[risks] Risks Digest 21.46

From: RISKS List Owner (riskoat_private)
Date: Tue Jun 12 2001 - 16:51:05 PDT

  • Next message: RISKS List Owner: "[risks] Risks Digest 21.47"

    RISKS-LIST: Risks-Forum Digest  Tuesday 12 June 2001  Volume 21 : Issue 46
    
       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
    
    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/21.46.html>
    and by anonymous ftp at ftp.sri.com, cd risks .
    
      Contents:
    Another NY Stock Exchange outage (PGN)
    California power grid hacked (PGN)
    PC parrot drives firemen crazy (Merlyn Kline)
    Computer reports unreported wreck (Chris Norloff)
    U.K. plans mandatory IP indoctrination for children (Cluebot via 
      Declan McCullagh)
    Re: Billboard error message (Robert Meineke, Rick Prelinger, John Dallman)
    Re: Risks of clueless marketing (Jamie McCarthy)
    Re: Steve Gibson: Windows XP Vulnerable; Big ISPs just don't care (Mike Nuss)
    Re: Steve Gibson's report and Windows XP "Vulnerabilities" (David Crooke)
    They're at it again: Internet Explorer Smart Tags in WinXP (Stef Maruch)
    Re: Office XP modifies what you type (Andy Newman, Jay Jennings)
    Microsoft, 'Mitigating Factors' and Public Relations (Jackson Ratcliffe)
    Broken shopping carts (Steve Loughran)
    How to avoid Internet interruption at AAS meeting (Clive Page)
    There's no such thing as software `piracy' (Fred Gilham)
    Re: Another fear of Risks (James K. Huggins)
    Re: McDonald's testing cashless payments (Jeffrey Jonas, John R Levine)
    Credit where it isn't due (William Paul Fiefer)
    Abridged info on RISKS (comp.risks)
    
    ----------------------------------------------------------------------
    
    Date: Fri, 8 Jun 2001 19:21:22 PDT
    From: "Peter G. Neumann" <neumannat_private>
    Subject: Another NY Stock Exchange outage
    
    A software upgrade glitch resulted in the New York Stock Exchange being
    unable to trade roughly half of its stocks in the morning of 8 Jun 2001.
    Consequently, the exchange was shut down entirely (on grounds of fairness)
    until 11:35 a.m. EDT.  
    
    The RISKS archives note a 41-minute shutdown on 24 Feb 1971 (when both
    primary and backup systems failed), a 24-minute outage on 22 Oct 1991 (due
    to a power dip), a one-hour outage on 18 Dec 1995 (also due to a botched
    software update), and a one-hour crash on 26 Oct 1998.  Uninterrupted
    service is clearly not easy to achieve.  The Nasdaq exchange computer system
    also shut down last week for 20 minutes (while the staff was working to
    increase capacity), a case that has not previously been reported here.
    
    ------------------------------
    
    Date: Tue, 12 Jun 2001 08:13:22 -0700
    From: "Peter G. Neumann" <neumannat_private>
    Subject: California power grid hacked
    
    Reuters reported on 11 June 2001 that the California Independent System
    Operator's flow-control computer systems had been hacked for at least 17
    days before it was detected on 11 May 2001 -- in the midst of the ongoing
    power crisis.  Although they attacks did not noticeably disrupt operations,
    they apparently came quite close -- and exposed some vulnerabilities that
    demonstrably need to be fixed.  The main attack was seemingly from someone
    in China's Guangdong province, via China Telecom, and exploited Internet
    servers in Tulsa OK and Santa Clara CA.
    
