From: RISKS List Owner (riskocsl.sri.com)
Date: Fri Dec 07 2001 - 16:21:00 CST

    RISKS-LIST: Risks-Forum Digest Friday 7 December 2001 Volume 21 : Issue 81

       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/21.81.html>
    and by anonymous ftp at ftp.sri.com, cd risks .

      Contents:
    Trader's error causes multi million-dollar loss (George C. Kaplan)
    Security hole at WorldCom left internal computer networks at risk (PGN)
    Judge ordered hack of Interior Department trust fund system (James H. Paul)
    NatWest bank turns debits into credits (Bob Buxton)
    Cops get speeding tickets from cameras (Monty Solomon)
    Gwinnett County GA keeps prison inmates list online (Nick Brown)
    "Late-night" Internet-porno-ban (Debora Weber-Wulff)
    Optimizations at kiosks can be costly (Seth Arnold)
    Grocery self-checkout risks (Scott Nicol)
    Swedish police reportedly doctor video evidence, admit it
      (Jerry via Declan McCullagh, Ulf Lindqvist)
    E-voting and international law (Lucas B. Kruijswijk)
    Re: "Light turnout" for election (Andrew Fleisher)
    Re: Connecticut AG website wants Microsoft ... (Roland Roberts, Nathan Sidwell)
    Re: PLEASE REMOVE me from the CAL database (RootsWeb HelpDesk)
    Re: REVIEW: "Hackers Beware", Eric Cole (Mark Brader)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Tue, 04 Dec 2001 08:19:18 -0800
    From: "George C. Kaplan" <gckaplanack.berkeley.edu>
    Subject: Trader's error causes multi million-dollar loss

    An article in the *Wall Street Journal* on 3 Dec 2001 describes how a simple
    data-entry error could end up costing UBS Warburg up to $100 million:

      Dentsu Inc., one of the world's biggest advertising companies, was making
      its trading debut Friday on the Tokyo Stock Exchange after completing one
      of the year's biggest initial public offerings -- a deal arranged by UBS
      Warburg, a unit of Switzerland's UBS AG, ...

      Before the Tokyo market opened Friday, a UBS Warburg trader entered what
      was intended to be an order to sell 16 Dentsu shares at 610,000 yen
      ($4,924.53) each or above. Instead, the trader keyed in an order to sell
      610,000 Dentsu shares at 16 yen apiece ...

    The order was canceled by 9:02 AM, but not before 64,915 shares, almost half
    of the 135,000 shares in the IPO, had been sold. The price of Dentsu
    shares, which had been bid up to 600,00 yen before the market opened, fell
    to 405,000 yen. Now, UBS Warburg is obligated to deliver the shares it
    sold, and will have to buy them on the open market.

    The article doesn't say anything about sanity checks in UBS's trading
    software. These have their own risks, of course, but you'd think that an
    error of 4 orders of magnitude in the selling price would at least merit an
    "Are you sure?" before the order went through.

    Once again, we see how computers let people make really big mistakes quickly.

    George C. Kaplan. Communication & Network Services, University of California
      at Berkeley 1-510-643-0496 gckaplanack.berkeley.edu

    ------------------------------

    Date: Thu, 6 Dec 2001 10:16:14 PST
    From: "Peter G. Neumann" <neumanncsl.sri.com>
    Subject: Security hole at WorldCom left internal computer networks at risk

    A security hole at WorldCom Inc. left internal networks at several of the
    nation's top companies (e.g., AOL Time Warner, Bank of America, CitiCorp,
    News Corp., JP Morgan, McDonald's Corp., Sun Microsystems) open to hackers.
    Adrian Lamo, a consultant in San Francisco, worked with WorldCom to fix the
    months-old problem over the weekend. There is no evidence that the security
    hole had been exploited, although it was possible to reconfigure or shut
    down corporate networks. Lamo: ``These networks were never designed to be
    connected to the Internet. They were private circuits running between
    locations.'' [Source: eponymous AP item, 05 Dec 2001, PGN-ed]
      http://www.siliconvalley.com/docs/news/tech/080991.htm

    ------------------------------

    Date: Wed, 05 Dec 2001 15:17:56 -0500
    From: "James H. Paul" <jpaulCapaccess.org>
    Subject: Judge ordered hack of Interior Department trust fund system

