[risks] Risks Digest 22.08

From: RISKS List Owner (riskoat_private)
Date: Wed May 22 2002 - 10:58:49 PDT

    RISKS-LIST: Risks-Forum Digest  Wednesday 22 May 2002  Volume 22 : Issue 08
    
       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
    
    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/22.08.html>
    and by anonymous ftp at ftp.sri.com, cd risks .
    
      Contents:
    SPAM-demon-ium overload countermeasure (PGN)
    AT&T's e-mail filter filters AT&T's e-mail (NewsScan)
    Air-traffic control software reliability (Peter B. Ladkin)
    Disk crash destroys law-enforcement mug shots in Michigan (Thomas Insel)
    WashDC database crash linked to a death by a falling tree (Przemek Klosowski)
    Fun with fingerprint readers (Bruce Schneier via Monty Solomon)
    "Medication errors could be eliminated ..." (Dr. David Alan Gilbert)
    Copy Protected CDs -- risk of selling marker pens (Doug Sojourner)
    Re: Apple: break your new PC with a copy-protected CD ... (Bill Bumgarner)
    FBI does not care about standards, nor getting that information 
      (Peter Ha*kanson)
    2 unsolved telephone mysteries - software faults? (Andrew Goodman-Jones)
    Candy machine punishes the quick-thinking (Fredric L. Rice)
    Compaq issues refunds for one-cent PCs (Tudor Bosman)
    Re: Your bash has Alzheimer's (Bob Bramwell)
    REVIEW: "CISSP Exam Cram", Mandy Andress (Rob Slade)
    Abridged info on RISKS (comp.risks)
    
    ----------------------------------------------------------------------
    
    Date: Weds, 22 May 2002 10:12:43 PDT
    From: RISKS List Owner <riskoat_private>
    Subject: SPAM-demon-ium overload countermeasure
    
    I was away from the RISKS directory for almost a week, and went an overly
    long 10 days between RISKS-22.06 and 22.07.  Out of over 1000 e-mail
    messages in a 6-day period, there were about 20 potential contributions, and
    one message from a would-be subscriber whose mailer had mistakenly sent his
    "accept" response to RISKS rather than replying to majordomo.  About *98
    percent* of the RISKS e-mail during that period was spam that I deleted
    unseen based only on the subject message or the From: address.  (Excuse me
    if I accidentally deleted one of your legitimate submissions!)  The RISKS
    spam rate has enormously increased over the past year (when I mentioned it
    in RISKS-21.39, one year ago, it had just reached 50% for the first time).
    At 98%, it has now reached absolutely ridiculous proportions and
    necessitates some draconian action.  For example, we could use some sort of
    challenge-response confirmation technique and hope that your mail systems
    will be able to cope with it; however, as we have read here in the past,
    such schemes can create further risks.  CONSEQUENTLY, as a simpler measure,
    we have just installed SpamAssassin (free software from spamassassin.org),
    and in the first few minutes it is *already* a huge success as the spam
    pours into another mailbox that I hopefully will seldom look at.  Of course,
    SpamAssassin may also filter out some of your legitimate mail, without
    letting you know.  So, if you have sent in an absolutely marvelous
    contribution or an urgent request and believe that I may never have seen it,
    please send an out-of-band message to that effect.
    
    Incidentally, the annual seasonal RISKS slowdown will begin as usual this
    year in mid-June, which means just a few issues now and then over the
    northern hemisphere's summer.  Let's hope there are not too many disasters
    needing to be reported during that period.
    
    Stay tuned.  PGN
    
    ------------------------------
    
    Date: Wed, 22 May 2002 08:27:09 -0700
    From: "NewsScan" <newsscanat_private>
    Subject: AT&T's e-mail filter filters AT&T's e-mail
    
    An example of foot-in-mouth filtering? AT&T Broadband offered its high-speed
    Internet users an e-mail software filter to block spam, but later found out
    that it had blocked its own messages to customers notifying them of a rate
    increase. An AT&T executive tried to put the best face on it: "If there is a
    silver lining, it appears our spam filtering system works so well that it
    even deletes mass e-mails from our own company." The company will resend
    customer notices of the rate increases.  [AP/*USA Today* 2002; NewsScan
    Daily, 22 May 2002]
      http://www.usatoday.com/life/cyber/tech/2002/05/22/e-mail-filter.htm
    
    ------------------------------
    
    Date: Wed, 15 May 2002 10:03:39 +0200
    From: "Peter B. Ladkin" <ladkinat_private-bielefeld.de>
    Subject: Air-traffic control software reliability
    
    An article in *Aviation Week and Space Technology*, "Why Controllers Are
    Skeptics Regarding New Technology", by Bruce Nordwall, 6 May 2002, pp.50-51,
    tells the following tale recounted recently at an air-traffic controllers'
    conference by Philippe Domogola, supervisor at the Maastricht Upper Area
    Control Center.
    
