RISKS-LIST: Risks-Forum Digest Thursday 23 October 2003 Volume 22 : Issue 97 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at http://www.risks.org as http://catless.ncl.ac.uk/Risks/22.97.html The current issue can be found at http://www.csl.sri.com/users/risko/risks.txt Contents: Computers may be bad for your health (NewsScan) Recent London power outage (Peter Amey) Justice Department e-censorship error (Kevin Poulsen via jones-gill) RISKS Offshore: A tough lesson on medical privacy (David Lazarus via Scott Miller) "Victoria's Secret Reaches a Data Privacy Settlement" (Drew Dean) First DEWEY DEFEATS TRUMAN, and now YANKEES LOSE! (Mark Brader) Discover cancels 60,000 accounts (Charlie Shub) Nokia and mobile-phone battery explosions (Monty Solomon) Teen rides Trojan Horse defense (Keith Rhodes) Feds admit error in hacking conviction (Robert Lemos via ikanal) Digital signatures: When will they learn? (Jeremy Epstein) Senate votes to can spam (NewsScan) Re: Difficulties with Census Bureau income data (Patrick J. Kobly) Re: Fun with stolen credit-card numbers (Dimitri Maziuk) Re: And I thought I had it bad... (Anthony W Youngman) Re: The Joy of Good Design (Debora Weber-Wulff) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Thu, 23 Oct 2003 09:39:21 -0700 From: "NewsScan" <newsscan@private> Subject: Computers may be bad for your health Nine out of 10 computer users are stressed out by such regular occurrences as performance slowdown, spam overload and lost files, and the time wasted fixing problems just makes it worse, according to security firm Symantec. Anger management experts say computer stress must be alleviated before it affects productivity and human-to-human interactions. "If you are suffering from stress, the best thing to do is to breathe deeply, and remind yourself to keep your cool," says Mike Fisher, of the British Association of Anger Management. The top five stress triggers, according to Symantec, are: 1) Slow performance and system crashes; 2) Spam, scams and e-mail overload; 3) Pop-up ads; 4) Viruses; and 5) Lost or deleted files. Men tend to freak out over viruses, spam and general information pollution, while crashing systems and sluggish performance really irk women. More than a third of both sexes will resort to extreme behavior during computer-related meltdown, including violence, swearing, showing and desperately hitting random keys. The good news is that 40% will actually try to fix the problem, often asking someone else for help. Symantec's Kevin Chapman suggests a few ways to reduce the potential for problems: "For example, don't download lots of large files and applications, and remove the clutter left behind by long periods on the Internet. To avoid spam, don't sign up for lots of mailing lists, and if you do receive spam-mail, never reply to it asking to be removed from the list as this will confirm your e-mail address." [Eds. Note: NewsScan never, ever shares your e-mail addresses with *anyone*, so we hope you'll stay on *our* list.] [BBC News 23 Oct 2003; NewsScan Daily, 23 Oct 2003] http://news.bbc.co.uk/go/pr/fr/-/1/hi/technology/3204719.stm ------------------------------ Date: Mon, 20 Oct 2003 09:49:36 +0100 From: "Peter Amey" <peter.amey@praxis-cs.co.uk> Subject: Recent London power outage The London power cut that followed shortly after the great New York blackout, was quickly blamed on an unforeseeable chain of events including the fitting of an incorrect valued relay (widely reported as a "fuse"). It has now emerged that the root cause, the one which led to reliance on the incorrect relay and the power loss, was simple, old-fashioned poor maintenance. The chain of events started when a sub-station transformer alarm sounded. The problem at this transformer turns out to have been an oil leak which had been noticed and reported but not dealt with. A power company spokesman said on the BBC news that they couldn't necessarily take a transformer out of service as soon as a problem like this was found but, instead, had a system of managing the leak until it was convenient to correct the problem permanently. The problem in this case was that the leak wasn't managed (the request having passed into a planning centre described by one contributor as a "black hole"), the oil ran out, the alarm sounded, the transformer was switched out and the incorrect relay failed. The risk I think is the rush to blame unforeseeable chains of events and freak failures rather than to admit to failures of basic preventive maintenance. http://news.bbc.co.uk/1/hi/england/london/3199594.stm http://news.bbc.co.uk/1/hi/england/london/3199784.stm Peter Amey, Principal Consultant, Praxis Critical Systems, 20, Manvers St. Bath, BA1 1PX UK +44 (0)1225 466991 www.praxis-cs.co.uk www.sparkada.com ------------------------------ Date: Thu, 23 Oct 2003 06:19:33 -0000 (GMT) From: <jonesgill@jones-gill.co.uk> Subject: Justice Department e-censorship error (Kevin Poulsen) Justice e-censorship gaffe sparks controversy By Kevin Poulsen, SecurityFocus Posted: 23/10/2003 at 09:37 GMT Taken from www.theregister.co.uk (http://www.theregister.co.uk/content/55/33549.html) A government watchdog group Wednesday accused the Justice Department of improperly censoring portions of a key report on internal workplace diversity, after online activists successfully unmasked the blacked-out portions of an electronic copy of the document. The 186-page report was released to the public under the Freedom of Information Act last week and posted to Justice Department's Web site in Adobe's "Portable Document File" (PDF) format. But the department blacked out vast portions of the document's text, citing an exemption to FOIA that permits agencies to keep internal policy deliberations private. The text didn't stay concealed for long. On Tuesday a Web site called the Memory Hole, dedicated to preserving endangered documents, published a complete version of the report, with the opaque black rectangles that once covered half of it completely removed. Memory Hole publisher Russ Kick won't say how he unmasked it, but experimentation shows that the concealed text could be selected and copied using nothing more than Adobe's free Acrobat Reader. Once copied, the text is easily pasted into another document and read. It turns out the report began its life as a Microsoft Word document, and whoever was in charge of sanitizing it for public release did so by using Word's highlight tool, with the highlight color set to black, according to an analysis by Tim Sullivan, CEO of activePDF, a maker of server-side PDF tools. The simple and convenient technique would have been perfectly effective had the end product been a printed document, but it was all but useless for an electronic one. "Using Acrobat, I'm actually able to move the black boxes around," says Sullivan. "The text is still there." In 2000, *The New York Times* made a similar error in publishing on its Web site a classified CIA file documenting American and British officials' engineering of the 1953 coup that overthrew Iran's elected leadership. Before releasing the document as a PDF file, the paper blacked out the names of Iranians who helped with the plot. But online intelligence archivist John Young published an unsanitized version of the report after discovering that the opaque black lines and boxes concealing the names could easily be removed. Both cases demonstrate that what you see is not always what you get in electronic documents. Censors could have more effectively eliminated the text by deleting it, rather than painting it over. Additionally, commercial software is available that's designed specifically to help government agencies redact PDF files for release under FOIA and the Privacy Act. Pennsylvania-based Appligent even sells its "Redax" Acrobat plug-in to the Justice Department. "The amazing thing is that there are different divisions in the Department of Justice that are using our software, so it's a little shocking that they would do this in Word," says company president Virginia Gavin. Denuded of its censorious kludgework, the report -- produced last year by KPMG -- reveals much about the Justice Department's gender and ethnic diversity issues. But, significantly, it also shows that the department is overly aggressive in cutting documents for public release, according to the Federation of American Scientists (FAS). On Wednesday FAS wrote a letter to the Justice Department's Office of the Inspector General -- the DoJ's internal investigators -- urging a full investigation into officials' "unauthorized withholding of information." "Too much information was withheld," says FAS's Steven Aftergood. "Information that was purely factual was censored as if it were deliberative... We want agencies to be able to discuss different policy options and to make recommendations outside of a charged political environment, and the deliberative exemption allows them to do that. But the exemption does not apply to factual material." For example, a section of the text notes, "sexual harassment is not perceived by attorneys to be a problem in the Department, but racial harassment is." That should never have been cut from the public version, says Aftergood. "That's something that ought to be made publicly available." Much, if not most, of the scores of blacked out pages should have been released under law, Aftergood says. He credits the PDF blunder with exposing a systemic problem in the Justice Department's FOIA compliance, and he hopes an internal review will result in an overhaul of the system. A Justice Department