[risks] Risks Digest 21.39

From: RISKS List Owner (riskoat_private)
Date: Fri May 11 2001 - 16:40:43 PDT

  • Next message: RISKS List Owner: "[risks] Risks Digest 21.40"

    RISKS-LIST: Risks-Forum Digest  Friday 11 May 2001  Volume 21 : Issue 39
    
       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
    
    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/21.39.html>
    and by anonymous ftp at ftp.sri.com, cd risks .
    
      Contents:
    U.S. Air Force blasts Outlook security patch (Yves Bellefeuille)
    Univ. Virginia prof uses computer to catch cheaters (Richard Kaszeta)
    Potential timestamp overflow on 9 Sep 2001 (Don Stokes)
    Excel-lent leaks (Christophe Augier)
    Foolish wireless network access policies and spam engines (Thor Lancelot Simon)
    Cops say teen concocted radio calls (Steve Hutto)
    The RISKS spam crossover has finally taken place! (RISKS)
    DMV screws up on licenses (PGN)
    To drive or to avoid identity theft: mutually exclusive? (Brett Glass)
    Re: Recording industry threatens researcher (Douglas W. Jones)
    16th Annual Software Engineering Symposium 2001 (Carol Biesecker)
    Abridged info on RISKS (comp.risks)
    
    ----------------------------------------------------------------------
    
    Date: Fri, 04 May 2001 17:28:25 -0400
    From: yanat_private (Yves Bellefeuille)
    Subject: U.S. Air Force blasts Outlook security patch
    
    A paper, "Reinforcing dialog-based security," by Martin Carlisle and Scott
    Studer, of the US Air Force Academy Computer Science Department, is to be
    presented on 5 Jun 2001 at the IEEE Systems, Man, and Cybernetics
    Information Assurance Workshop in West Point, NY, sponsored by NSA.  The
    paper criticizes the Outlook 2000 SR-1 E-mail Security update [RISKS-21.36],
    developed in response to the I Love You virus to block certain types of
    attachments.  
    
      [Source: *Infoworld* Article by Sumner Lemon, PGN-ed. Thanks also to Monty
      Solomon. http://www.infoworld.com/articles/hn/xml/01/05/04/010504hnairf.xml]
    
    ------------------------------
    
    Date: Tue, 8 May 2001 11:01:03 -0500 (CDT)
    From: Richard Kaszeta <kaszetaat_private>
    Subject: U. Virginia prof uses computer to catch cheaters
    
    The latest Wired News includes an article that discusses how a University of
    Virginia professor nabbed 122 students for plagiarism using a computer
    program he wrote himself.  The program basically compares papers and looks
    for phrases shared between papers.  Using this technique, the professor
    caught 122 of 500 students in his class cheating.  All the students caught
    were referred to the schools Honor committee.
      (http://www.wired.com/news/school/0,1383,43561,00.html) 
    
    As a seasoned systems administrator in a college department and former
    student myself, I know that in a college environment, the efforts to which
    some students will go to cheat show an astonishing amount of
    creativity---breaking into accounts, exploiting lack of permission control
    on other users' accounts, searching through the recycle bins, etc.  The use
    of technology in this environment has made cheating easier, and harder to
    trace.
    
    The risk is that some of the students are probably innocent, merely being
    guilty of having their own papers copied without their knowledge.  Indeed,
    some of the students claim towards the end of the article that exactly that
    has happened.
    
    Unfortunately, the technology of online composition and submission of papers
    (as typically done at most Universities) lacks sufficient security,
    encryption, and authentication standards.
    
    Richard W Kaszeta, Engineer, University of MN, ME Dept
    richat_private  http://www.kaszeta.org/rich
    
    ------------------------------
    
    Date: Mon, 07 May 2001 01:46:08 +1200
    From: Don Stokes <donat_private>
    Subject: Potential timestamp overflow on 9 Sep 2001
    
    In case no-one else has noticed ...
    