    ------------------------------
    
    Date: Thu, 7 Jun 2001 13:08:17 +0100
    From: "Merlyn Kline" <merlynat_private>
    Subject: PC parrot drives firemen crazy
    
    In an article in *The Register*, Kieren McCarthy
      <http://www.theregister.co.uk/content/28/19525.html> 
    reported that West Midlands firemen, having rescued a cat from a tree, were
    called to an office in Willenhall to rescue what was thought to be an
    escaped parrot.  After an hour's search, they discovered that a PC
    screensaver was intermittently parroting a parrot's squawks.  Kieren
    speculated on whether the firemen thought it was a joke or "more reasonably,
    smashed the PC to pieces with their axes."  [Merlyn called this a "terrible
    parroty error", although I doubt that the firemen thought it was a parody.
    Instead, it was truly a case of a polly-morphic PC!  PGN-ed]
    
    ------------------------------
    
    Date: Thu,  7 Jun 2001 08:44:52 -0400
    From: "Chris Norloff" <cnorloffat_private>
    Subject: Computer reports unreported wreck
    
    You just can't outrun a satellite.  A Merced, California, man took his fully
    equipped 2001 SUV out onto some nearby country roads, navigating swiftly and
    confidently with the optional OnStar Global Positioning System.  When he got
    into an accident, he decided to run for it.  But the guidance system had
    already notified OnStar headquarters of the accident, specifying where it
    had happened and giving a complete description of his vehicle to the
    California Highway Patrol.  The officers followed a trail of coolant about a
    mile into an orchard, where they found and arrested the driver.  [Source:
    *Road & Track* magazine, July 2001; PGN-ed]
    
    THE RISKS?
    
    What constitutes an "accident"? (Air bags seem to go off quite easily,
    taking out the windshield and dashboard [$$$] in a fender-bender).
    
    Will GPS-reported accidents become like household burglar alarms - sending
    out mostly false alarms?
    
    Who will hack into the OnStar system to falsely report accidents?  
    
    Who will use the OnStar system to efficiently dispatch lawyers to accident
    sites?
    
    How soon until OnStar sells accident records so used-car purchasers can
    learn the vehicle's history?
    
    Chris Norloff
    
    ------------------------------
    
    Date: Wed, 6 Jun 2001 12:17:49 -0400
    From: Declan McCullagh <declanat_private>
    Subject: U.K. plans mandatory IP indoctrination for children (from Cluebot)
    
    http://www.cluebot.com/article.pl?sid=01/06/05/2338246
                                          
       U.K. Plans Mandatory IP Indoctrination for Children
       posted by vergil on Wednesday June 06, @12:10PM
       from the get-em-while-they're-young dept.
    
       Forget digital watermarks and cease-and-desist letters.  The future of
       intellectual property enforcement lies not in technological access
       controls or litigation, but mandatory education.  Anthony Murphy, the UK
       Patent Office's Director of Copyright since 1999, has hit upon a novel
       solution to stamp out public disregard for copyright law by nipping
       future file-swappers in the bud.
    
       In a move that's an eerie cross between Brave New World and the Lehman
       Working Group's "Just Say Yes" (to licensing) proposal, the UK's Patent
       Office and Department of Education have teamed up to teach youngsters the
       virtues of copyright.  Starting in fall 2002, reverence to intellectual
       property -- and, presumably, disdain for Napster and its successors --
       will become part the "Citizenship" aspect of England's National
       Curriculum for secondary school students.
       
       According to a April 26, 2001 UK Patent Office press release:
       
       "In Autumn 2002, a new subject, Citizenship, is being introduced into
       the National Curriculum in UK secondary schools. Its aim is to teach
       children how to be good, moral, citizens and Anthony Murphy believes
       the subject would be an ideal vehicle for teaching children about
       intellectual property.
       
       'By bringing awareness of the importance of copyright into our
       schools, tomorrow's consumers can take their place in a community
       which understands, values and respects intellectual property.'"
    
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    To subscribe, visit http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    
    ------------------------------
    
    Date: Thu, 07 Jun 2001 09:02:06 -0700
    From: "Robert Meineke" <robert_meinekeat_private>
    Subject: Re: Billboard error message (PGN, RISKS-21.45)
    
    Just for fun, check out
      http://www.daimyo.org/bsod/
        [This Web site shows some classic blue screens 
        of death in very conspicuous places.  PGN]
    
    ------------------------------
    
    Date: Thu, 7 Jun 2001 11:15:50 -0700
    From: Rick Prelinger <footageat_private>
    Subject: Re: Billboard error messages (PGN, RISKS-21.45)
    
    The best CalTrans error message I have seen was sometime last fall on 
    the San Francisco approach to the Golden Gate Bridge, where an 
    industrious purple LED sign repeatedly flashed "NO DATA."
    
