[1890] in RISKS Forum
Risks Digest 22.77
daemon@ATHENA.MIT.EDU (RISKS List Owner)
Wed Jun 18 13:42:09 2003
From: RISKS List Owner <risko@csl.sri.com>
Date: Wed, 18 Jun 2003 10:41:46 PDT
To: risks@mit.edu
RISKS-LIST: Risks-Forum Digest Wednesday 18 June 2003 Volume 22 : Issue 77
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at http://www.risks.org as
http://catless.ncl.ac.uk/Risks/22.77.html
The current issue can be found at
http://www.csl.sri.com/users/risko/risks.txt
Contents:
Cyberterrorists in the U.S. Senate (Curt Sampson)
Digital mobile phones can phreak pacemakers (George Michaelson)
United Airlines to offer e-mail on domestic flights (NewsScan)
$24-million spreadsheet "boo-boo" (Jonathan Levine)
Crash loses names of Canadian firearms registrants (Derek K. Miller)
Scotland Yard outage chaos (Dave Austin)
eBay fraud (John Reinke)
Tiny tracking chips surface in retail use (Monty Solomon)
Smart cellphone would spend your money (Steve Holzworth)
Virginia grievance system online - with a slight problem (Jeremy Epstein)
Sign someone up to be an organ donor! (Giles Todd)
Continental Airlines check-in computer foul-up (Steve Bellovin)
Downloading data can turn your computer into a server (greep)
Re: U of Calgary to teach virus writing (Crispin Cowan)
Computer bugs and believing reliable sources (Mark Brader)
Re: Slade's Review of Mission Critical Security Planner (Eric Greenberg)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Wed, 18 Jun 2003 14:56:12 +0900 (JST)
From: Curt Sampson <cjs@cynic.net>
Subject: Cyberterrorists in the U.S. Senate
The chairman of the Senate Judiciary Committee [Sen. Orrin Hatch, R-Utah]
said Tuesday he favors developing new technology to remotely destroy the
computers of people who illegally download music from the Internet.
http://www.salon.com/tech/wire/2003/06/17/hatch_download/
I don't know that there's much more to be said.
Curt Sampson <cjs@cynic.net> +81 90 7737 2974 http://www.netbsd.org
[There's lots more to be said. For example, some software vendors would
like to do that to their competitors, not just to their customers. PGN]
------------------------------
Date: Thu, 12 Jun 2003 10:02:57 +1000
From: George Michaelson <ggm@apnic.net>
Subject: Digital mobile phones can phreak pacemakers
http://www.newsfactor.com/perl/story/21695.html
The new generation of digital mobile phones can interfere with many types of
heart pacemakers, claims a new study in the Institute of Physics journal
Physics in Medicine and Biology. Pacemakers can confuse mobile-phone signals
with the heart's own electrical signals, causing a malfunction.
George Michaelson, APNIC, PO Box 2131 Milton QLD 4064, Australia
+61 7 3367 0490 http://www.apnic.net ggm@apnic.net
------------------------------
Date: Wed, 18 Jun 2003 08:35:11 -0700
From: "NewsScan" <newsscan@newsscan.com>
Subject: United Airlines to offer e-mail on domestic flights
By the end of the year, United Airlines will become the first domestic
airline to offer e-mail on all of its domestic flights. Industry analyst
Jonathan Gaw of IDC says the service will be a good attraction for business
users, who both need their e-mail and who can expense it." For $15.98 a
flight, a passenger will be able to send and receive e-mail and attachments,
by connecting a laptop computer to a jack on the Verizon Airfone handset
available throughout the plane. [*Baltimore Sun*, 18 Jun 2003; NewsScan
Daily, 18 June 2003]
http://www.sunspot.net/technology/bal-bz.email18jun18,0,7414783.story
?coll=bal-technology-headlines
[And I presume first-class passengers will be offered a plate of Spam as
an appetizer, with Monterey Jack. (And why is Jack always female in this
context?) What about people SENDING spam from the plane? What about spam
filters for incoming e-mail? Nothing like sitting on a 6-hour flight and
watching your spam pile up. PGN]
------------------------------
Date: Wed, 4 Jun 2003 17:08:10 -0600
From: Victor the Cleaner <jonathan@canuck.com>
Subject: $24-million spreadsheet "boo-boo"
From *The Calgary Sun*, 4 Jun 2003:
TransAlta Corp said yesterday a "clerical error" was a costly one for the
power producer -- $24 million US to be exact. The Calgary-based company
said a spreadsheet goof by an employee last April caused the company to
pay higher than intended rates to ship power in New York. CEO Steve
Snyder told a conference call yesterday a "cut-and-paste" foul-up in an
Excel spreadsheet on a bid to New York's power grid operator led TransAlta
to secure 15 times the capacity of power lines at 10 times the price. The
costly human error couldn't be reversed by the grid operator and while
TransAlta has since tried to recoup the mammoth losses, it was left with a
$24-million US lesson. [...]
