------------------------------

Date: Tue, 8 Jul 2003 11:46:04 +1000
From: David Goll
Subject: Computer failure brings Hong Kong passenger to Melbourne

From today's *Melbourne Age*:

According to reports on local radio this morning, the lady in question was in possession of a branded boarding pass which clearly identified her carrier as Cathay Pacific not Qantas.

One has to question our reliance on technology when even holding a branded boarding pass, a passenger can inadvertently walk onto the wrong flight and end up not only in a different country, but a different hemisphere to boot!

  http://www.theage.com.au/articles/2003/07/08/1057430177680.html

------------------------------

Date: Mon, 7 Jul 2003 01:38:16 -0400
From: Ed Ravin
Subject: Dead-pregnant-men software failure

In a NY Times story about the effects of NY City budget cuts:
  http://www.nytimes.com/2003/07/07/nyregion/07BLOC.html?pagewanted=print
(link free until July 13 or so, after that they charge):

Is a discussion of yet another multi-million dollar software development failure:

  Eight years ago, at the urging of [...] funeral directors, the city agreed to develop a computerized registration system [for the filing of death certificates]. About $3.2 million was spent to design one, according to an audit released on June 23 by the city comptroller.
  Then the plans were abandoned when the prototype system developed serious problems, like registering some men as having been pregnant when they died. The city now plans to spend $1.8 million more for project design. The comptroller's audit called the aborted plans "a monumental waste" of taxpayer dollars.

The NYC Comptroller's press release announcing the audit is at:
  http://www.comptroller.nyc.gov/press/2001_releases/01-08-055.shtm

Where it is mentioned that the city Health Department, in charge of the software development, violated both City and State procurement procedures in using an existing contract with IBM for "computer maintenance" to develop the new software system. The full bill for the system so far is more like $9-$10 million. The system still does not work, and the Health Department has issued a new RFP for the project that does not contain any references to the old system, so it appears they intend to throw it away.

The audit is available at:
  http://www.comptroller.nyc.gov/bureaus/audit/06-23-03_7A03-073.shtm

The Comptroller quickly reaches to the heart of the matter:

  "[...] the Department did not employ a formal systems development methodology or an independent software quality assurance consultant [as required by City rules, which] contributed to the apparent failure of this project."

Meanwhile, across the river in New Jersey, a similar project was completed by leveraging an existing Sybase system from the New York State Department of Health, taking only six months and $250,000.

------------------------------

Date: Mon, 30 Jun 2003 08:25:02 -0400
From: "Keith A Rhodes"
Subject: Johnson Calls ATM Arrest Error 'Intolerable' (Re: RISKS-22.78)

  http://www.washingtonpost.com/wp-dyn/articles/A33576-2003Jun25.html

Although this article is focusing more on the local Prince George's County police force and detective function -- which has gotten a lot of bad press here in the DC area for quite a long time -- I think the message that is being missed is that technology can give the exact opposite result from that intended. Photographs from ATM cameras linked with ATM card usage and the system clocks are supposed to provide exact measures of events. However, if the ones using the data do not carefully collect it and interpret it correctly, then -- as this article states -- three apparently innocent people are arrested and held for 22 days.

Humans cannot be completely removed from processes that have severe consequences, but the humans that are left "in the loop" must understand that what they do has severe consequences. They should, therefore, be very careful about what the "system" is telling them. In this case, the detention of the three innocent people has allowed a killer at least 22 days to get away.

------------------------------

Date: Tue, 8 Jul 2003 02:08:36 -0400
From: Monty Solomon
Subject: RFID Site Security Gaffe Uncovered by Consumer Group

CASPIAN asks, "How can we trust these people with our personal data?"

CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering) says anyone can download revealing documents labeled "confidential" from the home page of the MIT Auto-ID Center Web site in two mouse clicks.

The Auto-ID Center is the organization entrusted with developing a global Internet infrastructure for radio frequency identification (RFID). Their plans are to tag all the objects manufactured on the planet with RFID chips and track them via the Internet.

Privacy advocates are alarmed about the Center's plans because RFID technology could enable businesses to collect an unprecedented amount of information about consumers' possessions and physical movements. They point out that consumers might not even know they're being surveilled since tiny RFID chips can be embedded in plastic, sewn into the seams of garments, or otherwise hidden. ...

  http://www.nocards.org/press/pressrelease07-07-03_1.shtml

------------------------------

Date: Sat, 5 Jul 2003 00:28:42 -0400
From: Monty Solomon
Subject: Web site turns tables on government officials

Hiawatha Bray, *The Boston Globe*, 4 Jul 2003

Annoyed by the prospect of a massive new federal surveillance system, two researchers at the Massachusetts Institute of Technology are celebrating the Fourth of July with a new Internet service that will let citizens create dossiers on government officials.

The system will start by offering standard background information on politicians, but then go one bold step further, by asking Internet users to submit their own intelligence reports on government officials -- reports that will be published with no effort to verify their accuracy.

''It's sort of a citizen's intelligence agency,'' said Chris Csikszentmihalyi, assistant professor at the MIT Media Lab. He and graduate student Ryan McKinley created the Government Information Awareness (GIA) project as a response to the US government's Total Information Awareness program (TIA). ...

  http://www.boston.com/dailyglobe2/185/business/
  Website_turns_tables_on_government_officials+.shtml

------------------------------

Date: Tue, 1 Jul 2003 00:28:13 -0400
From: Monty Solomon
Subject: FTC Increases Focus on Privacy

Bob Tedeschi, *The New York Times*, 30 Jun 2003

What started more than a year ago as a California teenager's quest for blue jeans ended this month with a warning shot from the Federal Trade Commission, which is moving more aggressively against e-tailers seen as too lax about protecting their customers' privacy.

Online merchants say they can handle the commission's new scrutiny. But some people, including the young man who set off the FTC investigation in this case, are not so sure. And given that the young man pointed out a security flaw in another well-known online merchant last week, he may be right.

In February 2002, Jeremiah Jacks, then a 19-year-old computer programmer, was set to buy a pair of jeans on the Web site of Guess Inc. But before entering his credit card information, he took the unusual step of checking the site's security - not the security pledge in Guess.com's privacy policy, but the company's actual practices.

In the site's address bar he entered a string of characters that, on an insecure site, would produce a page listing the credit card numbers of the company's customers. The vulnerability, he said, is well known within the programming community.

It worked. About 200,000 customer names and credit card numbers appeared in Mr. Jacks's browser.

In an interview last week, Mr. Jacks recalled that he had immediately tried to inform Guess of its vulnerability to such a break-in [an SQL injection]. Guess.com ignored his entreaties, he said, and Mr. Jacks soon reported his discovery to SecurityFocus, an Internet security news site owned by the Symantec Corporation, which then notified Guess. Within hours, the company fixed the site.

  http://www.nytimes.com/2003/06/30/technology/30ECOM.html

------------------------------

Date: Thu, 03 Jul 2003 09:30:59 -0700
From: "NewsScan"
Subject: Web vandalism alert

Anonymous organizers of a Web-vandalizing contest this weekend say that the goal will be to deface 6,000 Web sites in six hours, with winners to be awarded prizes such as Web hosting space and Internet domain names. Pete Allor of Internet Security Systems Inc., which runs a threat-detection service, cautions Web operators: "The problem is now, and you shouldn't wait until Sunday to address it." (Atlanta Journal-Constitution 3 Jul 2003)
  http://www.ajc.com/business/content/business/0703/03hacker.html
NewsScan Daily, 3 Jul 2003

  [Apparently mostly small sites were hit. PGN]

------------------------------

Date: 28 Jun 2003 18:17:21 -0400
From: tls@panix.com (Thor Lancelot Simon)
Subject: Re: Cell-phone tracking (Lesher, RISKS-22.78)

Knowing which location register (cell-phone networks use, essentially, remote procedure call with callbacks between "location registers" to authorize outbound calls, correctly route inbound calls, etc.) a phone is currently active on, or has recently been active on, is *not* the same as knowing where a phone is with GPS precision, nor even the same as knowing which cell site a phone is currently speaking to.

Logs of transitions between LRs ("roaming", even if that hardly exists from most customers' points of view any longer) are useful and probably even necessary for diagnosing connectivity and billing problems and for settling accounts among providers.

------------------------------

Date: Mon, 30 Jun 2003 09:04:13 -0400
From: "Richard M. Smith"
Subject: Microsoft Word "bytes" Tony Blair in the butt

Microsoft Word documents are notorious for containing private information in file headers which people would sometimes rather not share. The British government of Tony Blair just learned this lesson the hard way.

Last week, Alastair Campbell, Blair's Director of Communications and Strategy, was in the hot seat in British Parliament hearings explaining what roles four of his employees played in the creation of a plagiarized dossier on Iraq which the UK government published in February 2003. The names of these four employees were found hidden inside of a Microsoft Word file of the Iraq dossier which was posted on the 10 Downing Street Web site for use by the press.

The "dodgy dossier" as it became known in the British press raised serious questions about the quality of British intelligence before the second Iraq war.

I wrote an article for my Web site about how a bit of computer forensics analysis played a role in this controversy:
  http://www.ComputerBytesMan.com/privacy/blair.htm

Richard M. Smith http://www.ComputerBytesMan.com

------------------------------

Date: Thu, 3 Jul 2003 20:28:52 -0400
From: David Magda
Subject: Dangers of MS Word, yet again

The British government learned the hard way about how Microsoft Word documents keep a revision history:
  http://www.wsws.org/articles/2003/feb2003/cnew-f10.shtml
  http://www.computerbytesman.com/privacy/blair.htm
  http://www.abc.net.au/pm/s779254.htm

The original analysis was supposedly this:
  http://www.casi.org.uk/discuss/2003/msg00457.html

This is nothing new of course: see RISKS 20.83, 20.28, 17.76, 19.97, 18.46, 18.44, 18.41, etc.

This problem goes back to (at least) 1996 (RISKS 17.76) and yet people are still bitten by this bug(?). The more things change...

David Magda, http://www.magda.ca/

------------------------------

Date: Thu, 03 Jul 2003 09:23:02 -0400
From: "Dawn Cohen"
Subject: New variant on the PayPal scam

I don't know exactly what it is about PayPal (as compared with any other e-commerce sort of thing)...I seem to get more scam e-mails targeting them than anything else, and all of these e-mails seem to look very similar.
They all appear to be from PayPal, and include HTML forms with legitimate PayPal images and have links with real PayPal URL's. The kicker is always that the submit button takes you to a non-PayPal site.

The newest variant is a bit more insidious than the previous ones I've received. The submit button, as usual, takes you to a non-PayPal site, but appears to immediately re-direct you to a valid PayPal page. You have to either be looking in the page source for the non-PayPal URL or be *very* quick to notice that you are going to a non-PayPal URL, first.

And even the non-PayPal URL might be a little hard for a naive user to catch, assuming they were fast enough to see it:

  http://www.paypal.com0011101100011010011100011100001110001101001110001110000111000110100111000111000011100011@pizdatohosting.com/paypal/paypal.php

------------------------------

Date: Tue, 1 Jul 2003 16:13:09 -0400
From: Jonathan Kamens
Subject: Re: Phantom voting in Israeli Knesset (Ravin, RISKS 22.76)

It is worth noting that the computerized voting system used by the Israeli Knesset has, as far as I know, no security whatsoever. It consists solely of a station of buttons at each Member of Knesset's (MK's) seat for him/her to use to register his/her vote. No authentication is required for casting a vote. All an MK has to do to cast someone else's vote is to lean over and push the desired button at the other MK's station.

In contrast, the electronic voting stations in the US House of Representatives require a "Vote-ID" card to be inserted before a Congressman can vote. Furthermore, there are many fewer stations than seats (Congressmen line up to vote at the stations), so I suspect that the stations all have cameras trained on them throughout each vote, such that if there is suspicion of wrong-doing after a vote, it is straightforward to replay the video to find out who voted twice. The US Senate has no electronic voting equipment -- counted votes are conducted by roll-call or paper ballot.

This is surely far from the first time that MK's have voted for each other. In fact, I find myself wondering not how this could be allowed to happen, but rather why a fuss is being made about this particular instance of it. If the Knesset really wanted to prevent it, they could do so, so it seems to me that they haven't seen it as a problem. Perhaps the culture within Israel's government is changing, such that what was previously acceptable behavior is becoming unacceptable.

------------------------------

Date: Tue, 1 Jul 2003 04:20:35 -0400 (EDT)
From: danny burstein
Subject: Watch out for auto-dialing on cellphones

RISKS has previously pointed out the awkwardness that can result from inadvertently tapping an auto-dial button on a cellphone.

We now have a burglar who will now have quite a bit of spare time to study RISKS. Per the *NY Post* article, excerpts attached:

"It seems Boylan accidentally hit the redial button on his cell phone during a burglary - providing the break-in victim with a voice-mail recording of the crime in progress, said Detective Lt. Steve Skrynecki.

"Before the 3:20 a.m. burglary on Sunday, Boylan had called the victim's girlfriend on her cell and spoke to the victim, the detective said.

"Somehow, Boylan "inadvertently hit the redial on his cell phone" while he and his buddy ransacked the house and chatted as they grabbed a video-game player, game cartridges, a remote-controlled car and an antique bayonet, Skrynecki said.

"They had no idea their crime-scene commentary was being recorded on the girlfriend's voice mail, Skrynecki said.

  http://nypost.com/news/regionalnews/2178.htm

------------------------------

Date: Tue, 1 Jul 2003 00:47:31 -0400
From: Monty Solomon
Subject: Glitches hit FTC 'do-not-call' list

Nearly one-fourth of the consumers who tried to sign up for the Federal Trade Commission's Do Not Call database haven't completed the process, the agency said Monday.
The agency blames in part a series of technological glitches, including aggressive spam filtering by e-mail providers that accidentally deleted some confirmation e-mails sent by the FTC. But many consumers just haven't replied to the FTC e-mail, which is the final step in the sign-up process, said FTC attorney Eileen Harrington. [Source: Bob Sullivan, Three million consumers didn't finish sign-up process, MSNBC, 30 Jun 2003]
  http://www.msnbc.com/news/933138.asp

------------------------------

Date: Tue, 01 Jul 2003 13:27:04 -0400
From: "Dawn Cohen"
Subject: Do not do not call?

I found my way to the Web site for the national Do Not Call registry, through the CDT Web site. With great cheerfulness, I registered my two phone numbers. I followed the instructions: I entered my phone numbers and one of my e-mail addresses. I received the automatic e-mails generated by the registry Web site, and followed their instructions, which were simply to click on a link in the e-mail and print out the confirmation on the linked Web page.

"How simple!" thought I to myself. "What a blessing! With no effort at all, I am relieved of countless nuisance calls that interrupt my otherwise hectic dinner!"

"But wait a bit! How does it know that the e-mail address I entered corresponds to someone who legitimately has the rights to put my number on the Do Not Call registry? Oh well...I guess it doesn't matter...suppose I go out of my way to take someone else off the list...are they going to cry because they don't get a lot of telemarketing calls? I guess not. No problem!"

"Oh, but wait...I think I saw a 'delete registration' button..."

Yup. It works the same way. Type in a phone number and your favorite e-mail address, and you can make sure that that number is not on the do not call registry!
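
The confirmation flow described in the message above, modelled as an added example (not code from the digest or from the registry): the same toy registry confirms changes either through the e-mail address the requester typed in, or through the phone line being changed. The `Registry` class, the phone-channel alternative and all numbers and addresses are constructed assumptions for illustration.

```python
import secrets


class Registry:
    """Toy do-not-call registry with a confirm-before-change step."""

    def __init__(self, confirm_via):
        # "email": the code goes to whatever address the requester supplied,
        #          as in the flow the message describes.
        # "phone": the code goes to the number being changed (an assumed
        #          alternative design, not something the digest describes).
        if confirm_via not in ("email", "phone"):
            raise ValueError(confirm_via)
        self.confirm_via = confirm_via
        self.listed = set()
        self.pending = {}    # code -> (action, phone)
        self.delivered = {}  # destination -> [codes]; stands in for mail/calls

    def request(self, action, phone, email):
        """Queue an add/delete and deliver a one-time code on the chosen channel."""
        if action not in ("add", "delete"):
            raise ValueError(action)
        code = secrets.token_hex(8)
        self.pending[code] = (action, phone)
        dest = email if self.confirm_via == "email" else phone
        self.delivered.setdefault(dest, []).append(code)

    def confirm(self, code):
        """Apply the pending change for a code; each code works once."""
        entry = self.pending.pop(code, None)
        if entry is None:
            return False
        action, phone = entry
        if action == "add":
            self.listed.add(phone)
        else:
            self.listed.discard(phone)
        return True


def third_party_can_delete(confirm_via):
    """True if someone who controls only an unrelated mailbox can remove
    another subscriber's number from the list."""
    reg = Registry(confirm_via)
    owner_phone, owner_mail = "555-0100", "owner@example.org"  # constructed

    # The owner signs up and reads the code from whichever channel was used.
    reg.request("add", owner_phone, owner_mail)
    owner_channel = owner_mail if confirm_via == "email" else owner_phone
    reg.confirm(reg.delivered[owner_channel].pop())
    assert owner_phone in reg.listed

    # A third party types in the owner's number with their own address
    # and confirms only what actually reached their own mailbox.
    other_mail = "someone-else@example.net"  # constructed
    reg.request("delete", owner_phone, other_mail)
    for code in reg.delivered.get(other_mail, []):
        reg.confirm(code)
    return owner_phone not in reg.listed


if __name__ == "__main__":
    for channel in ("email", "phone"):
        print(channel, "-> third party can delete:", third_party_can_delete(channel))
```

With e-mail confirmation the check proves control of a mailbox that has no relationship to the number, so the deletion goes through; when the code travels over the number itself, the third party never sees it.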

------------------------------

Date: Mon, 30 Jun 2003 14:51:12 -0700
From: Doug Sojourner
Subject: Risk of appropriating technology you don't understand

Like many other people, I registered at www.donotcall.gov the other day. It seems like they are using a "validation" technique that is often used for e-mail lists: contact the e-mail given to see if it really belongs to the person trying to subscribe. Alas, this does no good when you contact an e-mail to validate a phone number.

------------------------------

Date: Sun, 29 Jun 2003 11:40:09 -0700
From: Mark Siegel
Subject: About Do-Not-Call Lists

Assume for a moment, that do not call/do not spam lists are found to be invalid/unenforceable/unconstitutional.

'They', now, have all the valid e-mail addresses and phone numbers anyone could want.

------------------------------

Date: Sat, 28 Jun 2003 19:07:44 -1000
From: Don Colton
Subject: Re: New State Laws on Privacy (RESmith, 22.78)

What are the RISKs of a do-not-call (or do-not-e-mail) list? How does this process work? Does a telemarketer purchase a copy of the do-not-call list, or does the telemarketer submit his own copy and get back a list of rejections? Since conducting surveys is apparently still allowed under the new law, will telemarketers use the do-not-call list but employ a pseudo-survey marketing tactic? Or will the free market dictate that calling the unwilling is not a money-making proposition? Or is the list seeded with honey pots to facilitate catching violators? I find myself afraid to sign up.

------------------------------

Date: 30 May 2003 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you.
 Alternatively, via majordomo, send e-mail requests to with one-line body
   subscribe [OR unsubscribe]
 which requires your ANSWERing confirmation to majordomo@CSL.sri.com . If Majordomo balks when you send your accept, please forward to risks.
 [If E-mail address differs from FROM: subscribe "other-address " ; this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
 Lower-case only in address may get around a confirmation match glitch.
   INFO [for unabridged version of RISKS information]
 There seems to be an occasional glitch in the confirmation process, in which case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
 .UK users should contact .
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!
=> The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from
   http://www.CSL.sri.com/risksinfo.html
   ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues.
 *** All contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES: http://www.sri.com/risks
 http://www.risks.org redirects you to the Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]
 Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
 http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
 http://www.planetmirror.com/pub/risks/
 ftp://ftp.planetmirror.com/pub/risks/
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
   http://www.csl.sri.com/illustrative.html for browsing,
   http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 22.79
************************