    In an extraordinary step approved by a federal judge, a computer expert
    hacked his way into a government-run, Denver-based financial system last
    summer, created a false account and later altered yet another account. All
    this happened without the hacker being detected. Those steps, endorsed by
    U.S. District Judge Royce C. Lamberth in advance, were revealed Tuesday as
    part of a court case involving the Interior Department's handling of more
    than 300,000 trust accounts it is supposed to manage for American Indians.
    A court-appointed master said the ease with which the government's computer
    system could be penetrated was "deplorable and inexcusable." In a report
    ordered released by Lamberth, the special master, Alan Balaran, called on
    the judge to seize control of the system. [Source: Court-appointed hacker
    altered Indian accounts, by Bill McAllister <bmcallisterdenverpost.com>,
    *Denver Post* Washington Bureau Chief, 5 Dec 2001
      (http://www.denverpost.com/Stories/0,1002,53%257E254976,00.html); PGN-ed]

      [The DoI Web site is now OFF THE NET. PGN]

    ------------------------------

    Date: Mon, 03 Dec 2001 11:35:36 +0000
    From: Bob Buxton <bob_buxtonuk.ibm.com>
    Subject: NatWest bank turns debits into credits

    NatWest Bank (UK) online banking service offers the ability to download bank
    statement information into Quicken and Microsoft Money on your PC and until
    recently this worked correctly.

    Previously you could choose to download all of your transactions from
    multiple accounts in a single download, now you have to download each
    account separately which takes much longer - especially since when using
    Netscape it forces you to go through the long-winded logon procedure each
    time.

    But the real problem is that the information that you download into Quicken
    or Microsoft Money in the .OFX file format is plain wrong. It shows
    standing orders out of my account as credits into the account!

    This of course results in the account balance appearing to be much higher
    than it should be and as a result I went overdrawn before I realized what
    was going on.

    The NatWest help desk acknowledge that this is a known problem but don't
    know when the problem will be fixed and have done nothing to warn customers
    or disable the function from the web site.

    ------------------------------
     
    Date: Sat, 1 Dec 2001 16:10:41 -0500
    From: Monty Solomon <montyroscom.com>
    Subject: Cops get speeding tickets from cameras

    Cops get speeding tickets from cameras
    By Brian DeBose, *The Washington Times*, 1 Dec 2001

    Some D.C. police officers say they are slowing their response to emergencies
    because photo-radar cameras are ticketing them for speeding on Code One
    calls, and they are being forced to pay the fines.

    At least three D.C. police officers told The Washington Times they were
    caught by the cameras and ticketed while on official police business. They
    said they and other officers have been forced to pay the fines, and are now
    on edge about speeding to a crime scene and running red lights in
    emergencies. Like area motorists, they have little chance of getting a
    reprieve from the D.C. Bureau of Traffic Adjudication without evidence to
    present in their defense. ...

    Some officers have paid so many tickets that they are no longer speeding or
    running red lights to get to their dispatched calls even in emergency
    situations, Sgt. Neill said. ...

    http://www.washtimes.com/metro/20011129-13345237.htm

    ------------------------------

    Date: Thu, 6 Dec 2001 13:48:45 +0100
    From: Nick Brown <Nick.BROWNcoe.int>
    Subject: Gwinnett County GA keeps prison inmates list online

    As reported at the excellent www.cruel.com:

    Wondering what happened to that acquaintance from Gwinnett County, Georgia,
    from whom you haven't heard in a while? Try
      http://www.gwinnettcountysheriff.com/Docket%20Book.htm.

    The RISKs are many and varied, but to get you started, click on the link to
    see the list of charges against any inmate, at the end of which you find:

      "If you have reason to believe this information is inaccurate, you may
      submit a request for review to:

      Gwinnett County Sheriff's Department
      Records Section
      2900 University Parkway
      Lawrenceville, Georgia 20043"

    No indication is given of how long it takes between one's (postal)
    application to have incorrect details removed, and the update to the Web
    site, but presumably the interval can be reduced if your lawyer can spell
    "defamation".

    ------------------------------

    Date: Wed, 05 Dec 2001 15:02:30 +0100
    From: Debora Weber-Wulff <weberwufhtw-berlin.de>
    Subject: "Late-night" Internet-porno-ban

    German officials are apparently attempting to prove that the PISA results
    (Germany is pretty much at the bottom of the pack in regards to education
    world-wide) are true and anyone, no matter how ignorant, can be a politician
    in Germany:

    The German Federal Government and the State governments have agreed to new
    measures for protecting youth from pornography on the Internet: according to
    the "Financial Times Deutschland" (http://www.ftd.de/pw/de/FTDPRAR3MUC.html)
    all such content is banned from 11 p.m. until 6 a.m.

