[risks] Risks Digest 22.72

From: RISKS List Owner (riskoat_private)
Date: Sat May 10 2003 - 17:17:39 PDT


    RISKS-LIST: Risks-Forum Digest  Saturday 10 May 2003  Volume 22 : Issue 72
    
       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
    
    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at
      http://catless.ncl.ac.uk/Risks/22.72.html
    and by anonymous ftp at ftp.sri.com, cd risks .
    
      Contents:
    Software bug sent Soyuz off course (Tom Van Vleck)
    Microsoft admits Passport was vulnerable (Monty Solomon)
    E-mail hoax at University of Maryland (Paul Kafasis)
    Pair held in plot to steal thousands of identities (Monty Solomon)
    "Jeff Jackboot" -- more spelling-checker follies? (Daniel P. B. Smith)
    Misquoting Google (Monty Solomon)
    T-Mobile Hotspot uses SSN for passphrase (Conrad Heiney)
    Making it harder for prying eyes (Monty Solomon)
    Re: Friendly Fire (Matt Jaffe)
    Re: Patriots and Friendly Fire (Peter B. Ladkin)
    Re: OpenBSD release protects against buffer-overflow attacks (Jeremy Ardley)
    Re: Pilots fail exams (Don Lindsay, Vince Mulhollon, Toby Gottfried)
    Abridged info on RISKS (comp.risks)
    
    ----------------------------------------------------------------------
    
    Date: Mon, 5 May 2003 19:42:58 -0400
    From: Tom Van Vleck <thvvat_private>
    Subject: Software bug sent Soyuz off course
    
    "A mysterious software fault in the new guidance computer of the Soyuz TMA-1
    spacecraft was the cause of the high-anxiety off-course landing over the
    weekend, NASA sources tell MSNBC.com.  ONCE IDENTIFIED, the error should be
    easy to fix in the computer of the Soyuz TMA-2, which is now attached to the
    International Space Station to provide the new two-man crew with a way to
    return to Earth..."  [Source: James Oberg, NBC News Space Analyst, 5 May
    2003] 
      http://www.msnbc.com/news/909677.asp
    
      [I like that "should."  THVV]
        [Also noted by James Paul and Nancy Leveson.  PGN]
    
      [The autopilot suddenly reported it had ``forgotten where it was and which
      way it was headed'' -- whereupon it switched to backup.  The result was a
      twice-as-rapid deceleration and premature landing.  PGN]
     
    ------------------------------
    
    Date: Fri, 9 May 2003 01:42:20 -0400
    From: Monty Solomon <montyat_private>
    Subject: Microsoft admits Passport was vulnerable
    
    Muhammed Faisal Rauf Danka, a computer researcher in Pakistan, discovered
    how to breach Microsoft Corp.'s security procedures for its popular Internet
    Passport service, designed to protect customers visiting some retail Web
    sites, sending e-mails and in some cases making credit-card purchases.
    
    Microsoft acknowledged the flaw affected all its 200 million Passport
    accounts but said it fixed the problem early Thursday, after details were
    published on the Internet.  Product Manager Adam Sohn said the company was
    unaware of hackers actually hijacking anyone's Passport account, but several
    experts said they successfully tested the procedure overnight.
    
    In theory, Microsoft could face a staggering fine by U.S. regulators of up
    to $2.2 trillion.  Under a settlement with the Federal Trade Commission last
    year over lapsed Passport security, Microsoft pledged to take reasonable
    safeguards to protect personal consumer information during the next two
    decades or risk fines up to $11,000 per violation.
    
    The FTC said it was investigating this latest lapse.  The agency's assistant
    director for financial practices, Jessica Rich, said Thursday that each
    vulnerable account could constitute a separate violation -- raising the
    maximum fine that could be assessed against Microsoft to $2.2 trillion.  ...
    [Source: Ted Bridis, Associated Press, 8 May 2003]
      http://apnews.excite.com/article/20030508/D7QTDPQ03.html
      http://finance.lycos.com/home/news/story.asp?story=34127595
    
    ------------------------------
    
    Date: Sun, 4 May 2003 13:28:07 -0400
    From: "Paul Kafasis" <paulat_private>
    Subject: E-mail hoax at University of Maryland
    
    It appears that a gaping security hole at the University of Maryland led
    to an unexpected "canceling" of classes for Friday, April 11th. One or
    more students sent an e-mail to an address on campus which sent out to
    3500 students and had no protection on it. From speaking to students at
    the school, it appears that they were signed up for an e-mail list without
    their knowledge, a list which accepted submissions from anywhere.
    Thursday night (4/10), they began receiving confusing e-mails from each
    other, trying to unsubscribe from the list. Before the OIT department
    shut it down, a virus and a hoax e-mail canceling classes for the
    following day due to "budget cuts" had been sent out. 
    
    The culprits even went so far as to spoof the format of other letters sent
    out campus wide, as well as the headers and reply-to address. As their OIT
    spokeswoman said:
    
    "E-mail is one of the most easily forged or compromised mediums," she
    said. "Always verify anything that looks suspicious or strange."
    
    Of course, if the students are correct that this was an open list sending
    mail to 3500 people, they were just asking for trouble.
    
    http://www.inform.umd.edu/News/Diamondback/archives/2003/04/14/news2.html
    
    It looks like the culprits were making a Catch-22 reference to Colonel
    Cathcart, but no one at the school got it. I found that to be the
    funniest part of the article.
    
    ------------------------------
    
    Date: Mon, 5 May 2003 01:07:26 -0400
    From: Monty Solomon <montyat_private>
    Subject: Pair held in plot to steal thousands of identities
    
    Federal authorities have arrested an Irvington, New Jersey, man and woman
    who allegedly schemed to steal the identities of as many as 3,700 clients at
    one of the nation's largest mortgage companies.  FBI agents found credit
    reports, fake licenses, and recently purchased high-tech equipment.  Each
    bore the names of customers at Weichert Financial Services, the Morris
    Plains-based company that operates as a partner to Weichert Realtors.  One
    of the suspects has worked as an administrative assistant for the company
    since May 2001.  A federal complaint released yesterday said she and her
    roommate used a high-speed Internet connection from their home to access
    more than 500 credit reports of Weichert clients between 11 Jan and 7 Feb
    2003.  [Source: Article by John P. Martin, Feds charge Irvington couple used
    the Internet to illegally access credit reports from mortgage firm, *Newark
    Star-Ledger*, 2 May 2003; PGN-ed]
      http://www.nj.com/news/ledger/jersey/index.ssf?/base/news-3/1051857944181440.xml
    
    ------------------------------
    
    Date: Sat, 03 May 2003 20:10:18 -0400
    From: "Daniel P. B. Smith" <dpbsmithat_private>
    Subject: "Jeff Jackboot" -- more spelling-checker follies?
    
    Googling for news, I ran across an opinion piece in an Australian
    publication by someone styling himself "Jeff Jackboot."  This didn't sound
    like a real surname, and I assumed it to be some kind of curious nom de
    plume.
    
    The dictionary meanings of "jackboot" are "a stout military boot that
    extends above the knee," "a person who uses bullying tactics, especially to
    force compliance," and "the spirit sustaining and motivating a militaristic,
    highly aggressive, or totalitarian regime or system," and I wondered why
    this columnist would want readers to make such associations.
    
    On reading further, the piece seemed oddly familiar... and Jeff Jackboot was
    identified as "a columnist with *The Boston Globe*."
    
    I suddenly realized that this was, in fact, *Globe* columnist Jeff Jacoby. 
    
    The Age has not answered my e-mail inquiry about the error. I suspect this
    was probably a spelling-checker error, although my copy of Microsoft Word
    does not make this correction.
    
    http://www.theage.com.au/handheld/articles/2003/04/25/1050777406269.htm
    (or just do a Google search for "Jeff Jackboot")
    
    ------------------------------
    
    Date: Sun, 4 May 2003 11:45:08 -0400
    From: Monty Solomon <montyat_private>
    Subject: Misquoting Google
    
    Posted, May. 1, 2003
    Updated, May. 2, 2003
    
    Misquoting Google
    
    By Jonathan Dube
    MSNBC Sr Producer
    CyberJournalist.net Publisher
    
    Google has become such a part of our culture that writers often quote how
    frequently a name or phrase appears in a Google search as an indicator of
    popularity. Unfortunately, more often than not, the numbers published are
    completely wrong.
    
    Here are a few examples of Google hit counts being cited in publications
    within the past month. Before you read on, do a search for each of these
    yourself and see if you can figure out if they're in the ballpark or way
    off:
    
      A Google search for the phrase "Iraq war" returns 3.2 million hits. 
      -- *The Raleigh News & Observer*
    
      "The best defense is a good offense." That favorite saying of heavyweight
      champion Jack Dempsey gets a half-million hits on Google... -- *The New
      York Times*
    
      The phrase "geopolitical climate" is a favorite among market
      commentators. A Google search found 1,410 mentions of it. It makes me feel
      important to use it.  -- *The Motley Fool*
    
      A search on the Google search engine under "boycott American products"
      found 117,000 page hits. -- UPI
    
      Most people, when doing searches, fail to put their terms in quotes.
      Searching for Iraq War will give you more than 3 million pages, because
      Google is searching for any pages that have the words Iraq and War in
      them, in any order.  Searching for "Iraq War" will give you about 635,000,
      because Google is only looking for the exact phrase.
    
    Pulitzer-prize winner Bill Dedman, who runs PowerReporting.com and alerted
    me to The New York Times' goof listed above, points out another problem with
    not using quotes: Google ignores common words in most searches.
    
    http://www.poynter.org/column.asp?id=32&aid=32072
    
      [Ah, yes!  We have noted this problem here before.  PGN]
    
    ------------------------------
    
    Date: Thu, 8 May 2003 16:20:34 -0700
    From: "Conrad Heiney" <conradat_private>
    Subject: T-Mobile Hotspot uses SSN for passphrase
    
    I just signed up for T-Mobile Wireless' "Hot Spot" service, which provides
    wireless Internet access via Starbucks Coffee, Borders Books, and many other
    semi-public places in the U.S. As a current T-Mobile telephone subscriber I
    was given a good deal. I was also given a user name and a passphrase,
    neither one of which can be changed. The user name is my telephone number
    and the pass phrase is the last four digits of my social security number.
    
    The obvious RISK of using the phone number and SSN in this manner is
    pretty awful (identity theft, etc.) but what's also quite funny is that
    those are the two things you need to identify yourself to T-Mobile for
    any other purpose, too. Try again, guys.
    
    Conrad Heiney  conradat_private  http://fringehead.org
    
    ------------------------------
    
    Date: Mon, 05 May 2003 20:52:33 -0700
    From: Monty Solomon <montyat_private>
    Subject: Making it harder for prying eyes
    
    A bill in the California state legislature would protect the anonymity of
    Internet users by requiring Internet service providers to send customers
    copies of subpoenas seeking to learn their identities.  If passed,
    California's Internet Communications Protection Act would become the second
    state law requiring that consumers be alerted when an ISP is issued a
    subpoena to find out an anonymous Internet user's true identity. Virginia
    passed a similar statute last year.
    
    The debate over anonymous online speech has heated to a boil in recent
    years, with companies and individuals increasingly seeking to have ISPs and
    Web publishers subpoenaed to learn the names of online critics and people
    suspected of copyright violations. Yahoo alone expects to receive 600 civil
    subpoenas this year -- a 50 percent jump from 2002.
    
    Such requests seek a variety of personal information about Internet users,
    including full names, Social Security numbers, home addresses and pseudonyms
    they've used online.
    
    The California legislation would require ISPs to send copies of civil
    subpoenas to their customers by registered mail within 14 days of receiving
    them. If the customer decides to fight the request, he or she would have 30
    days to serve both the ISP and the issuing party with written copies of the
    objection.
    
    ISPs that fail to comply with the act could be sued by their customers.
    
    Source: Article by Julia Scheeres, New California law regarding anonymous
    customer information, 5 May 2003; wired.com
    
    http://www.wired.com/news/politics/0,1283,58720,00.html
    
    ------------------------------
    
    Date: Wed, 07 May 2003 06:54:25 -0700
    From: Matt Jaffe <jaffemat_private>
    Subject: Re: Friendly Fire (Vorbrueggen, Risks-22.71)
    
    Perhaps I can shed some additional light on the points Mr. Vorbrueggen
    makes.  This subject was touched on quite a while ago in RISKS-08.74, but I
    think more emphasis was placed there on the problems with the modes and
    codes than on this discussion of altitude.  Although related, the issues are
    different enough to perhaps warrant some additional discussion here.
    
    The first point to clarify here is that at the time of the Vincennes shoot
    down, Aegis almost certainly did not display vertical rate or vertical
    acceleration data to its operators.  (The original HMI design as of the
    EDM-3C PDR in the mid 1970's did not provide that data; of that I am
    certain.)  It displayed computed altitude only (not rate).  We debated that
    issue (adding a vertical rate [but not acceleration] indicator to some of
    the operational displays) quite heatedly during the design phase for the
    original Aegis human-machine interface.  It was no casual oversight that it
    was omitted.  The reason for the omission was essentially as Mr. Vorbrüggen
    notes: "These values, derived as they [would have to have been] from noisy
    measurements, [would have been] notoriously unreliable."
    
    Since the "rawer" (not by any means raw) initial altitude estimates were
    intrinsically noisy, a timely display of vertical rate would thus be
    intrinsically unstable ("It's climbing; no, it's descending; no, now it's
    climbing again; no, now it's descending ... .") and a more stable estimate
    requiring extensive filtering/damping would be too sluggish of response to
    be tactically useful.  ("Oh, Captain, you'll undoubtedly be pleased to know
    that the missile that hit us 30 seconds ago was dropped from an aircraft
    that we now know was descending, not level, when it launched.")
    
    With regard to Mr. Vorbrüggen's comment about error bars: In those
    prehistoric days, neither the main PPI nor the auxiliary data readout CRT
    had graphics, color coding, or font variation capabilities. (I think we were
    on the old AN/UYA-4/OJ-194 series at the beginning).  Had we decided (as,
    after extensive debate, we did not) to provide a vertical rate display, we
    surely then would have considered generalizing from the old Naval Tactical
    Data System 2-dimensional track quality indicator (that I believe we
    retained in 2-D form) to provide a quality indicator for vertical domain
    data; but there would have been little utility in so doing: At the ranges
    where the difficult tactical decisions got made, the altitude data (and
    hence even more so any derived vertical rate estimate) would always have
    been of the same unvaryingly poor quality.  Using scarce tactical display
    real estate to display such essentially constant information ("low quality
    vertical rate") would not seem good HMI design.
    
    Overall, after many years, I think the conclusions that I stated in
    RISKS-08.74 still stand (the interested reader is referred to the RISKS
    archives): Although the expression is overused these days, the fog of war is
    very real and there will always be intrinsic limitations on our ability to
    design systems (including their organizational and procedural aspects) to
    aid in penetrating it.  To put such systems into play in ambiguous
    environments is to risk catastrophe. But *that* of course, is a political
    decision, not a technical, organizational, or operational one.
    
    http://backoff.pr.erau.edu/jaffem
    
    ------------------------------
    
    Date: Tue, 06 May 2003 13:03:56 +0200
    From: "Peter B. Ladkin" <ladkinat_private-bielefeld.de>
    Subject: Re: Patriots and Friendly Fire
    
    Friendly Fire incidents during armed hostilities have been discussed
    in Risks-22.65 (Paul, PGN), -22.66 (Tyson), -22.67 (Eachus, Russ,
    Youngman), -22.68 (Ladkin, van Meter, Guaspari), -22.69 (Ladkin, Goodall),
    much of it concerning the statistics and the interpretation thereof.
    
    There were in total three friendly fire incidents in the 2003 Iraq War
    that we know about in which Patriot surface-to-air (SAM) missile systems
    are implicated. A UK Royal Air Force Tornado GR4 was shot down by a Patriot
    on 23 March [1]. On 24 March, a Patriot radar "locked on" to a USAF F-16CJ.
    The F-16 destroyed the Patriot battery with an anti-radiation (HARM)
    missile [1]. In a third incident, in which a US Navy F/A-18C was shot down
    by a SAM, US Central Command confirmed that a Patriot is suspected [2].
    
    The US Department of Defense's technology chief says that there is a
    requirement to look at new technology to help prevent friendly fire
    incidents [3].
    
    Concerning the varying statistics on friendly fire and their
    interpretation, Col. (ret.) Scott Snook, in his book referenced in
    my Risks-22.68 note, remarks that 24% (35 out of 148) of all U.S. combat
    fatalities in the first Gulf War were caused by friendly fire ([4], p11).
    The 24% figure was repeated by William Safire in his Language column in
    the International Herald Tribune of 5 May, 2003 [5]. This precision
    contrasts with the undefined 5% figure of the US Army FM 100-14 which I
    mentioned in my Risks-22.69 note.
    
    Safire mentions that "In Gulf War II, the rate of [friendly fire] battle
    deaths dropped to 8 per cent ...." [5]
    
    There are a number of different phrases used for combat damage caused by
    one's own side. Safire found a first use of "friendly fire" in an NYT
    article on April 3, 1944. He mentions that the term "fratricide", seemingly
    preferred by the military nowadays, "emerged in the press in the '80s." He
    notes that there has not yet been a sororicide [5]. It has been called
    "amicicide" (semantically a more appropriate phrase) by C.R. Shrader in the
    title of a 1982 book [6]. Flight International has used the phrase "blue on
    blue" [2,3]. In war games, Safire explains, "friendly" forces are known as
    "blues", and "enemy" forces as "reds".
    
    References
    
    [1] Accidents Take Their Toll, Flight International, 1-7 April 2003, p6.
    
    [2] Flight International, Patriot under fire for second error, 8-14 April
    2003, p10.
    
    [3] Flight International, Science could prevent friendly fire, 15-21 April
    2003, p8.
    
    [4] Scott A. Snook, Friendly Fire: The Accidental Shootdown of U.S. Black
    Hawks over Northern Iraq, Princeton University Press, 2000. Details at
    http://pup.princeton.edu/titles/6847.html
    
    [5] William Safire, Of severe/acute: Is the acronym SARS redundant?
    International Herald Tribune, 05 May 2003, available from
    http://www.iht.com/ihtsearch.php?id=95223&owner=(NYT)&date=20030505130338
    
    [6] C. R. Shrader, Amicicide: The Problem of Friendly Fire in Modern War,
    Fort Leavenworth, Kansas: U.S. Army Command and General Staff College
    Press, 1982.
    
    Peter B. Ladkin, University of Bielefeld, Germany 
    http://www.rvs.uni-bielefeld.de
    
    ------------------------------
    
    Date: Sun, 4 May 2003 14:30:51 +0800
    From: "Jeremy Ardley" <jeremyat_private>
    Subject: Re: OpenBSD release protects against buffer-overflow attacks (R 22-71)
    
    It is commendable that the FreeBSD group is protecting against buffer
    overflow attacks.
    
    What is not so apparent is why technology that was developed and operating
    over 30 years ago is just being re-invented in software.
    
    The Burroughs 6700 implemented a hardware solution to the problem by
    assigning 3 bits of every 51 bit memory location to the type of data
    contained.
    
    Memory that was tagged as data could not be executed. The result was that no
    stack overflow attack was possible.
    
    Today's Intel based fix appears to be a hack to work around a deficient
    architecture.  The question that arises is why the architecture of today
    ignores the solid groundwork of previous years?
    
      [Because mass-market operating systems don't use the protection that is
      available in today's hardware.  Note that Multics had a similar execute
      bit solution in 1965 that prevented execution of data.  Executable
      attachments are clearly an abomination.  PGN]
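
The tag check described in this item, as an added example that is not part of the original digest or of any Burroughs code: a toy C model of tagged memory in which an unchecked copy overruns a buffer onto a saved return word. The tag values, memory map, sample inputs and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model: the tag values, memory map and names are assumptions made for
 * this example, not the real B6700 encoding. A word is 48 data bits + 3 tag bits. */
enum tag { TAG_DATA = 0, TAG_RETURN = 1, TAG_CODE = 3 };
enum outcome { EXECUTED, TRAP_BAD_RETURN_WORD, TRAP_EXEC_OF_DATA };

typedef struct { uint64_t value; uint8_t tag; } word;

enum { MEM_WORDS = 16, CODE_BASE = 0, CODE_WORDS = 4, BUF_BASE = 8, BUF_WORDS = 4,
       RET_SLOT = BUF_BASE + BUF_WORDS };

typedef struct { word mem[MEM_WORDS]; int check_tags; } machine;

static void machine_init(machine *m, int check_tags) {
    for (int i = 0; i < MEM_WORDS; i++) m->mem[i] = (word){0, TAG_DATA};
    for (int i = 0; i < CODE_WORDS; i++)
        m->mem[CODE_BASE + i] = (word){0x1000u + (unsigned)i, TAG_CODE};
    m->mem[RET_SLOT] = (word){CODE_BASE + 1, TAG_RETURN};  /* legitimate return point */
    m->check_tags = check_tags;
}

/* Ordinary store: user code supplies only the 48 data bits; the hardware
 * stamps the tag, so a store can never manufacture a CODE or RETURN word. */
static void store(machine *m, int addr, uint64_t v) {
    if (addr < 0 || addr >= MEM_WORDS) return;  /* keep the simulator itself in bounds */
    m->mem[addr] = (word){v & 0xFFFFFFFFFFFFull, TAG_DATA};
}

/* The bug under study: copies n words into a BUF_WORDS buffer with no length check. */
static void copy_input(machine *m, const uint64_t *in, int n) {
    for (int i = 0; i < n; i++) store(m, BUF_BASE + i, in[i]);
}

/* Instruction fetch: with tags enabled, only CODE words may be executed. */
static enum outcome fetch_for_execute(const machine *m, int pc) {
    if (m->check_tags && m->mem[pc].tag != TAG_CODE) return TRAP_EXEC_OF_DATA;
    return EXECUTED;
}

/* Procedure return: validate the saved word's tag, then fetch at its target. */
static enum outcome do_return(const machine *m, int *pc) {
    word r = m->mem[RET_SLOT];
    if (m->check_tags && r.tag != TAG_RETURN) return TRAP_BAD_RETURN_WORD;
    *pc = (int)(r.value % MEM_WORDS);
    return fetch_for_execute(m, *pc);
}

/* Run one call: copy n input words, then return. *pc stays -1 if no fetch happened. */
static enum outcome run(int check_tags, const uint64_t *in, int n, int *pc) {
    machine m;
    machine_init(&m, check_tags);
    *pc = -1;
    copy_input(&m, in, n);
    return do_return(&m, pc);
}

/* Constructed inputs: 4 words fit; a 5th lands on RET_SLOT and points at the buffer. */
static const uint64_t FITS[4]     = {1, 2, 3, 4};
static const uint64_t OVERRUNS[5] = {1, 2, 3, 4, BUF_BASE};

int main(void) {
    static const char *names[] = {"executed", "trap: return word has wrong tag",
                                  "trap: fetch from data word"};
    int pc;
    enum outcome o;
    o = run(0, OVERRUNS, 5, &pc); printf("untagged, overrun:   %s (pc=%d)\n", names[o], pc);
    o = run(1, OVERRUNS, 5, &pc); printf("tagged,   overrun:   %s (pc=%d)\n", names[o], pc);
    o = run(1, FITS, 4, &pc);     printf("tagged,   in-bounds: %s (pc=%d)\n", names[o], pc);
    return 0;
}
```

The overrun still happens on the tagged machine; what changes is that the overwritten return word and the buffer words both carry the data tag, so control never reaches them.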
    
    ------------------------------
    
    Date: Sun, 4 May 2003 00:37:11 +0000 (GMT)
    From: Don Lindsay <dlindsay@don-lindsay-archive.org>
    Subject: Re: Pilots fail exams (RISKS-22.71)
    
    > The pilots couldn't pass the psychological and physical tests to be
    > allowed to carry a firearm --- but flying huge planes full of people is
    > OK.  Oh, this makes so much sense! The risks should be obvious.
    
    Indeed, it does make sense. It would be risky to assume that one skill set
    implies another.
    
    The two domains (commercial piloting and inflight weapons use) do have some
    things in common. Both require the ability to learn procedure, and both
    require efficient action under stress. But they differ significantly.
    Piloting involves relatively few interpersonal skills, whereas the use of
    weapons requires judgments of motive and threat, discrimination of
    perpetrators from hostages, and the like. Also, piloting can be done safely
    by a bigot, but you don't give police powers to someone who feels that
    everyone in a particular ethnic group is better off dead. Some people are so
    nervous about weapons that their hand shakes, and they can't hit the broad
    side of a barn door. And so on.
    
    I'm pleased that domain-specific testing was applied.
    
      [Also commented on by Bill Hopkins.  PGN]
    
    ------------------------------
    
    Date: Mon, 5 May 2003 09:03:48 -0500
    From: "Vince Mulhollon" <vlmat_private>
    Subject: Re: Pilots fail exams (RISKS-22.71)
    
    The belief that carrying a gun and flying an airplane are the same is a
    false analogy.  That makes irrelevant the implication that failures of the
    gun program are bad pilots.
    
    I can think of several examples which would disqualify a pilot carrying a
    gun, but not flying a plane.
    
    As for failing the background check, an income tax cheater could be a felon,
    and felons can't carry.  But, an income tax cheat could be an excellent,
    safe pilot.
    
    As for failing psychological tests, what about a conscientious objector?  If
    a pilot learns during training, that they cannot take a human life, there is
    no point in giving them a weapon.  A pilot who is unwilling to kill is
    probably an otherwise safe pilot.
    
    As for physical test failures, the impact load of a pistol is more intense
    than any other physical task required to fly an airplane.  If someone has
    experienced stress fractures in their arm or wrist in the past, it would be
    dumb to give them a .45, as after they shoot the hijacker, they'd likely
    break their arm again, and then be unable to fly the plane.  Or, as a
    chronic issue, good marksmanship requires regular training, and someone with
    tendonitis or carpal tunnel should probably not aggravate those problems by
    regular firearms practice, although the low impact task of flying may be
    perfectly safe.
    
    Finally as for marksmanship training, the ability to get a bullseye has no
    relation to piloting ability.
    
    ------------------------------
    
    Date: Mon, 5 May 2003 08:27:57 -0700
    From: "Toby Gottfried" <tobyat_private>
    Subject: Re: Pilots fail exams (RISKS-22.71)
    
     "Officials said the four rejections showed that the government was serious
     about providing guns only to pilots who were psychologically and physically
     fit to carry firearms in flight and defend their planes against attackers."
    
    Can we presume, then, that these four would not be allowed to fly as
    co-pilots with another pilot who had passed the tests and was armed?
    
    ------------------------------
    
    Date: 29 Mar 2002 (LAST-MODIFIED)
    From: RISKS-requestat_private
    Subject: Abridged info on RISKS (comp.risks)
    
     The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
     if possible and convenient for you.  Alternatively, via majordomo,
     send e-mail requests to <risks-requestat_private> with one-line body
       subscribe [OR unsubscribe]
     which requires your ANSWERing confirmation to majordomoat_private .
     If Majordomo balks when you send your accept, please forward to risks.
     [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
     this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
     Lower-case only in address may get around a confirmation match glitch.
       INFO     [for unabridged version of RISKS information]
     There seems to be an occasional glitch in the confirmation process, in which
     case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
       .UK users should contact <Lindsay.Marshallat_private>.
    => The INFO file (submissions, default disclaimers, archive sites,
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues.  *** All
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risksat_private with meaningful SUBJECT: line.
    => ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
       [volume-summary issues are in risks-*.00]
       [back volumes have their own subdirectories, e.g., "cd 21" for volume 21]
     http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
       Lindsay Marshall has also added to the Newcastle catless site a
       palmtop version of the most recent RISKS issue and a WAP version that
       works for many but not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing,
        http://www.csl.sri.com/illustrative.pdf or .ps for printing
    
    ------------------------------
    
    End of RISKS-FORUM Digest 22.72
    ************************
    