The RISKS? Jeez, where do you start? This sort of thing is becoming so
depressingly common that it barely makes print. Enormously complicated and
powerful tools that are capable of simultaneously magnifying minor errors
and burying from sight the megabuck consequences? The apparent "we're
terribly sorry, but our computers aren't programmed to issue refunds"
response of the "New York power grid operator"?
Jonathan Levine, Middle Digital Inc. http://www.realweasel.com
[Also noted by Morty Ovits.
http://reddeeradvocate.com/editorials/radB948F.htm
and George N. White III. PGN]
------------------------------
Date: Wed, 04 Jun 2003 15:29:19 -0700
From: "Derek K. Miller" <dkmiller@pobox.com>
Subject: Crash loses names of Canadian firearms registrants
A database crash now threatens to turn people trying to comply with an
unpopular law into lawbreakers instead.
The Canadian government has been attempting to implement a nationwide
firearms registry for several years now. What was originally supposed to
cost at most a few million dollars to document every previously undocumented
rifle or shotgun in the country has now ballooned into a $1 billion-plus
megaproject that appears not to work.
http://www.cbc.ca/news/features/firearms_act.html
Even those, like me, who are firmly for Canada's strong gun-control laws
find the way this project has been put together to be laughable (and that's
a charitable assessment). In many rural parts of Canada, a long gun is a
necessity, at least to hunt for food or as protection against potentially
dangerous wildlife (everything from polar bears to moose and wolverines,
depending on where you are) for people living or working in the bush, from
native communities to petroleum exploration teams.
The latest registry mishap to come to light is that the database software,
overloaded before the registration deadline was extended several months from
its original 1 January 2003 date, crashed, and apparently took some
registrants' names with it. No one seems to know how many, and I haven't
been able to track down any details of the kinds of software or platforms
that were in use.
http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/1054726691584_31/
To add to the federal government's trouble, a number of provinces have now
said they will refuse to prosecute people who flout the act by not
registering their guns -- and there are many such scofflaws.
>From the CTV article above:
> The federal Firearms Act and the Criminal Code state that anyone possessing a
> firearm as defined in Section 2 of the Code must hold a valid firearms
> registration certificate. The new legislation requires that owners of
> long-guns such as rifles and shotguns, register their weapons by July 1 or
> face legal action.
>
> Critics of the gun registry have argued that the legislation is nothing more
> than a costly waste of time.
>
> The auditor general has projected it could end up costing more than $1
> billion by 2005 rather than the net $2 million over 10 years projected
> when it was established in 1995. And many say people who would use their
> firearms for violent offences aren't likely to register their guns anyway.
Aside from the direct risks of setting up a database without the bandwidth
or computational headroom for large increases of traffic before a deadline,
lacking proper file journaling, and insufficiently backed up, there is the
additional risk that the predictable failure of such a system will cast
further bad light on a project already suffering from a reputation for
inefficiency and poor planning.