    No, this is not April Fools' Day. Really. The German government seems to
    think that when it is 11 p.m. in Germany, it is 11 p.m. everywhere else. And
    that all those XXX folks on the Internet will happily turn off the sleaze
    during the German day when the kiddies are awake.

    This has of course caused an uproar amongst those in the know.
    Spiegel-on-line wrote an open letter to the guy in charge of publishing this
    nonsense, Frank-Walter Steinmeier
      http://www.spiegel.de/netzwelt/politik/0,1518,170361,00.html
        [The sarcastic wit in the letter may not make it through Babelfish
        intact, but it is quite funny]

    What a sorry state of affairs. The risks posed by ignorant politicians may
    yet be far more dangerous than the odd virus and software mistake.....

    Prof. Dr. Debora Weber-Wulff, FHTW Berlin, Treskowallee 8, 10313 Berlin
    +49-30-5019-2320 http://www.f4.fhtw-berlin.de/people/weberwu/

    ------------------------------

    Date: Tue, 27 Nov 2001 18:28:30 -0800
    From: Seth Arnold <sarnoldmarcelothewonderpenguin.com>
    Subject: Optimizations at kiosks can be costly

    Like Richard Akerman and Geoffrey Brent, an automated vending machine's
    failure mode caught me by surprise. However, what I interpreted as a failure
    mode may just be an optimization:

    When purchasing a bus pass from an automated credit-card kiosk, I was
    informed "Authorization Denied" after selecting the pass I wanted, so I took
    my card and walked away. A kind soul ran up to me, handing me my receipt. An
    unkind soul didn't bother to hand me my bus pass.

    As far as I can figure, the Authorization Denied screen was probably the
    last screen displayed on an off-screen buffer -- upon switching the display
    to the previously off-screen buffer, the machine did not clear the old
    screen. I imagine had I waited two more seconds, the machine would have
    informed me of the successful transaction.

    While I can think of several technological solutions to this problem, I
    decided to do something more pragmatic: purchase my bus tickets from the
    human-operated vending station a few blocks away.

    (And yes, several phone calls and two days later, my money was refunded to
    my card.)

    ------------------------------

    Date: Thu, 06 Dec 2001 00:37:22 -0500
    From: Scott Nicol <sbnicolmindspring.com>
    Subject: Grocery self-checkout risks

    This past summer, two major grocery store chains in my city installed
    self-checkout lines. They are arranged in groups of four, with one cashier
    station supervising the group.

    Credit-card purchases can be signed for at the self-check line (electronic
    pad), but sometimes the line's register will prompt you to go to the
    cashier's station to finish your transaction. In other words, credit-card
    transactions for 4 different stations are handled at one register.

    On my August credit-card statement, I noticed two charges on the same day in
    the same store. To make a long story short, the charge was finally reversed
    today. The "extra" charge was for the checkout line adjacent to the one I
    used, and was completed before my checkout was complete (it showed up
    first). The head cashier volunteered today that she had dealt with one
    other customer who had the same thing happen.

    The only strange thing about the checkout was that, at the end of the
    transaction, I was prompted to swipe my card twice, then prompted to go to
    the cashier station to sign the receipt. Swiping a card twice isn't unusual
    - credit cards and credit-card readers aren't perfect. Having 4 different
    card readers connect to one cash register is. I assume, in this case, the
    system assigned the first swipe to the order from the adjacent line, and the
    second swipe to my order.

    Scott Nicol <sbnicolmindspring.com>

    ------------------------------

    Date: Sat, 01 Dec 2001 19:07:13 -0500
    From: Declan McCullagh <declanwell.com>
    Subject: Swedish police reportedly doctor video evidence, admit it

    Date: Sun, 2 Dec 2001 01:19:37 +0100
    From: jerryxs4all.nl
    To: <declanwell.com>
    Subject: Swedish police files complaint against themselves

    interesting article re Video Evidence in Belgian newspaper;
    http://www.standaard.be/nieuws/buitenland/index.asp?doctype=detail.asp
    &ArticleID=DST01122001_034 (in Dutch)

    re. http://www.svt.se/granskning/reportage.asp?S=744&A=744
    (Swedish)

    quick translation;

    Swedish police filed a complaint against themselves after a Swedish TV show
    revealed that police used manipulated video footage as evidence.

