[risks] Risks Digest 23.07

From: RISKS List Owner (risko@private)
Date: Thu Dec 18 2003 - 14:49:42 PST

  • Next message: RISKS List Owner: "[risks] Risks Digest 23.08"

    RISKS-LIST: Risks-Forum Digest  Thursday 18 December 2003  Volume 23 : Issue 07
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at http://www.risks.org as
    The current issue can be found at
    Remote-controlled trains (Bill Tolle)
    Over-reliance on PowerPoint leads to simplistic thinking (NewsScan)
    Japan's Mars probe goes off course (PGN)
    Risk of a test message: Heated Training Session (Patrick Lincoln)
    Voter information up for grabs (NewsScan)
    Voting machine maker dinged (Lillie Coney)
    Convicted felons worked for electronic voting companies (Susan Marie Weber)
    Re: Diebold ATMs hit by Nachi worm (Drew Dean)
    Re: Why have electronic voting machines at all? (Russ Cooper)
    Proper understanding of "The Human Factor" (Don Norman)
    April Fool's e-mail freed detained kidnapper (Lillie Coney)
    This number's ready for prime time (Mark Brader)
    Correction for RISKS-23.06 (Trevor Zacks)
    Free lunch?  Or double-or-nothing? (Rob Slade)
    REVIEW: "Effective Security Management", Charles A. Sennewald (Rob Slade)
    Abridged info on RISKS (comp.risks)
    Date: Mon, 08 Dec 2003 16:10:19 -0600
    From: Bill Tolle <Bill3849094@A-Buyers-Realty.com>
    Subject: Remote-controlled trains
    A railroad worker was struck and killed by one of the locomotives he was
    operating by remote control from the Union Pacific rail yards in San
    Antonio, TX.  [Source: AP item, *Houston Chronicle*, 8 Dec 2003]
    Date: Mon, 15 Dec 2003 08:42:21 -0700
    From: "NewsScan" <newsscan@private>
    Subject: Over-reliance on PowerPoint leads to simplistic thinking
    NASA's Columbia Accident Investigation Board has fingered the agency's
    over-reliance on Microsoft PowerPoint presentations as one of the elements
    leading to last February's shuttle disaster. The Board's report notes that
    NASA engineers tasked with assessing possible wing damage during the mission
    presented their findings in a confusing PowerPoint slide so crammed with
    bulleted items that it was almost impossible to analyze. "It is easy to
    understand how a senior manager might read this PowerPoint slide and not
    realize that it addresses a life-threatening situation," says the report.
    NASA's findings are echoed in a pamphlet titled "The Cognitive Style of
    PowerPoint," authored by information presentation theorist Edward Tufte, who
    says the software forces users to contort data beyond reasonable
    comprehension. Because only about 40 words fit on each slide, a viewer can
    zip through a series of slides quickly, spending barely 8 seconds on each
    one. And the format encourages bulleted lists -- a "faux analytical"
    technique that sidesteps the presenter's responsibility to link the
    information together in a cohesive argument, according to Tufte, who
    concludes that ultimately, PowerPoint software oozes "an attitude of
    commercialism that turns everything into a sales pitch."  [*The New York 
    Times*, 14 Dec 2003; NewsScan Daily, 15 December 2003]
    Date: Tue, 9 Dec 2003 13:48:28 PST
    From: "Peter G. Neumann" <neumann@private>
    Subject: Japan's Mars probe goes off course
    Nozomi ("hope"), Japan's first interplanetary explorer, went off course in
    attempting to orbit Mars, culminating a five-year journey.  Efforts to
    salvage the mission have failed and the probe has almost run out of fuel,
    although the probability of a collision with Mars has reportedly been
    reduced from 1% to 0%.
    Date: Thu, 18 Dec 2003 07:34:38 -0800
    From: Patrick Lincoln <lincoln@private>
    Subject: Risk of a test message: Heated Training Session 
    According to an advisory issued on 17 Dec 2003 by the National Weather
    Service, "... the Earth has left its orbit and is hurtling towards the sun."
    The post on the National Oceanic & Atmospheric Administration's Web site
    continued: "Unusually hot weather will occur for at least the next several
    days as the Earth draws ever nearer to the sun.  Therefore, an excessive
    heat watch has been posted."  The release was a test message, erroneously
    posted by during a training session.  The statement has since been removed.
