precedence: bulk
Subject: Risks Digest 22.80

RISKS-LIST: Risks-Forum Digest  Wednesday 16 July 2003  Volume 22 : Issue 80

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at http://www.risks.org as
  http://catless.ncl.ac.uk/Risks/22.80.html
The current issue can be found at
  http://www.csl.sri.com/users/risko/risks.txt

Contents:
Helios loss (Peter B. Ladkin)
Error In e-mini Dow Futures creates havoc at CBOT, CME (Conrad Heiney)
A Virginia law aids identity theft victims (Michael D. Shear via Monty Solomon)
David Nelson and CAPPS II? (Rob Slade)
Man charged in e-mail stalking of anchor (Rick Jervis via Monty Solomon)
Has your PC been hijacked to spread pornography? (NewsScan)
Remotely disabling PCs as an anti-theft measure (Nick Brown)
Walk-By Hacking (Erik Sherman via Monty Solomon)
Secure eBay password changes (Scott Ehrlich)
Adobe Acrobat and PDF security: no improvements for 2 years (Monty Solomon)
Bank advises ActiveX is a security product (Charles Williams)
"Complex" security -- what hope mere mortals? (Ben Low)
New Kind of Snooping Arrives at the Office (Marci Alboher Nusbaum via Monty Solomon)
Canada and the FTC Do Not Call list (Tony Harminc)
Washing machine does the right thing after power outage (Erik Klavon)
Sony recalling some Vaio laptops for shock risk (Monty Solomon)
Re: "Soft walls" = dangerous avionics? (Thomas Wicklund, Robert Woodhead)
Re: RFID Site Security Gaffe ... (Crispin Cowan)
Re: The risks of assuming things: German payrolls (Josef Janko)
REVIEW: "Computer and Intrusion Forensics", George Mohay et al. (Rob Slade)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 16 Jul 2003 22:28:22 +0200
From: "Peter B. Ladkin"
Subject: Helios loss

The Helios solar-powered flying wing was lost in June in the Pacific just west of the Hawaiian Islands, whence it was flying, due to "control difficulties that resulted in severe oscillations" at about 3,000 ft altitude [1]. The craft set an altitude record for propeller-driven craft of nearly 100,000 ft in its previous set of flights for NASA. Helios is (rather, was) extremely lightweight and remote-piloted. Lots of it has been recovered from the ocean, but the fuel-cell system, reported to cost $10m, sank in about 1,800m of water and is unlikely to be recovered.

The National Research Council Committee on the Effects of Aircraft-Pilot Coupling [APC] on Flight Safety reported in 1997 that, although APC events are rare, they occur "at some point during the development of almost all FBW [Fly-By-Wire] aircraft" and notes that they are often associated with the introduction of new technologies [2, p6], of which the Helios is one of the more remarkable.

[1] Guy Norris, Helios board looks at cause of 'severe oscillations', Flight International, 15-21 July, 2003, p26.
[2] National Research Council, Committee on the Effects of Aircraft-Pilot Coupling, "Aviation Safety and Pilot Control", National Academy Press, 1997.

Peter B. Ladkin, University of Bielefeld, Germany
http://www.rvs.uni-bielefeld.de

------------------------------

Date: Thu, 3 Jul 2003 14:16:01 -0700
From: "Conrad Heiney"
Subject: Error In e-mini Dow Futures creates havoc at CBOT, CME

The *Wall Street Journal* reported today that a mistaken order on the Chicago Board of Trade's "e-mini Dow Jones Industrial Average Futures" caused wild market swings today. Apparently an order to sell 10,000 contracts instead of 100 was put in by mistake. This caused the market, which had been on the upswing that day, to plunge downwards in both the Chicago Board of Trade and the Chicago Mercantile Exchange.
Several traders reported assuming that some bad news such as a terrorist attack had sparked the sell-off.

The RISK of a typo on an electronic system causing financial havoc is once again made clear.