    The TV show Uppdrag Granskning [http://www.svt.se/granskning/] compared its
    own footage with the evidence used by the attorney general.

    The comparison shows that images were swapped, sound was edited, and police
    brutality cut out. Scenes where 19-year-old Hannes Westberg gets shot in the
    belly have been tampered with.

    PS. The complaint is about copyrights and abuse of power. Jerry

    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/

    ------------------------------

    Date: Sun, 2 Dec 2001 21:38:01 -0800 (PST)
    From: Ulf Lindqvist <ulfsdl.sri.com>
    Subject: Swedish police reportedly doctor video evidence, admit it

    This is in agreement with what I have read in Swedish media. What is
    missing here is that the prosecutor's office has repeatedly tried to obtain
    raw film footage from TV stations, presumably to compare with the police
    videos, but they refused and the Supreme Court agreed with the media. Out of
    context, it sounds pretty nasty that a teenager was shot by police, but it
    is apparently proven that he was hurling 4x4x4 inch solid cubic pavement
    stones at an officer who was already badly wounded from previous stones,
    bleeding and semiconscious. The police, relatively inexperienced with riots,
    were armed with nightsticks and pistols only, nothing "in between" such as
    water cannons, teargas/pepper spray or rubber bullets.

    ------------------------------

    Date: Mon, 3 Dec 2001 00:18:25 +0100
    From: "Lucas B. Kruijswijk" <L.B.Kruijswijkinter.NL.net>
    Subject: E-voting and international law

    Many articles were posted about the risks of computers with elections. I
    wondered to what extent the national Constitutions and International Law
    protect the election process and reduce the risks. After some research I
    made the conclusion that some kinds of voting are indeed violating
    International Law. This means that there is a risk that a judge may forbid
    some kind of voting methods, making the investment worthless. I also asked
    my government (the Dutch government) to react on the issues which led to
    remarkable responses.

    The Dutch government is investigating the possibilities of two new ways of
    voting. Voting at home with the use of the Internet and voting with a
    "voting pillar". The voting pillars can be placed in public areas. There are
    no officials nearby and the pillar is controlled remotely. The voter has to
    identify itself with an electronic card with biometric information (iris
    recognition).

    Both ways of voting can not ensure that the voter is alone when he/she casts
    his/her vote. There are no technical solutions known that prevent couples
    from voting together at home. It might be possible to ensure this for a
    voting pillar, but with the different body sizes this is certainly not
    trivial. These limitations conflict with International Law.

    First of all, there is article 21.3 of the Universal Declaration of Human
    Rights:

      "The will of the people shall be the basis of the authority of government;
      this shall be expressed in periodic and genuine elections which shall be
      by universal and equal suffrage and shall be held by secret vote or by
      equivalent free voting procedures."

    But more precise and more important is article 25.b of the International
    Covenant on Civil and Political Rights:

      "To vote and to be elected at genuine periodic elections which shall be by
      universal and equal suffrage and shall be held by secret ballot,
      guaranteeing the free expression of the will of the electors."

    When I read this article I conclude that the primary concern is the "free
    expression of the will". However, the only legal way to achieve this is by
    "secret ballot". So, if a government chooses a voting method where there is
    no indication that the free expression of will is compromised but where the
    vote is not secret, then this method is still not allowed to be used
    (obviously the reason for this is that it is very hard to determine whether a
    will is free or not).

    The interpretation of "secret ballot" is now very important. Note that the word
    'ballot' refers to "voting balls" and not to the vote itself. There is a
    risk in translating this into another language, because a literal
    translation of 'ballot' might not exist. In such case a translation from
    "secret paper" is maybe better than a translation from "secret
    vote". According to the New Shorter Oxford Dictionary, the words "secret
    ballot" means "in which votes are cast in secret". So, the circumstances in
    which the vote is cast are important. If someone tells his/her vote
    afterwards, it is still a secret ballot (because the vote was *cast* in
    secret), but if two persons vote together with their personal computer, then
    it is not a secret ballot.

