Risks Digest 23.05

[RISKS List Owner <risko () csl sri com>]

RISKS-LIST: Risks-Forum Digest  Weds 3 December 2003  Volume 23 : Issue 05

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at http://www.risks.org as
  http://catless.ncl.ac.uk/Risks/23.05.html
The current issue can be found at
  http://www.csl.sri.com/users/risko/risks.txt

  Contents:
Two loose screws killed Disneyland rider (PGN)
US railroad uses Wi-Fi to run 'driverless' trains (Lars Kongshem)
Nuclear plan shut down by lightning strike (Fuzzy Gorilla)
Tanker Truck Shutdown Via Satellite (Fuzzy Gorilla)
Microsoft Windows, Auto Edition (Andrew Whitby)
What Bill Gates Says About Security (from InformIT) (Dawn Cohen)
Another large gas bill (Amos Shapir)
UK MoD scraps 120-million-pound computer project (Fuzzy Gorilla)
How Much Is Privacy Worth? (Monty Solomon)
Government e-mails apparently sent to hairdresser (Neil Youngman)
'Master' and 'slave' computer labels unacceptable, LA officials say
  (Henry Baker)
Security subtleties (identity withheld by request)
Man trapped for hours by payphone (Mark Brader)
Debian security breach and forensic analysis (Gerrit Muller)
Re: Security patching: a story from the trenches (Walter Dnes)
Dangerous looking e-mail from quickbooks (Kyle York)
Re: In-Security clearance (Peter H. Coffin)
Re: Amber Alert, Coming to the Inbox Nearest You (Timothy Knox)
Re: Cehck tihs out! (Rodney Hoffman)
ANNOUNCE: New mailing list for secure application development, SC-L 
  (Kenneth R. van Wyk)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 26 Nov 2003 15:17:15 -0800 (PST)
From: Peter G Neumann <neumann () CSL sri com>
Subject: Two loose screws killed Disneyland rider

Improper maintenance and inadequate operator training are being blamed for
the death of the rider of the Big Thunder Mountain Railroad roller coaster
at Disneyland on 5 Sep 2003.  The lead car lost its rear-wheel assembly and
hit the tunnel roof, causing the following passenger car to go underneath
it.  The train had just been returned to service after routine maintenance
three days earlier.  Unusual noises were noted on the first 12 trips of the
day, and operators had planned to take the train off line after the 13th
ride -- which never finished.  Subsequent analysis showed that two screws
had not been properly tightened.  [PGN-ed from cnn.com]
  http://www.cnn.com/2003/US/West/11/26/disneyland.accident.ap/index.html

------------------------------

Date: Fri, 21 Nov 2003 11:52:30 -0800
From: Lars Kongshem <lars.kongshem () kongshem com>
Subject: US railroad uses Wi-Fi to run 'driverless' trains

"The Burlington Northern and Santa Fe Railway Company (BNSF) has found a
novel use for Wi-Fi.  It has started using the wireless networking
technology to control trains remotely. BNSF locomotives carry freight across
the continental US.  However, it is using wireless technology to move units
around its rail yards....  (Drivers) operate a control panel that mirrors
what they'd see if they were sitting in the cab.  Their instructions are
relayed to each loco via the 'industrial strength' WLAN."

Given Wi-Fi's security problems, this novel use of 802.11 certainly gives a
new meaning to the word "loco"!

[Source: *The Register*, Nov 20 2003]
  http://www.theregister.co.uk/content/69/34101.html

Lars Kongshem, 2220 Taylor St. Suite D, San Francisco, CA 94133
1-415.606.5277 lars.kongshem () kongshem com + http://www.kongshem.com

  [Of course, if they were carrying fruit, it would be PLUM LOCO.  PGN]

------------------------------

Date: Sun, 16 Nov 2003 21:30:42 -0500
From: Fuzzy Gorilla <fuzzygorilla () SoftHome net>
Subject: Nuclear plan shut down by lightning strike

A 15 Sep 2003 lightning strike in Chester County, Pennsylvania, shut down a
pair of nuclear reactors 36 miles away at the Peach Bottom Atomic Power
Station.  Early that morning, lightning struck a PECO power line in East
Bradford Township, near West Chester.  A circuit breaker failed to isolate
the damaged power line, cutting off electricity to more than 100,000 PECO
customers and three PECO/Exelon plants -- Peach Bottom, Conowingo (Md.)
Hydroelectric Station and Muddy Run Pumped Storage Facility in Holtwood.
...  At least two complications occurred at Peach Bottom as the reactors
were shutting down, according to a preliminary report issued by the NRC.
One of four emergency generators failed, and a safety relief valve used to
control steam pressure initially stuck open.  The NRC has decided to
penalize Exelon because the September shutdown was the fourth at Unit 2 in
less than a year.

