[risks] Risks Digest 21.61

From: RISKS List Owner (riskoat_private)
Date: Fri Aug 17 2001 - 14:54:29 PDT


    RISKS-LIST: Risks-Forum Digest  Friday 17 August 2001  Volume 21 : Issue 61
    
       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
    
    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/21.61.html>
    and by anonymous ftp at ftp.sri.com, cd risks .
    
      Contents:
    Censorship in action: why I don't publish my HDCP results (Niels Ferguson)
    Florida relies on students, not experts (Adam Shostack)
    PDAs increasingly vulnerable to hackers (Monty Solomon)
    Welland Canal Bridge runs into ship (Chris Smith)
    U.S. Web sites fall short of global privacy standards (NewsScan)
    DejaGoogle rides again (Dave Weingart)
    Risks to lose sleep over (Mike Knell)
    Re: AT&T Worldnet exposes all user passwords (Dylan Northrup, Mike Tuffs)
    Telephone "*" codes (Alan Miller)
    Abridged info on RISKS (comp.risks)
    
    ----------------------------------------------------------------------
    
    Date: Fri, 17 Aug 2001 22:49:48 +0200
    From: Niels Ferguson <nielsat_private>
    Subject: Censorship in action: why I don't publish my HDCP results 
    
      [Copyright Niels Ferguson.  Published with permission of the author.  PGN]
    
    Censorship in action: why I don't publish my HDCP results 
    Niels Ferguson, 15 Aug 2001
    
    Summary
    
    I have written a paper detailing security weaknesses in the HDCP content 
    protection system. I have decided to censor myself and not publish this 
    paper for fear of prosecution and/or liability under the US DMCA law.
    
    Introduction
    
    My name is Niels Ferguson. I'm a professional cryptographer. My job is to 
    design, analyse, and attack cryptographic security systems, a bit like a 
    digital locksmith. I work to make computer systems and the Internet more 
    secure. You would think that people would be in favour of that, right?
    
    Computer security and cryptography are hard. It is easy to make mistakes, 
    and one mistake is all it takes to create a weakness. You learn from your 
    mistakes, but there are too many mistakes to make them all yourself. That's 
    why we publish. We share our knowledge with others, so that they don't have 
    to repeat the same mistake. Take a look at 
    <http://www.macfergus.com/niels/dmca/index.html../pubs/publist.html>my 
    publications. You will see a mixture of new designs, analyses, and attacks. 
    This is how we learn and how we improve the state of the art in computer 
    security.
    
    HDCP
    
    Recently I found the documentation of the 
    <http://www.digital-cp.com>High-bandwidth Digital Content Protection (HDCP) 
    system on the Internet. HDCP is a cryptographic system developed by Intel 
    that encrypts video on the DVI bus. The DVI bus is used to connect digital 
    video cameras and DVD players with digital TVs, etc. The aim of HDCP is to 
    prevent illegal copying of video contents by encrypting the signal.
    
    HDCP is fatally flawed. My results show that an experienced IT person can 
    recover the HDCP master key in about 2 weeks using four computers and 50 
    HDCP displays. Once you know the master key, you can decrypt any movie, 
    impersonate any HDCP device, and even create new HDCP devices that will 
    work with the 'official' ones. This is really, really bad news for a 
    security system. If this master key is ever published, HDCP will provide no 
    protection whatsoever. The flaws in HDCP are not hard to find. As I like to 
    say: "I was just reading it and it broke."
    
    What do you do when you find a result like this? First, you have to write 
    it down and explain it. Then you publish your paper so that the mistakes 
    can be fixed, and others can learn from it. That is how all science works. 
    I wrote a paper on HDCP, but I cannot publish it.
    
    DMCA
    
    There is a US law called the Digital Millennium Copyright Act (DMCA), that 
    makes it illegal to distribute "circumvention technology", such as systems 
    that break copyright protection schemes. HDCP is used to protect 
    copyrights. There are lawyers who claim that a scientific paper like mine 
    is a circumvention technology within the meaning of the DMCA, because it 
    explains the weaknesses of a system. I have been advised by a US lawyer who 
    works in this field that if I publish my paper, I might very well be 
    prosecuted and/or sued under US law.
    
    This is outrageous.
    
    The risk to me
    
    I travel to the US regularly, both for professional and for personal 
    reasons. I simply cannot afford to be sued or prosecuted in the US. I would 
    go bankrupt just paying for my lawyers.
    