spokesman declined to comment on the matter, and the almost-censored document disappeared from the department's Web site Wednesday afternoon. oops! ------------------------------ Date: Thu, 23 Oct 2003 11:56:32 -0400 From: Scott Miller <SMiller@private> Subject: RISKS Offshore: A tough lesson on medical privacy (David Lazarus) "Lazarus at large", David Lazarus, *San Francisco Chronicle*, 22 Oct 2003 "Your patient records are out in the open... so you better track that person and make him pay my dues." A woman in Pakistan doing cut-rate clerical work for UCSF Medical Center threatened to post patients' confidential files on the Internet unless she was paid more money.To show she was serious, the woman sent UCSF an e-mail earlier this month with actual patients' records attached. http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2003/10/22/MNGCO2FN8G1.DTL [Just one of the risks of outsourcing. PGN] ------------------------------ Date: Tue, 21 Oct 2003 14:37:41 -0700 (PDT) From: Drew Dean <ddean@private> Subject: "Victoria's Secret Reaches a Data Privacy Settlement" That fabulous headline appeared in *The New York Times* online. Quick summary: Their Web site had a security problem where by anyone could check on the status of anyone else's order, although they could _not_ get credit card information. Given the nature of the store, this is even more problematic than usual. Victoria's Secret paid a fine ($50K) without admitting guilt. Interestingly enough, this happened under consumer protection laws, because Victoria's Secret violated their own privacy policy. Two good quotes -- the opening line: "There's private, and then there's private." and "'The core of it is, what do people expect will be kept secret? And of course when you're dealing with Victoria's Secret, you expect that a lot will be kept secret.'" Full story: http://www.nytimes.com/2003/10/21/technology/21priv.html ------------------------------ Date: Fri, 17 Oct 2003 16:57:06 -0400 (EDT) From: msb@private (Mark Brader) Subject: First DEWEY DEFEATS TRUMAN, and now YANKEES LOSE! The morning after the New York Yankees beat the Boston Red Sox to win the 2003 American League baseball pennant, early editions of the *New York Post* included an editorial bemoaning that the Yankees had lost. Apparently TWO versions of the editorial had been prepared, one for each eventuality, and the wrong one was published -- reportedly because someone hit "the wrong button." The AP item in the *NYTimes* began with ``The curse of the Bambino [Babe Ruth, erstwhile Red Sox pitcher, for non-baseball fans!] struck the *New York Post*, too.'' ["NY Post Editorial Says Yankees Lost", 17 Oct 2003; PGN-ed] http://www.nytimes.com/aponline/national/AP-Post-Yankees-Editorial.html ?ex=1067422908&ei=1&en=97f6f670437f48ef ------------------------------ Date: Wed, 22 Oct 2003 13:07:19 -0600 (MDT) From: Charlie Shub <cdash@private> Subject: Discover cancels 60,000 accounts On 15 Oct 2003, I received an e-mail from discover saying Your Discover(R) Card account is part of a group of accounts whose information may have been illegally obtained by unauthorized persons. As a protective measure, we will be issuing you a new account number. We believe this proactive step is necessary to protect your account from potential fraud activity. After a heated conversation with the people at the other end of their 800 number, they agreed to keep my particular card active through the weekend as I was leaving on a trip early the following morning. They also assured me that in the interval between when the account was turned off and the new cards arrived, they would be able to authorize individual purchases via a manual override process. That statement proved to be false. charlie shub University of Colorado at Colorado Springs cdash@private http://cs.uccs.edu/~cdash 1-719-262-3492 ------------------------------ Date: Fri, 17 Oct 2003 08:00:47 -0400 From: Monty Solomon <monty@private> Subject: Nokia and mobile-phone battery explosions Nokia Recommends Using Only Original Batteries with Nokia Products; All Investigated Mobile Phone Battery Explosions Caused by Non-Original Batteries - Oct 17, 2003 07:23 AM (BusinessWire) Recently, in the Netherlands a battery used in a Nokia 7210 mobile phone exploded. An investigation by Nokia experts clearly proved that the battery involved in the incident was not a Nokia battery. Over the past months, cases have been reported of non-original mobile-phone batteries exploding, causing damage to both batteries and phones. In all the reported cases, the battery has been a non-original battery. Nokia offers its cooperation to authorities in taking legal measures available against those who sell and distribute poor quality non-original mobile phone enhancements compatible to Nokia products. In