Conrad Heiney conrad@fringehead.org http://fringehead.org

------------------------------

Date: Sun, 13 Jul 2003 22:25:39 -0400
From: Monty Solomon
Subject: A Virginia law aids identity theft victims

By Michael D. Shear, *The Washington Post*, 13 Jul 2003

Federal and state police put the handcuffs on 32-year-old Angel Gonzales in front of his wife and two young children just as the neighborhood school bus pulled up. ''We're taking your father to jail,'' they told his 6-year-old daughter, walking Gonzales to the cruiser as his neighbors gawked. The police had nabbed Gonzales, who lives in the Tidewater area of Virginia, on a Las Vegas fugitive warrant on cocaine charges. The warrant said he was armed and dangerous.

Ambur Daley, 27, was arrested in a North Carolina airport as she returned from visiting her grandmother in Canada. The Staunton, Va., resident was booked, fingerprinted, and kept overnight in jail, accused of writing bad checks.

In fact, neither Daley nor Gonzales had done anything wrong. The crimes they were accused of were committed by phantoms -- identity thieves who have stolen their names, Social Security numbers, addresses, and telephone numbers. Dependent on electronic records in databanks, police across the nation were chasing the wrong people.

Both now have a Virginia Identity Theft Passport, the first two victims to participate in a program aimed at giving people such as Daley and Gonzales a fighting chance in convincing police of their innocence. A state law creating the program took effect July 1.

Issued by a judge and bearing the seal of Attorney General Jerry W. Kilgore, the passport is intended to aid Virginia residents who are the victims of identity theft. ...
http://www.boston.com:80/dailyglobe2/194/nation/A_Virginia_law_aids_identity_theft_victims+.shtml

------------------------------

Date: Mon, 14 Jul 2003 12:18:20 -0800
From: Rob Slade
Subject: David Nelson and CAPPS II?

According to a story in the "This is True" mailing list, based on another from the *Los Angeles Daily News*, 6 people in the Los Angeles area, 18 in Oregon, and 4 in Alaska, all with the name David Nelson, have been pulled from commercial flights even after passing security checks. The Transportation Security Administration is quoted as saying that the name is not on any list, but that pattern matching technology is flagging the name.

Does anyone have any further information on this phenomenon?

rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

------------------------------

Date: Wed, 16 Jul 2003 02:39:05 -0400
From: Monty Solomon
Subject: Man charged in e-mail stalking of anchor

Tonny Horne, an Indiana man who thought Chicago WFLD (Channel 32) news anchor Tamron Hall was talking to him through his television set, and who showered her with affectionate and obscene e-mails for two years, will be among the first people charged under Illinois' 2001 cyberstalking law. A grand jury indicted him on charges of cyberstalking and criminal trespassing. He had been arrested on 16 Jun 2003 outside the Chicago Fox studios. If convicted, he could face 2 to 5 years in prison. [Source: article by Rick Jervis, *Chicago Tribune*, 13 Jul 2003; PGN-ed]

http://www.chicagotribune.com/technology/chi-0307130506jul13,1,2009477.story

------------------------------

Date: Fri, 11 Jul 2003 09:40:42 -0700
From: "NewsScan"
Subject: Has your PC been hijacked to spread pornography?

Computer security expert Richard M. Smith says that in the last month network vandals (possibly linked to Russian organized crime) have found ways to take over PCs with high-speed connections to the Internet and use them, without their owners' knowledge, to send Web pages advertising pornographic sites. Smith says that "people are sort of involved in the porno business and don't even know it." Most PC owners don't know when their computers have been hijacked and the hijacking apparently doesn't damage the computer or disrupt its operation. Because so many different machines are hijacked to perpetrate this scheme, there's no single computer that can be shut down to end the problem. Smith adds: "We're dealing with somebody here who is very clever." (*The New York Times*, 11 Jul 2003; NewsScan Daily, 11 Jul 2003)

http://partners.nytimes.com/2003/07/11/technology/11HACK.html

------------------------------

Date: Fri, 30 May 2003 16:04:59 +0200
From: BROWN Nick
Subject: Remotely disabling PCs as an anti-theft measure

ZDNet reports yet another attempt to "discourage PC theft":

http://zdnet.com.com/2100-1105_2-1009807.html

A short extract:

"Every time a computer outfitted with TheftGuard connects to the Internet, it pings the TheftGuard site. A computer-theft victim can register the machine at the site. If the stolen machine is brought online, the original owner can arrange to have the machine crippled or crippled with all data erased, and can determine the Internet Protocol address used--which can help in hunting down the thief."