    I want to make it quite clear that Intel, who developed the HDCP system, 
    has not threatened me in any way. But the threat does not come only from 
    Intel. The US Department of Justice could prosecute me. Any other affected 
    party, such as a movie studio whose films are protected with HDCP, could 
    sue me under the DMCA. That is a risk I cannot afford to take.
    
    The simple alternative would be to never travel to the US again. This would 
    harm me significantly, both professionally and personally. It would lock me 
    out of many conferences in my field, and keep me away from family and friends.
    
    It all sounds a bit too far-fetched, right? Who would sue over the 
    publication of an article? Well, there are very good reasons to believe 
    that I risk a lawsuit if I publish my paper. A team of researchers led by 
    Professor Edward Felten was recently threatened with a DMCA-based lawsuit 
    if they published their own scientific article. The resulting court case is 
    still pending.
    
    Freedom of speech
    
    We have this little principle called the freedom of speech. It is codified 
    in the <http://www.hrweb.org/legal/udhr.html>Universal Declaration of Human 
    Rights, the <http://www.law.emory.edu/FEDERAL/usconst.html>US Constitution, 
    and Dutch law. The whole point of freedom of speech is to allow the free 
    circulation of ideas and to let the truth be heard. There can be no doubt 
    that my paper is protected by the free speech rights.
    
    The DMCA imposes a serious restriction on the freedom of speech. The DMCA 
    makes it illegal to talk about certain security systems. The equivalent law 
    for non-digital protection systems would make it illegal to warn people 
    about a cheap and very weak door lock being installed on their houses 
    because criminals could also use that same information.
    
    In western society we restrict the freedom of speech only for very serious 
    reasons, and after careful consideration. For example, it is illegal to 
    shout "fire" in a crowded theatre, or to ask someone to commit a murder. 
    The DMCA restricts the freedom of speech because the movie industry is 
    afraid of losing money. Below I will argue that the DMCA does not achieve 
    that goal, but that aside: do we really want to sell our freedom of speech 
    for money?
    
    The DMCA is a scary development. Next time that commercial interests clash 
    with the freedom of speech, the industry will point to the DMCA and claim 
    they need equivalent protection. They might outlaw the publication of a 
    report detailing bad safety features in a car, or of flaws found in a 
    particular brand of tires. After all, those publications harm industry too. 
    Where will it stop?
    
    Jurisdiction
    
    The DMCA is a US law. I am a citizen of the Netherlands, and I live and 
    work in Amsterdam in the Netherlands. Why do I care about the DMCA at all?
    
    The USA is apt to apply its own laws way beyond its own borders. Dmitry 
    Sklyarov, a Russian programmer, was arrested last month in the US. He is 
    charged with violating the DMCA while performing his work in Russia as an 
    employee for a Russian firm. As far as we know, what he did was perfectly 
    legal in Russia, and in most other countries in the world. He is now out on 
    bail, but cannot leave northern California until further notice.
    
    Where does this lead to? What if countries start applying their own laws to 
    the things people do in other countries? Will you be arrested next time you 
    go abroad? Do you really want to take that holiday in China if you have 
    more than one child? Are you sure that Germany allows you to have those 
    links to political pamphlets on your web site? This type of 
    extraterritorial application of national law violates a basic human right, 
    because you cannot possibly know which laws apply to you. Imagine living in 
    a country where the laws are kept secret, and you never know whether you 
    are violating a law.
    
    Suppose a US citizen works for a firearms manufacturer in the US, making 
    guns. One of those guns turns up here in Amsterdam and is used to commit a 
    crime. This person takes a holiday over here in Europe, and is arrested for 
    violating the Dutch firearms laws because he helped manufacture the gun in 
    the US. That is what happened to Dmitry. Is that fair? Is that how we want 
    to run this world?
    
    The principle of applying national laws to anybody that publishes anything 
    anywhere in the world is terrifying. If we allow this principle to be used, 
    we will never be free again. You will get a choice. You can decide to never 
    leave your country for any reason whatsoever. This means you might not even 
    be able to attend a wedding or funeral of a loved one. Alternatively, you 
    can restrict all your statements to satisfy the laws of all the countries 
    you could conceivably travel to. You might as well not say anything, 
    because it is very hard to find something that is legal in all 
    jurisdictions. We either lose our right to travel, or our right to speak 
    and be heard. Which fundamental human right do you want to give up today?
    