    On 9 Sep 2001, at 1:46:40 UTC, the Unix time_t value (the number of seconds
    since the 1st of January 1970 0:0:0 UTC) ticks over from 999999999 to
    1000000000, thereby moving from being a nine digit decimal number (as it has
    been since 1973) to a ten-digit number.
    
    Anyone storing decimal time_t values into a nine-digit field is going to
    have an interesting problem on that date. 
    
    ------------------------------
    
    Date: Fri, 4 May 2001 09:14:05 -0400
    From: "Christophe Augier" <augierat_private>
    Subject: Excel-lent leaks
    
    This amusing story was told to me by a friend, whose company name will stay
    hidden.  Once upon a time, there was a sales director in a big spirit and
    wines company. This person managed the whole team for a big European
    country. One day she had to take the decision of laying off a high position
    salesman, working for this company since years. Because of the turmoil
    generated inside the team by this firing, she wanted to set the organization
    changes, and she made a new Org-chart and asked her administrative assistant
    to forward the file to all the sales team.  
    
    Well... Everything looks fine, since you don't know yet that the new
    org-chart was made on an Excel Book. "Book" means several sheets... So, what
    was distributed to the whole team?....
    
    Sheet 1 : The Org-chart : ok. At least THAT was good.
    Sheet 2 : All the names of the salesman for the whole country, their salary,
      and appreciation commentaries (kind off:"this guy will never succeed / 
      he is a burden") and raises projection. By the way, with a good raise 
      projection for herself :)
    Sheet 3 : A road-map to lay off the old salesman. all the information,
      dates, argumentation needed to get rid of him.
    
    Isn't that nice?
    
    Conclusion : A nightmare ! all the guys with a bad appreciation went postal
    (one guy from the south realized that his "sibling" of the north was making
    double money for the same work & results, etc...). I guess they should have
    had a lot of resignation...  And a friend of the fired salesman forwarded
    the mail to him, giving him good material for the lawsuit he was engaging
    against the company.
    
    The risks?  When you don't know how to use Excel or any software : don't use
    it for critical information !  When you send an e-mail : watch out what you
    are sending !
    
    ------------------------------
    
    Date: 3 May 2001 20:53:30 -0400
    From: tlsat_private (Thor Lancelot Simon)
    Subject: Foolish wireless network access policies and spam engines
    
    A local university has deployed a large 802.11 wireless network without WEP
    or any other security measure.  Given the complexity of distributing WEP
    keys to huge numbers of students, faculty, and staff, not to mention the
    need for periodic changes, and the notorious insecurity of WEP itself, this
    might seem to be a reasonable choice.  They have decided to provide public
    access to their IP connectivity for those within radio range of their campus
    rather than tackle the very significant issues associated with restricting
    access.
    
    The RISK?  Their campus mail-handling machines will relay mail to any inside
    or outside destination if it's received from an address "inside" their
    campus network.  The network architecture they've chosen for their wireless
    deployment dictates that anyone can walk onto their (large, urban) campus,
    or even just park his car outside, and spam away freely with hundreds of
    megabits per second of bandwidth to most points on the Internet.
    
    Basically, their entire campus just became a "safe harbor" for anyone owning
    a laptop and wireless card to do nefarious things to outside hosts with,
    essentially, perfect, impenetrable anonymity.  There's not even a billing
    record for a throwaway dialup account to trace back; just a MAC address that
    can be trivially changed and the knowledge that it was used *somewhere* on
    their campus to do Bad Things at some point in the past.
    
    Thor Lancelot Simon <tlsat_private>
    
    ------------------------------
    
    Date: Fri, 11 May 2001 12:07:04 -0600 (MDT)
    From: Steve Hutto <shuttoat_private>
    Subject: Cops say teen concocted radio calls
    
    *Rocky Mountain News*, 11 May 2001 (excerpt)
    http://rockymountainnews.com/drmn/local/article/0,1299,DRMN_15_455095,00.html
    
    "A 16-year-old boy using a handheld radio and a computer allegedly sent Denver 
    police cruisers and a helicopter to fake emergencies and called officers off 
    legitimate 911 calls for more than a month before getting caught.
    
