Risks Digest 20.85

From risks@csl.sri.com
Date Fri, 24 Mar 2000 16:42:39 -0800 (PST)

[: hacktivism :]

RISKS-LIST: Risks-Forum Digest  Friday 24 March 2000  Volume 20 : Issue 85

   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/20.85.html>
and by anonymous ftp at ftp.sri.com, cd risks .

Northwest grounded for 3.5 hours after cable cut (Tim Dixon)
Patriot fails again (Lord Wodehouse)
Iridium insidium (PGN)
Leap-day banking ALERT! (Harlan Rosenthal)
Weather.com leaves visitors in the cold (Jay D. Dyson)
Cybercrime losses double to $10 billion (NewsScan)
Massive credit-card theft exposed (NewsScan)
Hacking credit cards is preposterously easy (Martin Minow)
Laptop Security (Steve Loughran)
Risks of Microsoft Passport (Avi Rubin)
Actor sues eBay for causing identity theft (Jim Griffith)
Re: MIT grade spreadsheet problem (Wm. Randolph Franklin)
There *still* ain't no such thing as a free lunch (Malcolm Pack)
Re: Hackers sued by software-filtering company (Bear Giles)
Re: Internet voting (Adam Shostack)
Report raises online privacy concerns (NewsScan)
TWA includes e-mail others' addresses in bulk mailing (RA Downes)
Re: Overdue Railtrack calls in the Army (Mark Nelson)
Abridged info on RISKS (comp.risks)


Date: Wed, 22 Mar 2000 19:14:26 GMT
From: tdixon.no@spam.fwi.com (Tim Dixon)
Subject: Northwest grounded for 3.5 hours after cable cut

When will people learn?  Computerworld reports that Northwest Airlines had
to cancel about 130 flights during a 3.5-hour outage at their Twin Cities
hub.  It seems a contractor accidentally bored into the cable cluster
containing both main and redundant fibre lines.

When will people learn they need to know where their redundancy lies?
Cables run through the same conduit are only partially redundant, as events
like this will happily take out all the cables in a conduit, making the
conduit itself a single point of failure.

  [It sure is a common thread in RISKS!  Thanks to the others of you
  who noted this case also.  PGN]


Date: Fri, 24 Mar 2000 16:38:04 +0000
From: Lord Wodehouse <w0400@ggr.co.uk>
Subject: Patriot fails again

>From the BBC:

Yet again the Patriot missile has hit the news.  Again units on high alert
status for long periods have developed problems.

  Tests have shown that missiles kept constantly on high
  alert have developed problems in receiving a radio
  frequency downlink, which guides the missiles in flight.

  General Kern said the Patriot's manufacturer,
  Raytheon Co., had guaranteed that the missiles would
  work properly if on high alert for a maximum of six

The full article provides ore details. However the risks are 1) the missile
fails when required to work (seen before in the Gulf War) and 2) people
believe that the missile works, when it may not. The former means it is a
less reliable form of defence and the latter means people might assume they
are safe.

  [Of course checking the Raytheon web site shows nothing about this on the
  top page.  A search of their site does not seem to feature the story
  either.  Another risk here: absence of information.  John]

Global Research Information Systems, Glaxo Wellcome, Gunnels Wood Road, 
Stevenage SG1 2NY UK  +44 1438 76 3222 http://ds.dial.pipex.com/lordjohn/


Date: Thu, 23 Mar 2000 7:55:01 PST
From: "Peter G. Neumann" <neumann@csl.sri.com>
Subject: Iridium insidium

Jo Le Guen, the Frenchman who is rowing solo across the Pacific, six weeks
into a four-month trip from NZ to Cape Horn in Chile, in hopes of raising
awareness of the plight of our oceans.

Rune Gjeldnes and Torry Larsen, two Norwegians, are attempting to be the
first known to ski from Russia to Canada over the North Pole.

What do they have in common?  Both efforts may lose their communications
lifelines when the plug is pulled on the Iridium satellite network at
midnight on 24 Mar 2000, after Iridium LLC failed to be rescued from
bankruptcy.  However, Motorola will attempt to keep the network running in
remote areas "for a limited period of time."  Le Guen gets his weather
forecasts from France, and talks with his doctor.  (He has some alternative
modes of communication, but with practical restrictions.)

  [Thanks to Mark Brader and George Mannes for the source material.]