    Rick Prelinger, Prelinger Archives, P.O. Box 590622, San Francisco, Calif. 
      94159-0622  +1 415 750-0445  http://www.prelinger.com footageat_private
    
    ------------------------------
    
    Date: Fri, 8 Jun 2001 00:16 +0100 (BST)
    From: jgdat_private (John Dallman)
    Subject: Re: Billboard error message (PGN, RISKS-21.45)
    
    My personal favourite was the time I found a hole-in-the-wall cash 
    dispenser that had fallen over and was displaying a "C:>" prompt. A little 
    playing with the keyboard revealed that MS-DOS was running - or something 
    else that said "Bad command or file name" - and the keypad gave me 
    numbers, ESC, BACKSPACE and ENTER. With no ALT key or letters, I couldn't 
    do more, so the design had some limited degree of fail-safety.
    
    John Dallman <jgdat_private>
    
    ------------------------------
    
    Date: Mon, 4 Jun 2001 21:57:48 -0400
    From: Jamie McCarthy <jamieat_private>
    Subject: Re: Risks of clueless marketing (Searle, RISKS-21.44)
    
    > Has anybody else realized that "XP" is a person wincing [...]?
    
    This is the company that named an earlier operating system "WinCE".
    Maybe their *market* is people with pained facial expressions.
    
    ------------------------------
    
    Date: Thu, 07 Jun 2001 16:46:45 -0400
    From: Mike Nuss <nmxat_private>
    Subject: Re: Steve Gibson: Windows XP Vulnerable; Big ISPs just don't care
    
    I felt I had to respond to this article, because it's simply ridiculous.
    
    Raw sockets support, the supposed "vulnerability," is not a security risk. This
    capability is already present in every major Unix operating system, and can be
    acquired in every version of Windows with the addition of a library.
    
      >From atstake.com:
      The "powerful Internet-connection capabilities" which are hyped in this
      article is merely the ability to write raw IP packets. This is where an
      application program controls every field in the IP packet. This
      functionality is required if you were writing your own network bridge
      program for Windows or other low level network applications. An IDS for NT
      that resets connections would need this functionality. AntiSniff, which
      detects sniffers on a network, requires this functionality.
    
      This capability, which this article states is so dangerous to the
      Internet, is already available practically everywhere. It is available in
      every commercial and open source unix distribution and is already
      available for all Windows platforms (not just Windows XP) through the use
      of free add on libraries such as winpcap and libnetNT.
    
      The hype and hyperbole is astounding. From reading this article you'd
      think a deluge of DDoS attacks was building up just waiting to be released
      once Microsoft releases the all powerful new API. Nothing could be further
      from the truth. When XP arrives it will receive a collective yawn from
      DDoS attackers who would much rather have their win32 DDoS clients run on
      every version of Windows using the already available add on libraries.
    
      Once an attacker has administrative control of a machine they can run any
      code they want, whether it is native or in an uploaded executable. There
      is absolutely nothing stopping an attacker from spoofing IP addresses from
      a Windows machine today or tomorrow.
    
    The real RISK here is *The New York Times'* propagation of false information
    for the sole purpose of provoking Fear, Uncertainty, and Doubt.
    
    Mike Nuss
    
    ------------------------------
    
    Date: Thu, 07 Jun 2001 00:48:25 -0500
    From: David Crooke <daveat_private>
    Subject: Re: Steve Gibson's report and Windows XP "Vulnerabilities"
    
    I have to take issue with Steve's assessment of how important this new
    capability in Windows 2000 / XP is - given the technical mastery required to
    subvert a machine in the first place, it's not a major endeavour to
    implement one's own source IP spoofing in any number of ways - a second
    virtual interface, bundling a custom IP stack with the trojan, or just
    changing the IP address of the machine. The fact that most current attacks
    don't use IP spoofing is not because Microsoft has failed to provide a
    convenient API - attackers simply haven't felt the need. Other operating
    systems have "supported" IP spoofing for years without it being regarded as
    risk contributing to hacking efforts.
    
