Loading ...
Sorry, an error occurred while loading the content.

[risks] Risks Digest 22.71

Expand Messages
  • RISKS List Owner
    RISKS-LIST: Risks-Forum Digest Saturday 3 May 2003 Volume 22 : Issue 71 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM
    Message 1 of 1 , May 3, 2003
      RISKS-LIST: Risks-Forum Digest Saturday 3 May 2003 Volume 22 : Issue 71

      ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

      ***** See last item for further information, disclaimers, caveats, etc. *****
      This issue is archived at
      and by anonymous ftp at ftp.sri.com, cd risks .

      OpenBSD release protects against buffer-overflow attacks (SANS via
      Monty Solomon)
      Prescription error (Monty Solomon)
      Spelling checker renames Amritsar to AmriCzar (David J. Aronson)
      Kellogg's American Airlines online sweepstakes swept away (PGN)
      Pilots fail exams (Jill Treu)
      Inside Cisco's eavesdropping apparatus (Declan McCullagh via Monty Solomon)
      Internet fraud complaints triple (NewsScan)
      Bogus Internet domain-name renewal offers (Network Solutions via PGN)
      Spammers use viruses to hijack computers (NewsScan)
      Breastfeeding mothers, avoid Continental (Meng Weng Wong via Dave Farber)
      Re: NCIC database accuracy requirements (John Beattie)
      Re: Friendly Fire (Jan C. Vorbrueggen)
      REVIEW: "Firewalls and Internet Security", Cheswick/Bellovin/Rubin (Rob Slade)
      REVIEW: "Inside the Security Mind", Kevin Day (Rob Slade)
      Abridged info on RISKS (comp.risks)


      Date: Sun, 20 Apr 2003 22:28:52 -0400
      From: Monty Solomon <monty@...>
      Subject: OpenBSD release protects against buffer-overflow attacks (SANS)

      Excerpt from
      SANS NewsBites April 16, 2003 Vol. 5, Num. 15

      The most recent release of OpenBSD should eliminate buffer overflows,
      according to the group's project leader. The group took three approaches to
      hardening the software. First, the location of the stack in memory is
      randomized. Second, the team added a tag to the memory structure that will
      detect address modifications. Finally, they managed to divide the main
      memory into two sections: writable and executable; the pieces of data and
      programs, called "pages", would be stored in one or the other section,
      ensuring that no page is writable and executable at the same time.

      [Editor's Note (Gene Schultz): Many kudos are in order here. If what the
      OpenBSD people are doing really works, they will put considerable pressure
      on other vendors and developers to do the same. Buffer overflow problems
      continue to plague operating systems and applications. Eliminating this
      category of vulnerabilities would be a major victory for the information
      security arena.

      (Schneier): It's great to see this kind of approach to buffer
      overflows. This is an example of building in security instead of trying to
      patch it afterwards.

      (Ranum): It's GREAT to see that at least a few people are smart enough to
      try to attack problems like this systemically, rather than keeping stuck in
      the fruitless "penetrate and patch" while loop. This is how to make progress
      in security: fundamental protections.

      (Shpantzer): Initiatives like this should be taught as case studies
      in computer science courses at the undergraduate level.


      Date: Tue, 8 Apr 2003 02:57:07 -0400
      From: Monty Solomon <monty@...>
      Subject: Prescription error

      I recently had a prescription filled that was written for 60 pills with 4
      refills. The pharmacist made a data-entry mistake, and the prescription was
      entered for 60 pills with 60 refills!

      Because prescriptions are valid for a year, the pharmacy computer could have
      detected the error and alerted the pharmacist. But, in this case, the
      prescription was printed by my doctor's computer so the issue of reading the
      doctor's handwriting was not an issue.

      The pharmacist may be used to finding the number of refills in a specific
      place on the prescription and the computer generated prescription might have
      the number of refills and quantity of pills in unusual places. The
      prescription was laser printed in the corner of a standard 8.5" x 11" piece
      of paper so the form factor of the prescription was also non-standard.

