[risks] Risks Digest 21.51

From: RISKS List Owner (riskoat_private)
Date: Mon Jul 16 2001 - 14:49:45 PDT


    RISKS-LIST: Risks-Forum Digest  Monday 16 July 2001  Volume 21 : Issue 51
    
       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
    
    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/21.51.html>
    and by anonymous ftp at ftp.sri.com, cd risks .
    
      Contents:
    CD-eating fungus amongus (Gary Stock)
    The computer is taking over the train (Hanan Cohen)
    Trains Ain't Planes, it's plain to see (Daniel P Dern)
    Eli Lilly e-mail snafu reveals identities of Prozac users (Jeremy Epstein,
      Allan Noordvyk)
    Brownouts take out computers in Livermore (Fred Cohen)
    Phoenix BIOS phones home? (Merlyn Kline)
    Hacked caller ID? (Alexandre Pechtchanski)
    Anatomy of an Internet scam (NewsScan)
    Who watches the watchdog? (Gary Barnes)
    Autoresponder goes haywire (Joshua M Bieber)
    Auto-banner ads (Mark Richards)
    Microsoft pulls controversial Smart-Tag feature (NewsScan)
    Yearly siren test ... (Marco Frissen)
    4 to 6 *million* votes uncounted in 2000 election (PGN)
    US Voting Systems Standards - available for public comment (Thom Wysong)
    Re: Electoral fraud (David Hedley, Lindsay Marshall)
    Re: WashingtonPost.com real estate database (Tramm Hudson)
    Re: Uncleared disk space and MSVC (John Sullivan, Peter da Silva)
    Re: The risks of clueless marketing (Toby Riddell)
    10th USENIX Security Symposium (Tiffany Peoples)
    Abridged info on RISKS (comp.risks)
    
    ----------------------------------------------------------------------
    
    Date: Tue, 19 Jun 2001 13:22:22 -0400
    From: Gary Stock <gstockat_private>
    Subject: CD-eating fungus amongus
    
    From Electronic Telegraph:
    
       http://www.telegraph.co.uk/et?ac=004299402432522&rtmo=k7bZ7bYp&atmo=rrrrrrrq&pg=/et/01/6/18/wfung18.html
    
    Scientist finds fungus that eats through compact discs
    By Robert Uhlig, Technology Correspondent
    
    FIRST there was the computer virus. Now scientists have found a fungus
    that eats compact discs.
    
    Victor Cardenes, of Spain's leading scientific research body, stumbled
    across the microscopic creature two years ago, while visiting Belize.
    Friends complained that in the hot and sticky Central American climate,
    a CD had stopped working and had developed an odd discoloration that
    left parts of it virtually transparent.
    
    Dr Cardenes and colleagues at the Superior Council for Scientific
    Research in Madrid discovered a fungus was steadily eating through the
    supposedly indestructible disc. The fungus had burrowed into the CD from
    the outer edge, then devoured the thin aluminium layer and some of the
    data-storing polycarbonate resin. 
    
    Dr Cardenes said: "It completely destroys the aluminium. It leaves
    nothing behind." Biologists at the council had never seen this fungus,
    but concluded that it belonged to a common genus called geotrichum. 
    
    Philips, the Dutch electronics company that invented the compact disc,
    said it believed the Belize case was probably a freak incident caused by
    extreme weather conditions.
    
    Gary Stock  UnBlinking  gstockat_private  http://unblinking.com/
    
    ------------------------------
    
    Date: Thu, 12 Jul 2001 08:50:58 +0200
    From: Hanan Cohen <hanan_cohenat_private>
    Subject: The computer is taking over the train
    
    Overheard on the MUNI this morning: "Hang on, please. The computer is
    taking over the train." A feeling of dread rippled through the train.
    "Finally," we all thought, "the war with the machines is beginning."
    
    http://www.kottke.org/notes/0107.html#010711
    
    Hanan Cohen - http://www.info.org.il
    
    ------------------------------
    
    Date: Wed, 20 Jun 2001 10:19:12 -0400 (EDT)
    From: Daniel P Dern <ddernat_private>
    Subject: Trains Ain't Planes, it's plain to see
    
    Usually, I do my work-related travel between Boston and New York by
    plane, but I've been meaning to try train again, especially Amtrak's
    allegedly-faster Acela.
    
    So I call the company travel office to make reservations.  (I already
    know which trains -- whatever the rail equivalent of "flights" is --
    I want.)  An e-mail confirmation shows up a few minutes later, with a URL
    pointing to an itinerary.
    
    The itinerary showed the correct train numbers and arrival times.  No
    departure times.
    
    And had me going between (something like, IIRC) Aptco Test, Texas and
    someplace in Arkansas.
    
    I called the travel group back; they called Amtrak.  My reservation's
    correct, but when the Amtrak system passed info to the next system, it tried
    to parse City Codes as Airport Codes.
    
    More obvious than the "metric vs. English" glitch, but still shows that just
    because two programs _can_ talk to each other doesn't mean they've agreed on
    what they're saying...  Fortunately, if I get on a southbound train from
    Boston (traveling at n miles an hour accompanied by a parrot with a balloon
    tied to one foot) it'll be hard to miss arriving in New York.
    
    Daniel Dern, Executive Editor, Byte.com <ddernat_private>
    
    ------------------------------
    
    Date: Thu, 5 Jul 2001 18:31:50 -0400
    From: "Jeremy Epstein" <jepsteinat_private>
    Subject: Eli Lilly e-mail snafu reveals identities of Prozac users
    
    Eli Lilly sent an announcement that it was discontinuing a mailing list,
    using CC instead of BCC.  Some of the more than 600 recipients were unhappy
    about having their e-mail addresses and Prozac use disclosed, because the
    purpose of the list was to send out reminders to fill prescriptions for the
    anti-depressant drug.  According to a *ComputerWorld* article, "Eli Lilly is
    preparing a code audit review and 'working on a program that would block all
    outbound e-mails with more than one address.'"  The American Civil Liberties
    Union (ACLU) has asked the Federal Trade Commission (FTC) to investigate.
    
    A little bit of anonymity is a good thing, even if it's not totally
    anonymous (e.g., a Hotmail account).
    
    ------------------------------
    
    Date: Thu, 5 Jul 2001 12:56:29 -0700 
    From: Allan Noordvyk <anoordvykat_private>
    Subject: Eli Lilly e-mail snafu reveals identities of Prozac users
    
    This kind of error is made frequently by new users of e-mail software, but
    it is interesting (but perhaps not surprising) to see that corporations
    running large mailing lists occasionally make the same error.  In either
    case, it's usually merely an annoyance, or a strategic embarrassment (i.e.,
    effectively giving away your customer list to your competitors).  However,
    in this case the desire of the patients to keep their medical condition
    private adds another, more serious layer to the risk.
    
    Allan Noordvyk
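    The outbound-mail guard that Eli Lilly said it was building ("block all
    outbound e-mails with more than one address"), written out as an added
    illustration for the two messages above; it is not code from either
    contributor or from Lilly.  It parses an outgoing message, counts the
    addresses visible in To: and Cc:, holds anything over the limit, and shows
    the Bcc-style rewrite that leaves only the list's own address visible while
    the real recipients travel in the SMTP envelope.  The addresses, the sample
    message and the function names are all constructed for the example.

```python
"""Outbound mail guard: hold messages that expose a recipient list in To:/Cc:."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample: a list announcement with every subscriber in Cc (the
# mistake described above), using made-up addresses.
SAMPLE = """\
From: reminders@example.test
To: reminders@example.test
Cc: alice@example.test, bob@example.test, carol@example.test
Subject: This reminder service is being discontinued

The reminder programme will end next month.
"""


def parse(text):
    """Parse an RFC 822 message text into an EmailMessage."""
    return email.message_from_string(text, policy=policy.default)


def visible_recipients(msg):
    """Every address a recipient of this message can read off the headers (To + Cc)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def exceeds_limit(msg, limit=1):
    """The rule quoted in the article: hold outbound mail that shows more than
    `limit` addresses.  Returns True when the message should be held."""
    return len(visible_recipients(msg)) > limit


def rewrite_as_bcc(msg, list_address):
    """Return (sanitised message, envelope recipients).

    The visible To: header carries only the list's own address; the real
    recipients are returned separately so the mailer can put them in the SMTP
    envelope (RCPT TO) without ever writing them into a header, which is what
    Bcc: means in practice.
    """
    recipients = visible_recipients(msg)
    clean = EmailMessage(policy=policy.default)
    for name, value in msg.items():
        if name.lower() not in ("to", "cc", "bcc"):
            clean[name] = str(value)
    clean["To"] = list_address
    clean.set_content(msg.get_content())
    envelope = [r for r in recipients if r != list_address]
    return clean, envelope


if __name__ == "__main__":
    original = parse(SAMPLE)
    print("visible recipients:", visible_recipients(original))
    print("hold this message?", exceeds_limit(original))
    fixed, envelope = rewrite_as_bcc(original, "reminders@example.test")
    print("after rewrite, visible:", visible_recipients(fixed))
    print("envelope recipients (never shown to other recipients):", envelope)
```

    The guard deliberately counts addresses rather than headers: a single Cc:
    line with 600 comma-separated addresses is still 600 disclosures.  Run at
    the outbound relay it catches the mistake regardless of which mail client
    or bulk-mailing program produced the message.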
    
    ------------------------------
    
    Date: Thu, 12 Jul 2001 16:27:52 -0700 (PDT)
    From: Fred Cohen <fcat_private>
    Subject: Brownouts taking out computers in Livermore
    
    On 11 Jul 2001, the power levels in Livermore, CA dropped to voltages so low
    that air conditioners and computers could no longer operate.  Computers and
    air conditioning units went off and on moment by moment -- some lighting
    systems ended up burnt out, and those without UPSs on their computers had
    significant data corruption.  It is especially noteworthy that this area was
    NOT among the areas scheduled for blackouts.
    
    It turned out to be a set of changes they were making in the infrastructure
    -- half of our house lost power, the other half still worked.  We
    went to a motor generator for the down half till we determined what was up,
    then switched over to a cross feed from the rest of the house.  When power
    came back we switched back - thank you UPSs and motor generators...
    
    Fred Cohen at Sandia National Laboratories at tel:925-294-2087 fax:925-294-1225
    Fred Cohen & Associates: http://all.net - fcat_private - tel/fax:925-454-0171
    Fred Cohen - Practitioner in Residence - The University of New Haven
    
    ------------------------------
    
    Date: Wed, 20 Jun 2001 10:04:48 +0100
    From: "Merlyn Kline" <merlynat_private>
    Subject: Phoenix BIOS phones home?
    
    From slashdot: http://slashdot.org/yro/01/06/19/2039216.shtml
    
    Myrv writes: "There is an interesting thread over at DSL Reports discussing
    Phoenix Technologies new BIOS. This BIOS contains the PhoenixNet Internet
    Launch System. ILS resides safely within ROM and is activated the first time
    a user launches a PhoenixNet-enabled PC with a Windows 98 Operating
    System. When the PhoenixNet ILS detects an Internet connection, it makes
    contact with the PhoenixNet server and delivers user-selectable
    services. These services are delivered to the user as hotlinks on the
    desktop and in the web browser or, as applications that PhoenixNet
    automatically packages, downloads and installs. It's 3 a.m., do you know who
    your motherboard's talking to????"
    
    Merlyn Kline = merlynat_private 
    
    ------------------------------
    
    Date: Fri, 13 Jul 2001 15:53:49 -0400
    From: Alexandre Pechtchanski <pechtcaat_private>
    Subject: Hacked caller ID?
    
    I've recently discovered an incoming number in my caller ID list that looks
    suspiciously like a hack.  The number is listed as 212-555-1212, which is
    long-distance directory assistance for New York, NY and, AFAIK, cannot be an
    originating number.  I called Verizon Communications, which serves both my
    home code 201 and New York's 212, and their service representative confirmed
    that the call could not have originated from this number, but refused to
    speculate on why I would see it on my caller ID.  I wonder how long it will
    take for exploits of such a hole in the telecommunication infrastructure to
    invalidate law enforcement evidence as in, say, the RISKS-21.50 article by
    <knhawat_private> on Risks in inept election fraud, which mentions
    that
     > * Prosecutors say they traced the IP address back to an AT&T
     >WorldNet user who repeatedly used the "Katie Stevens" Hotmail
     >account by connecting from Gunhus' home number. (Guess they keep
     >Caller ID logs.)
    
    Alexandre Pechtchanski, Systems Manager, RUH, NY
    
    ------------------------------
    
    Date: Tue, 03 Jul 2001 09:54:11 -0700
    From: "NewsScan" <newsscanat_private>
    Subject: Anatomy of an Internet scam
    
    Federal investigators have charged 53-year-old mid-westerner Donald A.
    English with perpetrating an Internet-based "Ponzi" scheme that bilked tens
    of thousands of small investors out of $50 million. In a Ponzi scheme, early
    investors are paid phony "profits" from the money taken from other investors
    who follow them, after hearing about the huge, fast profits.  Since no money
    is really being earned, the pyramid eventually collapses, when the supply of
    new investors diminishes. Many of the investors in English's operation,
    which was called EE-Biz Ventures, were people who are elderly or sick. One
    of them wrote: "I need at the least a full refund of the $3,000 spent if you
    do not intend to pay anyone back.  Remember, I have cancer and am unable to
    work for the next six months."  [*The New York Times*, 3 Jul 2001,
    http://partners.nytimes.com/2001/07/03/business/03PONZ.html; NewsScan Daily,
    3 July 2001]
    
    ------------------------------
    
    Date: Fri, 22 Jun 2001 08:37:25 +0100
    From: Gary Barnes <gkbat_private>
    Subject: Who watches the watchdog?
    
    Thousands of consumers' credit card details were leaked by a "flaw" on a
    (UK) Consumers' Association website, according to the BBC:
      http://news.bbc.co.uk/hi/english/business/newsid_1401000/1401648.stm
    
    The consumers affected were people who had bought tax calculation software 
    from the Consumers' Association.
    
    The ironic thing is that as a watchdog organisation for consumers, the
    Consumers' Association is responsible for administering the Which? Web
    Trader scheme which aims to make online shopping "easy and safe".
    
    The Which? Web Trader Code of Practice at:
    
    http://whichwebtrader.which.net/webtrader/code_of_practice.html
    
    says of sites displaying the Which? Web Trader logo:
    
    "You must have an effective security policy that you review regularly. 
    
     Your policy must include the following: 
    
     - you must ensure that your web site is secure so that consumers' personal
     information and transactions remain confidential and cannot be interfered
     with"
    
    This incident will do more than most to make consumers aware of the RISKS of
    shopping on the Net, given the current level of security of Web traders'
    sites.
    
    Gaz  gkbat_private (Gary "Wolf" Barnes)
    
    ------------------------------
    
    Date: Fri, 13 Jul 01 09:50:36 EDT
    From: "Joshua M Bieber (852-5436)" <jbieberat_private>
    Subject: Autoresponder goes haywire
    
    I had a strange experience with one of the mailing lists that I subscribed
    to a week ago.  I am sure that this was mentioned in the past; if so,
    perhaps it is time for a reminder...
    
    Basically what happened was that one of the subscribers to the mailing list
    decided to get a new e-mail address, and as a courtesy to those who still
    use the old e-mail address, set up an autoresponder on the old e-mail
    address that sends the following message: (you know what got changed to
    protect who)
    
    >  From: guilty.oldaddy.com
    >  To:   you.youraddy.com
    >  Subject: Re: current discussion topic
    >
    >  Hello,
    >  My new e-mail address is guilty.newaddy.com
    >  Guilty Person
    
    Ok, so what happened? Well, someone decided to post a message to the mailing
    list which promptly sent a copy to all subscribers.  The autoresponder
    picked it up and posted the above message to the sender which happened to be
    the mailing list.  The mailing list then sent a copy of the autoresponder's
    e-mail to all subscribers including the sender.  The autoresponder then sent
    another e-mail to remind the mailing list of the new address.  Ad infinitum.
    
    I was surprised to see 15 such entries in my mailbox when I checked my
    e-mail before logging off that Sunday night.  When I realized that this was
    what had happened, I immediately notified via ICQ the owner of that mailing
    list, who happened to be on-line, and she was able to put a stop to it
    immediately.  It isn't clear to me at this point whether she actually
    stopped it or the guilty person logged on at that time and put a stop to it.
    By the time it stopped, a total of 46 notifications were sent.  This took up
    100MB of my allotted 4000MB mailbox space at malaspina.com. So if this hadn't
    been stopped in time, a lot of mailboxes would have been full.
    
    So what went wrong?  For starters:
    
    1) Guilty Person forgot to change all mailing list subscriptions or,
       more specifically, this particular one.
    2) The autoresponder wasn't configured to send exactly one e-mail to
       any given user (or a maximum of one per day).
    3) The mailing list in question didn't have a mechanism that would
       recognize a duplicate message body being sent over and over again
       and reject duplicate submissions.
    
    I notified the mailing list site with a copy of the offending e-mail
    explaining what happened and asked them to do what they can to prevent this
    from happening again.  The mailing list owner deleted the duplicate entries
    from the archives and Guilty Person apologized.
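    The loop described above, and the effect of fixes 2) and 3), as an added
    simulation; this is not code from the contributor, the mailing-list
    software or the autoresponder involved.  A list with two subscribers (you
    and the old address) is modelled alongside a responder that answers
    everything reaching the old address.  With neither fix the list and the
    responder feed each other until an artificial delivery cap stops the run;
    with either fix the queue drains after a single notice.  All addresses,
    class and function names are constructed for the example.

```python
"""Mailing-list / autoresponder mail loop, with and without the two fixes."""
import hashlib
from collections import deque
from dataclasses import dataclass

# Constructed addresses for the simulation.
LIST = "list@example.test"
YOU = "you@example.test"
OLD = "guilty@oldaddy.example.test"
NEW = "guilty@newaddy.example.test"


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    body: str


class Autoresponder:
    """Answers every message reaching the old address with a 'new address' note.

    per_sender_limit=None reproduces the unlimited responder from the story;
    per_sender_limit=1 is fix 2): at most one notice per sender (per day).
    """

    def __init__(self, old, new, per_sender_limit=None):
        self.old, self.new, self.limit = old, new, per_sender_limit
        self.sent = {}  # sender -> notices already sent

    def handle(self, msg):
        count = self.sent.get(msg.sender, 0)
        if self.limit is not None and count >= self.limit:
            return None  # fix 2): this sender has had its notice already
        self.sent[msg.sender] = count + 1
        return Message(self.old, msg.sender, "Re: " + msg.subject,
                       f"Hello,\nMy new e-mail address is {self.new}\n")


class MailingList:
    """Redistributes each accepted post to every subscriber, sender included."""

    def __init__(self, address, subscribers, reject_duplicates=False):
        self.address, self.subscribers = address, list(subscribers)
        self.reject_duplicates = reject_duplicates  # fix 3)
        self.seen_bodies = set()

    def post(self, msg):
        """Return the copies to deliver, or [] if the post is rejected."""
        digest = hashlib.sha256(msg.body.encode()).hexdigest()
        if self.reject_duplicates and digest in self.seen_bodies:
            return []  # fix 3): same body as an earlier post, drop it
        self.seen_bodies.add(digest)
        return [Message(self.address, s, msg.subject, msg.body)
                for s in self.subscribers]


def simulate(per_sender_limit=None, reject_duplicates=False, max_deliveries=200):
    """Deliver queued mail until the queue drains or max_deliveries is reached.

    Returns (notices_in_your_mailbox, loop_terminated).  loop_terminated is
    False when only the delivery cap stopped the run, i.e. the loop is live.
    """
    mlist = MailingList(LIST, [YOU, OLD], reject_duplicates)
    bot = Autoresponder(OLD, NEW, per_sender_limit)
    queue = deque([Message(YOU, LIST, "current discussion topic",
                           "What does everyone think?\n")])
    notices = deliveries = 0
    while queue and deliveries < max_deliveries:
        msg = queue.popleft()
        deliveries += 1
        if msg.recipient == LIST:
            queue.extend(mlist.post(msg))
        elif msg.recipient == OLD:
            reply = bot.handle(msg)
            if reply is not None:
                queue.append(reply)
        elif msg.recipient == YOU and "new e-mail address" in msg.body:
            notices += 1  # one more copy of the notice in your mailbox
    return notices, not queue


if __name__ == "__main__":
    print("no fix applied:", simulate())
    print("responder limited to one notice per sender:", simulate(per_sender_limit=1))
    print("list rejects duplicate bodies:", simulate(reject_duplicates=True))
```

    The duplicate check hashes only the body, as the contributor's point 3)
    suggests: the responder prefixes "Re:" to the subject on every round, so a
    check on the whole message would never match.  Either fix alone is enough
    to break the loop, which is why both ends should have one.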
    
    ------------------------------
    
    Date: Thu, 12 Jul 2001 21:40:06 -0400
    From: "Mark Richards" <mark.richardsat_private>
    Subject: Auto-banner ads 
    
    As reported in last week's NTK digest (http://www.ntk.net), auto-generated
    banner ads (particularly when appearing in news pages) can generate
    significant embarrassment.
     
    NTK illustrates it at http://www.ntk.net/2001/07/06/dohburn.gif
    however they are not certain as to its authenticity.
     
    At any rate, having a banner ad titled "Burn baby, burn" (a reference to
    a CD ROM burner) above a story titled, "One toddler dead, another
    critical after house fire", certainly brings home the point.
     
    With mindless automation, the embarrassment possibilities are infinite.
     
    ------------------------------
    
    Date: Thu, 28 Jun 2001 09:18:41 -0700
    From: "NewsScan" <newsscanat_private>
    Subject: Microsoft pulls controversial Smart-Tag feature (Re: RISKS-21.46)
    
    Bowing to a wave of criticism, Microsoft says it will kill plans to include
    a Smart Tag feature in its forthcoming Windows XP operating system.  The
    feature would have allowed Internet Explorer to turn any word on any Web
    site into a link to Microsoft's own sites and services, or to a site of
    Microsoft's choosing. The company continues to defend Smart Tags in
    principle, and plans to work toward including it in a future version of
    Windows or Internet Explorer, but group VP Jim Allchin said the decision was
    made to remove the Smart Tags because "we got way more feedback than we ever
    expected." Although many people view the public reaction against Smart Tags
    as excessive, Wall Street Journal columnist Walter Mossberg says,
    "...Microsoft's dominant Internet Explorer browser is like a television set,
    or a digital printing press, for the Web. Its function is to render --
    accurately and neutrally -- all Web pages that follow standard
    programming... Microsoft has a perfect right to produce and sell its own Web
    content with its own points of view. But it is just plain wrong for the
    company to use the browser to seize editorial control and to steal readers
    from other sites." [*Wall Street Journal*, 28 Jun 2001
    http://interactive.wsj.com/archive/retrieve.cgi?id=SB993679289461737795.djm
    (sub req'd); NewsScan Daily, 28 June 2001]
    
    ------------------------------
    
    Date: Thu, 7 Jun 2001 13:39:58 +0200
    From: marco.frissenat_private
    Subject: Yearly siren test ...
    
    On 6 June 2001, 12:00, 12:05 and 12:10 were targeted for the siren test in
    the Netherlands. The sirens are used to warn people if a catastrophe has
    happened (remember Enschede, fireworks factory), or war has started.  In the
    past, when sirens were still mechanical, these tests occurred once every
    month (first Monday of the month).  Now, everything is computerised, and
    'they' have decided to test only once a year.  Well, after the test this
    time, a lot of sirens did not work at all, or some started too late.  In
    Limburg, a province in the south, 6 sirens refused to work, due to a software
    glitch.  In Groningen, in the North, also. Other areas were also 'silent'.
    
    Because the new sirens have high-tone 'woops', the sound doesn't travel
    nearly as far as the old sirens. If one fails, there's little chance of
    hearing another for people living close to the 'silent' siren.  The Risk?
    Only your life...
    
    Marco Frissen    CryptoWorks
    
    ------------------------------
    
    Date: Mon, 16 Jul 2001 14:05:13 PDT
    From: "Peter G. Neumann" <neumannat_private>
    Subject: 4 to 6 *million* votes uncounted in 2000 election
    
    One person, one vote?  NO.  And Florida was not the worst state.  According
    to the Caltech/MIT study, Illinois, South Carolina, Idaho, Wyoming, and
    Georgia had even higher rates of uncounted ballots.  In all, up to 2 million
    ballots were discarded because of faulty/aged equipment or poorly designed
    ballots; up to 3 million due to registration foul-ups; up to another million
    or so because of polling-place screwups; and an unknown number of absentee
    ballots discarded.
      http://www.cnn.com/2001/ALLPOLITICS/07/16/voting.problems/index.html
    
    And the 15 Jul 2001 issue of *The New York Times* had several articles
    documenting widespread irregularities in the counting of absentee ballots in
    Florida.
    
    ------------------------------
    
    Date: Mon, 02 Jul 2001 22:35:36 -0400
    From: Thom Wysong <wysongat_private>
    Subject: US Voting Systems Standards - available for public comment
    
    The US Federal Election Commission (FEC) has made available for public
    comment an updated version of their Voting Systems Standards (VSS). The
    original US VSS were published in 1990. They have gone un-revised until
    now. The draft for the updated "Volume 1: Voting System Performance
    Standards" is currently available. The draft for the updated "Volume 2:
    Voting System Test Standards" is scheduled to be released for public comment
    in late 2001.
    
    The FEC press release is at http://www.fec.gov/press/062801nvra.html
    
    An overview of the Voting Systems Standards is at 
    http://www.fec.gov/pages/standardsoverview.htm
    
    The current draft of VSS Volume 1 is at 
    http://fecweb1.fec.gov/pages/vss/062801vss.html
    
    Comments may be submitted to the FEC at vssat_private
    
    ------------------------------
    
    Date: Fri, 13 Jul 2001 14:13:40 +0100
    From: David Hedley <dhedleyat_private-net.com>
    Subject: Re: Electoral fraud (Finch, RISKS-21.50)
    
    While not disagreeing that fraud in UK Elections has been made easier by
    easing restrictions on postal votes, things are not as bad as Tony Finch
    implies.
    
    The procedure is as reported - I can phone and ask for as many forms as I
    wish. But I can't just sit and fill them all in. To obtain a postal vote,
    it is necessary to be on the electoral register to start with. If you are
    on the register, then you can fill in one form for a postal vote, and
    receive your postal vote. In the past, you were expected to vote in person
    unless there was a good reason not to do so. Now, anyone may obtain a
    postal vote. The voting papers are then sent to your address for you to
    fill in and return by post. You are blocked from voting in person. Filling
    in a second form (for the same voter) does not acquire an extra vote!
    
    The system is open to fraud. To get on the electoral register is easy. All
    there is to do is list the people who live at an address on a particular
    date and who are eligible to vote. It is presumably easy to add a few names
    at this stage. It is also not unknown for impostors to vote, especially for
    dead people. It is extremely rare, however, for an impostor to vote instead
    of a living person.
    
    There is now an extra potential for fraud. In the past, postal votes could
    only be obtained for one vote at time. Now it is possible to obtain a
    postal vote for life, no matter what changes of address occur.
    
    I can also assure Tony that many Brits are happy to criticise the US
    "banana republic election" and don't feel pillocks for doing so.
    
    I am happy that (a) my [postal] vote was counted, (b) I was not barred from
    voting because I lived in a black neighbourhood and/or may have once had a
    conviction, (c) the voting process and checking of electoral lists is not
    in the hands of a political party, (d) the judges who rule on the validity
    of the voting are not appointees of a political party.
    
    And, of course, the party with the most votes won the election.
    
    David Hedley
    
    ------------------------------
    
    Date: Fri, 13 Jul 2001 11:04:58 +0100 (BST)
    From: Lindsay.Marshallat_private
    Subject: Re: Electoral fraud (Finch, RISKS-21.50)
    
    Tony Finch describes the process for getting a postal vote in the UK. His
    description does not match my experience at all. Yes, I had to phone a
    number, but I was then sent an *application* form which I had to fill in and
    return. There was never any opportunity a) for saying how many votes I
    wanted or b) for getting more vote forms. (I should also add that there was
    never any opportunity for me to vote either, as the post office managed to
    take over a week to deliver my application and so I missed the closing date
    for applications, so I never even got to see a postal vote form.)
    
    http://catless.ncl.ac.uk/Lindsay
    
    ------------------------------
    
    Date: 18 Jun 2001 23:50:14 GMT
    From: hudsonat_private (Tramm Hudson)
    Subject: Re: WashingtonPost.com real estate database
    
    Nick Laflamme <dplaflammeat_private> wrote in comp.risks 21.49:
    > WashingtonPost.com, in association with a local real estate agency, has put
    > up a database of home sale prices and property tax appraisal values.
    
    I had to check the price for the most famous address in the DC area,
    2600 Pennsylvania Ave NW.  According to the database, it is owned by
    the Exxon Corporation, has zero bathrooms and was assessed at US$1.3M.
    
    My screenshot of the listing is available here:
    
       http://www.swcp.com/~hudson/whitehouse.html
    
    The risks are obvious...
    
    hudsonat_private  hudsonat_private  http://www.swcp.com/~hudson/ 
    W 505.986.60.75  KC5RNF @ N5YYF.NM.AMPR.ORG            
    
    ------------------------------
    
    Date: Fri, 13 Jul 2001 03:40:16 +0100
    From: John Sullivan <johnat_private>
    Subject: Re: Uncleared disk space and MSVC (Winfrey, RISKS-21.50)
    
    > Anyone compiling programs with MSVC may want to examine the output closely
    > for data that shouldn't be there.
    
    Well, it's not really MSVC's fault - it is definitely the operating system's
    job to make sure that no sensitive data is leaked from one process to
    another, in any way whatsoever. If MSVC exhibits this behaviour then it
    could just as easily happen to Word or any other application, and I bet your
    company sends out far more Office documents than finished executables.
    
    You didn't mention what OS or filesystem you were running. If it was Windows
    95/98/ME or NT on a FAT filesystem, then it would still be a seriously bad
    defect, but one I wouldn't be *too* surprised to see existing.  If it was NT
    on an NTFS filesystem, then it is absolutely unforgivable because that's
    exactly the sort of leak it claims to prevent.
    
    And don't forget that even if your OS doesn't leak sensitive information via
    disk or memory allocations, most compilers *deliberately* leak small
    amounts of information identifying the build environment - for example gcc
    puts dummy symbols "gcc2_compiled." in all object files which you have to be
    careful to strip out if that's important to you. Not that I imagine it's too
    hard to identify a compiler without such blatant clues.
    
    ------------------------------
    
    Date: 13 Jul 2001 12:59:48 GMT
    From: peterat_private (Peter da Silva)
    Subject: Re: Uncleared disk space and MSVC (Winfrey, RISKS-21.50)
    
    It's not the compiler's fault, it's the operating system's fault.
    Application programs should never have a mechanism that lets them look
    at the contents of unallocated blocks.
    
    Actually, it may not even be the operating system's fault.
    
    I suspect your "clearspace" program overwrote some blocks the OS
    thought were already cleared. If they use a "block clearing daemon" to
    clear unallocated blocks in the background, your program could have
    caught them after the daemon had passed them by.
    
    Still, I can't think of any reason for the OS to actually read cleared
    blocks off disk.  They should hand out a freshly zeroed block of memory
    and write it to disk later. . . possibly it did do that, then since the
    compiler never modified those blocks it didn't write them back to disk
    since they were already clear.
    
    A risk of using third-party utilities that modify things without informing
    the OS?
    
    ------------------------------
    
    Date: Sun, 1 Jul 2001 08:10:20 -0700 (PDT)
    From: Toby Riddell <tobyriddellat_private>
    Subject: Re: The risks of clueless marketing (J.McCarthy RISKS-21.46)
    
    chi-rho sounds rather like Cairo. I don't follow Microsoft all that closely
    but wasn't this one of their codenames?
    
      [also noted by Craig Cottingham.  PGN]
    
    ------------------------------
    
    Date: Mon, 16 Jul 2001 10:14:58 -0700
    From: Tiffany Peoples <tiffanyat_private>
    Subject: 10th USENIX Security Symposium
    
    10th USENIX Security Symposium
    August 13-17, 2001, Washington, D.C.
    
    For more information and to register, visit:
      http://www.usenix.org/events/sec01
    
    REGISTER BY JULY 20, 2001 AND SAVE UP TO $200!
    
    The 2001 10th Security Symposium is sponsored by 
    USENIX, the Advanced Computing Systems Association.   www.usenix.org
    
    ------------------------------
    
    Date: 12 Feb 2001 (LAST-MODIFIED)
    From: RISKS-requestat_private
    Subject: Abridged info on RISKS (comp.risks)
    
     The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) 
     if possible and convenient for you.  Alternatively, via majordomo, 
     SEND DIRECT E-MAIL REQUESTS to <risks-requestat_private> with one-line, 
       SUBSCRIBE (or UNSUBSCRIBE) 
     which now requires confirmation to majordomoat_private (not to risks-owner)
     [with option of E-mail address if not the same as FROM: on the same line,
     which requires PGN's intervention -- to block spamming subscriptions, etc.] or
       INFO     [for unabridged version of RISKS information]
     .MIL users should contact <risks-requestat_private> (Dennis Rears).
     .UK users should contact <Lindsay.Marshallat_private>.
    => The INFO file (submissions, default disclaimers, archive sites, 
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues.  *** All 
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risksat_private with meaningful SUBJECT: line.
    => ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
       [volume-summary issues are in risks-*.00]
       [back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
     http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
       Lindsay Marshall has also added to the Newcastle catless site a 
       palmtop version of the most recent RISKS issue and a WAP version that
       works for many but not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing, 
        http://www.csl.sri.com/illustrative.pdf or .ps for printing
    
    ------------------------------
    
    End of RISKS-FORUM Digest 21.51
    ************************
    



    This archive was generated by hypermail 2b30 : Mon Jul 16 2001 - 15:37:35 PDT