    DMCA does not work
    
    The DMCA is a fundamentally flawed law. It is ineffective, and actually 
    harmful to the interests it tries to protect. It stops me publishing my 
    paper now, but someday, someone, somewhere will duplicate my results. This 
    person might decide to just publish the HDCP master key on the Internet. 
    Instead of fixing HDCP now before it is deployed on a large scale, the 
    industry will be confronted with all the expense of building HDCP into 
    every device, only to have it rendered useless. The DMCA ends up costing 
    the industry money. No points for guessing who ends up paying for it in the 
    end.
    
    In the long run, the DMCA will make it much easier to create illegal 
    copies. Why? If we cannot do research in this area, we will never develop 
    good copyright protection schemes. We will be stuck with flawed systems 
    like HDCP, to the delight of the criminals.
    
    The DMCA has been called the Snake Oil Protection Act. When a manufacturer 
    makes a defective product, you expect them to fix it. Not in this case. The 
    DMCA protects the manufacturer of a defective product by making it illegal 
    to show that the product is defective. Who came up with this idea?
    
    Copyright law
    
    Copyright law is a careful balance between the rights of the author and the 
    public interest. The author gets a limited-time exclusive right to 
    reproduce his work. The public gets free use of the work once the copyright 
    expires. Furthermore, the public gets certain "fair use" rights. These 
    include the right to use short quotes from the work in a review, for 
    example, and the right to create a parody. If you buy a copy of a 
    copyrighted work, you also have the right to make an extra copy for your 
    own use. A student can make a copy of a page in his textbook to mark it up 
    while he studies.
    
    In a sneaky way the DMCA eliminates all these "fair use" rights of the 
    public. As long as the work is protected using copyright protection 
    technology, none of the "fair use" rights can be exercised, because it is 
    illegal to create or own the tool with which you can exercise your fair use 
    rights. Copyright expires, but the DMCA ensures that even when it does, the 
    work still does not enter the public domain. The US Supreme Court has held 
    that the "fair use" rights are exactly the safety valve that prevents the 
    copyright law from violating free speech rights. This might be another 
    reason why the DMCA is unconstitutional.
    
    In Dmitry's case, he wrote software that decoded encrypted digital books. 
    His software has many uses. Many digital books only allow the book to be 
    viewed on the screen. If you are blind and want to read the book on your 
    braille display you have to use something like Dmitry's software. This is 
    perfectly legal under the "fair use" rules of copyright law, but the DMCA 
    forbids it, thereby prohibiting blind people from accessing such books.
    
    Why this mess?
    
    Why did the movie industry campaign for the DMCA if it doesn't work? The
    movie and record industry have a history of claiming that new technologies
    will bankrupt them. When video recorders were first introduced, they swore
    that they would go bankrupt if people could record movies. Now they make a
    lot of money selling video tapes. Now they swear that they will go bankrupt
    if we do not restrict the freedom of speech and the public's fair use
    rights. Why should we believe them this time around?
    
    The DMCA exists because the movie and record industry lobbied heavily for 
    it. It is a very one-sided law that clearly has not been thought through 
    properly. The industry has managed to eliminate the careful balance of the 
    copyright law and replace it with a law that effectively gives them an 
    unlimited monopoly on copyrighted works. Could it just be that this is the 
    real motive behind their lobby?
    
    Can we fix the DMCA?
    
    Sure. That wouldn't even be very difficult. Making and selling unauthorised
    copies of copyrighted works is already illegal in most jurisdictions. We
    could change the copyright law to impose stiffer penalties if the copyright
    violation involves breaking a copyright protection scheme. A bit like the
    difference between trespassing and breaking and entering. A law like this
    would achieve exactly what we want: it would restrict illegal copying of
    copyrighted works. It would not restrict the freedom of speech, or do away
    with our fair use rights.
    
    More information
    
    You can find lots more information about the DMCA and the cases of 
    Professor Felten and Dmitry Sklyarov on the <http://www.eff.org>EFF web site.
    My <http://www.macfergus.com/niels/dmca/index.htmlfelten_declaration.html>
    declaration in the Felten court case.
    