general, the reported incidents are due to an internal short circuit. An internal short circuit can be caused by careless design, an uncontrolled production process or a combination of both. Original Nokia batteries and chargers are designed and manufactured adhering to stringent safety and quality measures. These include very strict requirements regarding the materials and insulation used inside the batteries as well as continuous production control and intensive product testing. ... http://finance.lycos.com/home/news/story.asp?story=36124379 ------------------------------ Date: Fri, 17 Oct 2003 09:28:31 -0700 (PDT) From: rhodesk@private Subject: Teen rides Trojan Horse defense A UK teen, accused of launching a DDoS attack, was acquitted as a jury apparently believed his explanation that a hacker had exploited his computer with a Trojan Horse. [Source: Munir Kotadia, zdnet] http://zdnet.com.com/2100-1105-5092745.html?tag=sas_email ------------------------------ Date: Fri, 17 Oct 2003 06:35:26 -0700 (PDT) From: notsp_ikinal@private Subject: Feds admit error in hacking conviction Federal prosecutors asked an appeals court to reverse a computer-crime conviction that punished a California man for notifying a company's customers of a flaw in its e-mail service. Bret McDanel had already served his 16-month sentence, and is on supervised release with curtailed computer access. The original conviction resulted from McDanel having notified customers of Tornado Development (subsequently defunct) that their e-mail was susceptible to attack. An appeal was filed by Jennifer Granick in Stanford's Law School. [Source: Robert Lemos, zdnet, 16 Oct 2003; PGN-ed] http://zdnet.com.com/2100-1105-5092697.html?tag=sas_email ------------------------------ Date: Thu, 23 Oct 2003 14:20:25 -0700 From: Jeremy Epstein <jeremy.epstein@private> Subject: Digital signatures: When will they learn? Microsoft has a deal with the US Postal Service for Office 2003 where USPS will store a permanent record of a document, so anyone can validate the document for the next seven years. The goal is "to sign and secure documents in a way that is legally binding". The record (which is presumably a signed hash) includes "a unique time- and date-stamped record based on the file's exact content". Sounds good... an unbiased third party is part of what you need. However, there are problems: * WYSMNBWYS: What You Sign May Not Be What You See. Small fonts, hidden data, bits & pieces of deleted stuff lying around, etc. 'nuff said, especially given the legacy of examples in RISKS. * Incompatibility: How often has Microsoft introduced a version of Office that was compatible with any other version? Never! So why should we believe you'll be able to verify one of these signed documents... especially for the next seven years? Or that it'll look like the document that was "signed"? C'mon! * What safeguards this repository against tampering? If I can modify the document and the repository's view of what was signed, I can change history. http://www.computerworld.com/securitytopics/security/story/ 0,10801,86300,00.html?nas=SEC2-86300 ------------------------------ Date: Thu, 23 Oct 2003 09:39:21 -0700 From: "NewsScan" <newsscan@private> Subject: Senate votes to can spam The U.S. Senate has unanimously approved the "Can Spam" bill, sponsored by Sens. Conrad Burns (R-Mont.) and Ron Wyden (D-Ore.), which would ban the sleaziest techniques used by spammers to spew out millions of junk e-mail messages each day. Under the provisions of the bill, senders of unsolicited e-mail would be prohibited from disguising their purpose by using a fake return address or misleading subject line, and would no longer be allowed to harvest e-mail addresses off the Web to bulk up their lists. In addition, junk e-mail would be required to include a legitimate "opt out" function that recipients could use to get off lists. A provision proposed by Sen. Charles Schumer (D-N.Y.) authorizes the Federal Trade Commission to establish a "do-not-spam" list, similar to the recently implemented "do-not-call" list that blocks telemarketing calls. "Kingpin spammers who send out e-mail by the millions are threatening to drown the Internet in a sea of trash, and the American people want it stopped," said Wyden, who urged foreign countries to adopt similar measures. [AP 23 Oct 2003; NewsScan Daily, 23 Oct 2003] http://apnews.excite.com/article/2031023/D7UBQISG0.html ------------------------------ Date: Tue, 14 Oct 2003 17:31:34 -0600 From: "Patrick J. Kobly" <patrick@private> Subject: Re: Difficulties with Census Bureau income data (Lima, RISKS-22.95) Tony Lima <TonyLima2@private> relayed comments from Dr. Nan Maxwell that: > The census has always capped income figures (as the article notes) for > reasons of confidentiality.