Derek K. Miller - dkmiller@pobox.com
[Also noted by Dan Haggarty. PGN]
------------------------------
Date: Fri, 6 Jun 2003 11:01:37 +0100
From: "Dave Austin" <dave.austin@insight.co.uk>
Subject: Scotland Yard outage chaos
I thought that this was of interest, an old risk but surprising to find such
a high profile building vulnerable:
Yard crisis as power fails , 4 Jun 2003
Scotland Yard was plunged into crisis today by a massive power and
communications failure. All phones in the building were cut off as all
lines to the Yard were down, while the central system for handling 999 calls
also failed and had to be switched to local police stations. Computers
which log emergency and other calls to police in London - known as the CAD
system - failed, along with a second system to Hendon which was supposed to
provide an emergency back-up. Emergency generators restored power to the
building, but officers had to resort to using mobile phones. A group of
senior officers was called together to handle the crisis. One police source
said the meeting had examined the possibility that the power failure was a
terrorist or a criminal act, though this had been ruled out. The failure
showed the vulnerability of the Yard's communications network at a time when
London is on alert for a possible terrorist outrage. The phones and
electricity crashed at about 9.30am and were still out of action two hours
later. A Yard spokesman said the crisis was caused by a single workman
cutting through an electricity cable in the Victoria area, and that the
company's chief executive had personally apologised to senior officers. As
engineers from the Yard and outside companies were working flat-out to solve
the problem, the police spokesman emphasised that officers were still
responding to 999 calls which had been routed through the main London police
stations. "We have contingency plans in place which are working well,"
added the spokesman. "We are still able to provide emergency cover for
London. "This is a serious matter and we are seeking to bring the building
back on-line as quickly as possible." One employee at the building said:
"We're in the hands of the engineers." Asked if it was causing huge
problems, he said: "You could say that." Visitors to the Yard's reception
who had fixed appointments were told they couldn't be seen today because of
"internal communication problems". Staff at reception were unable to make
internal phone calls and unless visitors had the mobile phone numbers of
staff they were due to meet, they were told they would not be able to see
them. Other buildings in the area were also affected by the blackout.
London Ambulance said its 999 service was still operational but calls were
being handled on paper for about an hour and a half while the power was
disrupted. Scotland Yard has contingency plans to relocate its emergency
systems and senior officers in the event of a massive crisis such as a
terrorist attack. However, this did not happen this morning. Another
police source said: "This could come from the plot of a film. "One wonders
whether there is a massive criminal heist going on somewhere in London.
"The fact that someone can bring the building to a halt by cutting a single
cable is a little alarming. "I am sure there will be a few internal
inquiries about this."
Police chiefs told to explain blackout
5 June 2003
Police chiefs have been ordered to provide a full report into the power
failure which led to computers and telephones at Scotland Yard crashing for
more than seven hours. Toby Harris, chair of the Metropolitan Police
Authority, said there were "grave concerns" after an engineer blacked out
the HQ yesterday by accidentally cutting a single cable in the street. He
added it called into question the Met's ability to cope in a crisis.
Source: (London) Evening Standard - also covered in The Times et al.
Dave Austin <dave.austin@insight.co.uk> www.insight.co.uk
------------------------------
Date: Fri, 13 Jun 2003 09:14:12 -0400
From: "John Reinke" <reinke@att.net>
Subject: eBay fraud
Police in South Salt Lake, Utah, are working with eBay to determine just how
many people were victimized by what authorities say was one of the biggest
frauds in the auction site's history. Police arrested 31-year-old Russell
Dana Smith last weekend after hundreds of auction winners complained that
they sent $1,000 or more to a company named Liquidation Universe for laptop
computers they never received. Police say the firm appears to have raked in
$1 million from about 1,000 victims in just a few weeks. [...] [Source: Bob
Sullivan, MSNBC, Man arrested in huge eBay fraud; Buyers criticize auction
site's seller verification service]
http://www.msnbc.com/news/925433.asp?0dm=C12LT
[FJR: Guarantees are only as good as the guarantor. There ain't no free
lunch. When will people take security seriously?]
[This one is a long and ugly story. PGN]
------------------------------
Date: Tue, 10 Jun 2003 01:34:38 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Tiny tracking chips surface in retail use
Tom Pounds waved his overflowing grocery basket at the wall and offered a
glimpse of our shopping future. The coffee cans, razor blades, and other
items in his basket each carried a stowaway -- a tiny chip, the size of a
fleck of black pepper, coupled with an antenna. Each emitted a short burst
of identifying data that streamed via radio waves to a sensor on the wall.
[...] Within fractions of a second, a computer translated those received
signals onto a monitor as images of each product in the basket. [...] In
15 or 20 years, futurists predict, the pervasive RFID tags will link to
massive computer networks, enabling speedy checkout from the grocery store,
medicine cabinets that tell you when to take pills, and milk cartons that
inform your fridge when to add another gallon to the grocery list. [...]
