[risks] Risks Digest 22.98

From: RISKS List Owner (risko@private)
Date: Mon Oct 27 2003 - 16:42:22 PST


RISKS-LIST: Risks-Forum Digest  Monday 27 October 2003  Volume 22 : Issue 98

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at http://www.risks.org as
  http://catless.ncl.ac.uk/Risks/22.98.html
The current issue can be found at
  http://www.csl.sri.com/users/risko/risks.txt

  Contents:
Internet fraud update (NewsScan)
Casino barcode forgery (Steve Dunbar)
Air Traffic Control vulnerable to fire! (Paul Cox)
South Carolina DMV software glitch costs Sumter County $164,000 (Frank Carey)
New risk of leaving devices OFF (Walter Roberson)
Mississippi liquor stores and restaurants risk going dry (Ben Moore)
RFID friend and foe, with a note on biometric passports (Markus Kuhn)
Amazon's new 'search inside the book' feature (NewsScan)
Amazon's new text search service (Drew Dean)
Google Stumbles? (Monty Solomon)
Unwanted e-mail turns into a "chain of stupidity" (William Colburn)
Re: Recent London power outage (Martin Ward)
Re: First DEWEY DEFEATS TRUMAN, and now YANKEES LOSE! (Amos Shapir)
Yet Another eBay-Spoofing Scam (David Graham)
Self-inflicted phishing (Andrew Yeomans)
SNAFU at the bank (Walter Regan)
Re: Top 10 data disasters (Merlyn Kline)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 24 Oct 2003 08:17:15 -0700
From: "NewsScan" <newsscan@private>
Subject: Internet fraud update 

The Federal Trade Commission says that complaints of Internet-related
identity theft more than tripled last year, to 2,352, from the year
before.  Jay Foley of the Identity Theft Resource Center says, "Online fraud
is becoming as big an issue for eBay and AOL as security is for Microsoft."
Typically, eBay covers buyers or sellers for up to $200 (or $500 for some
listings) if an item is not delivered or is in bad condition, though there
is a $25 processing fee.  Posting safety tips for eBay transactions are
listed at www.ebay.com/securitycenter.  [*USA Today*, 24 Oct 2003;
NewsScan Daily, 24 Oct 2003]
  http://www.usatoday.com/tech/news/2003-10-23-fraud_x.htm

------------------------------

Date: Sat, 18 Oct 2003 12:06:20 -0700
From: Steve Dunbar <stvdnb@private>
Subject: Casino barcode forgery

The Kalispel Indian Tribe's Northern Quest Casino near Spokane, Washington,
lost around $100,000 to forgers who printed copies of barcoded payout
tickets.

  http://www.registerguard.com/news/Wire/N1620WA--CasinoScam.html

------------------------------

Date: Mon, 27 Oct 2003 00:51:34 -0800
From: "Paul Cox" <pcox@private>
Subject:  Air Traffic Control vulnerable to fire!

I work as an air traffic controller at Seattle Air Route Traffic Control
Center.  We were less busy than usual today, because nearly all of the
flights to/from southern California were severely delayed or canceled.

Not only did the fires in the SoCal area generate large volumes of smoke
(reducing visibility and slowing traffic in general) but the fires
threatened the physical structure of the main Southern California Terminal
Radar Control (SoCal TRACON) facility.

From the controllers' union regional vice president, Bob Marks...

  "SCT structurally received minimal damage, but the pine trees at the
  entrance caught fire and the Fire Department chopped them down so they
  wouldn't fall into the building.  The field next to the facility burned
  completely.

  The facility was full of smoke, and we estimate a minimum of two days
  before it reopens.  The FAA has been great, and honored our request for
  air sampling prior to having controllers come back."

The RISK here should be obvious; you've got a facility that is designed and
intended to be in operation 24X7, no matter what.  They have power backup
systems there that can run the TRACON for at least a week on the on-site
diesel fuel.

But if the air outside is too smoky from fires in the immediate vicinity,
and people cannot work inside the building (apparently it was so smoky
inside people were coughing up hunks of lungs... well, not quite, but really
bad) then the precautions don't do much good.

Additionally, the physical building itself was threatened with fire damage.

The controllers at the enroute facility (like I work at) in Los Angeles were
able to take over the airspace that SoCal TRACON works, but at
greatly-reduced traffic rates.  Again, from Bob Marks...

  "ZLA took over TRACON ops.  My deepest gratitude and thanks to the good
  members at my old facility for dealing with this emergency.  The news is
  not all good, however, as it appears there is pressure to try and run the
  system "nominally" when the busiest TRACON on the planet is ATC-Zero.  A
  center cannot safely run a significant percentage of approach traffic
  during a sustained period for several reasons:

  Technical: Finals, MVAs, and other map items are not displayed.  Mosaic
  requires 5-mile minimum separation.  Radar ID is more cumbersome, since
  usually the a/c is more than a mile from the departure end of the runway
  before tag-up.

  Training: Most center controllers don't do approach control work, or
  haven't for years.

  Proficiency: When was the last time you got a thorough briefing and
  training on ATC-Zero procedures?"

Basically, to maintain the minimum level of safety, controllers had to
drastically reduce the numbers of flights from what the TRACON would
ordinarily handle.

More RISKS... lack of training, lack of forethought in planning video maps,
keeping copies of routes and procedures handy, and some other technical
issues (facilities that had a need to talk to one another had to rely on
regular commercial telephones, or cellphones, because the FAA doesn't have
the proper 24X7 dedicated circuits between all of them).

In the end?  Kept the skies safe, as always, but the monster delays (several
flights that I personally knew of from Portland, Oregon, and from Seattle,
Washington, were delayed by 10+ hours) showed that lack of good contingency
planning- and drills on contingency plans- severely hampered the FAA's
ability to react to the problems.

------------------------------

Date: Sat, 25 Oct 2003 20:56:49 EDT
From: Frank Carey <Carey1938@private>
Subject: South Carolina DMV software glitch costs Sumter County $164,000

The South Carolina Department of Motor Vehicles says it has sent Sumter
County officials a list of nearly 1,000 automobile tax records that were
possibly left off the county's tax rolls because of problems with their
Project Phoenix software which had been installed last year.  In August of
this year Sumter County officials discovered they were missing a large
number of car tax records and that the missing records had cost the county
$164,000.  When first confronted with the situation in August, DMV officials
said they were unaware of any problems with the software.  After looking
into the Sumter County complaint, the state DMV officials recognized that
records might have been omitted but also that the software glitches caused
billing problems.  Other South Carolina counties have also reported the same
problems.  [*The Item*, Sumter, SC, front page, 24 Oct 2003]

------------------------------

Date: Wed, 22 Oct 2003 13:32:12 -0500 (CDT)
From: Walter Roberson <roberson@private>
Subject: New risk of leaving devices OFF

Cisco recently announced an unusual problem with leaving some of its devices
*off*. It seems that a particular lot of electrolytic capacitors in some of
its 2900XL and 3500XL switches undergo chemical degradation when the devices
are powered off for extended periods.  This can lead to Cyclic Redundancy
Check (CRC) and Frame Check Sequence (FCS) errors in the switches.
  http://www.cisco.com/warp/public/770/fn26174.shtml

[Somehow I never expected quite this form of "bit rot"!]

------------------------------

Date: Mon, 27 Oct 2003 01:39:35 GMT
From: Ben Moore <ben.moore@private>
Subject: Mississippi liquor stores and restaurants risk going dry

Mississippi's Alcohol Beverage Control division shut down the warehouse last
week for an indefinite amount of time to fix computer problems, with an
estimated outage of at least one week.  (Most establishments do not keep
more than a week's backlog.)    [Source: AP item, PGN-ed]
  http://www.godesoto.com/modules.php
  ?op=modload&name=News&file=article&sid=2313&mode=thread&order=0&thold=0

------------------------------

Date: Sun, 26 Oct 2003 22:28:47 +0000
From: Markus Kuhn <Markus.Kuhn@private>
Subject: RFID friend and foe, with a note on biometric passports

One is tempted to think of the planned RFID tagging of all US DoD supplies
as a major step forward. This will finally enable the design of a new and
far safer generation of mines that detonate only near people carrying DoD
equipment.

  Defense Department drafts RFID policy

  Matthew Broersma, CNET News.com

  The U.S. Department of Defense will give radio frequency identification
  technology a massive boost with a new policy requiring its suppliers to
  use RFID chips. [...]

  RFID chips, or tags, contain identification information that can be
  wirelessly passed on to a reader, allowing, for example, the contents of
  a shipping container to be identified without opening it. This promises
  huge improvements in supply-chain efficiency, but also raises the
  prospect of remote tracking of consumers via RFID chips embedded in
  their clothes or the cards in their wallets.

  The Defense Department's policy requires that by January 2005 all
  suppliers embed passive RFID chips in each individual product if
  possible, or otherwise at the level of cases or pallets. [...]
  http://news.com.com/2100-1008-5097050.html

But progress will not stop there. With the "US PATRIOT Act" requiring
contactless ID chips to be embedded in passports from October 2004, mines
and booby-traps will soon also be able to read out remotely the victim's
name, age, height, sex and nationality right before triggering, providing an
unprecedented reduction in the RISK of killing the wrong person in your next
local invasion, terror, anti-terror, or genocide campaign.

A related and more serious note on passport security:

The ICAO radio transmitters about to be added to new passports from later
next year on will enable every country on the planet to query the chip's
data at a few meters distance (with suitably constructed
antennas). Representatives of two German government agencies (BSI, BKA)
expressed serious concerns about the security and privacy implications of
this in the relevant standards committee. They suggested using the data on
the existing optical character recognition (OCR) stripes in each passport as
a code for enabling access to the chip. This way, the passport could only be
read by anyone who had already seen its written content before. The idea
would be perfectly practical, as the RFID readers at border stations would
normally be integrated in the optical readers needed for existing
machine-readable travel documents. US representatives, however, have already
rejected this quite elegant suggestion in the relevant standards committee.

I suggested at an ISO/ICAO meeting last July in London to add a small metal
shield to the front cover page of the passport, such that the RFID coil
antenna in the back cover page can work effectively only while the passport
booklet is open. Again, this idea was quickly rejected by some of those
driving the project as a privacy concern and therefore "of little interest
here". But as it is not dependent on any provisions in the chip's
internationally standardized protocol, it can still be hoped that
responsible passport issuers will implement something along these lines
anyway.
  http://www.icao.int/mrtd/

Markus Kuhn, Computer Laboratory, University of Cambridge
http://www.cl.cam.ac.uk/~mgk25/ || CB3 0FD, Great Britain

------------------------------

Date: Fri, 24 Oct 2003 08:17:15 -0700
From: "NewsScan" <newsscan@private>
Subject: Amazon's new 'search inside the book' feature

Amazon.com has announced a new feature called "Search Inside the Book" that
is making the text of 120,000 books (more than 33 million pages) fully
searchable at no charge. The feature makes it possible to scan a database
for the word or phrase entered by a visitor to Amazon's site for each
relevant portion of a searchable book. The pages that are found can be read
onscreen and printed but not copied or downloaded. University of Washington
computer scientist Oren Etzioni says: "It's an impressive feat -- a bold
concept, coupled with nice execution and clear business thinking. This
really shows Amazon is a technology company, not innovating just with things
like free shipping but putting something out there that's brand
new."  [Seattle Post-Intelligencer 24 Oct 2003; NewsScan Daily, 24 Oct 2003]
  http://www.siliconvalley.com/mld/mercurynews/business/7092377.htm

------------------------------

Date: Fri, 24 Oct 2003 16:12:01 -0700 (PDT)
From: Drew Dean <ddean@private>
Subject: Amazon's new text search service

Amazon recently announced a new full text search service of 120,000 books:
  http://www.siliconvalley.com/mld/mercurynews/business/7092377.htm
I decided to try a random search.  As "To be or not to be" is a really bad
search string (it consists entirely of stop words, that is, words to be
ignored by text indexers), I decided on "Call me Ishmael."  [For RISKS'
international audience, this is the opening line of Herman Melville's Moby
Dick, quite possibly the most famous opening line in all of American
literature.]

The results are interesting: 2704 books are found, the 1st is "Call me
Ishmael," the 2nd is "Call Me Ishmael Tonight: A Book of Ghazals," the 3rd
is "The First Five Pages: A Writer's Guide to Staying Out of the Rejection
Pile," and the 4th is "Programming Windows with C# (Core Reference)" !!

The highest rated match that directly relates to Moby Dick is the
Cliffs Notes at #15.  Moby Dick itself isn't in the top 20.  <sigh>

Drew Dean, Computer Science Laboratory, SRI International

------------------------------

Date: Sun, 19 Oct 2003 01:00:43 -0400
From: Monty Solomon <monty@private>
Subject: Google Stumbles?

Is Google starting to show signs of strain against spammers and Web
scammers?

  Chatters at the geek news site Slashdot observed this week that using the
  search engine to track down certain oddball series of words, such as
  "speaker bracelet" or "candle truck," turned up strangely low results.
  Instead of finding only the expected handful of sites, Google reported
  that none could be found.  Cambridge, Mass., computer programmer Seth
  Finkelstein, an expert on Internet filters, thinks he's figured out the
  reason.  "The Google search results are crashing, presumably as a result
  of a bug in the spam-filtering measures."  (See www.sethf.com)

The explanation involves dummy Web sites with long lists of words that
are intended to provide matches and then link to Web scammer sites.
[Source: Mike Musgrove, Google Stumbles? Web Watch, 12 Oct 2003, F07; PGN-ed]
  http://www.washingtonpost.com/wp-dyn/articles/A11461-2003Oct11.html

------------------------------

Date: Mon, 20 Oct 2003 13:50:39 -0600
From: "Schlake (William Colburn)" <schlake@private>
Subject: Unwanted e-mail turns into a "chain of stupidity"

Several years ago I wrote a print accounting filter for LPRng.  In case of a
problem it sent e-mail to a list of people here at work.  Another department
on campus wanted it, so I sent the filter to them.  I later remembered (when
I started getting e-mail) that there was a hard coded address in it.
Attempts to get them to remove or change it proved fruitless, so I just made
a procmailrc script to mail the error back to them.  Today, after a good two
years of my sending the e-mail back to them, that department apparently got
fed up, and set up a procmail script of their own which mails me back a
thank you for each of these messages I forward to them.  I added their thank
you to my spam filter, and I'm blocking them now.

The risk here is a chain of stupidity.  I gave out some software that was meant
for in house use.  They are using it but are unable or unwilling to change
an e-mail address in it.  I use procmail to push the problem back to them.
They use procmail to push the problem back to me.  I use a Sendmail milter
to block their e-mail.  Another escalation like this and I'll be hoarding my
precious bodily fluids and calling for Wing Attack Plan R.

------------------------------

Date: Fri, 24 Oct 2003 09:47:59 +0100
From: Martin Ward <Martin.Ward@private>
Subject: Re: Recent London power outage (Amey, RISKS-22.97)

It is irrelevant *when* the transformer was switched out.  Transformers are
expected to be switched out occasionally (for either routine maintenance, or
emergency maintenance).  The circuits are designed to take the extra load
when one or two transformers are switched out. In this case, one circuit
experienced an extra load which was still well within its design capacity,
but a relay with the wrong rating (1,020 amps instead of 5,100 amps) had
been installed on the circuit which tripped while the cable was well within
its operating capacity of 4,450 amps.

The point is that the accident was waiting to happen from the time the relay
was fitted: "basic preventive maintenance" of fixing the leak as soon as it
was found would have necessitated switching out the transformer and would
also have triggered the power outage.

Martin.Ward@private http://www.cse.dmu.ac.uk/~mward/

------------------------------

Date: Sat, 25 Oct 2003 12:35:40 +0200
From: amos083@private
Subject: Re: First DEWEY DEFEATS TRUMAN, and now YANKEES LOSE! 

A similar error, but much more embarrassing (*) had happened on Ynet,
Israel's largest news site (www.ynet.co.il): on the day the Columbia shuttle
was lost, at 16:09 local time (09:09 EST) -- the time it was due to land --
an item was released bearing the title COLUMBIA LANDED SAFELY, with some
details of what Israel's first astronaut Ilan Ramon was supposed to be doing
after landing.  The item was removed after a few minutes, but apparently not
soon enough to be copied and spread around the net for infamy.

  * For those of us who consider matters of life and death more important
    than baseball...

------------------------------

Date: Sun, 19 Oct 2003 13:20:39 -0400
From: David Graham <davidg1@private>
Subject: Yet Another eBay-Spoofing Scam

I received an unsolicited e-mail yesterday (one of the hundred or so 
unsolicited e-mails a day that I am up to now), with this link:

http://scgi.ebay.com%69%6E%64%65%78%75%70%64%61%74%65%79%6F%75%72%69%6E%66%6F%72%6D%61%74%69%6F%6E%73%65%63%75%72%65@%32%31%31%2E%31%34%32%2E%32%32%36%2E%31%36%37:%34%39%38%37/%69%6E%64%65%78%2E%68%74%6D

followed by several lines of semi-nonsense.  The link resolves to 
211.142.226.167:34/index.htm

The e-mail included a GIF which, if loaded inline, would display what looks
like a completely legitimate account verification message from eBay,
together with a faked link to a (legitimate looking) eBay URL.  The real URL
above would not be disabled, however; only covered up.  I did not try this,
but I *think* that clicking the faked link would actually load the real one
hidden underneath.

  [The attached GIF was deleted.  Vastly too long for RISKS.  PGN]

I tried to notify eBay but eventually gave that up as too much trouble.

(1) Simply forwarding suspect e-mail to abuse@private no longer works; 
all I got was a bounce directing me to a notification URL.

(2)  As always, I had to login to eBay insecurely, just to try to tell 
them about this new scam.

(3) The notification page, once I got to it, would only accept text.  No 
way to send eBay the "faked text" GIF which made this scam noteworthy 
(and potentially very effective).

Risks:
1.  Letting your browser autoload anything other than plain text.
2.  Trusting eBay not to be clueless about security.

  [Furthermore, this was the first legitimate message to RISKS among
  the week's more than 7000 spams.  It was the "notsp" that enabled me
  to spot it.  TNX!  PGN]

------------------------------

Date: Mon, 27 Oct 2003 22:21:07 -0000
From: "Andrew Yeomans" <andrew_yeomans@private>
Subject: Self-inflicted phishing

In September I received a newsletter from BT Openworld, which very kindly
warned me about "e-mails titled 'From your ISP'. You're asked to download
'new' dial-up software* - this may result in high connection charges". Later
on they helpfully offer "if you're worried that you've installed a 'fake'
dialer, simply download BT Openworld's ICM dialer to replace it. To do this,
click here...".

But the URL provided is
  http://www.digitaldataanalysis.com/btopenworld/r.emt?h=www.btopenworld.com/
  business/help/sections/0,,1_23_2_0,.html&t=IEiFHQ&e=QJmXtQtyJPQ
The headers of the message also indicate it was sent from
"BT Openworld Business Team" <btopenworld@private>

I tried asking BT Openworld whether
a) This was a "phishing" scam, or
b) They were incapable of running URL click tracking themselves.
Unfortunately their help desk was unable to give me a definitive answer, as
e-mail bounced ("mailbox full") when I tried to forward the original e-mail.

Not to be outdone, Smile on-line bank in their October newsletter say "To
find out more about the recent e-mail scam affecting various UK banks, visit
http://www.smile.co.uk". But the URL at the end is actually
  http://www.foretelsystems.com/eventmonitor/monitor.aspx
  ?cn=76&id=6936&ev=12&rd=http://www.smile.co.uk
This had Return-Path: <bounce@private>

At least their help desk could assure me "The e-mail that you attached is a
genuine e-mail, and has not been spoofed.  Fortel systems handle the smile
marketing e-mails."

So how can I tell whether future e-mails are genuine?

A case of "Give a man a phish; you might catch account details today.  
Teach a man to phish; and you have been caught for a lifetime".

Andrew Yeomans, 65 Grove Road, Tring, Herts, HP23 5PB, UK 
andrew_yeomans@private
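
[Added example, not part of either post above or of the RISKS digest: a small
Python checker that decodes the authority part of a link and reports where it
actually goes, run on the eBay-spoof URL from David Graham's message and the
Smile newsletter link from Andrew Yeomans's message.  The function names and
finding labels are assumptions of this sketch; IPv6 literals are not handled.]

```python
"""Report the real destination of a link, given the site it claims to be."""
import ipaddress
from urllib.parse import parse_qsl, unquote, urlsplit

# URLs as quoted in the two posts (joined where the digest wrapped them).
EBAY_SPOOF = (
    "http://scgi.ebay.com%69%6E%64%65%78%75%70%64%61%74%65%79%6F%75%72"
    "%69%6E%66%6F%72%6D%61%74%69%6F%6E%73%65%63%75%72%65"
    "@%32%31%31%2E%31%34%32%2E%32%32%36%2E%31%36%37:%34%39%38%37"
    "/%69%6E%64%65%78%2E%68%74%6D"
)
SMILE_LINK = (
    "http://www.foretelsystems.com/eventmonitor/monitor.aspx"
    "?cn=76&id=6936&ev=12&rd=http://www.smile.co.uk"
)


def split_authority(url):
    """Return decoded (userinfo, host, port).

    In scheme://userinfo@host:port/ everything before the last '@' is
    userinfo, however much it looks like a hostname.  The pieces are split
    first and percent-decoded afterwards, so an encoded ':' or '@' cannot
    move the boundaries.
    """
    netloc = urlsplit(url).netloc
    userinfo, _, hostport = netloc.rpartition("@")
    host, colon, port = hostport.rpartition(":")
    if not colon:  # no explicit port
        host, port = hostport, ""
    return unquote(userinfo), unquote(host).lower(), unquote(port)


def same_site(host, claimed):
    """True if host is the claimed host or one of its subdomains."""
    return host == claimed or host.endswith("." + claimed)


def analyze_link(url, claimed_host=None):
    """Return the decoded destination plus a list of warning findings."""
    parts = urlsplit(url)
    userinfo, host, port = split_authority(url)
    findings = []
    if "%" in parts.netloc:
        findings.append("percent-encoded authority")
    if userinfo:
        findings.append("text before '@' is userinfo, not the destination")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address")
    except ValueError:
        pass  # an ordinary DNS name
    if port and port not in ("80", "443"):
        findings.append("non-default port")
    if claimed_host and not same_site(host, claimed_host):
        findings.append("destination differs from claimed site")
        for key, value in parse_qsl(parts.query):
            if claimed_host in value:
                findings.append(
                    f"claimed site appears only in query parameter '{key}'"
                )
    return {"host": host, "port": port, "userinfo": userinfo,
            "findings": findings}


if __name__ == "__main__":
    for url, claimed in ((EBAY_SPOOF, "ebay.com"),
                         (SMILE_LINK, "www.smile.co.uk")):
        report = analyze_link(url, claimed)
        print(claimed, "->", report["host"], report["port"] or "(default port)")
        for finding in report["findings"]:
            print("   -", finding)
```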

------------------------------

Date: Thu, 23 Oct 2003 21:51:50 -0400
From: "Walter Regan" <regan@private>
Subject: SNAFU at the bank

On my way to work this (Thursday) morning, I heard a news item on the radio
concerning a drive-thru ATM machine at a bank. It was reported that, over
the last weekend, at least one customer had had his bank account drained by
someone who had installed a 'skimmer' over top of the card reader to copy
customers' ATM cards and a pinhole camera to capture customers'
P.I.N. numbers.

I found this story of particular interest because my wife had used that very
ATM machine on Sunday morning. So I decided to call the bank to see if my
wife's ATM card had been compromised. I dialed the number for what is
laughably called 'customer service'. An automated voice read a menu to me
detailing what information I could obtain by selecting one, two and three
and then went on to say that, if I really wanted to talk to a customer
service representative, I should select zero. I selected zero and, after a
short pause, I got a busy signal.

I decided to try again. This time I thought I might be able to pre-empt the
menu by selecting zero before it was finished. No such luck. As soon as I
selected zero, an automated voice, (which sounded very disappointed with
me), told me that I had made an invalid selection and the menu spiel
restarted from the beginning. So I waited until it had finished, selected
zero and got a busy signal again.

As it appeared that it would involve a long and frustrating ordeal to
contact the bank in question, I instead phoned the main branch of the same
bank. Surprisingly, a very obliging human being answered and, after I had
explained the problem, gave me the unlisted phone number of the manager at
the bank in question. I phoned this number, which got me to an answering
machine. I left my phone number and a brief description of the problem.

Hours later, I received a phone call from someone (not the manager) at the
bank in question. She said that my account did not seem to have been
tampered with. I asked if they could tell from the surveillance cameras when
the skimmer had been removed. She told me that the surveillance cameras
transmit the pictures directly to a central location in another city so that
they had no way to tell how long the skimmer had been installed. She said
that, for my own peace of mind, I could replace the ATM card or change the
P.I.N. number.

Several RISKS present themselves here - the vulnerability of the ATM
machines to the skimmer, the poorly designed automated answering system,
the bureaucracy that centralizes the capture of data but apparently cannot
analyze it in a timely fashion, the lackadaisical attitude.

------------------------------

Date: Mon, 20 Oct 2003 10:24:42 +0100
From: "Merlyn Kline" <merlyn@private>
Subject: Re: Top 10 data disasters (RISKS-22.96)

> This could be a result of the rush to complete work and leave early for
> the weekend on Friday afternoons, as well as a lack of staff concentration
> on Monday mornings,"

Or perhaps it could be a result of the fact that many of these cases are
precisely *not* those where human error is to blame -- computer failure
often occurs in machines running 24x7 so, given a reasonably even
distribution, around 35% of such failures will occur at the weekend and not
be discovered until Monday morning when the users arrive to discover their
data loss and ask for assistance with recovery. This will obviously give
rise to a peak in recovery activity on Mondays. Recovery "experts" should be
very familiar with this.

[...] Recovery "experts" should not be amazed by the fact that a physically
damaged computer often does not contain a completely destroyed hard drive.

RISKS readers should not be amazed to see yet another marketing
press-release reproduced as "news", even on the BBC site.  For the same to
make it into RISKS is another thing altogether...

------------------------------

Date: 30 May 2003 (LAST-MODIFIED)
From: RISKS-request@private
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  Alternatively, via majordomo,
 send e-mail requests to <risks-request@private> with one-line body
   subscribe [OR unsubscribe]
 which requires your ANSWERing confirmation to majordomo@private .
 If Majordomo balks when you send your accept, please forward to risks.
 [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
 this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
 Lower-case only in address may get around a confirmation match glitch.
   INFO     [for unabridged version of RISKS information]
 There seems to be an occasional glitch in the confirmation process, in which
 case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
   .UK users should contact <Lindsay.Marshall@private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative 
 address from which you NEVER send mail!
=> The INFO file (submissions, default disclaimers, archive sites,
 copyright policy, PRIVACY digests, etc.) is also obtainable from
 http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues.  *** All
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@private with meaningful SUBJECT: line.
 *** NEW: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: http://www.sri.com/risks
 http://www.risks.org redirects you to the Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue]
   Lindsay has also added to the Newcastle catless site a palmtop version 
   of the most recent RISKS issue and a WAP version that works for many but 
   not all telephones: http://catless.ncl.ac.uk/w/r
 http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
 http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    http://www.csl.sri.com/illustrative.html for browsing,
    http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 22.98
************************



This archive was generated by hypermail 2b30 : Mon Oct 27 2003 - 17:29:29 PST