--if there are 26 people in the us making > over $1 million and you know their gender, race, place of residence, > industry, occupation, etc. you can pretty much guess who they are. This is a red herring. There really is no (or minimal) privacy risk at the data-collection side of things. These privacy concerns (while very real) shouldn't be dealt with with this kind of gross clipping at collection-time, but rather with reasoned bucketing schemes at aggregation and reporting time. Once the data is collected, the census bureau then can do bucketing based on the character of the data - there is plenty of academic work on this subject and market researchers have been doing this for years -- such that we don't report on buckets small enough to individually identify people. There are issues that arise, including methods to infer numbers in an intersection of two aggregation queries where just requesting the intersection yields unreportable (for privacy reasons) numbers, but these issues can be addressed with careful analysis. Even if the data is reported in unaggregated form (ie. some complete individual surveys are shown), bucketing of answers can still have an anonymizing effect... There are a number of ways of dealing with confidentiality issues without killing the quality of your data. ------------------------------ Date: Fri, 10 Oct 2003 14:33:33 -0500 From: Dimitri Maziuk <dmaziuk@private> Subject: Re: Fun with stolen credit-card numbers (Maziuk, RISKS-22.94) I received a few e-mail replies to my post and since I'm not subscribed to the list I don't know how many replies went there. Or how many bounced because you didn't check my Reply-To address before sending (sorry, too much spam). I think I should clarify a couple of points. Simplified transaction I described comes from personal experience. I worked at a place that had an EFT server supplied by the bank (vendor approved by the bank, actually). It talked to the bank via leased line and generally worked like an ATM -- sans magnetic card reader. I wrote the software that talked to EFT server so I know exactly what information my software supplied to it: card number and transaction amount. Different banks/clearing houses mey have different rules, but unless you know exactly what the rules are in every particular case, there's no reason to assume a particular vendor makes use of anything other than card number. (Obviously, they need an address to ship the goods to, but that has nothing to do with credit card payment.) My other point was that none of the other information can be used as 100% reliable fraud indicator. Even the signature: I could take my wife's credit card, put my signature on the slip, and -- (in theory) our bank should honour that transaction. Even though my signature doesn't match the one on the back of the card, it's still valid for our joint account. Ergo, if the vendor decides to do fraud detection they have to deal with false positives. Vendor who makes the living from selling stuff has financial incentive to assume that the positive was, indeed, false. The form you signed probably said (in a very small print) that it's your, not someone else's, responsibility to check your statement for transactions you didn't authorize. So the vendor doesn't have to bother with fraud detection at all. (Aside: we ended up building a database of "known offenders" and analysing the logs for usage patterns. And I spent more time on the phone to fraud agencies than I ever wanted to.) So the system is insecure by design. As for secure alternatives (and that's what keeps coming up in RISKS): there are two ways to authenticate you (credit card user, airplane passenger, computer user). It's either something you know (PIN, password), or for something you have (fingerprint, barcode tattooed into your forearm, face on the photograph on your driver's license). For either way to work reliably, two conditions must be met: 1. Authentication token must be established beforehand using trusted channel. (cf. e-mailing passwords unencrypted. (It's not clear if encrypting them does that much good here, as there's no reason to believe joe@private account really belongs to John A. Doe of 123 Beltway, Washington, DC, but still...)) (Do you want to have to travel to Amazon's head office with your driver's license, birth certificate, and two reliable witnesses to leave your thumbprint there before they let you buy anything?) (Do you want your fingerprints to be instantly available to (potentialy) anyone who declares themselves "an on-line vendor"?) 