Date: Wed, 22 Mar 2000 09:37:17 -0500
From: Harlan Rosenthal <H.Rosenthal@Dialogic.com>
Subject: Leap-day banking ALERT!

This came from one of my staff. - harlan

> Check the bank statements carefully this month!!!
> My bank missed a posting made 29 Feb 2000.
> I was about to panic when I checked with the company to be paid - they did
> have the payment, received 29 Feb.  My bank account statement went from 28
> Feb to 1 Mar, the payment wasn't shown, and it looks like the amount was
> not accounted for.


Date: Mon, 20 Mar 2000 08:09:52 -0800 (PST)
From: "Jay D. Dyson" <jdyson@techreports.jpl.nasa.gov>
Subject: Weather.com leaves visitors in the cold

The risk here?  Total reliance on a website.  Fortunately, my reality check
(an open window) gave me the 0day info on the genuine weather conditions.

This morning, I was told by my sweetie to go look at http://www.weather.com/
to see what the daily forecast is.  You can only imagine my surprise when I
saw this week's forecast for ZIP code 91109!


	TODAY	Windy		hi 18F
				lo 7F
	TUE	Partly cloudy	hi 19F
				lo 9F
	WED	Partly Cloudy	hi 21F
				lo 9F
	THU	Partly Cloudy	hi 22F
				lo 9F
	FRI	Mostly Cloudy	hi 22F
				lo 9F
	SAT	Showers		hi 19F	*
				lo 8F
	SUN	Partly Cloudy	hi 22F
				lo 46F

	* I'd like to know how we're going to have "showers" when it's
	  19 degrees F, too.

Now either I'm re-acclimated to Iowa-like weather very darn quick, or the
database is mixed up between Celsius and Fahrenheit.  This parka of mine is
just too darn warm, I tell ya!

Thanks go to my sweetie for mentioning this to me this morning, otherwise
I'd have froze to death!  ;)


Date: Wed, 22 Mar 2000 08:25:15 -0700
From: "NewsScan" <newsscan@newsscan.com>
Subject: Cybercrime losses double to $10 billion

Financial losses attributed to malicious hacking, online corporate espionage
and other computer crimes probably doubled last year, according to a survey
by the Computer Security Institute.  The survey covered 643 major
corporations and public agencies that estimated their computer crime losses
at $266 million in 1999.  Based on that number, CSI estimates that total
losses attributable to computer crime are around $10 billion annually,
mostly from financial fraud and proprietary information theft.  However,
only one company in four surveyed reported the crimes in 1999, down 32% from
1998.  Suspected reasons for the decline are fear of bad publicity and
distrust of the FBI.  Based on the survey responses, 59% of the companies
said the computer attacks initiated from the Internet, while 38% said they
initiated from internal company computers.  [*Los Angeles Times*, 22 Mar
2000, http://www.latimes.com/business/20000322/t000027053.html, NewsScan
Daily, 22 Mar 2000]


Date: Fri, 17 Mar 2000 09:43:17 -0700
From: "NewsScan" <newsscan@newsscan.com>
Subject: Massive credit-card theft exposed

In Jan 1999, a computer vandal stole information on 485,000 credit cards
from an e-commerce site and then secretly stored them in a database on a
U.S. government agency's Web site.  Although the theft was discovered in
March 1999 when a government administrator noticed that "a lot of the memory
(on the Web site) was chewed up for no reason, so he checked and found the
file (containing the stolen data)," many of the credit cards remain in use
today because credit-card companies and card-issuing credit unions decided
that it would be too much trouble to shut down the accounts and issue new
numbers, according to an unnamed source.  There is no evidence that the any
of the cards have been used to commit fraud, and Secret Service spokesman
Jim Macken says investigations point to an Eastern European perpetrator.
It's unclear why the data was deposited on a government Web site, although
Macken suggests that it may be the online equivalent of thumbing one's nose
at U.S. authorities. [MSNBC 17 Mar 2000 http://www.msnbc.com/news/382561.asp
NewsScan Daily, 17 Mar 2000]


Date: Fri, 24 Mar 2000 08:39:16 -0800
From: "Minow, Martin" <martin.minow@thinklinkinc.com>
Subject: Hacking credit cards is preposterously easy

The Register <http://www.theregister.co.uk/000324-000017.html> reports that
is is "preposterously easy" to hack many sites that collect credit card

  One computer enthusiast well known to The Register, who goes by the alias
  'Ksoze' (as in Kayser [Kaiser?] Soze), shows particular contempt for the
  security of the popular CGI log-in forms which enable consumers to enter
  their credit details when making a purchase on line. These Perl scripts
  are ripe for exploitation -- the real low-hanging fruit of the IP jungle.