The reactor tripped off unexpectedly 21 Dec 2002, when a computer failure
caused steam isolation valves to close. On 21 Apr, the valves closed and
shut the reactor again because of instrument problems on an air line.  The
unit also was down from 22 Jul to 1 Aug because of generator problems.
[Source: Article by Rebecca J. Ritzel, (Lancaster) *Intelligencer Journal*,
date not available, but prior to 19 Nov, anticipating a public meeting of
Nuclear Regulatory Commission officials; PGN-ed, but URL no longer valid.]
http://www.yorkdispatch.com

------------------------------

Date: Sun, 16 Nov 2003 21:05:12 -0500
From: Fuzzy Gorilla <fuzzygorilla () SoftHome net>
Subject: Tanker Truck Shutdown Via Satellite

[The obvious RISKS -- when mandated by law, that a terrorist would be
unaware of the need to disable the system; and that no cracker would ever
find out the needed signal and shut down a truck for 'fun'; and that no GPS
or other systems failure might cause a truck to be shut down incorrectly by
law enforcement -- are probably obvious to any RISKS reader.]

Satellite Security Systems (S3), in cooperation with the California Highway
Patrol (CHP) and InterState Oil Company, dramatically demonstrated the first
wireless remote shutdown of a fully loaded moving petrochemical tanker
truck.  From S3's headquarters in San Diego (530 miles away), "satellite
communications were used to disable the truck in seconds, proving S3's
GlobalGuard and FleetGuard a viable solution to the challenge of controlling
rogue hazardous waste vehicles that could pose a threat to homeland
security."

While the California state government may be voting as early as January on
Assembly Bill (AB) 575 (requiring truck disabling devices, global
positioning or other "location reporting systems" on hazardous material
haulers), the CHP has been tasked with researching various technologies to
support these regulatory initiatives.  [PGN-ed from *SpaceDaily*, 4 Nov 2003]
  http://www.spacedaily.com/news/gps-03zn.html

------------------------------

Date: Tue, 2 Dec 2003 12:44:07 +1000 (GMT+1000)
From: Andrew Whitby <s358831 () student uq edu au>
Subject: Microsoft Windows, Auto Edition

The Associated Press reports:

  First Microsoft set out to put a computer in every home. Now the software
  giant hopes to put one in every vehicle, too.  "We'd like to have one of
  our operating systems in every car on Earth," said Dick Brass, the
  vice-president of Microsoft's automotive business unit. "It's a lofty
  goal."  Cars with the Microsoft software will speak up when it's time for
  an oil change. They'll warn drivers about wrecks on the road ahead and
  scout alternative routes. They will pay freeway tolls automatically. The
  software running their brakes will upgrade itself wirelessly.

I can see it now. "A security update is available for your braking system.
Press okay to begin installation."

Apparently the RISKS are not obvious to everyone.

------------------------------

Date: Mon, 17 Nov 2003 11:48:34 -0500
From: "Dawn Cohen" <COHEND () wyeth com>
Subject: What Bill Gates Says About Security (from InformIT)

InformIT, 13 Nov 2003: What Bill Gates Says About Security

"You don't need perfect code to avoid security problems. There are things
we're doing that are making code closer to perfect, in terms of tools and
security audits and things like that. But there are two other techniques:
one is called firewalling, and the other is called keeping the software up
to date. None of these problems (viruses and worms) happened to people who
did either one of those things. If you had your firewall set up the right
way * when I say firewall I include scanning E-mail and scanning file
transfer -- you wouldn't have had a problem.