      [I suppose Monty was lucky the fields were not transposed.
      Imagine having a prescription for 60 refills of 4 pills each. PGN]


      Date: Tue, 29 Apr 2003 11:53:15 -0400
      From: "David J. Aronson" <postmaster@...>
      Subject: Spelling checker renames Amritsar to AmriCzar

      A Reuters news story written yesterday ("Revenge Behind Air India Bombing,
      Court Told", by Allan Dowd) included mention of "the Golden Temple in the
      city of AmriCzar". Google-ing AmriCzar revealed eight hits, compared to the
      about 141,000 of the correct spelling. (That, as you may have guessed, is
      Amritsar.) The six shown (two other similar hits were omitted) are:

      http://www.washingtonpost.com/wp-dyn/ articles/A58594-2003Mar7.html
      http://cndyorks.gn.apc.org/news/articles/ asia/itemsonconflict.htm

      (Note that some of these are quoting Reuters articles!)

      At a guess, the cause seems to have been blind string-matching without
      regard for context, including whether the string was part of a larger word.

      The RISK? Fortunately, just mild embarrassment in this case, and even that
      is assuming that the IT folks at Reuters ever catch wind of this. However,
      we've seen worse consequences reported here before due to similar "help",
      even when the "correction" is limited to spelling....

      David J. Aronson, Software Engineer for hire in Washington DC area.
      See http://destined.to/program/ for online resume, references, etc.

      [Roto-reuters strike again. PGN]


      Date: Wed, 30 Apr 2003 16:07:58 PDT
      From: "Peter G. Neumann" <neumann@...>
      Subject: Kellogg's American Airlines online sweepstakes swept away

      The Kellogg Company ("cereal giant") began a two-month sweepstake intended
      to give away one grand prize of 25,000 American Airlines' AAdvantage miles
      each day for 60 days. Unfortunately, due to a "computer glitch", several
      thousand people were erroneously notified by e-mail that they were winners
      -- and then later notified that the earlier e-mail was in error but that
      they would receive 500 miles as a goodwill gesture. [Source: AP item, 29
      Apr 2003; PGN-ed]


      Date: Wed, 23 Apr 2003 11:10:42 -0400
      From: "Treu, Jill" <Jill.Treu@...>
      Subject: Pilots fail exams

      [For those readers who wonder about why this item is relevant to RISKS,
      please remember that technology usually depends on a lot of people. PGN]

      The pilots couldn't pass the psychological and physical tests to be allowed
      to carry a firearm --- but flying huge planes full of people is OK. Oh, this
      makes so much sense! The risks should be obvious.

      Four pilots did not finish gun training. Four of the 48 veteran airline
      pilots who began the government's first training course for pilots wishing
      to carry guns in the cockpit were rejected after they failed at least one
      of the battery of required background checks, psychological exams and
      firearms tests. Officials said the four rejections showed that the
      government was serious about providing guns only to pilots who were
      psychologically and physically fit to carry firearms in flight and defend
      their planes against attackers. The bill permitting airline pilots to
      carry guns was passed by Congress last year, a legacy of the hijackings on
      11 Sep 2001, over the serious objections of senior members of the Bush
      administration and some members of Congress. [Source: *The New York
      Times*, 22 Apr 2003]


      Date: Tue, 22 Apr 2003 02:26:16 -0400
      From: Monty Solomon <monty@...>
      Subject: Inside Cisco's eavesdropping apparatus (from Declan McCullagh)

      By Declan McCullagh, 21 Apr 2003

      Cisco Systems has created a more efficient and targeted way for police and
      intelligence agencies to eavesdrop on people whose Internet service provider
      uses their company's routers.

      The company recently published a proposal that describes how it plans to
      embed "lawful interception" capability into its products. Among the
      highlights: Eavesdropping "must be undetectable," and multiple apolice
      agencies conducting simultaneous wiretaps must not learn of one another. If
      an Internet provider uses encryption to preserve its customers' privacy and
      has access to the encryption keys, it must turn over the intercepted
      communications to police in a descrambled form.

      Cisco's decision to begin offering "lawful interception" capability as an
      option to its customers could turn out to be either good or bad news for

      Because Cisco's routers currently aren't designed to target an individual,
      it's easy for an Internet service provider (ISP) to comply with a police
      request today by turning over all the traffic that flows through a router or
      switch. Cisco's "lawful interception" capability thus might help limit the
      amount of data that gets scooped up in the process.

      On the other hand, the argument that it hinders privacy goes like this: By
      making wiretapping more efficient, Cisco will permit governments in other
      countries -- where court oversight of police eavesdropping is even more
      limited than in the United States -- snoop on far more communications than
      they could have otherwise.

