[risks] Risks Digest 21.89

From: RISKS List Owner (riskoat_private)
Date: Tue Jan 29 2002 - 15:16:00 PST


RISKS-LIST: Risks-Forum Digest  Tuesday 29 January 2002  Volume 21 : Issue 89

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/21.89.html>
and by anonymous ftp at ftp.sri.com, cd risks .

  Contents:
Wireless technology criticized for vulnerabilities (NewsScan)
Wireless bypassing the firewall (Jeremy Epstein)
Free airport wireless network, and spam launcher (Mike Hogsett)
Consumer beware: Are you really there? (Rob Graham)
Risks of deceptive characters in URLs: Gabrilovich/Gontmakher (PGN)
Water line break closes 911 center & police department (Dave Bank)
New official self-service litigation system available in England & Wales
  (Tony Ford)
Royal chat session failed (Erling Kristiansen)
Risks of bouncing e-mail (Nick Brown)
Stupid defaults in database conversion (Paul Wallich)
Spam prevention gone too far (Jonathan Kamens)
BBC News: Iceland places trust in face-scanning (Chris Leeson)
Brisbane ISP in court (Peter Deighan)
RSA Conference e-mail has tracking bugs (Rex Sanders)
Re: Buffer overflows and other stupidities (Earl Boebert)
Re: Software uncovers e-mail untruths (Russ Perry Jr)
Remote mobile phone configuration changes via SMS service (S. Llabres)
REVIEW: "Algebraic Aspects of Cryptography", Neal Koblitz (Rob Slade)
Infowar Con 2002, call for papers (Winn Schwartau)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 29 Jan 2002 08:37:15 -0700
From: "NewsScan" <newsscanat_private>
Subject: Wireless technology criticized for vulnerabilities

Lawrence Livermore National Laboratory in California has banned all wireless
networks, including Microsoft's Wi-Fi, because of security concerns. Wi-Fi
supporters say the technology is secure when it's been properly installed,
but experts say that only about 10% of all users install them correctly.
(*USA Today*, 28 Jan 2002; NewsScan Daily, 29 January 2002)
  http://www.usatoday.com/life/cyber/tech/2002/01/29/wifi.htm

------------------------------

Date: Fri, 25 Jan 2002 17:01:13 -0500
From: "Jeremy Epstein" <jepsteinat_private>
Subject: Wireless bypassing the firewall

Wireless carriers including Sprint, Cingular, and Seven (a startup) are
putting together products that tunnel through the firewall to allow you to
access the e-mail, calendars, etc. on your desktop machine remotely from a
wireless device.  But not to worry, since it "conforms to the highest levels
of transport security".  After all, what could go wrong with a tunnel like
this?  NOT!  The risks are apparent to everyone except the vendors involved.

Full story at
  http://www.infoworld.com/articles/hn/xml/02/01/28/020128hnport.xml

------------------------------

Date: Tue, 29 Jan 2002 13:13:03 -0800
From: Mike Hogsett <hogsettat_private>
Subject: Free airport wireless network, and spam launcher

Soon business travelers passing through Minneapolis-St. Paul International
Airport will be able to access the Internet at high speeds for free.

Anyone want to send out lots of SPAM or launch attacks?  Just go to MSP.

http://www.startribune.com/stories/535/1130636.html

------------------------------

Date: Mon, 28 Jan 2002 10:46:57 -0500
From: "Rob Graham" <ceoat_private>
Subject: Consumer beware: Are you really there?

This potential risk was sent to me at work today.  At a quick glance at the
site below, you may truly feel that you are viewing a drastic mistake at
microsoft.com, or the evil doings of a disgruntled employee.  I as a Web
developer and consultant quickly determined how it was done (simply passing
a username and password to the true url to display the page).  However, a
link contained within an e-mail to the unsuspecting consumer bringing them
to a site like this could be a disaster.

This false representation is an easy way to exploit information from
consumers thinking they are buying/subscribing/requesting information
from a company - when in fact, it may be a scenario like the link below:

  http://www.microsoft.com&item=3Dq209354at_private/nyheter/feb01/Q209354
  %20-%20HOWTO.htm

------------------------------

Date: Mon, 28 Jan 2002 22:45:21 PST
From: "Peter G. Neumann" <neumannat_private>
Subject: Risks of deceptive characters in URLs: Gabrilovich/Gontmakher

Related to Rob Graham's item in RISKS-21.89, an even more insidious URL risk
is described in an excellent column on the Inside Risks page of the February
2002 CACM:

  Evgeniy Gabrilovich and Alex Gontmakher
  The Homograph Attack
  Communications of the CACM, vol 45, no 2, inside back page

This is a WONDERFUL RISKS-relevant article.  Please read it.
For your convenience, this column is now on the Inside Risks Web site
  http://www.csl.sri.com/neumann/insiderisks.html
as
  http://www.csl.sri.com/neumann/insiderisks.html#140
The examples given use Cyrillic characters.  For example, a Russian "o" 
and an English "o" look alike but can have radically different results.
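
  [Added example, not part of the original digest or of the cited column: a
  defensive check for the two URL deceptions described in the two items above,
  namely a familiar name placed in the userinfo part before "@", and a host
  name that mixes look-alike letters from different scripts.  The function
  names and every sample URL are constructed for illustration.]

```python
import unicodedata
from urllib.parse import urlsplit


def label_scripts(label):
    """Scripts used by the letters in one hostname label."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            # The first word of the Unicode character name is the script:
            # "LATIN SMALL LETTER O" vs "CYRILLIC SMALL LETTER O".
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def to_unicode(label):
    """Decode an ACE ("xn--") label so its real characters can be inspected."""
    if label.startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label  # malformed ACE label: inspect it as written
    return label


def audit_url(url):
    """Return (host the client will actually contact, list of findings)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    # Everything before "@" in the authority is userinfo, not the host,
    # however much it looks like a well-known domain name.
    if parts.username is not None:
        findings.append("userinfo")
    for label in host.split("."):
        scripts = label_scripts(to_unicode(label))
        if len(scripts) > 1:
            findings.append("mixed-script")   # e.g. Latin "b" + Cyrillic "o"
        elif scripts and scripts != {"LATIN"}:
            findings.append("non-latin")      # whole label in another script
    return host, findings


# Constructed sample URLs (documentation domains and address ranges only).
SAMPLES = [
    "http://www.example.com/",
    "http://www.example.com&item=q209354@198.51.100.7/page.htm",
    "http://b\u043eok.example/",              # second letter is U+043E
]

if __name__ == "__main__":
    for sample in SAMPLES:
        real_host, found = audit_url(sample)
        print(f"{sample!a}\n  real host: {real_host!a}  findings: {found}")
```

  [A mail gateway or link-rewriting proxy can show the real host beside any
  link that produces a finding, instead of showing the link text alone.]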

------------------------------

Date: Thu, 24 Jan 2002 17:19:08 -0500 (EST)
From: Dirk the Daring <dirkat_private>
Subject: Water line break closes 911 center & police department

  http://www.newsobserver.com/ncwire/news/Story/903276p-902507c.html

In Durham, NC (USA), a waterpipe break on early Saturday (12-Jan-2002)
morning forced the closure of the city police department building and 911
center. The water flooded a subbasement and took out the electrical
equipment and backup power generators. Callers to 911 got busy signals or
disconnects (I suppose that's better than hold muzak) until the temporary
location (at Duke University) was online about 12 hours later, with
dispatchers taking call information on paper (no computers).

RISKS:

    1) Putting all the eggs, police dept and 911 center, in one building

    2) Putting critical electrical equipment in a place where it can
        be easily flooded out and in the same building

    3) Not having 911 services "roll-over" to somewhere else (for example,
        Cary, NC - about 20 miles from Durham - has an agreement with
        the Wake County 911 center that if Cary becomes unable to take a
        given 911 call, it automatically rolls over to Wake's 911
        center) - a (*gasp*) backup

Dave Bank  aka Dirk the Daring  dirk at psicorps dot org

------------------------------

Date: Sat, 26 Jan 2002 15:43:09 +0000
From: Tony Ford <tony.fordat_private>
Subject: New official self-service litigation system available in England & Wales

Today's Daily Telegraph (a quality UK broadsheet newspaper) carries a
*potentially* disturbing report describing a new service, "Money Claim
Online", whereby individuals and law firms (solicitors) can issue most
simple legal proceedings (where a sum less than UK pounds 100,000 is
claimed, = USD 140K) and enforce judgments via a Web browser.  The new
service has been set up without publicity by the Lord Chancellor's
Department, which runs the courts system in England and Wales.  It seems
that the system is accessible to the public now, although it has not been
officially launched.

People using the service are (oddly) referred to as "customers" .... and 
there is a Customer Help Desk ...

The newspaper report is also viewable at this Daily Telegraph link on-line: 
http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2002/01/26/nsue26.xml&sSheet=/news/2002/01/26/ixhome.html

The service can be seen on-line at:
https://www.moneyclaim.gov.uk/csmco/index.html

No details are apparent of what measures are taken to validate the identity
of the claiming party or prevent other gross miscarriages of justice ....
but it would appear that the potential exists for significant trouble ....
even though the site warns that "vexatious litigants" are not allowed to use
it (these are people who have abused the litigation system in the past to
such an extent that they have been declared "vexatious litigants",
restricting their ability freely to issue legal proceedings).

PS: I am a lawyer myself, although I don't practise in this area .. but do 
work in-house for a large IT company ... these comments are offered purely 
in a personal capacity.

Tony Ford, Guildford, Surrey, UK <tony.fordat_private>

------------------------------

Date: Wed, 23 Jan 2002 21:20:45 +0100
From: Erling Kristiansen <ekristiaat_private>
Subject: Royal chat session failed

A public chat session was scheduled yesterday between, on one hand, the
Dutch Crown Prince Willem Alexander and his fiancee Maxima Zorreguieta and,
on the other hand 100 selected citizens. The session was made available for
everybody to watch on a Web site.

The server failed after a few minutes and did not come up again, so the rest
of the session was canceled.

According to several news sources (radio and TV news, printed press), KPN,
who provided the server, says that the crash was caused by "sabotage", and
that the site, that was designed for "tens of thousands" of users, received
3 billion (Yes, 3,000,000,000) hits.

The story does not look very plausible to me. To deliver 3,000,000,000 IP
packets, even short ones, in a few minutes takes something like a 10
Gbits/sec connection into the server, and would require quite a powerful
attacking machine with a comparable network connection, or a concerted
attack by tens of thousands of home PC's on modem lines.

I also had a look at 
  http://internettrafficreport.com
Such a volume of traffic in a short time should cause some slowdown of other
Internet traffic in the networks concerned. I saw no noticeable performance
degradation in any of the Dutch routers monitored by this site, nor anywhere
else, around the time of the event.

Speculation in the media now goes that the site simply received more genuine
hits than it was designed for, but not billions (Holland has 16 million
inhabitants), and could not cope, and that KPN is reluctant to admit their
mis-estimation of the traffic.

Does anybody have more information about what really happened?

------------------------------

Date: Thu, 24 Jan 2002 08:50:21 +0100
From: BROWN Nick <Nick.BROWNat_private>
Subject: Risks of bouncing e-mail

The Strasbourg newspaper "Dernières Nouvelles d'Alsace" reports (in French)
an interesting case of e-mail forgery.  The exact circumstances are not yet
clear, but it appears that:

- An e-mail was sent from the account of the mayor, telling members of a
city commission to vote in favour of a plan to extend a local hypermarket.
The official, public policy of the city council and the mayor is to oppose
this extension.
- The mail to one member of the commission bounced, because the recipient's
name was incorrectly spelled.
- An assistant to mayor Fabienne Keller, who has access to her mailbox,
noticed the "undeliverable" reply and determined that the mail had been sent
at a time when the mayor could not have sent it.
- The general manager of the hypermarket is under police investigation for
illegal entry into a computer system, forgery, use of forged documents, and
attempted fraud.

Original texts in French for those interested:

  http://www.dna.fr/cgi/dna/motk/idxlist_light?a=art&aaaammjj=200201&num=18041610&m1=keller&m2=mairie&m3=
  http://www.dna.fr/cgi/dna/motk/idxlist_light?a=art&aaaammjj=200201&num=19049910&m1=keller&m2=mairie&m3=

I suppose the RISK is that if you're going to pretend to be someone else,
make sure you can spell !

Nick Brown, Strasbourg, France

------------------------------

Date: Fri, 25 Jan 2002 17:20:05 -0500
From: Paul Wallich <pwat_private>
Subject: Stupid defaults in database conversion

Even in the sticks there are risks:

Last autumn, the propane company that fills our tank (for stove, hot water
and drier) was taken over by another propane company. We learned last night,
when all of our gas-fired appliances stopped working, that "some customers
fell through the cracks" during the acquisition, to wit, the new company
wasn't refilling their tanks and was apparently relying on calls like ours
to let it know whom it had forgotten. They promised a delivery "first thing"
in the morning. So about noon we called, and learned a few additional
tidbits: apparently customers scheduled for regular deliveries from the old
company had been silently changed to "will call" status by the new one, and
no, the new company didn't believe it had any liability for interrupted
service.

The risk of mistranslating fields in an acquired database should be obvious,
as should the rule that any untranslatable values get flagged and/or at
least converted to the least-damaging equivalent in the new system. (There's
also the obvious financial risk that customers won't want a company that
careless involved in delivering a commodity known to blow folks to bits when
mishandled.)

------------------------------

Date: Thu, 24 Jan 2002 16:23:17 -0500
From: Jonathan Kamens <jikat_private>
Subject: Spam prevention gone too far

I recently attempted to send E-mail to the author of a RISKS submission.
Since my DSL line was down when I sent the E-mail, and since outbound SMTP
connections are blocked from the dial-up accounts provided by my ISP, I had
to send my E-mail through my ISP's mail server.  It bounced as follows (the
identity of the intended recipient has been masked):

  <RECIPIENT@RECIPIENT-HOST>:
  Connected to RECIPIENT-HOST-IP but sender was rejected.
  Remote host said: 571 <jikat_private>... Return address  jikat_private  does not match sending computer  mail11.speakeasy.net  -- check your configuration. http://www.RECIPIENT-HOST/mail/571_2.html for details.

If you visit the URL referenced above, you discover that this site's system
administrators have decided to block all E-mail for which the host name in
the envelope address can't be matched up obviously (using a simple string
comparison) with the host name of the mail server sending the message.  In
other words, if you have your own domain name, but you send E-mail through
your ISP's mail server, you simply can't send E-mail to this site.
Supposedly, they check their logs for such bounces "as we have time" and add
messages that should have gone through to an exception list, but who knows
when/if they'll ever get around to doing that in any particular case.
Furthermore, they provide no mechanism for contacting them by E-mail or Web
to ask to be excepted -- all they give on the Web page is a long-distance
telephone number.

Fortunately for me, or so I thought, I *do* send outbound mail through my
own mail server when my DSL line is up, and it was fixed yesterday, so I
decided to attempt to resend my message.  It bounced again, with a different
error:

  RECIPIENT@RECIPIENT-HOST
      (reason: 550 We do not accept mail from the spam-relay machine:  jik-0.dsl.speakeasy.net.. http://www.RECIPIENT-HOST/mail/571_1.html for details.)

If you visit *that* URL, you see that they're claiming that my machine is a
spam relayer.  It isn't and never has been.  I've never sent spam and I
block all third-party relaying through my machine.  I can't find an entry
for either my IP address or my subnet in any of the black-lists checked by
  <URL:http://relays2.osirusoft.com/cgi-bin/rbcheck.cgi>.

Of course, they don't bother to say *why* they think my machine is a
spam-relay machine, so who knows where they got that charming idea?  And, as
mentioned above, they don't provide any way to contact them on-line to
complain about it.  For example, many sites which enforce restrictions this
draconian provide an address which is exempt from the restrictions to which
people can complain; the spammers don't ever bother complaining, so it
really isn't particularly burdensome to do this.  Unless, of course, you
really don't care if people can't send legitimate E-mail to your site.

I understand the desire to block spam, but there are ways to do it which
don't also block legitimate E-mail, or at the very least which provide an
on-line mechanism people can use for getting themselves unblocked.  This is
just really excessive; I would even go so far as to say that I question the
legitimacy of allowing RISKS submissions from people who make it impossible
for people to send them E-mail responses to their submissions.

  jik

------------------------------

Date: Fri, 25 Jan 2002 09:40:31 -0000
From: "LEESON, Chris" <CHRIS.LEESONat_private>
Subject: BBC News: Iceland places trust in face-scanning

According to the BBC News Web Site, Iceland's main airport is introducing
"face recognition technology" to identify "any hijackers on wanted lists".

http://news.bbc.co.uk/hi/english/sci/tech/newsid_1780000/1780150.stm

The article notes that a similar system was tried in Florida, and abandoned
after two months. The article notes:

  "'In my opinion, had this system been installed at airports in North
  America last summer, it would have increased the chances of catching those
  criminals who hijacked the planes,' said Keflavik airport police
  commissioner, Johann Benediktsson.  [...]  A recent report by the American
  Civil Liberties Union showed that over a two-month period, the software
  failed to identify a single person photographed in the department's
  criminal database.  Instead, the software produced many false
  identifications, said the ACLU report.  [...]

  "For Jonina Bjartmortz, a member of the foreign affairs committee in the
  Icelandic parliament, the system has become a sure way of reassuring
  nervous passengers.  'We are at the westernmost tip of Europe and a
  gateway to America.  We only have one airline and we felt it was very
  necessary to invest in the technology,' she said.  It seems to have
  worked. Flights coming and going from Keflavik airport are generally full
  and passengers appear happy."

One is tempted to say "The Usual Risks":
  - False Positives and False Negatives
  - Customers (and Management) with a potentially false sense of security
  - It will only pick up "known" faces. What if your hijacker is not "known"?

That said, we can hope that the existing security precautions will pick up
the "unknown" hijackers.  At least the risk is no greater unless security
staff come to rely on the system.

Chris Leeson

------------------------------

Date: Thu, 24 Jan 2002 21:17:40 +1100
From: Peter Deighan <deighanpat_private>
Subject: Brisbane ISP in court

The following is the entirety of a story printed in *Australian Financial
Review* 21 Jan 2002, attributed to Australian Associated Press:

"Dataline in court"
"The ACCC has begun legal action against Brisbane-based Internet
provider Dataline.net.au, its managing director, Mr John Russell, and
associated companies Australis Internet and World Publishing Systems.
Dataline allegedly intercepted e-mails and debited consumers' credit
cards without authority."

ACCC stands for Australian Competition and Consumer Commission, or in
tabloid-ese "The consumer watchdog".

Other contributors to RISKS have mentioned packet sniffing and electronic
"dumpster diving" to extract credit-card numbers.  This looks to be much
simpler.  If the ACCC is correct, this seems a good reason to become an ISP.
Is this a new risk?  Probably not.

The full and more worrying set of allegations is at ACCC's Web site:
  http://www.accc.gov.au/media/mediar.htm
then click on
  18 January 2002 ACCC Takes Action Against Internet Service Provider

Peter Deighan <deighanpat_private>

------------------------------

Date: Thu, 24 Jan 2002 17:10:14 -0800
From: Rex Sanders <rsandersat_private>
Subject: RSA Conference e-mail has tracking bugs

Today I received the "RSA Conference 2002 eNewsletter, Volume 2".  Much to
my dismay, this HTML-ized e-mail had several hidden tracking features,
including the classic 1x1 pixel GIF with a unique identifier encoded in the
URL pointing to a company I've never heard of.

RISK: assuming you can trust e-mail from a conference and a company (RSA
Security, Inc. sponsors the conference) which emphasizes security and
privacy.

-- Rex Sanders, USGS

------------------------------

Date: Wed, 23 Jan 2002 07:56:09 -0700
From: Earl Boebert <boebertat_private>
Subject: Re: Buffer overflows and other stupidities (RISKS-21.87)

 [Earl Boebert's message in RISKS-21.87 provoked many responses that are not
  included in this issue of RISKS, but to which Earl offered the following
  generic response.  PGN]

Well, I'm glad I provoked at least some discussion of the issue.
Unfortunately, many of the responses, including some from people who should
have known better, exhibited a depressing degree of ignorance about the role
of processor architecture in implementing protection mechanisms. To respond
to these in detail would involve the moral equivalent of a course in the
subject, which I do not currently have either the time or the inclination to
do. I would refer interested parties to Dick Kain's book [1], which (along
with some of the more informative replies) shows that there are more things
in heaven and earth than dreamt of in the x86 philosophies.  I suppose a
final note would be: Relying on any one element of an integrated
hardware-software system for protection from hostile code is
dangerous. Currently popular processor architectures contain such
stupidities that they place an impossible burden on software and programmer
discipline. Yes, these things can shoulder the burden in theory, but the
historical evidence is that they fail consistently in practice.

[1] If you don't know this reference, you probably shouldn't be in this 
business.

------------------------------

Date: Tue, 22 Jan 2002 22:24:14 -0600
From: Russ Perry Jr <slapdashat_private>
Subject: Re: Software uncovers e-mail untruths (NewsScan, RISKS-21.88)

> SAS Institute has developed software that it says can sift through
> e-mails and other electronic text to discern falsehoods.

It would be interesting to take a press release or privacy statement
regarding this product and run them THROUGH said product, ne?

Russ Perry Jr   2175 S Tonne Dr #114   Arlington Hts IL 60005 
847-952-9729    slapdashat_private 

------------------------------

Date: Fri, 25 Jan 2002 01:40:36 +0100
From: Llabres <sllabres@baden-online.de>
Subject: Remote mobile phone configuration changes via SMS service

The German publishing house "Heise" reports in its online news about a
remote configuration change of mobile phones via the short message service
(SMS) which is available in GSM networks:
  http://www.heise.de/newsticker/data/pmz-24.01.02-000/

The Swiss telco Swisscom has confirmed that it has sent to selected
customers special SMS messages that deleted roaming information on the SIM
cards of the customers' mobile phones.  Swisscom says that the purpose for
the messages is to test for the introduction of new services in the Swisscom
mobile phone network.  The customers have not been informed about the
change. The SMS appeared as empty messages sent from the phone number
"0800".

The magazine also reported that insiders believe that the modification of
the roaming information was to direct traffic to networks owned by Vodafone
-- which acquired a 25% share of Swisscom in April last year.

Customers have to re-enter the information to their phones manually.

It would be interesting to know:
* If there is any security mechanism protecting anyone from sending
  such "special" messages.
* Which settings on the mobile phone can be changed (or probably
  retrieved from the phone) without the knowledge of the customer.
* If the network provider must implement such features, I do not
  understand why this must happen unperceived by the customer.
  Why not send a message telling people what will happen?

S.Llabres

------------------------------

Date: Mon, 28 Jan 2002 07:37:01 -0800
From: Rob Slade <rsladeat_private>
Subject: REVIEW: "Algebraic Aspects of Cryptography", Neal Koblitz

BKALASCR.RVW   20011122

"Algebraic Aspects of Cryptography", Neal Koblitz, 2001,
3-540-63446-0, U$64.99
%A   Neal Koblitz koblitzat_private
%C   175 Fifth Ave., New York, NY   10010
%D   1998
%G   3-540-63446-0
%I   Springer-Verlag
%O   U$64.95 212-460-1500 800-777-4643
%P   206 p.
%T   "Algebraic Aspects of Cryptography"

When certain technical people find out that I am involved in data security,
they assert an interest in cryptography, and an intention to write a
cryptographic program sometime.  While I do not wish to disparage this goal,
questioning of the individual's background in mathematics tends to point out
that the task is harder than they might have foreseen.  The magic phrase
"number theory" is usually the dividing line.  For those who make it past
that limit, I am going to recommend that they get Koblitz's work.  Not that
I am implying that this book is more demanding than it needs to be: only
that the topic itself is a difficult one.

This is the heart of cryptology: the underlying foundations that make it
work.  The material presented does not address specific programs, standards,
or even algorithms, but deals with the basic mathematical theory that can be
used to construct algorithms, or test their strength.

Chapter one is something of an overview, touching on many fields of
cryptography and introducing an appropriate and exemplar equation for each.
Theories related to the strength of cryptographic algorithms are given in
chapter two.  Basic algebra associated with primes is discussed in chapter
three, underlying the more common asymmetric (public key) systems such as
RSA.  Chapter four outlines an illustrative history of the development,
cracking, and improvement of one particular algorithm, demonstrating the
mathematical work necessary to each step.  Knapsack type problems and
theories are explained in chapter five.  Chapter six deals with the
currently very highly regarded elliptic curve algorithms, and is backed up
with an even more extensive appendix on hyper-elliptic curves.

This is not an introduction.  It is intended as a text for graduate (or
possibly advanced undergraduate) work, and requires a solid background in
mathematics or engineering.  For those seriously interested in cryptography,
though, it is worth the work.

copyright Robert M. Slade, 2001   BKALASCR.RVW   20011122
rsladeat_private  rsladeat_private  sladeat_private p1at_private
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

------------------------------

Date: Wed, 23 Jan 2002 09:24:27 -0500
From: Winn Schwartau <winnsat_private>
Subject: Infowar Con 2002, call for papers

Homeland Defense & CyberTerrorism:
Dealing With Harsh New Realities
3-6 Sep 2002, Washington, DC
http://www.misti.com/

Your Sponsors:
Winn Schwartau, Interpact, Inc. - www.interpactinc.com
MIS Training Institute - www.misti.com
White Wolf Consulting  www.whitewolfconsulting.com

We are soliciting creative analytic, interoperable real-world opinions and
solutions that will function in:
* Countering the threats of Global and National Cyberterrorism
* National and Municipal Critical Infrastructure Protection
* Military and Government Information Operations (Defense and Offense)

Submission Deadline: February March 11, 2002 [sic.  one or the other? PGN]
For inquiry or discussion on submissions, please contact Winn Schwartau at
1-727-393-6600, or InfowarConat_private or winnsat_private
Winn Schwartau, President, Interpact, Inc. www.security-aware.com

------------------------------

Date: 12 Feb 2001 (LAST-MODIFIED)
From: RISKS-requestat_private
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  Alternatively, via majordomo,
 send e-mail requests to <risks-requestat_private> with one-line body
   subscribe [OR unsubscribe]
 which requires your ANSWERing confirmation to majordomoat_private .
 [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
 this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
 Lower-case only in address may get around a confirmation match glitch.
   INFO     [for unabridged version of RISKS information]
 There seems to be an occasional glitch in the confirmation process, in which
 case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
   .MIL users should contact <risks-requestat_private> (Dennis Rears).
   .UK users should contact <Lindsay.Marshallat_private>.
=> The INFO file (submissions, default disclaimers, archive sites,
 copyright policy, PRIVACY digests, etc.) is also obtainable from
 http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues.  *** All
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risksat_private with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
 ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
 http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
   Lindsay Marshall has also added to the Newcastle catless site a
   palmtop version of the most recent RISKS issue and a WAP version that
   works for many but not all telephones: http://catless.ncl.ac.uk/w/r
 http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
 http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    http://www.csl.sri.com/illustrative.html for browsing,
    http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 21.89
************************