    "Some years ago," a new European ATC center installed software specified as
    "99.99% reliable", which apparently meant 99.99% availability in each
    calendar year, or a maximum of roughly 52 minutes down-time per year.  The
    software "failed" a couple of months after installation, and suffered 20
    hours down-time. "The manufacturer's conclusion was: human error that will
    not happen again" (come to think of it, any specific software bug can be put
    down to "human error that will not happen again").
    
    Someone had forgotten about leap years. It failed at 23:59 on February 28.
    
    Some controllers suggested that since the software was "99.99% reliable" and
    it had failed for 20 hours, it follows there were going to be no more
    failures for the next 25 years.
    
    They were right. It does follow.
    
    Peter B. Ladkin, University of Bielefeld, Germany
    http://www.rvs.uni-bielefeld.de
    
    ------------------------------
    
    Date: Sat, 11 May 2002 12:56:07 -0700 (PDT)
    From: Thomas Insel <tinselat_private>
    Subject: Disk crash destroys law-enforcement mug shots in Michigan
    
    On 11 May 2002, *The New York Times* (page A13 of the National Edition)
    reported that the Macomb County, Michigan, sheriff's department lost over
    50,000 photographs of criminals on a crashed hard drive.  Not particularly
    exciting, except that they had wisely made hardcopy backups of some of the
    photos.  The issue of electronic backups was never even raised.  Perhaps
    many computer users no longer realize such a thing is possible?
      http://www.nytimes.com/2002/05/11/national/11BRFS.html
    
    ------------------------------
    
    Date: Sat, 18 May 2002 23:15:08 -0400
    From: Przemek Klosowski <przemekat_private>
    Subject: WashDC database crash linked to a death by a falling tree
    
    Among the world cities, the beautiful Washington DC is probably right up
    there in terms of a number of parks and wooded neighborhoods; it is possible
    to drive into the center of the city on roads that are visually completely
    surrounded by trees.
    
    Unfortunately, the DC city government is still struggling with many
    municipal services; the city is sometimes a few stray blocks short of Mary
    Poppins' proper child nursery. Tree maintenance is a particular problem:
    many trees have dead branches, and some are sick or dead.  In the recent
    wave of violent spring storms, quite a number of trees were partly or
    completely felled, causing significant property damage, some injuries, and
    at least one death:
    
      http://www.washingtonpost.com/wp-dyn/articles/A17238-2002May14.html
    
    Part of the reason for this is the usual lack of funds and bureaucratic
    inertia, but there's also a computer angle:
    
      "One major obstacle for the city is that its database of public
      trees that needed pruning or removal crashed in 2000 and couldn't
      be restored. At that time, the city had a backlog of 5,000 dead
      trees that needed to be removed. Now, it doesn't know how many it has."
    
    ------------------------------
    
    Date: Fri, 17 May 2002 17:27:36 -0400
    From: Monty Solomon <montyat_private>
    Subject: Fun with fingerprint readers
    
    Excerpted from Bruce Schneier's CRYPTO-GRAM, May 15, 2002
    
    Tsutomu Matsumoto, a Japanese cryptographer, recently decided to look at
    biometric fingerprint devices that attempt to identify people based on their
    fingerprint. For years the companies selling these devices have claimed that
    they are very secure, and that it is almost impossible to fool them into
    accepting a fake finger as genuine. Matsumoto, along with his students at
    the Yokohama National University, showed that they can be reliably fooled
    with a little ingenuity and $10 worth of household supplies. [...]
    http://www.counterpane.com/crypto-gram-0205.html#5
    
      [They were able to spoof 80% of the machines.  PGN]
    
    ------------------------------
    
    Date: Sun, 19 May 2002 19:52:48 +0100
    From: "Dr. David Alan Gilbert" <gilbertdat_private>
    Subject: "Medication errors could be eliminated ..."
    
