[risks] Risks Digest 22.77

From: RISKS List Owner (riskoat_private)
Date: Wed Jun 18 2003 - 10:41:46 PDT

    RISKS-LIST: Risks-Forum Digest  Wednesday 18 June 2003  Volume 22 : Issue 77
    
       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
    
    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at http://www.risks.org as
      http://catless.ncl.ac.uk/Risks/22.77.html
    The current issue can be found at
      http://www.csl.sri.com/users/risko/risks.txt
    
      Contents:
    Cyberterrorists in the U.S. Senate (Curt Sampson)
    Digital mobile phones can phreak pacemakers (George Michaelson)
    United Airlines to offer e-mail on domestic flights (NewsScan)
    $24-million spreadsheet "boo-boo" (Jonathan Levine)
    Crash loses names of Canadian firearms registrants (Derek K. Miller)
    Scotland Yard outage chaos (Dave Austin)
    eBay fraud (John Reinke)
    Tiny tracking chips surface in retail use (Monty Solomon)
    Smart cellphone would spend your money (Steve Holzworth)
    Virginia grievance system online - with a slight problem (Jeremy Epstein)
    Sign someone up to be an organ donor! (Giles Todd)
    Continental Airlines check-in computer foul-up (Steve Bellovin)
    Downloading data can turn your computer into a server (greep)
    Re: U of Calgary to teach virus writing (Crispin Cowan)
    Computer bugs and believing reliable sources (Mark Brader)
    Re: Slade's Review of Mission Critical Security Planner (Eric Greenberg)
    Abridged info on RISKS (comp.risks)
    
    ----------------------------------------------------------------------
    
    Date: Wed, 18 Jun 2003 14:56:12 +0900 (JST)
    From: Curt Sampson <cjsat_private>
    Subject: Cyberterrorists in the U.S. Senate
    
      The chairman of the Senate Judiciary Committee [Sen. Orrin Hatch, R-Utah]
      said Tuesday he favors developing new technology to remotely destroy the
      computers of people who illegally download music from the Internet.
      http://www.salon.com/tech/wire/2003/06/17/hatch_download/
    
    I don't know that there's much more to be said.
    
    Curt Sampson  <cjsat_private>   +81 90 7737 2974   http://www.netbsd.org
    
      [There's lots more to be said.  For example, some software vendors would
      like to do that to their competitors, not just to their customers.  PGN]
    
    ------------------------------
    
    Date: Thu, 12 Jun 2003 10:02:57 +1000
    From: George Michaelson <ggmat_private>
    Subject: Digital mobile phones can phreak pacemakers
     
    http://www.newsfactor.com/perl/story/21695.html
    
    The new generation of digital mobile phones can interfere with many types of
    heart pacemakers, claims a new study in the Institute of Physics journal
    Physics in Medicine and Biology. Pacemakers can confuse mobile-phone signals
    with the heart's own electrical signals, causing a malfunction.
    
    George Michaelson, APNIC, PO Box 2131 Milton QLD 4064, Australia
      +61 7 3367 0490  http://www.apnic.net  ggmat_private
    
    ------------------------------
    
    Date: Wed, 18 Jun 2003 08:35:11 -0700
    From: "NewsScan" <newsscanat_private>
    Subject: United Airlines to offer e-mail on domestic flights
    
    By the end of the year, United Airlines will become the first domestic
    airline to offer e-mail on all of its domestic flights.  Industry analyst
    Jonathan Gaw of IDC says the service will be a good attraction for business
    users, who both need their e-mail and who can expense it.  For $15.98 a
    flight, a passenger will be able to send and receive e-mail and attachments,
    by connecting a laptop computer to a jack on the Verizon Airfone handset
    available throughout the plane.  [*Baltimore Sun*, 18 Jun 2003; NewsScan
    Daily, 18 June 2003]
      http://www.sunspot.net/technology/bal-bz.email18jun18,0,7414783.story
      ?coll=bal-technology-headlines
    