"But did we have the tools that made that easy and automatic and that you
could really audit that you had done it? No. Microsoft in particular and the
industry in general didn't have it.  "The second is just the updating
thing. Anybody who kept their software up to date didn't run into any of
those problems, because the fixes preceded the exploit. Now the times
between when the vulnerability was published and when somebody has exploited
it, those have been going down, but in every case at this stage we've had
the fix out before the exploit."....  "Actually, all the forms of Unix (as
well as Linux) have had more vulnerabilities per line of code. They don't
propagate as much because they're not as dense as our system is, so the
things that prevent the propagation are particularly important for our
world."
  http://www.informit.com/content/index.asp
  ?product_id=3D%7BEF1DDC0F-F7BB-47F2-A1AC-00FCB4BCCC39%7D&111603

------------------------------

Date: Mon, 1 Dec 2003 13:31:32 +0200
From: amos083 () walla co il
Subject: Another large gas bill

Commenting on a complaint from a Mr Arthur Purdey about a large gas bill,
a spokesman for North Westgas said, "We agree it was rather high for the
time of year. It's possible Mr Purdey has been charged for the gas used up
during the explosion that destroyed his house."  (*The Daily Telegraph*)

------------------------------

Date: Sun, 16 Nov 2003 20:46:03 -0500
From: Fuzzy Gorilla <fuzzygorilla () SoftHome net>
Subject: UK MoD scraps 120-million-pound computer project

Sources: John Leyden, 6 Nov 2003, The Register,
  http://www.theregister.co.uk/content/7/33831.html
Sara Arnott, 5 Nov 2003,
  http://www.computing.co.uk/News/1147382
Also
  http://www.femail.co.uk/pages/standard/article.html
  ?in_article_id=201440&in_page_id=2

Britain's Ministry of Defence squandered 118 million pounds on a computer
system that was axed before ever being used.  The Defence Stores Management
Solution was designed to modernise the MoD's inventories of equipment.
(Hardware valued at 12.2 million pounds was salvaged and not included in the
118M figure.)  The system had been expected to save 650 million pounds in
its first ten years.  A report on the collapse of the project (begun in
1999) was released in mid-November.  Reasons given included "developments in
defence logistics" had rendered the project obsolete, but also indicated
management weaknesses at every level: "The MoD had no framework to assess
and manage deliverability once projects were launched; the DLO lacked
effective change management support and co-ordination; and the BCP suffered
from poor financial governance, weak benefits management, poor
communications and a failure to establish an effective programme management
organisation.  ... The review also noted weaknesses in the scrutiny and
approvals process.  Although BCP projects, including the DSMS, did not meet
the Department's requirements in important areas -- especially on
affordability and benefits management -- the projects were not rejected,"

------------------------------

Date: Wed, 3 Dec 2003 09:01:22 -0500
From: Monty Solomon <monty () roscom com>
Subject: How Much Is Privacy Worth?

The Supreme Court will hear oral arguments today over whether the federal
government should reimburse individuals whose sensitive data was disclosed
illegally, even if no harm can be proven.  The Privacy Act of 1974 prohibits
the government from disclosing private information intentionally, without
the individual's consent, and provides for a $1,000 minimum fine if the
individual is "adversely affected."  In the case, known as Doe v. Chao, the
Department of Labor distributed the Social Security number of a coal miner
who was appealing for black lung benefits.  Since 1969, the Labor Department
has used miners' Social Security numbers as their case numbers on documents
shared with coal companies, insurance companies and lawyers for all
sides. Those documents also were published in court filings that later ended
up in legal databases.  [Ryan Singel, wired.com, 3 Dec 2003; PGN-ed] 
  http://www.wired.com/news/privacy/0,1848,61439,00.html

------------------------------

Date: Sun, 16 Nov 2003 21:21:40 +0000
From: Neil Youngman <n.youngman () ntlworld com>
Subject: Government e-mails apparently sent to hairdresser

According to this BBC article, a hairdresser called Ronnie Campbell received
e-mails apparently intended for a Member of Parliament (MP), called Ronnie
Campbell. Usual RISKS apply.

http://news.bbc.co.uk/1/hi/uk/3267221.stm

------------------------------

Date: Thu, 27 Nov 2003 23:09:22 -0800
From: Henry Baker <hbaker1 () pipeline com>
Subject: 'Master' and 'slave' computer labels unacceptable, LA officials say

FYI -- In Tinseltown, bus 'slaves' must go to the end of the line...  This
gives a whole new meaning to 'PC' language.  Please update your cable labels.