    The real takeaway from Steve's write-up is that the endpoints of the
    Internet can no longer be trusted; it is time for network administrators at
    ISPs, universities and commercial premises to take up the cudgel and police
    the traffic emanating from their networks; source IP filtering is trivial to
    implement at this level. It is also time for backbone providers to introduce
    sensible firebreaks and reduce their trust in traffic passing through their
    systems.
    
    ------------------------------
    
    Date: Thu, 7 Jun 2001 12:55:52 -0700
    From: Stef Maruch <stef@cat-and-dragon.com>
    Subject: They're at it again: Internet Explorer Smart Tags in WinXP
    
    A while back, when www.deja.com still archived Usenet news, they tried
    to generate revenue by inserting URLs into Usenet posts archived on
    their site. Needless to say, this upset a lot of Usenet posters, who
    considered it a copyright violation.  
    
    Now Microsoft is up to much the same thing with a new feature of WinXP
    called "Internet Explorer Smart Tags":
    
    http://public.wsj.com/sn/y/SB991862595554629527.html
    
      In effect, Microsoft will be able, through the browser, to re-edit
      anybody's site, without the owner's knowledge or permission, in a way that
      tempts users to leave and go to a Microsoft-chosen site -- whether or not
      that site offers better information.
    
    Seems to me they should be called "Internet Explorer Sneak Tags."
    
    Stef  **  rational/scientific/philosophical/mystical/magical/kitty
        **  stef@cat-and-dragon.com <*> http://www.cat-and-dragon.com/~stef
      **
    I mean, 'e' was *already* the most common letter in the English
    language. -- AM, complaining about the online commerce explosion
    
    ------------------------------
    
    Date: Thu, 7 Jun 2001 18:41:07 +1000
    From: Andy Newman <andyat_private>
    Subject: Re: Office XP modifies what you type (Deegan/Arnold, RISKS-21.42)
    
    When I saw the headline I thought "Oh, oh, MS at it again" but after
    reading further on must agree with what they're doing.  A quick glance
    at an appropriate RFC - 2396, Uniform Resource Identifiers: Generic Syntax -
    shows that forward slash is reserved within URI paths and may not appear
    twice in succession. I quote,
    
        The path may consist of a sequence of path segments separated by a
        single slash "/" character.  Within a path segment, the characters
        "/", ";", "=", and "?" are reserved.
    
    Also having written a few simple web servers and many robots I find the
    claim that there are many uses of '//' rather dubious.  The people are
    probably thinking that some kind server's path normalisation is normal
    or the laziness of many HTTP server authors in transforming "entity"
    paths into the names of files storing those entities makes their invalid
    URLs allowable.
    
    I think the real risk of URLs (and I's and N's) is that they appear
    too similar to the names used in many file systems.  This leads to things
    like thinking '//' in the middle of a path is valid (hey Unix copes!) or
    that ".jpg" on the end of a URL actually means something and you can
    ignore the entity type sent back with the data (common browser problem).
    
    Andy Newman, Silverbrook Research, <andyat_private>
    
    ------------------------------
    
    Date: Thu, 7 Jun 2001 15:24:18 -0400 
    From: "Jennings, Jay" <jay.jenningsat_private>
    Subject: Re: Office XP modifies what you type (Deegan/Arnold, RISKS-21.42)
    
    Two interesting points. First, in previous versions of Microsoft Word, the
    feature that changed capital letters could be turned off - it was called the
    "Auto Correct" feature and could be tweaked through the tools menu. The
    second point is more ironic. I received the link below in an e-mail
    yesterday:
    
    http://shop.microsoft.com//Products/Products_Feed/Online/SQLServer2000%5B101
    45%5D/ProductQuestions.asp
    
    I was quickly able to deduce that Office XP was not used to compose the
    e-mail.
    