      [And I presume first-class passengers will be offered a plate of Spam as
      an appetizer, with Monterey Jack.  (And why is Jack always female in this
      context?)  What about people SENDING spam from the plane?  What about spam
      filters for incoming e-mail?  Nothing like sitting on a 6-hour flight and
      watching your spam pile up.  PGN]
    
    ------------------------------
    
    Date: Wed, 4 Jun 2003 17:08:10 -0600
    From: Victor the Cleaner <jonathanat_private>
    Subject: $24-million spreadsheet "boo-boo"
    
    From *The Calgary Sun*, 4 Jun 2003:
    
      TransAlta Corp said yesterday a "clerical error" was a costly one for the
      power producer -- $24 million US to be exact.  The Calgary-based company
      said a spreadsheet goof by an employee last April caused the company to
      pay higher than intended rates to ship power in New York.  CEO Steve
      Snyder told a conference call yesterday a "cut-and-paste" foul-up in an
      Excel spreadsheet on a bid to New York's power grid operator led TransAlta
      to secure 15 times the capacity of power lines at 10 times the price.  The
      costly human error couldn't be reversed by the grid operator and while
      TransAlta has since tried to recoup the mammoth losses, it was left with a
      $24-million US lesson.  [...]
    
    The RISKS?  Jeez, where do you start?  This sort of thing is becoming so
    depressingly common that it barely makes print.  Enormously complicated and
    powerful tools that are capable of simultaneously magnifying minor errors
    and burying from sight the megabuck consequences?  The apparent "we're
    terribly sorry, but our computers aren't programmed to issue refunds"
    response of the "New York power grid operator"?
    
    Jonathan Levine, Middle Digital Inc. http://www.realweasel.com
      [Also noted by Morty Ovits.
         http://reddeeradvocate.com/editorials/radB948F.htm
       and George N. White III.  PGN]
    
    ------------------------------
    
    Date: Wed, 04 Jun 2003 15:29:19 -0700
    From: "Derek K. Miller" <dkmillerat_private>
    Subject: Crash loses names of Canadian firearms registrants
    
    A database crash now threatens to turn people trying to comply with an
    unpopular law into lawbreakers instead.
    
    The Canadian government has been attempting to implement a nationwide
    firearms registry for several years now.  What was originally supposed to
    cost at most a few million dollars to document every previously undocumented
    rifle or shotgun in the country has now ballooned into a $1 billion-plus
    megaproject that appears not to work.
    
    http://www.cbc.ca/news/features/firearms_act.html
    
    Even those, like me, who are firmly for Canada's strong gun-control laws
    find the way this project has been put together to be laughable (and that's
    a charitable assessment). In many rural parts of Canada, a long gun is a
    necessity, at least to hunt for food or as protection against potentially
    dangerous wildlife (everything from polar bears to moose and wolverines,
    depending on where you are) for people living or working in the bush, from
    native communities to petroleum exploration teams.
    
    The latest registry mishap to come to light is that the database software,
    overloaded before the registration deadline was extended several months from
    its original 1 January 2003 date, crashed, and apparently took some
    registrants' names with it. No one seems to know how many, and I haven't
    been able to track down any details of the kinds of software or platforms
    that were in use.
    
    http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/1054726691584_31/
    
    To add to the federal government's trouble, a number of provinces have now
    said they will refuse to prosecute people who flout the act by not
    registering their guns -- and there are many such scofflaws.
    
    From the CTV article above:
    > The federal Firearms Act and the Criminal Code state that anyone possessing a
    > firearm as defined in Section 2 of the Code must hold a valid firearms
    > registration certificate. The new legislation requires that owners of
    > long-guns such as rifles and shotguns, register their weapons by July 1 or
    > face legal action.
    > 
    > Critics of the gun registry have argued that the legislation is nothing more
    > than a costly waste of time.
    >
    > The auditor general has projected it could end up costing more than $1
    > billion by 2005 rather than the net $2 million over 10 years projected
    > when it was established in 1995. And many say people who would use their
    > firearms for violent offences aren't likely to register their guns anyway.
    