[Source: Chris Gaither, Radio Frequency Identification Tiny tracking chips
surface in retail use Retail uses for ID chips surfacing, *The Boston
Globe*, 9 Jun 2003]
http://www.boston.com/dailyglobe2/160/business/
Tiny_tracking_chips_surface_in_retail_use+.shtml
------------------------------
Date: Tue, 17 Jun 2003 11:32:52 -0400
From: Steve Holzworth <sch@unx.sas.com>
Subject: Smart cellphone would spend your money
"A consortium of the world's top consumer electronics firms, mobile
networks and broadcasters are funding the development of cellphones that
will spend money on your behalf. The consortium, called Mobile VCE,
includes Nokia, Sony, Vodafone and the BBC. It might sound like a
bankruptcy waiting to happen, but software engineer Nick Jennings is
supremely confident the phones will not mess up anybody's life. [...]
The cellphone agents only offer help if triggered by a diary event or if a
definite pattern of behaviour, such as going to the movies every Friday,
has been established." [Source: New Scientist]
http://www.newscientist.com/news/news.jsp?id=ns99993818
[SCH - how many "supremely confident" software engineers have watched
as their rocket booster exploded, their online store got hacked, etc.?]
What mechanisms will be in place to dispute or refuse purchases that your
cellphone agent makes on your behalf? Be *sure* that you always want to go
to the movies every Friday...
I own a DirecTivo video recorder, which has a similar agent-like process
that automatically records "suggested" programs for you, based on analyzing
your previous viewing habits. I'm still often amused by some of the
"suggestions" it makes, which have no obvious relevance whatsoever to my
typical viewing habits.
I suppose that if your life runs on a rigid schedule, this might be useful.
My life certainly doesn't...
Steve Holzworth Senior Systems Developer SAS Institute - Open Systems R&D
VMS/MAC/UNIX, Cary, N.C. sch@unx.sas.com
------------------------------
Date: Fri, 6 Jun 2003 11:10:44 -0400
From: Jeremy Epstein <jeremy.epstein@webmethods.com>
Subject: Virginia grievance system online - with a slight problem
Virginia put its workplace grievance system online as a way of improving
responsiveness (the old system typically took a year to process), according
to *The Washington Post* Expected savings are $100,000/year, possibly more.
As a Virginia taxpayer, that's good.... every little bit helps.
[http://www.washingtonpost.com/wp-dyn/articles/A10481-2003Jun3.html]
"The system is secure from prying eyes, yet those who need to know a case
history can view an entire file by using the employee's Social Security
number." So... yet another new system that uses the employee's SSN as the
key. That's bad. [And we won't even get into how they know that "the
system is secure from prying eyes".]
------------------------------
Date: Fri, 13 Jun 2003 22:22:23 +0200
From: Giles Todd <g@todd.nu>
Subject: Sign someone up to be an organ donor!
Add anyone you like to the UK's NHS Organ Donor Register at:
https://www.uktransplant.org.uk/odronline/servlet/mydetailsservlet
Apart from trivial address validity checks, the sole attempt to ensure that
the person being signed up is really who he or she says he or she is is an
e-mail message sent to the e-mail address supplied.
Date: Fri, 13 Jun 2003 21:11:12 +0100 (BST)
From: odr@uktransplant.nhs.uk
Subject: I want to be a donor
Thank you for joining the NHS Organ Donor Register. Your new record will
now be downloaded directly to the register.
If you wish to amend the personal information held on the register at any
time you can do so through this website, or by contacting:
The Organ Donor Line (0845 60 60 400) between 7am and 11pm seven days a
week for a form, or by writing to:
The NHS Organ Donor Register, UK Transplant, PO Box 14, FREEPOST
Patchway, BRISTOL BS34 8ZZ UK
------------------------------
Date: Sat, 14 Jun 2003 13:35:54 -0400
From: Steve Bellovin <smb@research.att.com>
Subject: Continental Airlines check-in computer foul-up
This morning, I tried to check in for a Continental flight from Newark to
Seattle. But all of the self-service check-in kiosks and all of the
domestic check-in computers were down. It seems that they'd done a software
upgrade at 0200, and when things got busy the system died. One of the
customer service managers was muttering that they should have installed the
upgrade on a Sunday morning instead.