    Police said Thursday that the teen managed to hack into the department's 
    computer-controlled radio system, program his radio to transmit on the 
    department's frequency from his Southwest Denver home and then took on the 
    alias of Jerry Martinez, a fictitious Denver police officer."
    
    The teen enjoyed chatting with police helicopters flying overhead as well as 
    reporting non-existent emergencies and accidents.
    
    Eventually, police dispatchers caught on.  When he called requesting
    license-plate information, they kept him talking for an hour and a half while
    the FCC physically located him using "special equipment".  The final straw
    came a couple days later when an informant talked him into modifying another
    radio to transmit on police frequencies.  The teen was charged with a dozen 
    misdemeanors and a dozen felonies.
    
    The best part of the story is near the end:
    
    "Police have not determined how the teen allegedly hacked into their radio 
    system. The police department's emergency radio system uses two sets of 
    security identification codes and a computer to prevent unauthorized access."
    
    Considering all the possible risks here is a scary proposition, especially
    if used judiciously by someone with a bit more restraint.
    
    -Steve Hutto
    
    ------------------------------
    
    Date: Wed, 2 May 2001 16:31:28 PDT
    From: RISKS List Owner <riskoat_private>
    Subject: The RISKS spam crossover has finally taken place!
    
    Subsequent to the posting of RISKS-21.35, for the very first time in our
    almost 16 years of RISKS issues, the number of spam e-mail messages has
    exceeded 50% of all RISKS e-mail (despite filtering by our incoming mail
    systems).  This is an extremely unfortunate happening, because I first have
    to filter out and delete all the e-junk before I can even hope to ferret out
    the good stuff that you are faithfully submitting.  Also noteworthy is that
    the volume of legitimate contributions continues to increase (which is
    wonderful because more of you are responding, but is sad because I cannot
    include everything)...
    
    I hate to recommend draconian anti-spam measures, but the problem is clearly
    out of control.  We are of course opposed to short-sighted legislation and
    censorship -- especially if it overzealously filters out desired e-mail.
    Perhaps it is time to implement some radical techniques such as that
    described in a 1992 paper by Cynthia Dwork and Moni Naor, Pricing Via
    Processing Or Combatting Junkmail, Proc. Crypto 1992, LNCS 740.
    
    PGN
    
    ------------------------------
    
    Date: Fri, 11 May 2001 07:58:14 -0700 (PDT)
    From: "Peter G. Neumann" <Neumannat_private>
    Subject: DMV screws up on licenses
    
      [TNX to KFWB item from Lauren Weinstein]
    
    DMV Sends Licenses To Wrong Addresses 
    
    California's Department of Motor Vehicles has mailed as many as 3,000
    driver's licenses to the wrong addresses due to a malfunction in an
    8-year-old sorting machine that processes more than 7 million licenses and
    ID cards every year.  DMV officials say they will retire the machine.
    
    It is unclear exactly how many licenses were erroneously mailed.  There are
    202 confirmed errors so far, but officials expect more.
    
    Officials say they are not concerned about the stray licenses. They are
    asking those who receive a license that does not belong to them to return
    it. Those who do not could face criminal charges.
    
    For the actual license owners, the DMV will issue a new license number upon
    request to prevent identity theft.
    
    Motorists with questions should call DMV's information line at
    1-800-777-0133. 
    
    ------------------------------
    
    Date: Fri, 11 May 2001 09:36:11 -0600
    From: Brett Glass <brettat_private>
    Subject: To drive or to avoid identity theft: mutually exclusive?
    