    Aside from the direct risks of setting up a database without the bandwidth
    or computational headroom for large increases of traffic before a deadline,
    lacking proper file journaling, and insufficiently backed up, there is the
    additional risk that the predictable failure of such a system will cast
    further bad light on a project already suffering from a reputation for
    inefficiency and poor planning.
    
    Derek K. Miller - dkmillerat_private
      [Also noted by Dan Haggarty.  PGN]
    
    ------------------------------
    
    Date: Fri, 6 Jun 2003 11:01:37 +0100
    From: "Dave Austin" <dave.austinat_private>
    Subject: Scotland Yard outage chaos 
    
    I thought that this was of interest, an old risk but surprising to find such
    a high profile building vulnerable:
    
    Yard crisis as power fails, 4 Jun 2003
    
    Scotland Yard was plunged into crisis today by a massive power and
    communications failure.  All phones in the building were cut off as all
    lines to the Yard were down, while the central system for handling 999 calls
    also failed and had to be switched to local police stations.  Computers
    which log emergency and other calls to police in London - known as the CAD
    system - failed, along with a second system to Hendon which was supposed to
    provide an emergency back-up.  Emergency generators restored power to the
    building, but officers had to resort to using mobile phones.  A group of
    senior officers was called together to handle the crisis. One police source
    said the meeting had examined the possibility that the power failure was a
    terrorist or a criminal act, though this had been ruled out.  The failure
    showed the vulnerability of the Yard's communications network at a time when
    London is on alert for a possible terrorist outrage.  The phones and
    electricity crashed at about 9.30am and were still out of action two hours
    later. A Yard spokesman said the crisis was caused by a single workman
    cutting through an electricity cable in the Victoria area, and that the
    company's chief executive had personally apologised to senior officers.  As
    engineers from the Yard and outside companies were working flat-out to solve
    the problem, the police spokesman emphasised that officers were still
    responding to 999 calls which had been routed through the main London police
    stations.  "We have contingency plans in place which are working well,"
    added the spokesman. "We are still able to provide emergency cover for
    London.  "This is a serious matter and we are seeking to bring the building
    back on-line as quickly as possible."  One employee at the building said:
    "We're in the hands of the engineers." Asked if it was causing huge
    problems, he said: "You could say that."  Visitors to the Yard's reception
    who had fixed appointments were told they couldn't be seen today because of
    "internal communication problems".  Staff at reception were unable to make
    internal phone calls and unless visitors had the mobile phone numbers of
    staff they were due to meet, they were told they would not be able to see
    them.  Other buildings in the area were also affected by the blackout.
    London Ambulance said its 999 service was still operational but calls were
    being handled on paper for about an hour and a half while the power was
    disrupted. Scotland Yard has contingency plans to relocate its emergency
    systems and senior officers in the event of a massive crisis such as a
    terrorist attack.  However, this did not happen this morning.  Another
    police source said: "This could come from the plot of a film.  "One wonders
    whether there is a massive criminal heist going on somewhere in London.
    "The fact that someone can bring the building to a halt by cutting a single
    cable is a little alarming.  "I am sure there will be a few internal
    inquiries about this."
    
    Police chiefs told to explain blackout 
    
    5 June 2003 
    
    Police chiefs have been ordered to provide a full report into the power
    failure which led to computers and telephones at Scotland Yard crashing for
    more than seven hours.  Toby Harris, chair of the Metropolitan Police
    Authority, said there were "grave concerns" after an engineer blacked out
    the HQ yesterday by accidentally cutting a single cable in the street.  He
    added it called into question the Met's ability to cope in a crisis.
    
    Source: (London) Evening Standard - also covered in The Times et al.
    