      Marc Rotenberg, head of the Electronic Privacy Information Center, says: "I
      don't see why the technical community should hardwire surveillance standards
      and not also hardwire accountability standards like audit logs and public
      reporting. The laws that permit 'lawful interception' typically incorporate
      both components -- the (interception) authority and the means of
      oversight -- but the (Cisco) implementation seems to have only the
      surveillance component. That is no guarantee that the authority will be used
      in a 'lawful' manner."

      U.S. history provides many examples of government and police agencies
      conducting illegal wiretaps. The FBI unlawfully spied on Eleanor Roosevelt,
      Martin Luther King Jr., feminists, gay rights leaders and Catholic
      priests. During its dark days, the bureau used secret files and hidden
      microphones to blackmail the Kennedy brothers, sway the Supreme Court and
      influence presidential elections. Cisco's Internet draft may be titled
      "lawful interception," but there's no guarantee that the capability will
      always be used legally.

      Still, if you don't like Cisco's decision, remember that they're not the
      ones doing the snooping. Cisco is responding to its customers' requests, and
      if they don't, other hardware vendors will.

      If you're looking for someone to blame, consider Attorney General John
      Ashcroft, who asked for and received sweeping surveillance powers in the USA
      Patriot Act, along with your elected representatives in Congress, who gave
      those powers to him with virtually no debate.

      I talked with Fred Baker, a Cisco fellow and former chairman of the Internet
      Engineering Task Force (IETF), about his work on the "lawful interception"
      draft. ...



      Date: Thu, 10 Apr 2003 08:15:43 -0700
      From: "NewsScan" <newsscan@...>
      Subject: Internet fraud complaints triple

      Complaints about fraudulent schemes perpetrated over the Internet tripled in
      2002 from the previous year, with the most common grievance being auction
      fraud, followed by non-delivery of promised merchandise, credit card fraud
      and fake investments. According to a report from the Internet Fraud
      Complaint Center, which is run by the FBI and the National White Collar
      Crime Center, the 48,252 complaints referred for prosecution in 2002
      represent only a fraction of the crimes authorities believe are occurring.
      The center also received almost 37,000 other complaints that did not
      constitute fraud, but involved such things as spam, illegal child
      pornography and computer intrusions. The report says 80% of known fraud
      perpetrators and about 71% of complainants are male. Fraud complaints
      originated in all parts of the country, with a third coming from California,
      Florida, Texas and New York. One of the most persistent scams described in
      the report is the infamous "Nigerian letter," which urges victims to pay an
      upfront fee (characterized as a bribe to the government) in order to receive
      non-existent funds from the "Government of Nigeria." There were 16,000
      complaints related to that scam in 2002, up from 2,600 in 2001. [AP, 9 Apr
      2003; NewsScan Daily, 10 Apr 2003]


      Date: Wed 23 Apr 2003
      From: neumann@...
      Subject: Bogus Internet domain-name renewal offers

      The following CUSTOMER SERVICE ANNOUNCEMENT warns of bogus e-mail offering
      domain renewals.

      > Date: Tue, 22 Apr 2003 19:51:59 -0400
      > From: "Network Solutions, Inc." [...]
      > Subject: Customer Renewal Warning

      > Dear Network Solutions(R) Customer,

      > We recently learned that our customers are receiving domain name renewal
      > notices from companies falsely representing themselves as Network
      > Solutions. These notices inform customers that their domain name
      > registration is due to expire and provides instructions on how to renew.

      > If you receive a renewal notice you do not believe is from Network
      > Solutions or if you have an unauthorized vendor listed on your credit card
      > statement for 'domain name renewal,' please contact us immediately [...].


      Date: Wed, 30 Apr 2003 08:46:57 -0700
      From: "NewsScan" <newsscan@...>
      Subject: Spammers use viruses to hijack computers

      As efforts to tackle junk e-mail ramp up, unscrupulous spammers increasingly
      are hiding their identities by taking over innocent users' accounts using
      e-mail messages that resemble computer viruses. Like many other viruses,
      these programs exploit weaknesses in Microsoft's popular Outlook e-mail
      package. One of the first hijacking programs to emerge was called "Jeem,"
      which contained a hidden e-mail engine that enabled it to route messages via
      the infected computer. Another, called Proxy-Guzu, comes as a spam message
      with an attachment. When the unsuspecting recipient clicks on the
      attachment, the computer contacts a Hotmail account and transmits
      information about the infected machine, making it possible to route e-mail
      through that machine. "Spammers are beginning to use virus-like techniques
      to cover themselves," says Larry Bridwell, content security programs manager
      at ICSA Labs. "Spam is one of the two things that the security industry is
      going to be asked to deal with. The other is adware or spyware." [BBC News
      30 Apr 2003; NewsScan Daily, 30 Apr 2003]


