[risks] Risks Digest 23.09

From: RISKS List Owner (risko@private)
Date: Tue Dec 23 2003 - 15:17:51 PST

    RISKS-LIST: Risks-Forum Digest  Tuesday 23 December 2003  Volume 23 : Issue 09
    
       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
    
    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at http://www.risks.org as
      http://catless.ncl.ac.uk/Risks/23.09.html
    The current issue can be found at
      http://www.csl.sri.com/users/risko/risks.txt
    
      Contents:
    Rotorouted New Year's greeting? (PGN)
    Loss of bus braking due to nearby illegally modified transceivers 
      (Chiaki Ishikawa)
    "Openness" in Government (Identity withheld by request)
    GuineTel seeks ways of clamping down on scam fraud (Patrick O'Beirne)
    AOL now filtering based on whether they like embedded URLs (Stever Robbins)
    Guilt by technology (Dawn Cohen)
    Murphy's Law (Mark Brader)
    Important article on origins of Murphy's Law (Doug Mink)
    Re: Railroad accident results from deactivated crossing gates (Geoff Kuenning)
    Re: Proper understanding of "The Human Factor" (Merlyn Kline)
    Poor writing is the problem, not PowerPoint (Paul A.S. Ward)
    Re: Diebold ATMs & Nachi worm; you ain't seen nuttin' yet! (Richard I Cook)
    Re: Diebold ATMs hit by Nachi worm (Tim Panton)
    Re: Voter information up for grabs (David E. Ross)
    Re: Online issue of civil claims (Robin Crorie)
    Abridged info on RISKS (comp.risks)
    
    ----------------------------------------------------------------------
    
    Date: Tue, 23 Dec 2003 14:07:42 PST
    From: "Peter G. Neumann" <neumann@private>
    Subject: Rotorouted New Year's greeting?
    
    Yesterday I decided to schedule in advance our annual home sewer cleanout
    derootification for 8 Jan 2004, to get the first call in the morning on the
    day that our yearly guarantee expires.  The dispatcher assured me that would
    be fine and that they would call the day before to confirm.  An hour later I
    received a call from the plumber saying that he would arrive in 10 minutes,
    and apologizing for taking so long!
    
    You probably guessed what happened.  The dispatcher put the order in for 8
    Jan assuming that their scheduling system would infer 2004.  But the system
    coerced the year to 2003, and it was treated as an urgent request (that had
    not been filled in 11.5 months).
    
    Happy New Year!
    
    ------------------------------
    
    Date: Sun, 21 Dec 2003 09:51:41 +0900
    From: Chiaki <ishikawa@private>
    Subject: Loss of bus braking due to nearby illegally modified transceivers
    
    It has been reported widely in the Japanese press that electromagnetic
    interference caused by illegally modified transceivers on trucks is
    suspected of causing two accidents by disabling the braking system of
    commuter buses.
    
    Mitsubishi Fuso Truck & Bus Corporation announced that two models of its
    buses are adversely affected by high-powered EMI from short distance and its
    braking system may not function properly under such conditions.
    Specifically, its braking system that detects the wheel-locking condition
    falsely triggers due to the EMI and thus the brake doesn't work as intended.
    
    Two accidents were reported last year where the bus drivers reported that
    the brake suddenly stopped working. However, after the police investigation,
    no visible malfunction was found.
    
    The manufacturer continued investigation and found that high-powered radio
    signals emitted by a nearby transceiver (illegally modified and thus
    1,000-10,000 times as strong as permitted by law for such transceivers) can
    interfere with its braking control unit, resulting in false information that
    the wheels locked due to braking.  Upon this false information, it seems (my
    interpretation from what I read in various reports) that the control unit
    decided to release the brakes, and thus caused unintended loss of braking.
    
    It is not known whether such illegally modified transceivers were present
    nearby in the two accident cases.  But in two other instances where loss of
    braking was observed, the bus drivers saw suspicious trucks nearby.
    
    The company could reproduce the condition in live experiments, and it will
    refit the 2200+ cars by replacing the control unit, sensors, pipes, circuit
    harness, etc.  I think the company should be commended for its continued
    investigation after the accidents.
    
    I have personally noticed voices of presumably truck drivers whose
    transceiver must have been modified to generate enormous amount of power
    from my audio equipment over the years. (Remember the CB radio craze of
    1970's?)  But this is the first time such strong emission is linked to
    real-world accidents.  [I don't think so.  We had CB interference knocking
    out cruise controls long ago.  PGN]
    
    The warning that I see and hear on airplanes during landing and take off is
    no longer a remote worry.  I should be glad that most air runways seem to
    have enough distance from the nearby highway.
    
    As we depend on computers and sensors for better control of *everything*
    such as cars, home appliances, the malfunctions due to external EMI must be
    considered carefully, but I suspect that only the military agencies who have
    tried to harden the fighter planes and such against the EMI caused by
    nuclear blasts have the technical knowhow or mentality to cope with such
    problems caused by unusually and possibly illegally high-powered EMI.
    
    (Yes, I know that the FCC regulations and similar usually protect the
    ordinary home appliances against the run-of-the-mill EMI from computers,
    etc.  However, I doubt that electronic home appliance makers are ready to
    tackle the above-normal, high-powered emission caused by illegally
    modified transceivers. And they are a real threat along busy traffic routes
    today.  I hate to see various home appliances behave erratically every time
    a truck with such a transceiver passes by.  Or for that matter, a whole
    field filled with tiny sensors blown by a strong zap of an illegally
    modified transmitter.  Illegal or not, such dangers are going to be real and
    may have wide-spread consequences in the future.)
    
    cf. The company web page:
      http://www.mitsubishi-fuso.com
    
    I found the reference to this topic in the Japanese web pages at above URL
    by following links, but am not sure if English pages have the reference.
    The Japanese report appears dated 15 Dec 2003, so the translation may have
    to wait for a few more days.
    
    ------------------------------
    
    Date: Tue, 23 Dec 2003 12:09:00 -0500
    From: [Identity withheld by request]
    Subject: "Openness" in Government
    
    A while ago California, with the help of MCI, implemented an Internet based
    system, DROS, by which gun dealers verify that purchasers are eligible to
    own a gun.
    
    While searching for information on this system, I happened across the
    following message 
      http://caag.state.ca.us/firearms/mbw.htm
    which I found somewhat disturbing.  However, looking further, I found the
    DROS users manual
      https://dros.vansis.wcom.com/wpsd/manual.pdf 
    which tells the users to configure their Internet Explorer security settings
    as follows:
    
      The ActiveX controls and plug-ins to Enable are
        Download signed ActiveX controls
        Download unsigned ActiveX controls
        Initialize and script ActiveX controls not marked as safe
        Run ActiveX controls and plug-ins
    
      If these radio buttons are set to Prompt, you will be prompted each time
      you log into the application.  Setting them to Enable is a time saving
      measure.
    
    Although it is only the gun dealers' machines that are at risk, and the DoJ
    system is hopefully secure, I'm not sure that I like the idea that their
    machines are so insecure.
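
[Added example, not part of the original submission or of the DROS manual: a
Python audit of an exported Internet Explorer zone configuration for the four
ActiveX settings quoted above. The registry value names are the standard IE
URL-action codes; the baseline is an assumption modelled on IE's medium
security template, and the sample export is constructed.]

```python
import re

# The four settings the manual tells dealers to Enable, keyed by the
# URL-action code under which IE stores each one in the zone's registry key.
ACTIVEX_ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1200": "Run ActiveX controls and plug-ins",
}
POLICY = {0: "Enable", 1: "Prompt", 3: "Disable"}
ZONES = {"0": "My Computer", "1": "Local intranet", "2": "Trusted sites",
         "3": "Internet", "4": "Restricted sites"}

# Assumed baseline (least restrictive value we accept per action). A lower
# number is more permissive: 0 = Enable, 1 = Prompt, 3 = Disable.
BASELINE = {"1001": 1, "1004": 3, "1201": 3, "1200": 0}

# Constructed sample: Internet zone (3) set as the manual instructs,
# Trusted sites zone (2) left at the baseline.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000000
"1004"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000001
"1004"=dword:00000003
"1200"=dword:00000000
"1201"=dword:00000003
'''

SECTION_RE = re.compile(r'^\[.+\\Internet Settings\\Zones\\(?P<zone>\d+)\]$',
                        re.IGNORECASE)
VALUE_RE = re.compile(r'^"(?P<name>[0-9A-Fa-f]{4})"=dword:(?P<data>[0-9A-Fa-f]{8})$')


def parse_zone_settings(reg_text):
    """Return {zone_id: {action_code: int_value}} from decoded .reg text.

    Real exports are usually UTF-16; decode them before calling this.
    """
    zones, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = SECTION_RE.match(line)
            current = m.group("zone") if m else None
            if current is not None:
                zones.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            zones[current][m.group("name").upper()] = int(m.group("data"), 16)
    return zones


def audit(reg_text, baseline=BASELINE):
    """List every ActiveX action set more permissively than the baseline."""
    findings = []
    for zone, values in sorted(parse_zone_settings(reg_text).items()):
        for code, label in ACTIVEX_ACTIONS.items():
            if code not in values:
                continue  # not set in this hive; defaults or policy apply
            actual = values[code]
            if actual < baseline[code]:
                findings.append({
                    "zone": ZONES.get(zone, zone),
                    "code": code,
                    "setting": label,
                    "actual": POLICY.get(actual, hex(actual)),
                    "expected": POLICY[baseline[code]],
                })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_REG):
        print("{zone}: {setting} is {actual}, baseline is {expected}".format(**f))
```

Note that the manual's fallback of Prompt for the unsigned-download and
unsafe-initialization settings is still more permissive than this baseline,
so it would be reported as well.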
    
    ------------------------------
    
    Date: Sun, 21 Dec 2003 19:37:31 +0000
    From: "Patrick O'Beirne" <mail2@private>
    Subject: GuineTel seeks ways of clamping down on scam fraud
    
    By Brian King, Balancing Act's News Update 188 (21 Dec 2003)
    http://www.balancingact-africa.com
    
    Phantom Calls
    
    In 2003, Terri Lockwood of Indianapolis, Indiana received a phone bill with
    hefty charges for calls to Guinea-Bissau, a West African country she had
    never heard of, and much less had reason to call.  When she disputed the
    charges, the American operator AT&T told her that the calls were genuine,
    and that she or someone in her house must have called, or accessed an adult
    entertainment site on the Internet. The intruder was a program that had
    slipped unnoticed onto the family computer, and reconfigured the connection
    to dial a number in Guinea-Bissau (code 245).
    
    The number, however, does not officially exist. The national operator, the
    regulatory body, and the International Telecommunications Union all agree
    that the number dialed from Terri Lockwood's computer is not programmed
    within the territory of Guinea-Bissau. Communications infrastructure of the
    country, furthermore, could not conceivably support the graphic-intensive
    content production and broadcast of many adult entertainment sites.  For the
    last few years the national operator Guine Telecom has been concerned with
    repairing basic telephony infrastructure damaged in a devastating civil war.
    At the beginning of this year Guine Telecom had no new cables to repair its
    network, no wires to install phones for clients, and approximately 50,000
    people on waiting lists.  This is not a company receiving revenue from a
    brisk adult entertainment business, legitimate or not, apparently conducted
    in its name.
    
    The History
    
    In 1989 the Government of Guinea-Bissau cemented a strategic partnership
    with Marconi (now part of the Portugal Telecom group).  All international
    traffic to and from Guinea-Bissau would run through Marconi in Portugal.
    Marconi was also given the right to open and maintain bank accounts abroad
    in the name of Guine Telecom.
    
    Critics of the company say that management of the company became
    increasingly chaotic and untransparent.  Around 1996 Portugal Telecom
    managers set up a bank of computers at the earth station to receive
    pornographic calls from abroad. The calls were received at Guine Telecom and
    were immediately transmitted back without entering the national network.
    The practice reportedly generated significant new traffic to Guinea-Bissau,
    and the added revenue funded new investments in infrastructure.
    
    On June 7, 1998 a failed coup d'etat tipped the country into civil war; key
    infrastructure (such as the earth station) was destroyed and in the midst of
    it the bank of audiotext (read 'phone sex') computers.
    
    After their departure in 1998 Portugal Telecom began withholding settlement
    payments for international calls terminating in Guinea-Bissau, and has
    continued to do so.
    
    A journalist from the major Spanish newspaper El País confirmed a so-called
    "epidemic" of calls to Guinea-Bissau from Spain, appearing on the bills of
    people who had no relationship with the country. In all these instances the
    Spanish operator Telefonica responded that the calls were genuine.
    
    Around the same time, a dissatisfied Spanish pornography consumer actually
    called Guine Telecom to complain about the service. Technical Director Malam
    Fati was alerted, and so discovered for himself the existence of a number of
    web pages advertising live pornographic video. The pages appear to be
    designed to target particular countries; all are linked to a home page at
    www.sexhotel.com.  The pages offer 'free' access to live pornographic video
    without requiring credit card information. Interested viewers need only to
    call a number on the screen (dialing instructions from each country are
    included), to receive a password. These access numbers bear the (245)
    international code, but the regional codes are not assigned within the
    territory of Guinea-Bissau.
    
    For the rest of this story, go to:
      http://www.balancingact-africa.com
    
    Patrick O'Beirne, Systems Modelling Ltd., Gorey, Co. Wexford, Ireland.
    +353 55 22294
    
    ------------------------------
    
    Date: Fri, 19 Dec 2003 12:02:41 -0500
    From: Stever Robbins <stever@private>
    Subject: AOL now filtering based on whether they like embedded URLs
    
    I just got this bounce message. I was mailing a friend of mine the URL of a
    MOVEON.ORG Web site that's asking people to rate TV ads on effectiveness,
    etc., at conveying the downside of GW Bush's policies. AOL won't even
    deliver the message. Apparently, since the URL has generated complaints
    (presumably from Bush supporters or current Govt. employees), I'm not even
    allowed to tell AOL users about it.
    
    RISKS: AOL can decide they don't like a particular URL, for instance, of a
    topic or candidate or public opinion poll that they disapprove of, and voila
    -- several million people now can't even be told about that page! In this
    particular case, it's hard to imagine who would complain about it other than
    people trying to get the page banned because it doesn't agree with their
    political views.
    
    The offending URL (which I highly recommend) is double-u, double-u, 
    double-u, bush in 30 seconds dot org.
    
    >   ----- The following addresses had permanent fatal errors -----
    ><....@aol.com>
    >     (reason: 554 TRANSACTION FAILED:  (HVU:B1) The URL contained in your 
    > email to AOL members has generated a high volume of complaints.?? Per our 
    > Unsolic)
    
    ------------------------------
    
    Date: Tue, 23 Dec 2003 09:28:47 -0500
    From: "Dawn Cohen" <COHEND@private>
    Subject: Guilt by technology
    
    A friend was inspired by his sister, who just got an MP3 player installed in
    her car.  He wanted to do the same.
     
    He called the Mercedes dealer that he normally goes to, and asked if they
    could fit his car up with an MP3 player.  He was politely informed that they
    could not.  Undaunted, he asked whether an MP3 player could be installed if
    he was willing to put in a whole new stereo system.  The gentleman on the
    line patiently explained that No, Mercedes does not make MP3 players
    available in any of their cars, new or old.  As he put it, "MP3s are for
    people who download music.  People who buy Mercedes cars can afford to buy
    their music."
    
    ------------------------------
    
    Date: Tue, 23 Dec 2003 00:51:11 -0000
    From: msb@private (Mark Brader)
    Subject: Murphy's Law (Re: ...the Human Factor, Ladkin, RISKS-23.08)
    
    > The classic statement of the "Bubba factor" position is a comment made
    > in 1949 by Edsel Murphy ...
    
    Um, the Edsel was a *different* classic failure.
    
    Edward Murphy's exact words have been forgotten, and credit for the
    term "Murphy's Law" is now disputed.  For a full investigation, or at
    least as good a one as we're likely to see after so many years, see:
    
      http://www.improb.com/airchives/paperair/volume9/v9i5/murphy/murphy0.html
    
    and the four pages linked from it (or substitute 1 through 4 for the 0).
    
    Mark Brader, Toronto, msb@private
    
    ------------------------------
    
    Date: Tue, 23 Dec 2003 14:22:49 -0500
    From: Doug Mink <dmink@private>
    Subject: Important article on origins of Murphy's Law (Re: Ladkin, R-23.08)
    
    > The classic statement of the "Bubba factor" position is a
    > comment made in 1949 by Edsel Murphy, ... 
    
    I have seen numerous references to Edsel Murphy as the originator of the
    famous law, but this was the first reference with more details.  "Edsel"
    seemed to me to be too uncommon to be associated with both a humorous
    failure of an automobile (and the scion of major manufacturing family) and a
    humorously successful law, so I looked into the matter on the Web.  After
    several unsuccessful searches, I hit the jackpot with Nick Spark's article,
    "The Fastest Man on Earth", on the September/October Annals of Improbable
    Research, and available on their web site, HOT A.I.R.
      http://www.improb.com/airchives/paperair/volume9/v9i5/murphy/murphy0.html
    
    It gives a very good history of the relationship between Colonel John Paul
    Stapp (once the Fastest Man of the title), Project MX981, Captain *Edward*
    Murphy, and the famous Law, and is must reading for RISKS readers who daily
    do battle with the consequences of Murphy's Law.
    
    Doug Mink, Smithsonian Astrophysical Observatory
    
    ------------------------------
    
    Date: Tue, 23 Dec 2003 00:15:36 -0800 (PST)
    From: Geoff Kuenning <geoff@private>
    Subject: Re: Railroad accident results from deactivated crossing gates
    
    A friend once told me that in the Great Plains there are many accidents of
    this sort each year.  Most crossings are completely unguarded, and at night
    a train on an unlit level crossing is almost completely invisible.
    
    The friend pointed out that the cure is both trivial and cheap: all railroad
    cars should be required to have reflectors (or reflective paint) on the
    sides.  But it would cost a lot of money (in aggregate, though very little
    per $100K car) and thus the railroads have steadfastly resisted the passage
    of any such regulation.  Meanwhile, people continue to die.
    
    The funny thing is, that reflective paint could be used for some very
    valuable advertising...
    
    Geoff Kuenning   geoff@private   http://www.cs.hmc.edu/~geoff/
    
      [Ah, another nice low-tech solution.  PGN]
    
    ------------------------------
    
    Date: Fri, 19 Dec 2003 10:28:27 -0000
    From: "Merlyn Kline" <merlyn@private>
    Subject: Re: Proper understanding of "The Human Factor" (Norman, R-23.07)
    
    > No wonder we continue to have problems. It is this attitude of developers
    > that cause the very problems they complain about.
    
    Isn't this a bit reversed? Yes, developers complain that they must devote
    more effort than they would like to ensuring that their software works in
    the face of operator-generated adversity. But in making that complaint they
    are recognising the requirement. And it *is* a requirement.
    
    As if to underline all this, what is the very next story in the digest I am
    responding to?...
    
    > A homeland officer who read the first prank e-mail but did not note the
    > April Fools reference, and did not read the second e-mail, processed
    > paperwork that authorized the detainee's release from a county jail on 2
    > Apr.
    
    Could a system have been devised that would have prevented that? Could such
    a system have been embodied in the administrative software that is
    (presumably) used to run these processes?
    
    ------------------------------
    
    Date: Tue, 23 Dec 2003 05:13:55 +0000 (UTC)
    From: pasward@private (Paul A.S. Ward)
    Subject: Poor writing is the problem, not PowerPoint (Garfinkel, Re: R-23.08)
    
    > the problem is that many engineers are simply poor verbal communicators.
    
    Without disagreeing with the above statement (Heaven knows, I've read enough
    poorly-worded documents by students to be firmly convinced of this point), I
    would argue that PowerPoint, and moreso WYSIWYG systems, are a contributing
    factor.  Specifically, WYSIWYG systems lead to a focus by the user on
    appearance, not on structure or content.
    
    ------------------------------
    
    Date: Tue, 23 Dec 2003 06:04:56 -0600
    From: Richard I Cook <ri-cook@private>
    Subject: Re: Diebold ATMs & Nachi worm; you ain't seen nuttin' yet! (R-23.04)
    
    Steve Summit wrote in RISKS-23.04 about "several Diebold Automatic Teller
    machines...built atop Windows XP Embedded...infected by the "Nachi" worm
    last August" and his concern about "critical functions [being] implemented
    using less-than-rugged components such as "consumer grade" operating
    systems."
    
    It is interesting that, even at this rather advanced stage, we have so
    little 'feel' for the ways in which creating large, dependent
    socio-technical systems creates new -- and often startlingly large --
    vulnerabilities. To describe an operating system as "consumer grade" implies
    that there are real alternatives available. But there are few such
    alternatives. New applications depend on the rich feature sets found in
    large operating systems and the problems with security and reliability of
    these are well known, albeit not well understood. A good deal of this seems
    to me to be related to version control and maintenance activities and the
    corrosive nature of the cost equation -- we have these systems, after all,
    because they are cheaper, not because they are more reliable!
    
    ATMs are IMHO small potatoes. The U.S. Institute of Medicine has just
    released "Patient Safety: Achieving a New Standard for Care"
    (http://www.iom.edu/report.asp?id=16663) which continues the IOM's theme of
    making safety through the creation of higher orders of computing systems --
    basically an everything-is-connected-to-everything sort of model in which
    the entire process of healthcare delivery is mediated using computers in
    networks -- by outlining the needs for standards for data communications
    between systems. The rosy future is a world where your physician (or some
    robotic analog) 'writes' a prescription into a computer and there is nothing
    human in the way until the pill pops into your open mouth. Comparatively
    little attention has been paid to what the actual operating characteristics
    of a system composed of 106 Windows machines of 10^3 or 10^4 configurations
    running 10^8 to 10^9 lines of code might be.
    
    I foresee an era when this trend is reversed and we deliberately uncouple
    systems into smaller, isolated subsystems; where software change is
    deliberately retarded in the hope of achieving stability; where end-to-end
    automated processes are broken apart and human intermediaries inserted in an
    effort to produce robust behavior of the larger entity; and where security
    and privacy issues drive large parts of the healthcare system completely
    'off-line' so as to make them 'invisible'. Because healthcare reimbursement
    from Federal and insurance sources will be tied directly into on-line record
    keeping and so-called "quality measurement" computing, portions of
    healthcare delivery will be paid for out-of-pocket, essentially dividing the
    system into the "white" (visible, regulated, tabulated, on-line) system and
    the "black" (off-line, cash-and-carry, AMFYOYO) system. In addition, you may
    find springing up a cottage industry of configurators, people capable of
    making your small, independent, unconnected, archaic, but quite useful
    computer nets work without connecting them to the larger world.
    
    "Burning chrome" here we come!
    
    ------------------------------
    
    Date: Fri, 19 Dec 2003 9:00:00 0000
    From: Tim Panton <tpanton@private>
    Subject: Re: Diebold ATMs hit by Nachi worm (Dean, RISKS-23.07)
    
    Drew Dean describes the tendency of 'security professionals' to focus on
    their specialty and not on what might be called the "bigger picture".
    It seems to me that there are two ways to fix this problem.  The first is to
    spread the awareness of security in the programming community,
    de-specializing it and making it a core competence expected from
    designers. (we have made a small step here in this direction by making risks
    compulsory reading for all software engineers)
    
    The second way is for managers to incorporate computer security into their
    analysis of business risks when developing or adopting a new product (again
    de-mystifying it).
    
    As an aside, I don't quite buy Drew Dean's analysis of the ATM situation.
    ATMs require frequent human intervention, to fill them with cash. This puts
    them in a different category from fully autonomous systems, like weather
    stations or unmanned space craft, where being able to force an upload of
    patches without onsite intervention is clearly "a good thing".
    
    I think the thing that shocks me about the ATM story is the reliance on
    stock protocols with apparently no more security than I apply to my desktop
    systems. I mean, why not configure it to only accept signed updates, or only
    updates from a shortlist of ip addresses?
    
    Yes, the world is a messy place, but I think I like the emerging computing
    monoculture even less.
    
    ------------------------------
    
    Date: Fri, 19 Dec 2003 07:52:32 -0800
    From: "David E. Ross" <david@private>
    Subject: Re: Voter information up for grabs
    
    Selling voter information to candidates is a very old situation.  And it's
    not necessarily bad.  (The lists are sold and not given away only because of
    the cost of printing them; the same is true of lists sold in electronic
    form.)
    
    Early on, the lists were available to anyone.  With the increased concern
    about privacy, they are now available only to legitimate candidates and
    campaign committees.
    
    When I ran for local school board in the late 1970s and through the 1980s, I
    bought voter lists from the Registrar of Voters for 25c a page.  That
    allowed me to focus my door-to-door campaign on homes where actual voters
    lived.
    
    In a neighboring city, a city council candidate used her list to challenge
    illegally registered voters, individuals who registered from their business
    addresses (inside the city) instead of their residential addresses (outside
    the city, some in a different county) as required by California election
    law.  Only persons who registered within the city were eligible to vote in
    the city council election.  Some business owners perceived her as
    anti-business and wanted to vote against her.  (She won anyway, served
    several terms, and is now in the State Legislature.)
    
    At each election, the lists are posted outside the polling places for public
    inspection.  Anyone can review these lists and write down (or photograph)
    their contents.
    
    I can drive to the county recorder's office.  There, I can review the lists
    of property owners and the assessed values of their homes.  I can browse
    through all the recordings of liens, quit-claims, and title changes.  Some of
    those recordings also include wills and other declaratory statements.
    
    The point is: Some records of personal information are indeed public. They
    have been public in paper form for over a century.  The fact that they are
    now public in electronic form is not necessarily bad.  Bad uses of these
    data occurred before computers, and bad uses occur now.  Laws against those
    bad uses may be older than the computer.  While I am very concerned about
    privacy (and upset about the new federal law that invalidates the stronger
    California privacy law), I feel that privacy concerns should not eliminate
    the public availability of what have traditionally been public records.
    
    David E. Ross <http://www.rossde.com/>  
    
    ------------------------------
    
    Date: Fri, 19 Dec 2003 16:33:46 +0000
    From: Robin.Crorie at cheshire.pnn.police.uk
    Subject: Re: Online issue of civil claims (RISKS-23.06)
    
    You are still referring to this service as new...??
    
    Actually, "Money Claim Online" is not at all a new service - I've used it
    twice in the last couple of years, first issuing a summons with it on 22 Feb
    2002.
    
    Whilst the potential risks are worthy of examination, those relating to
    potential use of the service whilst masquerading as a third party need to
    take into account the fact that there are *no identity checks whatsoever*
    when using the existing paper-based system.  To my knowledge, there haven't
    been any related high-profile issues regarding this service yet, over this
    two-year period.
    
    I won't even *dare* mention ID cards... oops I just did...   :-)
    
    ------------------------------
    
    Date: 7 Oct 2003 (LAST-MODIFIED)
    From: RISKS-request@private
    Subject: Abridged info on RISKS (comp.risks)
    
     The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
     if possible and convenient for you.  Alternatively, via majordomo,
     send e-mail requests to <risks-request@private> with one-line body
       subscribe [OR unsubscribe]
     which requires your ANSWERing confirmation to majordomo@private .
     If Majordomo balks when you send your accept, please forward to risks.
     [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
     this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
     Lower-case only in address may get around a confirmation match glitch.
       INFO     [for unabridged version of RISKS information]
     There seems to be an occasional glitch in the confirmation process, in which
     case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
       .UK users should contact <Lindsay.Marshall@private>.
    => SPAM challenge-responses will not be honored.  Instead, use an alternative 
     address from which you NEVER send mail!
    => The INFO file (submissions, default disclaimers, archive sites,
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues.  *** All
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risks@private with meaningful SUBJECT: line.
     *** NEW: Including the string "notsp" at the beginning or end of the subject
     *** line will be very helpful in separating real contributions from spam.
     *** This attention-string may change, so watch this space now and then.
    => ARCHIVES: http://www.sri.com/risks
     http://www.risks.org redirects you to the Lindsay Marshall's Newcastle archive
     http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue]
       Lindsay has also added to the Newcastle catless site a palmtop version 
       of the most recent RISKS issue and a WAP version that works for many but 
       not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing,
        http://www.csl.sri.com/illustrative.pdf or .ps for printing
    
    ------------------------------
    
    End of RISKS-FORUM Digest 23.09
    ************************
    