    Copyright 2001 by Niels Ferguson, last update 2001-08-16, comments to 
      <mailto:nielsat_private>nielsat_private
    <http://www.macfergus.com/niels/dmca/index.html../index.html>[home page]
    
    ------------------------------
    
    Date: Fri, 17 Aug 2001 13:26:15 -0400
    From: Adam Shostack <adamat_private>
    Subject: Florida relies on students, not experts
    
    > FORT LAUDERDALE, Fla. (AP) - Broward County officials considering
    > the $20 million purchase of a touchscreen voting system want
    > students to try to tamper with the computers during a mock election.
    >
    > "One of the biggest concerns raised is whether there is the
    > potential for computer abuse, and we really need to see how
    > foolproof or tamperproof this equipment is," county commission
    > Chairman John Rodstrom said. "If there is a problem, it will happen
    > now or later. And some of these kids are pretty smart."
    > http://ap.tbo.com/ap/florida/MGAJ6W8YGQC.html
    
    The risks are legion, and well documented.  It's too bad that Florida
    officials are relying on students to reproduce them, but hey, one of them
    may learn the value of reading the literature, instead of re-inventing it.
    
      [And if someone with very little experience can demonstrate the lack of
      security, *that* might impress some of the folks who are either supremely
      gullible or counting on opportunities for fraud.  But please remember that
      some of the most insidious riskful vulnerabilities are those that can be
      exploited by insiders in the development and maintenance process.  Once
      again, recognize that all of the touch-screen systems today have
      absolutely no independent voter-verified audit record such as a printed
      ballot image that can be stored in ballot boxes guarded at least as well
      as paper ballots are today -- whether punched-card or optically scanned.
      Thus, there is no reasonable guarantee in touch-screen systems that your
      ballot as cast is actually equivalent to the ballot that is counted.  
      This could be remedied relatively easily, as recommended in Rebecca
      Mercuri's PhD thesis <http://www.notablesoftware.com/evote.html>.  PGN]
     
    ------------------------------
    
    Date: Fri, 17 Aug 2001 02:50:22 -0400
    From: Monty Solomon <montyat_private>
    Subject: PDAs increasingly vulnerable to hackers
    
    Handheld computers are increasingly vulnerable to hacker attacks and should
    not be trusted to store "any critical or confidential information," security
    experts warned Thursday.  [Reuters, 16 Aug 2001]
    
    http://news.cnet.com/news/0-1006-200-6894699.html
    
    ------------------------------
    
    Date: Fri, 17 Aug 2001 13:01:17 EDT
    From: Chris Smith <smithat_private>
    Subject: Welland Canal Bridge runs into ship
    
      [Three parts, sent separately, merged into one item.  PGN]
    
    1. Sent 13 Aug 2001
    
    The following two news reports from the Canadian Broadcasting Corporation
    cover a Saturday evening accident in the Welland Canal (southern Ontario,
    Canada, near the border with Buffalo, NY) when a lift bridge was lowered too
    soon, shearing off the top of the wheelhouse of a 700 ft bulk
    freighter. Damage to the out-of-control freighter followed, first in
    collision with the canal, and then with a fire breaking out on board. The
    fire flared up again briefly Monday morning.
    
    At least one news report stated that the bridge is under remote control,
    with bridge cameras monitored from the remote control location. For now, the
    clear risk is not having a working fallback to deal with situations that are
    never supposed to happen. We await news of what went wrong (we hope
    something did actually go wrong!) that gave rise to this accident.
    
      http://cbc.ca/cgi-bin/templates/view.cgi?/news/2001/08/12/shipfire_010812
      http://cbc.ca/cgi-bin/templates/view.cgi?/news/2001/08/13/shipfire_010813
    
    Here is a good location to read further details and watch for continuing
    details. This page is maintained by a regular canal and ship watcher in the
    area:
    
      http://www.wellandcanal.ca/transit/2001/august/windocstory.htm
    
    2. Sent 16 Aug 2001
    
    Just to make me look silly, I'm certain, the report is now that the bridge
    is run directly from a command cabin on the lift section itself. (I checked
    the CBC video stream, and they did explicitly say the bridge was under
    remote control.)
    
    This makes a lot more sense, especially from the point of view of avoiding
    accidents. Which leaves us with an open RISKS question to be checked later
    when it is known what caused this collision.
    
    3. Sent 17 Aug 2001
    
    As the referenced newspaper article makes clear, the Welland Canal bridge
    that collided with the freighter "Windoc" was *not* a remotely-operated
    bridge:
    
      http://www.scstandard.com/news/010814/5106699.html
    
    This contradicts -- authoritatively -- the statement earlier in a Canadian
    Broadcasting Corporation report that the bridge was remotely controlled.
    
    Only one of eight lift-bridges across the canal is remotely controlled. The
    rest are staffed 24 hours a day during the shipping season.
    
    The article gives a good description of the ship-bridge passage protocol.
    