    Dave Austin <dave.austinat_private>  www.insight.co.uk
    
    ------------------------------
    
    Date: Fri, 13 Jun 2003 09:14:12 -0400
    From: "John Reinke" <reinkeat_private>
    Subject: eBay fraud
    
    Police in South Salt Lake, Utah, are working with eBay to determine just how
    many people were victimized by what authorities say was one of the biggest
    frauds in the auction site's history.  Police arrested 31-year-old Russell
    Dana Smith last weekend after hundreds of auction winners complained that
    they sent $1,000 or more to a company named Liquidation Universe for laptop
    computers they never received.  Police say the firm appears to have raked in
    $1 million from about 1,000 victims in just a few weeks.  [...] [Source: Bob
    Sullivan, MSNBC, Man arrested in huge eBay fraud; Buyers criticize auction
    site's seller verification service]
      http://www.msnbc.com/news/925433.asp?0dm=C12LT
    
    [FJR: Guarantees are only as good as the guarantor. There ain't no free
    lunch. When will people take security seriously?]
      [This one is a long and ugly story.  PGN]
    
    ------------------------------
    
    Date: Tue, 10 Jun 2003 01:34:38 -0400
    From: Monty Solomon <montyat_private>
    Subject: Tiny tracking chips surface in retail use
    
    Tom Pounds waved his overflowing grocery basket at the wall and offered a
    glimpse of our shopping future.  The coffee cans, razor blades, and other
    items in his basket each carried a stowaway -- a tiny chip, the size of a
    fleck of black pepper, coupled with an antenna.  Each emitted a short burst
    of identifying data that streamed via radio waves to a sensor on the wall.
    [...] Within fractions of a second, a computer translated those received
    signals onto a monitor as images of each product in the basket.  [...]  In
    15 or 20 years, futurists predict, the pervasive RFID tags will link to
    massive computer networks, enabling speedy checkout from the grocery store,
    medicine cabinets that tell you when to take pills, and milk cartons that
    inform your fridge when to add another gallon to the grocery list.  [...]
    [Source: Chris Gaither, Radio Frequency Identification Tiny tracking chips
    surface in retail use Retail uses for ID chips surfacing, *The Boston
    Globe*, 9 Jun 2003]
      http://www.boston.com/dailyglobe2/160/business/
      Tiny_tracking_chips_surface_in_retail_use+.shtml
    
    ------------------------------
    
    Date: Tue, 17 Jun 2003 11:32:52 -0400
    From: Steve Holzworth <schat_private>
    Subject: Smart cellphone would spend your money
    
      "A consortium of the world's top consumer electronics firms, mobile
      networks and broadcasters are funding the development of cellphones that
      will spend money on your behalf. The consortium, called Mobile VCE,
      includes Nokia, Sony, Vodafone and the BBC.  It might sound like a
      bankruptcy waiting to happen, but software engineer Nick Jennings is
      supremely confident the phones will not mess up anybody's life.  [...]
      The cellphone agents only offer help if triggered by a diary event or if a
      definite pattern of behaviour, such as going to the movies every Friday,
      has been established."  [Source: New Scientist]
        http://www.newscientist.com/news/news.jsp?id=ns99993818
    
    [SCH - how many "supremely confident" software engineers have watched
    as their rocket booster exploded, their online store got hacked, etc.?]
    
    What mechanisms will be in place to dispute or refuse purchases that your
    cellphone agent makes on your behalf?  Be *sure* that you always want to go
    to the movies every Friday...
    
    I own a DirecTivo video recorder, which has a similar agent-like process
    that automatically records "suggested" programs for you, based on analyzing
    your previous viewing habits.  I'm still often amused by some of the
    "suggestions" it makes, which have no obvious relevance whatsoever to my
    typical viewing habits.
    
    I suppose that if your life runs on a rigid schedule, this might be useful.
    My life certainly doesn't...
    