  ... It's all too easy: "Just hit 'update account' and you get
  the form as filled in by customers," he says. 

  ``**** are thieves, OK, but they're morons too. They supply a CGI to their
  customers named ccbill-local.cgi by default. Site administrators need that
  CGI to add users, update accounts, and so on; but **** supplies the CGI
  chmod-ed as world-readable, in a world-readable directory! Aren't they
  totally lame?''

Transcribed (with the CGI vendor name removed) by 
Martin Minow, minow@pobox.com

  [Credit-card fraud worldwide is reportedly just under $1 billon a year,
  at about .7 percent of gross, but that represents only about 2% of banking
  losses.  Private communication.  PGN]


Date: Fri, 24 Mar 2000 14:03:25 -0000
From: "Steve Loughran" <slo2@iseran.com>
Subject: Laptop Security

The BBC on line news, 24/March/00 covers an embarrassing laptop theft

  MI5 laptop snatched
  Special Branch detectives are searching for a computer containing
  sensitive information on Northern Ireland after it was stolen from an MI5
  agent.  The 2,000-pound laptop was snatched as the agent stopped to help a
  passer-by at Paddington Underground station in central London.  Its data
  was encrypted and security officials are thought to be confident it could
  not be accessed.

The article continues with some opinions on how there is no such thing as a
``completely safe encryption system'', and the implications of the loss.

One must hope that the ``hibernate'' partition and swap file of the notebook
is also suitably encrypted, and that in the unlikely event that they are
using Windows 2000's encrypting file system, that all the files have
innocuous names.

As a recent Microsoft knowledge base article describes:
http://support.microsoft.com/support/kb/articles/Q248/7/23.ASP , their
encrypting file system only encrypts the contents of files, not the file
names.  Whereas an encrypted file ``secret plan to subvert the
government.html'' would not be readable, the fact that you had a secret plan
would be widely known...



Date: Tue, 21 Mar 2000 14:33:05 GMT
From: rubin@research.att.com (Avi Rubin)
Subject: Risks of Microsoft Passport

Dave Kormann and I took a look at Microsoft's Passport protocol and
examined the risks. Our full paper is available at


Here is the abstract:

Passport is a protocol that enables users to sign onto many different
merchants' web pages by authenticating themselves only once to a common
server. This is important because users tend to pick poor (guessable) user
names and passwords and to repeat them at different sites.  Passport is
notable as it is being very widely deployed by Microsoft.  At the time of
this writing, Passport boasts 40 million consumers and more than 400
authentications per second on average. We examine the Passport single signon
protocol, and identify several risks and attacks.  We discuss a flaw that we
discovered in the interaction of Passport and Netscape browsers that leaves
a user logged in while informing him that he has successfully logged
out. Finally, we suggest several areas of improvement.



Date: Tue, 21 Mar 2000 14:17:58 -0800 (PST)
From: Jim Griffith <griffith@netcom.com>
Subject: Actor sues eBay for causing identity theft

Jerry Orbach ("Law and Order", _DIRTY DANCING_, _FX_, and many others) is
suing eBay for allegedly allowing a user to auction two of his old acting
contracts.  Reportedly, the scanned images of the contracts showed his
Social Security number, which allegedly resulted in credit card fraud.



Date: Tue, 21 Mar 2000 17:38:49 -0500
From: wrf+risk@mab.ecse.rpi.edu (Wm. Randolph Franklin)
Subject: Re: MIT grade spreadsheet problem (Lutton, RISKS-20.84)

That sort of problem is a constant worry to large-course coordinators, who
have to assemble grades submitted by various graders into one database,
while adding and deleting students from the classlist.  As students are
added, formulae must be copied, relatively, and summation ranges must be
extended.  One wrong mouse click can invisibly drag a cell somewhere else.

One obvious check, which was not made, is to sample a few students, and
check for reasonableness.  An after-the-fact check is to give the students
complete info about the inputs and outputs for their individual grades.
However, that's not so easy.  At times, I've used nested shell scripts to
e-mail each student.  At other times, I've created a separate AFS directory
for each student, permitted to only that person.

