RISKS-LIST: Risks-Forum Digest  Weds 3 December 2003  Volume 23 : Issue 05

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at http://www.risks.org as
  http://catless.ncl.ac.uk/Risks/23.05.html
The current issue can be found at
  http://www.csl.sri.com/users/risko/risks.txt

  Contents:
Two loose screws killed Disneyland rider (PGN)
US railroad uses Wi-Fi to run 'driverless' trains (Lars Kongshem)
Nuclear plant shut down by lightning strike (Fuzzy Gorilla)
Tanker Truck Shutdown Via Satellite (Fuzzy Gorilla)
Microsoft Windows, Auto Edition (Andrew Whitby)
What Bill Gates Says About Security (from InformIT) (Dawn Cohen)
Another large gas bill (Amos Shapir)
UK MoD scraps 120-million-pound computer project (Fuzzy Gorilla)
How Much Is Privacy Worth? (Monty Solomon)
Government e-mails apparently sent to hairdresser (Neil Youngman)
'Master' and 'slave' computer labels unacceptable, LA officials say (Henry Baker)
Security subtleties (identity withheld by request)
Man trapped for hours by payphone (Mark Brader)
Debian security breach and forensic analysis (Gerrit Muller)
Re: Security patching: a story from the trenches (Walter Dnes)
Dangerous looking e-mail from quickbooks (Kyle York)
Re: In-Security clearance (Peter H. Coffin)
Re: Amber Alert, Coming to the Inbox Nearest You (Timothy Knox)
Re: Cehck tihs out! (Rodney Hoffman)
ANNOUNCE: New mailing list for secure application development, SC-L
  (Kenneth R. van Wyk)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 26 Nov 2003 15:17:15 -0800 (PST)
From: Peter G Neumann <neumann@private>
Subject: Two loose screws killed Disneyland rider

Improper maintenance and inadequate operator training are being blamed for the death of the rider of the Big Thunder Mountain Railroad roller coaster at Disneyland on 5 Sep 2003. The lead car lost its rear-wheel assembly and hit the tunnel roof, causing the following passenger car to go underneath it. The train had just been returned to service after routine maintenance three days earlier. Unusual noises were noted on the first 12 trips of the day, and operators had planned to take the train off line after the 13th ride -- which never finished. Subsequent analysis showed that two screws had not been properly tightened. [PGN-ed from cnn.com]
http://www.cnn.com/2003/US/West/11/26/disneyland.accident.ap/index.html

------------------------------

Date: Fri, 21 Nov 2003 11:52:30 -0800
From: Lars Kongshem <lars.kongshem@private>
Subject: US railroad uses Wi-Fi to run 'driverless' trains

"The Burlington Northern and Santa Fe Railway Company (BNSF) has found a novel use for Wi-Fi. It has started using the wireless networking technology to control trains remotely. BNSF locomotives carry freight across the continental US. However, it is using wireless technology to move units around its rail yards.... (Drivers) operate a control panel that mirrors what they'd see if they were sitting in the cab. Their instructions are relayed to each loco via the 'industrial strength' WLAN."

Given Wi-Fi's security problems, this novel use of 802.11 certainly gives a new meaning to the word "loco"!

[Source: *The Register*, Nov 20 2003]
http://www.theregister.co.uk/content/69/34101.html

Lars Kongshem, 2220 Taylor St.
Suite D, San Francisco, CA 94133  1-415.606.5277
lars.kongshem@private + http://www.kongshem.com

  [Of course, if they were carrying fruit, it would be PLUM LOCO.  PGN]

------------------------------

Date: Sun, 16 Nov 2003 21:30:42 -0500
From: Fuzzy Gorilla <fuzzygorilla@private>
Subject: Nuclear plant shut down by lightning strike

A 15 Sep 2003 lightning strike in Chester County, Pennsylvania, shut down a pair of nuclear reactors 36 miles away at the Peach Bottom Atomic Power Station. Early that morning, lightning struck a PECO power line in East Bradford Township, near West Chester. A circuit breaker failed to isolate the damaged power line, cutting off electricity to more than 100,000 PECO customers and three PECO/Exelon plants -- Peach Bottom, Conowingo (Md.) Hydroelectric Station and Muddy Run Pumped Storage Facility in Holtwood. ...

At least two complications occurred at Peach Bottom as the reactors were shutting down, according to a preliminary report issued by the NRC. One of four emergency generators failed, and a safety relief valve used to control steam pressure initially stuck open.

The NRC has decided to penalize Exelon because the September shutdown was the fourth at Unit 2 in less than a year. The reactor tripped off unexpectedly 21 Dec 2002, when a computer failure caused steam isolation valves to close. On 21 Apr, the valves closed and shut the reactor again because of instrument problems on an air line. The unit also was down from 22 Jul to 1 Aug because of generator problems.

[Source: Article by Rebecca J. Ritzel, (Lancaster) *Intelligencer Journal*, date not available, but prior to 19 Nov, anticipating a public meeting of Nuclear Regulatory Commission officials; PGN-ed, but URL no longer valid.]
http://www.yorkdispatch.com ------------------------------ Date: Sun, 16 Nov 2003 21:05:12 -0500 From: Fuzzy Gorilla <fuzzygorilla@private> Subject: Tanker Truck Shutdown Via Satellite [The obvious RISKS -- when mandated by law, that a terrorist would be unaware of the need to disable the system; and that no cracker would ever find out the needed signal and shut down a truck for 'fun'; and that no GPS or other systems failure might cause a truck to be shut down incorrectly by law enforcement -- are probably obvious to any RISKS reader.] Satellite Security Systems (S3), in cooperation with the California Highway Patrol (CHP) and InterState Oil Company, dramatically demonstrated the first wireless remote shutdown of a fully loaded moving petrochemical tanker truck. From S3's headquarters in San Diego (530 miles away), "satellite communications were used to disable the truck in seconds, proving S3's GlobalGuard and FleetGuard a viable solution to the challenge of controlling rogue hazardous waste vehicles that could pose a threat to homeland security." While the California state government may be voting as early as January on Assembly Bill (AB) 575 (requiring truck disabling devices, global positioning or other "location reporting systems" on hazardous material haulers), the CHP has been tasked with researching various technologies to support these regulatory initiatives. [PGN-ed from *SpaceDaily*, 4 Nov 2003] http://www.spacedaily.com/news/gps-03zn.html ------------------------------ Date: Tue, 2 Dec 2003 12:44:07 +1000 (GMT+1000) From: Andrew Whitby <s358831@private> Subject: Microsoft Windows, Auto Edition The Associated Press reports: First Microsoft set out to put a computer in every home. Now the software giant hopes to put one in every vehicle, too. "We'd like to have one of our operating systems in every car on Earth," said Dick Brass, the vice-president of Microsoft's automotive business unit. "It's a lofty goal." 
Cars with the Microsoft software will speak up when it's time for an oil change. They'll warn drivers about wrecks on the road ahead and scout alternative routes. They will pay freeway tolls automatically. The software running their brakes will upgrade itself wirelessly.

I can see it now. "A security update is available for your braking system. Press okay to begin installation." Apparently the RISKS are not obvious to everyone.

------------------------------

Date: Mon, 17 Nov 2003 11:48:34 -0500
From: "Dawn Cohen" <COHEND@private>
Subject: What Bill Gates Says About Security (from InformIT)

InformIT, 13 Nov 2003: What Bill Gates Says About Security

"You don't need perfect code to avoid security problems. There are things we're doing that are making code closer to perfect, in terms of tools and security audits and things like that. But there are two other techniques: one is called firewalling, and the other is called keeping the software up to date. None of these problems (viruses and worms) happened to people who did either one of those things. If you had your firewall set up the right way -- when I say firewall I include scanning E-mail and scanning file transfer -- you wouldn't have had a problem.

"But did we have the tools that made that easy and automatic and that you could really audit that you had done it? No. Microsoft in particular and the industry in general didn't have it.

"The second is just the updating thing. Anybody who kept their software up to date didn't run into any of those problems, because the fixes preceded the exploit. Now the times between when the vulnerability was published and when somebody has exploited it, those have been going down, but in every case at this stage we've had the fix out before the exploit."....

"Actually, all the forms of Unix (as well as Linux) have had more vulnerabilities per line of code. They don't propagate as much because they're not as dense as our system is, so the things that prevent the propagation are particularly important for our world."

http://www.informit.com/content/index.asp?product_id=%7BEF1DDC0F-F7BB-47F2-A1AC-00FCB4BCCC39%7D&111603

------------------------------

Date: Mon, 1 Dec 2003 13:31:32 +0200
From: amos083@private
Subject: Another large gas bill

Commenting on a complaint from a Mr Arthur Purdey about a large gas bill, a spokesman for North Westgas said, "We agree it was rather high for the time of year. It's possible Mr Purdey has been charged for the gas used up during the explosion that destroyed his house." (*The Daily Telegraph*)

------------------------------

Date: Sun, 16 Nov 2003 20:46:03 -0500
From: Fuzzy Gorilla <fuzzygorilla@private>
Subject: UK MoD scraps 120-million-pound computer project

Sources:
John Leyden, 6 Nov 2003, The Register,
  http://www.theregister.co.uk/content/7/33831.html
Sara Arnott, 5 Nov 2003,
  http://www.computing.co.uk/News/1147382
Also
  http://www.femail.co.uk/pages/standard/article.html?in_article_id=201440&in_page_id=2

Britain's Ministry of Defence squandered 118 million pounds on a computer system that was axed before ever being used. The Defence Stores Management Solution was designed to modernise the MoD's inventories of equipment. (Hardware valued at 12.2 million pounds was salvaged and not included in the 118M figure.) The system had been expected to save 650 million pounds in its first ten years.

A report on the collapse of the project (begun in 1999) was released in mid-November. Reasons given included that "developments in defence logistics" had rendered the project obsolete, but the report also indicated management weaknesses at every level:

"The MoD had no framework to assess and manage deliverability once projects were launched; the DLO lacked effective change management support and co-ordination; and the BCP suffered from poor financial governance, weak benefits management, poor communications and a failure to establish an effective programme management organisation. ... The review also noted weaknesses in the scrutiny and approvals process. Although BCP projects, including the DSMS, did not meet the Department's requirements in important areas -- especially on affordability and benefits management -- the projects were not rejected."

------------------------------

Date: Wed, 3 Dec 2003 09:01:22 -0500
From: Monty Solomon <monty@private>
Subject: How Much Is Privacy Worth?

The Supreme Court will hear oral arguments today over whether the federal government should reimburse individuals whose sensitive data was disclosed illegally, even if no harm can be proven. The Privacy Act of 1974 prohibits the government from disclosing private information intentionally, without the individual's consent, and provides for a $1,000 minimum fine if the individual is "adversely affected."

In the case, known as Doe v. Chao, the Department of Labor distributed the Social Security number of a coal miner who was appealing for black lung benefits. Since 1969, the Labor Department has used miners' Social Security numbers as their case numbers on documents shared with coal companies, insurance companies and lawyers for all sides. Those documents also were published in court filings that later ended up in legal databases.
[Ryan Singel, wired.com, 3 Dec 2003; PGN-ed] http://www.wired.com/news/privacy/0,1848,61439,00.html ------------------------------ Date: Sun, 16 Nov 2003 21:21:40 +0000 From: Neil Youngman <n.youngman@private> Subject: Government e-mails apparently sent to hairdresser According to this BBC article, a hairdresser called Ronnie Campbell received e-mails apparently intended for a Member of Parliament (MP), called Ronnie Campbell. Usual RISKS apply. http://news.bbc.co.uk/1/hi/uk/3267221.stm ------------------------------ Date: Thu, 27 Nov 2003 23:09:22 -0800 From: Henry Baker <hbaker1@private> Subject: 'Master' and 'slave' computer labels unacceptable, LA officials say FYI -- In Tinseltown, bus 'slaves' must go to the end of the line... This gives a whole new meaning to 'PC' language. Please update your cable labels. Los Angeles officials have asked that manufacturers, suppliers, and contractors stop using the terms "master" and "slave" on computer equipment, saying such terms are unacceptable and offensive -- after someone had filed a discrimination complaint with LA County's Office of Affirmative Action Compliance. "Based on the cultural diversity and sensitivity of Los Angeles County, this is not an acceptable identification label," Joe Sandoval, division manager of purchasing and contract services, said in a memo sent to County vendors. [PGN-ed from Reuters item] http://www.cnn.com/2003/TECH/ptech/11/26/master.term.reut ------------------------------ Date: Thu, 9 Jan 2003 From: [identity withheld by request] Subject: Security subtleties I work at a large institution which shall remain nameless. I was recently involved in the evaluation of a product from a company which I will call Company X. The product consists of a Linux server that is sealed in a way that it is impossible to open the box without leaving evidence of tampering. 
During the course of the normal operation of the product it was installed behind our firewall, and it made copies of sensitive data accessible on our intranet. The loan agreement stipulated that before the box could be returned, our sensitive data had to be deleted from the disks. The box had a built-in "self-destruct" feature that was supposed to accomplish this. Unfortunately, self-destruct was a little too thorough: it not only erased all the data, but it erased the operating system as well, leaving the box unbootable.

The problem with this is no doubt immediately obvious to long-time Risks readers: if the box is unbootable then we have no way of verifying that the data is in fact gone. For all we know, self-destruct only erases the boot sector.

I raised this objection with representatives of Company X. They suggested that instead of running self-destruct that I use the standard Web-based control interface to erase the data. No, this wouldn't work either, I explained, because again there is no way to verify that the data has actually been erased. For all we know, the only thing that is actually erased is a symlink. They suggested "running a big magnet over the box." Same problem of course.

I pointed out that the only way for us to verify that the data was in fact gone would be to examine the disk, which meant one way or another obtaining either root or physical access. They refused to allow this because (they said) they were concerned about us stealing the software. We went back and forth about this literally for months, and I was astonished how hard it was for people to grasp the concept that just because you can't see the data through an HTTP interface doesn't mean it's not there.

We finally arrived at the following compromise: Company X would send a representative to our site where the rep would witness the invocation of the self-destruct feature, after which we would open the box, remove the disks, and install them on another machine where they could be examined and/or further wiped.

The big day finally arrived, and we ran self-destruct according to the directions. Oddly, there was no indication when the process was finished. We waited five minutes (the prescribed amount of time). At that point the company rep said he wanted to log in to the machine to make sure that it had worked properly. I was shocked, shocked! to discover that in fact self-destruct seemed to have done absolutely nothing. All the files were still there, both our data and those of Company X. At that point the rep typed "rm -rf /". He then proceeded to open the box, take out the disk (turned out there was only one), and give it to me. He then took the box (sans disk) with him and left.

This story is fraught with subtle ironies, not least of which is the amount of trouble Company X went through to prevent us from stealing their software, only to leave it with us in a pretty easily recoverable form (to say nothing of the fact that in the interim we had actually purchased the product, so if we wanted to open it up and steal their software nothing would have prevented us from doing so). But the most worrisome aspect of this story is that apparently, among many dozens of customers who evaluated the product, I was the only one to raise any security concerns. Company X's attitude throughout the whole affair was, essentially, "Gee, we never thought of that. No one else ever complained." (And Company X has a reputation for technical savvy.)

So I'm off to go through Company X's dumpsters. I expect to be able to retire off what I find there.
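The point of the story above is that "rm -rf /", a web-interface erase button, or an unverifiable self-destruct proves nothing about the bytes on the platter; the only trustworthy check is the one the submitter asked for, which is to read the raw disk. The following is an added example, not part of the RISKS item and not Company X's product: it builds a small constructed disk image in memory with a hypothetical toy layout (block 0 is a flat directory, data lives in the blocks after it), "deletes" a file the way an unlink does, scans the raw bytes for the sensitive content, then does an overwrite and scans again. The file name, the sample record and the block geometry are all invented for the demonstration.

```python
import re
import secrets

BLOCK = 512          # bytes per block (constructed toy geometry)
N_BLOCKS = 64        # a 32 KiB "disk"

# Block 0 is a flat directory: one "name:start_block:length\n" entry per file.
# Blocks 1.. hold file contents.  This is a hypothetical layout for the demo,
# not any real file system, but the unlink/overwrite distinction is the same.
class ToyDisk:
    def __init__(self):
        self.raw = bytearray(BLOCK * N_BLOCKS)
        self.next_free = 1

    def _entries(self):
        text = bytes(self.raw[:BLOCK]).rstrip(b"\x00").decode()
        return [line.split(":") for line in text.splitlines() if line]

    def _write_dir(self, entries):
        blob = "".join(f"{n}:{s}:{l}\n" for n, s, l in entries).encode()
        self.raw[:BLOCK] = blob.ljust(BLOCK, b"\x00")

    def list_files(self):
        return [n for n, _, _ in self._entries()]

    def write_file(self, name, data):
        start = self.next_free
        self.raw[start * BLOCK : start * BLOCK + len(data)] = data
        self.next_free += -(-len(data) // BLOCK)
        self._write_dir(self._entries() + [(name, str(start), str(len(data)))])

    def unlink(self, name):
        """What 'rm' does: drop the directory entry, leave the data blocks alone."""
        self._write_dir([e for e in self._entries() if e[0] != name])

    def overwrite_and_unlink(self, name):
        """A verifiable wipe: overwrite every block the file occupied
        (random pass, then zeros) before dropping the entry."""
        for n, s, l in self._entries():
            if n == name:
                start, nblocks = int(s), -(-int(l) // BLOCK)
                lo, hi = start * BLOCK, (start + nblocks) * BLOCK
                self.raw[lo:hi] = secrets.token_bytes(hi - lo)
                self.raw[lo:hi] = bytes(hi - lo)
        self.unlink(name)

# Markers a reviewer would grep the raw medium for (constructed patterns).
SENSITIVE = [re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),   # SSN-shaped
             re.compile(rb"CONFIDENTIAL")]

def scan_raw(raw, patterns=SENSITIVE):
    """Search the raw medium, not the file system: returns (offset, match) pairs."""
    return sorted((m.start(), m.group()) for p in patterns for m in p.finditer(raw))

def nonzero_fraction(raw):
    """Coarse post-wipe check: how much of the medium is still non-zero."""
    return sum(1 for b in raw if b) / len(raw)

# Constructed sample standing in for the "sensitive data" of the story.
SAMPLE = (b"CONFIDENTIAL payroll export (constructed sample)\n"
          b"Doe,John,123-45-6789,coal miner\n")

def demo(wipe):
    """Build a disk, store SAMPLE, remove it via `wipe`, then inspect the raw bytes."""
    disk = ToyDisk()
    disk.write_file("payroll.csv", SAMPLE)
    wipe(disk, "payroll.csv")
    raw = bytes(disk.raw)
    return disk.list_files(), scan_raw(raw), nonzero_fraction(raw)

if __name__ == "__main__":
    for label, wipe in [("rm -rf equivalent", ToyDisk.unlink),
                        ("overwrite then unlink", ToyDisk.overwrite_and_unlink)]:
        files, hits, nz = demo(wipe)
        print(f"{label}: directory lists {files}, raw scan hits {hits}, "
              f"non-zero fraction {nz:.4f}")
```

Run as-is it prints both outcomes: after the unlink the directory is empty yet the raw scan still finds the record one block in, which is the "only a symlink was erased" case from the story; after the overwrite the scan finds nothing and the medium is all zeros. On a real box the equivalent procedure is the one the submitter negotiated for: pull the disk, image it on another machine, and run the scan against the image rather than asking the product's interface whether the data is gone.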
------------------------------

Date: Tue, 18 Nov 2003 14:36:33 -0500 (EST)
From: msb@private (Mark Brader)
Subject: Man trapped for hours by payphone

A man in East St. Louis got his middle finger stuck in a payphone's coin-return slot. Fortunately, this also meant that when he realized he needed to call 911, there was a payphone conveniently... *at hand*. Eventually the phone was removed and taken, with the victim, to a hospital emergency room where doctors managed to pry them apart. See e.g. <http://www.guardian.co.uk/uslatest/story/0,1282,-3402400,00.html>.

  [This is known as giving him the finger back. An overzealous knee-jerk response to this episode might be to get rid of the few payphones that remain. PGN]

------------------------------

Date: Wed, 03 Dec 2003 12:41:24 +0100
From: Gerrit Muller <gerrit.muller@private>
Subject: Debian security breach and forensic analysis

The text below was sent to me by Auke Jilderda. The original e-mail is from the debian mailing list. This is a very readable and interesting case description of an intrusion of a software repository.

The Debian Project http://www.debian.org/
Debian Investigation Report press@private
December 2nd, 2003

Debian Investigation Report after Server Compromises

The Debian administration team and security experts are finally able to pinpoint the method used to break into four project machines. However, the person who did this has not yet been uncovered.

The package archives were not altered by the intruder. The Debian administration and security teams have checked these archives (security, us, non-us) quite early on in the investigation and re-installation process. That's why the project was able to open up the security archive again and confirm that the stable update (3.0r2) wasn't compromised.

  [Truncated for RISKS. See <http://www.debian.org/> for the complete report. PGN]

------------------------------

Date: Sat, 15 Nov 2003 16:49:17 -0500
From: Walter Dnes <waltdnes@private>
Subject: Re: Security patching: a story from the trenches (Rex Black, R-23.03)

A more accurate subject would be "Risks of updating Internet-insecure computers via the Internet". Rex Black had a computer that was not secure to connect to the Internet. So he connected to the Internet in order to download patches to secure the computer; what's wrong with this picture?

Browsing through my router logs, I see approximately 3 hits per minute on port 135 today, i.e. approximately one every 20 seconds. The Blaster patch is 918576 bytes, which would take 3 minutes to download on a v90 dialup. A 33.6 dialup will take approximately 4 minutes. During this timespan he would get 9 to 12 hits on port 135, and be COM-promised (sorry) long before the download was complete.

This is a prime example of why he needed yet another computer, preferably with a different enough OS that it is not vulnerable at the same moment. I downloaded the Blaster patch from Microsoft's website using Mozilla Firebird on a Linux machine. A Mac running Safari would probably have worked just as well. The patch is small enough to fit on a floppy and could have been moved to the laptop that way. Even if the patch was too large for a floppy, he could've used another computer to check Norton's and/or Microsoft's website, and find out which ports to block to temporarily protect himself whilst downloading the patch.

So much for criticism; what solution do I offer? I suggest a "safe mode" Internet connection option be available for these situations. It would require stateful firewalling that would, by default, reject *ANY* packets from IP addresses and ports that the machine had not initiated a connection with. Actually, it wouldn't be a bad idea for the average home user 100% of the time. The only holes normally necessary to allow in the firewall would be for...

* NETBEUI for other *LOCAL* machines; *NOT* including machines on the Internet side of the connection

* Active-mode FTP initiates a second connection back to the client. Stateful firewalling can handle this.

Other exceptions would be to allow file-sharing over a VPN. If the user feels *REALLY* confident and adventurous, allow external connections for P2P applications.

------------------------------

Date: Wed, 19 Nov 2003 16:00:46 -0800
From: Kyle York <kyork@private>
Subject: Dangerous looking e-mail from quickbooks

I just received an e-mail from quickbooks that my credit card information was soon to expire and I should immediately call a toll-free number to renew it. A quick look at the headers made me immediately suspicious:

Received: from mta1.primary.ddc.dartmail.net ([146.82.220.34])
    by **my machine** with esmtp (Exim 3.35 #1 (Debian))
    id 1ALnfP-0005xu-00
    for <**me**>; Mon, 17 Nov 2003 10:00:03 -0800
X-MID: <Kilauea73191-16006-99081021-3@private>
Date: Mon, 17 Nov 2003 13:01:21 -0500 (EST)
Message-Id: <Kilauea73191-16006-99081021-3@private>
From: QuickBooks Payroll Services <quickbookspayrollservices@private>
To: **me**
Subject: QuickBooks Critical Notice - Credit Card Expiration Reminder

Note the two relays, and how the From: line doesn't match the Message-Id. Both flonetwork.com and dartmail.net are aliases for doubleclick.net which made me even more suspicious. In the body of the e-mail was a toll-free number that doesn't appear anywhere on www.quickbooks.com.

It turns out this was legitimate e-mail, but given the number of scams how many people would really pay attention if it wasn't? And how many spam filters would have kicked it out due to the problems noted?

------------------------------

Date: Fri, 28 Nov 2003 19:50:32 -0600
From: hellsop@private (Peter H. Coffin)
Subject: Re: In-Security clearance (RISKS-23.04)

I would be greatly interested to learn if this installer referenced by the unknown submitter is the same "Netopsystems FEAD Recomposer" which is used to package Adobe Acrobat Reader version 6. There are a nontrivial number of reports (both on the web and on USENET) of the installer failing to work on many Windows 2000 machines, usually with the same "hourglass then nothing apparently has happened" symptoms, but it also has various other reported issues, such as leaking memory and creating CPU loops sufficient to require hardware resets of the computers running the installer, in addition to more trivial assumptions like listing Windows 2000 as supported but only actually supporting Service Pack 2 of Windows 2000. If it is this same installer, this would be extremely interesting for use as an installer for a security clearance application submitter for the US.

The FEAD system is published by Netopsystems AG, Berlin, Germany.
http://www.netopsystems.com/site/english/fead_e.html

------------------------------

Date: Fri, 28 Nov 2003 15:55:54 -0800
From: Timothy Knox <tdk@private>
Subject: Re: Amber Alert, Coming to the Inbox Nearest You (Mercuri, R-23.04)

One other response, that I have used to some good effect, is to find the hoax details on an urban legends website (I personally recommend <http://www.snopes.com/>) and reply-to-all with the URL. It may not stop them all (there are none so blind as those who will not see), but it does help some. At least one person wrote me back, thanking me for pointing them to the site.

------------------------------

Date: Fri, 28 Nov 2003 14:59:16 -0800
From: "Rodney Hoffman" <rodney@private>
Subject: Re: Cehck tihs out! (RISKS-22.91)

Matt Davis at Cambridge has posted a response to this: "Aoccdrnig to a rscheearch at Cmabrigde Uinervtisy, it deosn't mttaer in waht oredr the ltteers in a wrod are, ..."
See http://www.mrc-cbu.cam.ac.uk/~matt.davis/Cmabrigde/ where Davis says, "I've written this page, to try to explain the science behind this meme. There are elements of truth in this, but also some things which scientists studying the psychology of language (psycholinguists) know to be incorrect. ... To my knowledge, there's no-one in Cambridge UK who is currently doing research on this topic." The page also includes samples in many other languages. ------------------------------ Date: Sun, 30 Nov 2003 16:22:57 -0500 From: "Kenneth R. van Wyk" <Ken@private> Subject: ANNOUNCE: New mailing list for secure application development, SC-L I would like to announce the availability of a new and free resource to the software security community, the SC-L e-mail discussion forum. The moderated forum is open to the public. The group's purpose is, "to further the state of the practice of developing secure software, by providing a free and open, objectively moderated, forum for the discussion of issues related to secure coding practices throughout a software development lifecycle process (including architecture, requirements and specifications, design, implementation, deployment, and operations)." (The complete text of the group's charter, including its acceptable and unacceptable usage policies, can be found at http://www.securecoding.org/list/charter.php.) To subscribe to the list, simply connect to http://www.securecoding.org/list and follow the directions on the form. Submissions should be sent (by subscribers only) to sc-l@private Ken van Wyk, Moderator, SC-L mailing list ken@private ------------------------------ Date: 7 Oct 2003 (LAST-MODIFIED) From: RISKS-request@private Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. 
Alternatively, via majordomo, send e-mail requests to <risks-request@private> with one-line body subscribe [OR unsubscribe] which requires your ANSWERing confirmation to majordomo@private . If Majordomo balks when you send your accept, please forward to risks. [If E-mail address differs from FROM: subscribe "other-address <x@y>" ; this requires PGN's intervention -- but hinders spamming subscriptions, etc.] Lower-case only in address may get around a confirmation match glitch. INFO [for unabridged version of RISKS information] There seems to be an occasional glitch in the confirmation process, in which case send mail to RISKS with a suitable SUBJECT and we'll do it manually. .UK users should contact <Lindsay.Marshall@private>. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail! => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@private with meaningful SUBJECT: line. *** NEW: Including the string "notsp" at the beginning or end of the subject *** line will be very helpful in separating real contributions from spam. *** This attention-string may change, so watch this space now and then. => ARCHIVES: http://www.sri.com/risks http://www.risks.org redirects you to the Lindsay Marshall's Newcastle archive http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue] Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r http://the.wiretapped.net/security/info/textfiles/risks-digest/ . 
http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/ ==> PGN's comprehensive historical Illustrative Risks summary of one liners: http://www.csl.sri.com/illustrative.html for browsing, http://www.csl.sri.com/illustrative.pdf or .ps for printing ------------------------------ End of RISKS-FORUM Digest 23.05 ************************