[risks] Risks Digest 21.48

From: RISKS List Owner (riskoat_private)
Date: Mon Jun 18 2001 - 12:14:48 PDT

  • Next message: RISKS List Owner: "[risks] Risks Digest 21.49"

    RISKS-LIST: Risks-Forum Digest  Monday 19 June 2001  Volume 21 : Issue 48
    
       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
    
    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/21.48.html>
    and by anonymous ftp at ftp.sri.com, cd risks .
    
      Contents:
    Unexpected network congestion: remote consequences of Seti@Home 
      (Steve Loughran)
    Site puts private cell calls on Web (Bruce Hamilton)
    European Commission "Net-security" site invaded by hackers (Declan McCullagh)
    Formula 1's string of control-system failures (Stellios Keskinidis)
    A320 Incident (Peter B. Ladkin)
    Re: Computer train trauma (Philip Nasadowski)
    Lincolnshire University offers first course on rail disasters (Tom Van Vleck)
    NYSE: "Throw up your hands and reboot" (Chris Norloff)
    Re: Billboard error messages (David M Chess)
    Response to LWN's statement about Linux security costs (Kevin Postlewaite
        via Gerrit Muller)
    Windows XP adds its own links (George C. Kaplan)
    Re: Office XP modifies what you type (Andy Newman, Gerard A. Joseph)
    Re: Steve Gibson's and Windows XP (Chris Dodd)
    Re: The risks of clueless marketing (Tony Martin-Jones)
    Re: And you thought Keith Lynch was kidding! (Phil Carmody, Paul Ward, 
        Ken Knowlton)
    On the deceptiveness of pop-under ads (ocschwar)
    Abridged info on RISKS (comp.risks)
    
    ----------------------------------------------------------------------
    
    Date: Tue, 12 Jun 2001 17:10:24 -0700
    From: "Steve Loughran" <slo4at_private>
    Subject: Unexpected network congestion: remote consequences of Seti@Home
    
    I came across an interesting little article on Sun's best practices site,
    titled, "Network Wedged by Little Green Men"
      http://dcb.sun.com/practices/devtales/network_wedged.jsp
    
    It covers how a small firm's network kept on slowing down to a halt. The
    problem was tracked down to Seti@home screen savers repeatedly trying to
    connect to the Seti servers, which were inaccessible due to attempted cable
    theft (as noted in past RISKS).  The local firm's Internet access used NAT
    address translation, and each screen saver made multiple attempts to
    connect.  Each connection attempt used a NAT assignment, an assignment which
    took a while to be cleaned up. Before long the company had exhausted their
    pool of 128 NAT addresses, even though only six people were present. Only
    through router interrogation was the problem identified.
    
    The article closes by saying the problem was "solved" by increasing the
    number of available NAT addresses, although of course that didn't fix the
    problem, merely caused it to 'go away'. A real solution would be to have the
    screen-saver software implement incremental backoff and other mechanisms
    designed to gracefully handle a complete loss of remote server access.
    
    One would hope that the authors of the next generation of distributed
    computation applications take heed of the lessons of the current batch.
    
    -Steve
    
    ------------------------------
    
    Date: Thu, 7 Jun 2001 10:57:01 -0700 
    From: bruce_hamiltonat_private
    Subject: Site puts private cell calls on Web
    
    Citizens in Ottawa were probably not aware that they were providing content
    for a new Web site that streams live audio onto the Net. The site uses
    conversations pulled from a radio that scans cellphone frequencies in the
    city.  *CTIA Daily News* <http://www.canoe.ca/OttawaNews/OS.OS-06-07-0003.html>
    
    Bruce Hamilton bruce_hamiltonat_private  Tel: 650-485-2818  Fax: 650-485-8092
    Agilent Technologies MS 24M-A, 3500 Deer Creek Road, Palo Alto CA 94303
    
    ------------------------------
    
    Date: Wed, 13 Jun 2001 09:58:18 -0400
    From: Declan McCullagh <declanat_private>
    Subject: European Commission "Net-security" site invaded by hackers
    
    European 'safer Internet' site hit by hackers, By Joris Evers (IDG)
    http://www.cnn.com/2001/TECH/internet/06/11/safer.net.hack.idg/index.html
    
    Hackers embarrassed the European Commission last week by identifying and 
    exploiting two security holes on a new commission-sponsored Web site that 
    promotes safer use of the Internet. One of the holes allowed the hackers to 
    get administrator privileges on the server that powers the Safer Internet 
    Exchange site [...]
    