One deep reason for the problem is as follows.  It's hard to destroy or
mutilate info on paper.  It's easy to delete info from a computer file.
This sort of user interface and metaphor problem is one of the areas in
which Computer Science has not advanced in decades.

Does anyone remember the Florida contractor who used Lotus to prepare a bid,
which was too small since his summation range was too small?  He won the
bid, then sued Lotus, leading to a cover story in (I think) Business Week.

Wm. Randolph Franklin  	    wrf+risk@mab.ecse.rpi.edu (PGP available)

  [WRF is undoubtedly referring to the SYMPHONY case:
    Lawsuit vs Lotus' Symphony dropped (omitted General Costs
    proposal section)(ACM Softw.Eng.Notes 11, 5, RISKS section,   
    pp.11-12, October 1986, and SEN 12 1, January 1987.  PGN]


Date: Sun, 19 Mar 2000 08:05:19 +0000
From: Malcolm Pack <mpack@email.com>
Subject: There *still* ain't no such thing as a free lunch

On 14 Mar 2000, Stephen King's latest Novella, published only as an
Electronic Book, was made available "free of charge" by Barnes and Noble on
the company's web site.  Thanks to recent upheavals in the UK Telco/ISP
marketplace, for once this truly was a "free" offer, since I would be able
to download the book without incurring metered telephone call charges.

The book was available in three formats:

o RocketBook
  Only for owners of a NuvoMedia's physical Rocket Book device.
  Those of us in possession of the eBook software were SOL.

o GlassBook
  A new (to me) format that required the download of a
  free-of-charge reader that includes Adobe PDF technology,

o Adobe PDF
  To be sent by e-mail.

Having discovered that the Rocket edition was not available to me, I
requested an e-mail copy (for which I am still waiting) and decided to
download the free GlassBook version with its free viewer.

I won't go into the length of time it took to connect to clearly- overloaded
servers at bn.com and glassbook.com.  Needless to say, I was not permitted
to get the book until I had finished downloading the 7MB reader, which I
eventually managed to do, and installing it.

The reader installed, and asked me to reboot my Windoze NT4 SP6a PC to
enable it, which I did.  The PC restarted, got to the "blue startup screen",
restarted itself, got to the "blue startup screen", restarted itself, got to
the "blue startup screen", restarted itself, got to the "blue startup
screen", restarted itself...

Two hours, and much detective work later (thanks to my being able to
dual-boot into SuSE Linux and see my NT partition outside its crippled OS
host), the culprits turned out to be a SYS and a VXD (tpkd.*) that the
software had installed.  Both were "InterLok(R)" files created by "PACE
Anti-piracy, Inc".  My PC had been crippled by anti-piracy measures applied
to a "free" software product I'd installed to read a "free" book.  It is
entirely feasible that others were locked out of their systems for good by
this software.


Fortunately, some things in life *are* free (if one owns the right
Advertisement-blocking software ^-^), so I was able to use dialpad.com to
telephone the US-based support desk for Glassbook using my PC as a
telephone. After a 30 minute hold, I was put through to a technician, and
explained the problem.  While sympathetic, the response boiled down to "This
is Beta software.  I'll log the report for action."

I've heard nothing since, and I still haven't got a copy of the book.

Malcolm Pack <mpack@email.com>


Date: Mon, 20 Mar 2000 09:25:32 -0700 (MST)
From: Bear Giles <bear@coyotesong.com>
Subject: Re: Hackers sued by software-filtering company (RISKS-20.84)

There is *far* more going on here than meets the eyes.  Those programmers
are involved in the Peacefire anti-censorship group
(http://www.peacefire.org).  The site has had detailed instructions for
getting around censorware software for months, without any legal action from
the companies.

But for some odd reason Symantec (I-Gear) threatened legal action only after
Peacefire cracked their encrypted blacklist and determined that 76% of the
sites in a quick sample (the first 50 .edu sites) were erroneously blocked.

Likewise Mattel (CyberPatrol) sued only after Peacefire cracked their
encrypted blacklist and published the results.

To a critical mind, several questions scream out:

 - why are the blacklists encrypted?  Is this to block access by 
   competitors, or is it really to prevent parents and libraries from 
   performing their own quality checks?  (If it's an anticompetitive
   measure, why are the companies treating it as a "hackers, kids and 
   porn" case?)