    Steve Holzworth Senior Systems Developer SAS Institute - Open Systems R&D
    VMS/MAC/UNIX, Cary, N.C.  schat_private
    
    ------------------------------
    
    Date: Fri, 6 Jun 2003 11:10:44 -0400 
    From: Jeremy Epstein <jeremy.epsteinat_private>
    Subject: Virginia grievance system online - with a slight problem
    
    Virginia put its workplace grievance system online as a way of improving
    responsiveness (the old system typically took a year to process), according
    to *The Washington Post*.  Expected savings are $100,000/year, possibly more.
    As a Virginia taxpayer, that's good.... every little bit helps.
      [http://www.washingtonpost.com/wp-dyn/articles/A10481-2003Jun3.html]
    
    "The system is secure from prying eyes, yet those who need to know a case
    history can view an entire file by using the employee's Social Security
    number."  So... yet another new system that uses the employee's SSN as the
    key.  That's bad.  [And we won't even get into how they know that "the
    system is secure from prying eyes".]
    
    ------------------------------
    
    Date: Fri, 13 Jun 2003 22:22:23 +0200
    From: Giles Todd <gat_private>
    Subject: Sign someone up to be an organ donor!
    
    Add anyone you like to the UK's NHS Organ Donor Register at:
      https://www.uktransplant.org.uk/odronline/servlet/mydetailsservlet
    
    Apart from trivial address validity checks, the sole attempt to ensure that
    the person being signed up is really who he or she says he or she is is an
    e-mail message sent to the e-mail address supplied.
    
      Date: Fri, 13 Jun 2003 21:11:12 +0100 (BST)
      From: odrat_private
      Subject: I want to be a donor
    
      Thank you for joining the NHS Organ Donor Register.  Your new record will 
      now be downloaded directly to the register.
    
      If you wish to amend the personal information held on the register at any 
      time you can do so through this website, or by contacting:
        The Organ Donor Line (0845 60 60 400) between 7am and 11pm seven days a 
        week for a form, or by writing to:
          The NHS Organ Donor Register, UK Transplant, PO Box 14, FREEPOST
          Patchway, BRISTOL BS34 8ZZ  UK
    
    ------------------------------
    
    Date: Sat, 14 Jun 2003 13:35:54 -0400
    From: Steve Bellovin <smbat_private>
    Subject: Continental Airlines check-in computer foul-up
    
    This morning, I tried to check in for a Continental flight from Newark to
    Seattle.  But all of the self-service check-in kiosks and all of the
    domestic check-in computers were down.  It seems that they'd done a software
    upgrade at 0200, and when things got busy the system died.  One of the
    customer service managers was muttering that they should have installed the
    upgrade on a Sunday morning instead.
    
    They told people to go upstairs to the International check-in area, which
    hadn't been "upgraded".  But they didn't allocate enough desks -- or enough
    people from the non-functional domestic check-in -- to handle the crowd.
    Nor, despite assurances from Customer Service, did they hold any flights.
    The system wouldn't let me check in 10 minutes prior to flight time, of
    course, which is reasonable under normal circumstances but not when their
    own software has fouled things up.  They also didn't have any priority
    procedure for folks on earlier flights.
    
    But it turns out that they did hold the flight, or so it seems -- checking
    the Continental Web site when I got home, I found that my flight took off 25
    minutes late.
    
    In possibly-unrelated computer confusion, one of the arrival status monitors
    at EWR was displaying the Internet Explorer "this page is not available"
    screen, while one of the departure monitors was showing a typical Windows
    desktop.  Hmm -- looking at the pictures I took, I see that it has Winzip
    installed....
    
    Steve Bellovin, http://www.research.att.com/~smb
    
    ------------------------------
    
    Date: Fri, 6 Jun 2003 12:49:02 -0700
    From: greep <greepat_private>
    Subject: Downloading data can turn your computer into a server
    
    The Register reports
    (<http://www.theregister.co.uk/content/6/31080.html>) that Joltid is
    using "content distribution technology that utilises users' own PCs to
    disseminate content for publishers."  According to the article, when
    someone loads content (such as software) using the Joltid system, the
    computer loading the data then becomes a server for that same data.
    