    ------------------------------
    
    Date: Fri, 8 Jun 2001 18:35:48 +1000 (EST)
    From: Stellios Keskinidis <stellioskat_private>
    Subject: Formula 1's string of control-system failures
    
    If you've been watching F1 over the past month or so you would of very
    likely heard about making launch control and traction control systems
    legal and how nearly all teams are using them. Unfortunately, not all
    things have been going to plan for team I am the most a fan of -
    
    "Since the electronic device was legalised by the FIA at the Spanish Grand
    Prix, Mika Hakkinen has fallen foul of it once and Coulthard twice.
    Software programming has been stated as being the main cause of its
    malfunction."
    
    	- http://www.formula1.com/news/headlines01/06/s5819.html
    
    and further
    
    "Coulthard stalled his car on the grid at the first traction control race
    in Barcelona prompting team boss Ron Dennis (Team Boss), to accuse him of
    'Brain fade'....  Dennis admitted that it was a software glitch and he was
    wrong to have thought that it may have been down to driver error. "
    
    	- http://www.formula1.com/news/headlines01/05/s5731.html
    
    not to mention the four cars that stalled it on the grid in Austria
    
    "Several teams have expressed their anxiety over the possibility of a
    recurrence of the situation in Austria, where four cars failed to start.
    With the narrowness of the makeshift pit straight on the Monte Carlo
    street circuit there will be less room in which to manoeuvre cars and
    avoid potential disaster."
    
    	- http://www.formula1.com/news/headlines01/05/s5607.html
    
    Are the cars becoming too computerised and resulting in more points of
    failure? Are the teams throwing themselves out of the competition by not
    testing properly, possibly due to the time constraints? The catch there is
    that they think they are ready (in testing) when they are not in a live run
    paying a costly price. Just another classic case of Software Engineering.
    
    Cars can only go so fast around any track, I think within the next 5-10
    years they will reach their limits in speed and the teams will focus more
    than they are now, on the "computerisation" of the car where we will see
    more failures/crashes and stalls on the grid.
    
    This sounds all too familiar when the aviation industry embraced
    technology. Are they repeating those mistakes?  It can now be said "Would
    you hop into a car that travels over 300km/h that is controlled by
    software you wrote".
    
    One thing is for sure, this is soon to be race against technology and not
    who was the better driver on the day and as if it wasn't already a 2-man
    race anyway (Mclaren and Ferrari).
    
    Stellios Keskinidis  http://members.optushome.com.au/stelliosk
    
    ------------------------------
    
    Date: Mon, 18 Jun 2001 12:54:17 +0200
    From: "Peter B. Ladkin" <ladkinat_private-bielefeld.de>
    Subject: A320 Incident
    
    Tim van Beveren reported in *Flight International*, 22-28 May 2001, on a 20
    Mar 2001 incident to a Lufthansa Airbus A320 on takeoff from Frankfurt.
    This incident was reported at greater length and detail in *Air Safety Week*,
    4 Jun 2001, by David Evans and Tim van Beveren.
    
    The captain was Pilot Flying (PF). there was some degree of turbulence
    during takeoff, shortly after rotation, which resulted in the left wing
    moving down. The captain applied correction (right lateral roll control) but
    the wing dipped further left, reaching 21 degrees bank, and the wingtip is
    reported to have come within half a meter of the ground, and according to
    computer modelling of the digital flight data recorder the airplane "came
    within a few seconds of striking the ground".
    