    This does not necessarily imply that voting at home or with voting pillars
    are violating the Covenant. First of all if the voter is in such a situation
    that there is no realistic possibility to ensure that he/she casts his/her
    vote in secret (for instance when he/she is abroad), then of course the
    right to vote is more important than the secrecy of the vote. Second, the
    article in the Covenant does not specify the responsibilities of the
    States. You may argue that the secrecy of the vote is also the
    responsibility of the voter to some extent.

    The Human Rights Committee made comments on this article. The Committee is
    allowed to make such comments under article 40 of the same Covenant. If a
    State did also sign the first optional protocols, then individuals (and they
    are admissible in this case) can ask the Committee for a judgment when
    domestic remedies are exhausted. So, the Committee is the highest court.

    On paragraph 20 of the comments, the Committee says:

      "States should take measures to guarantee the requirement of the secrecy
      of the vote during elections including absentee voting, where such a
      system exists."

    The States are not fully responsible for the secrecy, but they are obliged
    to make effort to ensure the secrecy.

    In my opinion the "voting pillars" violate the Covenant. The government can
    give the same service to the voter and ensure the secrecy. It just adds a
    supervising official to the voting pillar. So, the government is not
    fulfilling its obligation of making this effort.

    Voting at home via the Internet, is allowed for those people that live in
    remote areas or abroad. However, a judge might forbid it for people that
    live in urban areas where polling stations are not a practical problem. A
    judge is probably more willing to listen when it is realized that voting
    via the Internet will finally lead to the elimination of polling
    stations. In the Netherlands the introduction of voting machines led to a
    10% reduction of polling stations, because of the expensive voting machines
    and budget policies of the local governments (according to documents of the
    national government). When voting at home is possible, then less people will
    go to the polling stations, which result that polling stations are closed,
    which will result that more people will vote at home etc.

    I have requested 'Het Ministerie van Binnenlandse Zaken en
    Koninkrijksrelaties' (the Ministry of the Interior or Home Department), to
    react on the matter of the Constitution and International Law in relation
    with the new ways of voting. The Ministry responded that the responsibility
    of the State for the secrecy of the vote is "facilitating". So, according to
    this principle the State is not responsible in any way to ensure that the
    votes are cast in secret; it should only guarantee that the voters have the
    possibility to vote in secret. I think the Ministry is in error on this
    point. First of all, if that would be the case, then the Covenant should say
    something like "one has the right to vote in secret", but those are not the
    words of the Covenant. Second, it would mean that it is allowed to give the
    voter the option to make his/her vote with his/her name public on the
    Internet (the voter has still the possibility to vote in secret). I think
    one does not consider this as a proper way of voting.

    In a new letter I explicitly asked the Ministry to react on the text of the
    Human Rights Committee. I also pointed out the inaccuracy of the Dutch
    translation on the words "secret ballot". Since I wrote this letter
    recently, I did not have a response yet.

    Despite the fact that serious questions can be raised about the
    compatibility of the new voting methods with national Constitutions and
    International Law, the Ministry does not mention these in the official
    documents at all.

    I hope they do a better job with security.

    Lucas B. Kruijswijk <L.B.Kruijswijkinter.nl.net>

    ------------------------------

    Date: Mon, 03 Dec 2001 14:09:35 +1000
    From: Andrew Fleisher <andrew8start.com.au>
    Subject: Re: "Light turnout" for election (Rhodes, RISKS-21.80)

    [With respect to] power/phone outages and online voting, what about the case
    where there is localised damage to power or phone systems preventing people
    from using online voting systems in significant elections which are close?
    It makes the recent Florida debacle during the Presidential election seem
    simple.

    ------------------------------

    Date: 03 Dec 2001 12:28:57 -0500
    From: Roland Roberts <rolandastrofoto.org>
    Subject: Re: Connecticut AG website wants Microsoft ... (Ravin, RISKS-21.80)

    I took a look at this with both Netscape 4.77 and Mozilla 0.95 (both on
    Linux) and it displayed fine. The only "functionality" provided by
    Javascript appears to be a pop-up that tells me the site is best viewed at
    800x600 or 1024x768.

    I think the real issue here is general stupidity: turning a "nice" feature
    (the pop-up about resolution) into an absolute requirement.