    Date: Thu, 11 Dec 2003 10:23:45 -0700
    From: "NewsScan" <newsscan@private>
    Subject: Voter information up for grabs
    Unbeknownst to most citizens, state officials are selling their
    voter-registration information to political candidates, nonprofit groups and
    data collectors who then combine it with census data, purchasing histories,
    credit reports and magazine subscription lists in order to fine-tune their
    messages or marketing pitches to specific constituencies, such as pickup
    truck drivers who subscribe to "Soldier of Fortune" or SUV drivers who buy
    lacy underwear at Victoria's Secret. And while some states limit sales to
    political groups, 22 states lack any criteria restricting who may purchase
    the information. "Voters fill out these forms in good faith, thinking the
    information they're providing is needed for the purpose of administering
    elections," says California Voter Foundation founder Kim Alexander. "Then
    they get phone calls or a knock on the door from campaign strangers who have
    a list of their personal data." Alexander says the information requested by
    many states, such as Social Security numbers and mother's maiden names,
    could easily be used for identity theft. The situation has become especially
    troubling since Congress passed the Help America Vote Act last year, which
    required that states develop a centralized, statewide voter-registration
    database, making it possible for third parties to collect huge amounts of
    data very easily. Alexander says the reason there's been no outcry against
    the practice is that "the people who ultimately decide how voter data should
    be allowed to be used are the politicians… Politicians need to rein in
    the laws, yet they're the biggest consumers of data."  [Wired.com, 11 Dec
    2003; NewsScan Daily, 11 Dec 2003]
    Date: Thu, 18 Dec 2003 09:53:56 -0500
    From: Lillie Coney <lillie.coney@private>
    Subject: Voting machine maker dinged
    California Secretary of State Kevin Shelley has said that Diebold Elections
    Systems could lose the right to sell electronic voting machines in
    California.  State auditors found that Diebold distributed software versions
    in 17 counties that had not been certified by the state, and that in 3 of
    those counties (including Los Angeles County) the systems had not been
    approved by the Federal Election Commission.  [Source: Voting machine maker
    dinged, Auditor says software wasn't approved Elise Ackerman, *San Jose
    Mercury News*, 17 Dec 2003; PGN-ed]
      [And as noted here on various occasions, the FEC standards are very weak
      to begin with.  Even the California certification process does not require
      any MEANINGFUL assurance that electronic machines record cast votes
      correctly.  PGN]
    Date: Tue, 16 Dec 2003 22:30:58 -0800
    From: "SusanMarieWeber" <susanmarieweber@private>
    Subject: Convicted felons worked for electronic voting companies
    Voter advocate Bev Harris alleged Tuesday that managers of a voting-machine
    subsidiary of Diebold Inc. included at least five convicted felons, among
    them a cocaine trafficker, a man who conducted fraudulent stock
    transactions, and a programmer jailed for falsifying computer records.  The
    programmer, Jeffrey Dean, wrote and maintained a proprietary code used to
    count hundreds of thousands of votes as senior vice president of Global
    Election Systems Inc.  Ohio-based Diebold purchased GES in January 2002.
    According to a court document released before GES hired him, Dean served
    time in a Washington correctional facility for stealing money and tampering
    with computer files in a scheme that "involved a high degree of
    sophistication and planning."
    In January, Senator Barbara Boxer, D-Calif., will submit a bill requiring
    stringent background checks on all electronic voting company employees who
    work with voting software. The bill, which Boxer plans to introduce in
    January, would toughen security standards for voting software and hardware,
    and require touch-screen terminals to include printers and produce paper
    backups of vote counts by the 2004 presidential election.