    The First Officer, the pilot not flying (PNF), realising there could be a
    control problem, switched "priority" to his sidestick controller and
    recovered the aircraft. The aircraft was flown up to 12,000ft on autopilot,
    the crew confirmed the problem, that the CAP's sidestick was controlling for
    roll in the reverse sense (normally, putting the sidestick to the left
    commands left roll; to the right commands right roll.  Control-reversal here
    means that CAP's sidestick gave right roll on a left movement and left roll
    on a right movement).
    
    The aircraft had just come out of maintenance. Maintenance is a known risk --
    James Reason, an authority on human factors in aviation safety and Professor
    of Psychology at the University of Manchester, amongst others, has detailed
    how significant problems may arise through maintenance of complex systems.
    
    It has happened many times that aircraft have come out of maintenance with
    control systems reversed in one or more of the three axes (roll, pitch,
    yaw). This has been the cause of a number of accidents with general aviation
    aircraft, but my informal requests for information turned up no recent
    accidents to commercial aircraft due to this cause. Evans and van Beveren
    report that "reversed controls are deemed impossible on transport-category
    aircraft" and that Boeing claims that the B737 aircraft cannot be
    reverse-connected without it being discovered before flight, normally
    through mandatory post-maintenance checks, but at the latest by the pilot's
    preflight check, as the controls could not be moved.
    
    At Lufthansa's code-sharing partner, United Air Lines, certified inspectors
    must be stationed both inside and outside the cockpit to conduct a
    functional check after the flight control system has been worked on; a
    flight test is also required before the aircraft is returned to service
    after this kind of repair. It is believed that either of these measures
    would have caught the control-reversal problem, and so general maintenance
    procedures at Lufthansa Technik will be subject to detailed inquiry.
    
    There have been a number of reports as to what fault caused the lateral
    control reversal, including the two sources above. However, I have found
    none of the explanations so far satisfactory, as they raise further puzzles
    that they do not solve.
    
    The following architectural description of the A320 primary flight control
    system (PFCS) is drawn from Cary R. Spitzer, Digital Avionics Systems,
    Second Edition, McGraw-Hill 1993. The A320 sidestick controller generates
    input to five of the seven flight control computers which form part of the
    primary flight control system (PFCS). These five are the two Elevator
    Aileron Computers (ELACs) and the three Spoiler Elevator Computers (SECs).
    Each wing has two outboard ailerons, and five inboard spoilers (overwing
    surfaces which can be raised). Lateral (roll) control proceeds via four of
    the five spoilers and the two ailerons. Each of the two ELACS and three SECs
    control some combination of these 12 control surfaces. There is a
    significant amount of control redundancy.
    
    Initial reports said that Lufthansa Technik personnel had been repairing
    one of the two ELACs, and had found a damaged pin on a connector. They
    had replaced the connector and this had apparently caused the control
    reversal. This explanation made no sense to me as it stood, because
    (a) the connectors are standardised. Replacing one with another should
        give exactly the same connections as were there before;
    (b) if one ELAC was receiving reversed signals, and the other was not,
        and the three SECs were not, then
      (i) the PFCS architecture would detect a discrepancy on the channels, and
      (ii) on each side, one aileron would operate counter to the other, but
           all spoilers would operate correctly-sensed, and it is hard to see
           how this could lead to the extreme control discrepancy reportedly
           experienced by the PF.
    
    The Aviation Safety Week report on June 4 suggested that "Repair work
    involving complete rewiring "upstream" of the connector pins was conducted
    over several work shifts". The ELAC connector with the damaged pin has 140
    pins and is one of four such for the ELAC, for a total of 560 pins.
    
    It seems to me that to get control reversal without the phenomena in (b)
    above, there must have been a reversed signal downstream of the sidestick
    but upstream of where the sidestick movement is multiplexed into the five
    input signals to the five PFCS computers which receive them. I do not yet
    have, nor have I heard, a coherent suggestion as to how that could occur.
    
    There has been considerable discussion of and speculation concerning:
    maintenance procedures at Lufthansa Technik, which has one of the very
    highest reputations for maintenance quality; wiring, wiring conventions and
    connectors in the A320 series; why the pilots did not discover the
    discrepancy during the usual preflight control checks (the A320 displays
    control surface displacement on the cockpit display, the ECAM, when the
    sidestick is intentionally moved and the airplane is on the ground, as
    during a preflight control system check). I think it is fair to say that few
    hard facts have emerged yet concerning any of these, and I find it hard to
    make any useful inferences about what actually went on from the publicly
    available information.
    