Naturally:

- The TheftGuard site can and will never, ever be hacked - or even a tempting target for hackers;
- Extensive checks will be put in place to ensure that only the registered owner of a PC can call in to say it's been stolen (perhaps they'll ask for your SSN ?);
- The world's law enforcement agencies have thousands of officers just standing by for reports saying "the person who used IP address A.B.C.D at is a thief; go get them !".

Nick Brown, Strasbourg, France

  [Now, that is nice sarcasm. PGN]

------------------------------

Date: Sun, 13 Jul 2003 12:28:15 -0400
From: Monty Solomon
Subject: Walk-By Hacking

Erik Sherman, *The New York Times*, 13 Jul 2003

''We've got 12 . . . wait, 13. Another just came in!'' On the hunt for 30 seconds, Gary Morse is jazzed. We've walked about 45 feet down Avenue of the Americas in Midtown Manhattan, and he has been counting the number of chirrups coming from the speaker of his hand-held computer. Each represents potential prey: wireless networks in the offices and apartments above us. So far, we have had more than a dozen chances to sneak Internet access, reap user ID's and passwords and otherwise peer into the private affairs of individuals and businesses.

Morse is an expert -- president of Razorpoint Security Technologies Inc., a computer security consulting firm that helps companies find their weak spots and fix them -- and a self-described ''professional hacker.'' He knows dozens of tricks to ease his way into any of the networks he has found. Most users don't realize that left untended, the wireless technology that can quickly connect computers will literally broadcast every bit of transmitted information to anyone with a computer and a $40 wireless networking card.

The software package running on Morse's hand-held is called Kismet, from a Turkish-derived word meaning fate. The program uses the wireless card like a police band scanner, noting each wireless network that makes its presence known. ''I could put it in my pocket and record all the networks without anyone seeing,'' he says. The program is available to security experts and would-be hackers for a perfectly legal and free download. ...

http://www.nytimes.com/2003/07/13/magazine/13HACKING.html

------------------------------

Date: 15 Jul 2003 19:31:53 -0400
From: se@panix.com (Scott Ehrlich)
Subject: Secure eBay password changes

  [Cf. the item by Paul Festa via Monty Solomon in RISKS-22.40. PGN]
  http://catless.ncl.ac.uk/Risks/22.40.html#subj3

eBay's Web site allows for SSL (https -- i.e., secure) logins, but non-SSL (http -- i.e., insecure) password changes.

A recent visit to half.com, an eBay company, provides for SSL logins, and, to my surprise, an SSL password change screen.

I promptly changed my password using half's ssl form, logged out, then logged into eBay via SSL using my new password from half.com, and it took.

So, even if eBay doesn't change their 'Change Password' form [back] to SSL, we can still use half.com's form and do it securely.

Now watch - I say this and half.com will magically remove SSL capability from its password change form.

------------------------------

Date: Tue, 8 Jul 2003 11:58:00 -0400
From: "monty solomon"
Subject: Adobe Acrobat and PDF security: no improvements for 2 years

Software released in 2003 contains vulnerabilities disclosed in 2001
8 Jul 2003

Summary:

In early 2001, we have discovered a serious security flaw in Adobe Acrobat and Adobe Acrobat Reader. In July'2001, we've briefly described it in "eBook Security: Theory and Practice" speech on DefCon security conference. Since there was no reaction from Adobe (though Adobe representative has attended the conference), we have reported this vulnerability to CERT in September'2002 (after more than a year), still not disclosing technical details to the public. Only in March'2003, CERT Vulnerability Note (VU#549913) has been published, and after a week, Adobe has responded officially (for the first time) issuing the Vendor Statement (JSHA-5EZQGZ), promising to fix the problem in new versions of Adobe Acrobat and Adobe Reader software expected in the second quarter of 2003. When these versions became available, we have found that though some minor improvements have been made, the whole Adobe security model is still very vulnerable, and so sent a follow-up to both CERT and Adobe. Both parties failed to respond.