    *The Pharmaceutical Journal* (a journal for U.K. Pharmacists) Vol 268, page
    697, in an article on the sixth annual conference on electronic prescribing
    and medicines administration, has a picture of a health professional using a
    computer with the caption:
    
      'Medication errors could be eliminated by the use of electronic prescribing
      systems'
    
    The accompanying article (and another in the same issue) is more careful to
    say 'reduce' errors; but it is another example of the danger of what a
    computer can be expected to do.
    
    Dr. David Alan Gilbert  gro.gilbert @ treblig.org  http://www.treblig.org
    
    ------------------------------
    
    Date: Mon, 20 May 2002 13:13:17 -0700
    From: Doug Sojourner <doug_sojournerat_private>
    Subject: Copy Protected CDs -- risk of selling marker pens
    
    > ``Copy-Proof'' CDs Cracked with 99-Cent Marker Pen, 20 May 2002,
    > By Bernhard Warner, European Internet Correspondent 
    >   Technology buffs have cracked music publishing giant Sony Music's
    >   elaborate disc copy-protection technology with a decidedly low-tech
    >   method: scribbling around the rim of a disk with a felt-tip marker.
    
    Given that marking pens can be used to overcome Sony's CD protection scheme,
    will it now become illegal to sell pens?
    
    ------------------------------
    
    Date: Sun, 19 May 2002 10:43:54 -0400
    From: Bill Bumgarner <bbumat_private>
    Subject: Re: Apple: break your new PC with a copy-protected CD ... (R 22 07)
    
    Is it a car company's fault if you put sugar water in the gas tank and it 
    destroys the engine?
    
    Is it a printer manufacturer's fault if you put toilet paper through your 
    printer and completely destroy the print heads?
    
    No -- it is the consumer's fault in those cases.
    
    In the case of the copy protected CDs, things aren't so clear.  It still
    isn't the computer manufacturers' fault -- at the time of design and
    manufacture, they cannot predict changes in technology and they certainly
    can't predict and account for changes in technology that are designed to
    break their products!
    
    The problem with the copy protected audio CDs is that the CD manufacturer
    has purposefully designed a CD to be incompatible with computer hardware.
    They have purposefully violated a standard that hardware manufacturers have
    been manufacturing to for nearly two decades (since 1983/1984).
    
    Let's rephrase the question slightly:
    
      Should it be legal for antitheft devices to destroy property?  In
      particular, should it be legal to destroy property in contexts where it is
      not 100% guaranteed that a theft was actually in progress?
    
    That is exactly what the audio CD manufacturers (to be fair, the folks
    mastering the CDs) are doing.  They are purposefully creating a piece of
    media that, when inserted into a computer, can cause data loss [a number of
    PCs outright crash when faced with these CDs] or even changes to the
    hardware that require relatively nasty fixes (as is the case with the Macs
    -- it doesn't hurt it, just leaves it such that there is no way to get the
    damned disk out).
    
    Sure -- it may be the fault of the consumer for actually sticking the CD into
    their computer.
    
    But it would seem that the folks that created the format in direct violation
    of published standards should share some of the blame and resulting
    liability.
    
    ------------------------------
    
    Date: Sun, 19 May 2002 11:22:58 +0200
    From: peter h <peterat_private>
    Subject: FBI does not care about standards, nor getting that information
    
    A few days ago I noticed that one of my children got spam in his mailbox.
    Browsing through it, it looked very nasty, advertising child-pornography. As
    this is a crime both in my country and in Maryland, USA, I decided to report
    it.
    
    Finding www.fbi.gov was easy. Finding an e-mail address was difficult. In
    fact, I failed finding an e-mail address. What was available was one of
    those Webforms that never really is appropriate for the task in hand.  As
    the Webform was the only alternative, I tried to register my complaints,
    hoping that someone would contact me via e-mail so all details could be
    reported.
    
    Within hours there was an attempt, I say attempt because my mailserver is
    configured to reject connections from abusive and rfc-ignorant sites. A
    common technique that spammers hide behind is sending e-mail from a domain
    that does not exist. Those mails can never be replied to, nor complained
    about.
    