Los Angeles officials have asked that manufacturers, suppliers, and
contractors stop using the terms "master" and "slave" on computer equipment,
saying such terms are unacceptable and offensive -- after someone had filed
a discrimination complaint with LA County's Office of Affirmative Action
Compliance.  "Based on the cultural diversity and sensitivity of Los Angeles
County, this is not an acceptable identification label," Joe Sandoval,
division manager of purchasing and contract services, said in a memo sent to
County vendors.  [PGN-ed from Reuters item]
  http://www.cnn.com/2003/TECH/ptech/11/26/master.term.reut

------------------------------

Date: Thu, 9 Jan 2003
From: [identity withheld by request]
Subject: Security subtleties

I work at a large institution which shall remain nameless.  I was recently
involved in the evaluation of a product from a company which I will call
Company X.  The product consists of a Linux server that is sealed in a way
that it is impossible to open the box without leaving evidence of tampering.
During the course of the normal operation of the product it was installed
behind our firewall, and it made copies of sensitive data accessible on our
intranet.

The loan agreement stipulated that before the box could be returned, our
sensitive data had to be deleted from the disks.  The box had a built-in
"self-destruct" feature that was supposed to accomplish this.
Unfortunately, self-destruct was a little too thorough: it not only erased
all the data, but it erased the operating system as well, leaving the box
unbootable.

The problem with this is no doubt immediately obvious to long-time Risks
readers: if the box is unbootable then we have no way of verifying that the
data is in fact gone.  For all we know, self-destruct only erases the boot
sector.

I raised this objection with representatives of Company X.  They suggested
that instead of running self-destruct that I use the standard Web-based
control interface to erase the data.  No, this wouldn't work either, I
explained, because again there is no way to verify that the data has
actually been erased.  For all we know, the only thing that is actually
erased is a symlink.

They suggested "running a big magnet over the box."  Same problem of course.

I pointed out that the only way for us to verify that the data was in fact
gone would be to examine the disk, which meant one way or another obtaining
either root or physical access.  They refused to allow this because (they
said) they were concerned about us stealing the software.

We went back and forth about this literally for months, and I was astonished
how hard it was for people to grasp the concept that just because you can't
see the data through an HTTP interface doesn't mean it's not there. We
finally arrived at the following compromise: Company X would send a
representative to our site where the rep would witness the invocation of the
self-destruct feature, after which we would open the box, remove the disks,
and install them on another machine where they could be examined and/or
further wiped.

The big day finally arrived, and we ran self-destruct according to the
directions.  Oddly, there was no indication when the process was finished.
We waited five minutes (the prescribed amount of time).  At that point the
company rep said he wanted to log in to the machine to make sure that it had
worked properly.  I was shocked, shocked! to discover that in fact
self-destruct seemed to have done absolutely nothing.  All the files were
still there, both our data and those of Company X.

At that point the rep typed "rm -rf /".  He then proceeded to open the box,
take out the disk (turned out there was only one), and give it to me.  He
then took the box (sans disk) with him and left.

This story is fraught with subtle ironies, not least of which is the amount
of trouble Company X went through to prevent us from stealing their
software, only to leave it with us in a pretty easily recoverable form (to
say nothing of the fact that in the interim we had actually purchased the
product, so if we wanted to open it up and steal their software nothing
would have prevented us from doing so).

But the most worrisome aspect of this story is that apparently, among many
dozens of customers who evaluated the product, I was the only one to raise
any security concerns.  Company X's attitude throughout the whole affair
was, essentially, "Gee, we never thought of that.  No one else ever
complained."  (And Company X has a reputation for technical savvy.)

So I'm off to go through Company X's dumpsters.  I expect to be able to
retire off what I find there.

------------------------------

Date: Tue, 18 Nov 2003 14:36:33 -0500 (EST)
From: msb () vex net (Mark Brader)
Subject: Man trapped for hours by payphone

A man in East St. Louis got his middle finger stuck in a payphone's
coin-return slot.  Fortunately, this also meant that when he realized
he needed to call 911, there was a payphone conveniently... *at hand*.
Eventually the phone was removed and taken, with the victim, to a
hospital emergency room where doctors managed to pry them apart.

See e.g. <http://www.guardian.co.uk/uslatest/story/0,1282,-3402400,00.html>.

  [This is known as giving him the finger back.  An overzealous knee-jerk
  response to this episode might be to get rid of the few payphones that
  remain.  PGN]

------------------------------

Date: Wed, 03 Dec 2003 12:41:24 +0100
From: Gerrit Muller <gerrit.muller () embeddedsystems nl>
Subject: Debian security breach and forensic analysis

The text below was send to me by Auke Jilderda. The original e-mail is
from the debian mailing list.

This is a very readable and interesting case description of an intrusion
of a software repository.

The Debian Project                                http://www.debian.org/
Debian Investigation Report                             press () debian org
December 2nd, 2003

Debian Investigation Report after Server Compromises

The Debian administration team and security experts are finally able to
pinpoint the method used to break-in into four project machines.  However,
the person who did this has not yet been uncovered.  The package archives
were not altered by the intruder.

