Subject: RISKS DIGEST 15.79
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Tuesday 26 April 1994  Volume 15 : Issue 79

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for information on RISKS (comp.risks) *****

Contents:
  Fax programming -- risk to politicians (Tom Keenan)
  Data Escape from Prison (Mich Kabay)
  Industrial espionage (Mich Kabay)
  Trojan @ U. Michigan (Mich Kabay)
  $14 million QA failure (Mich Kabay)
  Security and Privacy panels (John Rushby)
  Strange Stalking (Flint Waters)
  UK Industrial Spy Law (Peter Sommer)
  Combination Locks I Have Known (Neil McKellar)
  Unusual Newspaper Error (Stewart Rowe)
  Risks of advertising on the net (Jerry Leichter)
  Updated addresses for Canter & Siegel (Paul Robinson)
  Re: MIT student arrested for BBS used ... (Tim Shepard, Douglas Rand)
  Re: NYC subway fare cards double-deduct (Mark Brader, Dan Lanciani, Padgett Peterson)
  Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

----------------------------------------------------------------------

Date: Mon, 25 Apr 94 18:40:56 MDT
From: "Tom Keenan"
Subject: Fax programming -- risk to politicians

According to the April 25/94 Globe and Mail:

Canadian Human Resources Minister Lloyd Axworthy is embarrassed by the leaking of a sensitive working paper to the press. It concerns government plans and "specifically indicated that Quebec wasn't going to get full control over job training any time soon."

Unfortunately, an operator did not press the 0-2-1 fax code that would have sent it to English speaking provincial government offices. By hitting 1-2-1 instead, the working paper went to eight French language newspapers in Quebec, two of which eventually published stories on it.

Some are questioning whether it was indeed an error or the work of a saboteur.
Reporters "marvel that a document of particular sensitivity to Quebec accidentally went to Quebec newspapers only."

Several years ago a similar faux pas occurred in the Canadian parliamentary press gallery when a young woman sent a detailed account of her romantic exploits of the past weekend by email to a female friend. She accidentally filed it with every newspaper's parliamentary reporter, but they were gentlemen and did not publish it.

Dr. Tom Keenan, I.S.P.
Dean, Faculty of Continuing Education
University of Calgary
2500 University Dr. NW
Calgary, AB T2N 1N4 CANADA
Voice: (403) 220-5429  FAX: (403) BUG-EXIT = 284-3948

------------------------------

Date: 26 Apr 94 12:13:52 EDT
From: "Mich Kabay / JINBU Corp." <75300.3232@CompuServe.COM>
Subject: Data Escape from Prison

>From the Associated Press newswire via Executive News Service (GO ENS) on CompuServe:

Inmates-Computers, By MARIA S. FISHER, Associated Press Writer

KANSAS CITY, Kan. (AP, 18 Apr 1994) -- The letter startled Nick Tomasic. It was from a prison inmate; other fellow prisoners, assigned to computerize records, had taken a Social Security number from an accident report and tried to sell it. Tomasic is the district attorney for Wyandotte County. It was his number.

The author makes the following key points:

o 29 states and the federal government use prisoners for data entry.

o The National Correctional Industries Association in Belle Mead, NJ scoffed at the potential risk of misuse, saying that in 12 years, there have been no cases of abuse.

o Tomasic warned that criminals could determine addresses and phone numbers of witnesses and victims during data entry.

o In Johnson City, KS, Sheriff Kent P. Willnauer is looking into allegations that a prisoner passed Social Security numbers and other data to a confederate who opened fraudulent bank accounts.

o Kansas State government officials insist that the data entry program saves taxpayers hundreds of thousands of dollars and that there is no danger to privacy or safety of residents.

Michel E. Kabay, Ph.D./ Dir. Education / Natl Computer Security Assoc.

------------------------------

Date: 26 Apr 94 12:13:39 EDT
From: "Mich Kabay / JINBU Corp." <75300.3232@CompuServe.COM>
Subject: Industrial espionage

>From the Reuter newswire via Executive News Service (GO ENS) on CompuServe:

CHINESE PAIR HELD IN TECHNOLOGY THEFT, By Robert Boczkiewicz

DENVER, April 15 (Reuter) - A federal judge cited national security concerns Friday when he refused to free a Chinese citizen who remains under house arrest charged with stealing software technology."

According to the author, the FBI arrested Wang Liaosheng and Jing Cui for an alleged theft of source code from Ellery Systems, Inc of Boulder, CO. Wang, a former employee of this firm, allegedly sold information to Beijing Machinery Import & Export (Group) Corp for $550,000.

The pair face charges of computer and wire fraud and could be punished by a maximum of 15 years in prison and $500,000.

Michel E. Kabay, Ph.D./ Dir. Education / Natl Computer Security Assoc.

------------------------------

Date: 26 Apr 94 12:13:46 EDT
From: "Mich Kabay / JINBU Corp." <75300.3232@CompuServe.COM>
Subject: Trojan @ U. Michigan

>From the Washington Post newswire via Executive News Service (GO ENS) on CompuServe:

Message Posted On Internet Spurs Probe; Jokes, Threats Directed At African Americans
By John Burgess, Washington Post Staff Writer, 25 Apr 1994

The sordid side of the emerging electronic culture got a very public airing at the University of Michigan this month. Officials there are investigating an incident involving a stolen computer password and a death threat against African Americans that was sent over the global Internet computer network.

The author continues with the following key points:

o the perpetrator is still unknown.

o On April 5, someone using a University of Michigan email address sent the offensive message to 30 newsgroups on the Net.

o "Purporting to come from a group called the Organization for the Execution of Minorities, the posting was a lengthy collection of jokes and riddles directed against black Americans. It also contained rambling threats of death and injury."

o The host system was immediately flooded with angry protests from around the Net.

o The supposed originator protested his innocence and repudiated the message and its content.

o Campus computer security specialists think the student may have been a victim of a classic Trojan Horse which collected logins and passwords by spoofing the login screen and writing the ID/password pairs to a file for retrieval.

o International users also received the posting and criticized Americans for racism.

Michel E. Kabay, Ph.D./ Dir. Education / Natl Computer Security Assoc.

------------------------------

Date: 26 Apr 94 15:28:10 EDT
From: "Mich Kabay / JINBU Corp." <75300.3232@CompuServe.COM>
Subject: $14 million QA failure

>From _The Globe and Mail_ [Canada], Mon 94.04.25 p. A3:

"Pensioners to keep overpayments: Ottawa to write off $14 million mistake by computer."

According to the Canadian Press report, 8,000 pensioners received overpayments because the computer programs at the Canada Pension Plan did not correctly combine pensions. "...[I]t took years to uncover the mistake and figure out what to do about it."

[MK comments: what amuses me is the headline which blames the mistake on the computer. Quality Assurance, where art thou?]

Michel E. Kabay, Ph.D. / Dir. Education / Natl Computer Security Assoc.

------------------------------

Date: Sun 24 Apr 94 17:07:28-PDT
From: John Rushby
Subject: Oakland posting for risks

Last chance to register for

1994 IEEE SYMPOSIUM ON RESEARCH IN SECURITY AND PRIVACY
May 16-18, 1994
Claremont Resort, Oakland, California

The program for this, the main conference on computer security research, was posted in RISKS-15.43, 30 Jan 1994. I won't repeat the whole thing, but here are the details of the very exciting panels that have been arranged. These were missing from the earlier posting.

Monday 2:00--3:30
  PANEL: Firewalls
  Moderator: Steve Kent (BBN)
  Panelists: Steve Bellovin (AT&T) -- "Firewalls are good"
             Phil Karn (Qualcomm) -- "Firewalls are bad"

Tuesday 2:00--3:30
  PANEL: What Security Needs To Learn From Other Fields
  Moderator: Teresa Lunt
  Panelists: Nancy Leveson (U. Washington) -- safety
             Fred Schneider (Cornell) -- dependability
             Jeffrey Voas (Reliable Software Technology) -- testing
             Brian Snow (NSA) -- security perspective

There's still time to register. The easiest way to get the program and registration form is by WWW from http://www.csl.sri.com (follow the link under conferences), or by anonymous ftp of the file /pub/oakland94.txt from ftp.csl.sri.com. If all else fails, send email requesting the form to John Rushby (Rushby@csl.sri.com).

------------------------------

Date: Tue, 26 Apr 1994 14:00:00 +0000 (M)
From: Flint Waters
Subject: Strange Stalking

We just finished a pretty strange case. A woman came in and reported that her estranged husband was stalking her. The officer that took the call started an investigation for the alleged stalking and contacted our County Attorney, (DA to most folks).

While investigating the matter the suspect's lawyer turned over email from the wife to the husband soliciting contact. It started to look like a normal domestic situation where the complaint matches the mood.

Sgt Banks brought me the email so I could verify it and move on to other things. As I started looking into it things got strange.

One of our campus systems is an Alpha running VMS and we have a special NEWUSER procedure which allows staff to create their own accounts, providing they know all of the important information about themselves.

As I investigated the accounts I found that the suspect's and victim's accounts were created within a few minutes of each other. I placed a trap on the logins to both accounts and soon learned that every access to her account was immediately preceded or followed by an access to his account and from the same computer.

Over the next several months I tracked the access to both accounts and watched as the suspect turned over more and more email from his wife. This guy was pretty creative in that he wrote long letters to himself and even changed his writing style to mimic hers.

We had a pretty solid interference case for the false evidence he was creating but it was only a misdemeanor. We really wanted to put together a felony due to some other crimes the suspect had committed, which were pending prosecution.

Finally, the wife decided to take a computer course on campus. The first day of class the students were told to create accounts on the campus computer system. Our victim went to the computer lab and followed all of the appropriate steps only to find she couldn't create an account because her authorization had been used already. Confused, she went to her assigned User Consultant and complained that she was denied access. The consultant, not knowing about my investigation, disusered the fraudulent account and helped the victim get a new one.

The gig was up since I was certain the suspect would realize we were watching him now. Fortunately, denial of computer service is a felony in Wyoming. We then pursued the arrest warrant.

Several days later our suspect was arrested at his office on campus. When arrested he asked if he could call his attorney. When we said yes, he led us down the hall to a locked computer lab.
He entered the code on the door and walked to the phone which sat two feet from the very computer that had been used to generate many of the fraudulent messages.

By now our case was pretty solid. The suspect was charged with Computer Crimes: Crimes Against Computer Users which carried a three year felony term, ten years if intent to commit fraud is proven. Kinda heavy but pretty funny when you face the guy and he lies through his teeth. He thought he was dealing with a couple of Barney Fifes and he treated us like we were stupid. Obviously we didn't know what we were talking about and he had received all of the mail from his wife. We booked him and went back to work.

As it turned out, the joke was on us. On the day of the preliminary hearing the suspect's lawyer arrived with a sworn affidavit from the wife. She decided that she had not been stalked and that her husband had not denied her of any computer service. It appears a reconciliation is in the works.

Naturally we decided not to pursue prosecution with a hostile victim and our case was dropped. Really a shame considering the hours we had invested. The suspect has some federal time hanging over him on some other crimes but I really would have liked to see him lie on the stand about his computer feats.

Oh well. I never thought I'd have a computer-domestic disturbance.

------------------------------

Date: Sat, 23 Apr 94 10:59:15 GMT
From: hcorn@virtcity.demon.co.uk (Peter Sommer)
Subject: UK Industrial Spy Law

INDUSTRIAL SPY'S LEGAL LOOPHOLE TO BE CLOSED

Britain's industrial spies enjoy a legal loophole. If they access a computer to which they are not authorised, they can be found guilty under the Computer Misuse Act, 1990. If they manage to deceive an authorised user into giving them information from that computer, they almost certainly commit no offence.

The UK government signaled on March 24th 1994 that it would introduce remedial legislation.
However the precise form is still unclear and there appears to be no date for implementation.

English Law knows no concept of information theft - you can steal pieces of paper and data media containing information but there is no specific law protecting commercial secrets. The law is more concerned with catching the means of industrial espionage: bugging and tapping are criminal offences, respectively under the Wireless Telegraphy and Interception of Communications Acts. The Computer Misuse Act punishes unauthorised access without, in section 1, caring what the reason was.

Recent coverage by the BBC-TV's leading current affairs show Panorama and by the London Sunday Times has revealed that 200 UK pounds is the average rate charged by private detectives to assemble a dossier of an individual's bank balances, medical records and tax status. Nearly all of the information comes via abuse of this loop-hole. The technique is variously called the pretext call, the voice-hack, the imposter and the masquerade. The private detective assumes whatever "official" identity is necessary to mislead the bank clerk or government employee. Recently one "detective agency" has been circulating leading figures in the UK with offers to obtain critical data on any individuals in whom they were interested.

If any offence is being committed, it is probably by the computer owners, who, under the Data Protection Act, have an obligation to take appropriate steps to secure data under their control. (Eighth Principle, Data Protection Act, 1984). Data Protection obligations apply within the European Union.

A case in a magistrate's court (lowest level) last December suggested that there might be a way of extending the Computer Misuse Act to cover such third parties. Malcolm Farquharson induced a female employee of a cellular phone company to obtain details of cellular phone numbers and their ESNs (Electronic Serial Numbers) so that he could fraudulently clone phones.
The numbers were held on a computer to which the female employee had authorised access. Farquharson, but not the employee, was found guilty and sentenced to six months in prison although he had never touched the computer. However legal experts believe that this case would not survive appeal to a higher court.

The UK Home Office say that the loophole will probably be closed by means of an amendment to the Data Protection Act but have so far produced no wordings nor a timetable. On April 10th, Home Secretary Michael Howard said that the Government was considering a new offence of gaining information by deception.

Even when the loophole is closed the abuse is likely to continue - enforcing a law where a telephone-based perpetrator is already doing a good job pretending to be someone else is never going to be easy.

Peter Sommer at the Virtual City
London N4 4SR United Kingdom
hcorn@cix.compulink.co.uk  CompuServe: 100012,2610

------------------------------

Date: Tue, 26 Apr 1994 13:56:55 -0600
Subject: Combination Locks I Have Known
From: Neil McKellar

I have owned four combination locks in my life. All of them were made by 'Dudley', a Canadian company. Admittedly, these are not top of the line locks. They were, however, the brand of lock officially "endorsed" by my school in grade 7 when I first got a locker. That was in 1979.

I owned that lock until 1991 when it was broken into at the local gym. I immediately went out and bought the first 'Dudley' lock I picked out of a basketful in front of the local bookstore checkout counter. By mere coincidence, this lock had the same combination as my old one. I treated this as fortunate happenstance.

Later, I lost the new lock and was forced once again to replace it. Again, I selected the first lock in the basket. This time it had a different combination which I promptly forgot when the lock lay idle for six months. So this time, I purposely searched through the basket for a lock with MY combination on it.
I found one in less than thirty seconds.

The locks are of the tumbler variety with markings from 0 to 59. I've tried my lock and I can be off by one marking when dialing the combination. Still, considering that I have successfully obtained 3 of 4 locks with the same combination, I'm tempted to go home tonight and try to "find" the combination I lost. Perhaps I'll even time myself.

Neil McKellar (mckellar@cs.ualberta.ca)

------------------------------

Date: Fri, 22 Apr 1994 16:55:29 -0400
From: "Stewart Rowe"
Subject: Unusual Newspaper Error

Perhaps one of your readers can explain how the Midwest edition of *The New York Times* today had a photo on the front page with the caption. "Joseph P. Kennedy Jr. being arrested at the White House yesterday", with no further explanation or story anywhere in the paper?

Stewart Rowe usr2210a@tso.uc.edu

------------------------------

Date: Tue, 26 Apr 94 08:23:08 EDT
From: Jerry Leichter
Subject: Risks of advertising on the net

In their Internet advertising, Canter and Siegal are ignoring some fundamental characteristics of the net as currently constituted. I think they'll find their attempt at Internet advertising will fairly quickly become ineffective - though many people may be annoyed along the way.

The relevant characteristics of the Internet are (a) the anonymity; (b) the low cost of generating any particular kind of message. What, after all, prevents anyone from taking a C&S ad, modifying it slightly - changing the addresses and phone numbers, for example - and posting it back as widely as the original? If only a few people do this, it will be impossible to tell which are the real ads and which are fakes - short of calling a phone number and finding that it terminates, say, at the Bar Association rather than C&S.

Of course, ads that mention price will raise even more severe problems. If the spoof suggests a completely unreasonable price, the business can probably disclaim it.
But what happens when the spoof suggests a reasonable-looking price that happens to leave the advertiser with no profit? He is left with the choice of accepting the price, and losing money, or disclaiming the ads, damaging his own reputation.

Traditional printed ads can, of course, also be spoofed. However, attempts to do so are rare. First, it's very expensive to do; second, the traditional at least attempt to verify the identity of advertisers. Neither of these constraints apply on the net.

It's true that a careful reading of the header lines will often reveal which are the true ads, and which are the fakes. But why should the people who the ad is trying to reach bother to check header lines? The whole point of an ad is to communicate information quickly. The same reasoning shows that digital signatures wouldn't help. Who would bother to check them? Only those who have an established relationship with the sender of the ad would likely even have a quick ability to verify the signature - and that's not the population a broadly distributed ad is trying to reach.

When the spoofers are traceable - and it's well known that it's often impossible to trace a message, much less *prove* that a particular individual sent it - the legal situation might get rather interesting. Even ignoring the very broad protection the courts have recently granted to parody, why is the spoofer's message any less legitimate than the original? If the spoof ads look entirely different, refer to "Carver and Siegalman", and have different addresses and phone numbers, just what right do "Canter and Siegal" have to complain? They are not being directly referred to or identified. If they have a problem establishing a unique identity in the noise of the marketplace - and no one ever said that all marketplace participants have to be genuine - that's not the law's concern.
-- Jerry

------------------------------

Date: Fri, 22 Apr 1994 14:24:08 -0400 (EDT)
From: Paul Robinson
Subject: Updated addresses for Canter & Siegel

This list should help in setting up kill files or to watch for later posts:

Sender: LISTSERV list owners' forum
Poster: Wes Morgan
Subject: Updated addresses for Canter & Siegel [mispeling curekted]

It appears that Canter & Siegel, the law firm which recently flooded both Usenet and LISTSERVs with their "Green Card Lottery" posting, have secured access to the net through many sources. For those of you interested in blocking their access to your list, here is the current collection of addresses for that firm.

  cslaw@delphi.com
  cslaw@win.net
  cslaw@witchcraft.com
  cslaw@pipeline.com
  cslaw@netcom.com
  cslaw@indirect.com (currently disabled)
  lcanter@delphi.com
  lcanter@win.net
  lcanter@witchcraft.com
  lcanter@pipeline.com
  lcanter@indirect.com (currently disabled)
  76636.443@compuserve.com

They also, apparently, have sites of their own; those sites are lcanter.win.net and msiegel.win.net.

In an article in Tuesday's _New York Times_, Mr. Carter basically said, "this was immensely profitable; we will be doing this in the future." Forewarned is forearmed...

--Wes

------------------------------

Date: Wed, 20 Apr 94 15:47:49 -0400
From: Tim Shepard
Subject: Re: MIT student arrested for BBS used ... (Cohen, RISKS-15.76)

I've been closely following the accounts of this case in the Boston Globe and The Tech (a student-published newspaper at MIT). Until your report, I had not heard any assertions that the student had actually been arrested.

According to an article in The Tech on Friday April 8th, 1994: "A federal grand jury charged an MIT student yesterday on a felony charge for allegedly allowing the piracy of over $1 million in business and entertainment software using Athena workstations."

According to an article in The Tech on Tuesday April 12th, 1994: "David M.
LaMacchia '95, who was indicted last Thursday for conspiracy to commit wire fraud, will be arraigned this Friday at the U.S. District Courthouse in Boston, according to LaMacchia's lawyer Harvey Silverglate."

Other than Cohen's article, and a couple of followup articles in RISKS DIGEST, I've seen no report that he had been actually arrested. I cannot imagine why he would need to be arrested. (I would expect that if he already has a lawyer, and the lawyer knows of the scheduled arraignment three or more days beforehand, he would most likely show up in court. Maybe I missed something. What was your source?)

-Tim Shepard

------------------------------

Date: 25 Apr 94 17:50:35
From: drand@osf.org (Douglas Rand)
Subject: Re: MIT student arrested for BBS used ... (Cohen, RISKS-15.76)

In his post, Fredrick Cohen states "An MIT student was arrested today for having a BBS at the school that was used by the participants to store and fetch commercial software." and goes on to paint the student as practically an innocent bystander caught up in other people's crimes by happenstance.

If one is to believe any of the reportage on the real incident, the student was anything but innocent. All the reportage in the Boston Globe, not known for its great sympathy with law enforcement, made it quite clear that the student actively advertised his BBS as a place to upload and download pirated software. He went out of his way to personally solicit software on at least some occasions (according to the reports).

In this, he would be guilty of various crimes regardless of the means he used to carry the crimes out. While I feel a little sorry for him, in that he probably felt he was carrying on some idealistic fight, I don't feel particularly sorry for him, and he deserves to be prosecuted.

Let's save our righteous indignation for the truly innocent, wrongly accused and persecuted by people in power.

Doug Rand
Open Software Foundation, Motif Development

------------------------------

Date: Mon, 25 Apr 1994 18:57:58 -0400
From: msb@sq.sq.com (Mark Brader)
Subject: Re: NYC subway fare cards double-deduct (Greene, Risks-15.78)

Okay, so how exactly is it possible in this system for the turnstile to (a) deduct the fare from the card, and (b) identify whose card it was, so that it won't deduct it again if the same card is re-swiped -- and yet not figure out that it now has to unlock itself?

By the way, what happens if the turnstile does unlock, and the rider hands the card back across the barrier to someone else? Will the second rider get admitted without a second fare being deducted, because the same card was used?

Mark Brader, msb@sq.com
SoftQuad Inc., Toronto

[Also related comments from dan@wais.com (Dan Aronson) and sullivan@geom.umn.edu (John Sullivan). PGN]

------------------------------

Date: Fri, 22 Apr 94 17:53:16 EDT
From: ddl@das.harvard.edu (Dan Lanciani)
Subject: Re: NYC subway fare cards double-deduct; UI at fault (Greene)

I can't let this pass without comment. Clearly this system was designed by someone obsessed with the RISKs of free rides. The only way I can imagine this kind of failure mode occurring is if they are doing something along the lines of with the improper swipe somehow interrupting the process in the middle. Now, granted, they probably teach in transaction school that you must always make these things fail in your favor, but it seems a bit overkill for a subway. In any case, with the chance to swipe again, I suspect a true cheat would find a way to substitute a different card (if even that is really necessary)...

Dan Lanciani
ddl@harvard.*

------------------------------

Date: Fri, 22 Apr 94 14:08:39 -0400
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson)
Subject: Double your pleasure in the subway (Greene, RISKS 15.78)

Wonder if they put a limit on the "swipe again" - sounds like a new kind of "family plan".

Padgett

------------------------------

Date: 15 April 1994 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks. Undigestifiers are available throughout the Internet, but not from RISKS.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA) with SUBSCRIBE RISKS or UNSUBSCRIBE RISKS as needed. Users on US Military and Government machines should contact (Dennis Rears). UK subscribers please contact . Local redistribution services are provided at many other sites as well. Check FIRST with your local system or netnews wizards. If that does not work, send requests to (not automated).

CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored. Must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. PLEASE DO NOT INCLUDE ENTIRE PREVIOUS MESSAGES in responses to them. Contributions will not be ACKed; the load is too great. **PLEASE** include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

ARCHIVES: "ftp crvax.sri.comlogin anonymousYourName cd risks: Issue j of volume 15 is in that directory: "get risks-15.j". For issues of earlier volumes, "get [.i]risks-i.j" (where i=1 to 14, j always TWO digits) for Vol i Issue j. Vol i summaries in j=00. "dir" (or "dir [.i]") lists (sub)directory; "bye" logs out. CRVAX.SRI.COM = [128.18.30.65]; =CarriageReturn; FTPs may differ; UNIX prompts for username, password.
WAIS and bitftp@pucc.Princeton.EDU are alternative repositories. risks-15.75 gives WAIS info.

FAX: ONLY IF YOU CANNOT GET RISKS ON-LINE, you may be interested in receiving it via fax; phone +1 (818) 225-2800, or fax +1 (818) 225-7203 for info regarding fax delivery. PLEASE DO NOT USE THOSE NUMBERS FOR GENERAL RISKS COMMUNICATIONS; as a last resort you may try phone PGN at +1 (415) 859-2375 if you cannot E-mail risks-request@CSL.SRI.COM .

------------------------------

End of RISKS-FORUM Digest 15.79
************************
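
Added example, not part of the digest: the login correlation Flint Waters describes in "Strange Stalking" above (every access to one account immediately preceded or followed by an access to another, from the same computer), written as a small check over login records. The log format, the account and terminal names, the control account and the five-minute window are all assumptions made for illustration.

```python
from bisect import bisect_left
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: date, time, account, source terminal.
# STUDENT is a control account that shares the lab but is unrelated.
SAMPLE_LOG = """
1994-02-01 09:02:11 HUSBAND LAB3-TTY4
1994-02-01 09:04:40 WIFE    LAB3-TTY4
1994-02-01 13:30:05 STUDENT LAB3-TTY2
1994-02-03 17:45:00 WIFE    LAB3-TTY4
1994-02-03 17:47:52 HUSBAND LAB3-TTY4
1994-02-07 08:15:30 STUDENT LAB3-TTY4
1994-02-07 11:20:10 HUSBAND OFFICE-TTY1
1994-02-07 11:21:00 STUDENT LAB3-TTY2
1994-02-09 20:10:03 HUSBAND LAB3-TTY4
1994-02-09 20:12:44 WIFE    LAB3-TTY4
1994-02-14 07:58:19 WIFE    LAB3-TTY4
1994-02-14 08:01:02 HUSBAND LAB3-TTY4
"""


def parse_logins(text):
    """Return a time-sorted list of (timestamp, account, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, account, source = line.split()
        stamp = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        events.append((stamp, account, source))
    return sorted(events)


def adjacent_logins(events, watched, other, window=timedelta(minutes=5)):
    """Split the watched account's logins into those that have a login by
    `other` from the same source within +/- window, and those that do not."""
    other_times = defaultdict(list)          # source -> sorted login times
    for stamp, account, source in events:
        if account == other:
            other_times[source].append(stamp)

    paired, unpaired = [], []
    for stamp, account, source in events:
        if account != watched:
            continue
        times = other_times.get(source, [])
        # First login by `other` on this source at or after (stamp - window).
        i = bisect_left(times, stamp - window)
        if i < len(times) and times[i] <= stamp + window:
            paired.append((stamp, source, times[i]))
        else:
            unpaired.append((stamp, source))
    return paired, unpaired


def overlap_ratio(events, watched, other, window=timedelta(minutes=5)):
    """Fraction of the watched account's logins that sit next to a login by
    `other` from the same source; 0.0 if the watched account never logged in."""
    paired, unpaired = adjacent_logins(events, watched, other, window)
    total = len(paired) + len(unpaired)
    return len(paired) / total if total else 0.0


if __name__ == "__main__":
    log = parse_logins(SAMPLE_LOG)
    for account in ("WIFE", "STUDENT"):
        ratio = overlap_ratio(log, account, "HUSBAND")
        print(f"{account:8s} logins adjacent to HUSBAND, same terminal: {ratio:.0%}")
```

A ratio near 100% for one pair of accounts, against a control account that uses the same lab and scores near zero, is the pattern the trap on the logins exposed; requiring the same source is what separates it from two people who merely keep similar hours.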