    Guess what? The connection attempt was from <NO-Reply-IFCCat_private>
    
    I see two problems with FBI's attitude.  The serious one is that they will
    miss some tips and e-mails with data (not everyone has an explorer browser
    available).  The other problem is that their IT-responsibility seems to be
    totally clueless.
    
    What's most important?  To get those tips - or to make sure that everyone
    uses Microsoft Explorer whenever they contact FBI.  I have my opinion, but
    unfortunately I cannot vote in the US.
    
    I also sent a copy of the same mail to the Swedish police, where I could
    find e-mail addresses, but they seem to have ignored the report.
    
    ------------------------------
    
    Date: Thu, 23 May 2002 00:48:22 +1000
    From: "Andrew Goodman-Jones" <goodieat_private>
    Subject: 2 unsolved telephone mysteries - software faults?
    
    It's 5am.  My mum gets woken by one ring on her home phone.  It stops before
    she can answer it.
    
    Being her curious and paranoid self (wonder where she gets that from?), she
    gets up anyway and checks the Caller ID unit.  The number is her own mobile.
    Her mobile is in her bedroom on the table.  It has a flip down panel that
    covers the keypad (which prevents accidental dialing by bumping the
    buttons).  She checks the recent outgoing calls list (after asking me how to
    view it).  Her home number is in the list.
    
    How did her mobile phone make a call by itself at 5am?
    
    It is believed that no-one else intervened in this situation (i.e.,
    cat-burglars, children etc)
    
    Anyone have any ideas? (BTW, it's a Samsung GSM phone if that helps.  I have
    the same model and this has never happened to me, that I know of.)
    
    This is the second on my list of Weird Stuff.  First on the list is:
    
    Back in 1996 when I went to NYC, a call was made from my phone in my office
    in Sydney a few days after I had left.  Ok, not too weird - it was probably
    the other guy I was sharing the office with.  Here's the weird bit: A call
    at a very similar time was made on my HOME phone to the same number (which I
    don't recognise at all).  No-one from the office had any association at all
    with my home.  Different bills, different suburbs, different exchanges etc.
    I have no idea at all what happened here.
    
    I reckon that both events were software faults.  The first in the mobile
    phone's firmware, the second at the billing dept. of the phone company.
    
    Andrew Goodman-Jones <goodieat_private>
    
    ------------------------------
    
    Date: Thu, 09 May 2002 13:12:03
    From: "Fredric L. Rice" <friceat_private>
    Subject: Candy machine punishes the quick-thinking
    
    While picking up my company snail mail, I observed a guy shove a dollar bill
    into a candy vending machine, slowly look over the selections, and then
    punch in a choice.  He was rewarded with not only candy but also change for
    his buck.  Good deal; everybody walked away happy.
    
    There were some mints in the machine that I wanted so I walked up, shoved my
    dollar into the machine, and punched D2 only to be rewarded with an "ERROR:
    Cost $.70" message and no sign of my dollar.  After a minute or two of
    pounding, kicking, and yelling at the machine (I'm a programmer) I tried
    again (I'm also a sucker) only this time I shoved in the dollar and waited
    for the display to show "Credit: $1.00."  When I made my selection -- D2
    again -- this time I got my mints and my change.
    
    It turns out that there's a period of time between when you shove in your
    buck and get the "Credit: $1.00" message that if you make a selection the
    machine will eat the dollar and then swear up and down you never gave it
    one.
    
    Funny, though, that people who know exactly what they want in life before
    they pay their money are the ones who get rooked the most while the people
    who shove in their buck and then examine the variety of available choices
    life has to offer are the ones who get rooked less.
    
    The risks?  I suspect that the software that went in to the machine was
    tested by the programmer and not tested in the field before being released
    -- though the only way to find out would be to ask.  Not doing real-world
    testing is a common risk but this fault was dumb and should have been easy
    to catch before the software was released.
    
      [Just wait until the thing starts accepting debit and credit cards.  More
      good ways to make the software fail!  }:-} ]
         [So, we need atomic transactions from a candy machine!  PGN]
    
    ------------------------------
    
    Date: Sat, 11 May 2002 12:16:49 -0700
    From: Tudor Bosman <tudorbat_private>
    Subject: Compaq issues refunds for one-cent PCs
    
    The RISK is obvious.  From http://zdnet.com.com/2100-1106-903686.html:
    
    Despite its initial denials, Compaq Australia now admits that it did in fact
    process the payments of customers who bought Presario laptops for just one
    cent as a result of an online pricing hiccup.  [...]  Compaq is still
    adamant, however, that it is not obligated to honor the accidental one-cent
    pricing, despite mounting industry criticism and ongoing threats of a
    customer-initiated class action law suit.  [...]  "As this was a genuine
    error, Compaq canceled all orders from the system. In instances where 1
    cent was debited from customers accounts it will be refunded."
    
