[risks] Risks Digest 22.29

From: RISKS List Owner (riskoat_private)
Date: Wed Oct 09 2002 - 13:00:31 PDT

    RISKS-LIST: Risks-Forum Digest  Wednesday 9 October 2002  Volume 22 : Issue 29
    
       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
    
    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/22.29.html>
    and by anonymous ftp at ftp.sri.com, cd risks .
    
      Contents:
    Police close fake online bank (Dave Stringer-Calvert)
    Risks of automatic Windows updates, and HIPAA legality (Allan Engelhardt)
    Weak encryption kills wolves (Urban Fredriksson)
    Microsoft says 1% of bugs cause half of all software errors (Henry Baker)
    BugBear steals lead from klez in virus prevalence (Security Wire Digest)
    No-fly blacklist snares political activists (Tim Meehan)
    Phone system could have your number (Mark White via Dave Farber)
    Prediction: e-mail will become double-trouble in 3 years (NewsScan)
    Gender: Unknown -- the risks of perception (Chris Leeson)
    Re: Too fast fingers, or bad shortcut design? (Greg Searle)
    Re: Address change blocked by online entry validation (Chris Smith)
    Re: Butterfly ballots and other election stuff (David Olsen, Leonard Erickson)
    REVIEW: "Information Security Management", Gurpreet Dhillon (Rob Slade)
    2003 IEEE Symposium on Security and Privacy, Call for Papers (Steve Bellovin)
    Abridged info on RISKS (comp.risks)
    
    ----------------------------------------------------------------------
    
    Date: Tue, 08 Oct 2002 19:32:13 -0700
    From: Dave Stringer-Calvert <dave_scat_private>
    Subject: Police close fake online bank
    
    British police on Tuesday said they uncovered a fake Internet bank used to
    con at least two people out of nearly $100,000. The National Criminal
    Intelligence Service (NCIS) said the Web site had been set up using a domain
    name very similar to that of "a major British bank" and appeared almost
    identical. "It looks very professional," said a spokesman, declining to name
    the bank involved because the investigation is still ongoing. "There's also
    a reputation issue to think of and the issue of trust online."
    
    http://zdnet.com.com/2110-1106-959644.html
    http://news.bbc.co.uk/2/hi/technology/2308887.stm
    
    ------------------------------
    
    Date: Mon, 07 Oct 2002 19:55:09 +0100
    From: Allan Engelhardt <allaneat_private>
    Subject: Risks of automatic Windows updates, and HIPAA legality
    
    A recent article in InfoWorld discusses Microsoft Windows Service Packs in the 
    context of health care providers.
      http://www.infoworld.com/articles/op/xml/02/09/16/020916opwinman.xml
    
    Apparently, the latest Service Packs for the popular Microsoft Windows 2000
    and XP operating systems contain new licence language that allows Microsoft
    to install new updates on your machine at will and without notifying you.
    
    The RISKS of having your computer systems changing of their own accord
    should be obvious.  As the article points out, this "upsets many companies
    whose PCs can't be allowed to morph at will".  Indeed.
    
    The article quotes a systems manager at a teaching hospital:
    
      "Our procedures sometimes involve surgery to place over 100 recording
      electrodes in the patient, sometimes on the surface of the brain.  These
      PC-based systems use Microsoft Windows..."
    
    Having a Windows application controlling the voltage to 100 pins surgically
    embedded in your brain is scary enough, but what happens if it updates to
    the latest Service Pack and that causes the systems to fail?  While the pins
    are in your brain...
    
    The article makes the further point that, from 14 Apr 2003, it may be
    illegal under the Health Insurance Portability and Accountability Act
    (HIPAA) to install Windows Service Packs.  In a strange twist, it may also
    be illegal _not_ to install the Service Packs...
    
    See http://www.hipaadvisory.com/regs/HIPAAprimer1.html for more information
    on the HIPAA.
    
    The article concludes:
    
      "It's not just hospitals but every user of Windows who should be
      wondering.  You'd think Microsoft would understand that customers don't
      want their mission-critical systems changing in the dead of night. This
      isn't brain surgery."
    
    Allan Engelhardt  http://cybaea.com/
    
    ------------------------------
    
    Date: Mon, 07 Oct 2002 18:02:51 +0200
    From: Urban Fredriksson <griffonat_private>
    Subject: Weak encryption kills wolves
    
    Well, of course it's really hunters who do it, but there are strong
    indications they've been helped by weak encryption. In 1998 40 Swedish
    wolves, out of about 100, were fitted with transponders in order to track
    their movements to learn more about how wolves reestablish a presence. Of
    them, 20 are still alive, 11 have been found dead with working transponders,
    one has been found dead as a result of illegal hunting without transponder
    and eight (four this summer) have disappeared. That that many transponders
    have failed is considered very unlikely. Current plans are to quickly
    replace the transponders with something "not everyone can triangulate". It's
    not clear from the article in Dagens Nyheter what sort of encryption is used
    now, but it's clear from the context transmissions have to be coded and that
    one was aware from the beginning wolf-haters would like to take advantage of
    the tracking equipment.
    
    ------------------------------
    
    Date: Thu, 03 Oct 2002 12:05:00 -0700
    From: Henry Baker <hbaker1at_private>
    Subject: Microsoft says 1% of bugs cause half of all software errors
    
    I was shocked, shocked, to hear this stunning statistic!
    I was also shocked, shocked, to hear that pi was irrational, that
    the world was round, and that the Beatles had split up.
    
    Microsoft says 1 percent of bugs cause half of all software errors
    Reuters, 2 Oct 2002
    
    One percent of the bugs in Microsoft Corp.'s software cause half of all
    reported errors with 20 percent of bugs responsible for 80 percent of the
    mistakes, Chief Executive Steve Ballmer said on 2 Oct 2002.  Microsoft has
    been criticised for unstable and unwieldy software -- which runs on more
    than 90 percent of personal computers.  "Let's acknowledge a sad truth about
    software: any code of significant scope and power will have bugs in it,"
    Ballmer told customers in a memo similar to one by Chairman Bill Gates this
    year renewing Microsoft's commitment to trustworthy computing.
    
    But Ballmer said Microsoft was arming itself with better information to help
    develop its software, by building error reporting features into its
    products.  Engineers use the reports, sent in a short burst over the
    Internet, to track software bugs and provide a fix, he said.  "We've been
    amazed by the patterns revealed in the error reports that customers are
    sending us.  About 20 percent of the bugs cause 80 percent of all errors,
    and -- this is stunning to me -- one percent of bugs cause half of all
    errors."
    
    While reassuring users the information was used for no other purpose than to
    fix bugs, Ballmer said such information was shared with other makers of
    software and hardware to try to improve Microsoft's products.  He said
    Microsoft would work to better the system.  "As we understand more errors,
    we're adding an option for customers to go to a Web site where they can
    learn more about and even fix the errors they report.  In the future we want
    to enable customers to look up the history of their error reports and our
    efforts to resolve them."
    
      http://biz.yahoo.com/rc/021002/tech_microsoft_ballmer_1.html
    
    ------------------------------
    
    Date: Thu, 03 Oct 2002 01:00:00 -0500
    From: Security_Wire_Digestat_private
    Subject: BugBear steals lead from klez in virus prevalence
    
    By Shawna McAlearney, SECURITY WIRE DIGEST, 4, 74, OCTOBER 3, 2002 [excerpt]
    
    First found circulating in the wild last Sunday, the W32.BugBear worm has
    raced to the top of virus prevalence lists, displacing Klez for the first
    time since its discovery last April.
    
    "BugBear is increasing steadily in volume and spreading like Klez, which
    became the biggest virus ever," says Alex Shipp, senior antivirus
    technologist at MessageLabs. "Each day, we're seeing more of BugBear all
    around the world--at least 1,000 copies an hour. It could very well grow to
    become as big a problem as Klez has been and has gotten firmly entrenched in
    the home user population."
    
    Similarities to Klez include the use of inconsistent body text, attachment
    names and subject lines, as well as forged e-mail addresses.
    
    BugBear exploits an unpatched Microsoft vulnerability. After infection, the
    worm copies itself into the Windows system directory and start-up folder as
    an executable file with a random three-letter name. It installs a Trojan
    keystroke logger and attempts to disable antivirus and firewall
    software. BugBear also attempts to infect other networked PCs via the
    address book and network shares.
    
    "BugBear is another example of a worm written with instructions to kill an
    extremely long list of security apps," says Steven Sundermeier, product
    manager at Central Command. "The idea of terminating various AV and personal
    firewall applications is becoming increasingly popular among virus authors."
    
    On the brighter side, Shipp says the BugBear worm could have been much
    worse.
    
    "We haven't found any remote control facilities yet, which makes the virus
    less dangerous than it could be otherwise," Shipp says. "Our analysis isn't
    complete yet so we can't say for certain that it doesn't have that
    capability, but it appears unlikely."
    
    Antivirus experts recommend updating AV signatures; blocking all Windows
    programs at the e-mail gateway, if possible; and deploying updated
    versions of Outlook, Explorer and Outlook Express.
      http://www.messagelabs.com/viruseye/report.asp?id=110
      http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
    
    To SUBSCRIBE to Security Wire Digest, go to:
    http://infosecuritymag.bellevue.com
    
    ------------------------------
    
    Date: Tue, 1 Oct 2002 12:40:42 -0400
    From: "Tim Meehan - OCSARC" <timat_private>
    Subject: No-fly blacklist snares political activists
     
    http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2002/09/27/MN181034.DTL
    
    A federal "No Fly" list, intended to keep terrorists from boarding planes,
    is snaring peace activists at San Francisco International and other U.S.
    airports, triggering complaints that civil liberties are being trampled.
    [...]  Critics question whether Sister Virgine Lawinger, a 74-year-old
    Catholic nun, is the kind of "air pirate" lawmakers had in mind when they
    passed the law.  Lawinger, one of the Wisconsin activists stopped at the
    Milwaukee airport on April 19, said she didn't get upset when two sheriff's
    deputies escorted her for questioning.  [Source: Alan Gathright, *San
    Francisco Chronicle*, 27 Sep 2002]
    
    Tim Meehan, Communications Director
    Ontario Consumers for Safe Access to Recreational Cannabis  Web: ocsarc.org
    
    ------------------------------
    
    Date: Tue, 8 Oct 2002 9:08:44 PDT
    From: "Peter G. Neumann" <neumannat_private>
    Subject: Phone system could have your number (Mark White via Dave Farber's IP)
    
    From: Mark White <tausyankeeat_private>
    
    Phone system could have your number
    Kate Mackenzie, *The Australian*, 7 Oct 2002
    
    A single telephone number doubling as an e-mail address could soon be
    available in Australia despite fears the technology could become a de facto
    identification number.  Under the ENUM system being analysed by the
    Australian Communications Authority, one number could track down a person
    via a home or mobile phone number, or an e-mail or website address.  The
    technology has attracted controversy overseas because of privacy
    implications of people being identified by a single number.
    
    The ACA wants feedback on a discussion paper it has issued, saying privacy
    is one of its concerns.  But ACA numbering manager Neil Whitehead said
    potential benefits of the system could be enormous.  "People would only need
    to remember one number to contact other people in a variety of devices," he
    said.  Equipment manufacturers and Internet service providers were keen to
    pursue the technology.
    
    Telstra proposed a single-number service in 1997 and offered numbers
    beginning with 0500 that could redirect to any number. Called Telepath, the
    service, which cost $7 a month, failed to attract many subscribers.  ENUM
    would have to be deployed across all telecommunications and Internet
    providers to be effective.
    
    IP Archives at: http://www.interesting-people.org/archives/interesting-people/
    
    ------------------------------
    
    Date: Mon, 30 Sep 2002 08:36:11 -0700
    From: "NewsScan" <newsscanat_private>
    Subject: Prediction: e-mail will become double-trouble in 3 years
    
    IDC, the technology research firm, is predicting that within just three
    years, the number of e-mail messages sent worldwide will increase from the
    current level of 31 billion daily to more than 60 billion daily. Most of it
    will be spam (unsolicited commercial messages), and if the problem of spam
    is not dealt with by more effective message-filtering, the usefulness of
    e-mail as an effective business and personal communications tool will be
    endangered. IDC executive Mark Levitt says, "Like water flowing out of a
    hose, e-mail has the potential to fill our inboxes and workdays,
    overwhelming our abilities to navigate through the growing currents of
    content." [VNUNet 30 Sep 2002; NewsScan Daily, 30 September 2002]
      http://www.vnunet.com/News/1135485
    
    ------------------------------
    
    Date: Wed, 2 Oct 2002 16:53:00 +0100 
    From: "LEESON, Chris" <CHRIS.LEESONat_private>
    Subject: Gender: Unknown -- the risks of perception
    
    An interesting juxtaposition of "Design" and "User Perception".
    
    I had to visit one of our local hospitals. I went to Reception and
    identified myself to the receptionist. She asked if I had filled in the
    Questionnaire (in effect, the Personal Details form) and I hadn't.
    
    She brought out her copy of the form, which had been partially filled in by
    the administrator who made the original appointment.
    
    It started with the following information:
    
    Name: Andrew Leeson   [Andrew being my first name]
    Gender: Unknown
    
    Our reactions to this little piece of data were quite different:
    
    Her reaction was to mutter darkly about the administrator who could not tell
    that "Andrew" was clearly "Male".
    
    My reaction was that:
    
     (a) The database designer had understood that it was possible for the
         gender to be unknown (at least at the time the appointment was set up),
         and chosen suitable values for the field: male, female and (default)
         unknown.
     (b) In the absence of supplied information, the administrator had not
         assumed that any one name implied a specific gender.
    
    So, the system was designed correctly, the administrator used it correctly,
    but the receptionist interpreted it as "bad" because the result was not what
    she thought of as reasonable.
    
    The actual event - wrong gender data - is not much of a risk.  The
    difference in perception could be.
    
    ------------------------------
    
    Date: Wed, 09 Oct 2002 12:14:35 -0400
    From: Greg Searle
    Subject: Re: Too fast fingers, or bad shortcut design? (Huuskonen, R-22.28)
    
    Note also that the shortcut for inserting a "hard return" in a formatted
    e-mail is Shift-Enter.  This is sometimes necessary for, say, creating a
    multiple-line item in a bulleted list.  You can easily send your
    partially-complete e-mail instead of inserting a hard return just by
    accidentally misplacing one finger a little lower on the keyboard.
    
    Send any responses to greg_searle(at)hotmail(dot)com.
    
    ------------------------------
    
    Date: Wed, 9 Oct 2002 11:27:45 -0400 (EDT)
    From: "Chris Smith" <smithat_private>
    Subject: Re: Address change blocked by online entry validation (White, R-22.28)
    
    Hopefully those mailing databases are configured to catch transcription
    errors for Canadian postal codes. In all of the above examples,
    transcription errors would likely result in the erroneous code failing the
    standard test of ANA NAN (letter-number-letter number-letter-number) that
    covers all Canadian postal codes. Further reduction in undetected
    transcription errors is achieved by disallowing certain letters: Q U O I D F
    are not permitted in Canadian postal codes. I suspect that Q O D are just
    too similar to sort out, U is too much like V, F confuses the issue with E,
    and a plain I (straight vertical stroke) is easily confused with parts of
    letters like T and L. Some of these may be driven by the requirement to
    determine postal codes on mail by scanning and recognizing handwritten
    codes.
    
    It's important to know what RISK-reducing features are available - and then
    take advantage of them. Better yet would be a snippet of javascript to check
    the postal codes before the WWW address form is even submitted.
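
The check the post asks for, as an added example that is not part of the original message: it implements only the two rules stated above (the ANA NAN shape and the exclusion of D, F, I, O, Q and U) and reports which rule an entry breaks. The sample codes are constructed, and the form and field ids are hypothetical.

```javascript
// Added example, not from the original post. Rules as stated in the post:
//   1. shape ANA NAN (letter-number-letter number-letter-number)
//   2. the letters D, F, I, O, Q and U never appear
const DISALLOWED = new Set(["D", "F", "I", "O", "Q", "U"]);
const SHAPE = "ANANAN"; // A = letter expected, N = digit expected

// Trim, uppercase, and drop a single space or hyphen between the two halves.
function normalize(raw) {
  const s = String(raw).trim().toUpperCase();
  const hasSeparator = s.length === 7 && (s[3] === " " || s[3] === "-");
  return hasSeparator ? s.slice(0, 3) + s.slice(4) : s;
}

// Returns { ok: true, canonical } or { ok: false, reason, position?, detail }.
function checkPostalCode(raw) {
  const code = normalize(raw);
  if (code.length !== SHAPE.length) {
    return { ok: false, reason: "length",
             detail: `expected 6 characters, got ${code.length}` };
  }
  for (let i = 0; i < SHAPE.length; i++) {
    const ch = code[i];
    const position = i + 1;
    if (SHAPE[i] === "N") {
      if (!/[0-9]/.test(ch)) {
        return { ok: false, reason: "pattern", position,
                 detail: `position ${position}: expected a digit, got "${ch}"` };
      }
    } else if (!/[A-Z]/.test(ch)) {
      return { ok: false, reason: "pattern", position,
               detail: `position ${position}: expected a letter, got "${ch}"` };
    } else if (DISALLOWED.has(ch)) {
      return { ok: false, reason: "disallowed-letter", position,
               detail: `position ${position}: "${ch}" is never used` };
    }
  }
  return { ok: true, canonical: `${code.slice(0, 3)} ${code.slice(3)}` };
}

// Run a batch of entries and return only the rejected ones with the reason.
function screen(entries) {
  return entries
    .map((input) => ({ input, ...checkPostalCode(input) }))
    .filter((result) => !result.ok);
}

// Constructed sample entries: two well-formed, five with typical slips.
const SAMPLES = [
  "K1A 0B1", // well-formed
  "k1a-0b1", // well-formed after normalization
  "K1A OB1", // letter O typed for zero
  "KIA 0B1", // letter I typed for one
  "Q1A 0B1", // right shape, but Q is excluded
  "1KA 0B1", // first two characters transposed
  "K1A0B",   // last character dropped
];

// Browser wiring; "address-form" and "postal-code" are hypothetical ids.
// Skipped when the file is run outside a browser.
if (typeof document !== "undefined") {
  const form = document.getElementById("address-form");
  const field = document.getElementById("postal-code");
  if (form && field) {
    form.addEventListener("submit", (ev) => {
      const result = checkPostalCode(field.value);
      if (result.ok) {
        field.value = result.canonical;
        return;
      }
      ev.preventDefault(); // keep the form from being submitted
      field.setCustomValidity(result.detail);
      field.reportValidity();
    });
    field.addEventListener("input", () => field.setCustomValidity(""));
  } 
} else {
  for (const r of screen(SAMPLES)) console.log(r.input, "->", r.detail);
}
```

A browser-side check only catches honest typing slips early; the same function should run again on the server, since a request need not come through the form.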
    
    ------------------------------
    
    Date: Tue, 08 Oct 2002 16:50:57 -0700
    From: David Olsen <olsenat_private>
    Subject: Re: Butterfly ballots and other election stuff (Russell, RISKS-22.28)
    
    The messages about elections in Britain and Germany where the ballots are
    counted by hand seem to indicate (though it wasn't entirely clear) that each
    ballot contains only one or two races.  I agree that in this case hand
    counting is quite feasible.  But in the United States, that assumption does
    not hold.
    
    As a resident of Portland, Oregon, I get to vote for all of the following
    elected positions: US president, US senator, US representative, state
    governor, state senator, state representative, secretary of state, state
    attorney general, state treasurer, state labor commissioner, state
    superintendent of schools, state supreme court judges, state appeals court
    judges, state circuit court judges, regional government commissioners,
    county commissioners, county sheriff, city mayor, city council members,
    school board members, and the water & soil conservation district directors.
    Not all of these positions are up for election at the same time, but in the
    general election in even numbered years a majority of them are.  In addition
    to candidates, I also get to vote for or against any changes to the city
    charter or state constitution, any property tax levies, any laws referred to
    the voters by the state legislature (usually to avoid the governor's veto),
    and any initiatives that citizens have put on the ballot by submitting
    enough signatures.
    
    In the November 2000 general election I had about 45 things to vote for on
    my ballot.  When all the various cities, special districts, and state
    legislature districts are factored in, the county elections board had a
    total of 117 different races for which it had to count votes in that
    election.
    
    I am by no means an election expert, but here are my opinions anyway: It
    seems to me that counting every one of those races by hand would be much
    slower, more tedious, and more error prone than counting them by machine.  I
    think the best way to cast and count votes is to have the voter fill in
    ovals on a piece of paper, have an optical scanner read the ballots and
    count the votes, and have any recounts done by hand.  That seems to provide
    the best combination of ease and accuracy of voting, quick counting of
    results, and verifiability of results when disputes arise.
    
    David Olsen <olsenat_private>
    
      [The alternative that makes a single-issue piece of paper possible is that
      you vote for your delegated representative, and everything else follows
      therefrom.  You are describing the other extreme.  PGN]
    
    ------------------------------
    
    Date: Tue, 8 Oct 2002 18:43:59 -0800
    From: shadowat_private (Leonard Erickson)
    Subject: Re: Butterfly ballots (Russell, RISKS-22.28)
    
    Well, as an example, here in Oregon, we can vote by *mail* in most
    elections. But the votes cannot legally be counted until 8 pm on election
    day. You can vote as late as that by dropping off the ballot at a collection
    site!
    
    That means *millions* of votes have to be counted in a few hours.
    
    > Why keep paper ballots unless you have trained and experienced humans
    > in place to count them?  And if you have that, why not just get the
    > humans to count the papers in the first place?
    
    Time. We can't *afford* that many people, nor do we have that many
    trained volunteers available. So if it *does* come down to a manual
    count, it'll require recruiting and training a *lot* of people.
    
    > I'd have to check the Guinness Book of Records for this, but I think
    > the record number of counts in a British General Election is
    > something like 7, and it took about 20 hours from when the polls
    > closed.  A far cry from Florida in 2000, where it wasn't possible to
    > count every vote even once in several months.
    
    Much of this was due to court fights. And the fact that the (poorly
    designed) ballots were hard to make out the vote on. They had to stop the
    count several times, and then restart it. Often with changes in the rules as
    to what constituted a "valid" vote ("hanging chad", "dimpled chad", etc)
    
    Also, look up the population of Florida and compare it with the
    population of Britain.
    
    [More on multiple races and issues...]  My "ballot" for one election a while
    back was both sides of *six* sheets of paper. With something like six
    "columns" of things to vote on.
    
    Our ballots are the type where you use a pencil to fill in an oval. The
    technology for scanning those is something like 40 years old. It's
    pretty mature and reliable. 
    
    And I'm told that any questionable ballots get kicked out to be looked
    at by a human. 
    
    Even so, it only takes a few hours to run the ballots for a major
    election in the Portland Metro area.
    
    It's not perfect. But I think it's a pretty good compromise between
    speed, usability and security.
    
    Leonard Erickson (aka shadow{G})   shadowat_private
    
      [Further comment on long US ballots from Andrew Sapuntzakis.  PGN]
    
    ------------------------------
    
    Date: Fri, 13 Sep 2002 12:48:08 -0800
    From: Rob Slade <rsladeat_private>
    Subject: REVIEW: "Information Security Management", Gurpreet Dhillon
    
    BKINSCMN.RVW   20020628
    
    "Information Security Management", Gurpreet Dhillon, 2001,
    1-878289-78-0, U$69.95
    %A   Gurpreet Dhillon
    %C   1331 E. Chocolate Ave., Hershey PA   17033-1117
    %D   2001
    %G   1-878289-78-0
    %I   Idea Group Publishing
    %O   U$69.95 800-345-4332 fax: 717-533-8661 cust@idea-group.com
    %P   184 p.
    %T   "Information Security Management: Global Challenges in the New 
          Millennium"
    
    This is a collection of essays by different authors.  The preface,
    however, states that the intention was to bring together diverse views
    and yet to "build an argument."  What the argument, or central thesis,
    of the work is, has not been stated.
    
    Chapter one is supposed to set forth the new challenges to information
    security, but ends up telling us, at great length, that "the times
    they are a-changin."  (Extracting further information from the
    academic-speak is not made any easier by the many grammatical oddities
    and awkward constructions.)  Policy is central to security, and so it
    is no surprise to see it as the topic of chapter two.  What is
    astounding is the fact that so much is wrong with this paper that it
    is hard to know where to start.  Everything seems to be backwards.  It
    is stated that an audit should be done as the prelude to policy
    development, but how can you conduct an audit with no policy to measure
    compliance against?  Again, the essay says that the procedures in
    place will form the policy, whereas it should be the policy that
    guides development of procedures.  A simplistic discussion of ethics
    makes up chapter three.  There really isn't any analysis: after a few
    facile presentations of both sides of a variety of issues the author
    just asserts that X is or is not moral.  Chapter four is supposed to
    argue that ethical policies build trust and trust promotes e-commerce,
    but instead actually just lists a number of random security topics.  A
    look at "cyber terrorism," in chapter five, seems to consist only of
    listing Web sites for known terrorist organizations.  Prescription
    fraud is never rigorously defined, so it is hard to say whether the
    technical measures proposed in chapter six are relevant or not. 
    Chapter seven tells us (surprise, surprise) that disaster recovery
    planning is often done inadequately, or left undone.  A discussion of
    development models, in chapter eight, seems to be so abstract that it
    is of no digital use.  Internet and e-business security touches on
    some miscellaneous subjects in chapter nine.  The author obviously
    thinks Compliance Monitoring for Anomaly Detection (CMAD, with some
    kind of trademark symbol appended to it) is vitally important, but
    chapter ten's explanation seems to just describe another type of
    statistical change measurement.  Chapter eleven vaguely discusses some
    of the security issues involved with the use of agent or mobile
    software.  The final chapter lists some "motherhood" security
    principles.
    
    One of the interesting, and disturbing, aspects of the book is that
    each paper is accompanied by a bibliography of sources, but almost
    none of the standard security reference works in the various fields
    addressed are cited.  How can you discuss, for example, computer
    ethics without having read Deborah Johnson's (cf. BKCMPETH.RVW) works?
    
    Compilation works tend to be hard to pin down, and to vary in quality
    and usefulness.  This work has a remarkable consistency, in that the
    items included are all vague, uninteresting to the professional, and
    unhelpful to the practitioner.
    
    copyright Robert M. Slade, 2002   BKINSCMN.RVW   20020628
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
    
    ------------------------------
    
    Date: Tue, 08 Oct 2002 01:33:22 -0400
    From: Steve Bellovin <smbat_private>
    Subject: 2003 IEEE Symposium on Security and Privacy, Call for Papers
    
    2003 IEEE Symposium on Security and Privacy
    11-14 May 2003, The Claremont Resort, Oakland, California, USA
      sponsored by
    IEEE Computer Society Technical Committee on Security and Privacy
      in cooperation with
    The International Association for Cryptologic Research (IACR)
    
    Paper submissions due:   6 Nov 2002
    Panel proposals due:     6 Nov 2002
    5-minute abstracts due: 17 Mar 2003
    For submission guidelines see
      http://www.research.att.com/~smb/oakland03-cfp.html
    For questions, please contact the program chairs, at
    oakland-chairs03at_private
    
    Symposium Committee:
    General Chair: Bob Blakley (IBM Software Group - Tivoli Systems, USA) 
      (bblakleyat_private)
    Vice Chair: Lee Badger (Network Associates Labs, USA)
    Program Co-Chairs: Steven M. Bellovin (AT&T Research, USA)
    David A. Wagner (University of California at Berkeley, USA)
    
    Steve Bellovin, http://www.research.att.com/~smb
    
      [This has been probably the most important research conference
      on security and privacy for over two decades.  PGN]
    
    ------------------------------
    
    Date: 29 Mar 2002 (LAST-MODIFIED)
    From: RISKS-requestat_private
    Subject: Abridged info on RISKS (comp.risks)
    
     The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
     if possible and convenient for you.  Alternatively, via majordomo,
     send e-mail requests to <risks-requestat_private> with one-line body
       subscribe [OR unsubscribe]
     which requires your ANSWERing confirmation to majordomoat_private .
     If Majordomo balks when you send your accept, please forward to risks.
     [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
     this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
     Lower-case only in address may get around a confirmation match glitch.
       INFO     [for unabridged version of RISKS information]
     There seems to be an occasional glitch in the confirmation process, in which
     case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
       .MIL users should contact <risks-requestat_private> (Dennis Rears).
       .UK users should contact <Lindsay.Marshallat_private>.
    => The INFO file (submissions, default disclaimers, archive sites,
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues.  *** All
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risksat_private with meaningful SUBJECT: line.
    => ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
       [volume-summary issues are in risks-*.00]
       [back volumes have their own subdirectories, e.g., "cd 21" for volume 21]
     http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
       Lindsay Marshall has also added to the Newcastle catless site a
       palmtop version of the most recent RISKS issue and a WAP version that
       works for many but not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing,
        http://www.csl.sri.com/illustrative.pdf or .ps for printing
    
    ------------------------------
    
    End of RISKS-FORUM Digest 22.29
    ************************
    



    This archive was generated by hypermail 2b30 : Wed Oct 09 2002 - 14:04:40 PDT