[risks] Risks Digest 22.84

From: RISKS List Owner (riskoat_private)
Date: Mon Aug 11 2003 - 15:06:02 PDT

    RISKS-LIST: Risks-Forum Digest  Monday 11 August 2003  Volume 22 : Issue 84
    
       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
    
    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at http://www.risks.org as
      http://catless.ncl.ac.uk/Risks/22.84.html
    The current issue can be found at
      http://www.csl.sri.com/users/risko/risks.txt
    
      Contents:
    Identity Crisis, article by Robert O'Harrow Jr. (PGN)
    Man proves he was victimized by network vandals (NewsScan)
    Dutch price index wrong due to software error (Erling Kristiansen)
    Worker deletes herself out of job (M Taylor)
    UCITA support fading fast (NewsScan)
    Judge throws out RIAA subpoenas (NewsScan)
    Who profits from spam? Surprise! (Bob Sullivan via Monty Solomon)
    Ticketmaster privacy policy slammed (Paul Festa via Monty Solomon)
    Hacker gets Acxiom customer information (Caryn Rousseau via Monty Solomon)
    Acxiom's FTP Server compromised by /now former/ client (Randy Holcomb)
    Software patching gets automated (William Jackson via Lillie Coney)
    How many Windows crashes occur in a year? (John Dvorak via Monty Solomon)
    Company's error sends customers to Massachusetts adult phone line
      (Monty Solomon)
    University library catalogue + security (Richard A. O'Keefe)
    GenCon Registration Woes Blamed on Computer Network (Allan Goodall)
    Re: Metadata in Photoshop files (Sidney Markowitz)
    Re: New online futures market bets on next White House scandal 
      (Stephen R. Holmes)
    Re: Software violates stock ownership limits (John R. Levine)
    Abridged info on RISKS (comp.risks)
    
    ----------------------------------------------------------------------
    
    Date: Sat, 9 Aug 2003 11:33:27 PDT
    From: "Peter G. Neumann" <neumannat_private>
    Subject: Identity Crisis, article by Robert O'Harrow Jr.
    
    *The Washington Post Magazine* Cover Story:
    Identity Crisis, by Robert O'Harrow Jr.
    http://www.washingtonpost.com/wp-dyn/articles/A25358-2003Aug6.html
    
    Caption on pair of photos:
    LEFT: 
    Meet Michael Berry: political activist, cancer survivor, creditor's dream.  
    RIGHT:
    Meet Michael Berry: scam artist, killer, the real Michael Berry's worst 
    nightmare ...
    
      [This is an extraordinary article.  MUST READING for all of us
      victims-in-waiting.  PLEASE dig it out while it is still on-line.  PGN]
    
    ------------------------------
    
    Date: Mon, 11 Aug 2003 09:16:20 -0700
    From: "NewsScan" <newsscanat_private>
    Subject: Man proves he was victimized by network vandals
    
    In the U.K., a man has been acquitted in Exeter Crown Court after
    successfully arguing that child pornography found on his personal computer
    had been placed there without his knowledge by network vandals who had used
    a "Trojan horse" program to infect his machine. The case creates two
    worries: one, that actual child pornographers now have a new alibi that
    would be difficult to disprove; two, that innocent Web surfers might find
    themselves charged with possessing illegal material planted on their
    computers by malicious invaders. Former U.S. federal computer crime
    prosecutor Mark Rasch says, "The scary thing is not that the defense might
    work. The scary thing is that the defense might be right. The nightmare
    scenario is somebody might go to jail for something he didn't do because he
    was set up."  [*The New York Times*, 11 Aug 2003; NewsScan Daily, 11 Aug
    2003] http://partners.nytimes.com/2003/08/11/technology/11PORN.html
    
    ------------------------------
    
    Date: Thu, 07 Aug 2003 22:13:23 +0200
    From: Erling Kristiansen <erling.kristiansenat_private>
    Subject: Dutch price index wrong due to software error
    
    The Dutch Central Bureau of Statistics (CBS) published an incorrect price
    index due to "an error in a computer program", according to the newspaper
    Trouw (7 August). The published index was too high by "a few tenths of a
    percent". No further explanation is given as to the nature of the error, why
    it was not discovered before publication, or how it was discovered later.
    
    This may have an impact on salary adjustments as well as pensions and
    various social benefits that are linked to the inflation rate.
    
    This is yet another example of how dependent we have become on "the computer
    says so, so it must be right". A few tenths of a percent on a country-wide
    basis, even in a small country, adds up to a lot of money.
    
    ------------------------------
    
    Date: Thu, 7 Aug 2003 21:31:17 +0100
    From: M Taylor <mctaylorat_private>
    Subject: Worker deletes herself out of job
    
    A Nova Scotia [Canada] government employee has been fired for deleting her 
    own speeding ticket from a computer database. ... The unidentified woman will 
    not face criminal charges.
    
    Now the kicker is she was found by an audit conducted after another employee
    had also altered entries in the database of driver's records.  Why can
    people delete records from such a database?  Shouldn't it operate like the
    accountant's double-entry ledger?  Where mistakes are not deleted, but a
    correction entry is appended.
    
    http://novascotia.cbc.ca/regional/servlet/View?filename=ns_firedwork20030806
    
    M Taylor  http://www.mctaylor.com/
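
    The append-only ledger the post above asks about, as an added sketch
    that is not part of the original message and not the Nova Scotia system.
    It assumes SQLite; the table, column, clerk and ticket names are
    hypothetical and the sample entries are constructed.

```python
import sqlite3

# Constructed schema for illustration; all names here are hypothetical.
# Triggers refuse UPDATE and DELETE, so a mistake can only be fixed by
# appending a CORRECT or VOID entry that names the clerk and the reason.
# Assumption: the application's database account cannot drop triggers.
SCHEMA = """
CREATE TABLE ticket_ledger (
    entry_id   INTEGER PRIMARY KEY AUTOINCREMENT,
    ticket_no  TEXT    NOT NULL,
    action     TEXT    NOT NULL CHECK (action IN ('ISSUE', 'CORRECT', 'VOID')),
    driver     TEXT,               -- recorded on the ISSUE entry only
    fine_cents INTEGER NOT NULL,
    clerk      TEXT    NOT NULL,   -- who made this entry
    reason     TEXT    NOT NULL,
    CHECK ((action = 'ISSUE') = (driver IS NOT NULL))
);
CREATE TRIGGER ledger_no_update BEFORE UPDATE ON ticket_ledger
BEGIN SELECT RAISE(ABORT, 'ledger is append-only: UPDATE refused'); END;
CREATE TRIGGER ledger_no_delete BEFORE DELETE ON ticket_ledger
BEGIN SELECT RAISE(ABORT, 'ledger is append-only: DELETE refused'); END;
"""


def open_ledger():
    """Create an in-memory ledger with the append-only triggers installed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def append_entry(conn, ticket_no, action, fine_cents, clerk, reason, driver=None):
    """Append one entry and return its entry_id."""
    cur = conn.execute(
        "INSERT INTO ticket_ledger"
        " (ticket_no, action, driver, fine_cents, clerk, reason)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        (ticket_no, action, driver, fine_cents, clerk, reason))
    conn.commit()
    return cur.lastrowid


def attempt(conn, sql, params=()):
    """Run a statement; return the refusal message, or None if it succeeded."""
    try:
        conn.execute(sql, params)
        conn.commit()
        return None
    except sqlite3.DatabaseError as exc:
        conn.rollback()
        return str(exc)


def current_state(conn, ticket_no):
    """The latest entry wins: returns (action, fine_cents) for a ticket."""
    return conn.execute(
        "SELECT action, fine_cents FROM ticket_ledger WHERE ticket_no = ?"
        " ORDER BY entry_id DESC LIMIT 1", (ticket_no,)).fetchone()


def self_service_entries(conn):
    """Audit query: corrections or voids entered by the ticketed driver."""
    return conn.execute(
        "SELECT c.entry_id, c.ticket_no, c.clerk, c.action"
        " FROM ticket_ledger AS c JOIN ticket_ledger AS i"
        "   ON i.ticket_no = c.ticket_no AND i.action = 'ISSUE'"
        " WHERE c.action <> 'ISSUE' AND c.clerk = i.driver"
        " ORDER BY c.entry_id").fetchall()


def demo():
    """Constructed scenario: one honest correction, one self-serving void."""
    conn = open_ledger()
    append_entry(conn, "T-1001", "ISSUE", 15000, "officer_a", "speeding",
                 driver="clerk_b")
    append_entry(conn, "T-1002", "ISSUE", 9000, "officer_a", "speeding",
                 driver="driver_c")
    # A genuine mistake is fixed by appending, not by editing entry 2.
    append_entry(conn, "T-1002", "CORRECT", 7500, "clerk_d",
                 "fine entered at wrong rate")
    # Deleting the record outright is refused by the trigger.
    refused = attempt(conn, "DELETE FROM ticket_ledger WHERE ticket_no = ?",
                      ("T-1001",))
    # Voiding it is possible, but leaves a signed entry for the audit.
    append_entry(conn, "T-1001", "VOID", 0, "clerk_b", "entered in error")
    return conn, refused


if __name__ == "__main__":
    ledger, message = demo()
    print(message)
    print(self_service_entries(ledger))
```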
    
    ------------------------------
    
    Date: Fri, 08 Aug 2003 11:08:16 -0700
    From: "NewsScan" <newsscanat_private>
    Subject: UCITA support fading fast
    
    Key backers of the Uniform Computer Information Transactions Act (UCITA)
    have bowed to pressure from opposition groups and will stop lobbying for the
    bill's passage. The bill was intended to protect software developers from
    intellectual property theft by bringing into conformity conflicting software
    licensing laws in various states, but critics, including the American Bar
    Association and the American Library Association, said the legislation would
    grant software makers too much power over their products at the expense of
    consumers. So far, UCITA has been enacted in only two states, Maryland and
    Virginia, and now that the effort has lost the support of the National
    Conference of Commissioners on Uniform State Laws (NCCUSL), UCITA is
    unlikely to gain further consideration from other states, says an NCCUSL
    spokeswoman. Opponents of the bill commended NCCUSL for its decision: "It is
    heartening to see NCCUSL backing away from a very flawed statute, but it
    will never be able to write sound law for the information economy until it
    takes to heart the criticisms of the user sector," said Jean Braucher, a law
    professor at the University of Arizona and a member of AFFECT -- Americans
    For Fair Electronic Commerce Transactions.  [CNet News.com 7 Aug 2003;
    NewsScan Daily, 8 August 2003]
    
    http://news.com.com/2100-1028_3-5061061.html?tag=fd_top
    
    ------------------------------
    
    Date: Mon, 11 Aug 2003 09:16:20 -0700
    From: "NewsScan" <newsscanat_private>
    Subject: Judge throws out RIAA subpoenas
    
    A federal judge in Boston has rejected subpoenas filed by the Recording
    Industry Association of America last month as part of its nationwide
    crackdown on digital music file-sharing. The subpoenas targeted students at
    Boston College and the Massachusetts Institute of Technology who used
    various screen names to share songs online. In his ruling, Judge Joseph L.
    Tauro said that under federal rules, subpoenas issued in Washington cannot
    be served in Massachusetts. The RIAA called the ruling "a minor procedural
    issue" but declined to say whether it would refile in Boston.  [AP 8 Aug
    2003; NewsScan Daily, 11 Aug 2003]
      http://apnews.excite.com/article/20030809/D7SQ5LC80.html
    
    ------------------------------
    
    Date: Sun, 10 Aug 2003 12:27:27 -0400
    From: Monty Solomon <montyat_private>
    Subject: Who profits from spam? Surprise! (Bob Sullivan)
    
    Many companies with names you know are benefiting
    Bob Sullivan, MSNBC, 8 Aug 2003
    
    There wouldn't be spam if there wasn't money in spam. So to understand what
    primes the spam economy, MSNBC.com answered a single unsolicited commercial
    e-mail. Following this one spam trail led us from Alabama to Argentina, from
    a tiny Birmingham-based firm and someone named "Erp" past a notorious
    spammer named Super-Zonda - and right through big-name companies like
    Ameriquest, Quicken, and LoanWeb. And that's just the beginning. The truth
    about spam is this: While the dirty work is done by secretive, faceless
    computer jockeys who are constantly evading authorities, lots of companies
    with names you know profit, at least tangentially, from their efforts.  ...
      http://www.msnbc.com/news/940490.asp
    
    ------------------------------
    
    Date: Fri, 8 Aug 2003 01:30:04 -0400
    From: Monty Solomon <montyat_private>
    Subject: Ticketmaster privacy policy slammed (Paul Festa)
    
    By Paul Festa, CNET News.com, 6 Aug 2003
    
    People buying tickets online through Ticketmaster may be surprised to find
    themselves receiving spam as an encore.  The ticket service, which holds a
    lock on advance ticket sales for most major entertainment events, is taking
    heat from consumers for a privacy policy that does not let online ticket
    buyers opt out of receiving e-mail pitches from an event's producers and
    other businesses associated with it.  That, Ticketmaster critics say, means
    that the company has made receiving spam part of the price of admission.
    
    "I have only bought a single ticket from Ticketmaster, many years ago,"
    wrote one customer on an online discussion board devoted to the privacy
    policy. "Since that purchase, I have received tons of 'targeted' e-mail
    personalized with my full name, the city, etc...For now, I do everything I
    can to avoid ticket purchases from Ticketmaster (and have been successful)."
    
    The Ticketmaster privacy policy under fire states that customers may "opt
    out" of getting e-mail from Ticketmaster itself, but cannot refuse to share
    their personal information with "event partners" -- defined as "the venues,
    promoters, artists, teams, leagues and other third parties associated with
    that concert, game or other event."  ...
      http://news.com.com/2100-1026-5060827.html
    
    ------------------------------
    
    Date: Fri, 8 Aug 2003 02:20:18 -0400
    From: Monty Solomon <montyat_private>
    Subject: Hacker gets Acxiom customer information (Caryn Rousseau)
    
    By Caryn Rousseau, Associated Press, 7 Aug 2003
    
    A computer hacker gained access to private files at Acxiom Corp., one of the
    world's largest consumer database companies, and was able to download
    sensitive information about some customers of the company's clients, the
    company said Thursday.  "The data on the servers was a wide variety of
    information, some of which was personal, some of which was not," Jennifer
    Barrett, the company's chief privacy officer, said in an interview with The
    Associated Press on Thursday. The AP was notified of the intrusion by an
    anonymous caller who would not identify himself or his connection with the
    company.  Barrett said the company did not know about the breach until a law
    enforcement agency from Ohio contacted it last week.  Barrett said both the
    hacker and the stolen information are in police custody. She said about 10
    percent of the company's customers were affected and that, "it would include
    some of our larger customers."  ...
      http://finance.lycos.com/home/news/story.asp?story=35190673
    
    ------------------------------
    
    Date: Fri, 8 Aug 2003 21:31:18 -0500
    From: "Randy Holcomb" <rholcombat_private>
    Subject: Acxiom's FTP Server compromised by /now former/ client
    
    "... The breach involved one external FTP server outside Acxiom's firewall
    that is used to transfer files back and forth between Acxiom and its
    clients.  The company said no internal databases were accessed and no breach
    penetrated its firewall. Additionally, the firm said only a small percentage
    of its clients' data was involved in the incident.
    
    Acxiom's client list includes a number of Fortune 500 companies, like
    Microsoft, IBM, AT&T, and Blockbuster. The company says it services 14 of
    the top 15 credit card companies, 7 of the top 10 auto makers, 7 of the top
    10 media entertainment companies, 6 of the top 10 magazine publishing
    companies, 4 of the top 5 telecom companies, 5 of the top 6 retail banks and
    3 of the top 5 retailers. ..."
      <http://www.internetnews.com/article.php/2246461>
    
    ------------------------------
    
    Date: Fri, 08 Aug 2003 15:09:26 -0400
    From: Lillie Coney <lillie.coneyat_private>
    Subject: Software patching gets automated (William Jackson)
    
    By William Jackson, GCN Staff
    
    Whenever the Defense Department's Computer Emergency Response Team
    Coordination Center sends out a vulnerability alert, each DoD systems
    administrator must acknowledge it and respond with a plan for closing the
    hole.  The notification and response is becoming more automated, said a
    security manager at a DoD software development shop, who contacted GCN and
    asked that neither he nor his agency be named in print.  The problem is that
    the remediation is manual.  When you get two or three alerts an hour, it
    gets out of control.  The DoD security manager said he uses the Hercules
    automated remediation tool from Citadel Security Software Inc. of Dallas to
    cut the time for fixing flaws in multiple machines from weeks to days or
    hours.  [...]
    
      [And when it is *fully* automated, think of how wonderful it will be to
      have new Trojan horses and security flaws installed instantaneously,
      without having to require human intervention.  Perhaps someday we might
      have systems that do not require continual patching, but I'm not holding
      my breath.  PGN]
    
    ------------------------------
    
    Date: Sat, 9 Aug 2003 00:26:44 -0400
    From: Monty Solomon <montyat_private>
    Subject: How many Windows crashes occur in a year? (John C. Dvorak)
    
    Magic Number: 30 Billion
    By John C. Dvorak, 4 Aug 2003
    
    So what actually happens when your Windows XP machine crashes and asks if
    you want to send a report? The reports obviously accumulate in some
    database, and I can only assume that when one bin piles up with similar
    crash memos, the coders get to work. Exactly how many notifications does
    Microsoft get? Nobody knows for sure, but based on comments Bill Gates made
    at a recent meeting for analysts, the number must be astronomical.
    
    Gates said that 5 percent of Windows machines crash, on average, twice
    daily. Put another way, this means that 10 percent of Windows machines crash
    every day, or any given machine will crash about three times a month. Since
    Bill is a math junkie, I have to assume this number is real and based on
    something other than a phone survey.  Those reports seem like the obvious
    source.
    
    Now according to StatMarket.com, as of March 2003, Windows XP had 33.41
    percent global market share among operating systems. Let's give Microsoft
    the benefit of the doubt and make Windows XP's share an even 35 percent at
    this point. How many computers are in use?  According to the Computer
    Industry Almanac, there were 603 million worldwide in 2001, and the growth
    rate seems to be around 10 to 15 percent per year. Let's be relatively
    conservative, and add just under 100 million to get a round number of 700
    million PCs. With 10 percent of them crashing daily, we have 70 million
    crashes every 24 hours. And since only 35 percent are XP machines, 24.5
    million reports a day accumulate in Redmond -- nearly 9 billion per year. I
    doubt this number will go down anytime soon.  ...
      http://www.pcmag.com/article2/0,4149,1210067,00.asp
    
      [Wonderful article.  John goes on to estimate that this works out to a
      minimum of 30 billion Windows system crashes per year.  He points out that
      this magic number is also the number of gallons of fresh water California
      wastes because of mismanagement, the dollar total for the Enron scam, and
      a few other nice examples.  But he concludes that he is partial to the
      number ZERO, and thinks maybe that should be the target for Microsoft.
      PGN]
    
    ------------------------------
    
    Date: Fri, 8 Aug 2003 01:01:44 -0400
    From: Monty Solomon <montyat_private>
    Subject: Company's error sends customers to Massachusetts adult phone line
    
    Associated Press, 6 Aug 2003
    
    Some unsuspecting Verizon customers trying to pick a new long-distance plan
    were offered ''sexy introductions'' and a chance to ''continue the fun'' on
    an adult phone line.  A letter sent to thousands of Verizon long-distance
    customers across the country last week listed a number for ''Intimate
    Connections'' as a Verizon customer service number, Verizon officials said
    Tuesday.  ...
    http://www.boston.com/dailynews/218/region/Company_s_error_sends_customer:.shtml
    
    ------------------------------
    
    Date: Mon, 11 Aug 2003 15:25:32 +1200
    From: "Dr Richard A. O'Keefe" <okat_private>
    Subject: University library catalogue + security
    
    Until recently, our university library used a DYNIX catalogue.
    That had a Telnet interface and a Web interface; I always used
    the Telnet interface because that way I could get things done quicker.
    
    We now have a new catalogue, called Conzulsys, which you may be able
    to view at https://otago.conzulsys.ac.nz.
    It's described as the "New Zealand Universities' Shared Library System",
    and indeed one can look up things in (a few) other libraries as well.
    
    Problems.
    (1) There isn't a Telnet interface any more.  This means that I can no
        longer use 'expect' to drive queries.  Chizz.
    (2) The interface isn't really designed for any of the machines I use (a
        SunBlade100 and a G3 PowerMac).  For example, quite a lot of buttons
        have black text on a dark blue background, so that I cannot see what
        the buttons actually are.  The navigation links at the top of the page
        are images, even though they are just plain text, and they're a little
        too small to read comfortably on a 90dpi screen.
    (3) The ***** thing keeps timing out.  For example, just now I started a
        multisite search for a particular author; it popped up a window showing
        me that the searches had started, and then a second later, before
        delivering any results, said "Restart Web Voy&aacute;ge
        Your Catalogue session timed out due to inactivity."  How can that be
        when I've just entered a query?  And now that's happened, it doesn't
        matter _what_ I click, I get the same stupid timeout page.
    (4) When new books come into the library, they are put on a rack of
        "New Arrivals" shelves.  It used to be that you could take them over
        to a terminal and book them.  Now you have to fill out a paper form and
        hand it to the librarians, and at the end of the week they have to spend
        several hours sorting these things out by hand.  (Literally sorting to
        get priority right; you have to fill out the time you put the form in.)
    (5) You might not have predicted (3) or (4), but you probably *could* have
        predicted this one.  The HTML they generate is systematically bad.
        A <LINK> element is used to connect a page to its style sheet, BUT
        it is put in the <BODY> instead of the <HEAD> where it belongs.  In
        fact, it's worse than that.  Sometimes the <LINK> is before the
        <!DOCTYPE>.  In addition, ampersands in URIs are *not* escaped as &amp;.
        The pages are sufficiently garbled to give even HTML Tidy a headache,
        which makes it difficult to replace expect queries with wget queries.
    (6) Nowhere in any of the pages is there the slightest mention of Javascript
        or that you must turn off security features to use the pages.  But
        Javascript there is.  You can imagine how thrilled I am at having to
        enable Javascript on the machine where I write exams...
    
    But here's the really cute thing.  Under the old system, if I wanted to
    reserve a book, I had to enter my library card barcode and a password.  As
    far as I know, the library card barcode wasn't used for anything else, and
    if someone intercepted the barcode and password, it didn't actually let
    anybody *do* anything to me except reserve books, which would have been
    nuisance value.  Now all the staff have been assigned a user code and a
    password.  The user code has the form
      <3 letters of last name> <2 letters of first name> <2 digits> <1 letter>
    I don't yet know how the final digits and letter are assigned.  This user
    code is printed on the library cards, so at least all the library staff can
    see them.  The password is not.
    
    This is where social engineering comes in.  Because these user codes and
    passwords are new, many staff members don't have them or don't know them.
    So you ring up a certain phone number, and they tell you what your password
    is or let you assign one.  When I assigned my password last week, there was
    NO check that I was who I said I was.
    
    Why is this a problem?  After all, all you can do with this is reserve
    books and renew ones, plus see what someone has out, and I've always
    regarded what I have out as pretty much public information anyway.
    
    The government here is introducing something called Performance Based
    Research Funding.  Sounds good, except that the data are going in now and
    won't be updated until 2006, so it's really (*Former* Performance) Based
    Research Funding.  Most academic staff have to use a web browser to enter a
    lot of information (much of which the university should have anyway, but
    that's another story) into a PBRF database.  How do they know you have a
    right to enter this information?  Why, from your user code and password, of
    course.  The same user code that is printed on your library card and the
    same password which is set/reported without any checks on who you are.
    
    After that, I don't suppose I need to tell you that the courseware system
    uses the same user code and password as the other system.
    
      [I somewhat reluctantly fixed a typo above: "bardcode" sounded
      appropriately Shakespearean for a library system.  PGN]
    
    ------------------------------
    
    Date: Mon, 11 Aug 2003 09:06:53 -0500
    From: Allan Goodall <agoodallat_private>
    Subject: GenCon Registration Woes Blamed on Computer Network
    
    GenCon is a large, annual game convention and trade show held at the end of
    July or early August. Although it was held in Milwaukee, Wisconsin for many
    years, this was its first year in Indianapolis, Indiana, with a record
    attendance figure of 28,000 people over the four days of the convention.
    
    The wait in line to register has always been a point of complaint, but this
    year that wait was particularly excessive, peaking at four hours on the
    Saturday. In an open letter to various message boards and newsgroups, GenCon
    CEO/owner Peter Adkison blamed most of the problem on the convention's
    computer network. A copy of the open letter can be found here:
    http://www.gamingreport.com/article.php?sid=9515
    
    In summary:
    - The computers used for registration were on the same network as the
    computers that allowed convention attendees to freely access the Internet.
    Apparently there were no restrictions on the use of these public access
    computers.
    - By the first day of the convention 216 computers on the network were
    infected by a worm. The source of the infection was one of the public access
    computers, which also contained downloaded p*rn files.
    - The network wasn't sufficient to handle the traffic even without the worm
    problem. The worm amplified the problem.
    - Each attendee received a badge with their name printed on it. Badges were
    printed at a limited number of printers, 6 badges to a sheet. At times, the
    printers would time out due to the excessive network traffic. Sometimes the
    printed sheets would get lost. The badge printers were a major bottleneck in
    the system.
    
    The RISKS here should be obvious. 
    
    This isn't the first time GenCon has had public access terminals on their
    network. The registration process doesn't appear to be much different from
    when I last attended (August 2000). Either the convention organizers were
    unusually lucky in previous years, or the problems weren't deemed sufficiently
    bad to warrant (in the minds of the organizers) stronger security and
    procedural changes. Adkison doesn't state whether or not the change in venue
    this year was a contributing factor.
    
    ------------------------------
    
    Date: Fri, 08 Aug 2003 10:35:25 +1200
    From: Sidney Markowitz <sidneyat_private>
    Subject: Re: Metadata in Photoshop files (RISKS-22.83)
    
    Photoshop may not be to blame and the RISK may be broader than a single
    software product being the Microsoft Word of photography.
    
    According to Sue Chastain at
    http://graphicssoft.about.com/b/a/2003_07_26.htm 
    the revealing thumbnails mentioned in RISKS-22.83 were not likely to be
    placed by Photoshop. Thumbnail previews, part of the EXIF metadata standard
    used by all digital cameras, may be created automatically when the picture
    is taken. She says "EXIF information and metadata is increasingly becoming a
    concern for professional photographers working in digital because it can
    potentially expose information [...]". Photoshop, rather than being the
    culprit, has a "Save for Web" command that strips out metadata including
    thumbnail previews.
    
    ------------------------------
    
    Date: Fri, 8 Aug 2003 17:04:27 -0400
    From: "Stephen R. Holmes" <srhat_private>
    Subject: Re: New online futures market bets on next White House scandal
    
    Having just re-read John Brunner's 1975 novel "The Shockwave Rider", I was,
    umm, shocked to open RISKS 22.83 and find "New online futures market bets on
    next White House scandal" and "Pentagon's online trading market plan draws
    fire".
    
    In Brunner's future world (circa 200x), citizens gamble on the "Delphi" odds
    that such-and-so (everything from war and famine to soap opera events) will
    come to pass, in exactly the same fashion. Both schemes mentioned in RISKS
    could have been taken directly from the novel.
    
    Life imitating art?
    
    ------------------------------
    
    Date: 8 Aug 2003 04:33:56 -0000
    From: johnlat_private (John R. Levine)
    Subject: Re: Software violates stock ownership limits (RISKS-22.83)
    
    About 25 years ago, someone had a computer hooked up to a Telex line and
    programmed it to trade commodities futures, sending telex orders to his
    broker.  But it wasn't programmed to take into account the size of the
    various markets, some of which aren't all that big, and one day he got a
    phone call from the CFTC and they were not at all pleased that he had
    cornered the market in a thinly traded commodity, potatoes or something like
    that.  He unwound his position and adjusted the program so it never traded
    that particular commodity again.  I know this sounds like an urban legend,
    but I personally know the guy.
    
    > For companies, the RISKs are less clear.  It's not clear whether
    > they had any way of finding out who was actually buying their stock, ...
    
    Not really.  Stock held in accounts at brokers or banks (most of it these
    days), is nominally owned by one of a handful of specialist companies such
    as Cede & Co.  There is a way that the broker can tell the company who the
    beneficial owner is so they can send out annual reports and proxy
    statements, but that takes a while, so that companies have only a vague idea
    of who owns their stock on any given day.  That's one of the reasons you
    have to file notices with the SEC if you plan to buy a substantial amount of
    a company's stock.
    
    John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 330 5711
    Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
    
    ------------------------------
    
    Date: 30 May 2003 (LAST-MODIFIED)
    From: RISKS-requestat_private
    Subject: Abridged info on RISKS (comp.risks)
    
     The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
     if possible and convenient for you.  Alternatively, via majordomo,
     send e-mail requests to <risks-requestat_private> with one-line body
       subscribe [OR unsubscribe]
     which requires your ANSWERing confirmation to majordomoat_private .
     If Majordomo balks when you send your accept, please forward to risks.
     [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
     this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
     Lower-case only in address may get around a confirmation match glitch.
       INFO     [for unabridged version of RISKS information]
     There seems to be an occasional glitch in the confirmation process, in which
     case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
       .UK users should contact <Lindsay.Marshallat_private>.
    => SPAM challenge-responses will not be honored.  Instead, use an alternative 
     address from which you NEVER send mail!
    => The INFO file (submissions, default disclaimers, archive sites,
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues.  *** All
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risksat_private with meaningful SUBJECT: line.
    => ARCHIVES: http://www.sri.com/risks
     http://www.risks.org redirects you to Lindsay Marshall's Newcastle archive
     http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue]
       Lindsay has also added to the Newcastle catless site a palmtop version 
       of the most recent RISKS issue and a WAP version that works for many but 
       not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing,
        http://www.csl.sri.com/illustrative.pdf or .ps for printing
    
    ------------------------------
    
    End of RISKS-FORUM Digest 22.84
    ************************
    



    This archive was generated by hypermail 2b30 : Mon Aug 11 2003 - 15:47:04 PDT