 - how would knowing that a site is on the blacklist permit a kid
   to access the blocked site?  How many kids have the technical 
   knowledge to edit the blacklist... and how hard would it be to
   check an MD5 checksum every so often?  (Since the blocking software
   only works when the computer is on the 'net, it is trivial to
   automatically download the checksum every Nth request.  If they
   don't match, download a new copy of the blacklist.)

 - why would the legitimately blocked sites have a problem with this?
   AFAIK most legitimate porn sites are more than willing to cooperate
   with censorware companies because it reduces their legal exposure -
   they can demonstrate a good-faith effort to prevent access by minors.
   The only sites that have a beef with this issue are ones that are
   blocked due to judgement calls, e.g., the pro-censorware Christian 
   group that was was shocked to discover itself on a blacklist because 
   of its firm, principled stand against homosexuals and heathens.

Further complicating the issue is the apparent attempts to invoke the DMCA
(essentially criminalizing political debate if one party uses even trivial
encryption of key evidence; it brings to mind the 80's fad of putting a
lawyer into every meeting so the company could claim lawyer-client
confidentiality) and the pending UCITA legislation (which would explicitly
criminalize badmouthing software).  And we must never forget the absurdity
of a U.S. judge telling a Swedish ISP that it can't host material for two
Canadian residents - do all courts have worldwide jurisdiction in the
prenatal millennium?

I strongly recommend anyone interested in this topic review the Censorware
Project's report on an analysis of the logs of all Utah schools and
libraries. (http://censorware.org/reports/utah/) This report has been widely
misquoted as proving that censorware works.  The 0.0006% (or "1-in-6
million," as was allegedly misquoted at one point in the Bush-McCain
slugfest) error rate is a total fiction; any sane analysis shows that about
1-in-20 blocked sites are blocked in error in practice.

*** Late update: according to Slashdot
(http://slashdot.org/article.pl?sid=00/03/20/0845236) Mattel (CyberPatrol)
has not only sent mass mailings to all mirrors of the the critical webpages,
they have allegedly added these mirror sites (and the author's homepages) to
their blacklist *under all categories.* Slashdot also reports that Declan
McCullagh, respected journalist for _Wired_ who has never hosted the essay
in question has also received legal threats.

This means there is an excellent chance that this issue of comp.risks will
be unavailable to school children nationwide due to its shocking content of
nudity, explicit sexual depictions, violence, drug use, satanic acts,
gambling activities, etc.

The RISKS created by an "informed public debate" on the merits of
censorware, where the library patrons are quietly "protected" from
legitimate criticisms of one side of the debate should be obvious to
everyone.  This is *not* an example pulled out of thin air -- another recent
Slashdot discussion covered the Holland, Mich. debate on whether to mandate
this type of censorware in their libraries.  One can only shudder in
anticipation of the glorious day when nobody is even aware of this problem
as DMCA and UCITA ensure that no software, anywhere, ever has any
publishable defects of any kind.

On the bright side, this one petulant act may be enough to raise serious
constitutional issues of whether it will *ever* be legal for a government to
mandate the use of censorware on publicly access systems.  If this nonsense
is allowed to stand, we might as well appoint the CEO of Mattel Lord High
Emperor because he(?) will have demonstrated the ability to stifle the free
political debate that lies at the heart of our democracy.

(The preceding political screed was brought to you by the Drug-Running Child
Pornography Terrorists of America.)

Bear Giles <bgiles@coyotesong.com>

P.S., some people are already calling for a Barbie-Q to protest this.  I am
seriously torn between the attraction of torching a little Mattel
CEO-in-drag effigy on the steps of the state capitol (and passing out flyers
explaining the situation to passing legislators) and the horrid fact that
that means Mattel would get even one thin dime from me.