2. Token must be transmitted via trusted channel during the transaction. (cf. Web sites that accept your credit card information via non-encrypted HTTP connection.) (With biometrics you have to also verify operation of the scanner device and make sure the finger, eye, or what have you is actually attached to a living body -- naturally attached, not surgically.) Of course for a bad guy ther isn't much difference between torturing you to learn your PIN and chopping off your thumb to take it to thumbprint reader. If they want it bad enough, they'll figure out how defeat the system. Given a choice between having $1000 stolen and having my thumb chopped off, I think maybe existing system is not that bad after all. ------------------------------ Date: Tue, 21 Oct 2003 10:30:32 +0100 From: "Anthony W Youngman" <Anthony.Youngman@eca-international.com> Subject: Re: And I thought I had it bad... (RISKS-22.96) Take a look at the guff about Demon's mail screwup ... (demon.co.uk, demon.net). They upgraded their mail systems to cope with the ever-increasing tide of spam etc. Unfortunately, due to a config mistake, this made the problem worse (I'm guessing their SMTP kick for dial-ups got screwed). As a result, they ended up backing up and deleting all pending mail on their servers, correcting the config blunder, and then feeding it all back in over the next few days. I very nearly got badly stuffed -- I e-mailed some personal work home on the Monday to work on. As an exam assignment, it HAD to be delivered to Uni for marking by the Friday. The e-mail arrived home Friday evening -- past the deadline! Fortunately I didn't need it to be able to carry on working. ------------------------------ Date: Sun, 19 Oct 2003 23:19:31 +0200 From: Debora Weber-Wulff <weberwu@fhtw-berlin.de> Subject: Re: The Joy of Good Design (Don Norman in NewsScan, RISKS-22.96) > Design guru Don Norman says the way a device looks, feels and gives > pleasure is just as important as how it works, and that good design can > make up for some -- though not all -- shortcomings. [...] Good emotional > design must incorporate all three levels, and Norman cites Apple and Sony > as two companies that have managed to do that well. > <http://news.bbc.co.uk/1/hi/technology/3175506.stm> Yes, but. It doesn't cover all shortcomings. At least in Europe, Sony has just as bad a "hotline service" as the rest of the lot. I'm planning on purchasing a new laptop, and I just realized that my Sony Camera wouldn't talk to my Sony laptop (and the service center couldn't help) and my Sony PDA has flaky battery problems (and the service center couldn't help) that seemed to be linked to the Sony Memory Stick (if I take it out, it is less flaky). So I asked myself: do I really want another Sony? Of course, they are beautiful. My answer: no. Since all of the service centers tested "D" or "F" on a school grading scale (4 or 5 on the German scale), why pay more just for design? Prof. Dr. Debora Weber-Wulff, FHTW Berlin, FB 4, Treskowallee 8, 10313 Berlin Tel: +49-30-5019-2320 http://www.f4.fhtw-berlin.de/people/weberwu/ ------------------------------ Date: 30 May 2003 (LAST-MODIFIED) From: RISKS-request@private Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, send e-mail requests to <risks-request@private> with one-line body subscribe [OR unsubscribe] which requires your ANSWERing confirmation to majordomo@private . If Majordomo balks when you send your accept, please forward to risks. [If E-mail address differs from FROM: subscribe "other-address <x@y>" ; this requires PGN's intervention -- but hinders spamming subscriptions, etc.] Lower-case only in address may get around a confirmation match glitch. INFO [for unabridged version of RISKS information] There seems to be an occasional glitch in the confirmation process, in which case send mail to RISKS with a suitable SUBJECT and we'll do it manually. .UK users should contact <Lindsay.Marshall@private>. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail! => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@private with meaningful SUBJECT: line. *** NEW: Including the string "notsp" at the beginning or end of the subject *** line will be very helpful in separating real contributions from spam. *** This attention-string may change, so watch this space now and then. => ARCHIVES: http://www.sri.com/risks http://www.risks.org redirects you to the Lindsay Marshall's Newcastle archive http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue] Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r http://the.wiretapped.net/security/info/textfiles/risks-digest/ . http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/ ==> PGN's comprehensive historical Illustrative Risks summary of one liners: http://www.csl.sri.com/illustrative.html for browsing, http://www.csl.sri.com/illustrative.pdf or .ps for printing ------------------------------ End of RISKS-FORUM Digest 22.97 ************************
This archive was generated by hypermail 2b30 : Thu Oct 23 2003 - 15:59:05 PDT