Full story:
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0011.html

------------------------------

Date: Tue, 8 Jul 2003 19:26:56 +0100
From: Charles Williams
Subject: Bank advises ActiveX is a security product

The Internet bank Egg has just sent me an unsolicited leaflet (EP1996 06/03) trying to induce me to sign up for its account aggregation service. Step 2 of its four-step procedure says:

"Read and accept the terms and conditions. Then download a piece of software from Microsoft, called ActiveX. This acts like a digital safe and sits on your PC protecting your password and log in details."

How many of Egg's customers have now installed ActiveX in the belief that it is a security product?

------------------------------

Date: Tue, 15 Jul 2003 14:18:36 +1000
From: Ben Low
Subject: "Complex" security -- what hope mere mortals?

The Center for the Study of Complex Systems (CSCS) at the University of Michigan appears to be staffed with competent, knowledgeable people who study "complex systems".

Yet their Computer Lab Security page at http://www.pscs.umich.edu/lab/security.html advises the user, when faced with a ssh host key change warning (potential "man in the middle" attack) to essentially ignore the warning, and to simply delete the offending key.

When a group studying "complex systems" has difficulty dealing with the issues of computer security, what hope do mere mortals hold?

------------------------------

Date: Mon, 14 Jul 2003 21:57:44 -0400
From: Monty Solomon
Subject: New Kind of Snooping Arrives at the Office (Marci Alboher Nusbaum)

Corporate executives are becoming increasingly aggressive about spying on their employees, and with good reason: now, in addition to job shirkers and office-supply thieves, they have to worry about being held accountable for the misconduct of their subordinates. Even one offensive e-mail message circulated around the office by a single employee can pose a liability risk for a company.
Not only that, but a wave of laws - including the federal Health Insurance Portability and Accountability Act of 1996 and the anticorruption and corporate-governance Sarbanes-Oxley Act of 2002 - have imposed new record-keeping and investigative burdens on companies. Not complying with some laws can result in the personal liability of officers and directors.

As a result, employers have stepped up their surveillance of employees, often using stealth techniques to peer deep into their computer use. As of 2001, more than a third of all American workers with access to computers, or 14 million in all, were being monitored in one way or another, according to the Privacy Foundation, a Denver research group; with added pressure on executives to oversee their employees' electronic activities, experts predict that those numbers will grow. ... [Source: Marci Alboher Nusbaum, *The New York Times*, 13 Jul 2003]

http://www.nytimes.com/2003/07/13/business/yourmoney/13EXLI.html

------------------------------

Date: Tue, 8 Jul 2003 19:54:58 -0400
From: "Tony Harminc"
Subject: Canada and the FTC Do Not Call list

Curious, I went to the FTC site and tried to register my Canadian home phone number. It was rejected with an uninformative error message. However the site was quite happy to accept my (also Canadian) 800 number.

This raises a blend of techno-legal issues, because it is not possible to distinguish syntactically or in any simple way between a US and Canadian 800 number, and indeed one number can terminate in multiple locations based on the caller's location, the time of day, load, etc. So what's the legal situation if I get a junk call at this number from a US telemarketer? From a non-US one? US legislators have not been shy in the past about extending the reach of their laws outside their borders. Is this legislation written clearly enough to provide a definitive answer?

The Canadian telecom regulator (the CRTC) has been mumbling about Do Not Call for some years.
Perhaps they should get together with their southern counterparts and arrange a common site and database.

On second thought, maybe they should just go for a friendlier message.

------------------------------

Date: Tue, 15 Jul 2003 10:11:13 -0700
From: Erik Klavon
Subject: Washing machine does the right thing after power outage

Readers of RISKS are no doubt familiar with some of the less than graceful ways in which technology fails in the event of a brown or black out. When the electricity to my apartment building went out recently, I thought I might experience just such a failure.

Five minutes prior to losing power, I had started a load of laundry in the shared washing machine on my floor. The laundry machines in my complex use a smart card system for payment as opposed to coins. The machines have a digital control system that displays the remaining time and the cycle on an LCD display. After power was lost I checked the machine to verify that it had lost power. No display, no noise and no overhead light in the laundry room. I figured I was out US$1.25, good for the recently increased bus fare in San Francisco.