    There seem to be a number of potential risks to users of such a system:
    
    They could be held liable for "publishing" information over which they have no
    control.  This liability could include copyright and patent infringement.
    If the content is found to contain viruses or material which is illegal, the
    liability could be even more severe.
    
    Bugs in the Joltid software could expose their personal files to the outside
    world, even if their computers run no other server software.
    
    Their own network throughput, or other computer resources, might be affected
    by having their computers act as servers.
    
    They may be subject to additional ISP charges for excessive outbound
    traffic.
    
    People who retrieve data from another customer's computer (not from the
    original publisher) need to consider the possibility that the data has been
    altered.  The article does say: "All files are digitally signed to prevent
    tampering, the company claims", but no details are provided.
    
    ------------------------------
    
    Date: Sat, 14 Jun 2003 14:53:10 -0700
    From: Crispin Cowan <crispinat_private>
    Subject: Re: U of Calgary to teach virus writing (Weaver, RISKS-22.76)
    
    How is it that worms specifically, or malicious code in general, is a 
    legitimate area of research, but not a legitimate study topic for 
    students in a class? How are we to obtain more defensive experts such as 
    Weaver if we do not train young people in the area?
    
    Techniques to write viruses and worms are evidently already very well known
    in the black hat community, as evidenced by the proliferation of such
    worms. It is only in the defensive community where ignorance is relatively
    common, as evidenced by the naive defenses that are proposed over and over
    again. In light of that, how is the suppression of malicious coding
    techniques in the education system any different from the suppression of how
    to sharpen a pointed stick with which to murder one's neighbor?
    
    I'm sorry, but the cat is clearly out of the bag, and there is little
    benefit in attempting to suppress knowledge of how to write a worm.  IMHO,
    all the hand-wringing over this course is badly misplaced.
    
    Crispin Cowan, Ph.D.           http://immunix.com/~crispin/
    Chief Scientist, Immunix       http://immunix.com
                http://www.immunix.com/shop/
    
    ------------------------------
    
    Date: Fri, 13 Jun 2003 17:13:52 -0400 (EDT)
    From: msbat_private (Mark Brader)
    Subject: Computer bugs and believing reliable sources
    
    Back in comp.risks 22.73, Monty Solomon quoted
    <http://finance.lycos.com/home/news/story.asp?story=34131541>:
    
    | Computer bugs have been around since malfunctions in a 1945
    | [Harvard] Mark II were blamed (facetiously) on a moth trapped
    | in a relay.
    
    In fact, the malfunction in question *was* caused by the moth trapped in a
    relay -- the facetious part was the association of this event with the
    existing slang term for a problem, i.e. "bug".  As
    <http://americanhistory.si.edu/csr/comphist/objects/bug.htm> shows, the moth
    was preserved along with the annotation, "First actual case of bug being
    found".  (Note the word "actual".)
    
    Now that's not Risks-worthy, but I think the other error in the quoted
    sentence is: the Lycos writer gave the date of the incident as 1945.  As the
    web page I just cited shows, the logbook with the moth now belongs to the
    Smithsonian Institution's National Museum of American History, and *they*
    say that the correct date is 1947.  Since the illustrated page does not show
    the year, I e-mailed infoat_private to query the point.  They replied to say
    that 1947 is correct and that "The year does not appear on the page, but it
    does appear elsewhere in the logbook."
    
    Now try a google search for the phrase "first computer bug" and each of the
    years 1945 and 1947.  Go ahead, I'll wait...  But here are the counts I get
    when I do it.
    
            "first computer bug" 1945               388
            "first computer bug" 1947               140
    
    Of course, some of these will be false hits -- the year being mentioned in
    another context on the same web page -- but it's easy to see from the google
    synopses that many of the 388 hits do give the wrong date.  Among these are:
    
        http://www.history.navy.mil/photos/images/h96000/h96566kc.htm
        http://www.computer.org/history/development/1945.htm
    
    and a *large* number of university sites.  Obviously sources that you would
    expect things to be right, aren't they?  I even found one page (but I lost
    it again, so no cite) that seems to show Grace Murray Hopper, who was part
    of the group working on the computer, herself saying that the incident was
    in 1945.
    