They told people to go upstairs to the International check-in area, which
hadn't been "upgraded". But they didn't allocate enough desks -- or enough
people from the non-functional domestic check-in -- to handle the crowd.
Nor, despite assurances from Customer Service, did they hold any flights.
The system wouldn't let me check in 10 minutes prior to flight time, of
course, which is reasonable under normal circumstances but not when their
own software has fouled things up. They also didn't have any priority
procedure for folks on earlier flights.
But it turns out that they did hold the flight, or so it seems -- checking
the Continental Web site when I got home, I found that my flight took off 25
minutes late.
In possibly-unrelated computer confusion, one of the arrival status monitors
at EWR was displaying the Internet Explorer "this page is not available"
screen, while one of the departure monitors was showing a typical Windows
desktop. Hmm -- looking at the pictures I took, I see that it has Winzip
installed....
Steve Bellovin, http://www.research.att.com/~smb
------------------------------
Date: Fri, 6 Jun 2003 12:49:02 -0700
From: greep <greep@mindspring.com>
Subject: Downloading data can turn your computer into a server
The Register reports
(<http://www.theregister.co.uk/content/6/31080.html>) that Joltid is
using "content distribution technology that utilises users' own PCs to
disseminate content for publishers." According to the article, when
someone loads content (such as software) using the Joltid system, the
computer loading the data then becomes a server for that same data.
There seem to be a number of potential risks to users of such a system:
They could held liable for "publishing" information over which they have no
control. This liability could include copyright and patent infringement.
If the content is found to contain viruses or material which is illegal, the
liability could be even more severe.
Bugs in the Joltid software could expose their personal files to the outside
world, even if their computers run no other server software.
Their own network throughput, or other computer resources, might be affected
by having their computers act as servers.
They may be subject to additional ISP charges for excessive outbound
traffic.
People who retrieve data from another customer's computer (not from the
original publisher) need to consider the possibility that the data has been
altered. The article does say: "All files are digitally signed to prevent
tampering, the company claims", but no details are provided.
------------------------------
Date: Sat, 14 Jun 2003 14:53:10 -0700
From: Crispin Cowan <crispin@immunix.com>
Subject: Re: U of Calgary to teach virus writing (Weaver, RISKS-22.76)
How is it that worms specifically, or malicious code in general, is a
legitimate area of research, but not a legitimate study topic for
students in a class? How are we to obtain more defensive experts such as
Weaver if we do not train young people in the area.
Techniques to write viruses and worms are evidently already very well known
in the black hat community, as evidenced by the proliferation of such
worms. It is only in the defensive community where ignorance is relatively
common, as evidenced by the naive defenses that are proposed over and over
again. In light of that, how is the suppression of malicious coding
techniques in the education system any different from the suppression of how
to sharpen a pointed stick with which to murder one's neighbor?
I'm sorry, but the cat is clearly out of the bag, and there is little
benefit in attempting to suppress knowledge of how to write a worm. IMHO,
all the hand-wringing over this course is badly misplaced.
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
Chief Scientist, Immunix http://immunix.com
http://www.immunix.com/shop/
------------------------------
Date: Fri, 13 Jun 2003 17:13:52 -0400 (EDT)
From: msb@vex.net (Mark Brader)
Subject: Computer bugs and believing reliable sources
Back in comp.risks 22.73, Monty Solomon quoted
<http://finance.lycos.com/home/news/story.asp?story=34131541>:
| Computer bugs have been around since malfunctions in a 1945
| [Harvard] Mark II were blamed (facetiously) on a moth trapped
| in a relay.
In fact, the malfunction in question *was* caused by the moth trapped in a
relay -- the facetious part was the association of this event with the
existing slang term for a problem, i.e. "bug". As
<http://americanhistory.si.edu/csr/comphist/objects/bug.htm> shows, the moth
was preserved along with the annotation, "First actual case of bug being
found". (Note the word "actual".)
Now that's not Risks-worthy, but I think the other error in the quoted
sentence is: the Lycos writer gave the date of the incident as 1945. As the
web page I just cited shows, the logbook with the moth now belongs to the
Smithsonian Institution's National Museum of American History, and *they*
say that the correct date is 1947. Since the illustrated page does not show
the year, I e-mailed info@si.edu to query the point. They replied to say
that 1947 is correct and that "The year does not appear on the page, but it
does appear elsewhere in the logbook."
