[risks] Risks Digest 22.78

From: RISKS List Owner (riskoat_private)
Date: Sat Jun 28 2003 - 11:36:29 PDT


RISKS-LIST: Risks-Forum Digest  Saturday 28 June 2003  Volume 22 : Issue 78

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at http://www.risks.org as
  http://catless.ncl.ac.uk/Risks/22.78.html
The current issue can be found at
  http://www.csl.sri.com/users/risko/risks.txt

  Contents:
Cancer therapy missed tumor sites (John Colville)
Fear of flying?  You just might be a terrorist! (Dawn Cohen)
How Hulk Crushed the Online Pirate (P.J. Huffstutter via Monty Solomon)
E-Mail Swindle Uses False Report About a Swindle (Hafner-Flynn via Monty)
New bill injects FBI into P2P battle (David Becker via Monty Solomon)
RFID Chips Are Here (Scott Granneman via Monty Solomon)
Cell-phone tracking (David Lesher)
Student arrested for allegedly derailing election (John Reinke)
ISP's DHCP servers infiltrated (Tom Van Vleck)
Wireless gives poorer nations chance to catch up ... (NewsScan)
Big sites hoard links (Monty Solomon)
Crossing Dateline a navigational risk (John Elsbury)
More erroneous arrests over erroneous ATM clocks (David Lesher)
Re: Soyuz landing problem caused by software? (Peter B. Ladkin)
Virgin Mobile makes the oldest mistake in the book (Jay R. Ashworth)
PayPal fraud, and the importance of grammar (Geoffrey Brent)
When spam filters go bad (Laura Miller via Monty Solomon)
New State Laws on Privacy (Robert Ellis Smith)
Secure Coding Principles and Practices, Graff/van Wyk (Monty Solomon)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 23 Jun 2003 11:55:00 +1000
From: colvilleat_private
Subject: Cancer therapy missed tumor sites

Ten critically ill patients with advanced lung or esophagus cancer
were given radiation therapy to the wrong spot in the past four years,
doctors from Prince of Wales Hospital admitted.  Eight of those
patients (who were all at the end stages of their illness) have died,
although none of them reportedly died as a result of the mistake.  The
rare treatment (1% of the therapy cases) delivers radiation via a
flexible catheter to the tumor site and was reportedly off by
millimeters -- although centimeter adjustments may be expected to
compensate for breathing variances.  Two other patients had the same
incorrect treatment in 1993 and 1995.  (This treatment is apparently
used only for incurable cases, to relieve symptoms.)  An investigation
is under way to determine the extent of the error, which occurred when
the wrong details were entered into a computer used to control the
delivery of the therapy.  [Source: Ruth Pollard, *Sydney Morning
Herald*, 21 Jun 2003; PGN-ed, with American spelling]
  http://smh.com.au/text/articles/2003/06/20/1055828490830.htm

John Colville, Department of Computer Systems, University of Technology, Sydney
PO Box 123, Broadway NSW Australia 2007 +61-2-9514-1854 colvilleat_private

------------------------------

Date: Mon, 23 Jun 2003 15:06:00 -0400
From: "Dawn Cohen" <COHENDat_private>
Subject: Fear of flying?  You just might be a terrorist!

It was reported this morning on Public Radio International's
Marketplace program that a company called QinetiQ is trying to market
an "intelligent" airplane seat that would detect nervousness in
passengers and alert airline staff.  Essentially, it sounded like a
motion detector and profiler.

QinetiQ appears to be a spin-off for Britain's Defense Evaluation
Research Agency (sounded like the British DARPA or some kind of
government lab, from the story.)

I found it interesting that the first half of the story focused on the
terrorism potential for this technology, but the rest of the story went
on to outline how helpful it could be for personalizing your flying
experience.  From the report, it sounded like if you squirmed around a
lot or shook for some reason, you might be brought to the attention of
the crew, as a potential terrorist.   Of course, there would be health
benefits, as well:  if you sat still for too long the crew could warn
you to move around a little to avoid blood clots in your legs.  And by
the way, the intelligent seat would have some kind of card reader that
would let the passenger swipe their personal card to pick a movie to see
or to specify other flight options.

I'm not sure if this is a marketing ploy wrapped as an anti-terrorism
product or an anti-terrorism ploy wrapped as a marketing product.
Either way, it seems like it has good potential for mis-use.

I wonder how many false positives it will take to have the staff turn
the system off altogether.  I imagine it would be kind of irritating to
the crew to have to investigate squirming 2 year olds, people with ADD,
people who have various anxiety conditions, people flying to high stakes
business presentations, oh yeah, and people who look like they might be
from the Middle East, who might just be a little nervous because they've
been profiled before.

------------------------------

Date: Thu, 26 Jun 2003 23:57:05 -0400
From: Monty Solomon <montyat_private>
Subject: How Hulk Crushed the Online Pirate
 
On 25 Jun 2003, Kerry Gonzalez, a 24-year-old New Jersey insurance
underwriter, pleaded guilty in a Manhattan federal court to criminal
charges of posting a bootlegged early non-final copy of the new movie
"The Hulk" on the Internet.  He could face a maximum sentence of three
years in prison and a fine of $250,000 when he is sentenced Sept. 26
in U.S. District Court for the Southern District of New York.
[Source: P.J. Huffstutter, *Los Angeles Times*, 26 Jun 2003]
  http://www.latimes.com/business/la-fi-hulk26jun26224419,1,1391001.story

------------------------------

Date: Sat, 21 Jun 2003 22:12:36 -0400
From: Monty Solomon <montyat_private>
Subject: E-Mail Swindle Uses False Report About a Swindle

By KATIE HAFNER and LAURIE J. FLYNN, *The New York Times*, 21 Jun 2003

SAN FRANCISCO, June 20 - It was a clever, if not entirely flawless 
ruse. Many of its potential victims saw through it immediately. 
Others were less skeptical and were caught in its snare.

On Wednesday, starting in the early afternoon, people around the 
country began receiving an e-mail message with "Fraud Alert" in the 
subject line. In the guise of concern about a purchase from Best Buy 
and possible credit card misuse, the message urged recipients to go 
to a "special" BestBuy.com Web site and correct the problem by 
entering their credit card and Social Security numbers.

E-mail posing as a fraud notice to carry out a fraud - indeed preying 
on a consumer's fear of being defrauded - is an illegal form of spam, 
the much-loathed tide of random, unsolicited messages that pours into 
computer inboxes every day. ...

  http://www.nytimes.com/2003/06/21/technology/21CARD.html

------------------------------

Date: Sat, 21 Jun 2003 23:45:18 -0400
From: Monty Solomon <montyat_private>
Subject: New bill injects FBI into P2P battle

David Becker, CNET News.com, 20 Jun 2003

A bill introduced in Congress on Thursday would put federal agents in
the business of investigating and prosecuting copyright violations,
including online swapping of copyrighted works.  HR-2517, the Piracy
Deterrence and Education Act of 2003, instructs the FBI to develop a
program to deter online traffic of copyrighted material. The bureau
would also develop a warning, with the FBI seal, that copyright
holders could issue to suspected violators. And the bureau would
encourage sharing of information on suspected copyright violations
among law enforcement, copyright owners and ISPs (Internet service
providers).

The bill bears the names of two legislators who have been prominent 
on intellectual property and copyright issues--Reps. Lamar Smith, 
R-Texas, and Howard Berman, D-Calif. Berman gained attention last 
year with a bill that would have allowed copyright holders to hack 
into peer-to-peer networks believed to be distributing protected 
materials.

The new bill also calls for the Department of Justice to hire agents 
trained to deal with computer hacking and intellectual-property 
issues, and it requires the Attorney General, in conjunction with the 
departments of Education and Commerce, to develop programs to educate 
the public on copyright issues.

A lawyer with the Electronic Frontier Foundation said the bill
includes a number of troubling aspects, particularly the blurring of
distinctions between official prosecution of criminal acts and civil
enforcement of copyright provisions. ...
  http://news.com.com/2100-1028-1019811.html

------------------------------

Date: Fri, 27 Jun 2003 17:49:36 -0400
From: "monty solomon" <montyat_private>
Subject: RFID Chips Are Here

RFID chips are being embedded in everything from jeans to paper money, and 
your privacy is at stake.  [Scott Granneman, Security Focus, 26 Jun 2003]
  http://www.securityfocus.com/columnists/169

------------------------------

Date: Sun, 22 Jun 2003 12:05:26 -0400 (EDT)
From: David Lesher <wb8fozat_private>
Subject: Cell-phone tracking

IRS Headquarters employee LaToya Taylor vanished after meeting
her ex-BF for lunch. Police searching in Southern MD, an hour+
away from DC recovered a body that may be hers. Why look there?

<http://www.washingtonpost.com/wp-dyn/articles/A14423-2003Jun19.html>

  The search in Southern Maryland came after police reviewed
  the records of Taylor's cell phone. They determined that at least
  one call was made to her cell phone last weekend while it was in the
  Newburg area; the call was unanswered.

This speaks to a level of log retention by cell carriers that has not
been admitted to before. The FCC is requiring [RISKS-22.69] "enhanced
911" but in reality such location-tracking can function whenever the
phone is powered-up. One wonders how long before divorce attorneys
start subpoenaing same, and employers demand access as a condition of
employment.

------------------------------

Date: Tue, 24 Jun 2003 12:14:39 -0400
From: "John Reinke" <reinkeat_private>
Subject: Student arrested for allegedly derailing election

Student arrested for allegedly hacking university computers to derail
election 

Shawn Nematbakhsh, a 21-year-old student at the University of
California at Riverside, was arrested for allegedly hacking into a
university computer system during student elections and casting 800
votes for his own fabricated candidate (American Ninja).  (He told
police he was trying to point out that the UCR network was vulnerable.)
The election will be redone next month.  [Source: Associated Press, 21
Jun 2003; PGN-ed]
  http://famulus.msnbc.com/famulusgen/ap06-21-053420.asp?t=APNEW

Good thing it was a made-up candidate. Otherwise they might not even
have known! Computer security is an "art" just like brain surgery.
But, "anybody" can do it.  I just read this and chuckle.  Can
government do anything "right"?  And, some want to run real elections
this way?  John

F. John Reinke, 3 Tyne Court, Kendall Park, NJ 08824
732-821-5850 reinkefjat_private

------------------------------ 

Date: Fri, 20 Jun 2003 15:33:15 -0400
From: Tom Van Vleck <thvvat_private>
Subject: ISP's DHCP servers infiltrated

http://ask.slashdot.org/article.pl?sid=03/06/19/2325235&mode=thread&tid=126&tid=172&tid=95

"... It turns out, Charter Communications' DHCP servers were
infiltrated and were providing p5115.tdko.com as the
'Connection-specific DNS suffix', causing all non-hardened Windows
(whatever that means in a Windows context) machines to get lookups
from a hijacked subdomain DNS server which simply responded to every
query with a set of 3 addresses (66.220.17.45, 66.220.17.46,
66.220.17.47).

On these IPs were some phantom services. There were proxying Web
servers (presumably collecting cookies and username/password combos),
as well as an ssh server where the perpetrators were most likely
hoping people would simply say 'yes' to the key differences and enter
in their username/password..."

Hmm, my cable ISP was down this morning.  Maybe coincidence.
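
The following is an added example, not part of Tom Van Vleck's message or
the Slashdot thread. It shows the mechanism described above from the
client's side: how DHCP option 15 (domain name) is carried in a lease, how
a stub resolver turns a bare name like "mail" into "mail.p5115.tdko.com",
how to audit a lease against the suffix and resolvers an ISP is known to
use, and how to spot a catch-all zone that answers every query with the
same addresses. The DHCP ACK bytes, the trusted values (charter.example,
10.0.0.2) and the two stand-in resolver functions are constructed; the
suffix and the three addresses are the ones quoted in the thread.

```python
"""Parse DHCP options and audit the DNS settings a lease hands out.
Added example; the DHCP ACK, the trusted suffix/resolver values and the
stand-in resolver functions are constructed, not captured traffic."""
import secrets
import socket
from typing import Callable, Dict, List, Sequence, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 prefix of the options field
OPT_DNS_SERVERS = 6
OPT_DOMAIN_NAME = 15
OPT_MSG_TYPE = 53


def parse_dhcp_options(blob: bytes) -> Dict[int, bytes]:
    """Decode the TLV options field of a DHCP message into {code: value}.
    Pad (0) is skipped, End (255) stops parsing, and a repeated code is
    concatenated as RFC 3396 requires for long options."""
    if not blob.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    opts: Dict[int, bytes] = {}
    i = len(MAGIC_COOKIE)
    while i < len(blob):
        code = blob[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def dns_servers(opts: Dict[int, bytes]) -> List[str]:
    """Option 6: a list of IPv4 addresses, four bytes each."""
    raw = opts.get(OPT_DNS_SERVERS, b"")
    if len(raw) % 4:
        raise ValueError("option 6 is not a list of IPv4 addresses")
    return [socket.inet_ntoa(raw[i:i + 4]) for i in range(0, len(raw), 4)]


def domain_name(opts: Dict[int, bytes]) -> str:
    """Option 15: the suffix the client appends to unqualified names."""
    raw = opts.get(OPT_DOMAIN_NAME, b"").rstrip(b"\x00")
    return raw.decode("ascii", errors="replace").strip(".").lower()


def qualify(name: str, suffix: str) -> str:
    """What a stub resolver does with a single-label name: append the
    suffix. Simplified; Windows name devolution tries more candidates."""
    if "." in name or not suffix:
        return name
    return f"{name}.{suffix}"


def audit_lease(opts: Dict[int, bytes], trusted_suffixes: Sequence[str],
                trusted_resolvers: Sequence[str]) -> List[str]:
    """Flag a lease whose suffix or resolvers are not the ISP's known ones."""
    findings: List[str] = []
    suffix = domain_name(opts)
    if suffix and not any(suffix == t or suffix.endswith("." + t) for t in trusted_suffixes):
        findings.append(f"untrusted DNS suffix {suffix!r}")
    for srv in dns_servers(opts):
        if srv not in trusted_resolvers:
            findings.append(f"untrusted resolver {srv}")
    return findings


def looks_like_wildcard(suffix: str, resolve: Callable[[str], List[str]],
                        probes: int = 4) -> bool:
    """Query random, never-registered labels under the suffix. A zone that
    answers all of them with the same non-empty address set is a catch-all."""
    seen = set()
    for _ in range(probes):
        answers = tuple(sorted(resolve(f"{secrets.token_hex(6)}.{suffix}")))
        if not answers:
            return False
        seen.add(answers)
    return len(seen) == 1


# --- constructed sample data --------------------------------------------
def build_options(items: Sequence[Tuple[int, bytes]]) -> bytes:
    out = bytearray(MAGIC_COOKIE)
    for code, value in items:
        out += bytes([code, len(value)]) + value
    return bytes(out + b"\xff")


# A DHCPACK as a compromised server might send it: the resolver is still the
# ISP's own (assumed 10.0.0.2); only the suffix is rogue.
ROGUE_ACK = build_options([
    (OPT_MSG_TYPE, b"\x05"),
    (1, socket.inet_aton("255.255.255.0")),
    (3, socket.inet_aton("10.0.0.1")),
    (OPT_DNS_SERVERS, socket.inet_aton("10.0.0.2")),
    (OPT_DOMAIN_NAME, b"p5115.tdko.com"),
    (51, (86400).to_bytes(4, "big")),
])

HIJACK_ANSWERS = ["66.220.17.45", "66.220.17.46", "66.220.17.47"]


def hijacked_resolve(fqdn: str) -> List[str]:
    """Stand-in for the zone in the report: every name gets the same three addresses."""
    return list(HIJACK_ANSWERS) if fqdn.endswith(".p5115.tdko.com") else []


def honest_resolve(fqdn: str) -> List[str]:
    """Stand-in for a normal zone: unknown labels get NXDOMAIN (empty answer)."""
    return []


def demo() -> Dict[str, object]:
    opts = parse_dhcp_options(ROGUE_ACK)
    suffix = domain_name(opts)
    return {
        "suffix": suffix,
        "findings": audit_lease(opts, ["charter.example"], ["10.0.0.2"]),
        "mail_goes_to": hijacked_resolve(qualify("mail", suffix)),
        "wildcard": looks_like_wildcard(suffix, hijacked_resolve),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The audit only needs the lease, so it can run on the client before any name
is looked up; the wildcard probe needs network access and is the check to
run when the suffix is unfamiliar. Note that the resolver address in the
rogue lease is legitimate: the attack works because the ISP's honest
resolver faithfully follows the suffix into the attacker's zone.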

------------------------------

Date: Fri, 27 Jun 2003 08:36:17 -0700
From: "NewsScan" <newsscanat_private>
Subject: Wireless gives poorer nations chance to catch up ...

In a speech prepared for a UN conference on the social implications of
wireless communications technologies, UN Secretary-General Kofi Annan
declared that wireless Internet access has "a key role to play everywhere,
but especially in developing countries and countries with economies in
transition... It is precisely in places where no infrastructure exists that
Wi-Fi can be particularly effective, helping countries to leapfrog
generations of telecommunications technology and infrastructure and empower
their people." (Reuters, 26 Jun 2003)
http://asia.reuters.com/newsArticle.jhtml?type=internetNews&storyID=2998152

... But needs to be watched for security breaches

Using a laptop with a wireless card outside the main office of a Palo Alto,
California school district, a reporter was able to gain access to such data
as grades, home phone numbers and addresses, emergency medical information,
student photos, and psychological evaluations.  Unlike the majority of the
district's information, the documents available on this wireless network
were not password-protected.  Superintendent Mary Frances Callan says: "I
don't see this as such a huge news story." The real story, says Callan, is
the great progress represented by the network itself, which was made
possible by new software purchases, employee training sessions, and
technology-use policies. (*Palo Alto Weekly*, 25 Jun 2003)
http://www.paloaltoonline.com/paw/paonline/weekly/morgue/2003/2003_06_25.wire25.html

NewsScan Daily, 27 Jun 2003

------------------------------

Date: Mon, 23 Jun 2003 01:52:25 -0400
From: Monty Solomon <montyat_private>
Subject: Big sites hoard links

*Technology Research News*, 23 Jun 2003

The Internet is scale-free, meaning it is made up of a few nodes, or
servers, that have many links, and many nodes with only a few links.
It is also a small-world network -- you can get to any node via only a
few links among adjoining nodes.

University of London researchers have uncovered another clue about the
Internet's structure-the rich-club phenomenon. Large, well-connected
nodes have more links to each other than to smaller nodes, and smaller
nodes have more links to the larger nodes than to each other.  ...

http://www.technologyreview.com/articles/rnb_062303.asp
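
As an added illustration of the rich-club idea (not code or data from the
University of London study), the function below computes the rich-club
coefficient phi(k): take the nodes whose degree exceeds k and ask what
fraction of the possible links among them actually exist. The graph is
constructed, with three hubs wired to each other and five small nodes
hanging off them.

```python
"""Rich-club coefficient on a constructed graph. Added example, not data
from the study cited above."""
from itertools import combinations
from typing import Dict, Iterable, Optional, Set, Tuple


def adjacency(edges: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Undirected adjacency sets from an edge list."""
    adj: Dict[str, Set[str]] = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def rich_club_coefficient(edges: Iterable[Tuple[str, str]], k: int) -> Optional[float]:
    """phi(k) = E_k / (N_k * (N_k - 1) / 2), where N_k is the number of nodes
    with degree > k and E_k the number of links among them. None when fewer
    than two nodes qualify."""
    adj = adjacency(edges)
    club = sorted(n for n, nb in adj.items() if len(nb) > k)
    if len(club) < 2:
        return None
    present = sum(1 for a, b in combinations(club, 2) if b in adj[a])
    return present / (len(club) * (len(club) - 1) / 2)


def rich_club_curve(edges: Iterable[Tuple[str, str]]) -> Dict[int, float]:
    """phi(k) for every k from 0 up to one below the maximum degree."""
    edges = list(edges)
    max_degree = max(len(nb) for nb in adjacency(edges).values())
    curve: Dict[int, float] = {}
    for k in range(max_degree):
        phi = rich_club_coefficient(edges, k)
        if phi is not None:
            curve[k] = phi
    return curve


# Constructed graph: hubs A, B, C are fully interconnected; d, e, f, g, h
# are small nodes attached to the hubs.
EDGES = [("A", "B"), ("A", "C"), ("A", "d"), ("A", "e"), ("A", "f"),
         ("B", "C"), ("B", "f"), ("B", "g"), ("B", "h"), ("C", "h")]

if __name__ == "__main__":
    for k, phi in rich_club_curve(EDGES).items():
        print(f"phi({k}) = {phi:.3f}")
```

A curve that rises towards 1 as k grows, as it does here, is the rich-club
signature: the better-connected the nodes, the denser the links among them.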

------------------------------

Date: Mon, 23 Jun 2003 12:26:42 +1200
From: John Elsbury <john.elsburyat_private>
Subject: Crossing Dateline a navigational risk

> Late last week a twin-engined aircraft on a delivery flight from Samoa to
> New Zealand - a course a few degrees west of south - missed NZ due to a
> navigational error and had to be rescued after they set off their ELB.
> They had ended up a long way to the east of New Zealand and, fortunately,
> had enough fuel to get to an airport once they had been located by  a
> samaritan flight.
> 
> The reported cause was "When they crossed the Date Line, they should have
> reconfigured the navigation computer for Western Hemisphere coordinates
> but did not do so".   It seems, then, that on crossing the date line (a
> fair distance north of NZ)  they started heading as many degrees east of
> south as they had hitherto been flying west of south - at least, it looks
> that way on the map.
> 
> They were in bad weather, so I can understand not noticing a fairly sudden
> change in the relative locations of the moon and stars - but that, surely,
> ought to have shown up on the magnetic compass?
> 
> Regards
> John Elsbury
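
Added example, not part of John Elsbury's message or the accident report:
the calculation below works the navigation error through. From an assumed
position just past the 180th meridian (25 S, 179 E) it computes the initial
great-circle course to Auckland with the destination longitude signed
correctly (174.76 E) and then with the same digits read as a west
longitude (174.76 W), and measures how far the mis-signed waypoint lies
from the real airport. The aircraft position is an assumption and the
airport coordinates are approximate.

```python
"""Great-circle course to Auckland with the destination longitude signed
correctly and then mis-signed as west longitude. Added example; the
aircraft position is assumed and the coordinates are approximate."""
import math

EARTH_RADIUS_KM = 6371.0

AIRCRAFT = (-25.0, 179.0)                # assumed: 25 S, 179 E, just past 180
AUCKLAND = (-36.85, 174.76)              # approx. 36.85 S, 174.76 E
AUCKLAND_MIS_SIGNED = (-36.85, -174.76)  # same digits read as 174.76 W


def wrap_lon(deg: float) -> float:
    """Wrap a longitude difference into [-180, 180) so that crossing the
    180th meridian does not turn a 6-degree gap into a 354-degree one."""
    return ((deg + 180.0) % 360.0) - 180.0


def initial_bearing(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Initial great-circle bearing, degrees clockwise from true north."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dl = math.radians(wrap_lon(lon2 - lon1))
    x = math.sin(dl) * math.cos(p2)
    y = math.cos(p1) * math.sin(p2) - math.sin(p1) * math.cos(p2) * math.cos(dl)
    return math.degrees(math.atan2(x, y)) % 360.0


def distance_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Haversine great-circle distance."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dl = math.radians(wrap_lon(lon2 - lon1))
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2.0 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def off_south(bearing: float) -> str:
    """Describe a southerly bearing as degrees east or west of south."""
    d = bearing - 180.0
    return f"{abs(d):.1f} deg {'west' if d > 0 else 'east'} of south"


def compare_courses() -> dict:
    lat1, lon1 = AIRCRAFT
    return {
        "correct_bearing": initial_bearing(lat1, lon1, *AUCKLAND),
        "mis_signed_bearing": initial_bearing(lat1, lon1, *AUCKLAND_MIS_SIGNED),
        # how far the mis-signed waypoint lies from the real airport
        "miss_km": distance_km(*AUCKLAND, *AUCKLAND_MIS_SIGNED),
    }


if __name__ == "__main__":
    r = compare_courses()
    print("correct course:    %.1f (%s)" % (r["correct_bearing"], off_south(r["correct_bearing"])))
    print("mis-signed course: %.1f (%s)" % (r["mis_signed_bearing"], off_south(r["mis_signed_bearing"])))
    print("mis-signed waypoint is %.0f km from Auckland" % r["miss_km"])
```

From that position the correct course is about 16 degrees west of south and
the mis-signed one about 23 degrees east of south, and the false waypoint
sits roughly 930 km east of Auckland, out over open ocean. A sign flip in
one coordinate is enough to turn a landfall into a search-and-rescue.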

------------------------------

Date: Sun, 22 Jun 2003 11:29:52 -0400 (EDT)
From: David Lesher <wb8fozat_private>
Subject: More erroneous arrests over erroneous ATM clocks (RISKS-22.76)

  <http://www.washingtonpost.com/wp-dyn/articles/A19633-2003Jun21.html?nav=hptop_tb>

By Ruben Castaneda, *The Washington Post*, 22 Jun 2003; Page A01

For nearly a year after Denise Mansfield was strangled in her Prince
George's County home last June, police focused their investigation on
three female suspects whose identities were a mystery. A surveillance
camera videotaped them getting cash from an automated teller machine
where Mansfield's missing debit card was used after her slaying. The
time of the withdrawal from the dead woman's account, recorded by a
bank computer, corresponded to the times stamped on the ATM video of
the suspects.  ...  A SunTrust Bank spokesman declined to comment on
the time discrepancy. But Fredrik Nilsson, director of business
development for Axis Cameras, which provides video surveillance
systems to business and government agencies, said most bank cameras
are not synchronized with ATM transactions. The times are set
separately and can be off by a few minutes, or even an hour if someone
forgets to reset them for daylight saving time, Nilsson said.

{and ANOTHER group of victims...but low-tech}

The arrests of the three Arizona residents were not the only ones to
result from the wrong ATM pictures. Last winter, police charged a pair
of sisters from the District with murdering Mansfield after a third
sister misidentified them in the surveillance images, which were
published in The Post and shown on local TV newscasts. The two were
jailed for several weeks, until DNA tests exonerated one of them and
the other proved that she had been away on a business trip when the
killing occurred.

 - - - - -

This was not the District (RISKS-22.76), rather adjacent Prince
Georges County, but the behaviour of the authorities seems virtually
identical.  [PG is ...noted.. for officer shootings of suspects and
unwitnessed confessions, later found untenable. There were allegedly
going to be locked cameras installed in the interrogation rooms but I
see no mention of same.]

In both cases, there was available evidence that the accused had a
legitimate reason to be at the ATM. Yet the bank/police did not even
LOOK at adjacent transactions in the ATM log? (That would have ID'ed
the AZ women immediately.) This after the publicity over the DC
mis-identification???

The RISK here is not just faulty timestamps, but faulty analysis of
them, and lack of critical thinking by supposedly-expert
investigators, and the prosecutors on the case.

When dangled a "high-tech" bone, Officer McGruff grabbed the bone and
ran, without worrying about other details. Given the growing number of
cameras recording our every move, the concept that mere presence near
the time of a crime is sufficient to establish guilt unless proven
innocent, is downright scary.
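
As an added example (not from the Post article or David Lesher's message),
the code below does the analysis the contributor says was missing. It
estimates the offset between a bank's transaction clock and an ATM
camera's clock from the two timestamp sequences themselves, then matches
the transaction of interest to a frame using that offset rather than
trusting either clock, and lists the adjacent transactions whose
cardholders could corroborate the match. The transaction log, the frame
index and the one-hour daylight-saving error are constructed.

```python
"""Estimate the offset between a bank's transaction clock and an ATM
camera's clock, then match a transaction to a frame. Added example; the
log, the frame index and the clock error are constructed."""
from datetime import datetime, timedelta
from statistics import median
from typing import List, Optional, Sequence, Tuple


def ts(hhmmss: str) -> datetime:
    """Constructed timestamps, all on one arbitrary day."""
    return datetime.strptime("2002-06-15 " + hhmmss, "%Y-%m-%d %H:%M:%S")


# Bank-side log: (card, time on the bank's clock). The victim's card is the
# fifth entry; the cardholders on either side are ordinary customers.
TRANSACTIONS: List[Tuple[str, datetime]] = [
    ("card-A", ts("13:46:00")), ("card-B", ts("14:02:00")), ("card-C", ts("14:10:00")),
    ("card-D", ts("14:31:00")), ("victim", ts("14:47:00")), ("card-E", ts("15:05:00")),
    ("card-F", ts("15:20:00")),
]
# Camera index: one frame per person at the machine. The camera clock was
# never set back for daylight saving, so it runs an hour ahead, plus a few
# seconds of drift per event.
FRAMES: List[datetime] = [
    ts("14:46:10"), ts("15:02:12"), ts("15:09:52"), ts("15:31:20"),
    ts("15:47:05"), ts("16:04:45"), ts("16:20:09"),
]


def estimate_offset_s(tx_times: Sequence[datetime], frame_times: Sequence[datetime],
                      tol_s: float = 90.0) -> float:
    """Camera clock minus bank clock, in seconds. Every pairwise difference
    is a candidate offset; the candidate that pairs up the most transactions
    within tol_s wins, and the median of its pairs refines it. Assumes most
    transactions have a frame, which is what an ATM camera should provide."""
    def pairs_for(cand: float) -> List[float]:
        found = []
        for tx in tx_times:
            diffs = [(f - tx).total_seconds() for f in frame_times]
            best = min(diffs, key=lambda d: abs(d - cand))
            if abs(best - cand) <= tol_s:
                found.append(best)
        return found

    candidates = {(f - tx).total_seconds() for tx in tx_times for f in frame_times}
    best = max(sorted(candidates), key=lambda c: len(pairs_for(c)))
    return float(median(pairs_for(best)))


def match_frame(tx_time: datetime, frame_times: Sequence[datetime], offset_s: float,
                tol_s: float = 90.0) -> Optional[datetime]:
    """Frame nearest to the transaction once the offset is applied, or None."""
    target = tx_time + timedelta(seconds=offset_s)
    nearest = min(frame_times, key=lambda f: abs((f - target).total_seconds()))
    return nearest if abs((nearest - target).total_seconds()) <= tol_s else None


def neighbours(log: Sequence[Tuple[str, datetime]], idx: int) -> List[Tuple[str, datetime]]:
    """The transactions immediately before and after the one of interest:
    the cardholders whose presence would corroborate or contradict a match."""
    return list(log[max(0, idx - 1):idx]) + list(log[idx + 1:idx + 2])


def investigate(card: str) -> dict:
    idx = next(i for i, (c, _) in enumerate(TRANSACTIONS) if c == card)
    tx_time = TRANSACTIONS[idx][1]
    offset = estimate_offset_s([tm for _, tm in TRANSACTIONS], FRAMES)
    return {
        "naive_frame": match_frame(tx_time, FRAMES, 0.0),   # trusts both clocks
        "offset_s": offset,
        "corrected_frame": match_frame(tx_time, FRAMES, offset),
        "neighbours": [c for c, _ in neighbours(TRANSACTIONS, idx)],
    }


if __name__ == "__main__":
    for key, val in investigate("victim").items():
        print(f"{key}: {val}")
```

Trusting the two clocks as if they agreed picks the 14:46:10 frame, which
is the customer who used card-A an hour earlier; estimating the offset
from the data puts the victim's card at the 15:47:05 frame. Either way, the
cardholders on card-D and card-E are the people to ask before anyone is
charged.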

------------------------------

Date: Wed, 25 Jun 2003 10:35:56 +0200
From: "Peter B. Ladkin" <ladkinat_private-bielefeld.de>
Subject: Re: Soyuz landing problem caused by software? (Bellovin, Risks 22.74)

In RISKS-22.74, Steve Bellovin summarised an article by James Oberg on
the Soyuz TMA-1 ballistic reentry on 4 May, 2003. The Oberg article
also raised questions of human error.

According to the article "Soyuz probe reveals human errors" by Tim
Furniss in Flight International, 17-23 June, 2003, p39, the ballistic
reentry was caused by a failure in the Busp-M guidance system that
controls the normal reentry. Busp-M reads data from gyroscopes and
accelerometers and outputs commands to the attitude control
system. The yaw control channel "produced undefined readings
indicating a malfunction", which resulted in Busp being taken off-line
by supervisory control, which switched to ballistic reentry.  Busp had
performed 49 "flawless" reentries since 1979. The article does not say
what caused the "undefined readings".

The human errors were unrelated. The crew switched on the Kurs
rendezvous-docking system by mistake during reentry; failed to inform
search aircraft that they were performing a ballistic reentry; and
made mistakes in landing procedures.

An earlier *Flight International* article, 3-9 June 2003, p26,
reported the change to ballistic reentry as having been caused by a
"faulty gyroscope switch".

Peter B. Ladkin, University of Bielefeld, Germany
http://www.rvs.uni-bielefeld.de

------------------------------

Date: Thu, 19 Jun 2003 20:12:37 -0400
From: "Jay R. Ashworth" <jraat_private>
Subject: Virgin Mobile makes the oldest mistake in the book

My sister got a new cellphone the other day.  From Virgin Mobile,
though they're reselling SprintPCS's airtime.

The e-mail that she got read like this:

  - ----- Forwarded message follows -------
Date sent: Thu, 19 Jun 2003 04:19:29 -0700 (PDT)
From:      ourteamat_private
To:        nobodyat_private
Subject:   Virgin Mobile - Your Cell Number and phone programming instructions

Hi CINDY,

Ready for this? 

Your Virgin Mobile Phone Number: (727) 123-4567 
Your Virgin Mobile Phone's Network ID: 007271234567

(Give your friends your phone number, but keep the super secret Network ID
to yourself, you might need it to program your phone… this message may
self-destruct.) 

[ lots of administrivia elided ]

Welcome to Virgin Mobile - It doesn't get any easier than this!

Enjoy!

Virgin Mobile USA

If you need to contact us, please call Central Intelligence on (888)
322-1122 or *VM from your Virgin Mobile cell phone, alternatively visit us
at www.virginmobileusa.com

 - ------ End of forwarded message -------

So, did everyone notice the format and contents of that "super secret
Network ID"?  I've modified it, of course, for this message, but yes,
they're the same.  Central *Intelligence*?  Guess it's just as much of
an oxymoron here...

Does anyone know Richard Branson's cell phone number?

Jay R. Ashworth, Baylink, The Suncoast Freenet, Tampa Bay, Florida
http://baylink.pitas.com  +1 727 647 1274  jraat_private

------------------------------

Date: Wed, 25 Jun 2003 13:28:49 +1000
From: Geoffrey Brent <g.brentat_private>
Subject: PayPal fraud, and the importance of grammar

In the last four days I've received four e-mail messages purporting to
be from PayPal:

  "Your (sic) As part of our continuing commitment to protect your account 
  and to reduce the instance (sic) of fraud on our Web site, we are 
  undertaking a period (sic) review of our member accounts. You are 
  requested to visit our site by following the link given below."

The link is the clickable text 

"https://www.paypal.com/cgi-bin/webscr?cmd=verification 
<http://www.paypal.comat_private/
  %7Eredbarpr/cgi-bin/webscr%3fcmd=verification/>", 
but hovering over it and looking at the URL this produces shows that the 
actual link is 

http://www.paypal.comat_private/~redbarpr/cgi-bin/webscr%3fcmd=verification

Something that could very easily be mistaken for a legitimate PayPal 
site, no doubt set up to steal account details.

I think a very similar fraud has been reported on RISKS before, but the 
text illustrates an interesting point - even when the *technical* side 
of a scam is well-concealed, frauds often give themselves away by other 
signs - in this case, a poor grasp of the language. The flip-side to 
this is that legitimate businesses do well to maintain high standards of 
presentation, because it makes it easier to distinguish them from most 
scammers.
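
The technical half of the scam above is the "user@host" trick: in
http://www.paypal.com@host/... everything before the "@" is userinfo and
the browser connects to host. Added example, not code from the original
message: the script below pulls every link out of an HTML mail body and
reports where the visible text and the real target disagree. The mail body
is constructed, and phish.example.net stands in for the host the quoted
message redacts.

```python
"""Compare the text a mail shows for a link with where the link really
goes. Added example; the HTML body is constructed and phish.example.net is
a placeholder for the redacted host."""
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit


def link_findings(display_text: str, href: str) -> List[str]:
    """Ways in which the visible link text misrepresents the real target."""
    shown = urlsplit(display_text.strip())
    real = urlsplit(href.strip())
    shown_host = (shown.hostname or "").lower()
    real_host = (real.hostname or "").lower()
    findings: List[str] = []
    # urlsplit separates userinfo from the host, so the lookalike prefix
    # shows up as .username and the real destination as .hostname.
    if real.username is not None:
        findings.append(f"userinfo {real.username!r} precedes the real host {real_host}")
    if shown_host and shown_host != real_host:
        findings.append(f"text shows {shown_host} but link goes to {real_host}")
    if shown.scheme == "https" and real.scheme != "https":
        findings.append(f"text shows https but link uses {real.scheme or 'no scheme'}")
    return findings


class AnchorCollector(HTMLParser):
    """Collect (visible text, href) for every <a> in an HTML mail body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def audit_html(body: str) -> List[Tuple[str, str, List[str]]]:
    """(text, href, findings) for every link in the body."""
    parser = AnchorCollector()
    parser.feed(body)
    return [(text, href, link_findings(text, href)) for text, href in parser.links]


# Constructed mail body modelled on the message quoted above.
MAIL_BODY = """<p>You are requested to visit our site by following the link below.</p>
<p><a href="http://www.paypal.com@phish.example.net/~redbarpr/cgi-bin/webscr%3fcmd=verification">https://www.paypal.com/cgi-bin/webscr?cmd=verification</a></p>
<p><a href="https://www.paypal.com/help">Help</a></p>"""

if __name__ == "__main__":
    for text, href, findings in audit_html(MAIL_BODY):
        print(f"{text!r} -> {href}")
        for f in findings:
            print("   ", f)
```

Hovering over the link, as the contributor did, is the manual version of
the same comparison; the scheme downgrade from https to http is a second
tell that survives even when the host is well disguised.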

------------------------------

Date: Sun, 22 Jun 2003 01:49:33 -0400
From: Monty Solomon <montyat_private>
Subject: When spam filters go bad

Trying to block junk mail, my cable modem company installed a system 
that prevented me from getting my REAL mail -- and when I complained, 
insisted it was all for the good of the System.

- - - - - - - - - - - -
By Laura Miller, 19 Jun 2003

"The equivalent of treating dandruff by decapitation": That's what
Frank Zappa, testifying before a Senate committee in 1985, called the
censorship plans of the Parents Music Resource Center. In the annals
of overreaction, draconian measures tend to spring from mind-muddling
passions -- in the case of the PMRC, parental desire to protect the
young from nastiness. But when it comes to passion, even our darkest,
most primal instincts can hardly compare to the raw fury that people
have come to feel toward spam. So e-mail users, beware: It's time to
watch your head. I can testify from personal experience that the cure
has finally become worse than the disease.

In June, the company that provides my cable modem service, Road
Runner, installed a superaggressive new set of spam blockers on its
e-mail servers. Late in the first day of the blockers' activation, I
suddenly noticed that I hadn't gotten any e-mail at all in nearly
three hours. No e-mail from Salon colleagues or from friends and, most
puzzling of all, no e-mail from the editor at the New York Times with
whom I'd been corresponding all morning about a freelance piece I was
writing for her. I gave her a call.  ...

http://www.salon.com/tech/feature/2003/06/19/spamblockers/

------------------------------

Date: Thu, 19 Jun 2003 10:52:36 -0400
From: "Robert Ellis Smith" <ellis84at_private>
Subject: New State Laws on Privacy

Privacy Journal has published the latest supplement to its "Compilation of
State and Federal Privacy Laws," showing a huge increase in state anti-spam
laws and do-not-call telemarketing laws. A total of 34 states have passed
new laws limiting bulk electronic-mail advertising, according to Privacy
Journal's new listing, which includes a description and legal citation for
each law. Most states require that "spam" be labeled as advertising and
provide a means to get off an e-mail ad list. Other laws are more stringent,
making some "spam" a crime or requiring an advertiser to consult a
do-not-e-mail list maintained by the state.

The Compilation of State and Federal Privacy Laws 2003 Supplement lists
26 state laws requiring telemarketers to consult a state-maintained
do-not-call list. Some state lists will be merged with a new federal
database beginning in late summer this year.

The book and 2003 supplement are available for $31 plus $4 handling from
Privacy Journal, PO Box 28577, Providence RI 02908, 401/274-7861, fax
401/274-4747, privacyjournalat_private, www.privacyjournal.net. The 2003
supplement alone costs $21 plus $4.

For three years, only the three states with the most intense Internet
activity - California, Virginia, and Washington - had anti-spam laws, but
now nearly three-quarters of the states have enacted some limits.

------------------------------

Date: Fri, 27 Jun 2003 20:33:26 -0400
From: Monty Solomon <montyat_private>
Subject: Secure Coding

Secure Coding: Principles & Practices

By Mark G. Graff, Kenneth R. van Wyk
June 2003 
0-596-00242-4, Order Number: 2424
224 pages, $29.95 US, $46.95 CA, £20.95 UK

Despite their myriad manifestations and different targets, nearly all
attacks on computer systems have one fundamental cause: the code used
to run far too many systems today is not secure. Flaws in its design,
implementation, testing, and operations allow attackers all-too-easy
access. Secure Coding: Principles & Practices looks at the problem of
bad code in a new way. Packed with advice based on the authors'
decades of experience in the computer security field, this concise and
highly readable book explains why so much code today is filled with
vulnerabilities, and tells readers what they must do to avoid writing
code that can be exploited by attackers.

http://www.oreilly.com/catalog/securecdng/
http://www.oreilly.com/catalog/securecdng/desc.html

------------------------------

Date: 30 May 2003 (LAST-MODIFIED)
From: RISKS-requestat_private
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  Alternatively, via majordomo,
 send e-mail requests to <risks-requestat_private> with one-line body
   subscribe [OR unsubscribe]
 which requires your ANSWERing confirmation to majordomoat_private .
 If Majordomo balks when you send your accept, please forward to risks.
 [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
 this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
 Lower-case only in address may get around a confirmation match glitch.
   INFO     [for unabridged version of RISKS information]
 There seems to be an occasional glitch in the confirmation process, in which
 case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
   .UK users should contact <Lindsay.Marshallat_private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative 
 address from which you NEVER send mail!
=> The INFO file (submissions, default disclaimers, archive sites,
 copyright policy, PRIVACY digests, etc.) is also obtainable from
 http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues.  *** All
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risksat_private with meaningful SUBJECT: line.
=> ARCHIVES: http://www.sri.com/risks
 http://www.risks.org redirects you to the Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue]
   Lindsay has also added to the Newcastle catless site a palmtop version 
   of the most recent RISKS issue and a WAP version that works for many but 
   not all telephones: http://catless.ncl.ac.uk/w/r
 http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
 http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    http://www.csl.sri.com/illustrative.html for browsing,
    http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 22.78
************************