      [Source: Critics: Convicted felons worked for electronic voting companies
      Rachel Konrad, Associated Press, 16 Dec 2003; PGN-ed]
      Also see
        [And this story does not even mention Phil Foster, employee of Sequoia
        Pacific, indicted for vote fraud, who was working in the back rooms
        during the elections of Riverside County, November, 2000.  smw]
          [... or a bunch of other felony convictions related to voting.  Of
          course the risks of undetected errors and malicious misdeeds in voting
          machines have been discussed for years in RISKS.  It is encouraging
          that more people are beginning to understand the risks. PGN]
    Date: Tue, 09 Dec 2003 15:50:42 -0800 (PST)
    From: Drew Dean <ddean@private>
    Subject: Re: Diebold ATMs hit by Nachi worm (Cooper, RISKS-23.06)
    I find Russ Cooper's contribution to be symptomatic of the security
    community's world view: security über alles.  Yes, it may be more secure
    if an ATM always initiates contact with the outside world, but it has major
    impacts in manageability, and also opens up new threats.
    Consider the following scenario: There's an ATM, indirectly connected to the
    Internet, sitting in a shopping mall.  It's 3am (local time -- always true
    somewhere in the world), the mall is locked up tight, and there's a worm on
    the loose.  Said worm is programmed to look for vulnerable ATMs, and cause
    them to dispense all the cash they hold.  It would be a Bad Thing(tm) if the
    mall opens the next morning with cash scattered all over the floor.  Observe
    that sending a service technician out is extremely expensive, and
    logistically difficult/impossible.  It's both faster and cheaper for the
    bank's data center to remotely patch the ATMs from a central location.
    Now, you can argue that the ATM should be polling the data center for
    patches, but that opens up an equivalent vulnerability: once the polled
    machine is compromised, it sends the patch(es) of the attacker's choice to
    the ATM, and we end up in the same situation.  Of course, if the ATM is
    compromised, it might stop listening for updates.  Partial failure of
    systems is always difficult to design for, and this example is no different.
    I think a fair summary is that the real world is a messy place, with many
    different threats, and while sound bites may be satisfying to pronounce,
    they rarely solve the problem.
    Drew Dean, Computer Science Laboratory, SRI International
      [Similar comment from Ray Blaak.  PGN]
    Date: Wed, 10 Dec 2003 05:09:05 -0500
    From: "Russ" <Russ.Cooper@private>
    Subject: Re: Why have electronic voting machines at all? (RISKS-23.06)
    Maybe I missed the comment, but it seems to me that one of the most
    compelling reasons for e-voting, getting more people out to vote, is being
    missed in these threads. Maybe voter turnout in the States is always >50%,
    it isn't here (Canada).
    If an eligible voter can sit at home, take a couple of minutes, and register
    their preference in an election, there's a belief that a lot more people
    will vote. I fail to see how anything else could be as likely to increase
    voter participation.
    I'm not minimizing the risks or cost involved in making such a scheme work
    securely, but in a country such as ours where people are broadly
    distributed, reducing the need for people to go to a polling station is
    highly desired.
    Russ - NTBugtraq Editor
    Date: Thu, 11 Dec 2003 12:15:00 -0600
    From: "Don Norman" <don@private>
    Subject: Proper understanding of "The Human Factor"
      [Warning: This is not a posting of some news item. It is an essay -- well,
      a lecture -- triggered by two recent RISKS postings, particularly because
      the second posting completely misunderstood the purpose of the first and
      didn't bother to read the book which was being recommended. And exhibited
      an attitude on the part of designers that is the biggest risk of all risks
      -- because it is the kind of attitude that causes the very problems the
      RISKS group is designed to eliminate.  DN]
    If we assume that the people who use technology are stupid ("Bubbas") then
    we will continue to design poorly conceived equipment, procedures, and
    software, thus leading to more and more accidents, all of which can be
    blamed upon the hapless users rather than the root cause -- ill-conceived
    software, ill-conceived procedural requirements, ill-conceived business
    practices, and ill-conceived design in general. This appears to be a lesson
    that must be repeated frequently, even to the supposedly sophisticated
    reader/contributor to RISKS.
    It is far too easy to blame people when systems fail. The result is that
    over 75% of all accidents are blamed on human error.  Wake up people! When
    the percentage is that high, it is a signal that something else is at fault
    -- namely, the systems are poorly designed from a human point of view. As I
    have said many times before (even within these RISKS mailings), if a valve
    failed 75% of the time, would you get angry with the valve and simply
    continual to replace it? No, you might reconsider the design specs. Yo would
    try to figure out why the valve failed and solve the root cause of the
    problem. Maybe it is underspecified, maybe there shouldn't be a valve there,
    maybe some change needs to be made in the systems that feed into the valve.