      Date: Tue, 22 Apr 2003 10:50:54 -0400
      From: Meng Weng Wong <mengwong@...>
      Subject: Breastfeeding mothers, avoid Continental (via Dave Farber's IP)

      Deborah Wolfe, a Canadian citizen who was just breast-feeding her son and
      changing his diaper while en route between Houston and Vancouver, says her
      "subversive" actions led to her being threatened with detainment, RCMP
      involvement and legal charges for terrorist action against a U.S. citizen in
      international airspace while on an American flight during a time of war.
      ... Wolfe says she refused a flight attendant's offer of an airline blanket
      to hide herself because it hadn't been sealed and, given the SARS scare,
      she'd rather use her own things. Thus, unbeknownst to her, a "Level 1" crew
      complaint was filed. ... She says the flight attendants also began to call
      her and her travelling party "foreign nationals in international airspace on
      an international flight during a time of war." And she was informed both of
      the complaint and that it could be upgraded to a Level 3, which meant
      possible mandatory detainment by U.S. authorities for 24 hours, RCMP
      involvement and criminal charges for an act of war upon an American.

      IP archives at: http://www.interesting-people.org/archives/interesting-people/


      Date: Mon, 21 Apr 2003 11:01:55 +0100
      From: John Beattie <JKB@...>
      Subject: Re: NCIC database accuracy requirements

      As reported in RISKS-22.65, etc., the accuracy requirements for the FBI's
      National Crime Information Center have been reduced or eliminated. Also
      discussed in the April 2003 Cryptogram:

      At first sight this is bad. But the other point of view may be worth noting:
      a widely used database which is "accurate" but has a high false positive
      rate may provide a useful widespread learning experience. Most users of
      databases regard "the computer" as infallible. A 100-to-1 false positive
      rate would be salutary! :-)

      It isn't enough that engineers and computer scientists understand accuracy
      requirements; the end-users, as represented by lawyers, have to have a
      feeling for it as well. Bad databases already do damage -- it may be that
      what is needed is a really high-profile failure.

      You can argue probabilities as much as you like; the thing will only hit
      home when almost everyone who's had contact with the database has actual
      knowledge of a failure.

      [Perhaps if a few Senators, Representatives, Justice Department folks,
      and other government officials were mistakenly apprehended, that might
      help. PGN]


      Date: Mon, 28 Apr 2003 15:58:19 +0200
      From: "Jan C. =?iso-8859-1?Q?Vorbr=FCggen?=" <jvorbrueggen@...>
      Subject: Re: Friendly Fire (Ladkin, RISKS-22.68)

      I believe a technical contribution to this organizational problem was the
      fact that Aegis computed/computes the first and second derivatives of
      measured target height to derive sink/climb rate and acceleration. These
      values, derived as they are from noisy measurements, are notoriously
      unreliable. The crew seems to have treated these "measurements" at face
      value, deriving a threat from the fact that they indicated a high sink rate
      directed at the Vincennes, when in reality the aircraft was flying level. So
      in this case the misinterpretation (at least in part) resulted in the
      ability of computers to provide processed but unreliable data, very likely
      without an indication of its unreliability (ever seen error bars on such

      Jan Vorbr|ggen - MediaSec Technologies, Berliner Platz 6-8, D-45127 Essen
      Research & Development - Tel. +49 201 437 52 52 http://www.mediasec.com


      Date: Fri, 25 Apr 2003 08:36:55 -0800
      From: Rob Slade <rslade@...>
      Subject: REVIEW: "Firewalls and Internet Security", Cheswick/Bellovin/Rubin