    This February, my driver's license came up for renewal -- a fairly ordinary
    event. I expected to wait briefly at the local Department of Transportation
    office, take an eye test, have an unflattering photo taken, and be on my way
    in short order. Alas, it was not to be. When I submitted the renewal form, I
    was shocked and dismayed to discover that the clerk would not renew my
    license unless I placed my Social Security number on it. There was no
    Privacy Act notice on the form (as required by the 1974 Privacy Act), so I
    asked the clerk why she believed she could to demand my Social Security
    number -- and refuse me a license if I did not supply it.
    
    What I found out was chilling. Not only does Federal Law -- thanks to the
    striking of a single word from a huge statute -- require that drivers submit
    their Social Security numbers when applying for licenses. It also requires
    that all of the information maintained about a driver by a state --
    including that number -- be revealed to virtually all comers. Here are the
    details of these onerous laws, along with additional information about the
    laws in my particular state (which are typical of state laws throughout the
    country). I'll also describe the way in which one state is fighting the
    Federal laws that would require it to compromise its citizens' privacy and
    subject them to trivially easy identity theft.
    
    Requirement for Collection
    
    Very recently, welfare reform legislation changed Federal law to require
    that states collect all citizens' Social Security numbers when they apply
    for driver's licenses. (Earlier versions of the law only required it if one
    applied for a *commercial* driver's license, on the theory that one could
    threaten a deadbeat parent's livelihood if he or she required that license
    to work.) But a subtle amendment, slipped in just recently, struck the word
    "commercial," requiring the SSN to be collected from all applicants. The
    ironically numbered passage at 42 USC 666(a) (see
    http://www4.law.cornell.edu/uscode/42/666.html) says:
    
    >(13) Recording of social security numbers in certain family matters. - 
    >Procedures requiring that the social security number of -
    >
    >    (A) any applicant for a professional license, driver's
    >    license, occupational license, recreational license, or
    >    marriage license be recorded on the application;
    >
    >    (B) any individual who is subject to a divorce decree,
    >    support order, or paternity determination or acknowledgment be
    >    placed in the records relating to the matter; and
    >
    >    (C) any individual who has died be placed in the records
    >    relating to the death and be recorded on the death certificate.
    >    For purposes of subparagraph (A), if a State allows the use of a
    >    number other than the social security number to be used on the
    >    face of the document while the social security number is kept on
    >    file at the agency, the State shall so advise any applicants.
    
    Note that while a different number may be used on the "face" of some
    licenses, the state must still collect the Social Security number. Also note
    that many of the items mentioned above are public records which can be
    accessed by all comers (in some cases, due to open record laws such as
    Wyoming's).
    
    Requirement to Disseminate
    
    The requirement that states disseminate Social Security Numbers it has
    collected comes from a law misleadingly titled the "Drivers' Privacy
    Protection Act." This law did in fact start out as a law to protect drivers'
    privacy, but due to amendments promoted by monied lobbyists it has just the
    opposite effect. (It is said, justifiably, that the law should really be
    called the "Drivers' Privacy Prevention Act.")
    
    The law is reproduced on the Web at
      http://www.networkusa.org/fingerprint/page1b/fp-dmv-records-18-usc-123.html
    
    Note that this law makes ALL of the information you submit to your state's
    DMV/DOT available to *anyone* who claims that it's needed for any business
    purpose. If I wanted your driving records and SSN, all I'd have to do is
    walk into the courthouse and claim that you owed me a dollar.
    
    The DPPA was challenged by the Alabama Attorney General on states' rights 
    grounds and was ruled unconstitutional by a Federal district court:
    
    http://www.networkusa.org/fingerprint/page1b/fp-dppa-al-appeal.html
    
    However, the US Supreme Court, in a chilling ruling that dubbed our 
    personal information "items in interstate commerce" and therefore subject 
    to Congressional control under the Commerce Clause, reversed the Circuit Court:
    
    http://caselaw.lp.findlaw.com/cgi-bin/getcase.pl
      ?court=US&navby=case&vol=000&invol=98-1464  [SPLIT URL]
    
    In retrospect, challenging the law on the basis of states' rights was
    probably a big mistake. The Alabama AG might have had better success had he
    cited the right to personal privacy delineated in Griswold v. Connecticut.
    