    What emerges most clearly so far from this incident is that the simple
    physical complexity of the control system has confused some. Amongst other
    things, explanations have been proposed by presumably technically competent
    people that do not fit the control system architecture. It is hard to see
    how that phenomenon could have occurred with the simpler architectures of
    mechanical control systems. On the other hand, the PNF was able to take over
    normal control of the aircraft with one button push (the "control priority"
    takeover on the sidestick), which could also not happen with the simpler
    mechanical architectures.
    
    We have very little information so far on the incident. It is certain that
    the puzzles will be solved further along the investigative line, and very
    likely that the results of the investigation will be highly significant for
    the care and feeding of fly-by-wire architectures.
    
    Peter Ladkin, University of Bielefeld, http://www.rvs.uni-bielefeld.de
    
    ------------------------------
    
    Date: Sat, 16 Jun 2001 21:45:17 -0400
    From: Philip Nasadowski <nasadowskat_private>
    Subject: Re: Computer train trauma (RISKS-21.47)
    
      [PGN notes: Lord Wodehouse forwarded Philip's reply to his message 
      in RISKS-21.47, with this comment:
        As we make systems more complex and clever, they become when they fail,
        less reliable and more stupid. The present efforts to overcomplicate
        engineering solutions in the name of progress and efficiency thus
        continues the themes explored in Edward Tenner's book Why Things Bite
        Back published 1996, which although I do not like his term "revenge
        effect", because it is too emotive, is a good description of various
        well intentioned(?) ideas and efforts that have had surprising(?)
        results, which were not what was intended. Pharmaceutical companies not
        excepted either!  John]
    
    I'm in the US, and we have the same stupidity over here too.  The new GE
    locomotives for Amtrak (our national joke of a railroad) are excessively
    computerized, and grind to a halt on occasion - requiring a lengthy (10
    minutes!) reboot.  This is especially bad when one dies on approach to NY
    city!
    
    The recent Long Island Rail Road cars have had numerous problems too: The
    automated announcements are always not working (to the extent of announcing
    stations in an order that cannot exist), worse, the computerized door
    systems were an early nightmare - they would sometimes open the doors
    enroute (imagine a standing room only train going 60 - 80 mph over rough
    track), or refuse to open the doors when stopped.  The latter was caused
    because the system will "lock out" any door panel where the conductor
    (guard) presses a door open/close button repeatedly (which was needed with
    the old pneumatic system on the old cars).
    
    Most disturbing was the early brake failures.  The computer-controlled
    braking systems would on occasion react very slowly to braking commands.
    This caused a number of trains to be removed from service, enroute.
    
    Oddly enough, the 30 year old electric units the LIRR has, which have been
    battered and poorly maintained, seem to run just fine without all this
    computer stuff in them.
    
    ------------------------------
    
    Date: Mon, 18 Jun 2001 12:03:50 -0400
    From: Tom Van Vleck <thvvat_private>
    Subject: Lincolnshire University offers first course on rail disasters
    
      http://dailynews.yahoo.com/h/nm/20010618/od/college_dc_1.html
    
    ------------------------------
    
    Date: Thu, 14 Jun 2001 08:11:00 -0400
    From: "Chris Norloff" <cnorloffat_private>
    Subject: NYSE: "Throw up your hands and reboot"
    
    When the New York Stock Exchange computer systems crashed for 85 minutes (8
    Jun 2001), Andrew Brooks, chief of equity trading at Baltimore mutual fund
    giant T. Rowe Price, was quoted as saying "Hey, we're all subject to the
    vagaries of technology. It happens on your own PC at home. You just throw up
    your hands and reboot."
    
    The RISKS?
    
    Thinking that a world trading center needs no more reliability than a
    desktop PC.
    