    And it's actually even worse than the above numbers suggest.  Of the 140
    hits in the second (1947) search, many *are* false.  If you search for the
    phrase together with *both* years, there are 103 hits, and many of these are
    pages that date the incident to 1945 and then mention 1947 in another
    context.
    
    Everyone learns quickly enough that you can't believe everything you
    read on the Web.  But in this case there are enough pages at enough
    reliable-seeming sites that it's hard to believe that they're all
    wrong -- and yet (unless my correspondent at the Smithsonian, where
    the actual logbook is, was lying or mistaken) they are.
    
    The difference between a 1945 and 1947 date for a minor piece of
    etymological history is a trivial error to practically everyone.  But the
    next time you believe what you read, it might not be trivial.
    
    (Of course this sort of problem can happen with non-Internet research
    too.  The Risks relevance is that Web searching makes it so much easier
    to become very sure very fast...)
    
    Mark Brader   |   "I'm a little worried about the bug-eater", she said.
    Toronto       |   "We're embedded in bugs, have you noticed?"
    msbat_private   |                          -- Niven, "The Integral Trees"
    
    ------------------------------
    
    Date: Mon, 16 Jun 2003 09:14:49 -0400
    From: "Eric Greenberg" <ericat_private>
    Subject: Re: Slade's Review of Mission Critical Security Planner
    
    My book titled Mission Critical Security Planner (Wiley, 2003), which 
    Slade has critiqued here, survived full scrutiny and review on 
    slashdot.org, a tough group of folks
    
    http://books.slashdot.org/article.pl?sid=03/02/13/1515257
    
    and has been reviewed by many reviewers, all of whom have offered
    nothing but praise. I encourage you to see the other reviews on 
    Amazon.com and elsewhere on the Internet.
    
    http://www.amazon.com/exec/obidos/ASIN/0471211656
    
    You might also visit the Mission Critical Security Planner companion 
    Web site, where you can download a free electronic copy of
    Chapter 1 and the free worksheets used in the book, at 
    
    http://www.CriticalSecurity.com
    
    Judge my commitment to this book, supporting the readers, and security
    planning in general, by that material and the Web site.
    
    Eric Greenberg   http://www.CriticalSecurity.com
    http://www.amazon.com/exec/obidos/ASIN/0471211656
    
    ------------------------------
    
    Date: 30 May 2003 (LAST-MODIFIED)
    From: RISKS-requestat_private
    Subject: Abridged info on RISKS (comp.risks)
    
     The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
     if possible and convenient for you.  Alternatively, via majordomo,
     send e-mail requests to <risks-requestat_private> with one-line body
       subscribe [OR unsubscribe]
     which requires your ANSWERing confirmation to majordomoat_private .
     If Majordomo balks when you send your accept, please forward to risks.
     [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
     this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
     Lower-case only in address may get around a confirmation match glitch.
       INFO     [for unabridged version of RISKS information]
     There seems to be an occasional glitch in the confirmation process, in which
     case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
       .UK users should contact <Lindsay.Marshallat_private>.
    => SPAM challenge-responses will not be honored.  Instead, use an alternative 
     address from which you NEVER send mail!
    => The INFO file (submissions, default disclaimers, archive sites,
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues.  *** All
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risksat_private with meaningful SUBJECT: line.
    => ARCHIVES: http://www.sri.com/risks
     http://www.risks.org redirects you to Lindsay Marshall's Newcastle archive
     http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue]
       Lindsay has also added to the Newcastle catless site a palmtop version 
       of the most recent RISKS issue and a WAP version that works for many but 
       not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing,
        http://www.csl.sri.com/illustrative.pdf or .ps for printing
    
    ------------------------------
    
    End of RISKS-FORUM Digest 22.77
    ************************
    