    State SSN Requirements And Public Records Acts
    
    The laws of many states also mandate the collection of Social Security 
    numbers -- and make the forms containing those numbers public records. I 
    live in Wyoming, and this is the case in my state. (The details of the 
    laws are instructive because they are similar to those in other states; 
    however, if you're uninterested in the specifics, you may want to skip 
    down to the heading "Michigan's Challenge" to learn more about a recent 
    challenge to the Federal laws.)
    
    Wyoming law, at W.S. 31-7-111 (b) ("W.S." = "Wyoming Statutes"), 
    describes the information required on a driver's license application:
    
    >(b)  The application shall include:
    >
    >     (i)  The full legal name and current mailing and residential 
    > address of the
    >          person;
    >
    >     (ii)  A physical description of the person including sex, height 
    > and weight;
    >
    >     (iii)  Date of birth;
    >
    >     (iv)  The person's social security number or other numbers or letters
    >           deemed appropriate on applications for instruction permits,
    >           driver's licenses, commercial driver's licenses and
    >           commercial driver instruction permits;
    
    Note that the statute does provide for an alternative; however, the 
    phrase "deemed appropriate" (By whom? What is the standard of propriety?) 
    is vague. The clerk said that she, at least, deemed no other numbers or 
    letters to be "appropriate."
    
    The law also requires the state to keep the application on file even 
    after it is processed. According to W.S. 31-7-120,
    
    >31-7-120.  Records to be kept by division; exception.
    >
    >  (a)  The division shall maintain a readily available file of and 
    > suitable indexes for:
    >
    >     (i)  All license applications denied with the reasons for denial 
    > noted thereon;
    >
    >     (ii)  All applications granted;
    >
    >     (iii)  Every licensee whose license has been suspended or revoked 
    > and the reasons
    >            for the action;
    >
    >     (iv)  All accident reports and abstracts of court records of convictions
    >           received under the laws of this state with suitable notations for
    >           each licensee showing the convictions of the licensee and the 
    > traffic
    >           accidents in which he has been involved.
    
    What's more, the application is, according to the state's open records 
    law, a public record that anyone may access. According to W.S. 16-4-201(a)(v),
    
    >(v)  "Public records" when not otherwise specified includes the original 
    >and copies of any paper, correspondence, form, book, photograph, 
    >photostat, film, microfilm, sound recording, map drawing or other 
    >document, regardless of physical form or characteristics that have been 
    >made by the state of Wyoming and any counties, municipalities and 
    >political subdivisions thereof and by any agencies of the state, 
    >counties, municipalities and political subdivisions thereof, or received 
    >by them in connection with the transaction of public business, except 
    >those privileged or confidential by law;
    
    Needless to say, an open records law would be meaningless if a government 
    agency were allowed to censor the records on its own initiative before 
    revealing them! So, if the Social Security number were to be redacted, 
    the Department of Transportation would have to be specifically authorized 
    by law to do it. Alas, as in most states, there appears to be no Wyoming 
    statute declaring the form -- or the information on it, including the 
    Social Security number -- to be privileged or confidential. Worse still, 
    any such declaration would arguably be overridden by the Federal statute.
    
    Wyoming Violates the Privacy Act
    
    The Wyoming Department of Transportation (WYDOT) also violates the 
    Federal Privacy Act by failing to place a Privacy Act Notice on its 
    driver's license applications. 5 U.S.C. § 552a note (1982) (see 
    http://www.usdoj.gov/foia/privstat.htm), also called the Privacy Act of 
    1974, provides that:
    
    >(b) Any Federal, State or local government agency which requests an
    >individual to disclose his social security account number shall inform
    >that individual whether that disclosure is mandatory or voluntary, by what
    >statutory or other authority such number is solicited, and what uses will
    >be made of it.
    