    Chris Smith <smithat_private>
    
    ------------------------------
    
    Date: Fri, 17 Aug 2001 08:52:25 -0700
    From: "NewsScan" <newsscanat_private>
    Subject: U.S. Web sites fall short of global privacy standards
    
    A survey of 75 U.S. corporate Web sites found that none were in compliance
    with a set of international privacy guidelines developed by the U.S. and the
    European Union last year. The guidelines require companies to: notify
    consumers how their personal data is used; use the information only for its
    stated purpose; allow consumers to examine and correct data collected about
    them; give consumers an option to forbid sharing that data for marketing
    purposes; store the data in a secure manner; and provide recourse for
    consumers whose privacy has been violated. The survey, conducted by
    Andersen, found that travel and leisure companies scored the best on notice
    and security provisions, while financial services firms were most likely to
    offer adequate choice. U.S. companies must make progress on revamping their
    Web privacy standards or "Disruption to the conduct of business is a real
    risk," says Andersen principal Kerry Shackelford.
      [Reuters 16 Aug 2001; NewsScan Daily, 17 August 2001]
      <http://news.excite.com/news/r/010816/11/net-tech-privacy-dc> 
    
    ------------------------------
    
    Date: Fri, 17 Aug 2001 13:30:19 -0400
    From: Dave Weingart <dave.weingartat_private>
    Subject: DejaGoogle rides again
    
    I recently had to look for a message in rec.arts.sf.fandom, one of the 
    Usenet groups I follow and popped onto http://groups.google.com (Google 
    having taken over Deja's Usenet archives).  Knowing the thread title and 
    the approximate date, I entered those into Google's advanced group 
    search.  Bingo, one result returned, with a notice that read:
    
    "In order to show you the most relevant results, we have omitted some 
    entries very similar to the 1 already displayed.  If you like, you can 
    repeat the search with the omitted results included."
    
    Whoops.  The omitted entries were *all* the other entries in the rest of the
    thread -- clicking on the link they provide shows all the other messages.  I
    leave the risks of this behavior as an exercise for the reader.
    
    Dave Weingart, Randstad North America  dave.weingartat_private  
     1-516-682-1470
                                                      
    ------------------------------
    
    Date: Sat, 11 Aug 2001 10:01:33 +0100
    From: Mike Knell <mpkat_private>
    Subject: Risks to lose sleep over
    
    While staying in a German youth hostel a couple of weeks ago, I was woken up
    at midnight by someone telling me I hadn't paid to stay that night, so would
    have to pay them DEM33 or leave. Ungh, gnurgh, I said (having been freshly
    woken up), no, I've definitely paid in advance for two nights. This is the
    second night. No, they said, you've only paid for one.
    
    Okay, okay. Look, I've got a receipt. Can I come downstairs and sort this
    out? Sure thing, they said. Better be down in five minutes at the most.
    So I put some clothes on, found the receipt in my wallet and presented it
    at the front desk. Sure enough, it was a receipt for 2*DEM33 == DEM66. Two
    nights, all paid. But no, they said. Look, the departure date printed on
    your receipt shows you've only paid for one night, and the computer agrees,
    so you'll have to pay us DEM33 for tonight or leave. By now I was beginning
    to wonder whether I was hallucinating. My receipt for two nights wasn't
    being accepted as such? Why not? At about this point I stopped speaking
    German and switched to English, because arguing in a foreign language when
    you've been awake for two minutes and you're starting to doubt your sanity
    anyway is tricky. 
    
    After a bit more arguing of the "I've paid!" "No, you haven't!" sort,
    and a lot more fiddling about with the registration computer, the problem
    was solved. Yes, I'd paid two nights at DEM33 each. But this had been
    recorded in the booking system as 2 persons for one night, not one person 
    for two nights, so I'd been flagged as having departed. This also explains 
    the discrepancy in the departure date on the receipt. Since everything
    was now In Order, I was graciously permitted to return to my dorm and go 
    back to sleep.
    
    The RISKS here are obvious -- the computer's not always right when it's 
    been given the wrong information in the first place. This was, however, the
    first time I've encountered anyone not believing the evidence of their
    own eyes -- my receipt for two paid nights and my keycard with the correct
    departure date written on it -- because the computer didn't agree with it. 
    I'd also mention the RISKS of waking me up in the middle of the night just 
    to annoy me like this, but they're pretty obvious too.
    