When power was restored, I returned to the laundry room to find that the machine had restarted and was prompting me to select a cycle. It appears the designers had thought about the problem of losing power mid cycle and decided to start the cycle over after user input once power had been restored. This is the right thing when you consider a repair person who wouldn't want the machine starting by itself unexpectedly when power is restored after electrical work.

------------------------------

Date: Wed, 9 Jul 2003 22:06:16 -0400
From: Monty Solomon
Subject: Sony recalling some Vaio laptops for shock risk

Sony is recalling some Vaio FRV laptops because of a static-electric shock hazard, which can occur if and your phone rings whenever the laptop is plugged in and connected to a grounded peripheral, the phone line is disabled, and you are touching a metal part of the laptop. No injuries have been recorded, and fewer than 10 complaints. (PGN-ed from 9 Jul 2003 Reuters item)

http://finance.lycos.com/home/news/story.asp?story=34798831

------------------------------

Date: Fri, 11 Jul 2003 09:43:19 -0600
From: Thomas Wicklund
Subject: Re: "Soft walls" = dangerous avionics? (DeForest, RISKS-22.79)

The "soft walls" idea of steering planes away from restricted airspace leaves the question of what constitutes "restricted" airspace? After adding all possible terrorist targets, I can imagine a flight into a large east coast city weaving through the narrow "safe" course to the airport but leaving the airlines bankrupt paying for air sickness bags.

Of course, the airport itself is a terrorist target and should be restricted, right?

------------------------------

Date: Wed, 9 Jul 2003 19:23:05 -0400
From: Robert Woodhead
Subject: Re: "Soft walls" = dangerous avionics? (DeForest, RISKS-22.79)

> ... and it only takes one airplane with the soft-wall avionics missing or
> disabled, to defeat the purpose of the whole system.

Not to mention subverting the code so that at a particular date and time, the logic inverted and the exclusion zones became the only place where the airplanes would fly...

------------------------------

Date: Tue, 08 Jul 2003 22:53:41 -0700
From: Crispin Cowan
Subject: Re: RFID Site Security Gaffe ... (Solomon, RISKS-22.79)

Hmmm ... How well do RFID embedded chips survive exposure to stun guns, cattle prods or other colorful toys?
http://www.violetwands.com/entrance.html

I'm not above wanding my groceries with some high voltage to preserve some privacy. Chips can be hardened, but radio chips would seem to be more difficult to harden against high voltage.

Crispin Cowan, Ph.D. http://immunix.com/~crispin/
Chief Scientist, Immunix http://immunix.com
http://www.immunix.com/shop/

------------------------------

Date: Sun, 13 Jul 2003 15:26:31 +0200
From: "Josef Janko"
Subject: Re: The risks of assuming things: German payrolls (DWW, RISKS-22.79)

It must be a wonderful picture imagining how thousands of software developers delay their vacations to provide a poor public servant like DWW with her paycheck in time...

However, recalling my experience with the Berlin local government, the reality is not so dramatic. The payment system now is not more "wacky" than it was 28 years ago, when I first came into contact with it. Every year the government and the unions have "concocted" changes like these, and without a word the additional money has been paid one, two, or even three months later.

So where is the problem, the reason for this outburst? The problem is, that for the first time after WW II in Germany public servants have to work more and get less for that - from my point of view only a fair deal under the circumstance that their jobs are guaranteed. It is not a problem of IT: it is a problem of perception - being forced to face the reality outside the ivory tower.

------------------------------

Date: Tue, 15 Jul 2003 07:59:12 -0800
From: Rob Slade
Subject: REVIEW: "Computer and Intrusion Forensics", George Mohay et al.

