[risks] Risks Digest 23.01

From: RISKS List Owner (risko@private)
Date: Fri Nov 07 2003 - 19:16:02 PST


    RISKS-LIST: Risks-Forum Digest  Friday 7 November 2003  Volume 23 : Issue 01
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at http://www.risks.org as
    The current issue can be found at
    Credit agencies sending our files abroad (David Lazarus via Paul Saffo)
    Crypto screwup: Sensitive Israeli missile test inadvertently broadcast
      (Craig S. Bell)
    A new risk for electronic voting (Jeremy Epstein)
    California Halts E-Vote Certification (Kim Zetter via Monty Solomon)
    Touch screen voting -- like Web site maintenance? (William Nico)
    Irish Labour Party urges suspension of e-voting until flaws addressed
      (Patrick O'Beirne)
    E-ZPass, UPS, and Newark Airport (Susan Landau)
    Microsoft puts a price on the heads of virus writers (NewsScan)
    Microsoft patches their patched patches (Robert Bruce Thompson
      via Dave Farber)
    Remember those jokes about "if AT&T built cars?" (Daniel P.B. Smith)
    Duh! an electronic signature! (Geoff Kuenning)
    Paying employees is not rocket science (Paul Robinson)
    Another victim of the d__n bad-word filter! (Adam Abrams)
    REVIEW: "High Integrity Software", John Barnes (Rob Slade)
    Abridged info on RISKS (comp.risks)
    Date: Fri, 07 Nov 2003 08:47:57 -0800
    From: Paul Saffo <psaffo@private>
    Subject: Credit agencies sending our files abroad (via Dave Farber's IP)
    David Lazarus <dlazarus@private>,
    *San Francisco Chronicle*, 7 Nov 2003 [PGN-ed]
    IP Archives at: http://www.interesting-people.org/archives/interesting-people/
    Two of the three major credit-reporting agencies (Equifax, Experian and
    TransUnion, each holding detailed files on about 220 million U.S. consumers)
    are in the process of outsourcing sensitive operations abroad, and a third
    may follow suit shortly.  Privacy advocates say the outsourcing of files
    that include Social Security numbers and complete credit histories could
    lead to a surge in identity theft because U.S. laws cannot be enforced
    overseas.  For their part, the credit agencies say the trend is a necessary
    cost-cutting move in light of new legislation that would allow all consumers
    to obtain free copies of their credit reports.  (TransUnion states that
    would cost them as much as $350 million a year.)
    "The application of American law in a foreign country is difficult, if not
    impossible," said Sen. Dianne Feinstein. "Therefore, the more companies move
    overseas, the less American law can control the uses for which personal data
    is put. And this can only represent an increasing threat to the privacy of
    our citizens."
    Sen. Barbara Boxer said she would ensure that the matter was raised as
    senators and House members completed changes to the Fair Credit Reporting
    Act.  "This information is very significant, and I intend to make sure that
    the conferees who are finalizing the bill are aware of the *Chronicle*'s
    investigation in hopes that they will protect Americans from such outrageous
    invasions of privacy," Boxer said.
    Date: Thu, 06 Nov 2003 22:38:47 GMT
    From: "Craig S. Bell" <craig@private>
    Subject: Crypto screwup: Sensitive Israeli missile test inadvertently broadcast
    A security lapse by Israel Aircraft Industries apparently permitted an
    internal screening of a missile test to be accessible by satellite dish,
        [PGN-ed; also
    Date: Thu, 6 Nov 2003 15:56:08 -0500
    From: Jeremy Epstein <jeremy.epstein@private>
    Subject: A new risk for electronic voting
    The RISKS of electronic voting have been discussed often enough in this
    forum that I won't repeat them further (cf. Rebecca Mercuri's piece in
    Last week's election in Fairfax County (Virginia) had a new risk I haven't
    seen covered before.  They use WinVote machines, made by Advanced Voting
    Solutions of Frisco, Tex.  These are essentially Windows laptops with a
    touchscreen and an 802.11 wireless net.  (More about that in another RISKS
    article one of these days.)
    Seems that during the election, at least eight of the machines failed (out
    of almost 1000 in use county-wide), and were taken out of the polling places
    to a central repair facility, and then brought back after some form of
    "repair" was made (a reboot at the polling place did not solve the problem).
    The seals were broken, but the voting officials in the precincts were told
    to resume using them.  The result was a lawsuit by the Republican party
    seeking to invalidate the votes from those machines.  There aren't enough
    votes at stake that it would change any of the election results.
    Of course, the real problem is that without any sort of physical (paper)
    record, it's impossible to prove what really happened when the machines were
    being "repaired".
    In addition, the "hi tech" vote counting (which was supposed to occur by
    uploading the results from every precinct to a central computer over a
    dial-up line) overloaded the servers, and "More than half of precinct
    officials resorted to the old-fashioned telephone to call in their numbers
    or even drove the results to headquarters, elections officials said. A
    handful of precincts went back to paper ballots."
    The only thing that's surprising here is that the election officials were
    See http://www.washingtonpost.com/wp-dyn/articles/A1397-2003Nov5.html
    Date: Tue, 4 Nov 2003 19:16:59 -0500
    From: Monty Solomon <monty@private>
    Subject: California Halts E-Vote Certification (Kim Zetter)
    Kim Zetter, Wired.Com, 3 Nov 2003
    SACRAMENTO, California -- Uncertified software may have been installed on
    electronic voting machines used in one California county, according to the
    secretary of state's office.  Marc Carrel, assistant secretary of state for
    policy and planning, told attendees Thursday at a panel on voting systems
    that California was halting the certification process for new voting
    machines manufactured by Diebold Election Systems.  The reason, Carrel said,
    was that his office had recently received "disconcerting information" that
    Diebold may have installed uncertified software on its touch-screen machines
    used in one county.  He did not say which county was involved. However,
    Secretary of State spokesman Douglas Stone later told Wired News that the
    county in question is Alameda.  ...
    Date: Wed, 5 Nov 2003 09:02:54 -0800 (PST)
    From: William Nico <nico@private>
    Subject: Touch screen voting -- like Web site maintenance?
    The 4 Nov 2003 election in Pleasanton, CA had only a School Board choice on
    the ballot.  However, the "Instructions", which comprised the opening page
    on the touch screen voting machine, were wholly focused in detail on the
    gubernatorial recall election of 7 Oct 2003!
    Date: Mon, 03 Nov 2003 19:39:55 +0000
    From: "Patrick O'Beirne" <pob2002@private>
    Subject: Irish Labour Party urges suspension of e-voting until flaws addressed
    Press Release
       Gilmore urges suspension of e-voting until flaws addressed
    Eamon Gilmore TD, Labour Spokesperson on Environment and Local Government
    Issued on Monday 03 November, 2003
    The Labour Party has called for the suspension of plans to extend electronic
    voting until the e-voting system has been changed.
    The call was made today (Monday) by the Labour Party Spokesperson on Local
    Government and the Environment, Eamon Gilmore TD, at a Press Conference to
    launch a study of electronic voting system which was commissioned by the
    Labour Party. The report was prepared by two Labour Party members, Shane
    Hogan and Robert Cochran who are both experienced IT specialists.
    Deputy Gilmore said:
    "The report identifies a number of major flaws and deficiencies in the
    electronic voting system which the Government plans to extend to all areas
    of the country for the Local and European Elections next year.
    The major defects are:-
    * No integrated end-to-end test of the entire system has been conducted to
      date. The testing of the Integrated Election Software (IES) software was
      carried out by the UK based Electoral Reform Society in 2002. However for
      this test the random mix feature of the IES was disabled. An integrated
      end-to-end test would generally be considered a key part of the
      implementation of any new technology.
    * Formal Methods were not used to prove the accuracy of the software.
      Formal Methods refer to a set of mathematically based techniques that are
      used in the development of safety-critical software such as airplane
      navigation or life support machines. The Department of the Environment has
      not made the actual source code publicly available but it is clear from
      the technology used and source code review that formal methods were not
      used and that therefore there are bugs in the software.
    * It is possible that the data-base on the Count Centre PC which is
      Microsoft Access, could be overridden by a replacement pre-prepared data
      base, which could be designed to give a specific result by a single "copy"
      command. In addition vote information is transferred between PCs at the
      Count Centre on floppy discs. It would not be difficult to exchange discs.
    * Unauthorised persons could produce a version of the NEDAP voting machine
      software and/or the IES which could be designed to give an election result
      biased in favour of a particular Party or Candidate.
    "These threats are possible because the proposed electronic voting system
    lacks the transparency of the current paper ballot system. The voter has no
    way of being certain that the vote which he/she casts is accurately recorded
    by the voting machine and software and is thereafter not overridden by a
    corruption of the Count Centre software. The voter is expected to have blind
    trust in the technology.
    "The Labour Party is proposing a number of reforms which will be necessary
    if the proposed electronic voting system is to be reliable, free from
    interference and if it is to enjoy the confidence of the public.
    "The reforms proposed by the Labour Party are as follows:-
    1. The introduction of a Voter Verifiable Audit Trail (VVAT) which would
    create a parallel paper record of votes cast which could be stored and
    checked in the event of a dispute over an election outcome.
    2. The use of Formal Methods to ensure that the software used in both the
    election machines and in the vote counting is totally reliable.
    3. The adoption of formal procedures to prevent interference either with the
    machines' software or counting process.
    4. The carrying out of an integrated end-to-end test of the entire system.
    5. The establishment of an independent audit and supervisory role over
    electronic voting for the Standards In Public Office Commission.
    "The complete changeover to electronic voting next June will be the biggest
    single change in the country's electoral practice since Independence.
    "It is essential that electronic voting has the confidence of the public and
    of the participants in elections. The system which the Government intends to
    use next June is seriously flawed. No democracy should proceed with a new
    electoral system which opposition Parties fear may lead to election rigging.
    "It is essential for continuing confidence in the electoral system that the
    proposed electronic voting be changed. The Government should suspend plans
    for the extension of electronic voting until the reforms proposed by the
    Labour Party have been implemented."
    Date: Mon,  3 Nov 2003 10:16:03 -0400
    From: Susan Landau <susan.landau@private>
    Subject: E-ZPass, UPS, and Newark Airport
      [This appeared in the Metropolitan Diary section of *The New York Times*,
      3 Nov 2003.  It is yet another example of what can happen when perfectly
      plausible actions are combined in unexpected ways.  Fortunately this one
      is humorous.  Susan Landau]
    Dear Diary:
    After moving to Nashville from New York recently, it occurred to me that I
    no longer had a pressing use for my E-ZPass. Following the E-ZPass
    instructions, I filled out a few forms and dropped my pass off at United
    Parcel Service, destination Staten Island service center.
    Two weeks passed, and I received my normal E-ZPass e-mail statement. I
    entered my account and, lo and behold, my recently surrendered pass had been
    used by someone to go from Newark Airport to Exit 18 on the New Jersey
    I was incensed.
    I immediately called E-ZPass and informed them that someone had stolen my
    pass. I explained that I had mailed the pass and that now someone was
    running up and down the turnpike using it.
    Very calmly, the E-ZPass representative said, "Sir, your E-ZPass was not
    stolen, it is in the UPS truck, and every time that truck goes through an
    E-Z Pass toll booth, it is going to register another toll."
    Date: Thu, 06 Nov 2003 08:58:12 -0700
    From: "NewsScan" <newsscan@private>
    Subject: Microsoft puts a price on the heads of virus writers
    Microsoft is using an old-fashioned tactic to fight new-fangled viruses --
    it's created a $5-million Anti-Virus Reward Program and is offering $250,000
    bounties for information leading to the arrest and conviction of the people
    behind last summer's Blaster worm and Sobig virus.  Together, those attacks
    are blamed for $2 billion in losses by businesses and consumers, according
    to consulting firm Computer Economics Inc.  Security experts are split on
    whether the new initiative will prove successful, but Microsoft senior
    security strategist Philip Reitinger says, "What we hope to accomplish is to
    give people an incentive to do the right thing." [*Los Angeles Times*, 6 Nov
    2003; NewsScan Daily, 6 Nov 2003]
      [The sad part is that for $5M, MS cannot fix its deeper computer security
      problems, so that expenditure will not solve their problems.  On the other
      hand, if MS spent $2B rearchitecting and reimplementing their software,
      think what might be done!  (On the other hand, I recall the period in the
      1970s when IBM reportedly spent $40M on improving its mainframe computer
      security.  The old joke at the time was that they spent $39M on public
      relations and $1M on travel.)  PGN]
    Date: Mon, 03 Nov 2003 11:34:47 -0500
    From: Robert Bruce Thompson
    Subject: Microsoft patches their patched patches (IP)
      (via Dave Farber's IP, with an addition forward from Mark Luntzel)
    For years, the conventional wisdom has been that one can't trust Microsoft
    software until version 3.0, and that apparently is true for their security
    patches as well.
    The middle of last month, with much fanfare, Microsoft went to their new
    scheme of releasing patches in batches once a month. A week or so later,
    they released batches of patches to those batches of patches. Now, they're
    releasing batches of patches to the batches of patches to the batches of
    For details, see:
    These batches and batches of patched patched patches are critical, so
    don't ignore them. And, the way things are going, look for batches and
    batches of patched patched patched patches sometime next week.
    Robert Bruce Thompson <thompson@private>
    http://www.ttgnet.com/thisweek.html  http://forums.ttgnet.com/ikonboard.cgi
    Date: Sat, 01 Nov 2003 14:38:40 -0500
    From: "Daniel P.B. Smith" <dpbsmith@private>
    Subject: Remember those jokes about "if AT&T built cars?"
    ... those humorous pieces that point out the ludicrous unusability of
    computer user interfaces by speculating on what a car with a similar user
    interface might be like?  Well, don't laugh too hard...  *The Boston Globe*
    auto writer Royal Ford just published an article headed: "For drivers,
    electronic overload."
    *The Boston Globe*, 1 Nov 2003
      "To start the heater or air conditioning in the [a 2-year old Acura] MDX,
      you start with the dashboard navigation screen, then make your way through
      a series of baffling electronic menus, through climate control and
      beyond.... 'It's a distraction while you're driving,' [owner Stuart
      Schneiderman] said....  The system in the [BMW] 7 Series... remains a
      landmark in complexity, using a dial between the front seats to reach
      eight "points" of control. Each point then controls a multilayered system
      of options that many drivers have found to be like peeling an electronic
      onion....  the system proved so complicated that Web sites have offered
      "cheats," hidden shortcuts like those used by video gamers.... the Lexus
      LS430 [has] one of the most manageable electronic... but the manual for
      the system runs to 178 pages."
    To anyone who's ever had the window of a rental car frost up in traffic,
    while leaving an airport, with no place to pull over and no companion handy
    to dig out the owner's manual and locate the right button... the RISKS
    should be obvious.
    Daniel P. B. Smith, dpbsmith@private alternate: dpbsmith@private
    Date: Mon,  3 Nov 2003 23:39:07 -0800 (PST)
    From: Geoff Kuenning <geoff@private>
    Subject: Duh! an electronic signature!
    I just finished submitting a reference letter to the Hertz Foundation for a
    student.  This process is done through a Web form.  The foundation requires
    an electronic signature on the recommendation.  The signature is collected
    by presenting the recommender with a Web page reading something like this:
        I certify that I am the person named below:
        (type name in box)
    Even my wife, who is a musician by profession, reacted with "Oh, yeah,
    *that's* real secure!"
    I suggest that instead, the foundation should simplify my life by
    simply providing a check box labeled "This recommendation is forged."
    Geoff Kuenning   geoff@private   http://www.cs.hmc.edu/~geoff/
    Date: Tue, 28 Oct 2003 23:31:25 GMT
    From: Paul Robinson <postmaster@private>
    Subject: Paying employees is not rocket science
    WBIG radio reported Friday that there was a protest by employees of the
    Prince George's County [Maryland] School District over payroll problems.
    The School District has installed a new computer system and apparently is
    unable to generate payroll checks for quite a number of employees including
    school bus drivers.  This is also causing problems with their health
    insurance as well.  Some of the employees report that they have not been
    paid since the start of the school year.  A School District spokesperson
    reportedly said they are working with Oracle to find where the problem is.
    My own comment is that something is really strange here.  I used to do
    payrolls myself, by hand.  Generally you do them by computer because it's
    cheaper than using lots of clerks and because it scales better.  But as this
    article's title noted, payrolls are not some arcane subject, the method to
    do them is pretty much cut and dried and has been probably since the 1970s
    or 1980s with the standard accounting rules in effect.  The only issue is
    for the number of employees that the computer system will scale properly.
    Let's presume PG county has perhaps 30,000 employees at the school district.
    If it takes an average of 10 seconds - obviously more than it actually takes
    - to do all required calculations for each check, such as what deductions,
    what payments, and how salary is computed, then they need 300,000 seconds to
    calculate payroll, or roughly about 84 hours.  Split this onto 10 PCs and it
    takes 1 day. Probably 4 hours on a mainframe.
    Basically the most labor intensive part of this is keeping the laser
    printers full of check stock.  There's something wrong with the picture
    Date: Mon, 03 Nov 2003 11:04:59 -0800
    From: Adam Abrams <adamabrams@private>
    Subject: Another victim of the d__n bad-word filter!
    I tried to register as a user at collectorcartraderonline.com in order to
    save a search. Filled out everything, clicked "submit", and got this odd
    message: "This e-mail address has been flagged as inadmissible and you are
    unable to place an ad."
    This could mean any number of things ranging from benign (I'd already
    registered and forgotten about it) to downright unsettling (I'm on some
    secret government hit list). OK, maybe the second one is unlikely, but it
    was still disturbing...
    An e-mail cleared it all up: I'm the latest victim of the "bad word filter".
    As they put it: "The reason that you are unable to create an account is due
    to your e-mail address containing a vulgar word that has been flagged by our
    bad word table."
    I had to call their toll free line to have an actual human sign me up. While
    on hold, I studied my e-mail address with fresh and suspicious eyes. It's my
    full name + provider, "adamabrams@shaw(dot)ca". Even before the days of
    e-mail, I'd never noticed anything even slightly vulgar about my name. Could
    it be "bra"? They might have me flagged as a ladies-undergarment fetishist.
    "rams"? Maybe the L.A. football team has had an obscenely bad season. No, it
    was "dam". That's right, even _misspelled_ bad words set off the alarm. So
    I'm also being punished for other people's illiteracy.
    I guess the RISK is mainly that they'll lose customers due to an overzealous
    data filter that flags letter combinations that appear in many everyday
    (Turns out the rep entered part of my address incorrectly, but when I logged
    in to correct my profile, my e-mail triggered the same bad-language flag
    again! OK... I give up.)
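
Added example, not part of the original post and not the site's code: a sketch of the substring match that would reject the address above because it contains "dam", next to a token-based check that would not. The table contents, the function names and every sample address except the local part "adamabrams" are constructed for illustration.

```python
import re

# Constructed bad-word table: the post confirms only that "dam" was the
# entry that fired; the site's real table is not shown on the page.
BAD_WORD_TABLE = frozenset({"dam"})


def substring_hits(address, table=BAD_WORD_TABLE):
    """Behaviour described in the post: any table entry found anywhere
    in the address string counts as a hit."""
    lowered = address.lower()
    return sorted(word for word in table if word in lowered)


def token_hits(address, table=BAD_WORD_TABLE):
    """Alternative check: split the local part on non-letters and flag
    only tokens that equal a table entry exactly."""
    local_part = address.lower().split("@", 1)[0]
    tokens = {t for t in re.split(r"[^a-z]+", local_part) if t}
    return sorted(tokens & table)


def false_positives(addresses, table=BAD_WORD_TABLE):
    """Addresses rejected by substring matching but accepted by token
    matching, mapped to the table entries that fired."""
    return {
        addr: substring_hits(addr, table)
        for addr in addresses
        if substring_hits(addr, table) and not token_hits(addr, table)
    }


# Constructed sample; only the local part "adamabrams" comes from the post.
SAMPLE = [
    "adamabrams@example.com",       # name contains "dam"
    "amsterdam.sales@example.com",  # place name contains "dam"
    "j.smith@rotterdam.example",    # hit comes from the domain alone
    "dam@example.com",              # whole token equals the entry
    "jsmith@example.com",           # no hit at all
]

if __name__ == "__main__":
    for addr, words in false_positives(SAMPLE).items():
        print(f"{addr}: rejected only because it contains {words}")
```

Token matching gives up detection of entries embedded inside longer strings in exchange for not rejecting ordinary names, so the table and the matching rule need to be reviewed together against real registration data.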
    Date: Mon, 3 Nov 2003 07:08:12 -0800
    From: Rob Slade <rslade@private>
    Subject: REVIEW: "High Integrity Software", John Barnes
    BKHISTSA.RVW   20030913
    "High Integrity Software", John Barnes, 2003, 0-321-13616-0
    %A   John Barnes
    %C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
    %D   2003
    %G   0-321-13616-0
    %I   Addison-Wesley Publishing Co.
    %O   416-447-5101 fax: 416-443-0948 800-822-6339 bkexpress@private
    %O  http://www.amazon.com/exec/obidos/ASIN/0321136160/robsladesinterne
    %O   http://www.amazon.ca/exec/obidos/ASIN/0321136160/robsladesin03-20
    %P   430 p. + CD-ROM
    %T   "High Integrity Software: The SPARK Approach to Safety and
    Once upon a time, a group set out to build a language which would allow you
    to write programs that could be formally verified.  Formal analysis and
    proof can be used to determine that a program will work the way you want it
    to, and not do something very weird (usually at an inopportune time).  First
    came the attempt to build the Southampton Program Analysis Development
    Environment (or SPADE) using a subset of the Pascal programming language.
    When it was determined that Pascal wasn't really suitable, research was
    directed to Ada, and the SPADE Ada Kernel, or (with a little poetic licence)
    SPARK, was the result.
    SPARK can be considered both a subset and extension to Ada, but is best seen
    as a separate language in its own right.  SPARK forbids language structures
    such as the infamous GOTO statement of Fortran and BASIC (which cannot be
    formally verified).  Support for some object-oriented features has been
    included in SPARK, but not for aspects like polymorphism which would make
    formal proof problematic.  A great deal of the security of SPARK lies in the
    idea of contracts and the use of data specifications (usually referred to as
    interfaces) that prevent problems such as the unfortunately
    all-too-ubiquitous buffer overflow.
    Part one is an overview of the background and features of SPARK.  Chapter
    one reviews some of the problems of unproven software, and the major
    components of SPARK.  Support for the formal proof functions, such as
    abstraction (the elimination of details not essential to the fundamental
    operation of the concept or function) are discussed in chapter two.  The
    various analysis tools are listed in chapter three.
    Part two outlines the SPARK language itself.  Chapter four describes the
    structure of SPARK and the lexical items it contains.  Language elements are
    covered in chapters five, six, and seven, successively dealing with the type
    model and operators, control and data flow, and packages and visibility
    (local, global, etc.) which also reviews the object-oriented aspects of
    SPARK.  Interfacing of the various parts of SPARK, and also of SPARK and
    other languages, is in chapter eight.
    Part three looks at the various analytical utilities in SPARK and the proof
    process.  Chapter nine concentrates on the main Examiner tool.  A
    mathematical discussion of data flow analysis, in chapter ten, is not
    necessary to the operation of SPARK, but provides background and
    explanation.  Verification, and the instruments that support it, are
    reviewed in chapter eleven.  Chapter twelve examines the rather vague
    practice of design, and proposes the INFORMED (INformation Flow Oriented
    MEthod of Design) process, although it seems to be limited to some
    admittedly useful principles.  A list of similar precepts makes up the
    eponymous programming "Techniques" of chapter thirteen.  Chapter fourteen
    retails a number of case studies of the possible use of SPARK for various
    applications: the simpler ones also contain source code.
    Both the writing in the book, and the explanations of SPARK, are clear.
    Formal methods of architecture and programming are not well understood, and
    this text does provide some justification for the exercise, although more
    evidence and support would be welcome.  I recommend this work not only to
    those interested in more secure applications development, but also to those
    needing more information about formal methods in composition and system
    copyright Robert M. Slade, 2003   BKHISTSA.RVW   20030913
    rslade@private      slade@private      rslade@private
    victoria.tc.ca/techrev/mnbksc.htm sun.soci.niu.edu/~rslade/secgloss.htm
    Date: 30 May 2003 (LAST-MODIFIED)
    From: RISKS-request@private
    Subject: Abridged info on RISKS (comp.risks)
     The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
     if possible and convenient for you.  Alternatively, via majordomo,
     send e-mail requests to <risks-request@private> with one-line body
       subscribe [OR unsubscribe]
     which requires your ANSWERing confirmation to majordomo@private .
     If Majordomo balks when you send your accept, please forward to risks.
     [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
     this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
     Lower-case only in address may get around a confirmation match glitch.
       INFO     [for unabridged version of RISKS information]
     There seems to be an occasional glitch in the confirmation process, in which
     case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
       .UK users should contact <Lindsay.Marshall@private>.
    => SPAM challenge-responses will not be honored.  Instead, use an alternative 
     address from which you NEVER send mail!
    => The INFO file (submissions, default disclaimers, archive sites,
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues.  *** All
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risks@private with meaningful SUBJECT: line.
     *** NEW: Including the string "notsp" at the beginning or end of the subject
     *** line will be very helpful in separating real contributions from spam.
     *** This attention-string may change, so watch this space now and then.
    => ARCHIVES: http://www.sri.com/risks
     http://www.risks.org redirects you to the Lindsay Marshall's Newcastle archive
     http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue]
       Lindsay has also added to the Newcastle catless site a palmtop version 
       of the most recent RISKS issue and a WAP version that works for many but 
       not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing,
        http://www.csl.sri.com/illustrative.pdf or .ps for printing
    End of RISKS-FORUM Digest 23.01