    Jay Jennings
    
    ------------------------------
    
    Date: Thu, 7 Jun 2001 07:39:45 -0700
    From: "Ratcliffe, Jackson" <jratcliffeat_private>
    Subject: Microsoft, 'Mitigating Factors' and Public Relations
    
    Microsoft recently announced yet another security flaw, this one related to
    Exchange 2000's Outlook Web Access (OWA).  Apparently java/vbscript
    attachments are automatically run 
      http://www.microsoft.com/technet/security/bulletin/MS01-030.asp 
    with no security.  This is a REAL glaring flaw.
    
    So to make sure that it doesn't sound quite so bad, in Microsoft's e-mail
    announcement they tried to list the mitigating factors.  Have a laugh.
    
    Mitigating Factors:
    
     - The vulnerability could only be exploited if the user were using OWA in
       conjunction with IE.  (isn't that the whole point of the product ?)
    
     - The vulnerability is only exploitable by attachments that are received
       via OWA. In general, an attacker would have no way to determine whether a
       user would open an attachment using OWA rather than an Outlook client.
       (Isn't the whole point of .net to get rid of client-based Outlook?)
    
         [CC:ed on this item by Jackson, Gregory D. Marx concludes that 
         "based on the first mitigating factor, I guess MS is suggesting 
         that we switch to Netscape!?!?!"  PGN]
    
    ------------------------------
    
    Date: Wed, 6 Jun 2001 22:56:34 -0700
    From: "Steve Loughran" <slo4at_private>
    Subject: Broken shopping carts
    
    I was just trying to by something from an on-line catalog (autosport.com),
    but was having problems as the shopping cart doubled the number of items I
    entered; the minimum purchase was two.
    
    On a whim, I entered a negative number -and the shopping cart updated to
    show that I was ordering -2 items, and had to pay -$188.
    
    I didn't go ahead with the transaction, but it would be an interesting
    experiment to see whether it would actually be possible to get free cash
    from shopping at this web site.
    
    It would also be interesting to see if the credit card companies fraud
    protection works in reverse -detecting and flagging too many refunds coming
    from a single vendor.
    
    ------------------------------
    
    Date: Mon, 4 Jun 2001 16:07:56 +0100
    From: Clive Page <cgpat_private>
    Subject: How to avoid Internet interruption at AAS meeting
    
    Astronomers planning to attend the American Astronomical Society meeting
    on now were advised as follows in an e-mail circular:
    
      If you plan on attending the AAS Meeting in Pasadena, CA 3-7 June 2001,
      you will most likely want to use the Meeting's Cyber Cafe for E-mail and
      Web Browsing.  In order to ensure continuous access to your home site,
      please notify your local system and security administrators of the
      following:
    
      The Internet traffic flowing from the meeting attendees, will be coming
      from the IP addresses ranging from [CENSORED...  actual addresses removed
      for obvious reasons].
    
      In the past government sites have become aware of heavy traffic from our
      meetings and without notice shut off ALL access to attendees.  This was
      done as a security measure, unaware that the traffic was originating at an
      AAS Annual Meeting.  It caused several days of service interruption for
      meeting registrants.  Informing your system administrators of the IP
      addresses could save you a lot of distress later!
    
    The risk: trying to avoid denial-of-service attacks might cause almost as
    much disruption to your staff as an actual attack, and just when they are
    least likely to be able to do much about it.
    
    Clive Page, Dept of Physics & Astronomy, University of Leicester.  U.K.
    
    ------------------------------
    
    Date: Tue, 05 Jun 2001 10:12:33 -0700
    From: Fred Gilham <gilhamat_private>
    Subject: There's no such thing as software `piracy'
    
    I know it's not a new idea, but I think it needs to be reiterated that
    piracy (which apparently is still practiced in some parts of the world) is a
    crime of violence, often resulting in the death of its victims, whereas
    making unauthorized copies of software that is copyright or licensed, while
    illegal in most places, is not a crime of violence.
    
