From: RISKS List Owner (riskocsl.sri.com)
Date: Sun Mar 31 2002 - 22:38:40 CST


    RISKS-LIST: Risks-Forum Digest Monday 1 April 2002 Volume 22 : Issue 01

       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/22.01.html>
    and by anonymous ftp at ftp.sri.com, cd risks .

      Contents: [This issue includes two old items, primarily for the archives.]
    ATF Takes Responsibility for Federal Software Policy Enforcement
      (ATFS Director)
    REVIEW: "Hacking for Dummies", Bill Murray III/Gene Spafford (Rob Slade)
    Computers to Cars (unknown source via PGN)
    Surprise Settlement Evenly Splits Microsoft (unknown source via Gene Spafford)
    Big security leak in Internet s*xshop (Paul van Keep)
    Web site leaks customers' addresses, offers extra discounts (Ron Gut)
    Hackers find new way to bilk eBay users (Monty Solomon)
    BT is publishing confidential ex-directory telephone numbers (Clive Jones)
    Risks of using anti-spam blacklists (Eric Murray)
    The smart highway (Raphael Lewis via Monty Solomon)
    E-mail subscriptions, windows 2000 patches and photocopiers (Alistair McDonald)
    Re: Out with pilots, in with pibots (Robert Woodhead)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 1 Apr 2002 00:30:00 ET
    From: DirectorATFS.gov
    Subject: ATF Takes Responsibility for Federal Software Policy Enforcement

    WASHINGTON (Reuters) - The Department of the Treasury announced today that
    responsibility for enforcement of new federal regulations of the software
    industry will fall under the jurisdiction of the Bureau of Alcohol, Tobacco
    and Firearms (ATF). As the regulations come into effect, the bureau will be
    renamed to be the Bureau of Alcohol, Tobacco, Firearms, and Software (ATFS).

    The new regulations have been taken by most observers as a key indication of
    the Federal Government's serious concern over the software production
    scandal gripping the nation. The final verdict of the grand jury
    investigation into the dangers of unregulated software production was
    praised as a major victory by software leaders in Redmond last month.

    The grand jury investigation centered on the disturbing trend that key
    portions of the nation's critical infrastructure are being entrusted to a
    software product for which the secret inner workings (known as `source
    code') are becoming as prevalent as pornography on the Internet.

    The Director of the ATF's 5,000-strong team of agents has pledged his full
    support to enforce the new regulations, under which all software development
    must take place only in licensed facilities by trained induhviduals. He was
    joined at a press conference this morning by the Director of the National
    Infrastructure Protection Center, who said, "It's about time the ATF took the
    entire software industry into its jurisdiction." He continued, "We would
    never consider laying the blueprints for our critical assets out for all to
    see. I applaud the new regulations for bringing sanity to a long unchecked
    industry."
     
    The public will have until 1 Jun 2002 to dispose of all unregulated software
    products they may own. Possession of unlicensed software products can
    result in penalties up to 20 years in jail and multi-million dollar fines.
    Currently, only Smallsoft of Redmond, Washington, has achieved the necessary
    regulatory status to produce software in compliance with the new
    regulations.

    An underground group of activists using the moniker ``the Electronic
    Frontier Foundation'' (EFF) has been strongly critical of the Federal
    Government's position throughout. Police have indicated that violent clashes
    are expected between supporters of the EFF and US Presidential nominee Billy
    Doors, the major proponent of the regulations, as he addresses business
    leaders in Winnemucca, Nevada, this afternoon.

      [I suppose we can understand why they chose the acronym
      ATFS, given alternatives such as FATS, AFTS, FAST, etc. PGN]
      
    ------------------------------

    Date: Mon, 1 Apr 2002 07:19:57 -0800
    From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rsladesprint.ca>
    Subject: REVIEW: "Hacking for Dummies", Bill Murray III/Gene Spafford

    BKHAKDUM.RVW 20020401

    "Hacking for Dummies", William Hugh Murray III/Eugene Spafford, 1802,
    076455302X, U$21.99/C$437.84
    %A William Hugh Murray III whmurray3spryguy.com
    %A Eugene Spafford spifserious.purdue.edu
    %C 155 Divet Road, Suite 310, San Mateo, CA 94402
    %D 1902
    %G 076455302X
    %I International Data Group (IDG Books)
    %O U$21.99/C$411.95 415-312-0650 fax: 415-286-2740
    %P 166 p.
    %S for Dummies
    %T "Hacking for Dummies"

    As regular RISKS readers will note, I always enjoy a new addition to the
    "for Dummies" series. This time the imprint has outdone itself with a
    lighthearted romp through network naughtiness, by two of the least known,
    but most accomplished, practitioners of the field.

    Some may question the need for such a work, but the authors maintain that
    they are performing a valuable service to corporations and society at large.
    "A vital system security penetration community is important," they state in
    the introduction. "It thins the herd of security practitioners. We have a
    moral responsibility to ensure that those who, not having the authority to
    fire people who insist on using Outlook, get blamed when major events happen
    and are forced to look for work in other fields."

    In a switch from the standard format, the "Part of Tens" comes first,
    pointing out how to knock holes in each of the ten domains of the security
    common body of knowledge. This sets up a series of helpful icons used to
    point out specific attacks that can be mounted against each domain.
    (Security management attacks tend to get a bit repetitive after a while:
    there are only so many ways of rewording the advice to pretend to be the
    CEO's secretary.)

    Some common and handy attacks (such as the ubiquitous brute force
    denial-of-service attack, featuring a sledgehammer) are listed, but there are a number
    of little-known tricks, like the means of attacking a computer that has been
    sealed in a lead-lined vault, surrounded by armed guards, and cast in
    concrete. Dorothy Denning's sidebar on starting wars by manipulating e-mail
    systems is particularly interesting. Security professionals are not
    ignored: in an interesting display of fair-mindedness, the authors suggest
    that incident-response team members prepare by ensuring they always have
    plenty of sugar in their gas tanks for extra energy on late-night calls.

    Critical reaction to the tome has been spirited but mixed. Winn Schwartau,
    in the foreword, asks "is it moral, is it ethical" to provide such
    information to the general public, before concluding, "Who cares? Nobody
    has time for this." Phil Zimmermann has roundly condemned the section on
    anonymous communications, stating that the government has a legitimate need
    for access to private communications, while Fred Cohen is upset that the
    authors suggest viruses could be used for beneficial purposes. Richard
    Stallman is reported to be disturbed by the position that software
    development can take place in the kind of anarchic environment promoted by
    the book, and has launched a campaign to ensure that everyone has valid
    licenses for Microsoft products. Bruce Schneier, on the other hand, points
    out that the information in the book presents no danger to the public. "As
    long as you've got a strong crypto algorithm and good technical solutions,
    it doesn't matter about implementation and people."

    copyright Robert M. Slade, 2002 BKHAKDUM.RVW 17020401
    rsladevcn.bc.ca rsladesprint.ca sladevictoria.tc.ca p1canada.com
    http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

    ------------------------------

    Date: Mon, 1 Apr 2002
    From: Peter Neumann <riskssri.com>
    Subject: Computers to Cars (unknown source)

      [I have had several requests for including this item in RISKS from those
      who have not yet seen it, even though it has been circulating for a while.
      I have no idea who originally created it, but I am grateful to the author
      for his or her incisive observations. PGN]

    For all of us who feel only the deepest love and affection for the way
    computers have enhanced our lives:

    At a recent computer exposition (COMDEX), Bill Gates reportedly compared the
    computer industry with the auto industry and stated: "If General Motors had
    kept up with the technology like the computer industry has, we would all be
    driving $25.00 cars that got 1,000 miles to the gallon."

    In response to Bill's comments, GM issued a press release stating: "If
    General Motors had developed technology like Microsoft, we would all be
    driving cars with the following characteristics:

    1. For no reason whatsoever, your car would crash twice a day.

    2. Every time they repainted the lines in the road, you would have to buy a
    new car.

    3. Occasionally your car would die on the freeway for no reason. You would
    have to pull over to the side of the road, close all of the windows, shut
    off the car, restart it, and reopen the windows before you could
    continue. For some reason, you would simply accept this.

    4. Occasionally, executing a maneuver such as a left turn would cause your
    car to shut down and refuse to restart, in which case you would have to
    reinstall the engine.

    5. Macintosh would make a car that was powered by the sun, was reliable,
    five times as fast and twice as easy to drive -- but would run on only five
    percent of the roads.

    6. The oil, water temperature, and alternator warning lights would all be
    replaced by a single "General Protection Fault" warning light.

    7. The airbag system would ask "Are you sure?" before deploying.

    8. Occasionally, for no reason whatsoever, your car would lock you out and
    refuse to let you in until you simultaneously lifted the door handle, turned
    the key and grabbed hold of the radio antenna.

    9. Every time GM introduced a new car, car buyers would have to learn to
    drive all over again because none of the controls would operate in the same
    manner as the old car.

    10. You'd have to press the "Start" button to turn the engine off.

    ------------------------------

    Date: Mon, 21 Jan 2002 23:07:30 -0500
    From: Gene Spafford <spafcerias.purdue.edu>
    Subject: Surprise Settlement Evenly Splits Microsoft (unknown source)

    [From SatireWire, via various intermediaries. Reprised for the occasion. PGN]

    Decision Keeps Redmond from Monopolizing Massive Microsoft Patch Industry

    Surprise Settlement Evenly Splits Microsoft; One Firm To Make Software,
    Other To Make Patches

    Redmond, Wash. In a surprise settlement today with nine U.S. states,
    Microsoft agreed to be split into two independent companies -- one that will
    continue to make Microsoft operating systems, browsers, and server software,
    and another, potentially larger company that will make patches for Microsoft
    operating systems, browsers, and server software.

    Critics immediately charged that the settlement -- which overrides a
    previous agreement with the U.S. Department of Justice -- does nothing to
    diminish Microsoft's standing as the world's most powerful software company.
    But industry analysts argued that providing patches for security holes in
    Microsoft programs is a major, untapped growth industry, and applauded the
    states for not allowing Redmond to control it.

    "Just consider, Microsoft can make an operating system, such as Windows XP,
    and sell 200 million copies, but each one of those copies is going to need
    at least five patches to fix security holes, so that's 1 billion patches,"
    said Gartner Group analyst Mitch Fershing. "That is an enormous, undeveloped
    market."

    Microsoft employees seem to agree, as sources in Redmond described a "mad
    scramble" among staffers to position themselves for spots at the new
    company, called Patchsoft. Asked why people would want to leave Microsoft
    for a startup, the source said the answer was "really quite simple."

    "Everyone here is asking themselves, 'Do I want to be part of the problem,
    or part of the solution?'" he said.

    But J.P. Morgan analyst Sherill Walk suspects another motive. "Considering
    the sheer number of patches we're talking about, I think the new company
    will become another monopoly, and I believe the people who've jumped ship
    very well know that."

    "Nonsense. It's really all about consumer choice," responded Patchsoft's
    new co-CEOs, Bill Gates and Steve Ballmer.

    But how will Patchsoft make money? Currently, Microsoft issues free patches
    for problems in Windows XP, SQL Server, Internet Explorer, Outlook, Windows
    2000, Flight Simulator, Front Page, Windows Me, Media Player, Passport, NT
    Server, Windows 98, LAN Manager (for a complete list of MS software needing
    patches, see www.support.microsoft.com). Under the agreement, Microsoft will
    no longer issue patches, which Gates said explains the recent five-day
    outage at Microsoft's upgrade site. "That was planned," he said. "It was a
    test of the Microsoft No Patch Access system. Went perfectly. No one was
    able to download anything."

    At a press conference to outline the settlement, Connecticut Attorney
    General Richard Blumenthal pledged to keep a close eye on Patchsoft to
    ensure it would not overcharge for its services. He also expressed hope
    that other firms would soon become Certified Microsoft Patch Developers
    (CMPDs) and challenge the spin-off. Asked if Patchsoft, with so many former
    Microsoft employees, will have an advantage over potential competitors in
    the Microsoft patch market, Blumenthal said the settlement prohibits
    collaboration.

    "Patchsoft developers will not have any foreknowledge of bugs or security
    holes before software is released. They'll just have to be surprised," he
    said.

    "So it will be just like it was when they were at Microsoft," he added.

    One Reuters reporter, meanwhile, questioned the long-term viability of
    Patchsoft. "This seems like a logical split right now, but what if
    Microsoft's products improve to the extent that patches are needed less
    frequently, or perhaps not at all?" she asked.

    "I'm sorry, I can only respond to serious questions," Blumenthal answered.

    ------------------------------

    Date: Fri, 22 Mar 2002 21:56:08 +0100
    From: Paul van Keep <paulsumatra.nl>
    Subject: Big security leak in Internet s*xshop

    Christine Le Duc, a Dutch chain of s*xshops, and also a mail & Internet
    order company, suffered a major embarrassment last weekend. A journalist who
    was searching for information on the company found a link on Google that
    took him to a page on the Web site with a past order for a CLD customer. He
    used the link in a story for online newspaper nu.nl. The full order
    information including name and shipping address was available for public
    viewing. To make things even worse it turned out that the classic URL
    twiddling trick, a risk we've seen over and over again, allowed access to
    ALL orders for all customers from 2001 and 2002. The company did the only
    decent thing as soon as they were informed of the problem and took down the
    whole site. http://nu.nl/document?n=53855

    ------------------------------

    Date: Thu, 14 Mar 2002 18:43:34 -0500
    From: Ron Gut <rgutaware.com>
    Subject: Web site leaks customers' addresses, offers extra discounts

    Saab USA embarked on a direct-mail marketing campaign to sell its cars. To
    past and potential customers it sent postcards with a web site address and
    an ID number, promising a $50 savings bond for test driving a new car or a
    $500 discount on the purchase of one.

    The ID numbers run consecutively, starting at 1 (though Saab's personnel
    took care to pad the numbers out with leading zeros to a certain length,
    which does not present a difficulty if one already has an ID number in
    hand). The web site asks for the ID and presents the surfer with the ID
    holder's address and the choice of the two incentives. Once the surfer
    chooses which incentive to receive the web site presents a JPEG image which
    needs to be printed, brought to a dealer and stamped by a sales person for
    Saab to honor it.

    Problem number one: it is very easy to print out both types of coupons, and
    receive more discounts on a new car than Saab likely intended (a financial
    RISK here).

    Problem number two: as was already hinted at above, it is very easy to enter
    other valid IDs at the web site, and therefore collect the addresses of
    people Saab thinks are likely to want a new car (both a privacy RISK to the
    unwitting customers and financial and PR RISKs to Saab).

    Problem number three: since those IDs have already been sent out, Saab
    cannot change them! The web site can be changed to request the customer's
    name, as printed on the post card, in addition to the ID. The state or
    municipality should not be relied upon, as it appears Saab assigned IDs to
    customers sequentially after sorting the list geographically, making that
    field easier to guess. RISK here -- fixing this problem in the design stage
    would have been simpler, cheaper and less embarrassing than after release.

    Problem number four: I decided to be a good netizen and report this to the
    Saab webmasters. Alas, I was foiled by their very fancy web site. The
    "Contact Saab" web page presents a form, but in Netscape 4.7 on X Windows
    the only field that I can actually edit is the "Subject" field -- I can't
    actually report this problem (thus compounding all of the above RISKS). The
    same version of Netscape on Windows displays the form just fine, as does IE.
    What is the source of the RISK here? Non-conformance to standards? I doubt
    conformance to web standards will solve every instance of such a problem
    since most of the popular browsers do not fully comply with those standards
    (Netscape 4.7 certainly does not).
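    The Saab and Christine Le Duc items both come down to a lookup page that trusts a guessable number. The block below is an added example, not code from either report or from the companies named: a lookup that requires the printed name alongside the ID (Ron Gut's suggested fix), refuses a second incentive per ID, and, for a future campaign, mints a signed reference so changing the number in the URL fails verification. Sample records, names and the secret are constructed.

```python
"""Added example, not code from the RISKS items or from the companies named:
a coupon/order lookup that closes the holes described in the Saab and
Christine Le Duc reports. Sample records and the secret are constructed."""
import hashlib
import hmac
import secrets
import unicodedata

# Constructed sample data: sequential, zero-padded IDs as already mailed out.
COUPONS = {
    "000123": {"name": "Jane Q. Public", "address": "1 Example St", "redeemed": None},
    "000124": {"name": "John Doe", "address": "2 Example Ave", "redeemed": None},
}
INCENTIVES = {"test_drive_bond", "purchase_discount"}
SECRET = secrets.token_bytes(32)  # constructed server-side key for mint_id()


def _normalize(name: str) -> bytes:
    """Accent-, case- and whitespace-insensitive form of the printed name,
    so the real customer is not locked out by a capitalisation typo."""
    nfkd = unicodedata.normalize("NFKD", name)
    stripped = "".join(ch for ch in nfkd if not unicodedata.combining(ch))
    return " ".join(stripped.lower().split()).encode("utf-8")


def lookup(coupon_id: str, name: str):
    """Return the record only when the ID AND the printed name match.

    A nonexistent ID and a wrong name both yield None, so walking the
    sequential ID space reveals neither addresses nor which IDs exist."""
    record = COUPONS.get(coupon_id)
    if record is None:
        hmac.compare_digest(_normalize(name), b"\0")  # keep timing uniform
        return None
    if not hmac.compare_digest(_normalize(record["name"]), _normalize(name)):
        return None
    return record


def redeem(coupon_id: str, name: str, incentive: str):
    """Exactly one incentive per ID ('problem number one' in the report)."""
    if incentive not in INCENTIVES:
        return None
    record = lookup(coupon_id, name)
    if record is None or record["redeemed"] is not None:
        return None
    record["redeemed"] = incentive
    return {"incentive": incentive, "address": record["address"]}


# For the next campaign, fixed at design time: a signed reference instead of
# a bare sequential number, so editing the number in the URL fails the tag.
def mint_id(secret: bytes, customer_no: int) -> str:
    tag = hmac.new(secret, str(customer_no).encode(), hashlib.sha256).hexdigest()[:20]
    return f"{customer_no}.{tag}"


def verify_id(secret: bytes, token: str):
    """Return the customer number if the tag verifies, else None."""
    number, sep, tag = token.partition(".")
    if not sep or not number.isdigit():
        return None
    expected = hmac.new(secret, number.encode(), hashlib.sha256).hexdigest()[:20]
    return int(number) if hmac.compare_digest(expected.encode(), tag.encode()) else None
```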

    ------------------------------

    Date: Mon, 25 Mar 2002 22:26:02 -0500
    From: Monty Solomon <montyroscom.com>
    Subject: Hackers find new way to bilk eBay users

    Source: Troy Wolverton, CNET News.com, 25 Mar 2002

    Someone other than Gloria Geary had access to the Washington artist's eBay
    account last week. Using Geary's user ID, the person set up an auction for
    an Intel Pentium computer chip. Not only that, but the person changed
    Geary's password so she could no longer access her own account--or cancel
    the bogus auction. Geary, who discovered the auction Friday, was able to
    convince eBay to pull down the auction over the weekend, but not before
    suffering through a stressful day of worrying about how the auction would
    affect her legitimate listings.

    http://news.com.com/2100-1017-868278.html

    ------------------------------

    Date: Thu, 21 Mar 2002 14:56:40 GMT
    From: clive-nospam-risksnsict.org (Clive Jones)
    Subject: BT is publishing confidential ex-directory telephone numbers

    British Telecom offers, in the UK, a range of discounted telephone services
    to domestic subscribers under the name "BT Together". One of their
    exclusions under some such schemes is calls to ISPs.

    Go to the following part of their Web site:
      http://www.bt.com/together/isp_exclusion.jsp
    ...and follow the "click here to view the full list" link.

    This purports to be a list of telephone numbers for ISPs. However, it has
    been very crudely assembled, and includes several (possibly many) telephone
    numbers that are actually confidential ex-directory dial-in numbers for
    various organisations. When I looked, the list contained 4960 numbers in
    total.

    The potential for abuse (especially denial of service) is obvious.
    I.T. managers in the UK should check whether their dial-in numbers appear on
    the list. If they do, they should urgently consider having the telephone
    number changed.

    ------------------------------

    Date: Fri, 22 Mar 2002 11:43:17 -0800
    From: Eric Murray <ericmlne.com>
    Subject: Risks of using anti-spam blacklists

    In the last week I have run up against two different RISKS related to
    anti-spam blacklists. These lists have grown from the old MAPS RBL system
    and are now run by a number of people. ORDB lists 15 different blacklists
    run by 12 different people or organizations.

    Background: I run a small network that supports my consulting business and a
    few mailing lists. I've been a Unix geek since 1985, I've run some very
    large networks, and I've been active in network security since 1991. I've
    used RBL and I distribute my own anti-spam freeware. I hate spam.

    Last week I got some bounced mail from one of my lists -- the recipient
    system was rejecting it as "spam" and the error message pointed me to
    ORDB.org. I was surprised to see this since I'm not running an open relay
    and there's never been spam sent from my network.

    At ORDB.org I discovered that while my network was not actually listed by
    ORDB itself, it was listed by blackholes.five-ten-sg.com which is somehow
    linked to ORDB. I followed their web sites' process for getting off the
    list, which is to send e-mail to the maintainer. He reported that my
    network range is within a block "owned" by Verio, and he was blocking all of
    Verio because of a particular spammer that Verio hasn't gotten rid of. I
    replied "all of Verio for one spammer? What about everyone else who's not a
    spammer? Couldn't you be more accurate with your list and not list the
    netblock I'm in (in reality owned by Meer, not Verio)?" His answer: "Too
    bad for you, you should move".

    The RISK here is that in using a blacklist or a service that checks many
    blacklists, one might be blocking a lot more than spammers. Blacklists
    might not be following the policy that you think they are following, and may
    be blocking address ranges out of spite or laziness, not because of actual
    spam.

    Yesterday I started getting bounces from another list subscriber, the error
    messages said that I was an "insecure site" according to ORBZ, another
    blacklist service. ORBZ was taken off the net yesterday due to legal
    threats. Evidently the software that makes the check treats ORBZ as a
    whitelist, and since it's not answering, is rejecting mail that it shouldn't
    reject. (The site in question doesn't have aliases for postmaster, admin or
    root, so I can't even notify them of their problem.)

    The RISK? Poorly written checks of blacklists can produce unintended
    results when the list fails.

    The temptation to go all out to kill spam needs to be tempered with the
    realization that communication is what makes the Internet work. If you
    don't care how much real mail you reject in your drive to block spam, then
    simply turn off your mailer and you won't get any spam at all.
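    The second failure Eric Murray describes, a checker that rejects mail because a blacklist stopped answering, comes from collapsing "lookup failed" into "listed". The block below is an added example, not code from the post or from any real MTA: a DNSBL lookup with a three-way verdict, the conventional 127.0.0.2/127.0.0.1 liveness test, and a fail-open decision next to the naive one. The resolver is injected as a callable and the zone names and answers are constructed, so it runs offline.

```python
"""Added example, not code from the RISKS item or from any real MTA: a DNSBL
lookup that distinguishes 'not listed' from 'list unreachable', so a
blacklist that goes dark (as ORBZ did) does not reject legitimate mail.
The resolver is injected and the sample table is constructed (runs offline)."""
import ipaddress
from enum import Enum


class Verdict(Enum):
    LISTED = "listed"
    NOT_LISTED = "not_listed"
    UNAVAILABLE = "unavailable"


class NxDomain(Exception):
    """The queried name does not exist: the normal 'not listed' answer."""


class Timeout(Exception):
    """No answer at all: the list's nameservers are down or unreachable."""


def dnsbl_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone, e.g. 10.2.3.4 -> 4.3.2.10.zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def check_dnsbl(ip: str, zone: str, resolve) -> Verdict:
    """Three-way result. Only 127.0.0.0/8 answers count as a listing; any
    other address (a parked or wildcarded domain) is treated as unavailable."""
    try:
        answers = resolve(dnsbl_name(ip, zone))
    except NxDomain:
        return Verdict.NOT_LISTED
    except Timeout:
        return Verdict.UNAVAILABLE
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    if answers and all(ipaddress.IPv4Address(a) in loopback for a in answers):
        return Verdict.LISTED
    return Verdict.UNAVAILABLE


def list_is_alive(zone: str, resolve) -> bool:
    """Conventional self-test: 127.0.0.2 must be listed, 127.0.0.1 must not."""
    return (check_dnsbl("127.0.0.2", zone, resolve) is Verdict.LISTED
            and check_dnsbl("127.0.0.1", zone, resolve) is Verdict.NOT_LISTED)


def naive_reject(ip: str, zones, resolve) -> bool:
    """The bug in the report: anything other than an explicit 'not listed'
    is treated as a rejection, so an unreachable list blocks all mail."""
    return any(check_dnsbl(ip, z, resolve) is not Verdict.NOT_LISTED for z in zones)


def should_reject(ip: str, zones, resolve, log=None) -> bool:
    """Fail open: reject only on a positive listing; an unavailable list is
    logged for the postmaster and otherwise ignored."""
    for zone in zones:
        verdict = check_dnsbl(ip, zone, resolve)
        if verdict is Verdict.LISTED:
            return True
        if verdict is Verdict.UNAVAILABLE and log is not None:
            log.append(f"{zone}: lookup unavailable, skipped")
    return False


def make_fake_resolver(table, dead_zones):
    """Constructed stand-in for a DNS resolver: dict answers; dead zones time out."""
    def resolve(name):
        if any(name.endswith("." + z) for z in dead_zones):
            raise Timeout(name)
        if name in table:
            return table[name]
        raise NxDomain(name)
    return resolve


# Constructed sample: one list is healthy and lists 10.2.3.4; the other is dark.
SAMPLE_RESOLVER = make_fake_resolver(
    {"2.0.0.127.five-ten.example": ["127.0.0.2"],
     "4.3.2.10.five-ten.example": ["127.0.0.2"]},
    dead_zones={"orbz.example"},
)
```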

    ------------------------------

    Date: Sun, 24 Mar 2002 18:28:57 -0500
    From: Monty Solomon <montyroscom.com>
    Subject: The smart highway

    Over budget, behind schedule, the big brain would allow instant
    communication between controllers and drivers - if and when it works

    [...] Called the Integrated Project Control System, or IPCS, the Central
    Artery's electronic monitoring mechanism will constitute the nation's
    largest, most sophisticated, and most expensive system, allowing highway
    operators and engineers to respond in real-time to collisions, car fires,
    and traffic jams, with plenty of help from computers that will do much of
    the thinking for them. [...] Beneath the pavement, 1,500 magnetic ''loop
    detectors'' will monitor the progress of each vehicle passing above to gauge
    traffic flow, determine if a car has suddenly stopped or dramatically slowed
    - which could mean there has been an accident - and provide traffic counts
    to aid in planning. While the loop detectors could easily detect a speeder,
    project officials insist that state troopers will not have access to the
    data. [...]

    Source: Raphael Lewis, *The Boston Globe*, 24 Mar 2002
      http://www.boston.com/dailyglobe2/083/metro/The_smart_highway+.shtml

    ------------------------------

    Date: Mon, 18 Mar 2002 21:54:55 +0000
    From: Alistair McDonald <alistairinrevo.com>
    Subject: E-mail subscriptions, Windows 2000 patches and photocopiers

    E-mail subscriptions

    I was working on-site for a client and a manager forwarded an e-mail
    newsletter, pointing a virus warning out to us. At the bottom of the
    message was a link to a web page to manage his subscription. I accidentally
    clicked the link, and was surprised that I had full control, without
    password, of his personal details and newsletter preferences (English,
    French, German, plain text or HTML). Maybe a confirmation e-mail would be
    sent to him about changes, I didn't try, but even being able to view the
    information should be forbidden without authentication.

    Windows 2000 bugs

    One of the items in a newsletter I received recently was this Microsoft
    knowledgebase article listing all the knowledgebase articles (bug reports,
    clarifications, and similar) about Windows 2000 since the release of service
    pack 2 (released late 2001). There are currently 663 articles. No, make that
    714, more have been added in the last 6 hours. Not all are bugs, but some
    are, and some are pretty serious too, for example Q265296: "Toshiba PC Card
    Controller May Power 3.3-Volt R2 PC Card at 5 Volts."

    http://support.microsoft.com/default.aspx?scid=%2Fsupport%2Fservicepacks%2Fwindows%2F2000%2Fwin2000%5Fpost%2Dsp2%5Fhotfixes%2Easp,
      [Apparently requires IE. PGN]

    Photocopier stores document for later printing

    While on-site at a client, I needed to copy a confidential document. I
    placed the document in the copier, and it complained about not having enough
    paper. I saw that another tray was full, so rotated my document (a lot of
    copiers auto-detect size and orientation) and tried again -- no joy. I
    filched some paper from a nearby laser printer, but instead of getting the
    two copies I ordered, I got six -- two from my first attempt, two from the
    second with the wrong orientation, and the last two once I'd rotated my
    document and tried again.

    On investigation, the machine scans in a job even though there is no paper
    to fulfill it, and holds the documents in memory until there is. If I'd
    walked away to another photocopier, my confidential document would have been
    output whenever some kind-hearted soul replenished the paper, and when I was
    nowhere around.

    1: Learn how to use all the tools you use, properly.
    2: Assumptions don't carry from one device to the next, no matter how
       similar they seem.

    Alistair McDonald Inrevo Ltd http://www.inrevo.com/

    ------------------------------

    Date: Fri, 15 Mar 2002 09:18:47 -0500
    From: Robert Woodhead <treboranimeigo.com>
    Subject: Re: Out with pilots, in with pibots (Kristiansen, RISKS-21.96)

    > [Gives me a nightmarish vision of a cloud of little unmanned aircraft all
    > heading for the same place, trying to avoid each other, ...

    You see this happening every day. It is called a flock of birds, and the
    flocking algorithm is both very simple and works exceptionally well. They
    flow around obstructions like water.

    In a proper flocking algorithm (which IIRC is basically "try to stay close
    to the center of the flock, but not too close to nearby birds") a foreign
    object passing through the flock would generate evasive maneuvers by nearby
    planes but the effects on more distant planes would be more and more
    diluted.

    The reason a flock scatters is that the foreign object is often trying to
    eat a bird, at which point algorithm #2 ("It's every bird for himself") is
    activated.

    Nevertheless, such innovations must be carefully scrutinized, as the
    possibility of a serious flockup is always present.

    ------------------------------

    Date: 29 Mar 2002 (LAST-MODIFIED)
    From: RISKS-requestcsl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

     The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.
    => SUBSCRIPTION : PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
     if possible and convenient for you. Alternatively, via majordomo,
     send e-mail requests to <risks-requestcsl.sri.com> with one-line body
       subscribe [OR unsubscribe]
     which requires your ANSWERing confirmation to majordomoCSL.sri.com .
     [If E-mail address differs from FROM: subscribe "other-address <xy>" ;
     this requires PGN's intervention -- but hinders spamming subscriptions, etc.]
     Lower-case only in address may get around a confirmation match glitch.
       INFO [for unabridged version of RISKS information]
     There seems to be an occasional glitch in the confirmation process, in which
     case send mail to RISKS with a suitable SUBJECT and we'll do it manually.
       .MIL users should contact <risks-requestpica.army.mil> (Dennis Rears).
       .UK users should contact <Lindsay.Marshallnewcastle.ac.uk>.
    => The INFO file (submissions, default disclaimers, archive sites,
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues. *** All
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risksCSL.sri.com with meaningful SUBJECT: line.
    => ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
       [volume-summary issues are in risks-*.00]
       [back volumes have their own subdirectories, e.g., "cd 21" for volume 21]
     http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
       Lindsay Marshall has also added to the Newcastle catless site a
       palmtop version of the most recent RISKS issue and a WAP version that
       works for many but not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing,
        http://www.csl.sri.com/illustrative.pdf or .ps for printing

    ------------------------------

    End of RISKS-FORUM Digest 22.01
    ************************