    A certain company (who's "not a monopoly") is training legions of users to
    expect computer systems to be unreliable.
    
    source:
    http://www.washingtonpost.com/ac3/ContentServer?articleid=A42885-2001Jun8&pagename=article
    
    Chris Norloff
    
    ------------------------------
    
    Date: Wed, 13 Jun 2001 16:53:44 -0400
    From: "David M Chess" <chessat_private>
    Subject: Re: Billboard error messages (RISKS-21.45,46)
    
    The most notable example I've seen was one of those portable highway-side
    signs that was declaring in foot-high letters "BATTERIES NEED RECHARGING".
    I suffered momentary brain-lock trying to figure out how it could know that
    some car going by had a battery problem.
    
    The general risk, of course, is in piping STDERR to STDOUT.  Web sites that
    send complex error dumps to visitors' browsers are doing the same pointless
    thing...
    
    ------------------------------
    
    From:  "Kevin Postlewaite" <kevin.postlewaiteat_private>
    To:  "'lwnat_private'" <lwnat_private>
    Subject: Response to LWN's statement about Linux security costs
    Date:  Thu, 31 May 2001 12:25:25 -0700
    
      [From Linux Weekly News, courtesy of Gerrit Muller, Re: 
        http://www.extra.research.philips.com/natlab/sysarch/]
    
    In LWN's front page article about the relative security costs of Linux
    versus Windows, you wrote:
      "While it is nice to see a (hopefully) objective result that favors Linux,
      it is also a little disappointing. 5-15% is a fairly small margin; we
      should really be able to do better than that. It's a start, anyway. "
    
    I used to work for PricewaterhouseCoopers auditing computer security of our
    clients.  We would go in and try to penetrate our clients' systems (with
    their permission, of course).  The main flaws that existed did not have to
    do with the particular OS but depended on the skill and conscientiousness of
    the system administrators, as well as the computer-security education of the
    company's employees.  The most successful penetrations were obtained when
    some sysadmin would set the root password to root (or better yet, none at
    all) or have the Windows Administrator password be Administrator.  Also, a
    surprisingly high number of employees would gladly give out useful
    information (including accounts and passwords) to people that they didn't
    know over the phone.  People were the weakest link, not the OSes.  Thus, I
    wouldn't expect that the underlying OS would affect the expected damages by
    much.  Far more important than installing Linux is educating the users(not
    that they shouldn't install Linux anyway :-) ).
    
    -Kevin
    
    ------------------------------
    
    Date: Thu, 07 Jun 2001 20:37:04 -0700
    From: "George C. Kaplan" <gckaplanat_private>
    Subject: Windows XP adds its own links
    
    Walter S. Mossberg's "Personal Technology" (*Wall Street Journal*, 7 Jun
    2001) describes a new "feature" of Internet Explorer under Windows XP: it
    will turn some words on web pages you view into hyperlinks, pointing to
    Microsoft web sites.
    
    So, first we have Office XP changing your documents as you type them,
    without telling you (Jonathan Arnold, RISKS-21.42).  Now Internet
    Explorer will edit your documents for you at the other end:  when 
    people read them.  
    
    Mossberg discusses this feature and the associated risks in detail.
    Microsoft's arrogance shines through brilliantly in one quote: the new
    feature "will spare users from 'under-linked' sites".
    
    Words fail me.
    
    George C. Kaplan, Communication & Network Services
    University of California at Berkeley 510-643-0496 gckaplanat_private
    
    ------------------------------
    
    Date: Thu, 14 Jun 2001 08:42:32 +1000
    From: Andy Newman <andyat_private>
    Subject: Re: Office XP modifies what you type (Deegan/Arnold, RISKS-21.42)
    
    Thanks to the many who pointed out my mis-reading of the RFC and the missing
    of the empty path segment.  Therefore MS *are* wrong in modifying the path.
    The interesting thing is I fell into the risk I pointed out - seeing a
    collection of '/' separated tokens (empty or not) made me apply a file
    system interpretation to a URL and stopped me even contemplating what use an
    empty path component is and why it should be valid.
    