    Without a Privacy Act notice (which does *not* appear on the current 
    application), WYDOT is not permitted to collect Social Security numbers 
    whether there is a Federal requirement for it to do so or not. This was 
    affirmed in Gredinger v. Davis (see 
    http://www.networkusa.org/fingerprint/page2/fp-ssn-davis.html). 
    Nonetheless, the state's Department of Transportation refuses to issue 
    the license based on an otherwise complete application.
    
    Michigan's Challenge
    
    The Michigan Secretary of State is challenging the Federal laws that, 
    together, require collection and disclosure of Social Security numbers. 
    The two press releases at
    
    http://www.sos.state.mi.us/pressrel/active/010227-1n.html
    
    and
    
    http://www.sos.state.mi.us/pressrel/active/010104-1n.html
    
    describe the progress of the case.
    
    When the Federal law was modified to encompass all drivers' licenses, it 
    was claimed by overzealous legislators that the change was necessary to 
    collect drivers' Social Security numbers to pursue deadbeat parents. The 
    Michigan Secretary of State, however, says that it would actually make 
    their system LESS effective, not more, because of the actual logistics of 
    tracking deadbeat parents. In the second press release cited above, her 
    office wrote:
    
    >Secretary Miller argued in her exemption requests that the collection of 
    >Social Security numbers would violate the strong interest her department 
    >has in protecting customer privacy.  The process would be expensive and 
    >counterproductive to measures already in place by the state to track 
    >those owing child support.  It was also noted that in addition to being 
    >an unfunded federal mandate, the law raises questions about its ability 
    >to protect the welfare of Michigan children.
    >
    >This federal law applies only to citizens with driver licenses, which 
    >severely limits the ability to locate deadbeat parents. Consequently in 
    >Michigan, more than four million people would be overlooked because the 
    >databases containing records of suspended drivers, state identification 
    >card holders and those on the Qualified Voter File would be excluded 
    >from any search.
    >
    >Currently, the Michigan Family Independence Agency (FIA) conducts 
    >searches of all Secretary of State databases for deadbeat parents using 
    >a name, or even part of a name.  It is successful in obtaining 
    >identification 90 percent of the time, according to figures from FIA and 
    >the Secretary of State. The Secretary of State estimates that the 
    >success rate would drop to about 60 percent under the federal law 
    >primarily because searches would be limited to only residents with 
    >driver licenses. Other problems with the federal law identified by 
    >Secretary Miller include:
    >
    >* States would not be required to verify the Social Security numbers 
    >collected by their Department of Motor Vehicles or Secretary of State 
    >offices are correct.
    >
    >* The law represents a significant duplication of effort because both 
    >the Internal Revenue Service and Michigan Department of Treasury already 
    >have databases of Social Security numbers.
    >
    >* The law places the majority at risk for possible misuse of their 
    >Social Security numbers and identity fraud in attempts to target a 
    >minority guilty of delinquent child support payments.
    
    Unfortunately, because the suit is being brought in only one Federal 
    district, a ruling in favor of the Michigan Secretary of State would not 
    be binding in the rest of the country.
    
    My Status
    
    Deb Ornelas, an administrator at the Wyoming Department of 
    Transportation, insists that I submit my Social Security number in order 
    to keep my license. She says that she believes that her hands are tied by 
    both state and Federal law. Indeed, due to a lack of vigilance by 
    legislators and citizens, they may well be unless the law is challenged 
    and that challenge is successful. Thus, I may need to decide between the 
    risk of trivially easy identity theft or loss of my right to drive.
    
    Suggestions regarding how to proceed, and help in starting an initiative 
    to have the Federal laws changed, would be greatly appreciated.
    