The Debian administration and security teams have checked these archives
(security, us, non-us) quite early on in the investigation and
re-installation process.  That's why the project was able to open up the
security archive again and confirm that the stable update (3.0r2) wasn't
compromised.

 [Truncated for RISKS.  See <http://www.debian.org/> for the complete
 report.  PGN]

------------------------------

Date: Sat, 15 Nov 2003 16:49:17 -0500
From: Walter Dnes <waltdnes () waltdnes org>
Subject: Re: Security patching: a story from the trenches (Rex Black, R-23.03)

A more accurate subject would be "Risks of updating Internet-insecure
computers via the Internet".  Rex Black had a computer that was not secure
to connect to the Internet.  So he connected to the Internet in order to
download patches secure the computer; what's wrong with this picture ?
Browsing through my router logs, I see approximately 3 hits per minute on
port 135 today, i.e. approximately one every 20 seconds.  The Blaster patch
is 918576 bytes, which would take 3 minutes to download on a v90 dialup.  A
33.6 dialup will take approximately 4 minutes.  During this timespan he
would get 9 to 12 hits on port 135, and be COM-promised (sorry) long before
the download was complete.

This is prime example of why he needed yet another computer, preferably with
a different enough OS that it is not vulnerable at the same moment.  I
downloaded the Blaster patch from Microsoft's website using Mozilla Firebird
on a linux Machine.  A Mac running Safari would probably have worked just as
well.  The patch is small enough to fit on a floppy and could have been
moved to the laptop that way.

Even if the patch was too large for a floppy, he could've used another
computer to check Norton's and/or Microsoft's website, and find out which
ports to block to temporarily protect himself whilst downloading the patch.

So much for criticism, what solution do I offer?  I suggest a "safe mode"
Internet connection option be available for these situations.  It would
require stateful firewalling that would, by default, reject *ANY* packets
from IP addresses and ports that the machine had not initiated a connection
with.  Actually, it wouldn't be a bad idea for the average home user 100% of
the time.  The only holes normally necessary to allow in the firewall would
be for...

 * NETBEUI for other *LOCAL* machines; *NOT* including machines on the
   Internet side of the connection
 * Active-mode mode FTP initiates a second connection back to the
   client.  Stateful firewalling can handle this.

Other exceptions would be to allow file-sharing over a VPN.  If the
user feels *REALLY* confident and adventurous, allow external
connections for P2P applications.

------------------------------

Date: Wed, 19 Nov 2003 16:00:46 -0800
From: Kyle York <kyork () cisco com>
Subject: Dangerous looking e-mail from quickbooks

I just received an e-mail from quickbooks that my credit card information
was soon to expire and I should immediately call a toll-free number to
renew it. A quick look at the headers made me immediatly suspicious:

  Received: from mta1.primary.ddc.dartmail.net ([146.82.220.34])
     by **my machine** with esmtp (Exim 3.35 #1 (Debian))
     id 1ALnfP-0005xu-00
     for <**me**>; Mon, 17 Nov 2003 10:00:03 -0800
  X-MID: <Kilauea73191-16006-99081021-3 () flonetwork com>
  Date: Mon, 17 Nov 2003 13:01:21 -0500 (EST)
  Message-Id: <Kilauea73191-16006-99081021-3 () flonetwork com>
  From: QuickBooks Payroll Services 
  <quickbookspayrollservices () offers quickbooks com>
  To: **me**
  Subject: QuickBooks Critical Notice - Credit Card Expiration Reminder

Note the two relays, and how the From: line doesn't match the Message-Id.
Both flonetwork.com an ddartmail.net are aliases for doubleclick.net which
made me even more suspicious. In the body of the e-mail was a toll-free
number that doesn't appear anywhere on www.quickbooks.com.

It turns out this was legitimate e-mail, but given the number of scams how
many people would really pay attention if it wasn't?  And how many spam
filters would have kicked it out due to the problems noted?