    Andy Newman, Silverbrook Research, <andyat_private>
    
    ------------------------------
    
    Date: Wed, 13 Jun 2001 17:05:56 +1000
    From: "Gerard A. Joseph" <gerardat_private>
    Subject: Re: Office XP modifies what you type (Deegan/Arnold, RISKS-21.42)
    
    I am in total agreement with the people complaining about
    automatically-enabled mechanisms that unilaterally correct textual input.
    
    I have just migrated to Windows 2000 and am now in a state of euphoria that
    I can actually enter a one-word folder name in upper case without the second
    and subsequent letters being preemptively and irreversibly changed to lower
    case.  Imagine, I can now name a folder NSA without it reappearing as Nsa.
    (If it was possible to do this in Windows 95, no one was able to tell me
    how.)
    
    For years, I have had to put up with such aberrations as letters addressed
    to "Mr Ga Joseph", a combination of an autocorrect feature that is enabled
    by default (or by an administrator), and an imbecilic writer who (a) omits
    periods between initials, (b) doesn't know how to either turn off the
    feature or reverse its individual perpetrations, (c) accepts as gospel
    anything the word processor dishes up from his input, and (d) lacks the
    intelligence or good manners to care about any of the foregoing.  And then
    all those well-known organizations Ibm, Cia, Hr, Po, Cert, Un, etc.
    
    Of course, at the spiritual heart of all this nonsense is the bone-headed
    spelling checker, one of the stupidest abominations ever unleashed on a
    para-literate user community.
    
    There's a universal truth, as true in textual composition as it is in 
    computer security: no piece of technology can substitute for appropriate 
    human practices.
    
    ------------------------------
    
    Date: Fri, 15 Jun 2001 06:19:25 -0000
    From: chrisdat_private (Chris Dodd)
    Subject: Re: Steve Gibson's and Windows XP (Crooke, RISKS-21.46)
    
    > It is also time for backbone providers to introduce sensible firebreaks
    > and reduce their trust in traffic passing through their systems.
    
    IMO this conclusion is completely wrong -- the whole point of the Internet
    is that the component parts need not be trusted to be infallible.  Its never
    been the case that the endpoints are entirely trustworthy, but as the
    Internet grows, this problem becomes more noticeable.  As far as the
    proposed solution is concerned, its already the case that potentially useful
    features of the Internet (such as source routing) are mostly useless due to
    the fact that many routers don't follow the protocol in the name of
    security.  Source IP filtering (at least as proposed by RFC 2827) is even
    worse, as it breaks things that are actually being used, such as Mobile IP
    (RFC 2002).  What's more, it wouldn't even do anything to stop the attack
    reported by Steve.
    
    The real RISK here is in the rush to improve security (at least for some
    people), we end up seriously impairing the functionality of the Internet for
    everyone.
    
    Chris Dodd <chrisdat_private>
    
    ------------------------------
    
    Date: Thu, 14 Jun 2001 06:48:09 +1000 (EST)
    From: tmjat_private (Tony Martin-Jones)
    Subject: Re: The risks of clueless marketing (J.McCarthy RISKS-21.46)
    
    On the contrary: as "XP" are the Greek letters of the chi-rho, the monogram
    for the name of Christ, they obviously hope it will be Micros**t's saviour.
    
    ------------------------------
    
    Date: Thu, 14 Jun 2001 17:31:03 GMT
    From: Phil Carmody <fatphil_without_this_suffixat_private>
    Subject: Re: And you thought Keith Lynch was kidding! (RISKS-21.47)
    
    It's not really the 'HEX' that is the gz file, it's the 'binary', written in
    LSB-last format (and the LSB is byte-aligned).  For reference, it is not the
    whole of the source that has been zipped, as that was too large to
    mathematically prove as prime -- it is just the descramble functions.  My
    justification was that copyleft's 2 T-shirts did the same split, and they
    were subpoenaed for them both. No attempt was made to be clever, I simply
    wanted source code that had been already accused of being a circumvention
    device to be propagated.
    
     [My favourite headline was "When Mathematicians Turn Bad", in *The Register*.]
    