BKCMINFO.RVW 20030605

"Computer and Intrusion Forensics", George Mohay et al., 2003, 1-58053-369-8, U$79.00
%A George Mohay
%A Alison Anderson
%A Byron Collie
%A Olivier de Vel
%A Rodney McKemmish
%C 685 Canton St., Norwood, MA 02062
%D 2003
%G 1-58053-369-8
%I Artech House/Horizon
%O U$79.00 800-225-9977 fax: +1-617-769-6334 artech@artech-house.com
%O http://www.amazon.com/exec/obidos/ASIN/1580533698/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/1580533698/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/1580533698/robsladesin03-20
%P 395 p.
%T "Computer and Intrusion Forensics"

The traditional data recovery aspect of computer forensics has been covered by Kruse and Heiser in "Computer Forensics" (cf. BKCMPFRN.RVW), and by Caloyannides in "Computer Forensics and Privacy" (cf. BKCMFRPR.RVW) (and somewhat less ably by Casey [cf. BKCMCRIN.RVW], Kovacich and Boni [cf. BKHTCRIH.RVW], Icove, Seger, and VonStorch [cf. BKCMPCRM.RVW], Marcella and Greenfield [cf. BKCYBFOR.RVW], van Wyk and Forno [cf. BKINCRES.RVW], and Mandia and Prosise [cf. BKINCDRS.RVW]). So far network forensics has only been specifically dealt with in the not-terribly-useful "Hacker's Challenge," by Schiffman (cf. BKHKRCHL.RVW). "Computer and Intrusion Forensics" is the first attempt to bring both topics into a single book. (It is intriguing to note that Eugene Spafford, who wrote the foreword, is a pioneer of the "third leg": software forensics, which the book does not cover.)

Chapter one is an introduction to computer and network (intrusion) forensics, pointing out the ways that computers can be involved in the commission of crimes and the requirements for obtaining and preserving evidence in such cases. While the material provides a good foundation, the text is inflated in many places, and could benefit from stricter adherence to the topic and more focused writing.
(One illustration shows a pattern of concentric rings indicating that the set of productive activities encompasses all legal endeavors which, in turn, encompasses all approved actions. I suspect that a great many legal and even approved activities are unproductive--while no doubt a number of illegal activities would be approved, at times.)

"Current Practice," in chapter two, is a broad overview of the concerns, technologies, applications, procedures, and legislation bearing on digital evidence recovery from computers. In fact, this single chapter is the equivalent of, and sometimes superior to, a number of the computer forensics books mentioned above. However, the breadth of the discussion does come at the expense of depth. This content is quite suitable for the information security, or even legal, professional who needs to understand the field of computer forensics, but it does not have the detail that a practitioner may require.

Although chapter three is supposed to deal with computer forensics in law enforcement (and there is a brief section on the rules of evidence), it is primarily a reiteration (and some expansion) of the procedures for data recovery and the software tools available for this task.

Forensic accounting, and the algorithms that can be used to detect fraud, are outlined in chapter four, but very little is directly relevant to computer forensics as such. Case studies, demonstrating the techniques discussed earlier and some that are not, are described in chapter five. Intrusion forensics concentrates on intrusion detection systems (IDS), although it does not provide a very clear or complete explanation of the distinctions in data collection (host- or network-based) or analysis engines (rule, signature, anomaly, or statistical). Chapter seven finishes off the book with a list of computer forensic research which is being, or should be, undertaken.

While the computer forensic content is sound, and it is heartening to see other fields being included, the very limited work on network forensics is disappointing. This text is a useful reference for those needing background material on forensic technologies, but breaks no new ground.

copyright Robert M. Slade, 2003 BKCMINFO.RVW 20030605

rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

------------------------------

Date: 30 May 2003 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, send e-mail requests to with one-line body
   subscribe [OR unsubscribe]
 which requires your ANSWERing confirmation to majordomo@CSL.sri.com . If Majordomo balks when you send your accept, please forward to risks. [If E-mail address differs from FROM: subscribe "other-address " ; this requires PGN's intervention -- but hinders spamming subscriptions, etc.] Lower-case only in address may get around a confirmation match glitch.
   INFO [for unabridged version of RISKS information]
 There seems to be an occasional glitch in the confirmation process, in which case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
 .UK users should contact .
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail!
=> The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from
   http://www.CSL.sri.com/risksinfo.html
   ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES: http://www.sri.com/risks
 http://www.risks.org redirects you to the Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]
 Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r
 http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
 http://www.planetmirror.com/pub/risks/
 ftp://ftp.planetmirror.com/pub/risks/
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
 http://www.csl.sri.com/illustrative.html for browsing,
 http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 22.80
************************