------------------------------

Date: Fri, 28 Nov 2003 19:50:32 -0600
From: hellsop () ninehells com (Peter H. Coffin)
Subject: Re: In-Security clearance (RISKS-23.04)

I would be greatly interested to learn if this installer referenced by the
unknown submitter is the same "Netopsystems FEAD Recomposer" which is used
to package Adobe Acrobat Reader version 6. There are a nontrivial number of
reports (both on the web and on USENET) of the installer failing to work on
many Windows 2000 machines, usually with the same "hourglass then nothing
apparently has happened" symptoms, but has also various other reported
issues, such as leaking memory and creating CPU loops sufficient to require
hardware resets of the computers running the installer, in addition to more
trivial assumptions like listing Windows 2000 as supported but only actually
supporting Service Pack 2 of Windows 2000.

If it is this same installer, this would be extremely interesting for use as
an installer for a security clearance application submitter for the US. The
FEAD system is published by Netopsystems AG, Berlin, Germany.

http://www.netopsystems.com/site/english/fead_e.html

------------------------------

Date: Fri, 28 Nov 2003 15:55:54 -0800
From: Timothy Knox <tdk () thelbane com>
Subject: Re: Amber Alert, Coming to the Inbox Nearest You (Mercuri, R-23.04)

One other response, that I have used to some good effect, is to find the
hoax details on an urban legends website (I personally recommend
<http://www.snopes.com/>) and reply-to-all with the URL. It may not stop
them all (there are none so blind as those who will not see), but it does
help some. At least one person wrote me back, thanking me for pointing them
to the site.

------------------------------

Date: Fri, 28 Nov 2003 14:59:16 -0800
From: "Rodney Hoffman" <rodney () oxy edu>
Subject: Re: Cehck tihs out! (RISKS-22.91)

Matt Davis at Cambridge has posted a response to this:
   "Aoccdrnig to a rscheearch at Cmabrigde Uinervtisy, it deosn't
    mttaer in waht oredr the ltteers in a wrod are, ..."

See http://www.mrc-cbu.cam.ac.uk/~matt.davis/Cmabrigde/
where Davis says, "I've written this page, to try to explain the science
behind this meme. There are elements of truth in this, but also some things
which scientists studying the psychology of language (psycholinguists) know
to be incorrect. ... To my knowledge, there's no-one in Cambridge UK who is
currently doing research on this topic."
 
The page also includes samples in many other languages.

------------------------------

Date: Sun, 30 Nov 2003 16:22:57 -0500
From: "Kenneth R. van Wyk" <Ken () KRvW com>
Subject: ANNOUNCE: New mailing list for secure application development, SC-L

I would like to announce the availability of a new and free resource to the 
software security community, the SC-L e-mail discussion forum.  The moderated 
forum is open to the public.  The group's purpose is, "to further the state 
of the practice of developing secure software, by providing a free and open, 
objectively moderated, forum for the discussion of issues related to secure 
coding practices throughout a software development lifecycle process 
(including architecture, requirements and specifications, design, 
implementation, deployment, and operations)."  (The complete text of the 
group's charter, including its acceptable and unacceptable usage policies, 
can be found at http://www.securecoding.org/list/charter.php.)

To subscribe to the list, simply connect to http://www.securecoding.org/list 
and follow the directions on the form.  Submissions should be sent (by 
subscribers only) to sc-l () securecoding org.

Ken van Wyk, Moderator, SC-L mailing list  ken () securecoding org

------------------------------

Date: 7 Oct 2003 (LAST-MODIFIED)
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  Alternatively, via majordomo,
 send e-mail requests to <risks-request () csl sri com> with one-line body
   subscribe [OR unsubscribe]
 which requires your ANSWERing confirmation to majordomo () CSL sri com .
 If Majordomo balks when you send your accept, please forward to risks.
 [If E-mail address differs from FROM:  subscribe "other-address <x@y>" ;
 this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
 Lower-case only in address may get around a confirmation match glitch.
   INFO     [for unabridged version of RISKS information]
 There seems to be an occasional glitch in the confirmation process, in which
 case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
   .UK users should contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative 
 address from which you NEVER send mail!
=> The INFO file (submissions, default disclaimers, archive sites,
 copyright policy, PRIVACY digests, etc.) is also obtainable from
 http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues.  *** All
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NEW: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: http://www.sri.com/risks
 http://www.risks.org redirects you to the Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue]
   Lindsay has also added to the Newcastle catless site a palmtop version 
   of the most recent RISKS issue and a WAP version that works for many but 
   not all telephones: http://catless.ncl.ac.uk/w/r
 http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
 http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    http://www.csl.sri.com/illustrative.html for browsing,
    http://www.csl.sri.com/illustrative.pdf or .ps for printing

------------------------------

End of RISKS-FORUM Digest 23.05
************************