    It may be tilting at windmills, like trying to get people to use the term
    `crackers' instead of `hackers'.  Perhaps the people who write stories about
    this stuff would be more careful with their terminology if people started
    referring to `taggers' (i.e., graffiti vandals) as `journalists'?  After
    all, they both work with words....
    
    ------------------------------
    
    Date: 31 May 2001 10:18:07 -0400
    From: hugginsat_private (James K. Huggins)
    Subject: Re: Another fear of Risks
    
    Sorry ... here I go on a rant ...
    
    "Bob Frankston" <rmf2gOtherat_private> writes:
    
    > I'm using IE 6.0 and it works pretty much like 5.0. With one notable
    > exception -- UPS explicitly checks for it and doesn't let me use their
    > service with an unapproved browser. I presume that feel it is better for
    > them to lose customers than risk .. risk what?
    
    Risk spending countless hours of time on the phone (and therefore $$) with
    irate customers blaming UPS when the customers' new-fangled "compatible"
    browser doesn't work with the UPS site.  Risk having people blame UPS
    instead of Microsoft when IE 6.0 turns out to not be 100% compatible with IE
    5.x in a couple of features which the UPS cite depends upon to function
    correctly ... especially if those incompatibilities didn't surface in any of
    the pre-release versions.
    
    > UPS is loses two ways. They force me to use other services and they
    > lose the value of users doing testing for them.
    
    In my humble opinion, most users aren't interested in doing testing
    for companies.  That's what we pay the companies to do for themselves.
    
    Furthermore, relying on user reports for testing is full of its own
    problems.  Users (and I count myself in that category) will often
    blame others for problems they cause themselves, or problems caused by
    third parties (e.g. ISPs) which aren't the fault of either endpoint.
    
    > They can warn me that they haven't tested with my browser but
    > disallowing it is not only short-sighted, it represents a basic
    > misunderstanding of the PC and the large effort put in to assure
    > compatibility with previous versions of programs. 
    
    Who says UPS won't eventually support IE 6.0?  Given that it's just
    been released, UPS may just be trying to give itself some time to 
    test IE 6.0 for itself and fix any compatibility problems on its end.
    
    > Old MIS (before they were called IT) departments did have a great
    > fear of upgrades since each mainframe system was extensively
    > patched. But that reasonable fear is now a phobia.
    
    Nope.  Look, I've had much the same problem with the Netscape 4->6
    transition.  When I upgraded to the "improved" Netscape 6 on my home
    machine, lots of sites that I used to visit simply refused to work
    anymore.  When I contacted the sites to complain, most state that the
    problem is Netscape's and that I should either downgrade back to 4.72
    or switch to IE.
    
    There ain't nothing that's 100% backward compatible, especially in 
    a x.0 release.
    
    Just my $.02.
    
    --Jim Huggins, Kettering University, Flint, MI  (jhugginsat_private)
    
    ------------------------------
    
    Date: Tue, 29 May 2001 22:11:30 -0400 (EDT)
    From: Jeffrey Jonas <jeffjat_private>
    Subject: Re: McDonald's testing cashless payments (RISKS-21.43)
    
    > McDonald's Corporation has begun testing the use of a cashless payment
    > system that uses the kind of radio transponder technology that was first
    > developed by state highways to allow motorists to drive through toll plazas
    > without having to stop to make a payment.
    
    A friend said that McD's once had a credit card but dropped it.
    Sure, it made checkouts faster and less handling of cash,
    but it had an unexpected side effect.
    Folks saw the monthly bill and realized how all those meals were
    adding up to real money and cut back their spending
    since it was so easily auditable.
    
    Another interesting interaction:
    > Newsgroups: alt.consumers.experiences,misc.consumers
    > Subject: Re: McDonald's 30-Second DT Guarantee
    
    McD's apparently has some promotion where they guarantee you get the food
    30 seconds after paying.  The immediate analysis is that they'll take
    as long as before, just not collect the money 'till it's ready.
    Now with the speed-pass, will the guarantee still hold?
    