    Roland B. Roberts, PhD, RL Enterprises, 76-15 113th Street, Apt 3B
    Forest Hills, NY 11375 rolandrlenter.com rolandastrofoto.org

    ------------------------------

    Date: Mon, 03 Dec 2001 11:13:35 +0000
    From: Nathan Sidwell <nathanacm.org>
    Subject: Re: Connecticut AG website wants Microsoft ... (Ravin, RISKS-21.80)

    I've noticed more and more of this kind of brokenness over the last 12
    months. (This is with Netscape on Solaris or Linux.)

    1) An Internet bank (which no longer has my custom), broke the 'print'
    capability of all but IE. And then failed to understand that (a) the Web !=
    Microsoft, and (b) a standalone machine would not be connected to the web.

    2) A credit-card company had the same problem. It used to work, but back in
    May it broke. I reported the problem and nothing has happened since then.

    3) Many Flash sites claim I have not got flash enabled. One of these has
    enough smarts to say something like 'You don't appear to have Flash, go
    <here> to get it or go <here> to continue, if you know our check bombed out'

    Dr Nathan Sidwell :: Computer Science Department :: Bristol University
    nathanacm.org http://www.cs.bris.ac.uk/~nathan/ nathancs.bris.ac.uk

    ------------------------------

    Date: Sat, 1 Dec 2001 13:35:12 -0700
    From: RootsWeb HelpDesk <helpdesk-postrootsweb.com>
    Subject: Re: PLEASE REMOVE me from the CAL database (RootsWeb, RISKS-21.80)

      [This was the reply many of us received in response to requests to be
      removed from the RootsWeb database noted in RISKS-21.80. Apparently quite
      a few RISKS readers made such requests! PGN]

    A response to your Help Desk message, "PLEASE REMOVE me from the CAL
    database," of Saturday, 1 December 2001, at 12:52 p.m. follows [...]:

      As some states have passed laws to make their records publicly available,
      many of these records have been made searchable on RootsWeb.com for
      genealogical purposes. This data is a great asset to many individuals
      doing family history research.

      In addition to our goal to provide outstanding genealogical resources to
      our users, MyFamily.com is very committed to the privacy of those using
      our services, whether on MyFamily.com, Ancestry.com or RootsWeb.com. For
      this reason we have removed the CA and TX birth records from our site.

    ------------------------------

    Date: Sat, 1 Dec 2001 20:57:46 +0000 (UTC)
    From: msbvex.net (Mark Brader)
    Subject: Re: REVIEW: "Hackers Beware", Eric Cole (Slade, Risks-21.80)

    > %T "Hackers Beware: Defending Your Network from the Wiley Hacker"
    > ... within [the first] six sentences, misspells the word "brakes."

    It would be still more impressive if the title was misspelled [Wiley] as
    shown above. Or was that one the reviewer's error, perhaps induced by
    familiarity with books published by Wiley?

    Mark Brader, Toronto, msbvex.net

      [Note: It is actually wrong [Wiley, and not too wily!] on the cover page
      as shown on the Wiley Web site:
        http://images.amazon.com/images/P/0735710090.01.LZZZZZZZ.jpg
      The Wiley Coyote Editor must have been working overtime. PGN]

    ------------------------------

    Date: 12 Feb 2001 (LAST-MODIFIED)
    From: RISKS-requestcsl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

     The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
     if possible and convenient for you. Alternatively, via majordomo,
     send e-mail requests to <risks-requestcsl.sri.com> with one-line body
       subscribe [OR unsubscribe]
     which requires your ANSWERing confirmation to majordomoCSL.sri.com .
     [If E-mail address differs from FROM: subscribe "other-address <xy>" ;
     this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
     Lower-case only in address may get around a confirmation match glitch.
       INFO [for unabridged version of RISKS information]
     There seems to be an occasional glitch in the confirmation process, in which
     case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
       .MIL users should contact <risks-requestpica.army.mil> (Dennis Rears).
       .UK users should contact <Lindsay.Marshallnewcastle.ac.uk>.
    => The INFO file (submissions, default disclaimers, archive sites,
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues. *** All
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risksCSL.sri.com with meaningful SUBJECT: line.
    => ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
       [volume-summary issues are in risks-*.00]
       [back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
     http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
       Lindsay Marshall has also added to the Newcastle catless site a
       palmtop version of the most recent RISKS issue and a WAP version that
       works for many but not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing,
        http://www.csl.sri.com/illustrative.pdf or .ps for printing

    ------------------------------

    End of RISKS-FORUM Digest 21.81
    ************************