    Whatever the cause, you would find it and fix it. The same philosophy must
    apply to people.
    Item. I predict that the municipal water and wastewater treatment industry
    is in for a series of serious accidents. Why? Because of postings like that
    of Dave Brunberg (RISKS-23.06). He was triggered by Mike Smith's
    recommendation for the book "The Human Factor" (RISKS-23.04), but without
    bothering to read the book. So he tells us of the "Bubba factor" in his
    industry, namely, the belief that operators (named "Bubba") are
    characterized by stupidity, laziness, and general ineptness. Brunberg
    complains that he must make his software work despite the incompetence of
    his operators: "you walk a very fine line between making the plant so
    inflexible that operators cannot respond to unforeseen problems and giving
    Bubba a little too much latitude."
    No wonder we continue to have problems. It is this attitude of developers
    that cause the very problems they complain about. The book, the Human
    Factor, is in fact an excellent argument against Brunberg's point of view.
    In it, the author (Kim Vicente) points out that procedural demands, business
    practices that reward productivity and punish safety, and the inability of
    system designers to understand the real requirements on the plat operators
    are what leads to failure. Poor Bubba is yelled at by his bosses for slowing
    up production, penalized if he raises questions about safety. If he follows
    procedures, he can't meet production requirements. If he violates them --
    which is what everyone is forced to do -- he is punished if an accident
    occurs. No matter that lots of other Bubbas have warned about that
    Let me also recommend the excellent "Field Guide to Human Error
    Investigations." Here, the author (Sidney Dekker) points out that the old
    view of human error is that it is the cause of accidents whereas the new
    view is that it is a symptom of trouble deeper inside a system. Alas, the
    "old" view is in actuality the current view, whereas the "new" view is still
    seldom understood. (The "new" view has only been around for 50 years, so I
    suppose we need to give it more time.). The Field Guide is about aviation,
    but it is very applicable to the waste industry as well -- and to hospitals,
    and emergency crews, and manufacturing plants, and any situation where
    accidents are being blamed on people.
    The most serious RISK in all this is that people take the easy way out,
    blame the operator for incompetence, and then smile smugly from their
    air-conditioned office, far away from the plant. As long as this attitude
    persists, we will have bigger and bigger accidents.
    DISCLAIMER (MILD). My strong recommendation for "The Human Factor" appears
    on the back jacket of that book and on my website.  My equally strong
    recommendation for the "Field Guide" will appear on my website Real Soon
    Dekker, S. (2002). The field guide to human error investigations. Burlington
    VT: Ashgate. 
    Vicente, K. J. (2003). The human factor: revolutionizing the way people live
    with technology. Toronto: A. A. Knopf Canada. 
    Don Norman, Nielsen Norman Group and Northwestern University
    norman@private    http://www.jnd.org    
    Date: Thu, 04 Dec 2003 12:42:14 -0500
    From: Lillie Coney <lillie.coney@private>
    Subject: April Fool's e-mail freed detained kidnapper
    A Homeland department employee's prank e-mail prompted the release of an
    immigration agency detainee who had been convicted of kidnapping, according
    to the department's Inspector General.  The unidentified detainee turned
    himself in to Immigration and Customs Enforcement deportation officers two
    days after his improper release.  The employee sent an April Fool's e-mail
    to 16 ICE detention officers and supervisors advising them that the
    detainee's citizenship had been established with a Puerto Rican birth
    certificate, which authorized his release.  At the end of the e-mail, the
    employee wrote, "Now about that bridge I'm selling. April Fools!"  Nine
    minutes later, the employee sent a second e-mail that began by saying, "In
    case you didn't get to the end of my previous message, here's what really
    happened today."  The second message said that the detainee had been ordered
    deported to the Dominican Republic.  A homeland officer who read the first
    prank e-mail but did not note the April Fools reference, and did not read
    the second e-mail, processed paperwork that authorized the detainee's
    release from a county jail on 2 Apr.  [Source: Wilson P. Dizard III,
    Government Computer News (gcn.com), 28 Nov 2003; PGN-ed]
    Date: Tue,  9 Dec 2003 20:14:06 -0500 (EST)
    From: msb@private (Mark Brader)
    Subject: This number's ready for prime time (RISKS-23.06)
    Primes of the form 2-to-the-power-of-P would be *exceedingly* rare.