Now try a google search for the phrase "first computer bug" and each of the
years 1945 and 1947. Go ahead, I'll wait... But here are the counts I get
when I do it.
"first computer bug" 1945 388
"first computer bug" 1947 140
Of course, some of these will be false hits -- the year being mentioned in
another context on the same web page -- but it's easy to see from the google
synopses that many of the 388 hits do give the wrong date. Among these are:
http://www.history.navy.mil/photos/images/h96000/h96566kc.htm
http://www.computer.org/history/development/1945.htm
and a *large* number of university sites. Obviously sources that you would
expect things to be right, aren't they? I even found one page (but I lost
it again, so no cite) that seems to show Grace Murray Hopper, who was part
of the group working on the computer, herself saying that the incident was
in 1945.
And it's actually even worse than the above numbers suggest. Of the 140
hits in the second (1947) search, many *are* false. If you search for the
phrase together with *both* years, there are 103 hits, and many of these are
pages that date the incident to 1945 and then mention 1947 in another
context.
Everyone learns quickly enough that you can't believe everything you
read on the Web. But in this case there are enough pages at enough
reliable-seeming sites that it's hard to believe that they're all
wrong -- and yet (unless my correspondent at the Smithsonian, where
the actual logbook is, was lying or mistaken) they are.
The difference between a 1945 and 1947 date for a minor piece of
etymological history is a trivial error to practically everyone. But the
next time you believe what you read, it might not be trivial.
(Of course this sort of problem can happen with non-Internet research
too. The Risks relevance is that Web searching makes it so much easier
to become very sure very fast...)
Mark Brader | "I'm a little worried about the bug-eater", she said.
Toronto | "We're embedded in bugs, have you noticed?"
msb@vex.net | -- Niven, "The Integral Trees"
------------------------------
Date: Mon, 16 Jun 2003 09:14:49 -0400
From: "Eric Greenberg" <eric@netframeworks.com>
Subject: Re: Slade's Review of Mission Critical Security Planner
My book titled Mission Critical Security Planner (Wiley, 2003), which
Slade has critiqued here, survived full scrutiny and review on
slashdot.org, a tough group of folks
http://books.slashdot.org/article.pl?sid=03/02/13/1515257
and has been reviewed by many reviewers, all of which have offered
nothing but praise. I encourage you to see the other reviews on
Amazon.com and elsewhere on the Internet.
http://www.amazon.com/exec/obidos/ASIN/0471211656
You might also visit the Mission Critical Security Planner companion
Web site, where you can download a free electronic copy of the
Chapter 1 and the free worksheets used in the book, at
http://www.CriticalSecurity.com
Judge my commitment to this book, supporting the readers, and security
planning in general, by that material and the Web site.
Eric Greenberg http://www.CriticalSecurity.com
http://www.amazon.com/exec/obidos/ASIN/0471211656
------------------------------
Date: 30 May 2003 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. Alternatively, via majordomo,
send e-mail requests to <risks-request@csl.sri.com> with one-line body
subscribe [OR unsubscribe]
which requires your ANSWERing confirmation to majordomo@CSL.sri.com .
If Majordomo balks when you send your accept, please forward to risks.
[If E-mail address differs from FROM: subscribe "other-address <x@y>" ;
this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
Lower-case only in address may get around a confirmation match glitch.
INFO [for unabridged version of RISKS information]
There seems to be an occasional glitch in the confirmation process, in which
case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
.UK users should contact <Lindsay.Marshall@newcastle.ac.uk>.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you NEVER send mail!
=> The INFO file (submissions, default disclaimers, archive sites,
copyright policy, PRIVACY digests, etc.) is also obtainable from
http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info
The full info file will appear now and then in future issues. *** All
contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES: http://www.sri.com/risks
http://www.risks.org redirects you to the Lindsay Marshall's Newcastle archive
http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]
Lindsay has also added to the Newcastle catless site a palmtop version
of the most recent RISKS issue and a WAP version that works for many but
not all telephones: http://catless.ncl.ac.uk/w/r
http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
http://www.csl.sri.com/illustrative.html for browsing,
http://www.csl.sri.com/illustrative.pdf or .ps for printing
------------------------------
End of RISKS-FORUM Digest 22.77
************************