    ------------------------------
    
    Date: Sun, 19 May 2002 03:28:08 +0000 (GMT)
    From: Bob Bramwell <bbramwelat_private>
    Subject: Re: Your bash has Alzheimer's (Maziuk, RISKS-22.07)
    
    Interestingly enough, not merely is my bash mentally deficient, but so is
    ksh, sh, csh, and tcsh. This is on a SunBlade 100 running Solaris 8.  Now,
    what does this say about Korn, Bourne, Joy, and Grevstad I wonder?  Methinks
    it is a little unfair to single out Larry Wall for such criticism, but I
    appreciate the "heads up"!
    
    Bob Bramwell, ProntoLogical, 60 Baker Cr. NW, Calgary, AB  T2L 1R4, Canada    
    +1 403/861-8827  
    
    ------------------------------
    
    Date: Mon, 13 May 2002 11:56:34 -0800
    From: Rob Slade <rsladeat_private>
    Subject: REVIEW: "CISSP Exam Cram", Mandy Andress
    
    BKCISPEC.RVW   20020321
    
    "CISSP (Exam Cram)", Mandy Andress, 2001, 1-58880-029-6,
    U$34.99/C$53.99/UK#24.49
    %A   Mandy Andress
    %C   14455 N. Hayden Road, Suite 220, Scottsdale, AZ  85260
    %D   2001
    %G   1-58880-029-6
    %I   Coriolis
    %O   U$34.99/C$53.99/UK#24.49 800-410-0192 fax: 602-483-0193
    %P   265 p.
    %T   "CISSP (Exam Cram)"
    
    It is interesting, and somewhat disturbing, to note that while there are a
    number of effusive quotes on and inside the cover extolling the virtues of
    the Exam Cram series, none specifically mention this book.
    
    Bound into the inside front cover is a cram sheet, with 50 points on
    it that are obviously supposed to be vitally important to the exam. 
    Leaving aside both the simplistic nature of the information presented,
    and the difficulty of answering a 250 question exam with a mere 50
    points, we only have to get to the third point on the sheet before we
    run into rather significant errors.  (Role-based access control is not
    an alternative to discretionary or mandatory controls, but can
    implement either.)  This does not bode well.
    
    The introduction explains the CISSP (Certified Information Systems Security
    Professional) designation.  The text makes frequent references to the
    (ISC)^2 web site, but, since the recent site redesign, all these URLs are
    incorrect.  There is also a short self-assessment section, intended to help
    you determine whether or not you are prepared for the exam, but the vague
    and generic metrics suggested are unlikely to help determine your readiness.
    
    Chapter one's discussion of the exam, and techniques for writing the exam,
    does contain some useful recommendations (if you don't know, answer anyway),
    but other advice is problematic, and may be detrimental.  Access control, in
    chapter two, is the first of the ten domains of the Common Body of Knowledge
    (CBK) of the CISSP.  The material is presented as a list of key terms and
    phrases, and the presentation might be helpful to the exam candidate were it
    not for the extremely limited nature of the deliberation and frequent
    errors.  For some reason a significant amount of space is given to topics
    (like SYN floods) that do not belong in this domain.  There is a brief list
    of questions at the end of the chapter, with answers and discussion
    presented immediately afterward.  Unfortunately, these questions are so
    simplistic that they cannot be said to represent, in any way, the exam
    itself, and the wording is so careless that it is often impossible to say
    whether the answers given are, in fact, right or wrong.
    