      BKFRINSC.RVW 20030321

      "Firewalls and Internet Security", William R. Cheswick/Steven M.
      Bellovin/Aviel D. Rubin, 2003, 0-201-63466-X, U$49.99/C$77.99
      %A William R. Cheswick ches@...
      %A Steven M. Bellovin smb@...
      %A Aviel D. Rubin avi@...
      %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
      %D 2003
      %G 0-201-63466-X
      %I Addison-Wesley Publishing Company
      %O U$49.99/C$77.99 416-447-5101 fax: 416-443-0948
      %O http://www.amazon.com/exec/obidos/ASIN/020163466X/robsladesinterne
      %O http://www.amazon.ca/exec/obidos/ASIN/020163466X/robsladesin03-20
      %P 433 p.
      %T "Firewalls and Internet Security: Repelling the Wily Hacker,
      Second Edition"

      As the first work to deal seriously and completely with the topic, the first
      edition of "Firewalls and Internet Security" was one of those classics that
      get known only by the last names of the authors, so as not to leave any
      possibility of confusion with books whose titles may be similar.

      When such a long time has elapsed between editions of a work such as this,
      it is more than possible that the field has moved on far enough that a minor
      updating of the material is simply not feasible. The authors are quite well
      aware of the new territory: where useful, the original structure has been
      retained, but otherwise, the book has essentially been rewritten. A huge
      undertaking, but the only practical course, in the circumstances.

      Part one establishes a starting point. Chapter one, an introduction,
      presents a number of basic, but worthwhile, security concepts. The
      operations of various components of the TCP/IP protocol suite are discussed,
      with the most serious security vulnerabilities helpfully highlighted, in
      chapters two (lower layers) and three (upper layers). The authors' thoughts
      on the security of the Web are amply expressed in the title of chapter four:
      "The Web: Threat or Menace?"

      Part two outlines the threats to networked machines. Chapter five describes
      a number of different types of attacks. A variety of tools for determining
      security weaknesses are listed in chapter six, alongside discussions of the
      relative costs/benefits of disclosure versus security by obscurity.

      Part three details security tools and utilities. Chapter seven reviews
      authentication concepts and techniques. Various network security systems
      are described in chapter eight.

      Part four gets us to firewalls and virtual private networks (VPNs)
      themselves. Chapter nine outlines the different types of firewalls. Basic
      filtering concepts are examined in chapter ten. Considerations for
      constructing and tuning your firewall are in chapter eleven. Tunnelling and
      VPNs are discussed in chapter twelve.

      Part five extends the isolated technology of firewalls into the application
      of protecting an organization. Network layout, and the implications
      thereof, is reviewed in chapter thirteen. Chapter fourteen deals with
      hardening of hosts. Chapter fifteen is a rather terse look at intrusion

      Part six is entitled "Lessons Learned." The detection and tracing of
      "berferd" is described in chapter sixteen, along with the taking of the
      "CLARK" machine in chapter seventeen. In chapter eighteen, Kerberos and
      IPSec are used as examples of approaches to security of insecure networks.
      Chapter nineteen finishes with some ideas for work that yet needs to be done
      to help with the security of the Internet.

      The place of firewalls in regard to network security has broadened
      considerably in the past decade. This book does reflect that reality.
      Unfortunately, that breadth of topic has come at the expense of some depth
      in coverage. The result is a book that is definitely worthwhile as an
      introduction to the field, but which may no longer be suitable as a working
      reference. I must admit that, for some time, I have been recommending
      Chapman and Zwicky (cf. BKBUINFI.RVW) over Cheswick and Bellovin's original
      text, since "Building Internet Firewalls" seems to have the edge in terms of
      practicality. Upon reviewing this new edition of the classic, I would have
      to stick to that recommendation.

      copyright Robert M. Slade, 1994, 2003 BKFRINSC.RVW 20030321
      rslade@... rslade@... slade@... p1@...


      Date: Fri, 2 May 2003 08:21:11 -0800
      From: Rob Slade <rslade@...>
      Subject: REVIEW: "Inside the Security Mind", Kevin Day

      BKINSCMI.RVW 20030321

      "Inside the Security Mind", Kevin Day, 2003, 0-13-111829-3,
      %A Kevin Day
      %C One Lake St., Upper Saddle River, NJ 07458
      %D 2003
      %G 0-13-111829-3
      %I Prentice Hall
      %O U$44.99/C$69.99 +1-201-236-7139 fax: +1-201-236-7131
      %O http://www.amazon.com/exec/obidos/ASIN/0131118293/robsladesinterne
      %O http://www.amazon.ca/exec/obidos/ASIN/0131118293/robsladesin03-20
      %P 309 p.
      %T "Inside the Security Mind: Making the Tough Decisions"

      I am quite sympathetic to the idea that the realization of a security
      mindset or attitude (I frequently refer to it as professional paranoia) is
      more important to attaining security than isolated technical skills. I'm
      sorry to say that this work is not likely to help you find, attain, or
      assess that protection perspective.