    ------------------------------
    
    Date: 30 May 2001 02:26:29 -0400
    From: "John R Levine" <johnlat_private>
    Subject: Re: McDonald's testing cashless payments (RISKS-21.43)
    
    I had a Mobil speedpass for a while.  It's about the diameter of a pencil
    and an inch long, with a hole through the end so it can go on your keychain.
    You wave it at the pump, a light on the pump goes on to tell you it knows
    who you are and you pump your gas.  Mobil links theirs to a credit card.
    
    It worked fine until one day my bank called me up to say that I had been
    buying an awful lot of gas in towns east of here, had I lost my card?  
    No, but it turned out that I'd lost my speedpass.  It fell off my keychain
    the last time I used it, but it was so small that I didn't notice it was
    gone, what with all the frequent shopper barcode tags et al with my keys.  
    I finally got it straightened out and Mobil ate the bogus charges, a
    relief since the card company said their usual anti-fraud rules don't
    apply when you don't use your physical card for a transaction.
    
    I decided I'll spend the extra two seconds per visit and swipe my card.
    
    I do have an E-ZPass toll transponder in my truck, but that's different
    for two reasons: it's large enough to miss and is firmly glued to the
    inside of the windshield, and they give me the incentive of significant
    toll discounts (in NYC at least) if I use it.
    
    John Levine, johnlat_private, Primary Perpetrator of "The Internet for Dummies",
    Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
    
    ------------------------------
    
    Date: Wed, 06 Jun 2001 19:55:27 -0500
    From: William Paul Fiefer <yamadaat_private>
    Subject: Credit where it isn't due
    
    So you request a credit card and it comes by mail with a peel-off sticker 
    across the signature plate. The sticker tells you to call a toll-free 
    number to activate the card. This is, apparently, a theft-prevention thing.
    
    Don't bother.
    
    The cards activate automatically. At least "Blue" from American Express and 
    the "Platinum" series ($100,000 credit limit -- $250,000 for the "Quantum" 
    series) from MBNA do.
    
    I ordered these cards but did not activate them. I found myself receiving 
    mail regarding these accounts. I received privacy notices, which I opted 
    out of. Then I asked MBNA why I had a card I did not activate.
    
    If you do not activate our cards, the customer rep said, they activate 
    themselves after a set time limit. The American Express rep told me no such 
    activation occurred but could not explain why my card was active. She even 
    tried to discourage me from cancelling the thing!
    
    The RISK? You'll have credit due where none is applied for.
    
    William Paul Fiefer  630.892.5180  www.prairienet.org/~yamada
    
    ------------------------------
    
    Date: 12 Feb 2001 (LAST-MODIFIED)
    From: RISKS-requestat_private
    Subject: Abridged info on RISKS (comp.risks)
    
     The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) 
     if possible and convenient for you.  Alternatively, via majordomo, 
     SEND DIRECT E-MAIL REQUESTS to <risks-requestat_private> with one-line, 
       SUBSCRIBE (or UNSUBSCRIBE) 
     which now requires confirmation to majordomoat_private (not to risks-owner)
     [with option of E-mail address if not the same as FROM: on the same line,
     which requires PGN's intervention -- to block spamming subscriptions, etc.] or
       INFO     [for unabridged version of RISKS information]
     .MIL users should contact <risks-requestat_private> (Dennis Rears).
     .UK users should contact <Lindsay.Marshallat_private>.
    => The INFO file (submissions, default disclaimers, archive sites, 
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues.  *** All 
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risksat_private with meaningful SUBJECT: line.
    => ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
       [volume-summary issues are in risks-*.00]
       [back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
     http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
       Lindsay Marshall has also added to the Newcastle catless site a 
       palmtop version of the most recent RISKS issue and a WAP version that
       works for many but not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing, 
        http://www.csl.sri.com/illustrative.pdf or .ps for printing
    
    ------------------------------
    
    End of RISKS-FORUM Digest 21.46
    ************************
    



    This archive was generated by hypermail 2b30 : Tue Jun 12 2001 - 17:39:42 PDT