[1474] in RISKS Forum

Risks Digest 20.43

daemon@ATHENA.MIT.EDU (RISKS List Owner)
Fri Jun 4 19:44:39 1999

From: RISKS List Owner <risko@csl.sri.com>
Date: Fri, 4 Jun 99 16:41:58 PDT
To: risks@MIT.EDU

RISKS-LIST: Risks-Forum Digest  Friday 4 June 1999  Volume 20 : Issue 43

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/20.43.html>
and at ftp.sri.com/risks/ .

  Contents:
A THAAD Day in Black Rock (PGN)
Ghost bridge (Meine van der Meulen)
Y2K Test Knocks Out Fiji's Telecommunications (Doneel Edelson)
Hackers take down FBI and Senate Internet sites ... (Keith A Rhodes)
Crackers do for gov't what critical infrastructure report couldn't
  (John Gilmore)
Errors in the Cox report on Chinese nuclear spying (PGN)
Hoax takes down country's phone networks (Lloyd Wood)
Symbols silently slip south: it's not Greek to pdf (Bryan O'Sullivan)
John Denver and interfaces (Lindsay Marshall)
Smart Identity Card to debut in Malaysia (Anonymous)
Late-night movie viewing and computerized ticket sales (Steve Fenwick)
Senator Hatch - Trademark (Alan Barclay)
BUGTRAQ may be banned in Australia (Peter Jeremy via Seth David Schoen)
Re: Microsoft "fixes" the MS Office ... vulnerability (David Mediavilla)
We don't care, we don't have to, we're the phone company! (John Pettitt)
Firewall risks (Robert David Graham)
Re: Allaire defects are nobody's fault? (Adam Shostack)
A Problem with Biometrics (Andrew J Klossner)
Re: Biometric risks (Ron Ruble)
California will sell confidential wage data (PGN)
Privacy Digests (PGN)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 26 May 99 11:22:54 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: A THAAD Day in Black Rock

The Pentagon halted a test of the Theater High-Altitude Area Defense (THAAD)
missile-defense system, when a Hera target rocket malfunctioned.  THAAD is
under scrutiny after seven consecutive failed tests.  [Source: Reuters item,
26 May 1999, seen in the *San Francisco Chronicle*.]

  [Maybe this renewed attempt to develop the Star Wars technology should be
  left to George Lucas, who seems to do it much better.  Perhaps animating
  the system without ever building it would be the most cost-effective
  strategy.  PGN]

------------------------------

Date: Wed, 2 Jun 1999 16:32:10 +0200 
From: Meine van der Meulen <M.van.der.Meulen@simtech.nl>
Subject: Ghost bridge

Kropswolde, Monday. The bridge on the Meerweg in the village Kropswolde
manifested itself as a ghost bridge during the weekend. A car driver was
trapped when he passed the bridge and both barriers suddenly closed. The
police managed to rescue the man. Just after this rescue action, the bridge
suddenly opened and closed without apparent reason. The village closed the
bridge.  [Source: *Algemeen Dagblad*, 1 Jun 1999]

M.J.P. van der Meulen <meine.van.der.meulen@simtech.nl>

------------------------------

Date: Wed, 26 May 1999 13:13:43 -0400
From: "Edelson, Doneel" <doneeledelson@aciins.com>
Subject: Y2K Test Knocks Out Fiji's Telecommunications

Fiji's telecommunications services were completely shut down for several
hours on 24 May 1999 when a Y2K test by Telecom Fiji Ltd. caused the entire
system to crash.  [See http://www.tfl.com.fj/.  Source: Yahoo Asia News -
Technology, Newsbytes item by Adam Creed, Post-Newsweek Business
Information, Inc., 24 May 1999: PGN-ed.]

------------------------------

Date: Fri, 28 May 1999 13:13:37 -0500
From: "Keith A Rhodes"<rhodesk.aimd@gao.gov>
Subject: Hackers take down FBI and Senate Internet sites ...

Both FBI and Senate Web sites were attacked on 27 May 1999, evidently in
retaliation for the FBI's harassment of certain hacker groups -- including
one that apparently cracked the White House site earlier this month (for
which Eric Burns (Zyklon) was indicted).  Both sites were removed from
service, although only the Senate site was penetrated and altered.  [Source:
Associated Press item by Ted Bridis, 28 May 1999; PGN-ed.]

  [The Department of Interior and a Govt facility at Idaho Falls
  were also hit on 31 May 1999.  Other attacks were reported 
  subsequently.  PGN]

------------------------------

Date: Thu, 03 Jun 1999 19:05:50 -0700
From: John Gilmore <gnu@toad.com>
Subject: Crackers do for gov't what critical infrastructure report couldn't

"There's a government-wide effort to make sure that our computer systems
remain secure," White House Press Secretary Joe Lockhart said in a briefing.

	http://www.zdnet.com/zdnn/stories/news/0,4586,2268574,00.html

As usual, the computer underground is doing a service to the country by
making it clear just how shallow the government's understanding of computer
security is.  They are quite curiously refraining from damaging anything in
their intrusions but the egos of the bureaucracies involved.  As usual, the
first response of the Feds is to threaten dire punishment for the
messengers.  But they are being prodded into actually attempting to keep
serious attackers out, a novel idea somewhat overdue for consideration.

Perhaps this is heresy, but has the computer underground considered
demonstrating that it can break into electrical power distribution
computers, and the phone network, so those will get secured too?

John

------------------------------

Date: Fri, 4 Jun 1999 16:35:12 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Errors in the Cox report on Chinese nuclear spying

An article by James Oberg on the ABC News Science website documents
many misstatements in the Cox report.

http://www.abcnews.go.com/sections/science/DailyNews/oberg990602.html

------------------------------

Date: Tue, 11 May 1999 00:16:27 +0100 (BST)
From: Lloyd Wood <L.Wood@surrey.ac.uk>
Subject: Hoax takes down country's phone networks

http://news.bbc.co.uk/hi/english/world/middle_east/newsid_340000/340104.stm

Article claiming:

1. Lebanese radio station broadcasts hoax claiming cellular networks
   are affected by Chernobyl virus (the current popular student excuse
   for tardy wordprocessed reports, if my experience is at all typical).

2. Lebanese immediately stop using popular cellular networks,
   and switch to landline networks to warn each other of anticipated
   cellular problems. (Israel's also known for its heavy cellular use.)

3. Landline networks are promptly overloaded due to normally-large
   and now-displaced cellular use and warnings of problems. The radio
   broadcast has prompted a flash crowd and service outages result.
   
4. Conspiracy theorists suspect underlying motives in finger-pointing
   wake, while ignoring the risks of behaving rationally when armed
   with false information and not having meme countermeasures in place.

Handling and selectively discarding the majority of calls from flash crowds
caused by e.g. television phone-ins is trivial; it's arranged in advance (if
the media people know their jobs...) and you know where the flash calls are
going. But how do you effectively deal with a many-to-many surge like this?

Dimensioning telco switch capacity for expected use doesn't lead to graceful
degradation under heavy load, but hey, that's Erlang for you.

Legacy local loop is the real constraint/problem; degrading the quality of
digitised voice traffic in the plesiochronous backbone and restoring at the
other end to increase capacity is a trivial codec application, and just a
minor step up from silence suppression.

I think this is something like the sinister inverse of the oft-cited
disaster scenario, where network damage is suffered and any remaining
functional cellular and landline capacity would be immediately overwhelmed
by people trying to locate loved ones. The callers are behaving rationally
and selfishly; the networks can't cope effectively. I'd say 'tragedy of the
commons' if it wasn't for the fact you pay for phone service.

This is far more impressive than that "if someone tells you to dial #91,
don't" meme, which got through multiple countries to users of all types of
mobile networks recently. But the "withdraw money from banks for Y2K to
avoid the financial crash the withdrawals contribute to" and the "don't
purchase Iridium handsets because Iridium are in trouble" memes may yet have
far more impressive results as self-fulfilling prophecies.

<L.Wood@surrey.ac.uk>PGP<http://www.ee.surrey.ac.uk/Personal/L.Wood/>

------------------------------

Date: Wed, 2 Jun 1999 20:00:07 -0700 (PDT)
From: "Bryan O'Sullivan" <bos@serpentine.com>
Subject: Symbols silently slip south: it's not Greek to pdf 

In the course of some exploratory work I am doing, I recently
downloaded a technical paper in Adobe's Portable Document Format:

  http://research.microsoft.com/copyright/accept.asp?path=http://research.microsoft.com/~hoppe/siggraph96pm.pdf&pub=acm

  [SPLIT FOR THOSE FOR WHOM IT IS OFF THE PAGE:
  http://research.microsoft.com/copyright/accept.asp?path=http://
    research.microsoft.com/~hoppe/siggraph96pm.pdf&pub=acm]

After a brief perusal of the abstract using Adobe's free Acrobat Reader for
Linux, I decided that the paper was interesting enough to print out, and
squirreled the hardcopy away for later perusal.

When I went to read the paper today, I was a little surprised to find that
it had not reproduced very well.  In particular, much of the mathematical
notation in the paper was garbled or missing; Greek characters and curly
braces were notable by their absence.  All of this information was
represented correctly on-screen by Acrobat Reader; it was silently mangled
when I printed the document out.

Worried, I did a little more experimentation.  The free gv viewer had no
trouble displaying the paper on my screen (but I didn't try printing it
out).  The free xpdf viewer dropped most of the mathematical notation, but
the author at least documented this shortcoming (relating to embedded
fonts).

As I am not near a printer at the moment, I am going through my hardcopy of
the paper with a pen, adding the missing characters.  Most disturbingly of
all, as I began to make these corrections, I found that the mathematical
symbol for inequality (an "equals" symbol with a slash through it) was
misrendered on paper as that for equality.

The RISK seems clear - technical papers presented for downloading in PDF can
be arbitrarily garbled by viewers in ways that may be difficult to spot.

------------------------------

Date: Tue, 1 Jun 1999 13:55:50 +0100 (GMT)
From: Lindsay.Marshall@newcastle.ac.uk
Subject: John Denver and interfaces

<http://www.asktog.com/columns/027InterfacesThatKill.html> describes
how John Denver was killed because of a modified interface in the plane
he was flying.

  http://catless.ncl.ac.uk/Lindsay

    [The builder had changed the designer's plans, placing the fuel-tank
    selector controls rather weirdly over the pilot's shoulder, unlabelled,
    with up for off, down for the right tank, and to the right for the left
    tank.  There are more curiosities in the NTSB report, at www.ntsb.gov.  
    PGN]

------------------------------

Date: Tue, 1 Jun 1999 09:29:15 +0100 (BST)
From: [Identity anonymized]
Subject: Smart Identity Card to debut in Malaysia

Malaysia's compulsory National Registration Identity Card (NRIC), required
for doing anything official or semi-official (such as banking, buying a car,
etc) is to become SMART and include financial and health data, driving and
travel rights and criminal offences in addition to the residence address and
thumbprints on the current laminated paper version.

The thumbprint, currently underused, is set to become the standard
computerised ID biometric used by government agencies.

The new NRIC may also become the national payment system.

NRIC numbers are issued at birth (on the birth certificate) but the card
itself is issued at the age of 12, and must thereafter be carried at all
times.  

I have no information about the private company that has won the contract to
supply the new smart cards.  Nor have I heard of any public scrutiny
mechanism to ensure that the technology does not contain flaws that will
enable this data to fall into the wrong hands.

  [Source: article by Philip Golingai, Your smart IC Card with personal data
  of holder expected out in August next year, The Star, 1 Jun 1999.]

------------------------------

Date: Thu, 20 May 1999 19:43:20 -0700
From: Steve Fenwick <scf@w0x0f.com>
Subject: Late-night movie viewing and computerized ticket sales

If you're an after-midnight movie-goer, check your tickets!

I bought tickets last weekend for "Phantom Menace", dated Wednesday, May
19th, 12:15AM. Bright RISKS readers can guess what's coming next...

The theatre's computer apparently does not recognize midnight as the break
between two days, it uses the normal box office opening time (11AM) as the
break. So their 12:15AM 5/19 show was really on 5/20 at 12:15AM.

Oops.

So I wound up seeing the show on 5/18 (according to their computer), a full
day before the movie officially opened. Take *that*, Darth Vader!

Steve Fenwick <scf@w0x0f.com> http://www.w0x0f.com

  [Star Warps?  PGN]

------------------------------

Date: Thu, 27 May 1999 12:55:40 -0400
From: Alan Barclay <gorilla@elaine.drink.com>
Subject: Senator Hatch - Trademark

ABC News apparently thinks that Senator Orrin Hatch has registered
his name as a trademark, in
http://www.abcnews.go.com/sections/tech/DailyNews/netbombs990525.html

  "The amendment, sponsored by Sens. Orrin Hatch [*R*] of
  Utah and Dianne Feinstein (D) of California, does not make
  it illegal to simply provide the information, However."

Here "[*R*]" designates the \256 code that prints as the circle-R
registered-trademark symbol.  Obviously we're seeing some sort of
translation between (R) and the circle-R, even though in this case the 
(R) is the correct text. An old story of over-enthusiastic substitution.

  [By the time I checked it out the next day, it had been fixed.  PGN]

------------------------------

Date: 	Thu, 27 May 1999 08:21:26 +1000
From: Peter Jeremy <peter.jeremy@AUSS2.ALCATEL.COM.AU>
Subject:      BUGTRAQ may be banned in Australia
To: BUGTRAQ@netspace.org

  [Forwarded to RISKS by Seth David Schoen <schoen@loyalty.org>.  PGN]

This message is intended as a call-to-arms for BUGTRAQ subscribers as
well as a warning to subscribers in other countries.

Yesterday, the Australian Senate (Upper House of the Federal Government)
passed legislation to censor the Internet (I don't have a URL for the final
legislation at present).  This legislation mandates the censorship of
Internet content (which includes mailing lists) as if it was a film.  All
Australian ISPs are required to filter overseas content that would be rated X
or RC under the Australian classification guidelines (see
http://www.oflc.gov.au/PDFs/Film%20&%20Video%20Guidelines.pdf).

The RC (Refused Classification) category states:

"The Classification Code sets out the criteria for refusing to classify
 a film or video. The criteria fall into three categories. These include
 films that: ...  promote, incite or instruct in matters of crime or
 violence."

and later

"Films and videos will be refused classification: or if they contain:
 ...  detailed instruction in: matters of crime or violence,"

BUGTRAQ is a full-disclosure list and regularly contains detailed
descriptions of how to break into computers.  Breaking into computers is
a crime in Australia.  It is therefore possible that BUGTRAQ could be
classified "RC" and hence banned in Australia.

Refer to http://www.efa.org.au/ for further information.

Peter Jeremy (VK2PJ)                    peter.jeremy@alcatel.com.au
Alcatel Australia Limited
41 Mandible St                          Phone: +61 2 9690 5019
ALEXANDRIA  NSW  2015                   Fax:   +61 2 9690 5982

----- End forwarded message -----

Seth David Schoen <schoen@loyalty.org>
http://ishmael.geecs.org/~sigma/  (personal)  http://www.loyalty.org/  (CAF)

  [Ah, yes, and Linux source code contains some dirty words.  PGN]

------------------------------

Date: Thu, 27 May 1999 14:59:53 +0200
From: Mediavilla David <davidme.Forum@BigFootNOSPAM.com>
Subject: Re: Microsoft "fixes" the MS Office ... vulnerability (R 20 42) 

After reading RISKS 20.42, a combination of risks came to my mind. Paul
Walker mentioned the Microsoft plan to sign Office 2000 macros.  In "German
government criticizes own style in Word documents", Debora Weber-Wulff
mentions that Office automatically fills author and organization information
from the current machine.

I am not sure if this means Microsoft may have enabled that every macro that
came to my system without signing, say an Office 97 virus that I
inadvertently loaded, will come out as signed by me. Then, everybody who
trusts me will become infected (and I will be blamed).

I asked Paul Walker (the original poster to RISKS). According to the MS
document, with security settings as 'high' unsigned macros are silently
disabled. Set to 'low', Office 2000 will silently run them. Set to 'medium',
Office 2000 will ask the user.

<PAUL WALKER>
Reading the document further does not explicitly state what happens to the
macro when it is opened under low security settings.  It would appear that
the macro will run, but it will not be signed.  Signing a macro appears to
be something that you have to do yourself.

It would appear that this won't be a danger, but...

Can you have an untrusted vb code make a function call that would sign the
macro?  In current versions of word, almost every menu function (maybe all,
I have not checked) can be done through the vb macros.  Until I get a copy
of the software in my hands, I won't be able to confirm this...
</PAUL WALKER>

  David Mediavilla Ezquibela	<davidme.forum@bigfootNOSPAM.com>
  [ES/EN/EO/EU]	(Lan)

------------------------------

Date: Tue, 25 May 1999 16:47:14 -0700
From: John Pettitt <jpp@cloudview.com>
Subject: We don't care, we don't have to, we're the phone company!

I recently made a couple of trips to the UK on business and not wishing to
spend the entire US GDP on phone bills (UK hotel phones should be avoided
at all costs) I used my MCI card to call home and check e-mail.

When I got back my MCI bill was full of "operator assisted" calls from the
UK to the US (billed at more than $2 per min).  I called MCI and after they
dialed the number and confirmed that it was indeed a modem and that no their
operators could not speak V.90 I got a credit for $200 or so.

My next MCI bill was for $4000+ - with exactly the same problem (in this
case close to $3000 in over billing).  This time they would not issue a
credit (they can't tell me why - I'm not allowed to talk to the people who
decide these things).

There are a whole bunch of risks here:

1) Systems that are wrongly configured  and over bill even when used 
   according to the instructions (and still do it a month after first 
   reported)

2) Customer service systems that prevent customers from talking 
   to decisionmakers.

3) No exception system to allow issues to be escalated.

I'm reminded of the well-known phrase "We don't care, we don't have to, we're
the phone company".

John Pettitt (ex MCI customer, about to hand the whole mess to the lawyers)

------------------------------

Date: Tue, 1 Jun 1999 19:49:15 -0700
From: "Robert David Graham" <rob-risks@netice.com>
Subject: Allaire firewall RISKS

In the past couple months, hundreds (if not thousands) of web sites using
Allaire's ColdFusion have been hacked (their web pages have been defaced).
When interviewed by the press, one site administrator said, "We are
installing a firewall so that this won't happen again".

However, firewalls do not protect against this particular hack.

Explanation: Firewall technology is based on "port filters". The average web
server has many ports open for a variety of reasons, but needs only port 80
in order to serve web pages. However, ColdFusion runs as part of the web
server reachable at port 80. QED, placing a firewall in front of a web server
provides no protection against the ColdFusion hack.

Firewalls do not "prevent" hacks, as most people believe. They simply reduce
RISKS by reducing the number of ports or IP addresses that may be exposed
inadvertently on the Internet. The remaining ports (such as e-mail, web, and
FTP servers) can often be hacked.

In practice, firewalls probably increase RISKS overall. Consider a study of
Berlin taxi drivers who were given anti-lock brakes: the taxi drivers
started driving more aggressively, and had more accidents. Therefore, the
study concluded that anti-lock actually INCREASES RISKS. What is really
going on is that firewalls/ABS only decrease RISKS if behavior is left
unchanged, but the added security encourages RISKy behavior.

The ColdFusion bug was not really Allaire's fault -- the bug was in a sample
script that Allaire recommends be removed from a production web server.
Almost every web-site creation package like ColdFusion has the same problem,
including Microsoft's ASP scripting, FrontPage web hosting, and sample CGI
programs. Administrators feel safe behind firewalls and do not diligently
check their web servers for these problems. For the most part, crackers who
intend to deface web pages or steal credit card information from web servers
do not care about firewalls that might protect the target servers.

Robert Graham
http://www.networkice.com/advice
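
  [Added example, not part of Robert Graham's post and not Allaire's code:
  a small model of the point above.  A port filter decides on protocol and
  destination port alone, so a request for a leftover sample script on port
  80 is admitted exactly like a request for the home page, while a check of
  the web root does find the leftovers.  The policy, the sample directory
  names, the deployed paths and the connections are all constructed
  assumptions.]

```python
"""Port filter vs. web-root audit. All names and data here are constructed."""
from dataclasses import dataclass
from pathlib import PurePosixPath

# Assumed perimeter policy: only inbound TCP/80 reaches the web server.
ALLOWED = {("tcp", 80)}

# Hypothetical directory names for vendor sample content. The post gives no
# real product paths; substitute the list your vendor documents.
SAMPLE_DIR_NAMES = {"samples", "examples", "demo"}


@dataclass(frozen=True)
class Connection:
    proto: str
    dst_port: int
    payload: str  # application data; a port filter never inspects this


def filter_view(conn):
    """Everything a port filter bases its decision on."""
    return (conn.proto, conn.dst_port)


def port_filter(conn):
    """Admit or drop on protocol and destination port only."""
    return filter_view(conn) in ALLOWED


def request_path(conn):
    """Path of an HTTP request line, or None if the payload is not one."""
    parts = conn.payload.split()
    if len(parts) >= 2 and parts[0] in {"GET", "POST", "HEAD"}:
        return parts[1]
    return None


def leftover_samples(deployed_paths):
    """Deployed files that sit under a sample-content directory."""
    hits = []
    for path in deployed_paths:
        dirs = [d.lower() for d in PurePosixPath(path).parts[:-1]]
        if SAMPLE_DIR_NAMES.intersection(dirs):
            hits.append(path)
    return sorted(hits)


def admitted_sample_requests(connections, deployed_paths):
    """Requests that pass the port filter and land on leftover sample files."""
    leftovers = set(leftover_samples(deployed_paths))
    return [
        request_path(c)
        for c in connections
        if port_filter(c) and request_path(c) in leftovers
    ]


# Constructed traffic: two web requests and one telnet attempt.
CONNECTIONS = [
    Connection("tcp", 80, "GET /index.html HTTP/1.0"),
    Connection("tcp", 80, "GET /samples/demo/viewer.cgi HTTP/1.0"),
    Connection("tcp", 23, ""),
]

# Constructed listing of what is deployed under the web root.
DEPLOYED = [
    "/index.html",
    "/app/order.cgi",
    "/samples/demo/viewer.cgi",
    "/Examples/guestbook/sign.cgi",
]

if __name__ == "__main__":
    for c in CONNECTIONS:
        verdict = "admit" if port_filter(c) else "drop"
        print(verdict, filter_view(c), request_path(c))
    print("remove before production:", leftover_samples(DEPLOYED))
    print("admitted to samples:", admitted_sample_requests(CONNECTIONS, DEPLOYED))
```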

------------------------------

Date: Thu, 3 Jun 1999 12:31:20 -0400
From: Adam Shostack <adam@homeport.org>
Subject: Re: Allaire defects are nobody's fault? (Graham, RISKS-20.43)

Robert David Graham wrote:
| The ColdFusion bug was not really Allaire's fault -- the bug was in a
| sample script that Allaire recommends be removed from a production web
| server. Almost every web-site creation package like ColdFusion has the
| same problem, including Microsoft's ASP scripting, FrontPage web
| hosting, and sample CGI programs. Administrators feel safe behind

I'm sorry, but that's not the case.  The ColdFusion bug was Allaire's fault.
They wrote and shipped crap sample code that has security flaws in it.  That
code has probably been modified into other vulnerable programs.  There are a
reasonably large number of secure programming FAQs available; Matt Bishop
has one, there's one in Garfinkel and Spafford, there's one I wrote.

I've seen academic references in 1976 or so that programs that don't
validate their input are vulnerable to attack.  To absolve a company of
blame for shipping bogus code is wrong.  They screwed up.  They got lots of
people in trouble.  They wasted lots of people's time.
 
If you don't have time to do the sample code right, don't ship it.  It's been
a long time since a problem like this was found in Apache; NCSA had a slew,
and the web folks learned.  You can read the history of it in the bugtraq
archives.

------------------------------

Date: Thu, 27 May 1999 13:37:07 -0700
From: Andrew J Klossner <andrew@pogo.WV.TEK.COM>
Subject: A Problem with Biometrics

Unlike account numbers and PINs, biometrics suffer from the Universal
Identifier problem.  I can use a different account number and password at
each of several institutions, and can change them at need.  Switching to
iris scan would have me use the same immutable password everywhere.

This will also lead to unwanted pooling of data by commercial and
government interests.  Dig out any article on the evils of the
U.S. Social Security Number as identifier and change "SSN" to "iris
scan" throughout.

  -=- Andrew Klossner (andrew@pogo.wv.tek.com)

------------------------------

Date: Mon, 24 May 1999 05:33:33 -0400
From: Ron Ruble <raffles1@worldnet.att.net>
Subject: Re: Biometric risks

In RISKS-20.41, Dan Wallach and Paul Lewis Gittins both mentioned risks
involving lack of an alternative to biometric identification.  They
identified the risk of not servicing visually impaired individuals whose
irises can't be scanned.

In the US, failure to provide a fallback method of identification may well
place the owners of the system at legal risk.

Not having a fallback may well be considered a violation of the Americans
With Disabilities Act. The ADA does not spell out specific rules or
requirements, but does make the statement that 'reasonable accommodation'
must be made for all persons with disabilities. It would be up to the jury
to decide whether having a card and PIN as a fallback for the biometric
system was reasonable.

Some might argue that many visually impaired people would go to the human
tellers anyway, and during banking hours, this may be an acceptable
accommodation. But it does not provide the 24-hour availability of the ATM.

In addition, the manufacturers of the devices may be at risk if they
install or recommend installing the devices without fallback options.

I seem to recall that several European nations have similar laws that
require similar accommodations for the disabled. I hope some of the
Europeans who frequent this forum will comment on that.

Ron Ruble, Raffles Software Development, Inc.

------------------------------

Date: Fri, 4 Jun 1999 16:33:19 PDT
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: California will sell confidential wage data 

California will begin selling confidential wage data of 14 million of its
residents to private information companies, car dealers and creditors
wanting to check an individual's annual income.  [...]  No data would be
shared without the written permission of the individual, state officials
said.  However, private companies that are deemed qualified to access the
data would operate on an honor system and would not be required to show
proof of each individual's written permission before accessing the
information.  [Do you believe this one?  See nandotimes, 3 Jun 1999,
http://www.nandotimes.com/noframes/story/0,2107,55865-89293-634754-0,00.html]

------------------------------

Date: 17 Apr 1997
From: RISKS moderator
Subject: Privacy Digests
 
Periodically I remind you of TWO useful digests related to privacy, both of
which are siphoning off some of the material that would otherwise appear in
RISKS, but which should be read by those of you vitally interested in
privacy problems.  RISKS will continue to carry general discussions in which
risks to privacy are a concern.

* The PRIVACY Forum is run by Lauren Weinstein.  It includes a digest (which
  he moderates quite selectively), archive, and other features, such as
  PRIVACY Forum Radio interviews.  It is somewhat akin to RISKS; it spans
  the full range of both technological and nontechnological privacy-related
  issues (with an emphasis on the former).  For information regarding the
  PRIVACY Forum, please send the exact line:
     information privacy
  as the BODY of a message to "privacy-request@vortex.com"; you will receive
  a response from an automated listserv system.  To submit contributions,
  send to "privacy@vortex.com". 

  PRIVACY Forum materials, including archive access/searching, additional
  information, and all other facets, are available on the Web via:
     http://www.vortex.com

* The Computer PRIVACY Digest (CPD) (formerly the Telecom Privacy digest) is
  run by Leonard P. Levine.  It is gatewayed to the USENET newsgroup
  comp.society.privacy.  It is a relatively open (i.e., less tightly moderated)
  forum, and was established to provide a forum for discussion on the
  effect of technology on privacy.  All too often technology is way ahead of
  the law and society as it presents us with new devices and applications.
  Technology can enhance and detract from privacy.  Submissions should go to
  comp-privacy@uwm.edu and administrative requests to
  comp-privacy-request@uwm.edu.

There is clearly much potential for overlap between the two digests,
although contributions tend not to appear in both places.  If you are very
short of time and can scan only one, you might want to try the former.  If
you are interested in ongoing discussions, try the latter.  Otherwise, it
may well be appropriate for you to read both, depending on the strength of
your interests and time available.  PGN

------------------------------

Date: 23 Sep 1998 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) 
 if possible and convenient for you.  Alternatively, via majordomo, 
 SEND DIRECT E-MAIL REQUESTS to <risks-request@csl.sri.com> with one-line, 
   SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or
   INFO     [for unabridged version of RISKS information]
 .MIL users should contact <risks-request@pica.army.mil> (Dennis Rears).
 .UK users should contact <Lindsay.Marshall@newcastle.ac.uk>.
=> The INFO file (submissions, default disclaimers, archive sites, 
 copyright policy, PRIVACY digests, etc.) is also obtainable from
 http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues.  *** All 
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
 ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 19" for volume 19]
 or http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
 PostScript copy of PGN's comprehensive historical summary of one liners:
   illustrative.PS at ftp.sri.com/risks .

------------------------------

End of RISKS-FORUM Digest 20.43 
************************