    [Yes, ONLY ONE for P>1.  PGN]
    Fortunately, that's not what the New Scientist article actually says.
      [MINUS ONE was inadvertently omitted from the parenthetical, and
      has been added to the archive copy.  Noted by many of you.  TNX.  PGN]
    Date: 15 Dec 2003
    From: Trevor Zacks
    Subject: Correction for RISKS-23.06 (via Lindsay Marshall)
    New official self-service litigation system available in England/Wales
    link is (now) not
    corrected in the on-line version of the Telegraph at the specified link.
      [Also corrected in RISKS archives.  PGN]
    Date: Mon, 15 Dec 2003 13:11:27 -0800
    From: Rob Slade <rslade@private>
    Subject: Free lunch?  Or double-or-nothing?
    Leave your cards in the car when you walk into McQuickFood, lest you end up
    paying for your neighbour's lunch.  (We've already seen this with SpeedPass,
    have we not?)
    MasterCard and American Express have been testing "contactless" versions of 
    their credit cards that use an embedded RFID chip rather than a magnetic 
    strip to store financial data. The cards can simply be waved in front of a 
    reader to complete the purchase. "In some instances it's faster than cash. 
    You're eliminating the fumble factor," says a MasterCard VP. The company 
    plans to roll out its PayPass system next year, beginning in fast food 
    joints and other venues where customers tend to be in a hurry. Forrester 
    Research predicts it will take several years for the contactless cards to 
    go mainstream, citing consumers' security concerns and unfamiliarity with 
    the technology as impediments to change. (AP/Wired.com 14 Dec 2003)
    rslade@private      slade@private      rslade@private
    http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
    Date: Tue, 16 Dec 2003 08:28:19 -0800
    From: Rob Slade <rslade@private>
    Subject: REVIEW: "Effective Security Management", Charles A. Sennewald
    BKEFSCMN.RVW   20031006
    "Effective Security Management", Charles A. Sennewald, 2003,
    0-7506-7454-7, U$49.95/C$72.50
    %A   Charles A. Sennewald
    %C   225 Wildwood Street, Woburn, MA  01801
    %D   2003
    %G   0-7506-7454-7
    %I   Butterworth-Heinemann/CRC Press/Digital Press
    %O   U$49.95/C$72.50 800-366-BOOK fax 800-446-6520 www.bh.com/bh/
    %O  http://www.amazon.com/exec/obidos/ASIN/0750674547/robsladesinterne
    %O  http://www.amazon.ca/exec/obidos/ASIN/0750674547/robsladesin03-20
    %P   395 p.
    %T   "Effective Security Management"
    The preface makes clear that the author's major background is in the field
    of physical security.  This is evident in places throughout the rest of the
    book, but much of the material is more broadly applicable.
    The introduction presents a wonderful statement about management, that it is
    "the ability to create an environment in which other individuals willingly
    participate to achieve objectives."
    Part one deals with general security management.  Chapter one outlines some
    principles of organization, and provides an excellent overview of the basics
    of management.  The physical security background shows in, for example, the
    assumption that demonstrating a "contribution to profits" is relatively
    straightforward and easy to quantify.  The review questions at the end of
    the chapter are an adequate summary of the material, but provide no more
    than a simple reading check.  Organizational structure, in chapter two, is
    based on the real world rather than theory.  Sennewald notes the difference
    between formal and informal arrangements, as well as both the good and bad
    reasons that the two exist.  Security's role in the organization emphasizes
    physical security, but chapter three also addresses non-traditional
    functions such as training, internal consulting, and executive protection.
    Chapters four, five, and six deal with the roles of, respectively, the
    security director, supervisor (emphasizing the chain of command), and
    employee (mostly stressing personal character and integrity).
    Part two addresses security personnel management.  Chapter seven, on hiring,
    is reasonable, but fails to provide useful guidance on avoiding common
    pitfalls in reviewing resumes and interviewing candidates.  There is, for
    example, a heavy reliance on open-ended questions, which often backfire on
    interviewers since the responses tend to be so different that it makes the
    difficult task of judging between people even harder.  The creation of a job
    description, in chapter eight, provides good pointers and a helpful outline.