      Right from the beginning of the book, readers will find a flavour of eastern
      philosophy, and even mysticism, to it. There are four virtues, an
      eight-fold path, and even repeated injunctions for the reader to keep an
      "open mind"--a phrase which those who have conversed with devotees of the
      Buddhist faith will find rather familiar.

      Unfortunately, chapter one seems to demonstrate that Day is bringing us only
      a newage vagueness in his description of the security mind. We are to rid
      ourselves of negative thoughts, and follow fundamental virtues, which we
      haven't been given yet. Computer security is only a decade old, we are told
      in chapter two, and constantly changing, and expensive, and there are few
      practitioners, and lots of bad guys out there, and we are paralyzed by
      fear--but we have nothing to fear but fear itself! Chapter three finally
      lists the four virtues for us: security is ongoing, a group effort, requires
      a generic approach, and is dependent upon education. I don't disagree with
      any of these points (other than the philological debate about whether they
      should be called virtues), and neither would any other security
      professional. However, they don't really provide us with much in the way of
      help. Eight security "rules," in chapter four, list principles such as
      "least privilege," which are also commonly known in security work.

      Chapter five is supposed to tell us how to develop a security mind, but
      actually seems to be an exercise in wishful thinking. If the world were
      neatly divided into safe and unsafe zones, and if our systems all worked
      perfectly and in correspondence with our users' known requirements, and if
      everyone that we trusted were completely competent in regard to their own
      defence, security would be much easier. Decision-making is likewise
      simplisticly seen to be supported by the virtues and rules, in chapter six.
      There is a superficial overview of blackhats and vulnerabilities in chapter
      seven. Chapter eight has a standard review of risk analysis. Vague ideas
      on hiring security, and some thoughts on outsourcing, are in chapter nine.
      The author gives his opinion on some security tools in chapter ten. Chapter
      eleven is another attempt to prove that the rules can be used. We are given
      a final adjuration to change our attitudes in chapter twelve.

      Basically, this book is yet another attempt to write a general security
      guide, without first ensuring that the material is structured, sound,
      complete, or useful.

      copyright Robert M. Slade, 2003 BKINSCMI.RVW 20030321
      rslade@... rslade@... slade@... p1@...


      Date: 29 Mar 2002 (LAST-MODIFIED)
      From: RISKS-request@...
      Subject: Abridged info on RISKS (comp.risks)

      The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.
      => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
      if possible and convenient for you. Alternatively, via majordomo,
      send e-mail requests to <risks-request@...> with one-line body
      subscribe [OR unsubscribe]
      which requires your ANSWERing confirmation to majordomo@... .
      If Majordomo balks when you send your accept, please forward to risks.
      [If E-mail address differs from FROM: subscribe "other-address <x@y>" ;
      this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
      Lower-case only in address may get around a confirmation match glitch.
      INFO [for unabridged version of RISKS information]
      There seems to be an occasional glitch in the confirmation process, in which
      case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
      .UK users should contact <Lindsay.Marshall@...>.
      => The INFO file (submissions, default disclaimers, archive sites,
      copyright policy, PRIVACY digests, etc.) is also obtainable from
      http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info
      The full info file will appear now and then in future issues. *** All
      contributors are assumed to have read the full info file for guidelines. ***
      => SUBMISSIONS: to risks@... with meaningful SUBJECT: line.
      => ARCHIVES are available: ftp://ftp.sri.com/risks or
      ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
      [volume-summary issues are in risks-*.00]
      [back volumes have their own subdirectories, e.g., "cd 21" for volume 21]
      http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
      Lindsay Marshall has also added to the Newcastle catless site a
      palmtop version of the most recent RISKS issue and a WAP version that
      works for many but not all telephones: http://catless.ncl.ac.uk/w/r
      http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
      http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
      ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
      http://www.csl.sri.com/illustrative.html for browsing,
      http://www.csl.sri.com/illustrative.pdf or .ps for printing


      End of RISKS-FORUM Digest 22.71
    Your message has been successfully submitted and would be delivered to recipients shortly.