  [Does Barbie have a Mattelephone?  PGN]


Date: Sun, 19 Mar 2000 12:53:10 -0500
From: Adam Shostack <adam@zeroknowledge.com>
Subject: Re: Internet voting (RISKS-20.83-84)

Regarding the question Steve Wildstrom poses in Risks 20.84, "Once you are
authenticated on line, how do you cast a secret ballot?"
One answer lies in a set of technologies called minimal disclosure
credentials.  These were invented by David Chaum, and substantially enhanced
by Stefan Brands.  The core of it is, you authenticate to some server, and
are granted a single-use credential which can not be linked to your
authentication.  The inability to link back to the authentication is
provided by a technique called blinding, where the client takes a set of
actions to prevent the server from knowing what it is signing.  This
technique forms the basis for anonymous electronic cash, and can be used to
create a 'coin' whose value is 'one vote.'  The state can allow each voter
to withdraw one coin, and ensure that each vote is 'paid for' with one valid
coin, thus assuring one person, one ballot, per election.  (This proposal
has a number of flaws, but is useful as a straw man if you understand
electronic cash.)

Schneier's Applied Cryptography, chapter 6, has a long list of electronic
voting protocols and systems which are intended to address these types of


  [Wait until you see Bruce's next book, forthcoming, which takes a less
  sanguine view of good crypto protocols in the presence of flawed
  implementations or weak system embeddings.  

  Incidentally, Lauren Weinstein called to my attention an article on
  Arizona's experience with Internet voting that is of interest here:


Date: Thu, 09 Mar 2000 09:57:08 -0700
From: "NewsScan" <newsscan@newsscan.com>
Subject: Report raises online privacy concerns

A new Justice Department report, titled "The Electronic Frontier: The
Challenge of Unlawful Conduct on the Internet," has put privacy activists on
alert: "What the report amounts to is a law enforcement Internet wish list
of ways in which they can strip away privacy and free-speech protections in
order to get at what they claim is this criminal element online," says an
ACLU spokeswoman. The most controversial part of the report is a passage
that terms anonymous e-mail a "thorny issue": "Given the complexity of this
issue, balancing the need for accountability with the need for anonymity may
be one of the greatest policy challenges in the years ahead." A White House
deputy press secretary attempted to reassure ACLU officials, saying the
administration understands the importance of privacy, including the positive
role anonymity can play in reporting crimes and war atrocities.  [*The
Washington Post*, 9 Mar 2000,
NewsScan Daily, 9 Mar 2000]


Date: Wed, 22 Mar 2000 05:37:51 +0000
From: main@radsoft.net
Subject: TWA includes e-mail others' addresses in bulk mailing

  [TWA accidentally disclosed e-mail addresses of 80% their customers, 
  albeit in alphabetically ordered batches.  Spammers's delight?  
  Advertiser's boon?  Violation of their privacy policy?  PGN]
Again, mice prove to be erratic creatures:

It would seem a standard "Are you really really sure?" would be in order
here so that the mice don't take the day.


Radsoft Laboratories  http://www.radsoft.net


Date: Wed, 22 Mar 2000 11:58:35 -0500
From: "Mark Nelson" <mnelson@fnx.com>
Subject: Re: Overdue Railtrack calls in the Army (Martin, RISKS-20.84)

> An earlier article explains that the cost overrun from 2.2 billion to 5.8
> billion (that's UK pounds and UK billions)

  [We have been around this one before in RISKS.  For quite a few years,
  UK billions and and US billions have been unofficially the same, 
  irrespective of whether OFFICIALLY the UK billion might still be 
  a million million.  I had inteded to take out Ursula's unofficially
  gratuitous parenthetical.  PGN]


Date: 13 Dec 1999 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) 
 if possible and convenient for you.  Alternatively, via majordomo, 
 SEND DIRECT E-MAIL REQUESTS to <risks-request@csl.sri.com> with one-line, 
   SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or
   INFO     [for unabridged version of RISKS information]
 .MIL users should contact <risks-request@pica.army.mil> (Dennis Rears).
 .UK users should contact <Lindsay.Marshall@newcastle.ac.uk>.
=> The INFO file (submissions, default disclaimers, archive sites, 
 copyright policy, PRIVACY digests, etc.) is also obtainable from
 http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues.  *** All 
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
 ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 19" for volume 19]
 or http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
 Also, new AUSTRALIAN archives at http://mirror.aarnet.edu.au/risks/ and
   http://the.wiretapped.net/security/textfiles/risks-digest/ .
 PostScript copy of PGN's comprehensive historical summary of one liners:
   illustrative.PS at ftp.sri.com/risks .


End of RISKS-FORUM Digest 20.85

[: hacktivism :]
[: for unsubscribe instructions or list info consult the list FAQ :]
[: http://hacktivism.tao.ca/ :]