[risks] Risks Digest 21.65

From: RISKS List Owner (riskoat_private)
Date: Sat Sep 08 2001 - 11:18:18 PDT

    RISKS-LIST: Risks-Forum Digest  Saturday 8 September 2001  Volume 21 : Issue 65
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/21.65.html>
    and by anonymous ftp at ftp.sri.com, cd risks .
    More about Star Wars 2: "Letter from America" (Pete Mellor)
    The Heavens at War: NMD assessed (Leonard Erickson)
    Getting the Facts Out - Announcing "FACT SQUAD" (Lauren Weinstein)
    Citibank ATM network outage (Joshua L. Weinberg)
    France Telecom inadvertent disclosure blamed on "computer error" 
      (Peter Campbell)
    Photo tickets dismissed in San Diego (Jim Griffith)
    Web filter considered harmful (Thomas Roessler)
    Early morning phone call angers citizens (Barry Hurwitz)
    New software lets managers search e-mail (Jonathan Leffler)
    Consumer Reports password policy risks (Bill Bumgarner)
    Norton Personal Firewall (Ben Laurie)
    Solar parking meters are a bad idea in wet Britain (David Mediavilla Ezquibela)
    Sacramento woman denied $2.8 million jackpot (Max)
    Accidental disclosure (Gene Spafford)
    Re: Air Force office mails confidential information (Maj. John Robinson)
    Abridged info on RISKS (comp.risks)
    Date: Sun, 2 Sep 2001 21:11:07 +0100 (BST)
    From: Pete Mellor <pmat_private>
    Subject: More about Star Wars 2: "Letter from America" 
    The following is a summary of Alistair Cooke's "Letter from America" this 
    week (BBC World Service and Radio 4, Sunday 2nd September 2001).  
    As in my previous message about "The Heavens at War", I have tried to give 
    a fair summary, indicating personal comments by [PM: blah, blah].  
    Technical Aspects: 
    Cooke summarised the progress on the National Missile Defense (NMD) project,
    and referred to the recent successful interception flight test (IFT-6).
    He then raised a problem with the vehicle used as a target.  After talking
    about the various technical terms used in defence (going back to the time
    when journalists had to learn terms like "uranium" and "plutonium") he
    introduced the latest term: "spin-stabilisation".
    [PM: I downloaded the glossary of terms and acronyms from the Ballistic
     Missile Defense Organization's website.  It occupies over 800 Kbytes in 
     pdf format.
     Follow the link from: 
     http://www.acq.osd.mil/bmdo/bmdolink/html/bmdolink.html ]  
    An advanced missile such as the USA is capable of launching would use
    spin-stabilised warheads.  Rotating them increases their accuracy, but also
    makes their trajectory more predictable and so they are easier to track in
    mid-course than cruder missiles.  The targets used in the interception
    flight tests were spin-stabilised.
    Cooke quoted an anonymous source in the DoD who said that he had no
    illusions about the difficulty of implementing the Star Wars interception
    system, but having to intercept crude "wobblers" was an enormously difficult
    task, particularly in the presence of similarly wobbly decoys.  The problem
    is due precisely to the primitive nature of the missiles that are likely to
    be launched in an attack from a less developed country!
    Around 100 acres of US Government land in Alaska have been set aside for
    testing interceptor flights to hit some of the USA's own crude wobbly
    rockets. Cooke's source said: "To succeed will take years and years".  So,
    if North Korea can wait until 2004 before launching a rogue attack, the US
    might be able to intercept it!
    Three systems are therefore under development:-  
    1. To intercept a spin-stabilised warhead, 
    2. To intercept the "wobbly tumbler" warheads which are still capable of
       causing massive damage although they might end up miles off target, and  
    3. (The supreme technical achievement) to detect real from fake wobbly
       tumblers and hit the right one.  
    Cooke quoted General Ronald T. Kadish: 
    Our test philosophy is to add, step-by-step over time, complexity such as
    countermeasures and operations in increasingly stressful environments.  
    This approach allows us to make timely assessments of the most critical
    design risk areas.  It is a walk-before-you-run, learn-as-you-go
    development approach.  These testing activities provide critical
    information that reduces developmental risk and improves our confidence
    that a capability under development is progressing as intended.
    [The Ballistic Missile Defense Program.  Address by Lieutenant General
     Ronald T. Kadish, USAF Director, Ballistic Missile Defense Organization, 
     before the House Armed Services Committee on the Amended Fiscal Year 2002 
     Budget. July 19, 2001
     http://www.acq.osd.mil/bmdo/bmdolink/html/kadish19jul01.html ]  
    (Cooke added a contemptuous "Harrumph".)  
    The Political Dimension:-  
    Although journalists are in the habit of saying that the President will do
    this or that, the budget for any proposal must go through both Houses of
    Congress before it is passed and funds become available.  (The President
    proposes, Congress disposes.)
    A further question is: Does the President have the constitutional right to
    abrogate the ABM treaty?
    A 2/3 majority in Congress is required to empower the President to sign a
    In 1978 the late Senator Barry Goldwater brought suit against President
    Jimmy Carter to prevent him withdrawing from the Mutual Defence Treaty
    with Taiwan. The Supreme Court ruled 6 to 2 in Carter's favour, and stated
    in its judgment that such a decision is down to the executive and
    branches or the legislature.
    A senior constitutional lawyer has stated that the Senate should decide next
    week after its summer recess if the President does have that power.  If the
    Goldwater/Carter case is taken as a precedent, then the President could in
    theory opt out of any or all treaties to which the US is party (including
    withdrawing from the United Nations and NATO!)
    Cooke concluded that, all things considered, including the probable cost
    [PM: $7,044.779 million for fiscal year 2002 alone, from Kadish's address]
    and the serious doubts about the constitutional right to abrogate the ABM
    treaty, "The prospect for Star Wars 2 seems, to put it mildly, ill-starred!"
    [PM: Footnote.  See slide 13 in the news briefing on the interceptor
     flight test:-  
     Several software problems interfered with the functioning of the ground
     tracking station.] 
    Peter Mellor, Centre for Software Reliability, City University, Northampton 
    Square, London EC1V 0HB +44 (0)20 7040 8422  <p.mellorat_private> 
    Date: Sun, 2 Sep 2001 05:31:10 PST
    From: shadowat_private (Leonard Erickson)
    Subject: The Heavens at War: NMD assessed
    I'm just going to point out a few examples of a major risk here, the
    arguments being advanced as to possible counter-measures against lasers
    show a *fundamental* misunderstanding of the means by which weapons
    lasers damage targets.
    They don't *burn* thru the surface, they deposit *huge* amounts of
    energy (kilojoules to megajoules) into the surface layers of the target
    in *microseconds*. 
    The time scale makes rotating the vehicle a bad joke. And the energy
    levels make reflective coatings an equally bad joke. 
    At these energy levels, the target spot *explodes* into plasma with
    effect equivalent to a fair sized chunk of TNT. 
    And this was pointed out back when SDI was being worked on. Yet these
    *same* "problems" are still being pointed out.
    There are similarly disingenuous aspects to the discussion of decoys.
    Given that none of this appears to have been mentioned in the program,
    I have to conclude that it wasn't even *remotely* objective in assessing
    the missile defense program.
    In short, from what was reported to RISKS, the program was badly
    slanted. And hardly anything to base a risk evaluation on. 
    Other aspects of the post make it seem inappropriate for RISKS as well.
    As a counter, let me just note that there are risks to *not* trying to
    develop a defense. And to spreading grossly inaccurate "risk
    assessments" regarding something that is in its early testing stages.
    There are potential problems. But bringing up "problems" like the ones
    I mention above is not eliminating risks, it's spreading propaganda.
    Other items brought up may be valid risks or invalid ones, depending on
    one's assessment of the relative risks of no missile defense versus one that
    is not 100% effective. But *that* aspect of things is *not* a valid topic
    for *this* list! Not unless there's been a major policy change that I'm
    unaware of.
    Leonard Erickson (aka shadow{G})  shadowat_private
    Date: Thu, 6 Sep 2001 19:26:50 -0700 (PDT)
    From: pfirat_private (PFIR - People For Internet Responsibility)
    Subject: Getting the Facts Out - Announcing "FACT SQUAD"
    PFIR - People For Internet Responsibility - http://www.pfir.org
       [ To subscribe or unsubscribe to/from this list, please send the
         command "subscribe" or "unsubscribe" respectively (without the 
         quotes) in the body of an e-mail to "pfir-requestat_private". ]
              Getting the Facts Out - Announcing "FACT SQUAD"
    	               September 6, 2001
    Greetings.  Immediately following the recent People For Internet
    Responsibility "Future of the Internet" Workshop, technology columnist Dan
    Gillmor reported on the event within his widely-read column.  He especially
    noted one of the key points of agreement at the meeting -- there's a serious
    need for coordinated information sources and experts to counter the often
    skewed information provided by lobbyists and other vested interests relating
    to technology issues.  As it stands, it's usually those well-heeled
    interests who have successfully organized, for their own betterment, to
    provide information about technical matters to media, politicians, and many
    Dan used the term "fact squad" to describe the need for a coordinated effort
    to provide some balance in these matters.
    PFIR has now set up a structure that we hope can provide assistance in
    filling this fact gap.  We've created "Fact Squad" -- its home page,
    which describes the project in more detail, is at:
    Fact Squad is oriented specifically towards folks who need straightforward,
    direct, and largely "jargon-free" information about these topics.  It is a
    coordinated resource for media, researchers, or anyone else -- cutting
    through the hype and getting to the facts.
    Fact Squad by itself obviously cannot be the complete solution to the
    long-festering and worsening problems of manipulated information and
    propaganda relating to technical issues and their impact on society.  But we
    think it's potentially an important step in the right direction.
    In addition to the Fact Squad home page listed above, three new contact
    e-mail addresses have been established relating to this effort:
    - Questions or information about specific topics or issues: 
    - General inquiries:
    - Information about participating in Fact Squad:
    We look forward to your questions, comments, and participation.
    Thanks very much.
    Lauren Weinstein
    laurenat_private or laurenat_private or laurenat_private
    Tel: +1 (818) 225-2800
    Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
    Moderator, PRIVACY Forum - http://www.vortex.com
    Member, ACM Committee on Computers and Public Policy
    Peter G. Neumann
    neumannat_private or neumannat_private or neumannat_private
    Tel: +1 (650) 859-2375
    Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
    Moderator, RISKS Forum - http://catless.ncl.ac.uk/Risks
    Chairman, ACM Committee on Computers and Public Policy
    Date: Wed, 05 Sep 2001 09:16:25 -0700
    From: "Joshua L. Weinberg" <joshuaat_private>
    Subject: Citibank ATM network outage
    Citibank's network of 2000 automated teller machines went down on the
    evening of 4 Sep 2001, due to software problems.  It was still down the next
    day.  Citibank's online Internet system also crashed at the same time.
    Basic service was restored about two hours later, but various problems
    persisted.  [Source: Reuters item, 5 Sep 2001; PGN-ed]
    Joshua  L. Weinberg, 2 Townsend St., Apt 1-905, San Francisco, CA 94107
    1-415-777-3339  joshuaat_private
    Date: Thu, 6 Sep 2001 20:28:19 -0500
    From: "Peter Campbell" <peter.a.campbellat_private>
    Subject: France Telecom inadvertent disclosure blamed on "computer error"
    A variant on the risk of leaving information you don't want disclosed in
    the 'comments' part of a MS Office document, except that instead of the
    consequences being just egg-on-face, there are selective disclosure issues
    and the potential for accusations of unfairness.  In the US, class action
    lawsuits have been attempted for less.
    For the uninitiated, selective disclosure of material information is a
    mortal sin in the investment world.  The underlying principle of financial
    markets is one of fairness to all shareholders -- stock in a company is not
    called "equity" for nothing.  Executing trades based on information to which
    all shareholders do not have access is called insider trading, though
    mechanisms do exist that allow insiders to trade in a perfectly legitimate
    and legal fashion, and is a grave offense in most countries with developed
    financial markets.  Of course, most large investors have more time,
    resources and expertise to devote to decision making than most small ones,
    so their advantage is undeniable. But the basis for making investment
    decisions, so-called material information, must be available to all
    investors, large and small.  A widely discussed regulation, dubbed Reg FD
    (for Fair Disclosure) was adopted by the SEC in October of 2000: more
    information on that here:
    Back to the subject and the risk: the error is obviously human and the risks
    of email compounded with the notes/comments/change-tracking features have
    been discussed many times in Risks.  Indeed the company I work for released
    a PR document with the revision history intact...  It can happen to the best
    of us!
    Date: Tue, 4 Sep 2001 18:22:57 -0500 (CDT)
    From: Jim Griffith <griffithat_private>
    Subject: Photo tickets dismissed in San Diego
    A judge in San Diego dismissed 290 tickets issued by a new red light camera
    system.  The issue was a $70 contingency fee paid per ticket to the private
    company operating the system, which gave that company a clear monetary
    incentive to issue more tickets.  The case in question may impact the
    fifty other cities in the nation which also use red light camera systems.
    The judge did not question the accuracy of the technology itself.
    Date: Fri, 7 Sep 2001 12:42:11 +0200
    From: Thomas Roessler <roessler@does-not-exist.org>
    Subject: Web filter considered harmful
    Today, I had to call Palm Support Germany about some problems encountered
    with one of their new models (insert m500 into the USB cradle, and the PC
    will occasionally reboot).
    The call-center guy I had on the phone hadn't heard about the problem.
    However, I had done a web search before, and had found some mailing list
    discussions where someone reported that Palm's US second-tier support knew
    the problem quite well.
    So I gave the list archive's URL to the guy, asking that he investigates the
    "Sorry, I can't access this through our web proxy.  They want to be sure
    that we don't surf for private purposes during work hours."
    The RISK should be obvious: Filtering support employees' web access for
    security or whatever other reasons can seriously damage these employees'
    ability to do their job.
    Thomas Roessler                        http://log.does-not-exist.org/
    Date: Sun, 2 Sep 2001 06:49:52 -0500
    From: "Barry in Indy" <barryindyat_private>
    Subject: Early morning phone call angers citizens
    A lightning strike caused a computer to begin sending out an automated phone
    message in the middle of the night. The meeting announcement was scheduled
    to be delivered during the day on Friday, August 31, but was sent starting
    after 9 PM Thursday night, and continued until 3:30 AM Friday. There were
    about 50 complaints.
    The RISKS? Political suicide, at the least.
    Barry Hurwitz
    Date: Wed, 5 Sep 2001 12:49:04 -0700 (PDT)
    From: Jonathan Leffler <jlefflerat_private>
    Subject: New software lets managers search e-mail
    Note from *Computerworld*: Managers everywhere will soon have the power to
    remotely check employee e-mail boxes, search for common words and even
    delete e-mail without notification, thanks to new software.
    [JL: The risks of abuse seem legion.  And accidental abuse could occur;
    what if that deleted email was actually important?]
    Jonathan Leffler (Jonathan.Lefflerat_private) 
    Guardian of DBD::Informix v1.00.PC1 -- http://www.perl.com/CPAN
    Date: Wed, 05 Sep 2001 17:40:57 -0400
    From: Bill Bumgarner <bbumat_private>
    Subject: Consumer Reports password policy risks
    My family regularly uses *Consumer Reports* to evaluate various products
    before we make a purchasing decision.
    The enclosed e-mail is the culmination of a rather round-about discussion.
    The original problem was that I could not log into my CR account [paid
    subscription] because it kept claiming the password is incorrect.
    Eventually, I discovered that I could log in if I claimed that I had
    forgotten my password and forced the site to send me a "click here to change
    your password" URL via email (in plain text, of course).
    Along the click trail of "click here to change your password", the user
    enters a new password twice; the site verifies that the two passwords match,
    logs the user in (to the edit-the-account page -- ugh), and presents the
    user with the site as if they had successfully logged in.
    If the user happens to choose a password containing an exclamation point
    (!), the site silently drops the exclamation point without giving the user
    any feedback that it has done so.  Subsequent login attempts, of course,
    fail (unless the user happens to forget to type the (!)).
    Risk #1: Silently modifying the user's entered password, claiming successful
    entry, and storing the modified (and likely insecure) password
    Risk #2: Limiting passwords to just letters/numbers.  Most good password
    crackers will brute force through all the various 'dog', 'd0g', 'd)g'
    Risk #3: Having a "forgot your password" click path that leads directly to
    all of the pertinent account information.  Thankfully, it does not display
    your FULL credit card-- but does give the last five digits and does allow
    the user to modify various bits of critical information.
    Risk #4: Sending the "forgot your password" URL in a plain text email.  A
    dead horse.
    Risk #5: Having nice, responsive customer support that had *no clue* that
    this problem existed (or even that it was a problem) when, in fact, the
    problem has been an issue for nearly a year (maybe longer).
    I'm sure there are others...
    (enjoying a 'Fisher & Paykel' as a result of information found on the 
    above site.... talk about killer engineering.  Drop a couple of wet 
    sneakers in it, set it to spin dry at 7,000 RPM and it actually balances 
    the drum to keep the thing from tearing itself apart!)
    Begin forwarded message:
    > From: customerserviceat_private
    > Date: Wed Sep 05, 2001  05:14:24  PM America/Montreal
    > To: "Mr. Bill Bumgarner" <bbumat_private>
    > Subject: Message from Consumer Reports Online - Ref:382442
    > Dear Mr. Bumgarner:
    > Thank you for your recent e-mail.  It was a pleasure to hear from you.
    > After reading your e-mail, I'm sorry to say that your password cannot have
    > an exclamation point (!).  However, please be assured that your password
    > can indeed consist of letters and numbers.  If you have any questions,
    > please feel free to contact our Online Subscription Department toll-free
    > at (800) 633-0663.  A representative will be more than happy to assist you.
    > Again, thanks for your e-mail.  I hope you continue to enjoy the benefits
    > of Consumer Reports Online.
    > Sincerely,
    > Jenny Manzueta
    > Customer Relations
    > 382442
    In cyberspace, no one can hear you laugh.
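
The failure mode in Risks #1 and #2 of the message above, as an added example that is not part of the original post and not Consumer Reports' code: one store drops "!" when the password is set but not at login, the other hashes exactly what was typed, refuses with a stated reason, and verifies the stored credential before reporting success. The class names, PBKDF2 parameters, length limits and sample passwords are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password exactly as given."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class SilentStripStore:
    """Hypothetical model of the behaviour the post describes."""

    def __init__(self):
        self._db = {}

    def set_password(self, user: str, password: str) -> bool:
        cleaned = password.replace("!", "")   # dropped without telling the user
        salt = os.urandom(16)
        self._db[user] = (salt, _derive(cleaned, salt))
        return True                           # reports success regardless

    def login(self, user: str, password: str) -> bool:
        salt, stored = self._db[user]
        # Login hashes the input as typed, so it no longer matches the stored value.
        return hmac.compare_digest(stored, _derive(password, salt))


class ExplicitStore:
    """Hypothetical hardened form: no character filtering, no silent edits."""

    MIN_LEN, MAX_LEN = 8, 128  # assumed policy: length bounds only

    def __init__(self):
        self._db = {}

    def set_password(self, user: str, password: str) -> bool:
        if not (self.MIN_LEN <= len(password) <= self.MAX_LEN):
            # Refuse loudly so the user knows nothing was stored.
            raise ValueError(
                f"password must be {self.MIN_LEN}-{self.MAX_LEN} characters")
        salt = os.urandom(16)
        self._db[user] = (salt, _derive(password, salt))
        # Round-trip check: only report success if the same input logs in.
        if not self.login(user, password):
            del self._db[user]
            raise RuntimeError("stored credential does not verify")
        return True

    def login(self, user: str, password: str) -> bool:
        entry = self._db.get(user)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, _derive(password, salt))


def demo():
    """Run both stores on one constructed password and return the outcomes."""
    typed = "hunter2!x"  # constructed sample password containing '!'
    weak, strong = SilentStripStore(), ExplicitStore()
    weak.set_password("alice", typed)
    strong.set_password("alice", typed)
    return {
        "weak_login_as_typed": weak.login("alice", typed),
        "weak_login_without_bang": weak.login("alice", typed.replace("!", "")),
        "strong_login_as_typed": strong.login("alice", typed),
        "strong_login_without_bang": strong.login("alice", typed.replace("!", "")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```
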
    Date: Tue, 04 Sep 2001 20:31:08 +0100
    From: Ben Laurie <benat_private>
    Subject: Norton Personal Firewall
    I recently had a problem with a Web site I run. A user complained that
    Norton Personal Firewall was saying the site was "trying to access her bank
    account details". Much investigation later, we discovered that the problem
    was completely stupid.
    NPF protects the user from sites that allow them to enter sensitive
    information in a form that is not secured by SSL. I guess there's some value
    in this. However, a number of factors combine to produce completely
    unnecessary FUD, not to mention a complete waste of everyone's time.
    Firstly, users are advised to protect their credit/debit card numbers by
    entering only some of the digits - the recommended number being 4.
    Secondly, the "firewall" objects to a web page being served by the server
    containing the sensitive information if the page contains a form and is not
    secured by SSL. However, it does not check whether the data presented is
    even in the form.
    Thirdly, the message presented to the user suggests that the webserver is
    somehow trying to _access_ the sensitive data rather than present it (I'm
    afraid I do not have the exact wording - figuring out the problem was
    tedious enough without trying to elicit such details from the user).
    The net effect of all this is that you get hysterical messages from the user
    (and everyone else on the mailing list they post this problem to) saying
    that you are trying to steal their credit card numbers.
    And the cause? A link containing a timestamp in seconds. For any 4 digit
    sequence the timestamp will match it for 1 second approximately 10 times a
    day, for 10 seconds once a day, for 100 seconds every 10 days, and so
    on. This lucky user happened to have a number that recently matched all the
    time for a period of 12 days.
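
A minimal model of the check described in the message above, as an added example that is not Norton's code and not part of the original post: a filter that flags any page containing both a form and the user's protected digits, run against a page whose only digits are a timestamp link, beside a check scoped to values inside form controls. The protected strings, page markup, function names and the timestamp window are constructed for illustration.

```python
from html.parser import HTMLParser


def page_for(ts: int) -> str:
    """Constructed page (assumed served without SSL): a form plus a timestamp link."""
    return (f'<html><body><a href="/news?t={ts}">latest</a>'
            '<form action="/login" method="post">'
            '<input type="text" name="user" value="">'
            '<input type="password" name="pw"></form></body></html>')


def naive_flags(html: str, secret: str) -> bool:
    """Behaviour described in the post: form present and digits anywhere in the page."""
    return "<form" in html.lower() and secret in html


class FormValues(HTMLParser):
    """Collect value attributes of input/option/button controls inside a <form>."""

    def __init__(self):
        super().__init__()
        self.in_form = False
        self.values = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.in_form = True
        elif self.in_form and tag in ("input", "option", "button"):
            value = dict(attrs).get("value")
            if value:
                self.values.append(value)

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


def scoped_flags(html: str, secret: str) -> bool:
    """Flag only when the protected digits are actually presented in a form control."""
    parser = FormValues()
    parser.feed(html)
    return any(secret in value for value in parser.values)


def match_runs(secret: str, start: int, seconds: int):
    """Return (first_timestamp, length) for each run of seconds the naive check fires."""
    runs, run_start = [], None
    for ts in range(start, start + seconds):
        if naive_flags(page_for(ts), secret):
            if run_start is None:
                run_start = ts
        elif run_start is not None:
            runs.append((run_start, ts - run_start))
            run_start = None
    if run_start is not None:
        runs.append((run_start, start + seconds - run_start))
    return runs


WINDOW_START = 999_600_000   # constructed: a timestamp in seconds, early September 2001
ONE_DAY = 86_400

if __name__ == "__main__":
    for secret in ("1234", "9996"):          # constructed protected digit strings
        runs = match_runs(secret, WINDOW_START, ONE_DAY)
        total = sum(length for _, length in runs)
        print(f"{secret}: {len(runs)} runs, {total} flagged seconds, "
              f"longest {max(length for _, length in runs)} s")
    print("scoped check on same page:",
          scoped_flags(page_for(999_612_345), "1234"))
```
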
    Date: Thu, 6 Sep 2001 20:26:55 +0200 
    From: David Mediavilla Ezquibela
    Subject: Solar parking meters are a bad idea in wet Britain
    Nottingham Council (United Kingdom) admitted that the 215 parking meters
    powered by solar energy that they installed didn't function as expected.
    They followed the example of other countries in sunny Southern Europe, but,
    even when this summer has been sunnier in Nottingham, several meters have
    failed allowing parking for free during periods. Others didn't work even in
    sunshine because they were under trees.  The provider, Metric, is adjusting
    them for winter to save energy.
    David Mediavilla Ezquibela	<davidme.forumat_private>
    Date: Fri, 07 Sep 2001 15:28:16 -0700
    From: Max <max7531at_private>
    Subject: Sacramento woman denied $2.8 million jackpot
      [The RISK: having a failure mode the same as the winning mode.  Max]
    Nevada Gaming Control Board agents say a Sacramento woman did not win a $2.8
    million jackpot she thought she won last month at a Reno casino because the
    machine malfunctioned. "The first reel started to spin, and it touched a
    maintenance card," said Paul Dix, a Gaming Control Board supervisor. "And
    the machine did what it was supposed to do. It went into a tilt." But
    Francesca Galea, 29, insists her play was a legitimate win. And she's
    willing to fight for the winnings.  [PGN-excerpted from AP report, 7 Sep 2001]
    Date: Wed, 5 Sep 2001 08:42:03 -0500
    From: Gene Spafford <spafat_private>
    Subject: Accidental disclosure
    Several recent Risks Digests have (once again) illustrated hazards 
    associated with accidental disclosure of personal information online.
    Readers who do not get the Computing Research Association News might want to
    check the May issue.  I wrote a cautionary article about using online
    applications and recommendation letter collection, specifically for
    See <http://www.cra.org/CRN/issues/0103.pdf> for "Protecting
    Personal Information in Academia."
    Date: Wed, 05 Sep 2001 14:53:18 +0000
    From: tympaniat_private
    Subject: Re: Air Force office mails confidential information (RISKS-21.63)
    Re: the USAF Academy e-mail foul-up mentioned in RISKS-21.63: the standard
    e-mail package for Air Force offices is MS Outlook, which lets you assemble
    lists of names into addressee groups to avoid the hassle of typing or
    reselecting a large list of names each time you want to send out a mass
    message. What likely happened here is that the officer responsible simply
    clicked the wrong addressee group in haste or carelessness; for instance,
    instead of selecting "Cadet Group Headquarters" he might have selected
    "Cadet Group," which would shotgun the message out to everybody.
    Of course there are any number of other ways this could have happened, but I
    doubt that there are any shenanigans going on.
    Maj. John Robinson, USAF
      [Still, it could be SirCam.  PGN]
    Date: 12 Feb 2001 (LAST-MODIFIED)
    From: RISKS-requestat_private
    Subject: Abridged info on RISKS (comp.risks)
     The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) 
     if possible and convenient for you.  Alternatively, via majordomo, 
     send e-mail requests to <risks-requestat_private> with one-line body
       subscribe [OR unsubscribe] 
     which requires your ANSWERing confirmation to majordomoat_private .  
     [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
     this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
     Lower-case only in address may get around a confirmation match glitch.
       INFO     [for unabridged version of RISKS information]
     There seems to be an occasional glitch in the confirmation process, in which
     case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
       .MIL users should contact <risks-requestat_private> (Dennis Rears).
       .UK users should contact <Lindsay.Marshallat_private>.
    => The INFO file (submissions, default disclaimers, archive sites, 
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues.  *** All 
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risksat_private with meaningful SUBJECT: line.
    => ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
       [volume-summary issues are in risks-*.00]
       [back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
     http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
       Lindsay Marshall has also added to the Newcastle catless site a 
       palmtop version of the most recent RISKS issue and a WAP version that
       works for many but not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing, 
        http://www.csl.sri.com/illustrative.pdf or .ps for printing
    End of RISKS-FORUM Digest 21.65

    This archive was generated by hypermail 2b30 : Sat Sep 08 2001 - 11:59:12 PDT