    Mike <mpkat_private>
    
    ------------------------------
    
    Date: Tue, 7 Aug 2001 15:35:56 -0500 (CDT)
    From: Dylan Northrup <docxat_private>
    Subject: Re: AT&T Worldnet exposes all user passwords (RISKS-21.57)
    
    An infinite number of monkeys in the guise of a RISKS contributor wrote:
    
    :=Then she asked for my e-mail password.  When I refused she
    :=informed me my password is not a secret, and that *all passwords* connected
    :=to my Worldnet account (a Worldnet account can have up to 6 e-mail accounts)
    :=are *visible* on her screen.
    
    This is not surprising.  When working for another major ISP, the database
    for their users also had passwords available for each customer and were used
    by customer service as well as system administrators to help diagnose
    specific problems with customers.  When working with a problem that affects
    a specific customer, sometimes the best way to reproduce it from the other
    end is to use the service as the customer.
    
    That the CS representative asked for your password is unique or at least
    questionable (our user base was instructed to never give that information
    over the phone and that CS reps would be able to access that information
    if necessary).
    
    Dylan Northrup <*> docxat_private <*> http://www.io.com/~docx/
    
    ------------------------------
    
    Date: Wed, 8 Aug 2001 09:47:55 -0700 
    From: "Tuffs, Mike" <mike_tuffsat_private>
    Subject: Re: AT&T Worldnet exposes all user passwords (Smith, RISKS-21.57)
    
    WRT the comments in this posting about blocking caller-id when used for
    credit-card authorisation purposes, I recently called a credit-card company
    to authorize my new card, using a blocked caller-id. The system was able to
    identify me without anything other than my card number, due to caller-id.
    When I asked how they were able to do this, as the id was blocked, they
    informed me that their equipment simply ignored the blocked bit in the id
    string. I assume this is possible for anyone?
    
    Mike Tuffs, Mentor Graphics Corp  (503) 685 0736 mike_tuffsat_private
    
    ------------------------------
    
    Date: Tue, 14 Aug 2001 12:36:12 -0500
    From: Alan Miller <ajmat_private>
    Subject: Telephone "*" codes (Re: Burstein, RISKS-21.59)
    
    Danny Burstein writes on CNID/Caller ID:
    >The former, which is what is used by (the vast majority of) homes and
    >"regular" (non "800") business lines, can be blocked by the caller on
    >either a permanent per-line basis, or as a choice per-call. (Usually by
    >prepending a special code, generally "*70", before dialing out).
    
    Actually, "*70" is almost always the code to toggle call waiting 
    notification, primarily used so incoming calls won't cause a beep on the 
    line while a data call is in progress.
    
    "*67" is the most commonly used code to toggle outgoing caller ID 
    information.  This was discussed fairly heavily in RISKS or the Telecom 
    Digest (or both) when caller ID first became available, since for 
    customers with per-line blocking it's the code to _enable_ caller ID for 
    the following call, and there's no way to find out whether caller ID is 
    enabled for a line or call.
    
    In some areas, "*69" is used for "last number callback," which calls the 
    number that originated the previous call (answered or not, I believe).  
    I believe that this service has a range of options and is handled 
    differently by different LECs.
    
    ------------------------------
    
    Date: 12 Feb 2001 (LAST-MODIFIED)
    From: RISKS-requestat_private
    Subject: Abridged info on RISKS (comp.risks)
    
     The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) 
     if possible and convenient for you.  Alternatively, via majordomo, 
     send e-mail requests to <risks-requestat_private> with one-line body
       subscribe [OR unsubscribe] 
     which requires your ANSWERing confirmation to majordomoat_private .  
     [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
     this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
     Lower-case only in address may get around a confirmation match glitch.
       INFO     [for unabridged version of RISKS information]
     There seems to be an occasional glitch in the confirmation process, in which
     case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
       .MIL users should contact <risks-requestat_private> (Dennis Rears).
       .UK users should contact <Lindsay.Marshallat_private>.
    => The INFO file (submissions, default disclaimers, archive sites, 
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues.  *** All 
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risksat_private with meaningful SUBJECT: line.
    => ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
       [volume-summary issues are in risks-*.00]
       [back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
     http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
       Lindsay Marshall has also added to the Newcastle catless site a 
       palmtop version of the most recent RISKS issue and a WAP version that
       works for many but not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing, 
        http://www.csl.sri.com/illustrative.pdf or .ps for printing
    
    ------------------------------
    
    End of RISKS-FORUM Digest 21.61
    ************************
    


