RISKS Forum mailing list archives

Risks Digest 21.68


From: RISKS List Owner <risko () csl sri com>
Date: Mon, 8 Oct 2001 12:55:47 PDT

RISKS-LIST: Risks-Forum Digest  Monday 8 October 2001  Volume 21 : Issue 68

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/21.68.html>
and by anonymous ftp at ftp.sri.com, cd risks .

  Contents:
Rocket plunges into Indian Ocean (PGN)
New interest in network security (NewsScan)
Another unitary transformation (Rodney Polkinghorne)
AOPA's TurboMedical(sm) eases medical application process (Richard Glover)
Ham radios in the aftermath of 11 September 2001 (Richard Murnane)
11 Sep 2001: Risks of electronic surveillance (Gisle Hannemyr)
Re: "The Risks Are Obvious" (Amos  Shapir)
Risks of bogus e-mail addresses "FROM: ObL" (Peter Wayner)
Remote control of airliners (Steve Bellovin)
Re: Oxygen tank kills MRI exam subject (Leonard X. Finegold)
MS Front Page 2002 Licence Agreement (Alistair McDonald)
Re: Creator of Kournikova virus gets 150 hours ... (Gene Berkowitz)
Re: Hacker re-writes Yahoo! (Mark Hull-Richter)
Trusted Computing, and Embedded and Hybrid Systems - new NSF programs 
  (Wm Randolph Franklin)
Computer Security Applications Conference + Advance Program (Jay Kahn)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 22 Sep 2001 09:01:03 -0700 (PDT)
From: "Peter G. Neumann" <neumann () CSL sri com>
Subject: Rocket plunges into Indian Ocean 

On 21 Sep 2001, a Taurus rocket went off-course 83 seconds after launch.
Carrying an Orbital Imaging satellite, a NASA ozone-monitoring QuikTOMS
satellite, and the cremated remains of 50 people ($5300 each), the rocket
failed to reach its intended altitude and velocity despite an attempted
correction, resulting in loss of the payloads.  NASA's share of the cost was
estimated at $50M.  It was the second Orbital Sciences rocket lost in less
than four months.  [Source: AP item in Newsday.com, 22 Sep 2001, PGN-ed]

------------------------------

Date: Tue, 02 Oct 2001 08:39:44 -0700
From: "NewsScan" <newsscan () newsscan com>
Subject: New interest in network security

Security companies are being deluged with business opportunities, and CEO
Peggy Weigle of the Internet security firm Sanctum explains, "Network
security used to be a necessary evil, but now it's a core value of
companies."  Doing security audits commissioned by 300 organizations, Weigle
found the results "scary" and said, "We could have stolen flight manifests,
personnel files, sensitive data... We could have easily gotten onto a flight
illegally."  Research firms Gartner and IDC predict that the network
security market in the U.S. will grow 20% to 24% a year between now and
2005.  [USA Today 2 Oct 2001; NewsScan Daily, 2 Oct 2001]
http://www.usatoday.com/life/cyber/tech/2001/10/2/network-security.htm

------------------------------

Date: Mon, 08 Oct 2001 10:14:17 +1000
From: Rodney Polkinghorne <rodneyp () raman physics uq edu au>
Subject: Another unitary transformation

Nature, the journal that told us about cold fusion, posts summaries of
recent physics papers at <http://www.nature.com/physics/>.  One of
these, "Bose, Einstein and chips," reads:

    On the atom chip, the magnetic potential minimum that confines
    the atoms is barely a millimetre or so wide, and it holds the 
    condensate an ultracold cloud of around 1,600 rubidium atoms 
    about 70-440 mm above the chip surface.

Or, as a read-source-ful scientist might discover:

    about 70&#150;440 <span class="symbol">m</span>m above the chip surface.

The online version of the article they are summarising [W. Hansel et al.,
Nature 413 p498 (2001)], gives the correct height of 70-440 micrometres.
The micro symbol is included in ISO 8859-1.

Unlike the ohm/watt confusion reported earlier (Rolph, RISKS-21.29 and
Peuhkuri, RISKS-21.33), millimetres and micrometres have the same
dimensions.  At least with SI you are always out by a factor of 1000 or
more, which readers of Nature should notice.  But given what you would have
to pay to see that page for yourself, you would think they could afford a
proof reader.

Rodney Polkinghorne
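
The failure described in this item, reproduced as an added example that is not part of the original post: text whose meaning depends on a Symbol-font span changes once the styling is dropped. It assumes `class="symbol"` selects a Symbol font; the mapping table and the function names are illustrative.

```python
from html.parser import HTMLParser

# Letters that display as Greek glyphs once a Symbol font is applied.
# "m" maps to the ISO 8859-1 micro sign mentioned in the post.
SYMBOL_TO_UNICODE = {"m": "\u00b5", "W": "\u03a9", "a": "\u03b1",
                     "b": "\u03b2", "l": "\u03bb", "D": "\u0394"}
VOID_TAGS = {"br", "hr", "img", "input", "meta", "link", "wbr"}

# The markup quoted in the post.
SAMPLE = 'about 70&#150;440 <span class="symbol">m</span>m above the chip surface.'


class SymbolAwareText(HTMLParser):
    """Collect visible text, optionally translating Symbol-font runs."""

    def __init__(self, repair):
        # convert_charrefs=True decodes &#150; the way browsers do (en dash).
        super().__init__(convert_charrefs=True)
        self.repair = repair
        self.open_elements = []   # one bool per open element: Symbol font?
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        classes = (dict(attrs).get("class") or "").split()
        self.open_elements.append("symbol" in classes)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.open_elements:
            self.open_elements.pop()

    def handle_data(self, data):
        # Inside a Symbol-font element, swap each letter for the glyph the
        # author intended; outside it, text passes through unchanged.
        if self.repair and any(self.open_elements):
            data = "".join(SYMBOL_TO_UNICODE.get(ch, ch) for ch in data)
        self.text.append(data)


def render(markup, repair):
    """Return the text a reader gets without (False) or with (True) the font."""
    parser = SymbolAwareText(repair)
    parser.feed(markup)
    parser.close()
    return "".join(parser.text)


def meaning_changes(markup):
    """List (as_stripped, as_intended) tokens that differ between renderings."""
    plain = render(markup, repair=False).split()
    fixed = render(markup, repair=True).split()
    return [(p, f) for p, f in zip(plain, fixed) if p != f]


if __name__ == "__main__":
    print(render(SAMPLE, repair=False))
    print(render(SAMPLE, repair=True))
    print(meaning_changes(SAMPLE))
```

Any pair returned by `meaning_changes` marks a place where the published text depends on a font rather than on the characters themselves.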

------------------------------

Date: Tue, 04 Sep 2001 09:50:24 -0700
From: Richard Glover <rglover () lunarpoodle com>
Subject: AOPA's TurboMedical(sm) eases medical application process

From: http://www.aopa.org/whatsnew/newsitems/2001/01-3-042.html

AOPA's TurboMedical(sm) eases medical application process, 24 Aug 2001

AOPA has launched a new, Web-based tool to help pilots prepare to obtain
their medical certificates. AOPA's TurboMedical(sm) is the first of a series
of "intelligent" online forms to come from AOPA.  Pilots who use
TurboMedical(sm) will be less likely to have FAA delay or deny the issuance of
their medical certificate.

"AOPA's Web site (www.aopa.org) offers more resources to pilots than any 
other aviation site on the Internet," said AOPA President Phil Boyer.
"TurboMedical(sm) is an innovative way to use the Web to remove some of the
uncertainty of applying for a medical."

The innovative online form "interviews" the pilot to ensure that all of the 
information on FAA's Form 8500-8 (application for an airman medical 
certificate or student pilot certificate) is filled in correctly.

TurboMedical(sm) checks the pilot's answers, and flags anything that might
cause problems in issuing a medical certificate.

"FAA's Aeromedical Certification Division is currently taking up to three 
months to review medical applications," said Gary Crump, AOPA director of 
medical certification. "Some 30 percent of those delays are caused by 
simple errors on the application form."

TurboMedical(sm) checks for those errors.

The online form takes pilots step-by-step through the 20 question areas on 
the medical application form. For each question, the form explains exactly 
what FAA is looking for and why it is asking the question. And there are 
links to AOPA's expansive online medical data for more information.

The form provides advice on the best way to answer each question. For 
example, TurboMedical(sm) tells a pilot that it is usually best to apply for
the lowest class of medical that you actually need. Under FAA regulations, 
even CFIs need just a Third-Class medical certificate to provide flight 
instruction for compensation, although employers may require a higher class 
of medical.

TurboMedical(sm) is particularly useful in helping the pilot answer the
medication, medical history and medical visit questions.

When a pilot answers the question, "Do you currently use any medications?" 
TurboMedical(sm) checks the answer against AOPA's list of FAA-accepted drugs.
For example, TurboMedical(sm) will tell a pilot that the popular
over-the-counter drug Benadryl is acceptable to FAA as long as the pilot 
waits 24 hours after taking it before flying.

But if the drug isn't on the list, TurboMedical(sm) will flag it and provide
links to more information. There is even a direct email link to AOPA's 
medical experts so the pilot can ask specific questions.

If a pilot answers "yes" to one of the medical history questions, 
TurboMedical(sm) will search for key words in the explanation to be able to
provide more information to the pilot.

A pilot can skip a question and return to it later. TurboMedical(sm) will
temporarily store the answers. A pilot can choose how long TurboMedical(sm)
will store the answers.

Once a pilot has completed all of the questions, TurboMedical(sm) will review
the form for completeness and accuracy. The pilot can then print out a copy
to take to the medical examiner's office. Pilots should also keep a copy in
their personal records.

"TurboMedical(sm) is an educational, self-help tool to help pilots prepare to
complete the medical form in the doctor's office," said Crump. "But for the
future, we're working on an 'FAA-approved' version of TurboMedical(sm) that
you can complete online and email to your FAA designated medical examiner 
prior to the examination."

The 375,000-member Aircraft Owners and Pilots Association is the world's 
largest civil aviation organization. More than one-half of the nation's 
pilots are AOPA members.

RISKS Comments:

1. I am no expert, but I question the assertion "All of a pilot's answers 
on the TurboMedical(sm) form remain absolutely confidential. No one but the 
pilot will ever have access to the medical information. Data is stored on a 
secured server and data transmissions are encrypted." We have been told 
*many times* in other contexts that certain medical data is confidential, 
but absent a doctor-patient relationship, I think this is generally a very 
tenuous assertion. I am pretty sure there is no doctor-patient relationship 
created with this form.

2. "[D]ata *transmissions* are encrypted...." (emphasis added) is not 
synonymous with "the data is encrypted." If the data is stored on a secure 
server without encryption, it is still readable by anyone with access to 
the machine. If the data is encrypted where it is stored, only the person 
(with well-publicized exceptions) with the "keys" can access it. There is a 
world of difference.

3. The data is stored on a secure server, but I really don't know what that 
means. I think my IRS data is on a "secured server," but how many stories 
do we see where that data has leaked out? Medical data is *far* more 
sensitive to release than financial data, and I am less concerned with 
interception in transit than I am with security breaches from the server 
where the data is.

4. If data is stored "on a secured server" for a specific period of time, 
what becomes of the routine backups made? Are they periodically destroyed? 
If not, this information is probably obtainable indefinitely.

5. Are the links to the medications database stored? If I check on a 
medication, is the fact I did so recorded? It probably is on my client, and 
I wonder what "cookies" are employed.

6. I have not used the system (nor am I likely to), but I wonder what 
"disclaimers" are associated with using it. This kind of information might 
fall under the Fair Credit Reporting Act (which can have a very broad 
reach), and a user might have to authorize far more than what is advertised.

The RISKS of this system far outweigh its usefulness. We need a machine to 
tell us how to fill out a form? If you have medical issues, you discuss 
them with your *doctor*, and he fills out a form. For a fee, of course, but 
I for one, am willing to pay a reasonable fee for privacy.

------------------------------

Date: Tue, 2 Oct 2001 11:25:10 +1000 
From: Richard Murnane <RichardM () AttacheSoftware com>
Subject: Ham radios in the aftermath of 11 September 2001

As others have noted, the terrorist attacks of 11th September caused major
disruption to land-line and cellular phone communications. What hasn't been
widely reported is that 570 Amateur (ham) Radio operators from 35 states and
two Canadian provinces provided auxiliary radio communications to relief
agencies operating in the affected areas.

The lesson is that even the most modern communications technology can fail,
and that there is still value in having an independent communications
infrastructure, especially when it costs the community little or nothing to
maintain it.

Richard Murnane, Australian Amateur Radio station VK2SKY

------------------------------

Date: Thu, 04 Oct 2001 12:34:35 +0200
From: Gisle Hannemyr <gisle () hannemyr no>
Subject: 11 Sep 2001: Risks of electronic surveillance

In the aftermath of the September 11 terrorist attacks on the USA, a special
feature on automatic electronic surveillance (i.e. Echelon, Carnivore, spy
satellites, and all that) was broadcast by the BBC (ClickOnline, hosted by
Stephen Cole, Sep. 22).

The feature included a lengthy interview with Dr. Kevin O'Brian of RAND
Europe about the failure of US intelligence to gather enough information to
pre-empt the attacks. Of particular interest to RISKS readers is the
following quote from Dr. O'Brian:

   "We've seen reports that they may have actually been spoofing or
    misdirecting intelligence services quite knowingly, and that they
    are aware of the fact that they could use the technology against
    the intelligence services by sending out false signals by sending
    out false reports and rumours, by using technology such as mobile
    phone communications or Internet messages to actually misdirect
    the intelligence services' gaze away from their attacks."

The risks are obvious: The over-reliance on massive computer-based automatic
systems for scanning and filtering that has characterised much of US
intelligence gathering in the post-Soviet era can only be effective as long
as the bad guys are not aware of what you are doing. The simple fact that
computer systems are rule-based (and AI-systems exceedingly so) permits
enemy agents to play clever counter-intelligence games, where plotting the
response to certain stimuli can be used to "map out" in detail how an
automatic surveillance system will respond to diverse inputs and hence
"learn" how to misdirect the system on a massive scale.

A human-based intelligence system, in particular a highly organized one,
is of course also vulnerable to this type of attack, but the rule-based
nature of an AI-based system makes the attack easier and more reliable.

- gisle hannemyr ( gisle () hannemyr no - http://hjem.sol.no/gisle/ ) 

------------------------------

Date: Thu, 20 Sep 2001 11:08:04 +0300
From: Amos  Shapir <amos () sela co il>
Subject: Re: "The Risks Are Obvious"

I first learned of the event by connecting to a local news site here, at
about 4 p.m. local time (which was 9 a.m. EDT).  At first try, the site was
down; when I finally got in and looked at the headline "Two Airliners crash
on NY's WTC" my first reaction (probably the result of reading too many
RISKS issues) was "they let their test page leak out as if it were real
news"...

It seems that this "this isn't happening" initial reaction was shared by
many, even some to whom this was actually happening.  This had never
happened before, and even though technically possible, the perceived risk of
its realization was considered unreal.

The main risk is, IMHO, of evaluating the relative costs and benefits of
preparing for an eventuality which, by our common sense, is very improbable;
while the perpetrators seem to be making their evaluations by a completely
different set of priorities and morals.  How do we apply "crazy logic" to
risk assessment?  When do we apply it, and how crazy can we get before
making the very notion of assessment senseless?

Amos Shapir, Sela Software Labs, Ltd.  14 Baruch Hirsch st., Bnei Brak
51202 ISRAEL  Tel: +972 3 6176037

------------------------------

Date: Wed, 3 Oct 2001 14:11:16 -0400
From: Peter Wayner <pcw () flyzone com>
Subject: Risks of bogus e-mail addresses "FROM: ObL"

Sincerely yours, *Not* Osama bin Laden?

A Filipino in Belgium ended up in jail after *receiving* a joke e-mail
seemingly from Osama bin Laden (but apparently from one of his friends),
asking to "stay with you for a couple of days."  The man was freed only
after a Catholic priest vouched for him as a regular attendee each Sunday.
[http://www.vnunet.com/News/1125822]

  Ah, there's nothing like putting faith in identity, keyword scanning 
  surveillance, and data stored in computers.

------------------------------

Date: Mon, 01 Oct 2001 22:25:03 -0400
From: Steve Bellovin <smb () research att com>
Subject: Remote control of airliners

The Associated Press reported on a test of a remotely-piloted 727.  The 
utility of such a scheme is clear, in the wake of the recent attacks; 
to the reporter's credit, the article spent most of its space 
discussing whether or not this would actually be an improvement.  The 
major focus of the doubters was on security:

        But other experts suggested privately that they would be
        more concerned about terrorists' ability to gain control
        of planes from the ground than to hijack them in the air.

I'm sure RISKS readers can think of many other concerns, including the
accuracy of the GPS system the tested scheme used for navigation (the
vulnerabilities of GPS were discussed recently in RISKS), and the
reliability of the computer programs that would manage such remote control.

------------------------------

Date: Mon, 1 Oct 2001 23:29:14 -0400
From: "Leonard X. Finegold" <L () drexel edu>
Subject: Re: Oxygen tank kills MRI exam subject (RISKS-21.67)

  [Leonard X. Finegold, Physics, Drexel University (3141 Chestnut Street)
  Philadelphia PA 19104 U.S.A.  (215) 895-2740 (allow 5 rings)]

Volume 345:1000-1001, 27 Sep 2001, Number 13
Preventable Deaths and Injuries during Magnetic Resonance Imaging

To the Editor: In July, a six-year-old child undergoing magnetic resonance
imaging (MRI) in New York suffered a skull fracture and intracranial
hemorrhage after an oxygen tank that had been brought into the room was
pulled into the machine at high speed. He died two days later [1].
Undetected or misplaced metal objects have caused numerous injuries during
MRI. Twenty-four of 46 MRI facilities responding to a survey in 1999 (52
percent) reported the occurrence of MRI-related accidents [2].  Large
objects involved in such incidents included an intravenous-drug pole, a
toolbox, a sandbag containing metal filings, a vacuum cleaner, mop buckets,
a defibrillator, and a wheelchair, among others. Five incidents involving
oxygen or nitrous oxide tanks, one of which caused facial fractures, have
recently been reported [3].

To prevent such incidents, most imaging facilities currently provide safety
training to employees and administer patients a standardized questionnaire
about implants and other embedded foreign bodies before an MRI examination
is performed. Although these efforts prevent many injuries, they are
inherently limited. System-wide strategies to decrease the incidence of
serious errors are important [4].  Safety interventions that work continuously
and automatically are generally far more effective than efforts to train
large numbers of employees or to enlist the assistance of large numbers of
patients.

The use of metal detectors over the doors of MRI examination rooms could
have prevented every one of the large metal objects listed above from being
brought into the MRI rooms and would have prevented the recent death in New
York. Highly sensitive walk-through metal detectors, such as those used in
airports, are available commercially for about $2,000 to $5,500 and require
minimal maintenance. By comparison, a typical MRI unit costs approximately
$1.3 million annually to operate and generates net revenues of $1.8 million
during use in more than 3000 patients, resulting in an annual net profit of
approximately $500,000 [5].  The cost of installing a metal detector could
thus easily be paid for with operating revenues. Factoring in liability
savings would further decrease real costs.

Metal detectors should not replace the screening protocols currently in use,
since the detectors may be insufficiently sensitive to detect small
implanted metal objects, such as aneurysm clips or cardiac pacemakers. Their
installation would, however, be an inexpensive, simple, and potentially
life-saving addition to current practice.

Christopher Landrigan, M.D., M.P.H. 
Children's Hospital, Boston, MA 02115
landrigan_c () hub tch harvard edu 

1. Chen DW. Boy, 6, dies of skull injury during M.R.I. The New York
   Times. July 31, 2001:B1, B5.

2. Chaljub G, vanSonnenberg E, Johnson RF Jr. Accidents and
   incidents in MRI: a questionnaire. AJR Am J Roentgenol
   1999;172:Suppl:14-14.

3. Chaljub G, Kramer LA, Johnson RF III, Johnson RF Jr, Singh H, Crow
   WN. Projectile cylinder accidents resulting from the presence of
   ferromagnetic nitrous oxide or oxygen tanks in the MR suite. AJR Am J
   Roentgenol 2001;177:27-30.

4. Kaushal R, Bates DW, Landrigan C, et al. Medication errors and adverse
   drug events in pediatric in-patients. JAMA 2001;285:2114-2120.

5. Evens RG, Evens RG Jr. Analysis of economics and use of MR imaging units
   in the United States in 1990. AJR Am J Roentgenol, 1991;157:603-607.

------------------------------

Date: Fri, 21 Sep 2001 09:58:22 +0100
From: Alistair McDonald <alistair () bacchusconsultancy com>
Subject: MS Front Page 2002 Licence Agreement

Slashdot http://slashdot.org/article.pl?sid=01/09/20/1443226 reports that
the latest MS Front Page licence agreement prevents you from creating any
anti-Microsoft Web content with it:

  "You may not use the Software in connection with any site that disparages
  Microsoft, MSN, MSNBC, Expedia, or their products or services ..."

I always click through licences these days, so I wouldn't have read it (not
that I'd install Front Page anyway), but what is the world coming to! Is
this legal in _your_ country?

Alistair McDonald       Bacchus Consultancy     www.bacchusconsultancy.com

  [UCITA (RISKS-21.27,45,41) seems to make this legal in those states in
  which UCITA has passed (at least Virginia and Maryland).  Incidentally,
  The Risks Forum tries to be an equal-disparager forum, but it is worth
  noting for the record that each issue is prepared using Gnu-emacs on
  Linux.  PGN]

------------------------------

Date: Tue, 02 Oct 2001 00:15:41 -0400
From: "Gene Berkowitz" <geneb () ma ultranet com>
Subject: Re: Creator of Kournikova virus gets 150 hours ... (RISKS-21.67)

  "... The American investigation service FBI reported an amount of $166.827
  in damages."  [Translation from Dutch]

Needless to say, I don't think the FBI calculated the damages to the nearest
tenth of a cent.  As is European custom, the period (.) is used as a thousands
separator, while the comma (,) is used as the decimal point.
So, is one hundred and sixty-six thousand dollars ($166,827) limited damage?

If so, Mr. De W.'s time is apparently worth over one thousand dollars per
hour...

--Gene Berkowitz

------------------------------

Date: Tue, 2 Oct 2001 11:56:13 -0700 
From: Mark Hull-Richter <Mark.Hull-Richter () quest com>
Subject: Re: Hacker re-writes Yahoo! (Stock, RISKS-21.67)

Respected news outlets?  Respected by whom?  And since when does Yahoo! rate?

RISK: Assuming that there is such a thing as a "respected news outlet" and
that the "news" presented has some resemblance to news (i.e., unbiased
information) instead of the usual propaganda.

P.S.: Remember, the "liberal press" myth is dead and buried.

Mark Hull-Richter, Senior Programmer, Quest Software

------------------------------

Date: Fri, 14 Sep 2001 16:05:21 -0400 
From: "Franklin, Wm Randolph" <wfrankli () nsf gov>
Subject: Trusted Computing, and Embedded and Hybrid Systems - new NSF programs

The Computer-Communications Research Division (C-CR) of the Computer and
Information Sciences and Engineering Directorate (CISE) of the US National
Science Foundation (NSF) is pleased to announce two new programs whose goal
is reducing the number of submissions to this valuable newsgroup,
comp.risks.  For each, the due date is 5 Dec 2001, and $4M-$6M may be
available to support 20-25 awards, subject to the usual caveats.

** Trusted Computing (TC), NSF 01-160,
http://www.nsf.gov/cgi-bin/getpub?nsf01160 

TC seeks to establish a sound scientific foundation and technological basis
for managing privacy and security in a world linked through computing and
communication technology. This research is necessary to build the secure and
reliable systems required for today's and tomorrow's highly interconnected,
information technology enabled society. The program funds innovative
research in all aspects of secure, reliable information systems, including
methods for assessing the trustworthiness of systems.

** Embedded and Hybrid Systems (EHS), NSF-01-161,
http://www.nsf.gov/pubs/2001/nsf01161/nsf01161.html 

Past research in embedded systems has focused primarily on
resource-impoverished computational environments: algorithms and software
that must execute on memory-, processing-, and power-constrained
processors. The computational design was simple and synchronous to maximize
effective operating rates, and a great deal of design effort went into
optimizing performance under these conditions. As processing speed and data
capacity have increased and demands for automation have expanded, the nature
of the problem has changed. Now, hard and soft real-time processes must
interact, and they may be required to share the same resources. Applications
such as distributed control demand communication, which introduces
variability in operation. A scientific foundation currently is lacking for
systematic development and integration of physical and computational
components in embedded systems. This lack is particularly severe for
increasingly complex, distributed embedded systems. Empirical reports show
that relying on brute-force testing for verification and validation of
software for modern embedded systems can push certification costs to at
least half the total cost of the software.  Scientific principles and
supporting technology are needed to assure that requirements are met during
development of software-based systems, in order to reduce the cost of
evaluating dependability and certifying that a system is fit for
operation. NSF investment is critical to sustain, adapt, and expand the
National research and development capacity in embedded systems.

I am your humble scribe for the programs' officers, who are:

* Dr. Helen Gill,  Program Director, CISE, C-CR, 1145, 
  1-703-202-8910, hgill () nsf gov

* Ms. Carmen Whitson, Associate Program Director, CISE, C-CR, 1145,
  1-703-292-8910, cwhitson () nsf gov

Please contact them for more info.

Wm Randolph Franklin, Program Director
Numeric, Symbolic, and Geometric Computation, CISE/C-CR. Room 1145
National Science Foundation, 4201 Wilson Blvd, Arlington VA  22230
  1-703-292-8912, fax: 703-292-9059  email: WFRANKLI () NSF GOV

Relevant due dates, FY02: Regular NSG: Nov 5.
Large ITR preproposals: Nov 9, Medium ITR: Nov 13, Small ITR: Feb 7.

------------------------------

Date: Sun, 30 Sep 2001 22:20:49 -0400
From: Jay Kahn <jkahn () mitre org>
Subject: Computer Security Applications Conference + Advance Program

17th ACSAC, 10-14 Dec 2001, New Orleans, Louisiana, USA.

The 17th ACSAC Committee is pleased to announce the availability of the
Advance Program for the 17th Annual Computer Security Applications
Conference (ACSAC) on our web site at http://www.acsac.org.  The Advance
Program is available in HTML for web viewing and also in PDF format for
downloading and printing.  If you need a hard copy of the Advance Program,
please send your name and mailing address to Publicity_Chair () acsac org, and
we'll mail you a copy.

------------------------------

Date: 12 Feb 2001 (LAST-MODIFIED)
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) 
 if possible and convenient for you.  Alternatively, via majordomo, 
 send e-mail requests to <risks-request () csl sri com> with one-line body
   subscribe [OR unsubscribe] 
 which requires your ANSWERing confirmation to majordomo () CSL sri com .  
 [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
 this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
 Lower-case only in address may get around a confirmation match glitch.
   INFO     [for unabridged version of RISKS information]
 There seems to be an occasional glitch in the confirmation process, in which
 case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
   .MIL users should contact <risks-request () pica army mil> (Dennis Rears).
   .UK users should contact <Lindsay.Marshall () newcastle ac uk>.
=> The INFO file (submissions, default disclaimers, archive sites, 
 copyright policy, PRIVACY digests, etc.) is also obtainable from
 http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues.  *** All 
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
 ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
 http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
   Lindsay Marshall has also added to the Newcastle catless site a 
   palmtop version of the most recent RISKS issue and a WAP version that
   works for many but not all telephones: http://catless.ncl.ac.uk/w/r
 http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
 http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    http://www.csl.sri.com/illustrative.html for browsing, 
    http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 21.68
************************

