RISKS Forum mailing list archives

Risks Digest 22.62


From: RISKS List Owner <risko () csl sri com>
Date: Mon, 10 Mar 2003 14:51:59 PST

RISKS-LIST: Risks-Forum Digest  Monday 10 March 2003  Volume 22 : Issue 62

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at
  http://catless.ncl.ac.uk/Risks/22.62.html
and by anonymous ftp at ftp.sri.com, cd risks .

  Contents:
Identity mixup: NZ teacher identified as prostitute (Ruth Berry via Max Power)
The darkest side of ID theft (Bob Sullivan via Monty Solomon)
Wrong man arrested after identity theft (Neil Youngman)
Microsoft speaks, site goes dark (Joe Wilcox via Monty Solomon)
Computer crashes threaten hospital operations (Monty Solomon)
Toronto public health computer accidentally erases records (Chris Smith)
Inappropriate HMI on medical device (Erling Kristiansen)
Security firm shuttered by sabotage (Andrew Colley via Keith Rhodes)
Sendmail flaw tests Homeland Security (Robert Lemos via Monty Solomon)
Hackers access University of Texas database (Mike Swaim)
You might just be a hacker if... (Andrew Orlowski via Tim Finin)
Kevin Poulsen: Windows root kits a stealthy threat (Monty Solomon)
FirstUSA/BankOne sends login ID & PW as clear text (Ric Cohen)
Nigerian scams continue to thrive (Monty Solomon)
Traffic lights don't work in the snow (Bob Copeland)
Re: Computer error means 2.3-trillion-pound electricity bill (Michael Bacon)
Re: Someone protecting patient data well (Edwin Culver)
Re: BSA Accuses OpenOffice ftp sites of piracy (Fuzzy Gorilla)
Re: Visa moves to improve customers' privacy (Brett Glass, Margie Wylie)
New article on critical infrastructure risks (Fred Cohen)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 6 Mar 2003 18:14:45 -0800 (PST)
From: Max Power <mikehack () u washington edu>
Subject: Identity mixup: NZ teacher identified as prostitute

Michelle Garforth (Dunedin, NZ) applied to be registered as a teacher, after
finishing four years of training.  She was notified that she was "likely" to
be a prostitute convicted on four charges, including two assaults, based on
a computer match of her maiden name and birthdate.  Despite going to the
police and submitting to fingerprinting that demonstrated she was not the
person in question, she was not cleared until weeks later -- after her local
Member of Parliament had intervened.  [Source: Prostitute mix-up shocks
teacher, by Ruth Berry, 06 March 2003; PGN-ed]
  http://www.stuff.co.nz/stuff/0,2106,2309649a7694,00.html

------------------------------

Date: Mon, 10 Mar 2003 09:49:24 -0500
From: Monty Solomon <monty () roscom com>
Subject: The darkest side of ID theft

Malcolm Byrd was confronted at home by three Rock County, Wisconsin,
sheriff's officers with a warrant for Byrd's arrest for cocaine possession,
with intent to distribute.  He tried to tell them that he was a victim of
identity theft.  So, he was handcuffed and taken away.  Again!

"This is the worst-case scenario for identity theft victims.  Losing your
clean credit history is one thing; losing your freedom is another.  And
victims of America's fastest-growing crime are discovering they often have
much more to worry about than the hundreds of hours of paperwork necessary
to clean up the financial mess associated with ID theft.  Sometimes, they
have to worry about ending up in jail - again and again."  [Source: ... When
impostors are arrested, victims get criminal records, Bob Sullivan, MSNBC, 9
Mar 2003; PGN-ed]
  http://www.msnbc.com/news/877978.asp

------------------------------

Date: Sun, 9 Mar 2003 19:55:25 +0000
From: Neil Youngman <n.youngman () ntlworld com>
Subject: Wrong man arrested after identity theft

A British man was arrested in South Africa and held for 2 weeks on an FBI
warrant after his identity was stolen by a fraudster. He was only released
after the real suspect was picked up in the U.S.
  http://news.bbc.co.uk/1/hi/england/2806827.stm

------------------------------

Date: Sat, 8 Mar 2003 17:28:46 -0500
From: Monty Solomon <monty () roscom com>
Subject: Microsoft speaks, site goes dark

Microsoft speaks, site goes dark, by Joe Wilcox, CNET News.com, 7 Mar 2003

In an uncommonly harsh application of a widely used Internet enforcement
tool, a Windows news site was taken offline for nearly 24 hours this week
after Microsoft accused the site of infringing its copyrights.

Neowin was shut down late Thursday and came back online Friday afternoon.

Microsoft's Internet investigator sent a takedown notice on Tuesday,
alleging the site was infringing the company's copyrights relating to its
recently released Windows XP Peer-to-Peer Software Development Kit (SDK),
apparently due to a message posted by a reader in an online feedback forum.

Such legal filings are routine. But in this case, the request turned into a
nightmare for Neowin when it was sent not to the site but to the upstream
Internet service provider responsible for Neowin's Web connection. That
provider responded by pulling the entire site offline. Neowin declined to
name the ISP, but a traceroute on the Neowin.net address showed Williams
Communications Group, now known as WillTel Communications, as its furthest
upstream provider. Sources later confirmed that Microsoft contacted the
closer upstream provider, Hurricane Electric Internet Services of Fremont,
Calif.

Neowin and its Web host, Invision Power Services Hosting (IPS), blamed
Microsoft for the incident, saying the software giant gave them no chance to
fix the problem before referring it to the ISP for more draconian measures.
[...]

http://news.com.com/2100-1025-991624.html

------------------------------

Date: Sun, 9 Mar 2003 00:28:12 -0500
From: Monty Solomon <monty () roscom com>
Subject: Computer crashes threaten hospital operations

Beth Israel Deaconess Medical Center was paralyzed for four days by a
computer crash in November 2003.  Dr. Peter Kilbridge, an independent
consultant who reviewed the incident at Beth Israel at the request of the
*New England Journal of Medicine* editor, Dr. Jeffrey Drazen, said even if
hospitals have policies in place to encourage the appropriate use of
computers, those policies are often ignored.  [Source: Associated Press,
7 Mar 2003]
  http://www.boston.com/dailynews/066/region/Computer_crashes_threaten_hosp:.shtml

------------------------------

Date: Mon, 10 Mar 2003 08:52:26 -0500 (Eastern Standard Time)
From: Chris Smith <smith () interlog com>
Subject: Toronto public health computer accidentally erases records

As reported 10 Mar 2003 *Toronto Star*, GTA section, page B5:

  "Health records feared erased"

  A computer fault may have accidentally erased the immunization records of
  thousands of Toronto school children, the city's public health department
  fears.  Last April, the department discovered that its immunization
  records information system was erasing files from among 425,000 student
  records, Dr. Barbara Yaffe, associate medical officer of health, said.
  "It appears it was randomly erasing files - and we don't know how many,"
  Yaffe said.

  The department tried to get technical help from the provincial health
  ministry, but its technicians were among the 45,000 Ontario civil servants
  taking part in a 54-day strike last spring.

I suppose this is better than the traditional health info problem of
accidental privacy breaches, but not by much. The department will have to
contact parents to have them supply -- again -- the immunization status of
their children in the above cases.

This is especially important since failure to ensure appropriate
immunizations can possibly result in suspension of children from school.

Article is online at:
  http://thestar.ca/NASApp/cs/ContentServer?pagename=thestar/Layout/Article_PrintFriendly&c=Article&cid=1035778928098&call_pageid=968350130169

------------------------------

Date: Sat, 08 Mar 2003 20:38:46 +0100
From: Erling Kristiansen <erling.kristiansen () xs4all nl>
Subject: Inappropriate HMI on medical device

I spent some time in a hospital recently. The patient next to me, a woman in
her late seventies, was being treated with a suction pump to remove fluid
from an infected operation wound.

This pump was a very neat, portable, lightweight device that allowed the
patient to move around relatively freely. After a few days, the patient was
sent home. A short instruction course was given to her and her husband, who
was about the same age.

The next day, she was back. In tears and very depressed. Her husband did
not accompany her: He had had a nervous breakdown.

They had been unable to figure out how to operate the pump.

I did not want to interfere directly, but tried to figure out from
conversations, events and casual inspection what the HMI of the pump looked
like. It was a menu-driven interface with a small LCD display and at least 4
push-keys. Activating the pump seemed to require at least 4 key-pushes, as
did resetting the alarm that went off if the device was not operating
properly for more than a given time. As far as I could figure out, some of
the 4 steps actually went through menus that allowed the operating
parameters to be re-configured, so a real risk existed of accidentally
changing the setup.

A scenario that played out several times was: The patient wanted to go to
the bathroom at night; she disconnected mains power (switching from mains to
battery and back seemed to require operator intervention); after some 15
menus, the alarm went off; pushing any key seemed to reset the alarm, that
then went off again 15 minutes later. And so on. The poor lady was so
embarrassed keeping other patients awake that she even tried to wrap the
device in towels to subdue the alarm!  Most of the medical staff did not
know how to operate the pump, either, so much confusion ensued, often
resulting in a trial-and-error scenario.

My remarks:

- A medical device designed to be operated by patients, and in particular
elderly patients, should have a very clear separation between configuration
HMI and routine operation HMI. The configuration HMI should be lockable or
mechanically shielded to prevent accidental operation.

- The patient HMI should be as simple as at all possible, preferably a
single on/off or enable/disable switch and a very clear indication whether
the device is operating.

- Alarm handling, if needed, should be simple and clear. In particular,
reacting to an alarm, it should be immediately obvious whether the alarm
condition had been solved or persisted. A design where the alarm is reset,
just to re-appear after a time-out, because the underlying cause was not
resolved, is confusing.

- Switching between mains and battery power should be fully transparent to
the user.

------------------------------

Date: Tue, 4 Mar 2003 04:09:21 -0800 (PST)
From: Keith Rhodes <rhodesk () gao gov>
Subject: Security firm shuttered by sabotage

The enemy could be sitting next to you.  An Australian security firm was
forced to close due to a major internal security breach -- reportedly caused
by a disgruntled employee.  [Andrew Colley, ZDNet Australia, 3 Mar 2003]
  http://zdnet.com.com/2100-1105-990747.html

------------------------------

Date: Wed, 5 Mar 2003 16:19:31 -0500
From: Monty Solomon <monty () roscom com>
Subject: Sendmail flaw tests Homeland Security

A critical flaw in Sendmail, the Internet's most popular e-mail server, has
become the first test for the newly minted Department of Homeland Security
and its cyberdefense arm.  The agency's Directorate of Information Analysis
and Infrastructure Protection (IAIP) worked with security company Internet
Security Systems, which discovered the flaw, and Sendmail Inc. to create a
patch while keeping news of the issue from leaking to those who might
exploit the vulnerability.  "Working with the private sector, we alerted key
owners of the vulnerable software and got them talking," said David Wray,
spokesman for the IAIP Directorate. "We think this is a great example of how
this should, and does, work."

Word of the vulnerability, which would let an attacker take control of a
Sendmail server and execute a malicious program, was more widely
disseminated Monday.  The Department of Homeland Security got high marks
from the security community for giving companies the necessary time to
create the patch and for synchronizing its release.  [...]

Robert Lemos, CNET News.com, 3 Mar 2003
  http://news.com.com/2100-1009-990879.html

------------------------------

Date: Thu, 06 Mar 2003 21:09:04 -0600
From: Mike Swaim <swaim () hal-pc org>
Subject: Hackers access University of Texas database

According to the *Houston Chronicle*, hackers were able to obtain
information, including Social Security numbers on 59,000 former and current
students, staff and faculty members between 26 Feb and 1 Mar 2003.  "The
theft was discovered Sunday evening by university computer systems employees
performing routine maintenance, Updegrove said. They immediately
disconnected the compromised database from the Internet, later hooking up a
database of useless information.  Computer logs indicate the information was
taken by a computer in Austin on Wednesday, Thursday and Friday last week
and by a computer in Houston on Saturday and Sunday, Updegrove said. He said
the intrusions were likely done by the same person or persons, he added."
The obvious risk is having a production system directly accessible from the
Internet.
  http://www.chron.com/cs/CDA/ssistory.mpl/front/1806724

  [Also noted by David Newman from the *Austin American-Statesman*:
    http://www.austin360.com/aas/metro/030603/0306uthack.html
    http://www.austin360.com/aas/metro/030603/0306uthack_update.html
  citing 55,200 SSN/Name pairs; David added
    "I admire the willingness of the VP to admit to a failure in his 
    department. His honesty is refreshing in the Age of the Lawyers."
  Also noted by Fuzzy Gorilla from the same news account, from slashdot:
    http://slashdot.org/articles/03/03/06/1720224.shtml
  which again used the 59,000 number.  PGN]

------------------------------

Date: Mon, 10 Mar 2003 01:30:25 -0500
From: Tim Finin <finin () cs umbc edu>
Subject: You might just be a hacker if...

... you vote the wrong way in Senate Majority Frist's poll.  That 60% of the
Internet voters were against a pre-emptive invasion of Iraq doesn't seem
like evidence of hacking. Frist's site claimed that only one vote per person
was counted. I assume they had implemented a trivial "One IP address, one
vote" check, which, while subject to subversion, was probably more ok than
not.

  Senate Leader scraps Web site war poll, blaming hackers
  Andrew Orlowski, 7 Mar 2003
  http://www.theregister.co.uk/content/55/29654.html

Senate majority leader Bill Frist has yanked a "Bomb Iraq" poll from his Web
site.

Frist's office told The Register that "tampering" was to blame for the
removal of the poll, which asked "Should the United States use force to
remove Saddam Hussein from power? Your opinion is important to Senator
Frist."

"Clever computer programmers created a program that generated 8,700
votes in a day," a spokesperson told us. Which is where the mystery
really begins.

The spokesperson couldn't say whether the software was running inside
the firewall, representing a major breach of the Senate IT security,
or was a robot-style vote generator run by netizens.

The curious thing is that Frist's poll page already banned robots -
including the Wayback Machine, archive.org - from the
site. Respondents could vote once and then return to the site later to
change their vote; only the latest response would be counted.

"As you know government computers are constantly being attacked by
hackers," he suggested.

Nor could Frist's office explain why the Web site administrators simply
didn't exclude the votes they didn't want to count - Florida-style.

One correspondent has noted the increasing tally of No votes:-

"At 1:35 pm Washington DC time on March 6, the Frist site reported
31,118 responses to the war poll. Anti-war respondents (55%) had
gained a clear majority over pro-war respondents (44.6%). (These
figures do not quite add up to 100%, apparently because of the
rounding method used by Senator Frist's staff.)

"Within the hour, at 2:23 pm, the anti-war fever had risen, with 56.9%
anti-war, 42.9% pro-war. By 4:29 pm, according to a snapshot of the Frist
site, with 37,742 total responses, the anti-war vote registered
59.5%, with the pro-war vote ebbing at 39.8%."

The Senate site has been defaced before. Whether this represents a new
and more serious breach - as Frist's office suggests - we don't know.

But our enquiries continue.

------------------------------

Date: Mon, 10 Mar 2003 09:16:00 -0500
From: Monty Solomon <monty () roscom com>
Subject: Kevin Poulsen: Windows root kits a stealthy threat

Hackers are using vastly more sophisticated techniques to secretly control
the machines they've cracked, and experts say it's just the beginning.

By Kevin Poulsen, SecurityFocus Mar 5 2003 5:12AM

Barron Mertens admits to being puzzled last January when a cluster of
Windows 2000 servers he runs at an Ontario university began crashing at
random. The only clue to the cause was an identical epitaph carved into each
Blue Screen of Death, a message pointing the blame at a system component
called "ierk8243.sys." He hadn't heard of it, and when he contacted
Microsoft, he found they hadn't either. "We were pretty baffled," Mertens
recalls. "I don't think that cluster had bluescreened since it was put into
production two years ago."

Mertens didn't know it at the time, but the university network had been
compromised, and the mysterious crashes were actually a lucky break -- they
gave away the presence of an until-then unknown tool that can render an
intruder nearly undetectable on a hacked system.  Now dubbed "Slanret",
"IERK," and "Backdoor-ALI" by anti-virus vendors, experts say the tool is a
rare example of a Windows "root kit" -- an assembly of programs that
subverts the Windows operating system at the lowest levels, and, once in
place, cannot be detected by conventional means.  [...]
  http://www.securityfocus.com/news/2879

------------------------------

Date: Thu, 6 Mar 2003 22:20:08 -0700
From: Ric Cohen <cohen () aros net>
Subject: FirstUSA/BankOne sends login ID & PW as clear text

This afternoon, I attempted to review my credit card account by logging in
at: http://cardmemberservices.firstusa.com/index.jsp as I have for several
years.  My security software stopped the login and warned me that the Web
page was attempting to send my password as clear text. I phoned the number
on the Web page to report this, and eventually got to a low level
tech. After he said that no one in the company had changed the Web page
software for a long time, I pointed out this implied the Web site was
hacked. He said he would report the problem.  After an hour, I concluded
that this person didn't appreciate the fact that a hacker reading the login
information would also have access to credit card numbers.  I attempted to
access the same Web site, and was redirected to:
http://online.firstusa.com/bolHOME.aspx 
-- which presented a Web page identical to that on the first Web site.  The
same problem appeared when I attempted to login.

The problem centers upon a risk I have wondered about for years. None of
BankOne's (or its subsidiaries') login Web pages begin on a secure https
page. They require you to enter your user ID and password on an insecure
http page, and this information is supposed to be encrypted immediately
prior to submission. They even have a friendly 'security help' page which
describes how this *should* work without problem.  I never trusted this
approach which is used on several Web sites, and that is why I use software
which monitors for passwords.

Because my software always stopped the login process as the password was
about to be sent, I decided to experiment.  I chose a nonsense login ID and
password, and set my software to look for them both (but allow them to be
sent to FirstUSA).  What I observed was both the ID and password text being
sent several times by TCP port 80, to the bank's IP 159.53.21.247.  Only
then, did the Web page change to a secure page using port 443, and tell me
that it did not know me.

After this happened, I called a local bank branch just before closing time,
described the problem, and got a phone number for the 'Office of the
Chairman'.  I talked with someone who seemed intelligent, who seemed to
understand that credit card numbers could be stolen if someone were to make
use of customers' login information, and who seemed to agree that the
Web site should be shut down.  However, 6 hours later, I write this as the
Web site is still (dys)functioning as before.

The last time I logged into FirstUSA was Feb. 27 (without a problem).
Somewhere between then and today, their Web site was altered and who knows
what problems will eventually come of this.  FWIW, I attempted earlier to
login at http://www.bankone.com with my nonsense ID and PW.  They were
encrypted properly, and nothing at all was sent clear text. I have not
tried their other subsidiary's Web sites.

  [Added by Ric 7 Mar 2003:]

There is now a new Web site that requires login in a secure environment:
  https://online.firstusa.com/bank/bolLogin.aspx
However, the same Web site mentioned in the last note (which has existed for
years) still exists today and continues to transmit user login info as
clear text.
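
The check below is an added example, not code from the bank or from the contributor, for the situation this note describes: a form with a password field living on an http page. It audits a fetched login page on two counts, whether the form's resolved action URL is https (otherwise the credentials travel in clear text, as observed on port 80 above), and whether the page itself came over https (a form, or the script meant to encrypt the fields before submission, delivered over plain http can be altered in transit, whatever the action says). The hostnames and HTML are constructed placeholders, not the bank's real pages.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Added example: audits a login page for clear-text credential submission.
# Not the bank's code; sample pages below are constructed.


class _FormCollector(HTMLParser):
    """Record every <form> on the page and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []       # one dict per form: {"action": str, "has_password": bool}
        self._current = None  # the form whose tags we are currently inside

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # An <input> without a type attribute defaults to text.
            if (attrs.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return a list of findings; an empty list means no clear-text exposure found."""
    collector = _FormCollector()
    collector.feed(html)
    findings = []
    password_forms = [f for f in collector.forms if f["has_password"]]
    for form in password_forms:
        # A relative or empty action resolves against the page URL, so an http
        # page with action="/login" posts over http.
        action = urljoin(page_url, form["action"])
        scheme = urlsplit(action).scheme.lower()
        if scheme != "https":
            findings.append(f"password form posts over {scheme} to {action}")
    if password_forms and urlsplit(page_url).scheme.lower() != "https":
        findings.append(f"login form served over plain http from {page_url}")
    return findings


# Constructed sample pages; the hostnames are placeholders, not the bank's sites.
INSECURE_URL = "http://cards.example.test/index.jsp"
INSECURE_HTML = """<form method="post" action="/bolLogin.aspx">
  <input type="text" name="userid"><input type="password" name="pw">
  <input type="submit" value="Log in"></form>"""

# The pattern the note describes: an http page whose form targets an https URL.
MIXED_URL = "http://cards.example.test/index.jsp"
MIXED_HTML = """<form method="post" action="https://cards.example.test/bolLogin.aspx">
  <input name="userid"><input type="password" name="pw"></form>"""

# Login that begins on an https page and posts to https.
SECURE_URL = "https://cards.example.test/bolLogin.aspx"
SECURE_HTML = """<form method="post" action="https://cards.example.test/bolLogin.aspx">
  <input name="userid"><input type="password" name="pw"></form>"""

if __name__ == "__main__":
    for name, url, html in [("insecure", INSECURE_URL, INSECURE_HTML),
                            ("mixed", MIXED_URL, MIXED_HTML),
                            ("secure", SECURE_URL, SECURE_HTML)]:
        print(name, audit_login_page(url, html) or ["ok"])
```

Run against a saved copy of a login page together with the URL it was fetched from; the "mixed" case is the one a naive check misses, since the action URL looks fine but the page carrying it was never protected.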

------------------------------

Date: Sun, 9 Mar 2003 14:56:37 -0500
From: Monty Solomon <monty () roscom com>
Subject: Nigerian scams continue to thrive

Cashier's checks, Iraqi plea add two new flavors to old story
By Bob Sullivan, MSNBC, 5 Mar 2003

Two new flavors of the age-old Nigerian e-mail scam are making the rounds,
and at least one of them appears to be gaining traction. Hundreds of victims
have recently fallen for a variation that plays upon people's
misunderstanding about how bank cashier's checks work. Meanwhile, other
scammers are trying to take advantage of heightened interest in Iraq, posing
as frightened Iraqis trying to move money out of that country before
hostilities begin. The scam also took a deadly turn last month, when a
victim in the Czech Republic allegedly shot and killed a Nigerian diplomat
after losing his life savings to the scam.  [...]
  http://www.msnbc.com/news/881169.asp

------------------------------

Date: Mon, 3 Mar 2003 21:43:03 -0500
From: Bob Copeland <bobc () ieee org>
Subject: Traffic lights don't work in the snow

In my area, northern Virginia, nearly every intersection is outfitted
with inductance loops -- sensors for detecting when a large metal 
object (often, a car) sidles up to a traffic light.  Ideally, this is
so it turns green more quickly for you, but of course in practice, 
it usually turns green more quickly for the other guy.  Most of these 
intersections operate in normal turn-based fashion but speed up or slow 
down when cars are present.  

However, at least one such light refuses to turn green unless there is 
a car present.  Recently, a 24 inch snowfall and a snow plow conspired
to bury the sensor at that light under a mountain of ice, so when I 
approached it last weekend, the car ahead of me and I had to stop in the 
left turn lane.  After sitting at red for 2 cycles, we gave up and ran 
it.  One more risk of driving in the snow!

------------------------------

Date: Sat, 8 Mar 2003 05:40:15 -0000
From: michael_bacon () synigystic com
Subject: Re: Computer error means 2.3-trillion-pound electricity bill
  (RISKS-22.61)

Two things in particular surprise me about this.  The first is that
apparently someone designed a system that would accommodate a consumer bill
reaching into the trillions of pounds.  The second is that there were
seemingly no validity (or common sense if the letter was hand-typed) checks
that detected a consumer bill many times the UK National Debt!

Of course this could be the same sort of "clerical error" that led Civil
Servants recently to claim that they had frozen a 'Bin Laden' bank account
containing £23.19 million.  The true figure was just 23 pounds and 19
pence!
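
As an added illustration (not the utility's code, and not part of the original message) of the validity check the reply says was missing, the function below holds a bill for manual review when it exceeds an absolute cap or is out of proportion to the customer's own billing history. The cap and multiplier are hypothetical values chosen for the example; a real billing system would set them from its tariffs.

```python
from statistics import median

# Hypothetical limits for the example; tune to real tariffs before use.
ABSOLUTE_CAP_GBP = 1_000_000.00   # no domestic bill can legitimately reach this
HISTORY_MULTIPLIER = 10.0         # hold anything over 10x the customer's usual bill


def check_bill(amount_gbp, previous_bills_gbp):
    """Return the reasons a bill should be held for review (empty list = release).

    Two checks are combined: a fixed upper bound that catches absurd values such
    as a trillion-pound bill, and a per-customer bound that catches a bill that
    is merely large relative to what that customer normally pays (a misplaced
    decimal point, a mistyped meter reading).
    """
    reasons = []
    if amount_gbp < 0:
        reasons.append("negative amount")
    if amount_gbp > ABSOLUTE_CAP_GBP:
        reasons.append(f"amount {amount_gbp:,.2f} exceeds absolute cap {ABSOLUTE_CAP_GBP:,.2f}")
    if previous_bills_gbp:
        # Median rather than mean so that one earlier bad bill cannot raise the baseline.
        typical = median(previous_bills_gbp)
        if typical > 0 and amount_gbp > HISTORY_MULTIPLIER * typical:
            reasons.append(f"amount is {amount_gbp / typical:,.0f}x the customer's median bill of {typical:,.2f}")
    return reasons


if __name__ == "__main__":
    history = [80.0, 95.0, 110.0]          # constructed quarterly bills for one customer
    for amount in (102.50, 2_319.00, 2.3e12):
        print(f"{amount:>20,.2f}", check_bill(amount, history) or "release")
```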

------------------------------

Date: Fri, 07 Mar 2003 13:27:27 -0500
From: Edwin Culver <emculver () snet net>
Subject: Re: Someone protecting patient data well (RISKS-22.60)

In a similar story to Dr O'Keefe's:

When I was working in the aerospace industry, the method we had chosen for
making sure magnetic media no longer contained classified data was very
simple: remove the platters from the disk drives (or the floppies from their
sleeves or the tape from its reel) and sand blast the magnetic coating off.
We all thought this was a mite drastic, as a degausser should scramble all
the bits.

Sandblasting may be more subtle than the sysadmin at his university's
medical research group, but probably quite as effective.

The mistake was trying to recover the residual value of the disk drives.

------------------------------

Date: Thu, 06 Mar 2003 17:19:41 -0500
From: "Fuzzy Gorilla" <fuzzygorilla () euroseek com>
Subject: Re: BSA Accuses OpenOffice ftp sites of piracy (RISKS-22.61)

Unfortunately, they are not claiming, under penalty of perjury, that the
notification is accurate, only that they are authorized to "act in this
matter on behalf of the copyright owners listed above. [Microsoft]"

Basically, they cannot legally act on behalf of someone who has not given
them that authority.

------------------------------

Date: Thu, 06 Mar 2003 13:29:44 -0700
From: Brett Glass <brett () lariat org>
Subject: Re: Visa moves to improve customers' privacy (RISKS-22.61)

[Blanking out part of the credit-card number and the expiration date] has
already been the law in California for more than a year.  It would actually
cost them more not to have a uniform policy nationwide.

------------------------------

Date: Thu, 06 Mar 2003 12:51:00 -0800
From: Margie Wylie <mwylie () earthlink net>
Subject: Re: Visa moves to improve customers' privacy (RISKS-22.61)

[...] Many businesses are already complying, but the final deadline for
implementing the change is Jan. 1, 2004.
  http://www.bankrate.com/brm/news/cc/20010129a.asp

------------------------------

Date: Thu, 6 Mar 2003 18:34:23 -0800 (PST)
From: Fred Cohen <fc () all net>
Subject: New article on critical infrastructure risks

Your readers may be interested in:
http://all.net/
        => InfoSec Baseline Studies 
                => Cyber-Risks and Critical Infrastructures 

Fred Cohen - http://all.net/  fc () all net  fc () unhca com tel/fax: 925-454-0171
Fred Cohen & Associates - University of New Haven - Security Posture

------------------------------

Date: 29 Mar 2002 (LAST-MODIFIED)
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  Alternatively, via majordomo,
 send e-mail requests to <risks-request () csl sri com> with one-line body
   subscribe [OR unsubscribe]
 which requires your ANSWERing confirmation to majordomo () CSL sri com .
 If Majordomo balks when you send your accept, please forward to risks.
 [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
 this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
 Lower-case only in address may get around a confirmation match glitch.
   INFO     [for unabridged version of RISKS information]
 There seems to be an occasional glitch in the confirmation process, in which
 case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
   .UK users should contact <Lindsay.Marshall () newcastle ac uk>.
=> The INFO file (submissions, default disclaimers, archive sites,
 copyright policy, PRIVACY digests, etc.) is also obtainable from
 http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues.  *** All
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
 ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 21" for volume 21]
 http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
   Lindsay Marshall has also added to the Newcastle catless site a
   palmtop version of the most recent RISKS issue and a WAP version that
   works for many but not all telephones: http://catless.ncl.ac.uk/w/r
 http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
 http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    http://www.csl.sri.com/illustrative.html for browsing,
    http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 22.62
************************