    Phil
    
        [Phil noted subsequently that Keith's posting was two months after
        Phil's earlier postings, and that RISKS is actually recycling a topic
        that has been beaten to death elsewhere.  Apologies to readers of
        elsewhere.  PGN]
    
    ------------------------------
    
    Date: 14 Jun 2001 10:28:43 -0400
    From: paswardat_private
    Subject: Re: And you thought Keith Lynch was kidding! (PGN, RISKS-21.42)
    
    One of the strangest consequences of copyright law is that it would seem to
    outlaw possession of certain integers, as does trademark and trade secret
    law.  In fact, any piece of intellectual property can be encoded as a single
    integer, which would be protected.  Don't blame DMCA for what is an inherent
    property of all intellectual property law.
    
    paulward (DrGS)
    
    ------------------------------
    
    Date: Wed, 13 Jun 2001 21:11:32 EDT
    From: KCKnowltonat_private
    Subject: Re: And you thought Keith Lynch was kidding!
    
    Illegal possession of certain integers (RISKS Vol 21 Issue 47) is not really
    new.  Any 10-color, 200x200-pixel image of child pornography is simply a
    40,000-digit integer that I think, for quite some time now, has been illegal
    for you to possess.
    
    Ken Knowlton
    
    ------------------------------
    
    Date: Thu, 14 Jun 2001 03:55:13 -0400
    From: "The guy named after an Om Kalthoum song" <ocschwarat_private>
    Subject: On the deceptiveness of pop-under ads (Re: RISKS-21.47)
    
    Nytimes.com and latimes.com do indeed use pop-unders, but if you look at the
    script used to pop them, you will find that in the NY Times version, there
    is a myDelay variable, but it is set to 0, and no such variable in the LA
    Times version.
    
    The folks in fastclick.net ought to kick themselves for even thinking of
    delaying the pop-unders, without which their ethics would be less likely to
    fall under criticism.  The folks in nytimes.com deserve both credit and
    discredit for setting myDelay to 0. Of course, this still leaves them open
    to reprobation if someone visits their site while his computer is under a
    heavy load, and the pop-under takes a while to pop under.
    
    Pop-unders, when their origin isn't concealed, are actually a smart idea.
    One of the problems with web advertising for funding the Web is that under
    that scheme writers attract viewers only to send them to who-knows-where.
    This solves that problem by attracting the viewer to the ad after he is done
    reading the article and thus more likely to have a look-see.
    
    And the RISK? There is no need to compromise 
    your own reputation by writing the equivalent of this:
    " $I_Am_Slimy = 0; if ($I_Am_Slimy) { ... }" when 
    you can just choose not to be slimy. 
    
    ------------------------------
    
    Date: 12 Feb 2001 (LAST-MODIFIED)
    From: RISKS-requestat_private
    Subject: Abridged info on RISKS (comp.risks)
    
     The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) 
     if possible and convenient for you.  Alternatively, via majordomo, 
     SEND DIRECT E-MAIL REQUESTS to <risks-requestat_private> with one-line, 
       SUBSCRIBE (or UNSUBSCRIBE) 
     which now requires confirmation to majordomoat_private (not to risks-owner)
     [with option of E-mail address if not the same as FROM: on the same line,
     which requires PGN's intervention -- to block spamming subscriptions, etc.] or
       INFO     [for unabridged version of RISKS information]
     .MIL users should contact <risks-requestat_private> (Dennis Rears).
     .UK users should contact <Lindsay.Marshallat_private>.
    => The INFO file (submissions, default disclaimers, archive sites, 
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues.  *** All 
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risksat_private with meaningful SUBJECT: line.
    => ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
       [volume-summary issues are in risks-*.00]
       [back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
     http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
       Lindsay Marshall has also added to the Newcastle catless site a 
       palmtop version of the most recent RISKS issue and a WAP version that
       works for many but not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing, 
        http://www.csl.sri.com/illustrative.pdf or .ps for printing
    
    ------------------------------
    
    End of RISKS-FORUM Digest 21.48
    ************************
    



    This archive was generated by hypermail 2b30 : Mon Jun 18 2001 - 12:56:14 PDT