[risks] Risks Digest 22.05

From: RISKS List Owner (riskoat_private)
Date: Sun May 05 2002 - 15:09:45 PDT


    RISKS-LIST: Risks-Forum Digest  Sunday 5 May 2002  Volume 22 : Issue 05
    
       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
    
    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/22.05.html>
    and by anonymous ftp at ftp.sri.com, cd risks .
    
      Contents:
    "Don't Touch That Dial--Or You're Under Arrest!" (Lauren Weinstein)
    Re: "Don't Touch That Dial--Or You're Under Arrest!" (Dan Gillmor)
    Vivendi suspects electronic vote fraud (NewsScan)
    'Lost password' delays Mali vote count (PGN)
    Online voting in UK (Toby Gottfried)
    How to rig an election (*The Economist* via Mohammad Al-Ubaydli)
    Seattle City light billing disputes (Jason Axley)
    Risks of differing Unices (Theo Markettos)
    CIA warns of Chinese plans for cyber-attacks on U.S. (Mike Hogsett)
    Smart inventory control overshoot (Paul Breed)
    California DMV online data base (Bruce Stein)
    A new risk to computers worldwide: "W32/KLEZ.H" in MS Outlook
      (John Schwartz via John F. McMullen)
    How not to warn about viruses (Rob Slade)
    IE 6 Privacy features open users to attack (Monty Solomon)
    Midwest Express Web site security (Midwest Express)
    Robot cameras 'will predict crimes before they happen' (Merlyn Kline)
    Re: Online banking system failure in a big way (Ishikawa)
    Re: Nanny-Cam may leave a home exposed (Marc Roessler)
    Abridged info on RISKS (comp.risks)
    
    ----------------------------------------------------------------------
    
    Date: Sun, 05 May 2002 14:51:01 -0700
    From: Lauren Weinstein <laurenat_private>
    Subject: "Don't Touch That Dial--Or You're Under Arrest!"
    
    Greetings.  According to some in the entertainment industry, consumers risk
    becoming outlaws if they skip the commercials during television programs!
    The latest Fact Squad Radio short audio segment concerns the escalating
    technology and political battle between the entertainment industry and their
    consumers, and is entitled:
    
       "Don't Touch That Dial--Or You're Under Arrest!"
    
    It's playable via: 
    
       http://www.factsquad.org/radio
    
    Lauren Weinstein   +1 (818) 225-2800
    laurenat_private or laurenat_private or laurenat_private
    Co-Founder, PFIR, People For Internet Responsibility: http://www.pfir.org;
      Fact Squad: http://www.factsquad.org; URIICA - Union for Representative 
      International Internet Cooperation and Analysis - http://www.uriica.org
    Moderator, PRIVACY Forum - http://www.vortex.com
    
    ------------------------------
    
    From: Dan Gillmor <dgillmorat_private>
    Date: Sun, 05 May 2002 14:16:49 
    Subject: Re: "Don't Touch That Dial--Or You're Under Arrest!"
    
      [From Dave Farber's IP, written in response to Dave's posting a
      notice from Lauren Weinstein similar to the above.  PGN]
    
    Dave, today's column [by Dan] is on point:
    
    http://www.siliconvalley.com/mld/siliconvalley/business/columnists/3200101.htm
    
    Dear Reader:
    
    If you are reading this column in the newspaper, but did not read every
    article and look at every advertisement in previous sections, stop now. You
    must go back and look at all of that material before continuing with this
    column.
    
    If you are reading this column on the Web and did not go to the newspaper's
    home page first, stop now. Go to the home page and navigate through whatever
    sequence of links our page designers have created to reach this page, and
    don't you dare fail to look at the ads.
    
    Ridiculous? Of course.
    
    Tell that to the dinosaurs at some major media and entertainment companies.
    They insist they have the right to tell you precisely how you may use their
    products.
    
      [For IP archives see:
         http://www.interesting-people.org/archives/interesting-people/ ]
    
    ------------------------------
    
    Date: Mon, 29 Apr 2002 09:13:08 -0700
    From: "NewsScan" <newsscanat_private>
    Subject: Vivendi suspects electronic vote fraud 
    
    Vivendi Universal, the Paris-based media giant, is calling for a criminal
    investigation of suspected fraud by unnamed computer hackers during a
    shareholders vote by Internet last week. Vivendi thinks the vote tampering
    "could have been carried out by a small team armed with a transmitter-
    receiver and detailed knowledge of the procedures and technical protocols of
    electronic voting." (AP/*The Washington Post*, 29 Apr 2002; NewsScan Daily,
    29 Apr 2002)
      http://www.washingtonpost.com/wp-dyn/articles/A64981-2002Apr29.html
    
    ------------------------------
    
    Date: Tue, 30 Apr 2002 8:42:06 PDT
    From: "Peter G. Neumann" <neumannat_private>
    Subject: 'Lost password' delays Mali vote count
    
    The announcement of the results of Mali's presidential election on 28 Apr
    2002 has been suspended after a computer technician had a car accident,
    election officials have said.  He is the only person with the password to
    access the election centre's computers.  The technician was reportedly
    recovering in the hospital.  [BBC, PGN-ed]
      http://news.bbc.co.uk/hi/english/world/africa/newsid_1959000/1959327.stm
    
      [... except that nobody wanted to admit how easy it might have been to
      break in without knowing the password, which would have blown the cover of
      the folks who had already rigged the election?  PGN]
        [This item was noted by several readers.  TNX]
    
    ------------------------------
    
    Date: Thu, 2 May 2002 15:51:53 -0700
    From: "Toby Gottfried" <tobyat_private>
    Subject: Online voting in UK
    
    Apparently the British are making moves toward voting in a "high tech" way.
    
    And there are the worriers ...
      http://www.bbc.co.uk/webwise/column/col128.shtml
      http://www.bbc.co.uk/webwise/column/col139.shtml
    
    "...  But if there are unexpected results from next week's local elections
    in the UK it is entirely possible that they will be blamed on hackers,
    programming errors or network failures.  The reason is that the May 2002
    local elections are being used to test a selection of alternative voting
    methods. Most of these are 'e-voting' systems which use computers and
    networks, including the Internet. So if something unexpected happens there
    will be a temptation to blame it on the computers rather than take it as a
    reflection of a change in local opinion.  ..."
    
    Followup:
    
    Quoting from the start and end of
    http://society.guardian.co.uk/modlocalgov/story/0,7999,645401,00.html
    which has links to more articles,
    
      Residents of Sheffield and Liverpool will be able to vote over the
      Internet and by mobile phone text message in the May local government
      elections as part of a nationwide wave of 30 innovative electoral pilots
      announced today. [ Feb 5 2002 ]
    
      The pilots will provide a crucial first test of Internet voting, and could
      be a step towards an online general election.  .....  His announcement
      came as the independent Electoral Reform Society (ERS) warned that the
      government should not rush into online voting. Ministers need to ensure
      the technology used is thoroughly tested and that tough safeguards are in
      place to prevent fraud.
    
    ------------------------------
    
    Date: Tue, 30 Apr 2002 15:00:27 -0400
    From: "Dr Mohammad Al-Ubaydli" <moat_private>
    Subject: How to rig an election (*The Economist*)
    
    [An article from *The Economist* print edition, 25 Apr 2002, considers a
    situation which readily generalizes to a state with N Congressional
    districts in which one redistricting gives results of N to 0 representatives
    one way, and another redistricting gives results of 1 to N-1 the other way.
    Starkly PGN-ed from Dave Farber's IP
      http://www.interesting-people.org/archives/interesting-people/
      http://www.economist.com/world/na/displayStory.cfm?story_id=1099030]
    
    ------------------------------
    
    Date: Tue, 23 Apr 2002 11:33:02 -0700
    From: Jason Axley <jason-risksat_private>
    Subject: Seattle City light billing disputes
    
    Still no light has been shed on what is causing the massive overcharging of
    many Seattle City Light customers -- some as much as 10 times above normal.
    
    Some quotes:
    
      Seattle City Light, beleaguered by scores of customer complaints about
      inflated bills, now plans to do things "the Nordstrom way," meaning it
      will resolve billing disputes quickly and in the customer's favor when
      there's a question, Mayor Greg Nickels vowed yesterday.
    
      The city made some headway in trying to turn around what has become a
      public-relations disaster. But after promising Friday to come up with a
      definitive explanation on the inflated bills for the mayor by Monday, it
      came up a bit short.
    
      The hearing examiner "indicated that all my bills were from direct meter
      reads, so the bill in question was not a makeup bill," O'Leary said. "He
      also said the bill on its face was wrong. His conclusion was, however,
      that the meter never lies, and I must prove I did not use the power. How
      does one prove a negative?"
     
      Zarker emphasized that the billing problem does not lie with the city's
      new $40 million computer. "It works," he declared.
    
    [Source: *Seattle Times*, "Nickels says City Light billing disputes will be
    resolved quickly, in customer's favor", 16 Apr 2002]
    http://archives.seattletimes.nwsource.com/cgi-bin/texis.cgi/web/vortex/display?slug=citylight16m0&date=20020416
    
    ------------------------------
    
    Date: Tue, 30 Apr 2002 22:05:33 +0100 (BST)
    From: Theo Markettos <theomat_private>
    Subject: Risks of differing Unices
    
    Both Linux and HPUX provide a 'killall' command.  Under Linux 'killall
    <process name>' is used to kill all processes with the given name -- for
    example, as root one might kill all instantiations of httpd.
    
    Under HPUX, killall kills _every_ process, except those required for
    shutdown.  It takes an optional signal argument, but ignores this if it
    doesn't recognise it as a valid signal name.  Hence 'killall httpd' kills
    everything except a handful of processes required for shutdown.  If not
    running as root, it kills all processes owned by the current user.
    
    The RISK?  Don't assume something that is safe on one OS is on another,
    and don't assume that running a command without arguments to get help will
    do the right thing.
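
One way to avoid depending on either system's killall, as an added example that is not part of the original post: select processes by exact name from POSIX `ps` output and signal only those. The function names and the sample `ps` listing are constructed for illustration.

```python
import os
import signal
import subprocess

# Constructed sample of `ps -e -o pid= -o comm=` output (not from a real host).
SAMPLE_PS = """\
    1 init
  412 /usr/sbin/httpd
  413 httpd
  500 httpd-helper
  777 sshd
"""


def pids_by_name(ps_output, name, exclude=()):
    """Return PIDs whose command basename equals `name` exactly."""
    pids = []
    for line in ps_output.splitlines():
        fields = line.split(None, 1)
        # Skip blank or malformed lines instead of guessing.
        if len(fields) != 2 or not fields[0].isdigit():
            continue
        pid, comm = int(fields[0]), fields[1].strip()
        # Some systems report a full path in comm; compare the basename only,
        # so "httpd-helper" is never treated as "httpd".
        if os.path.basename(comm) == name and pid not in exclude:
            pids.append(pid)
    return pids


def kill_by_name(name, sig=signal.SIGTERM, dry_run=True):
    """Signal processes named `name`; never delegates to killall.

    With dry_run=True (the default) it only reports what would be signalled.
    """
    if not name:
        # An empty name must never widen into "everything".
        raise ValueError("refusing to signal processes without a name")
    # -e, -o pid= and -o comm= are POSIX ps options. HP-UX ps accepts -o only
    # in XPG4 mode, which is enabled by setting UNIX95 in the environment.
    env = dict(os.environ, UNIX95="1")
    out = subprocess.run(
        ["ps", "-e", "-o", "pid=", "-o", "comm="],
        capture_output=True, text=True, check=True, env=env,
    ).stdout
    targets = pids_by_name(out, name, exclude={os.getpid()})
    if not dry_run:
        for pid in targets:
            os.kill(pid, sig)
    return targets


if __name__ == "__main__":
    print(pids_by_name(SAMPLE_PS, "httpd"))
```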
    
    ------------------------------
    
    Date: Thu, 25 Apr 2002 14:07:50 -0700
    From: Mike Hogsett <hogsettat_private>
    Subject: CIA warns of Chinese plans for cyber-attacks on U.S.
    
    U.S. intelligence officials believe the Chinese military is working to
    launch wide-scale cyber-attacks on American and Taiwanese computer networks,
    including Internet-linked military systems considered vulnerable to
    sabotage, according to a classified CIA report.
      http://www.latimes.com/news/nationworld/world/la-042502china.story
    
    ------------------------------
    
    Date: Mon, 29 Apr 2002 14:15:16 -0700
    From: Paul Breed <Paulat_private>
    Subject: Smart inventory control overshoot
    
    I've been working on an old car, in the process of removing the spot welds I
    needed a specific sized bullet tipped drill bit. The bit would only last
    about 5 welds and I had hundreds to do.  The only place I could find locally
    to buy the bits was in a pack of 15 various size bits at the local home
    center.
    
    So, over the period of three months, I purchased all of their drill sets,
    every weekend (usually 3 sets).  Now I have disassembled the old car and
    don't need more bits. The last time I was in the home center they had so
    many of these drill bit sets that they were overflowing on to the floor.
    
    From my experience the computerized inventory system has a delay of about 3
    months.  It determined that this item sold out for 12 weeks straight,
    plugged this into its inventory tracking prediction S/W and ordered
    hundreds and hundreds of sets......
    
    ------------------------------
    
    Date: Wed, 24 Apr 2002 17:17:50 -0700
    From: Bruce Stein
    Subject: California DMV online data base
    
    From the Los Angeles Times, 24 Apr 2002
    http://www.latimes.com/news/printedition/highway1/la-000028975apr24.story
    
    At the California DMV Web site at http://www.smogcheck.ca.gov , click on 
    "Vehicle Smog Check History".  Enter just a license plate number, and you 
    will be provided with:
    
    Vehicle Identification Number (VIN)
    Make, Model, and Year of the vehicle
    The date and location of every smog test the vehicle has had.
    
    The location of the smog test is almost always the neighborhood where the 
    car lives.
    
    In the case of Personalized License Plates, you get all of the vehicles the 
    plate has ever been on.
    
    ------------------------------
    
    Date: Sat, 27 Apr 2002 10:45:57 -0400 (EDT)
    From: "John F. McMullen" <observerat_private>
    Subject: A new risk to computers worldwide: W32/KLEZ.H" in MS Outlook
    
      [Source: John Schwartz, *The New York Times*, 27 Apr 2002]
    
    A rogue computer program that is the online equivalent of a quick-change
    artist is infecting computers around the world via e-mail and clogging
    computer networks.  The program, W32/KLEZ.H, is a "blended threat,"
    combining elements of a virus, which infects machines, and a worm, which
    transports itself from machine to machine. It also tries to disable some
    antivirus programs.  It makes itself hard for users to spot by changing its
    e-mail subject line, message and name of the attachment at random, drawing
    from a database that includes, for example, such subject lines as "Hello,
    honey," and "A very funny Web site."  The program has grown increasingly
    common as users unknowingly activate it sometimes without even opening the
    e-mail attachment that carries the virus and allow it to send copies of
    itself to those in the victim's e-mail address file.  [PGN-excerpted]
    
    ------------------------------
    
    Date: Thu, 2 May 2002 10:28:11 -0800
    From: Rob Slade <rsladeat_private>
    Subject: How not to warn about viruses
    
    The Klez family of viruses is not new: on the publicity page that I provide
    at http://www.osborne.com/virus_alert/ I first warned of the family in
    November of 2001.  However, the author (or authors) has been continually
    active, and some of the recent variants (particularly Klez.H) have been
    successful enough that the virus warnings have been flying around the net.
    
    Unfortunately, not all of the warnings have been particularly helpful.  Klez
    is one of the new breed of polymorphic e-mail viruses.  Unlike Melissa,
    Loveletter, Hybris, or Sircam with their identifiable subject lines,
    attachment filenames, implied pornography, or ungrammatical message bodies,
    Klez variants present with a wide variety of subjects, bodies, filenames,
    topics, and (most recently) senders.
    
    Recently I got my hands on what has to be one of the worst examples of a virus 
    warning that I've ever seen:
    
    > I have been advised that ther is a very bad computer virus out.  If opened
    > the virus will attach itself to your address book. 
    > 
    > If you get an e-mail from W32.klezat_private
    >
    > Do not open the attachment
    >
    > Delete it right away
    
    I might note that, although I can't tell the source of this misinformation,
    it makes several obvious errors.  The attempt at a CARO virus name has a few
    problems: it doesn't have a variant designation (such as Klez.H), there
    appears to be some confusion with another extant virus (which makes mention
    of "Jenna"), and the "mass mailer" designation is usually .mm rather than
    .nn.  More importantly, Klez does not have a consistent "From" indicator.
    Also, this particular company uses Microsoft Outlook for e-mail, and has no
    policy regarding the preview pane or other security related configuration.
    By the time anyone notices that an attachment exists, it will likely be too
    late.
    
    (More recent Klez variants tend to pick a real e-mail address harvested from
    the infected computer to generate the "From" line in generated e-mail.
    Therefore, those attempting to track infections will often concentrate on a
    machine or user that is not the source of the infection.  I have heard from
    someone in another company who has been targeted by management as the
    source of the infection.  This was interesting in that he was travelling at
    the time of the occurrence, and his computer was not connected to the
    Internet at all for a few days on either side of the event.)
    
    For those interested in trying to detect Klez messages, three of the more
    reliable, but by no means universal, indicators are that, viewed manually,
    the MIME file type often does not match the filename extension, the filename
    extension is one of the usual executable crowd (.BAT, .PIF, .SCR, .EXE,
    etc.), and the size of the encoded file usually ranges between 120K and
    180K.
    
    (The old advice to avoid running attachments still holds true, albeit with a
    few provisos.  Those who use Microsoft Outlook or Outlook Express may,
    because of the specialized construction of the message, still be at risk
    even if the attachment is not deliberately run by the user.  Due to this
    same construction, users of other mailers, such as Pegasus or Netscape
    Communicator, may never see the attachment at all, and therefore may be at
    no risk.)
    
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
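
The three indicators listed in the post above, applied to a parsed message as an added example that is not part of the original post. The function names, the set of content types accepted for executables, the reading of "K" as 1024 bytes, and the sample messages are assumptions constructed here; as the post says, the indicators are not universal, so the score is a triage hint rather than a verdict.

```python
import os
from email import encoders, message_from_string
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# "The usual executable crowd" named in the post.
EXECUTABLE_EXTS = {".bat", ".pif", ".scr", ".exe"}
# Assumption: declared types that plausibly match an executable attachment.
OPAQUE_TYPES = {
    "application/octet-stream",
    "application/x-msdownload",
    "application/x-msdos-program",
}
# Encoded-size window from the post (120K to 180K), read here as KiB.
SIZE_MIN, SIZE_MAX = 120 * 1024, 180 * 1024


def scan_message(raw):
    """Return one finding per named attachment with the three indicators."""
    findings = []
    for part in message_from_string(raw).walk():
        filename = part.get_filename()
        if not filename:
            continue  # body parts and multipart containers
        # The last extension decides, so "photo.jpg.scr" counts as .scr.
        ext = os.path.splitext(filename)[1].lower()
        executable_ext = ext in EXECUTABLE_EXTS
        # Narrowed form of "MIME type does not match the extension":
        # an executable extension declared as some non-executable type.
        mime_mismatch = executable_ext and part.get_content_type() not in OPAQUE_TYPES
        # Size of the *encoded* body, as the post specifies, not the decoded file.
        encoded = part.get_payload(decode=False)
        encoded_len = len(encoded) if isinstance(encoded, str) else 0
        size_in_range = SIZE_MIN <= encoded_len <= SIZE_MAX
        findings.append({
            "filename": filename,
            "declared_type": part.get_content_type(),
            "executable_ext": executable_ext,
            "mime_mismatch": mime_mismatch,
            "size_in_range": size_in_range,
            "score": sum([executable_ext, mime_mismatch, size_in_range]),
        })
    return findings


def build_sample(filename, content_type, payload_len):
    """Build a constructed test message; the attachment is only zero bytes."""
    msg = MIMEMultipart()
    msg["Subject"] = "constructed sample"
    msg.attach(MIMEText("constructed body", "plain"))
    maintype, subtype = content_type.split("/")
    att = MIMEBase(maintype, subtype)
    att.set_payload(b"\x00" * payload_len)
    encoders.encode_base64(att)
    att.add_header("Content-Disposition", "attachment", filename=filename)
    msg.attach(att)
    return msg.as_string()


if __name__ == "__main__":
    samples = [
        build_sample("setup.scr", "audio/x-wav", 100_000),
        build_sample("report.pdf", "application/pdf", 2_000),
        build_sample("tool.exe", "application/octet-stream", 2_000),
    ]
    for raw in samples:
        for finding in scan_message(raw):
            print(finding)
```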
    
    ------------------------------
    
    Date: Thu, 25 Apr 2002 02:13:41 -0400
    From: Monty Solomon <montyat_private>
    Subject: IE 6 Privacy features open users to attack
    
    By Brian McWilliams, *Newsbytes*, 23 Apr 2002
    
    Security flaws in privacy features added to Microsoft's Web browser could
    enable attackers to perform several privacy-robbing attacks, including
    hijacking victims' MSN Messenger accounts, a security researcher warned.
    According to Thor Larholm, a developer with Denmark-based Internet portal
    Jubii.dk, "severe" bugs in the "Privacy Report" feature in Internet Explorer
    version 6 can be exploited "in effect removing all privacy."  Last week,
    Larholm posted an advisory and harmless demonstrations of the flaws at his
    personal Web site. One example showed how the browser bugs enable a Web site
    to launch programs that exist on the user's hard disk. Another demo page
    silently sends a message to users in the target's MSN Messenger contact
    list.  ...
      http://www.newsbytes.com/news/02/176077.html
    
    ------------------------------
    
    Date: Fri, 26 Apr 2002 21:41:18 -0700
    From: Midwest Express
    Subject: Midwest Express Web site security
    
      [via Mark Luntzel]
    
    On the morning of Monday April 22, Midwest Express Airlines was informed
    that customer profile data had been published on the Internet, specifically
    on the U.S. Space and Naval Warfare Systems Command Web site. The data
    published contained a handful of user profiles including names and e-mail
    addresses. This screenshot of data was captured from the Midwest Express
    test server, not the actual Web site. This test server is used for testing
    new enhancements to www.midwestexpress.com.
    
    Midwest Express has always taken steps to ensure security. As a result of
    this situation, a number of additional precautionary measures were taken to
    ensure that customer data was protected:
     
    * The U.S. Space and Naval Warfare Web site immediately removed the defaced
      Web page from the Internet.
      
    * A security company was contracted to eliminate any vulnerability to our
      test server.
    
    * All customer passwords to Web profiles were changed to protect and
      restrict access to the customer data.
    
    Since all passwords have been changed, the next time you visit
    midwestexpress.com and login to your profile, you will be prompted to change
    your own password upon successfully answering a challenge/response question
    that you created.
    
    While Midwest Express is confident in the security of its Web site, we are
    always assessing our Web site for potential vulnerabilities and taking
    appropriate steps when needed. We assure you that your customer information,
    purchases and other transactions are secure.
    
    Tom Vick, Senior Vice President and Chief Marketing Officer
    
    ------------------------------
    
    Date: Mon, 22 Apr 2002 13:36:51 +0100
    From: "Merlyn Kline" <merlynat_private>
    Subject: Robot cameras 'will predict crimes before they happen'
    
    According to the UK broadsheet *The Independent*, Dr Sergio Velastin, of
    Kingston University's Digital Imaging Research Centre, has developed
    software to analyse CCTV images for the purpose of predicting crime:
      http://news.independent.co.uk/uk/crime/story.jsp?story=287307
    
    Quote from the article:
    
      Scientists at Kingston University in London have developed software able
      to anticipate if someone is about to mug an old lady or plant a bomb at an
      airport.  It works by examining images coming in from closed circuit
      television cameras (CCTV) and comparing them to behaviour patterns that
      have already been programmed into its memory.  The software, called Cromatica,
      can then mathematically work out what is likely to happen next. And if it
      is likely to be a crime it can send a warning signal to a security guard
      or police officer.
    
    ------------------------------
    
    Date: Sun, 21 Apr 2002 09:16:09 +0900
    From: Ishikawa <ishikawaat_private>
    Subject: Re: Online banking system failure in a big way (RISKS-22.03)
    
    Here are a few interesting points to follow up the original story of online
    banking system failure of Japan's Mizuho bank.
    
    It has been revealed that the Tokyo Electric utility which services the
    heavily populated Tokyo and its surrounding areas had asked the (soon-to-be)
    Mizuho bank for a dry-run of the utility bills payment before the merger
    back in February.  The utility company was worried about the large scale
    change and requested that about 100,000 sample bills be run through the new
    integrated system to see if such bills are handled correctly.  However, the
    bank turned down the request saying that their internal testing would be
    enough.
    
    Obviously it was not!
    
    The utility company requested the testing again despite the first refusal,
    but then again the request was turned down.
    
    One of the reasons for the overload at the bank was mentioned as the failure
    of many transactions due to incorrect input data.  It seems that the new
    integrated banking system required the conversion of old branch numbers of
    three banks into the newly assigned branch numbers.  Some branch numbers
    were common among the three banks and they needed to be reassigned a new
    number once Mizuho bank went into operation.  Apparently, some companies
    requesting the automatic billing failed to update the branch numbers in
    their transaction input (on MT!) and such transactions were deemed errors
    and manual intervention to inspect and rectify the aborted transactions was
    necessary.
    
    Some of the double billings, etc. were attributed to the incorrect handling
    of magnetic tapes.  Some tapes were obviously run through the system twice
    under the confused circumstances.
    
    I think by failing to perform the 100,000 bills test run, the bank missed a
    great opportunity to test the integrated computer system and make sure the
    manual steps to intervene in case of failure are well organized and known
    to operation staff members.
    
    There ARE now visible damages.
    
    The utility companies (gas, electricity) and telephone companies can't
    figure out whether their bills were paid by the subscribers. The amount of
    money mentioned amounts to 25,000,000,000 yen.  (That's approximately US$191
    million at 1 dollar = 130.5 yen.)
    
    Mizuho bank is negotiating with telephone companies and others to pay an
    agreed-upon ball-park sum of money, but since individual transactions can't
    be confirmed, the utility company can't figure out, say, if I paid the bill,
    so to speak.  (It seems that the utility companies decided to send out BLANK
    invoice notices without filling in the status of the payments that were due
    in April!)  The utility companies are considering asking the bank to pay for
    the additional cost to send complete receipts to their customers.
    
    Small companies are hit hard when their payments didn't make it on time due
    to the banking failure.  The small business associations all over Japan
    seemed to be flooded with complaints of their reputation being on the line
    due to the delay caused by the bank, not by their own failure.
    
    I just heard on TV news of a case of a gas station owner whose salary
    payment to part time workers at the station failed to materialize in the
    workers' accounts.
    
    This is getting serious.
    
    In Japan, many companies have 25th as the monthly salary payment day, and
    since the long holiday weekend called Golden Week starts on April 27, the
    banking system will be busier.  It is expected that many people begin
    withdrawing cash to use during the holidays and so the workload on the
    banking system is expected to soar due to the monthly salary payment, and
    the people taking out money from ATMs.
    
    Since I am a customer of Mizuho, I have reason for concern...
    
    With the revelation of the refusal to perform a dry run with the electric
    utility company to test the real world workload and top management saying
    earlier at the parliament hearing that "No real harm was done to the
    customers", the Mizuho bank's reputation is at an all-time low.
    
    The Mizuho bank seems to think that their system can withstand the workload
    toward the end of the month, but who knows.
    
    LATER-ADDED NOTE:
    
    The bank has decided to stop ATMs all over Japan May 3rd and 4th, which are
    part of the holiday season.  They had planned to operate ATMs during the
    holidays, but they deemed it necessary to stop the ATMs and check the
    banking system offline thoroughly.
    
    ------------------------------
    
    Date: Tue, 23 Apr 2002 10:56:29 +0200
    From: Marc Roessler <marcat_private>
    Subject: Re: Nanny-Cam may leave a home exposed (RISKS-22.04)
    
    This is nothing new. Such cameras are even installed in some public
    restaurants and shops. Note that this basically voids all claims of the shop
    owners concerning privacy and data protection -- ANYONE can receive that
    data.  And, as more and more cameras are installed, the risk of malicious
    "camera takeovers" rises significantly. Think about webcams, cams integrated
    into notebooks/cellular phones, car dashboards (detect the driver falling
    asleep)..  Those are easily tapped (or subverted, such as by installing
    trojan software/ firmware).. this has some enormous potential. The case of
    the Nanny-Cams shows the deviousness of this kind of attack: as the devices
    are not suspected to be used to spy on their owner ("I own that device; that
    makes it trusted"), they function more or less as hidden cameras. For more
    "camera takeover" scenarios take a look at my paper "How to find hidden
    cameras" [1].
    
    [1] http://www.franken.de/users/tentacle/papers/hiddencams.pdf
    
    ------------------------------
    
    Date: 29 Mar 2002 (LAST-MODIFIED)
    From: RISKS-requestat_private
    Subject: Abridged info on RISKS (comp.risks)
    
     The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
     if possible and convenient for you.  Alternatively, via majordomo,
     send e-mail requests to <risks-requestat_private> with one-line body
       subscribe [OR unsubscribe]
     which requires your ANSWERing confirmation to majordomoat_private .
     If Majordomo balks when you send your accept, please forward to risks.
     [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
     this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
     Lower-case only in address may get around a confirmation match glitch.
       INFO     [for unabridged version of RISKS information]
     There seems to be an occasional glitch in the confirmation process, in which
     case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
       .MIL users should contact <risks-requestat_private> (Dennis Rears).
       .UK users should contact <Lindsay.Marshallat_private>.
    => The INFO file (submissions, default disclaimers, archive sites,
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues.  *** All
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risksat_private with meaningful SUBJECT: line.
    => ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
       [volume-summary issues are in risks-*.00]
       [back volumes have their own subdirectories, e.g., "cd 21" for volume 21]
     http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
       Lindsay Marshall has also added to the Newcastle catless site a
       palmtop version of the most recent RISKS issue and a WAP version that
       works for many but not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing,
        http://www.csl.sri.com/illustrative.pdf or .ps for printing
    
    ------------------------------
    
    End of RISKS-FORUM Digest 22.05
    ************************
    



    This archive was generated by hypermail 2b30 : Sun May 05 2002 - 17:10:02 PDT