    Chapter three provides an almost random assortment of topics related to
    telecommunications and networking.  (There is a modicum of structure in that
    subjects are grouped together, but there is no logical flow: IPsec is
    discussed before the base IP concepts are covered.)  There are many problems
    with the material: it is difficult to say whether the definition of a
    "circuit gateway" firewall means anything, let alone is right or wrong, and
    we are told that SSL (Secure Sockets Layer) is only used for host-to-host
    communications and resides in the session layer.  (The book contradicts
    itself: chapter six does note that SSL is used between client browser and
    web server.)  Again, many irrelevant topics are included while important
    areas are missed.  (PPP (Point-to-Point Protocol) is listed, PPTP
    (Point-to-Point Tunnelling Protocol) is not.)  Security management practices
    are not covered in chapter four: the vital areas of policies and risk
    analysis are given brief mention at the end of a meandering and incomplete
    list of management concerns.  Another haphazard catalog of terms takes the
    place of the applications development domain in chapter five.  (The
    definition of a virus is that of a trojan and the definition for a worm
    seems to fit payload.)  That the author is unfamiliar with basic concepts of
    cryptography is obvious when, in chapter six, "strong encryption" is defined
    as the use of a 128-bit key.  (In the discussion of triple DES (Data
    Encryption Standard), the "meet-in-the-middle" attack is obviously confused
    with "man-in-the-middle.")  Chapter seven's review of security architectures
    contains another arbitrary list of computer architecture topics.  There is
    some material that is security related, but in the discussion of the Bell-La
    Padula model, about the only reliable information is that it involves
    security levels.  Operations security is fairly straightforward, so chapter
    eight doesn't make any glaring errors.  (The content is, however, very
    terse.)  Much the same holds true for business continuity and disaster
    recovery in chapter nine.  Aside from an over-emphasis on US legislation,
    chapter ten does not do a really bad job with law, investigation, and
    ethics.  Chapter eleven collates some checklists related to physical
    security, but has numerous gaps in the discussion of the overall topic.
    
    About the best that can be said for this book is that most of the items in
    the common body of knowledge get a mention at some point.  Beyond that, the
    material is too scattered and unreliable to be used either to study for the
    CISSP exam (unless you want to play "spot the error"), or even as a quick
    guide for those charged with security.
    
    copyright Robert M. Slade, 2002   BKCISPEC.RVW   20020321
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
    
      [Perhaps Coriolis can Force you to pass the exam?  Quite a spin!  PGN]
    
    ------------------------------
    
    Date: Mon, 20 May 2002 10:43:19 -0700
    From: Alex Walker <alexat_private>
    Subject: 11th USENIX Security Symposium (excerpted for RISKS)
    
    11th USENIX Security Symposium
    August 5-9, 2002, San Francisco, California
    http://www.usenix.org/sec02
    
    Register online by July 10, 2002, and SAVE up to $400!
    
    KEYNOTE SPEAKER, Whitfield Diffie, Distinguished Engineer, Sun
      Microsystems speaking about "Information Security in the 21st Century"
    Simon D. Byers, ATT Labs - Research
    Professor Edward W. Felten, Princeton University.
    Paul Kocher, Cryptography Research, Inc.
    
    ------------------------------
    
    Date: 29 Mar 2002 (LAST-MODIFIED)
    From: RISKS-requestat_private
    Subject: Abridged info on RISKS (comp.risks)
    
     The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
     if possible and convenient for you.  Alternatively, via majordomo,
     send e-mail requests to <risks-requestat_private> with one-line body
       subscribe [OR unsubscribe]
     which requires your ANSWERing confirmation to majordomoat_private .
     If Majordomo balks when you send your accept, please forward to risks.
     [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
     this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
     Lower-case only in address may get around a confirmation match glitch.
       INFO     [for unabridged version of RISKS information]
     There seems to be an occasional glitch in the confirmation process, in which
     case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
       .MIL users should contact <risks-requestat_private> (Dennis Rears).
       .UK users should contact <Lindsay.Marshallat_private>.
    => The INFO file (submissions, default disclaimers, archive sites,
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues.  *** All
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risksat_private with meaningful SUBJECT: line.
    => ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
       [volume-summary issues are in risks-*.00]
       [back volumes have their own subdirectories, e.g., "cd 21" for volume 21]
     http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
       Lindsay Marshall has also added to the Newcastle catless site a
       palmtop version of the most recent RISKS issue and a WAP version that
       works for many but not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing,
        http://www.csl.sri.com/illustrative.pdf or .ps for printing
    
    ------------------------------
    
    End of RISKS-FORUM Digest 22.08
    ************************
    



    This archive was generated by hypermail 2b30 : Wed May 22 2002 - 12:56:58 PDT