    --Brett Glass
    
    ------------------------------
    
    Date: Fri, 4 May 2001 11:00:07 -0500 (CDT)
    From: "Douglas W. Jones" <jonesat_private>
    Subject: Re: Recording industry threatens researcher (RISKS-21.37)
    
    I cannot avoid suggesting an analogy (in the spirit of the analogy
    fest cited in the previous item in the same Risks Digest):
    
    If I present a paper about the construction of a gun, nobody threatens to
    sue me.  In fact, if I possess a gun, I am protected by the second
    amendment.  My right to talk about and possess guns is unlimited.  Only my
    use of guns to injure or kill is regulated by law.
    
    If, on the other hand, I wish to present a paper describing the weakness of
    a commercial encryption product, where that weakness could be used to
    violate a copyright law, my first ammendment right to free speech is
    irrelevant.  Discussion of the weakness itself is forbidden, without regard
    to whether I construct a mechanism to exploit that weakness and without
    regard to whether I actually injure the interests of a copyright holder.
    
    We can conclude from this that the second ammendment is far stronger than
    the first ammendment, or that the interests of copyright holders are far
    more important than the right to life of potential shooting victims.
    
    It is ironic that the entertainment industry is directly behind this
    round of attacks on the first ammendment!
    
    Doug Jones <jonesat_private>
    
    PS: http://www.cs.uiowa.edu/~jones/compress/#intro contains, in the
    solution to machine problem 3, the source code of a program that I
    believe would violate the DMCA if anyone were stupid enough to use
    a ROTn Caesar cypher to protect a copyrighted work (distributing the
    work in ROTn encrypted form, and selling the value of n to to
    customers).  This program finds n for almost any ROTn encrypted
    English text.
    
    ------------------------------
    
    Date: Mon, 7 May 2001 19:30:22 +0000 (UTC)
    From: cbat_private (Carol Biesecker)
    Subject: 16th Annual Software Engineering Symposium 2001
    
    Catalysts for Improving Acquisition and Development of 
      Software-Intensive Systems
    
    SEI 16th Annual Software Engineering Symposium 2001
    15 -- 18 Oct 2001 
    Grand Hyatt at Washington Center, Washington, D.C.
    
    For more information about the Symposium, contact
    Symposium 2001 Conference Coordinator
    Phone:   412 / 268-3007
    FAX:   412 / 268-5556
    E-mail: symposiumat_private
    
    ------------------------------
    
    Date: 12 Feb 2001 (LAST-MODIFIED)
    From: RISKS-requestat_private
    Subject: Abridged info on RISKS (comp.risks)
    
     The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) 
     if possible and convenient for you.  Alternatively, via majordomo, 
     SEND DIRECT E-MAIL REQUESTS to <risks-requestat_private> with one-line, 
       SUBSCRIBE (or UNSUBSCRIBE) 
     which now requires confirmation to majordomoat_private (not to risks-owner)
     [with option of E-mail address if not the same as FROM: on the same line,
     which requires PGN's intervention -- to block spamming subscriptions, etc.] or
       INFO     [for unabridged version of RISKS information]
     .MIL users should contact <risks-requestat_private> (Dennis Rears).
     .UK users should contact <Lindsay.Marshallat_private>.
    => The INFO file (submissions, default disclaimers, archive sites, 
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues.  *** All 
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risksat_private with meaningful SUBJECT: line.
    => ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
       [volume-summary issues are in risks-*.00]
       [back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
     http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
       Lindsay Marshall has also added to the Newcastle catless site a 
       palmtop version of the most recent RISKS issue and a WAP version that
       works for many but not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing, 
        http://www.csl.sri.com/illustrative.pdf or .ps for printing
    
    ------------------------------
    
    End of RISKS-FORUM Digest 21.39
    ************************
    



    This archive was generated by hypermail 2b30 : Fri May 11 2001 - 17:15:07 PDT