[risks] Risks Digest 21.42

From: RISKS List Owner (riskoat_private)
Date: Fri May 25 2001 - 16:24:00 PDT


    RISKS-LIST: Risks-Forum Digest  Friday 25 May 2001  Volume 21 : Issue 42
    
       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
    
    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/21.42.html>
    and by anonymous ftp at ftp.sri.com, cd risks .
    
      Contents:
    Thought-provoking book on software: David Parnas (Jim Horning)
    Software Engineering, Dijkstra, and Hippocrates (Michael L. Cook)
    Lost train (Debora Weber-Wulff)
    Aimster vs. the recording industry (NewsScan)
    Converting Pi to binary: DON'T DO IT! (Keith F. Lynch via Russ Perry Jr.)
    ``The Wind Done Gone'' ban done gone -- with abandon, gone (PGN)
    FBI arrests dozens for Internet fraud (NewsScan)
    What they know or don't know about you! (Monty Solomon)
    EU considers retaining *all* telecom traffic (Dave Weingart)
    CERT subjected to "just another attack" (NewsScan)
    Great DoS attack for cell phones (Robert Moskowitz)
    Office XP modifies what you type: Peter Deegan in Woodyswatch 
      (via Jonathan Arnold)
    Weatherbug (James Garrison)
    37% of programs used in business are pirated (NewsScan)
    Abridged info on RISKS (comp.risks)
    
    ----------------------------------------------------------------------
    
    Date: Fri, 25 May 2001 15:20:48 -0700
    From: Jim Horning <horningat_private>
    Subject: Thought-provoking book on software: David Parnas
    
    Despite a half-century of practice, a distressingly large portion of today's
    software is over budget, behind schedule, bloated, and buggy.
    
    To those who wonder why, and whether anything can be done about it, I have
    long recommended the book The Mythical Man-Month, by Frederick P. Brooks, Jr.
      http://www.amazon.com/exec/obidos/ASIN/0201835959/
    This book has stayed continuously in print since 1975, and remained
    remarkably relevant.
    
    Now there is another book I would put beside it.  A little more technical
    and less management-oriented, but equally thought-provoking.  It is Software
    Fundamentals: Collected Papers by David L Parnas, Daniel M. Hoffman and
    David M. Weiss (eds.), Foreword by Jon Bentley:
      http://www.amazon.com/exec/obidos/ASIN/0201703696/
    
    Parnas has been writing seminal and provocative papers about software and
    software development for more than 30 years, and this book collects more
    than 30 of them.  It includes well-known classics such as "On the Criteria
    to Be Used in Decomposing Systems into Modules," "On a 'Buzzword':
    Hierarchical Structure," "On the Design and Development of Program
    Families," "Designing Software for Ease of Extension and Contraction," "A
    Rational Design Process: How and Why to Fake It," and "Software Engineering:
    An Unconsummated Marriage."  It also has some lesser-known gems, such as
    "Who Taught Me About Software Engineering Research?", "Active Design
    Reviews: Principles and Practices," and "Software Aging."
    
    Browsing or reading this book, I think you'll be struck with how much of
    today's "conventional wisdom" about software was introduced (or championed
    very early) by Dave, and by how many of his good ideas have still not made
    their way into current practice.  (Why?)
    
    Parnas isn't always right, but he's never dull.  One of the most valuable
    things to do with this book is to pick something he says that you disagree
    with, and try to construct a convincing argument that he's wrong -- you'll
    probably find it harder than you expect, and you'll almost surely learn
    something valuable.
    
    Jim H.
    
    PS.  Truth in advertising: I wrote introductions for two of the papers, but
    I don't get royalties.
    
    ------------------------------
    
    Date: Mon, 14 May 2001 17:58:35 -0500
    From: "Michael L. Cook" <MLCookat_private>
    Subject: Software Engineering, Dijkstra, and Hippocrates
    
    The March 2001 issue of the *Communications of the ACM* contains an
    article by Edsger Dijkstra called "The End of Computing Science?"
    
    In it, he states "I would therefore like to posit that computing's central
    challenge 'How not to make a mess of it,' has *not* been met."
    
    As many of the RISKS entries have shown, application and other developers
    have certainly made a mess of things at times, often of Laurel and Hardy
    proportions ("That's another fine mess you've got us into."), and worse.
    
    If/when Software Engineering becomes a fully licensed profession, perhaps
    part of the code of ethics should be similar to the intent of part of the
    Hippocratic Oath, "First, do no harm".  This is a paraphrase of the statement
    "The health and life of my patient will be my first consideration" which
    is from the World Medical Association's "Declaration of Geneva" of 1948.
    
    Or, as colleague Glen McCort once said in a meeting, "Don't do anything
    really stupid."
    
    Michael Cook
    
      [There is a big difference between Hippocrates and Hypocrites.
      In particular, there are quite a few Hypocrites who claim they are 
      "Software Engineers" but nonetheless write extremely riskful software.  PGN]
    
    ------------------------------
    
    Date: Wed, 16 May 2001 22:38:54 +0200
    From: Debora Weber-Wulff <weberwu@fhtw-berlin.de>
    Subject: Lost train
    
    I was in Chur in Switzerland last week and read the sad story of the lost
    train in the local newspaper. They were having trouble with a train that had
    to be diverted because of technical troubles along the line. Someone made a
    mistake while entering in the departure times in their tracking system. The
    system complained, something along the lines of: "You can't enter a
    departure time that has already passed", but someone pushed "do it anyway",
    and somehow managed to get the train sent off.  They called, manually, each
    station along the (beautiful and scenic) route to Chur to let them know that
    the train was coming. No problem, except that someone forgot to tell the
    penultimate stationmaster. Since he did not know the train was coming, he
    dispatched the last little train of the evening off to the skiing resort
    Davos, and was packing up his things to go home when the train came into his
    station.  Imagine his shock! There were still 5 passengers on the train that
    wanted to get home. Apparently it took quite a lot of discussion before
    everyone managed to get a taxi home, courtesy of the Swiss National Train
    Company.
    
    Just goes to show you: If people think they have entered in something
    correctly, no amount of error messages will convince them otherwise.
    
    Prof. Dr. Debora Weber-Wulff, FHTW Berlin, FB 4, Treskowallee 8, 10313 Berlin
    GERMANY  +49-30-5019-2320  http://www.f4.fhtw-berlin.de/people/weberwu/
    
      [Not quite Chur-noble, but perhaps Chur-lish.  PGN]
    
    ------------------------------
    
    Date: Mon, 21 May 2001 08:33:35 -0700
    From: "NewsScan" <newsscanat_private>
    Subject: Aimster vs. the recording industry
    
    The recording industry may be hoisted on its own petard if the Napster-like
    music swapping service called Aimster is successful in its legal strategy
    against the Recording Industry Association of America (RIAA). Unlike
    Napster, Aimster (which has no central servers to maintain and leaves users
    individually responsible for their actions) encrypts transmissions, and so
    there is no way for the RIAA or any other outside party to distinguish
    between files which are in compliance with copyright law and those that
    infringe on it. Of course, RIAA could simply decrypt the files -- but then
    it would be in violation of the Digital Millennium Copyright Act (DMCA), a
    law that it strongly supports, and that makes it a criminal offense to
    circumvent encryption protection of copyrighted material. (*The New
    Republic*, 21 May 2001; NewsScan Daily, 21 May 2001;
      http://www.tnr.com/cyberlaw/babbitt051101.html)
    
      [NB: Correct English usage is: "hoist with one's own petard" (victimized
      or hurt by one's own scheme) (Webster via PGN)]
    
    ------------------------------
    
    Date: [not included]
    From: "Keith F. Lynch" <kflat_private> 
    Subject: Converting Pi to binary: DON'T DO IT! (via Russ Perry Jr.)
    
    Newsgroup: alt.math.recreational
    
    WARNING:  Do NOT calculate Pi in binary.  It is conjectured that this
    number is normal, meaning that it contains ALL finite bit strings.
    
    If you compute it, you will be guilty of:
    
    * Copyright infringement (of all books, all short stories, all
      newspapers, all magazines, all web sites, all music, all movies,
      and all software, including the complete Windows source code)
    * Trademark infringement
    * Possession of child pornography
    * Espionage (unauthorized possession of top secret information)
    * Possession of DVD-cracking software
    * Possession of threats to the President
    * Possession of everyone's SSN, everyone's credit card numbers,
      everyone's PIN numbers, everyone's unlisted phone numbers, and
      everyone's passwords
    * Defaming Islam.  Not technically illegal, but you'll have to go
      into hiding along with Salman Rushdie.
    * Defaming Scientology.  Which IS illegal -- just ask Keith Henson.
    
    Also, your computer will contain all of the nastiest known computer
    viruses.  In fact, all of the nastiest POSSIBLE computer viruses.
    
    Some of the files on my PC are intensely personal, and I for one
    don't want you snooping through a copy of them.
    
    You might get away with computing just a few digits, but why risk it?
    There's no telling how far into Pi you can go without finding the secret
    documents about the JFK assassination, a photograph of your neighbor's six
    year old daughter doing the nasty with the family dog, or a complete copy of
    the not-yet-released Pearl Harbor movie.  So just don't do it.
    
    The same warning applies to e, the square root of 2, Euler's constant, Phi,
    the cosine of any non-zero algebraic number, and the vast majority of all
    other real numbers.
    
    There's a reason why these numbers are always computed and shown in decimal,
    after all.
    
    ------------------------------
    
    Date: Fri, 25 May 2001 15:03:17 -0700 (PDT)
    From: "Peter G. Neumann" <neumannat_private>
    Subject: ``The Wind Done Gone'' ban done gone -- with abandon, gone
    
    Although it is not directly computer relevant, this case is nonetheless
    noteworthy in RISKS, where April-Fools' spoofs and parodies are an old
    tradition.  A U.S. appeals court in Atlanta today overturned a lower-court
    ruling that Margaret Mitchell's estate could block the publication of ``The
    Wind Done Gone'', an apparent parody of ``Gone With the Wind'' that is
    written from the point of view of black slaves.  [Source: Karen Jacobs,
    Reuters, 25 May 2001, PGN-ed]
    
    ------------------------------
    
    Date: Thu, 24 May 2001 09:32:40 -0700
    From: "NewsScan" <newsscanat_private>
    Subject: FBI arrests dozens for Internet fraud 
    
    The Federal Bureau of Investigation has in the past ten days charged 88
    individuals with Internet crimes, including wire and mail fraud and money
    laundering. A government prosecutor said: "Internet fraud -- whether it's in
    the form of securities and other investment schemes, online auction and
    merchandising schemes, credit card fraud and identity theft -- has become
    one of the fastest-growing and most pervasive forms of white-collar crime."
    (Bloomberg News/*The Washington Post*, 24 May 2001; NewsScan Daily, 24 May
    2001; http://washingtonpost.com/wp-dyn/articles/A67744-2001May23.html)
    
    ------------------------------
    
    Date: Fri, 11 May 2001 23:39:05 -0400
    From: Monty Solomon <montyat_private>
    Subject: What they know or don't know about you!
    
    When Richard Smith (Privacy Foundation's CTO) obtained his FBI file from
    Choicepoint in Georgia, he discovered that he had died in 1976, and had had
    aliases with Texas convicts known as Ricky or Rickie.  This is apparently
    the kind of info that the FBI now depends on.  In 1998, a Chicago woman with
    no criminal record was fired after Choicepoint info mistakenly indicated she
    was a shoplifter and convicted drug dealer.  Choicepoint info was also
    involved in thousands of Floridians being mistakenly identified as felons
    and disenfranchised in the November 2000 election.  Choicepoint blames that
    on a data aggregator, DBT.
      [Source: Julia Scheeres, What They (Don't) Know About You, 11 May 2001
        http://www.wired.com/news/privacy/0,1848,43743,00.html; PGN-ed]
    
        [With regard to flagrant data mining of incorrect information,
           What's yours is mined.  PGN]
    
    ------------------------------
    
    Date: Thu, 17 May 2001 13:14:01 -0400
    From: Dave Weingart <dave.weingartat_private>
    Subject: EU considers retaining *all* telecom traffic
    
    According to an article in The Register, the Council of the European Union
    is considering implementing rules that call for storing all telecom traffic
    (all phone calls, all Net usage, every e-mail) and making this data
    accessible for at least seven years.  This will be done in the name of
    "public safety and law enforcement," no doubt.
    
    http://www.theregister.co.uk/content/5/19003.html
    
    Technical considerations aside (the concept of server farms the size of 
    France comes to mind), the whole thing is just a dreadful idea.
    
    Dave Weingart, Randstad North America  dave.weingartat_private        
    1-516-682-1470                  
                                                      
    ------------------------------
    
    Date: Thu, 24 May 2001 09:32:40 -0700
    From: "NewsScan" <newsscanat_private>
    Subject: CERT subjected to "just another attack" 
    
    The Web site of the federally funded Computer Emergency Response Team (CERT)
    was clogged by a "denial of service" attack that lasted 30 hours this
    week. CERT, which is located at Carnegie Mellon University in Pittsburgh,
    has a mission of providing warnings about computer attacks and viruses. An
    official of the organization said: "We get attacked every day.  This is just
    another attack. The lesson to be learned here is that no one is immune to
    these kinds of attacks. They cause operational problems, and it takes time
    to deal with them." [AP/*USA Today*, 24 May 2001; NewsScan Daily, 24 May 2001
      http://www.usatoday.com/life/cyber/tech/2001-05-24-cert-hacked.htm]
    
    ------------------------------
    
    Date: Tue, 15 May 2001 12:35:09 -0400
    From: Robert Moskowitz <rgmat_private> 
    Subject: Great DoS attack for cell phones
    
      (by way of David Kennedy)
    
    Courtesy of the FAA:
    
    The FAA has this neat airport traffic website:
    
    http://www.fly.faa.gov/flyFAA/index.html
    
    where you can check out conditions at any airport.  Well, recently they 
    added the option to get e-mail on airport conditions:
    
    http://www.fly.faa.gov/Notify_Signup/notify_signup.html
    
    with a warning to be careful not to select all airports as that would be a 
    lot of mail.
    
    Now the way this works is you put in an e-mail address and a password.  This 
    is the password to make changes on the FAA's site.  Then they ask you what 
    airports and how many characters your e-mailer can handle.
    
    I have selected DTW and for days I will get no mail.  This morning I have 
    already gotten 3 messages about various delays due to different thunderstorms.
    
    SO if someone does not like someone else, they just set this system to mail 
    bomb the other person's cell phone.  Imagine how annoying it will be with a 
    phone constantly going off and not knowing how to stop the mail.  Would 
    most people figure out how to get this stopped?  **I** have not contacted 
    my cellular provider on how to stop SMS spam, so I doubt if there is much 
    experience here.  There will be before this year is done.
    
    Robert Moskowitz, Senior Technical Director  rgmat_private
    ICSA Labs, a division of the TruSecure Corporation   (248) 968-9809
    
    ------------------------------
    
    Date: Wed, 23 May 2001 15:10:44 -0400
    From: Jonathan Arnold <jdarnoldat_private>
    Subject: Office XP modifies what you type: Peter Deegan in Woodyswatch
    
    [From Woody's Office Watch (http://www.woodyswatch.com)]
    
      4. IN OFFICE XP, THE LINK YOU TYPE AIN'T WHAT YOU GET 
      Remember when I asked you to send me your rants about Office XP? 
      Editor-in-Chief Peter Deegan has a great one:
    
      I didn't believe it when it first happened to me, but now Microsoft
      arrogantly and shamelessly confirms the bug.  When you type a hyperlink in
      FrontPage 2002, Word 2002, Excel 2002, PowerPoint 2002, or Outlook 2002
      (using Word as your email editor), the Office application will alter what
      you've typed, without notifying you or giving you an opportunity to undo
      the "correction." In fact, in most cases, you can't override the
      "correction" at all: you're stuck with FP, Word or Excel's version of what
      you typed.  Tough luck Charlie.
    
      Try it yourself. In Office XP, choose Insert | Hyperlink then type in this
      fake hyperlink
        http://www.fred.com/trial//2345/
      Hit enter, and the double slash is unceremoniously converted to a single
      slash. You aren't notified. You aren't given a chance to change it. In
      fact, with one exception, you can't even *override* Office's ham-handed
      mangling of your carefully constructed hyperlink.
    
      The exception: in FrontPage 2002 you can fix the link by going into HTML
      mode and overtyping - but there's no such option in Word, Excel,
      PowerPoint, or Outlook.  Even Microsoft can't suggest a workaround.
    
      It's even worse than you might imagine. The text appears in the document
      the way you typed it - that is, you'll see
        http://www.fred.com/trial//2345/
      in your document. But the link itself - the part behind the scenes that
      controls where you go when you click on the text - is altered to
        http://www.fred.com/trial/2345/
      without any notice. Don't believe me? Follow these instructions, then
      right-click on the hot text and pick Edit Hyperlink. Look in the Address
      box. See that?
    
      While a double slash is unusual, it is a valid hyperlink used in the real
      world, most commonly as a delimiter between parameters. Microsoft has no
      right to arbitrarily change a link I've typed, especially if there's no
      way to override the change.
    
      We put this problem to Microsoft's PR folks with a series of questions to
      help clarify the situation. Their response was among the most arrogant and
      obfuscatory we've seen in many years of dealing with the company - a
      dismissive response not designed to help or reassure prospective Office XP
      purchasers. In fact, it has only made a bad situation worse.
    
      Microsoft says it's not an issue at all!  The change is done intentionally
      for (you gotta love this) "cleanliness and consistency." Oy. Apparently
      the accuracy of a hyperlink is secondary to it looking nice.
    
      Microsoft dismisses the double-slash change problem saying they "don't
      know of any servers which deal with a double slash in the path component
      any way other than to treat it as a single-slash". C'mon. Call
      1-800-GET-A-CLUE guys.  Double slashes are used all the time. More than
      that, it isn't Microsoft's job to decide whether the URLs I type are
      politically correct.
    
      Microsoft goes on to say "some older servers did not like to have the
      double-slashes in the path and had difficulties with double slashes."
      Well, OK, that may be true but there are plenty of other typing errors
      that can make a link break. Double-slashes may be a problem in some cases,
      but in others they are necessary.
    
      I really wanted to hURL when the 'Softies said, "we don't change the
      parameter data, only the path part of the URL."  Good grief. This comes
      from a company that assumes everyone uses the Microsoft method of passing
      information through links. In the Microsoft world you pass data to a web
      page by adding a question mark to the end of the link then adding the
      variables. Incredibly, not everyone uses Microsoft servers, and there are
      other ways to pass information through a web link. One of the ways we've
      found includes having double-slashes. Microsoft Office XP now blocks those
      uses with no recourse.
    
      Even if you accept the logic that double-slashes in hyperlinks are
      non-existent or bad, that doesn't change the more general principle that
      the user is entitled to type in something and have it stick, unchanged. If
      Microsoft wants to make a change for "cleanliness and consistency" they
      should build in a warning to the user and a way to reverse the change. A
      Smart Tag would work nicely. But in this case neither of these basic
      design courtesies is honored. The company has gone too far in compulsory
      changes to the link with no warning to the user or any workaround to fix
      the Autocorrect.
    
      Adding injury to insult, there's no documentation on these changes in the
      help file. Microsoft has declined to provide details of any other
      compulsory changes made to hyperlinks in Office XP nor have they suggested
      any workaround for those affected, or some way to switch off this
      behavior.  The Microsoft arrogance shows through: it's not a problem, so
      why bother fixing it?
    
      The fact that Microsoft has declined to detail what changes are
      arbitrarily made to links makes us even more concerned.  Office XP users
      don't know what compulsory changes will be made to their links. Chances
      are they'll find out the way I did - the hard way.
    
    Jonathan Arnold  jdarnoldat_private  Senior Product Developer
    Integrated Delivery Systems  http://www.smartdrops.com  
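
An added example, not part of the original post or of Woody's Office Watch: a link audit that compares the visible text of each hyperlink with its stored target and flags silent rewrites such as the double-slash collapse described above. It assumes the (text, target) pairs have already been extracted from the document by other means; the rewrite model and the sample links other than the fred.com one are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit


def collapse_path_slashes(url):
    """Model of the rewrite the post describes: runs of '/' in the path
    become one '/'. Scheme, host, query and fragment are left alone."""
    p = urlsplit(url)
    path = re.sub(r"/{2,}", "/", p.path)
    return urlunsplit((p.scheme, p.netloc, path, p.query, p.fragment))


def path_segments(url):
    """Path split on '/', keeping empty segments, which is what a server
    that uses '//' as a parameter delimiter would see."""
    return urlsplit(url).path.split("/")[1:]


def audit_links(links):
    """links: iterable of (visible_text, stored_target) pairs.
    Returns one finding per link whose visible text is itself a URL
    but does not match the target that a click will follow."""
    findings = []
    for text, target in links:
        if not re.match(r"(?i)https?://", text):
            continue  # visible text is a label, nothing to compare
        if text == target:
            continue
        if collapse_path_slashes(text) == target:
            kind = "path-slash-collapse"
        else:
            kind = "other-mismatch"
        lost = path_segments(text).count("") - path_segments(target).count("")
        findings.append({"text": text, "target": target, "kind": kind,
                         "empty_segments_lost": lost})
    return findings


# Constructed sample: the first pair is the case from the post, the rest
# are made up to exercise the other branches.
SAMPLE_LINKS = [
    ("http://www.fred.com/trial//2345/", "http://www.fred.com/trial/2345/"),
    ("http://example.test/a/b?next=//x", "http://example.test/a/b?next=//x"),
    ("click here", "http://example.test/x"),
    ("http://example.test/docs/", "http://example.test/download/"),
]

if __name__ == "__main__":
    for f in audit_links(SAMPLE_LINKS):
        print(f["kind"], f["text"], "->", f["target"])
```

The query-string pair passes untouched, matching Microsoft's statement that only the path part is changed; the first pair loses one empty path segment, which is the information a double-slash delimiter carries.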
    
    ------------------------------
    
    Date: Tue, 22 May 2001 17:31:03 -0500
    From: James Garrison <jhgat_private>
    Subject: Weatherbug
    
    Someone recently sent me a reference to a program called Weatherbug and
    asked me to evaluate it from the perspective of a network admin for a small
    company where some employees are using it.
    
    It's a Windows program that places a local temperature icon in your taskbar
    and then continuously monitors local weather data from the AWS Weathernet.
    If you click on the taskbar icon it displays a panel showing local weather
    data updated in near-real-time.
    
    The service and Weatherbug executable are free and the whole thing is
    supported by advertising that is displayed in the Weatherbug window.  I was
    curious about the security implications so I downloaded and installed
    Weatherbug with the intention of monitoring the IP traffic it generates with
    a packet sniffer.
    
    The first thing that happens during install is you are asked if you want to
    also install two additional tools, "Gator" and "Offer Companion".  Here's
    the blurb on the install dialog:
    
       By including Gator and its OfferCompanion Software with
       Weatherbug, we're making your computer smarter!
    
       Gator and OfferCompanion are among the web's most popular
       products.  Gator fills in your passwords and online forms
       automatically - with no typing! And OfferCompanion delivers
       great offers to you based on web sites you visit!
    
    The checkbox indicating that you want to install these "products" is checked
    by default.  Needless to say, I did NOT allow it to install them (but then
    how do I know whether it listened to me or not ;-).  Gator is clearly
    dangerous.  I assume it keeps a database of previously seen web forms and
    the data you entered previously, and then re-enters the same data the next
    time you visit the same page.  Regular RISKS readers should be cringing
    visibly by now :-)
    
    Anyway, I started up Weatherbug and monitored its traffic:
    
    1) During registration you are asked to provide quite a bit of
       personal info, including name, address, and income.  Luckily
       (or I wouldn't have proceeded) all data is optional except
       for your Zip code, so it can locate weather stations nearby.
       The registration data is sent to a Weatherbug server in 
       an HTTP GET request.
    
    2) After you register, the software sends an HTTP POST to
       216.33.111.107, which does not seem to have a reverse DNS
       entry.  The POST data is:
       
          InstallType=Full+Install&GatorStatus=Opt-Out&BCheck=
    
    3) It appears to do everything over HTTP, so it's totally "pull"
       based.  It does not *appear* to open any persistent
       connections. Also it seems to issue only GET requests in normal
       operation.  I didn't see any POSTs other than the one described
       above. Of course, it's quite possible to send any data as
       parameters in a GET, so the absence of POST shouldn't be taken
       as implying anything positive.
    
    4) In addition to retrieving weather data from the location you
       configured (any of over 5000 AWS sites located mainly at
       schools), it downloads ad gifs from doubleclick.net.
    
    5) During registration you are assigned a registration ID that is
       sent to the Weatherbug server at various times.  I did not see
       any evidence that the registration ID is sent to sites other
       than Weatherbug (i.e. ad requests didn't include the
       registration ID)
    
    6) Every time Weatherbug starts up, my Win2K machine issues a
       single NETLOGON request to the PDC with a blank username, which
       is rejected. I don't know enough about MS authentication
       protocols to know if Weatherbug is doing this or it's just a
       byproduct of how Windows works.
    
    7) When the main window is hidden (to a taskbar icon), most IP
       traffic stops.  It still checks the weather data about once a
       minute but does not appear to load ads.
    
    8) If you uninstall and re-install Weatherbug you are not asked to
       register again.  The uninstall does not delete registry keys,
       so in order to completely remove it you must manually edit the
       registry.
    
    I found no evidence that Weatherbug is "spyware", but then this was a very
    cursory examination.  It does seem to limit its data capture to your direct
    interactions with its GUI, but the possibilities for abuse are so high that
    I would not personally use it on an ongoing basis.  It includes an automatic
    software update capability and there's no guarantee that future versions
    won't quietly slip in some "enhanced" data gathering techniques.  When the
    capability is there, the temptation to use it has got to be tremendous.
    
    Beyond the obvious security risks I'm also concerned about Weatherbug's
    bandwidth usage. When the main window is open and updating both weather data
    and ads in real time, it consumes about 20 kilobits/second. If you're a
    small company depending on an ISDN, DSL or fractional T1 link, it doesn't
    take very many of these to adversely affect other users.
    
    I'm curious to know if anyone else has conducted a more thorough
    evaluation and analysis of Weatherbug.
    
    James Garrison, Athens Group, Inc., 5608 Parkcrest Dr, Austin, TX 78731
    jhgat_private    1-512-345-0600 x150  http://www.athensgroup.com
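
An added example, not part of the original post: the checks from items 1, 2 and 5 above, run over reassembled HTTP request heads instead of by eye. The capture is constructed (only the POST body is the one quoted in the post); the hosts, paths, parameter names and registration ID are hypothetical, and the last request is a made-up leak that the author did not observe, included so the third rule has something to catch.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qsl

# Constructed capture, one string per request as a sniffer would reassemble it.
CAPTURE = [
    "GET /register?name=J+Doe&income=50000&zip=78731 HTTP/1.0\r\n"
    "Host: wx.example\r\n\r\n",
    "POST /install HTTP/1.0\r\nHost: 192.0.2.107\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "InstallType=Full+Install&GatorStatus=Opt-Out&BCheck=",
    "GET /obs?station=ATX01&regid=R-1001 HTTP/1.0\r\nHost: wx.example\r\n\r\n",
    "GET /ad.gif?slot=3 HTTP/1.0\r\nHost: ads.example\r\n\r\n",
    "GET /ad.gif?slot=4&u=R-1001 HTTP/1.0\r\nHost: ads.example\r\n\r\n",
]

FIRST_PARTY = {"wx.example"}              # hypothetical vendor host
PII_NAMES = {"name", "address", "income"}  # hypothetical form field names
REG_ID = "R-1001"                          # hypothetical registration ID


def parse_request(raw):
    """Split a request into method, Host header, path and parameters
    (query string, plus the form body for POST)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = parse_qsl(url.query, keep_blank_values=True)
    if method == "POST":
        params += parse_qsl(body, keep_blank_values=True)
    return {"method": method, "host": headers.get("host", ""),
            "path": url.path, "params": params}


def is_bare_ip(host):
    """True when the Host header is an IP literal rather than a name."""
    name = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def analyze(capture, first_party, reg_id, pii_names):
    """Return (request_index, rule, detail) for every rule that fires."""
    findings = []
    for i, raw in enumerate(capture):
        req = parse_request(raw)
        names = sorted({k.lower() for k, _ in req["params"]} & pii_names)
        # Item 1: personal data in a GET ends up in URLs, hence in logs.
        if req["method"] == "GET" and names:
            findings.append((i, "pii-in-get", ",".join(names)))
        # Item 2: POST to a host addressed only by IP.
        if req["method"] == "POST" and is_bare_ip(req["host"]):
            findings.append((i, "post-to-bare-ip", req["host"]))
        # Item 5: registration ID leaving the first-party hosts.
        if req["host"] not in first_party and any(v == reg_id for _, v in req["params"]):
            findings.append((i, "regid-to-third-party", req["host"]))
    return findings


if __name__ == "__main__":
    for finding in analyze(CAPTURE, FIRST_PARTY, REG_ID, PII_NAMES):
        print(finding)
```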
    
    ------------------------------
    
    Date: Mon, 21 May 2001 08:33:35 -0700
    From: "NewsScan" <newsscanat_private>
    Subject: 37% of programs used in business are pirated
    
    Software piracy grew in 2000 for the first time in more than five years,
    according to the Business Software Alliance, which estimates that 37% of all
    software programs used by businesses worldwide are illegal copies. The
    Asia-Pacific region -- where more than half of all software in use last year
    was stolen -- tops the list in terms of dollars (an estimated $4 billion)
    lost to piracy.  Meanwhile, Eastern Europe has the highest piracy rate, with
    63% of its software illegally copied in 2000. In the U.S., 24% of programs
    are pirated copies.  Although progress is being made in some regions, BSA
    director of enforcement Bob Kruger takes little comfort.  "That's kind of
    like saying that I'm having fewer heart attacks than I used to. But the
    damage that's being caused by piracy is still devastating.  It can be
    counted in the thousands of jobs and billions of dollars lost." (AP 21 May
    2001; NewsScan Daily, 21 May 2001;
      http://news.excite.com/news/ap/010521/07/software-piracy)
    
    ------------------------------
    
    Date: 12 Feb 2001 (LAST-MODIFIED)
    From: RISKS-requestat_private
    Subject: Abridged info on RISKS (comp.risks)
    
     The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) 
     if possible and convenient for you.  Alternatively, via majordomo, 
     SEND DIRECT E-MAIL REQUESTS to <risks-requestat_private> with one-line, 
       SUBSCRIBE (or UNSUBSCRIBE) 
     which now requires confirmation to majordomoat_private (not to risks-owner)
     [with option of E-mail address if not the same as FROM: on the same line,
     which requires PGN's intervention -- to block spamming subscriptions, etc.] or
       INFO     [for unabridged version of RISKS information]
     .MIL users should contact <risks-requestat_private> (Dennis Rears).
     .UK users should contact <Lindsay.Marshallat_private>.
    => The INFO file (submissions, default disclaimers, archive sites, 
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues.  *** All 
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risksat_private with meaningful SUBJECT: line.
    => ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
       [volume-summary issues are in risks-*.00]
       [back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
     http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
       Lindsay Marshall has also added to the Newcastle catless site a 
       palmtop version of the most recent RISKS issue and a WAP version that
       works for many but not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing, 
        http://www.csl.sri.com/illustrative.pdf or .ps for printing
    
    ------------------------------
    
    End of RISKS-FORUM Digest 21.42
    ************************
    