    There are more complaints about how training is done poorly than suggestions
    about how to fix the problem in chapter nine.  The material on discipline,
    in chapter ten, is good but not great.  In regard to the motivation of
    employees, Sennewald presents the classic "Theory X and Theory Y" model, but
    chapter eleven is more concerned with pointing out the disadvantages of
    punishment and control (X) than with suggesting how to support employees
    (Y).  Chapter twelve, on promotions, repeats many of the points of chapter
    seven.  The vague look at communications, in chapter thirteen, is not
    necessarily helpful.  The classic debate between employment of, or
    contracting out, security personnel is presented in chapter fourteen.
    Part three considers operational management.  Budgeting, in chapter fifteen,
    is a good start for those without a financial background, but gets bogged
    down in specific forms.  The basics of risk management (albeit limited to
    physical security situations) is introduced in chapter sixteen.  Some
    expansion is given in chapter seventeen, but the content is generally
    duplicated, and I wonder why the chapters were split.  Review and audit,
    renamed the security survey, is important, but chapter eighteen seems to be
    a not-completely-recycled magazine article.  It seems odd to cover office
    administration, in chapter nineteen, but many physical security officers may
    have limited office background, so this might be quite useful.  The
    discussion of policy and procedures, in chapter twenty, primarily deals with
    procedures.  Chapter twenty one, on computers and security management, is
    the longest in the book, but is only a computer literacy article and
    addresses no specific security applications.  Sennewald argues that
    statistics can be useful, but chapter twenty two does not provide much
    direction in their manipulation.
    Part four deals with public relations.  A pedestrian selling job for
    security is in chapter twenty three.  The relationship with law enforcement,
    in chapter twenty four, emphasizes what the police can provide.  Chapter
    twenty five promotes cooperation with those in the same industry and the
    importance of trade groups, as well as community service.  This latter topic
    is expanded in twenty six.  Chapter twenty seven is a very recognizable list
    of thirty two "jackass traits" for managers, pointing out all kinds of
    mistakes people can make.  How to improve your performance gets less space,
    and it is hard to know where to draw the line between opposing problems,
    such as "the Despot" and "The Popularity Kid."
    Despite specific problems, this book provides some extremely valuable advice
    for security managers of all kinds, not just the physical security officers
    at whom it is aimed.
    copyright Robert M. Slade, 2003   BKEFSCMN.RVW   20031006
    rslade@private      slade@private      rslade@private
    http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
    Date: 7 Oct 2003 (LAST-MODIFIED)
    From: RISKS-request@private
    Subject: Abridged info on RISKS (comp.risks)
     The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
     if possible and convenient for you.  Alternatively, via majordomo,
     send e-mail requests to <risks-request@private> with one-line body
       subscribe [OR unsubscribe]
     which requires your ANSWERing confirmation to majordomo@private .
     If Majordomo balks when you send your accept, please forward to risks.
     [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
     this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
     Lower-case only in address may get around a confirmation match glitch.
       INFO     [for unabridged version of RISKS information]
     There seems to be an occasional glitch in the confirmation process, in which
     case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
       .UK users should contact <Lindsay.Marshall@private>.
    => SPAM challenge-responses will not be honored.  Instead, use an alternative 
     address from which you NEVER send mail!
    => The INFO file (submissions, default disclaimers, archive sites,
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues.  *** All
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risks@private with meaningful SUBJECT: line.
     *** NEW: Including the string "notsp" at the beginning or end of the subject
     *** line will be very helpful in separating real contributions from spam.
     *** This attention-string may change, so watch this space now and then.
    => ARCHIVES: http://www.sri.com/risks
     http://www.risks.org redirects you to the Lindsay Marshall's Newcastle archive
     http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue]
       Lindsay has also added to the Newcastle catless site a palmtop version 
       of the most recent RISKS issue and a WAP version that works for many but 
       not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing,
        http://www.csl.sri.com/illustrative.pdf or .ps for printing
    End of RISKS-FORUM Digest 23.07

    This archive was generated by hypermail 2b30 : Thu Dec 18 2003 - 15:19:54 PST