From: RISKS List Owner (riskocsl.sri.com)
Date: Mon Oct 08 2001 - 14:55:47 CDT

    RISKS-LIST: Risks-Forum Digest Monday 8 October 2001 Volume 21 : Issue 68

       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/21.68.html>
    and by anonymous ftp at ftp.sri.com, cd risks .

      Contents:
    Rocket plunges into Indian Ocean (PGN)
    New interest in network security (NewsScan)
    Another unitary transformation (Rodney Polkinghorne)
    AOPA's TurboMedical(sm) eases medical application process (Richard Glover)
    Ham radios in the aftermath of 11 September 2001 (Richard Murnane)
    11 Sep 2001: Risks of electronic surveillance (Gisle Hannemyr)
    Re: "The Risks Are Obvious" (Amos Shapir)
    Risks of bogus e-mail addresses "FROM: ObL" (Peter Wayner)
    Remote control of airliners (Steve Bellovin)
    Re: Oxygen tank kills MRI exam subject (Leonard X. Finegold)
    MS Front Page 2002 Licence Agreement (Alistair McDonald)
    Re: Creator of Kournikova virus gets 150 hours ... (Gene Berkowitz)
    Re: Hacker re-writes Yahoo! (Mark Hull-Richter)
    Trusted Computing, and Embedded and Hybrid Systems - new NSF programs
      (Wm Randolph Franklin)
    Computer Security Applications Conference + Advance Program (Jay Kahn)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Sat, 22 Sep 2001 09:01:03 -0700 (PDT)
    From: "Peter G. Neumann" <neumannCSL.sri.com>
    Subject: Rocket plunges into Indian Ocean

    On 21 Sep 2001, a Taurus rocket went off-course 83 seconds after launch.
    Carrying an Orbital Imaging satellite, a NASA ozone-monitoring QuikTOMS
    satellite, and the cremated remains of 50 people ($5300 each), the rocket
    failed to reach its intended altitude and velocity despite an attempted
    correction, resulting in loss of the payloads. NASA's share of the cost was
    estimated at $50M. It was the second Orbital Sciences rocket lost in less
    than four months. [Source: AP item in Newsday.com, 22 Sep 2001, PGN-ed]

    ------------------------------

    Date: Tue, 02 Oct 2001 08:39:44 -0700
    From: "NewsScan" <newsscannewsscan.com>
    Subject: New interest in network security

    Security companies are being deluged with business opportunities, and CEO
    Peggy Weigle of the Internet security firm Sanctum explains, "Network
    security used to be a necessary evil, but now it's a core value of
    companies." Doing security audits commissioned by 300 organizations, Weigle
    found the results "scary" and said, "We could have stolen flight manifests,
    personnel files, sensitive data... We could have easily gotten onto a flight
    illegally." Research firms Gartner and IDC predict that the network
    security market in the U.S. will grow 20% to 24% a year between now and
    2005. [USA Today 2 Oct 2001; NewsScan Daily, 2 Oct 2001]
    http://www.usatoday.com/life/cyber/tech/2001/10/2/network-security.htm

    ------------------------------

    Date: Mon, 08 Oct 2001 10:14:17 +1000
    From: Rodney Polkinghorne <rodneypraman.physics.uq.edu.au>
    Subject: Another unitary transformation

    Nature, the journal that told us about cold fusion, posts summaries of
    recent physics papers at <http://www.nature.com/physics/>. One of
    these, "Bose, Einstein and chips," reads:

        On the atom chip, the magnetic potential minimum that confines
        the atoms is barely a millimetre or so wide, and it holds the
        condensate an ultracold cloud of around 1,600 rubidium atoms
        about 70-440 mm above the chip surface.

    Or, as a read-source-ful scientist might discover:

        about 70&#150;440 <span class="symbol">m</span>m above the chip surface.

    The online version of the article they are summarising [W. Hansel et al.,
    Nature 413 p498 (2001)], gives the correct height of 70-440 micrometres.
    The micro symbol is included in ISO 8859-1.

    Unlike the ohm/watt confusion reported earlier (Rolph, RISKS-21.29 and
    Peuhkuri, RISKS-21.33), millimetres and micrometres have the same
    dimensions. At least with SI you are always out by a factor of 1000 or
    more, which readers of Nature should notice. But given what you would have
    to pay to see that page for yourself, you would think they could afford a
    proof reader.

    Rodney Polkinghorne
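
The markup failure described in the message above, as an added example that is not part of the original digest or of the contributor's post: a text extractor that ignores the `symbol` class turns the micro prefix into a plain "m", while one that resolves the Symbol-font run first recovers the intended unit. The partial Symbol-font table, the `<font face="Symbol">` case and all function names are assumptions of this example.

```python
"""Added example: resolve Symbol-font markup before extracting text."""
from html.parser import HTMLParser

# Partial Adobe Symbol encoding (assumption: only a few common letters).
SYMBOL_TO_UNICODE = {
    "a": "\u03b1", "b": "\u03b2", "d": "\u03b4", "D": "\u0394",
    "l": "\u03bb", "p": "\u03c0", "s": "\u03c3", "w": "\u03c9",
    "W": "\u03a9",
    "m": "\u00b5",  # MICRO SIGN, the ISO 8859-1 character the post mentions
}
VOID_TAGS = {"br", "hr", "img", "input", "link", "meta", "wbr"}


def _map_symbol(ch):
    """Translate one character that was meant to be drawn in the Symbol font."""
    if ch in SYMBOL_TO_UNICODE:
        return SYMBOL_TO_UNICODE[ch]
    if ch.isalpha():
        # Fail loudly: guessing here would silently change a unit or variable.
        raise ValueError(f"unmapped Symbol-font letter {ch!r}")
    return ch  # digits, spaces and punctuation pass through unchanged


class _Extractor(HTMLParser):
    def __init__(self, honour_symbol_font):
        # convert_charrefs=True also decodes &#150; as the Windows-1252 en dash.
        super().__init__(convert_charrefs=True)
        self.honour = honour_symbol_font
        self.stack = []     # one bool per open element: does it select Symbol?
        self.out = []
        self.findings = []  # (literal text, intended text) for each affected run

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        a = dict(attrs)
        classes = (a.get("class") or "").lower().split()
        face = (a.get("face") or "").lower()
        self.stack.append("symbol" in classes or (tag == "font" and face == "symbol"))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        if any(self.stack):
            intended = "".join(_map_symbol(ch) for ch in data)
            self.findings.append((data, intended))
            if self.honour:
                data = intended
        self.out.append(data)


def extract_text(fragment, honour_symbol_font=True):
    """Return (plain text, findings) for an HTML fragment.

    With honour_symbol_font=False the tags are simply dropped, which is what
    a stylesheet-less client or a naive scraper does.
    """
    parser = _Extractor(honour_symbol_font)
    parser.feed(fragment)
    parser.close()  # flush text buffered after the last tag
    return "".join(parser.out), parser.findings


# The fragment quoted in the post.
SAMPLE = 'about 70&#150;440 <span class="symbol">m</span>m above the chip surface.'

if __name__ == "__main__":
    naive, findings = extract_text(SAMPLE, honour_symbol_font=False)
    fixed, _ = extract_text(SAMPLE)
    print("tags dropped :", naive)
    print("font resolved:", fixed)
    for literal, intended in findings:
        print(f"depends on Symbol font: {literal!r} should read {intended!r}")
```

A non-empty `findings` list is a useful publishing check on its own: it marks every place where the meaning of the page depends on a font or stylesheet being applied.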

    ------------------------------

    Date: Tue, 04 Sep 2001 09:50:24 -0700
    From: Richard Glover <rgloverlunarpoodle.com>
    Subject: AOPA's TurboMedical(sm) eases medical application process

    From: http://www.aopa.org/whatsnew/newsitems/2001/01-3-042.html

    AOPA's TurboMedical(sm) eases medical application process, 24 Aug 2001

    AOPA has launched a new, Web-based tool to help pilots prepare to obtain
    their medical certificates. AOPA's TurboMedical(sm) is the first of a series
    of "intelligent" online forms to come from AOPA. Pilots who use
    TurboMedical(sm) will be less likely to have FAA delay or deny the issuance of
    their medical certificate.

    "AOPA's Web site (www.aopa.org) offers more resources to pilots than any
    other aviation site on the Internet," said AOPA President Phil Boyer.
    "TurboMedical(sm) is an innovative way to use the Web to remove some of the
    uncertainty of applying for a medical."

    The innovative online form "interviews" the pilot to ensure that all of the
    information on FAA's Form 8500-8 (application for an airman medical
    certificate or student pilot certificate) is filled in correctly.

    TurboMedical(sm) checks the pilot's answers, and flags anything that might
    cause problems in issuing a medical certificate.

    "FAA's Aeromedical Certification Division is currently taking up to three
    months to review medical applications," said Gary Crump, AOPA director of
    medical certification. "Some 30 percent of those delays are caused by
    simple errors on the application form."

    TurboMedical(sm) checks for those errors.

    The online form takes pilots step-by-step through the 20 question areas on
    the medical application form. For each question, the form explains exactly
    what FAA is looking for and why it is asking the question. And there are
    links to AOPA's expansive online medical data for more information.

    The form provides advice on the best way to answer each question. For
    example, TurboMedical(sm) tells a pilot that it is usually best to apply for
    the lowest class of medical that you actually need. Under FAA regulations,
    even CFIs need just a Third-Class medical certificate to provide flight
    instruction for compensation, although employers may require a higher class
    of medical.

    TurboMedical(sm) is particularly useful in helping the pilot answer the
    medication, medical history and medical visit questions.

    When a pilot answers the question, "Do you currently use any medications?"
    TurboMedical(sm) checks the answer against AOPA's list of FAA-accepted drugs.
    For example, TurboMedical(sm) will tell a pilot that the popular
    over-the-counter drug Benadryl is acceptable to FAA as long as the pilot
    waits 24 hours after taking it before flying.

    But if the drug isn't on the list, TurboMedical(sm) will flag it and provide
    links to more information. There is even a direct email link to AOPA's
    medical experts so the pilot can ask specific questions.

    If a pilot answers "yes" to one of the medical history questions,
    TurboMedical(sm) will search for key words in the explanation to be able to
    provide more information to the pilot.

    A pilot can skip a question and return to it later. TurboMedical(sm) will
    temporarily store the answers. A pilot can choose how long TurboMedical(sm)
    will store the answers.

    Once a pilot has completed all of the questions, TurboMedical(sm) will review
    the form for completeness and accuracy. The pilot can then print out a copy
    to take to the medical examiner's office. Pilots should also keep a copy in
    their personal records.

    "TurboMedical(sm) is an educational, self-help tool to help pilots prepare to
    complete the medical form in the doctor's office," said Crump. "But for the
    future, we're working on an 'FAA-approved' version of TurboMedical(sm) that
    you can complete online and email to your FAA designated medical examiner
    prior to the examination."

    The 375,000-member Aircraft Owners and Pilots Association is the world's
    largest civil aviation organization. More than one-half of the nation's
    pilots are AOPA members.

    RISKS Comments:

    1. I am no expert, but I question the assertion "All of a pilot's answers
    on the TurboMedical(sm) form remain absolutely confidential. No one but the
    pilot will ever have access to the medical information. Data is stored on a
    secured server and data transmissions are encrypted." We have been told
    *many times* in other contexts that certain medical data is confidential,
    but absent a doctor-patient relationship, I think this is generally a very
    tenuous assertion. I am pretty sure there is no doctor-patient relationship
    created with this form.

    2. "[D]ata *transmissions* are encrypted...." (emphasis added) is not
    synonymous with "the data is encrypted." If the data is stored on a secure
    server without encryption, it is still readable by anyone with access to
    the machine. If the data is encrypted where it is stored, only the person
    (with well-publicized exceptions) with the "keys" can access it. There is a
    world of difference.

    3. The data is stored on a secure server, but I really don't know what that
    means. I think my IRS data is on a "secured server," but how many stories
    do we see where that data has leaked out? Medical data is *far* more
    sensitive to release than financial data, and I am less concerned with
    interception in transit than I am with security breaches from the server
    where the data is.

    4. If data is stored "on a secured server" for a specific period of time,
    what becomes of the routine backups made? Are they periodically destroyed?
    If not, this information is probably obtainable indefinitely.

    5. Are the links to the medications database stored? If I check on a
    medication, is the fact I did so recorded? It probably is on my client, and
    I wonder what "cookies" are employed.

    6. I have not used the system (nor am I likely to), but I wonder what
    "disclaimers" are associated with using it. This kind of information might
    fall under the Fair Credit Reporting Act (which can have a very broad
    reach), and a user might have to authorize far more than what is advertised.

    The RISKS of this system far outweigh its usefulness. We need a machine to
    tell us how to fill out a form? If you have medical issues, you discuss
    them with your *doctor*, and he fills out a form. For a fee, of course, but
    I for one, am willing to pay a reasonable fee for privacy.

    ------------------------------

    Date: Tue, 2 Oct 2001 11:25:10 +1000
    From: Richard Murnane <RichardMAttacheSoftware.com>
    Subject: Ham radios in the aftermath of 11 September 2001

    As others have noted, the terrorist attacks of 11th September caused major
    disruption to land-line and cellular phone communications. What hasn't been
    widely reported is that 570 Amateur (ham) Radio operators from 35 states and
    two Canadian provinces provided auxiliary radio communications to relief
    agencies operating in the affected areas.

    The lesson is that even the most modern communications technology can fail,
    and that there is still value in having an independent communications
    infrastructure, especially when it costs the community little or nothing to
    maintain it.

    Richard Murnane, Australian Amateur Radio station VK2SKY

    ------------------------------

    Date: Thu, 04 Oct 2001 12:34:35 +0200
    From: Gisle Hannemyr <gislehannemyr.no>
    Subject: 11 Sep 2001: Risks of electronic surveillance

    In the aftermath of the September 11 terrorist attacks on the USA, a special
    feature on automatic electronic surveillance (i.e. Echelon, Carnivore, spy
    satellites, and all that) was broadcast by the BBC (ClickOnline, hosted by
    Stephen Cole, Sep. 22).

    The feature included a lengthy interview with Dr. Kevin O'Brian of RAND
    Europe about the failure of US intelligence to gather enough information to
    pre-empt the attacks. Of particular interest to RISKS readers is the
    following quote from Dr. O'Brian:

       "We've seen reports that they may have actually been spoofing or
        misdirecting intelligence services quite knowingly, and that they
        are aware of the fact that they could use the technology against
        the intelligence services by sending out false signals by sending
        out false reports and rumours, by using technology such as mobile
        phone communications or Internet messages to actually misdirect
        the intelligence services' gaze away from their attacks."

    The risks are obvious: The over-reliance on massive computer-based automatic
    systems for scanning and filtering that has characterised much of US
    intelligence gathering in the post-Soviet era can only be effective as long
    as the bad guys are not aware of what you are doing. The simple fact that
    computer systems are rule-based (and AI-systems exceedingly so) permits
    enemy agents to play clever counter-intelligence games, where plotting the
    response to certain stimuli can be used to "map out" in detail how an
    automatic surveillance system will respond to diverse inputs and hence
    "learn" how to misdirect the system on a massive scale.

    A human-based intelligence system, in particular a highly organized one,
    is of course also vulnerable to this type of attack, but the rule-based
    nature of an AI-based system makes the attack easier and more reliable.

    - gisle hannemyr ( gislehannemyr.no - http://hjem.sol.no/gisle/ )

    ------------------------------

    Date: Thu, 20 Sep 2001 11:08:04 +0300
    From: Amos Shapir <amossela.co.il>
    Subject: Re: "The Risks Are Obvious"

    I first learned of the event by connecting to a local news site here, at
    about 4 p.m. local time (which was 9 a.m. EDT). At first try, the site was
    down; when I finally got in and looked at the headline "Two Airliners crash
    on NY's WTC" my first reaction (probably the result of reading too many
    RISKS issues) was "they let their test page leak out as if it were real
    news"...

    It seems that this "this isn't happening" initial reaction was shared by
    many, even some to whom this was actually happening. This had never
    happened before, and even though technically possible, the perceived risk of
    its realization was considered unreal.

    The main risk is, IMHO, of evaluating the relative costs and benefits of
    preparing for an eventuality which, by our common sense, is very improbable;
    while the perpetrators seem to be making their evaluations by a completely
    different set of priorities and morals. How do we apply "crazy logic" to
    risk assessment? When do we apply it, and how crazy can we get before
    making the very notion of assessment senseless?

    Amos Shapir, Sela Software Labs, Ltd. 14 Baruch Hirsch st., Bnei Brak
    51202 ISRAEL Tel: +972 3 6176037

    ------------------------------

    Date: Wed, 3 Oct 2001 14:11:16 -0400
    From: Peter Wayner <pcwflyzone.com>
    Subject: Risks of bogus e-mail addresses "FROM: ObL"

    Sincerely yours, *Not* Osama bin Laden?

    A Filipino in Belgium ended up in jail after *receiving* a joke e-mail
    seemingly from Osama bin Laden (but apparently from one of his friends),
    asking to "stay with you for a couple of days." The man was freed only
    after a Catholic priest vouched for him as a regular attendee each Sunday.
    [http://www.vnunet.com/News/1125822]

      Ah, there's nothing like putting faith in identity, keyword scanning
      surveillance, and data stored in computers.

    ------------------------------

    Date: Mon, 01 Oct 2001 22:25:03 -0400
    From: Steve Bellovin <smbresearch.att.com>
    Subject: Remote control of airliners

    The Associated Press reported on a test of a remotely-piloted 727. The
    utility of such a scheme is clear, in the wake of the recent attacks;
    to the reporter's credit, the article spent most of its space
    discussing whether or not this would actually be an improvement. The
    major focus of the doubters was on security:

            But other experts suggested privately that they would be
            more concerned about terrorists' ability to gain control
            of planes from the ground than to hijack them in the air.

    I'm sure RISKS readers can think of many other concerns, including the
    accuracy of the GPS system the tested scheme used for navigation (the
    vulnerabilities of GPS were discussed recently in RISKS), and the
    reliability of the computer programs that would manage such remote control.

    ------------------------------

    Date: Mon, 1 Oct 2001 23:29:14 -0400
    From: "Leonard X. Finegold" <Ldrexel.edu>
    Subject: Re: Oxygen tank kills MRI exam subject (RISKS-21.67)

      [Leonard X. Finegold, Physics, Drexel University (3141 Chestnut Street)
      Philadelphia PA 19104 U.S.A. (215) 895-2740 (allow 5 rings)]

    Volume 345:1000-1001, 27 Sep 2001, Number 13
    Preventable Deaths and Injuries during Magnetic Resonance Imaging

    To the Editor: In July, a six-year-old child undergoing magnetic resonance
    imaging (MRI) in New York suffered a skull fracture and intracranial
    hemorrhage after an oxygen tank that had been brought into the room was
    pulled into the machine at high speed. He died two days later [1].
    Undetected or misplaced metal objects have caused numerous injuries during
    MRI. Twenty-four of 46 MRI facilities responding to a survey in 1999 (52
    percent) reported the occurrence of MRI-related accidents [2]. Large
    objects involved in such incidents included an intravenous-drug pole, a
    toolbox, a sandbag containing metal filings, a vacuum cleaner, mop buckets,
    a defibrillator, and a wheelchair, among others. Five incidents involving
    oxygen or nitrous oxide tanks, one of which caused facial fractures, have
    recently been reported [3].

    To prevent such incidents, most imaging facilities currently provide safety
    training to employees and administer patients a standardized questionnaire
    about implants and other embedded foreign bodies before an MRI examination
    is performed. Although these efforts prevent many injuries, they are
    inherently limited. System-wide strategies to decrease the incidence of
    serious errors are important [4]. Safety interventions that work continuously
    and automatically are generally far more effective than efforts to train
    large numbers of employees or to enlist the assistance of large numbers of
    patients.

    The use of metal detectors over the doors of MRI examination rooms could
    have prevented every one of the large metal objects listed above from being
    brought into the MRI rooms and would have prevented the recent death in New
    York. Highly sensitive walk-through metal detectors, such as those used in
    airports, are available commercially for about $2,000 to $5,500 and require
    minimal maintenance. By comparison, a typical MRI unit costs approximately
    $1.3 million annually to operate and generates net revenues of $1.8 million
    during use in more than 3000 patients, resulting in an annual net profit of
    approximately $500,000 [5]. The cost of installing a metal detector could
    thus easily be paid for with operating revenues. Factoring in liability
    savings would further decrease real costs.

    Metal detectors should not replace the screening protocols currently in use,
    since the detectors may be insufficiently sensitive to detect small
    implanted metal objects, such as aneurysm clips or cardiac pacemakers. Their
    installation would, however, be an inexpensive, simple, and potentially
    life-saving addition to current practice.

    Christopher Landrigan, M.D., M.P.H.
    Children's Hospital, Boston, MA 02115
    landrigan_chub.tch.harvard.edu

    1. Chen DW. Boy, 6, dies of skull injury during M.R.I. The New York
       Times. July 31, 2001:B1, B5.

    2. Chaljub G, vanSonnenberg E, Johnson RF Jr. Accidents and
       incidents in MRI: a questionnaire. AJR Am J Roentgenol
       1999;172:Suppl:14-14. [Abstract]

    3. Chaljub G, Kramer LA, Johnson RF III, Johnson RF Jr, Singh H, Crow
       WN. Projectile cylinder accidents resulting from the presence of
       ferromagnetic nitrous oxide or oxygen tanks in the MR suite. AJR Am J
       Roentgenol 2001;177:27-30. [Abstract/Full Text]

    4. Kaushal R, Bates DW, Landrigan C, et al. Medication errors and adverse
       drug events in pediatric in-patients. JAMA 2001;285:2114-2120. [Medline]

    5. Evens RG, Evens RG Jr. Analysis of economics and use of MR imaging units
       in the United States in 1990. AJR Am J Roentgenol, 1991;157:603-607.
       [Abstract]

    ------------------------------

    Date: Fri, 21 Sep 2001 09:58:22 +0100
    From: Alistair McDonald <alistairbacchusconsultancy.com>
    Subject: MS Front Page 2002 Licence Agreement

    Slashdot http://slashdot.org/article.pl?sid=01/09/20/1443226 reports that
    the latest MS Front Page licence agreement prevents you from creating any
    anti-Microsoft Web content with it:

      "You may not use the Software in connection with any site that disparages
      Microsoft, MSN, MSNBC, Expedia, or their products or services ..."

    I always click through licences these days, so I wouldn't have read it (not
    that I'd install Front Page anyway), but what is the world coming to! Is
    this legal in _your_ country?

    Alistair McDonald Bacchus Consultancy www.bacchusconsultancy.com

      [UCITA (RISKS-21.27,45,41) seems to make this legal in those states in
      which UCITA has passed (at least Virginia and Maryland). Incidentally,
      The Risks Forum tries to be an equal-disparager forum, but it is worth
      noting for the record that each issue is prepared using Gnu-emacs on
      Linux. PGN]

    ------------------------------

    Date: Tue, 02 Oct 2001 00:15:41 -0400
    From: "Gene Berkowitz" <genebma.ultranet.com>
    Subject: Re: Creator of Kournikova virus gets 150 hours ... (RISKS-21.67)

      "... The American investigation service FBI reported an amount of $166.827
      in damages." [Translation from Dutch]

    Needless to say, I don't think the FBI calculated the damages to the nearest
    tenth of a cent. As is European custom, the period (.) is used as a thousands
    separator, while the comma (,) is used as the decimal point.
    So, is one hundred and sixty-six thousand dollars ($166,827) limited damage?

    If so, Mr. De W.'s time is apparently worth over one thousand dollars per
    hour...

    --Gene Berkowitz

    ------------------------------

    Date: Tue, 2 Oct 2001 11:56:13 -0700
    From: Mark Hull-Richter <Mark.Hull-Richterquest.com>
    Subject: Re: Hacker re-writes Yahoo! (Stock, RISKS-21.67)

    Respected news outlets? Respected by whom? And since when does Yahoo! rate?

    RISK: Assuming that there is such a thing as a "respected news outlet" and
    that the "news" presented has some resemblance to news (i.e., unbiased
    information) instead of the usual propaganda.

    P.S.: Remember, the "liberal press" myth is dead and buried.

    Mark Hull-Richter, Senior Programmer, Quest Software

    ------------------------------

    Date: Fri, 14 Sep 2001 16:05:21 -0400
    From: "Franklin, Wm Randolph" <wfranklinsf.gov>
    Subject: Trusted Computing, and Embedded and Hybrid Systems - new NSF programs

    The Computer-Communications Research Division (C-CR) of the Computer and
    Information Sciences and Engineering Directorate (CISE) of the US National
    Science Foundation (NSF) is pleased to announce two new programs whose goal
    is reducing the number of submissions to this valuable newsgroup,
    comp.risks. For each, the due date is 5 Dec 2001, and $4M-$6M may be
    available to support 20-25 awards, subject to the usual caveats.

    ** Trusted Computing (TC), NSF 01-160,
    http://www.nsf.gov/cgi-bin/getpub?nsf01160

    TC seeks to establish a sound scientific foundation and technological basis
    for managing privacy and security in a world linked through computing and
    communication technology. This research is necessary to build the secure and
    reliable systems required for today's and tomorrow's highly interconnected,
    information technology enabled society. The program funds innovative
    research in all aspects of secure, reliable information systems, including
    methods for assessing the trustworthiness of systems.

    ** Embedded and Hybrid Systems (EHS), NSF-01-161,
    http://www.nsf.gov/pubs/2001/nsf01161/nsf01161.html

    Past research in embedded systems has focused primarily on
    resource-impoverished computational environments: algorithms and software
    that must execute on memory-, processing-, and power-constrained
    processors. The computational design was simple and synchronous to maximize
    effective operating rates, and a great deal of design effort went into
    optimizing performance under these conditions. As processing speed and data
    capacity have increased and demands for automation have expanded, the nature
    of the problem has changed. Now, hard and soft real-time processes must
    interact, and they may be required to share the same resources. Applications
    such as distributed control demand communication, which introduces
    variability in operation. A scientific foundation currently is lacking for
    systematic development and integration of physical and computational
    components in embedded systems. This lack is particularly severe for
    increasingly complex, distributed embedded systems. Empirical reports show
    that relying on brute-force testing for verification and validation of
    software for modern embedded systems can push certification costs to at
    least half the total cost of the software. Scientific principles and
    supporting technology are needed to assure that requirements are met during
    development of software-based systems, in order to reduce the cost of
    evaluating dependability and certifying that a system is fit for
    operation. NSF investment is critical to sustain, adapt, and expand the
    National research and development capacity in embedded systems.

    I am your humble scribe for the programs' officers, who are:

    * Dr. Helen Gill, Program Director, CISE, C-CR, 1145,
      1-703-202-8910, hgillnsf.gov

    * Ms. Carmen Whitson, Associate Program Director, CISE, C-CR, 1145,
      1-703-292-8910, cwhitsonnsf.gov

    Please contact them for more info.

    Wm Randolph Franklin, Program Director
    Numeric, Symbolic, and Geometric Computation, CISE/C-CR. Room 1145
    National Science Foundation, 4201 Wilson Blvd, Arlington VA 22230
      1-703-292-8912, fax: 703-292-9059 email: WFRANKLINSF.GOV

    Relevant due dates, FY02: Regular NSG: Nov 5.
    Large ITR preproposals: Nov 9, Medium ITR: Nov 13, Small ITR: Feb 7.

    ------------------------------

    Date: Sun, 30 Sep 2001 22:20:49 -0400
    From: Jay Kahn <jkahnmitre.org>
    Subject: Computer Security Applications Conference + Advance Program

    17th ACSAC, 10-14 Dec 2001, New Orleans, Louisiana, USA.

    The 17th ACSAC Committee is pleased to announce the availability of the
    Advance Program for the 17th Annual Computer Security Applications
    Conference (ACSAC) on our web site at http://www.acsac.org. The Advance
    Program is available in HTML for web viewing and also in PDF format for
    downloading and printing. If you need a hard copy of the Advance Program,
    please send your name and mailing address to Publicity_Chairacsac.org, and
    we'll mail you a copy.

    ------------------------------

    Date: 12 Feb 2001 (LAST-MODIFIED)
    From: RISKS-requestcsl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

     The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
     if possible and convenient for you. Alternatively, via majordomo,
     send e-mail requests to <risks-requestcsl.sri.com> with one-line body
       subscribe [OR unsubscribe]
     which requires your ANSWERing confirmation to majordomoCSL.sri.com .
     [If E-mail address differs from FROM: subscribe "other-address <xy>" ;
     this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
     Lower-case only in address may get around a confirmation match glitch.
       INFO [for unabridged version of RISKS information]
     There seems to be an occasional glitch in the confirmation process, in which
     case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
       .MIL users should contact <risks-requestpica.army.mil> (Dennis Rears).
       .UK users should contact <Lindsay.Marshallnewcastle.ac.uk>.
    => The INFO file (submissions, default disclaimers, archive sites,
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues. *** All
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risksCSL.sri.com with meaningful SUBJECT: line.
    => ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
       [volume-summary issues are in risks-*.00]
       [back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
     http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
       Lindsay Marshall has also added to the Newcastle catless site a
       palmtop version of the most recent RISKS issue and a WAP version that
       works for many but not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing,
        http://www.csl.sri.com/illustrative.pdf or .ps for printing

    ------------------------------

    End of RISKS-FORUM Digest 21.68
    ************************