Subject: RISKS DIGEST 17.91 RISKS-LIST: Risks-Forum Digest Tuesday 19 March 1996 Volume 17 : Issue 91 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** ====> ANOTHER ITERATION ON SUBMISSIONS AND REUSE. <==== Contents: Hare Krsna chants trigger answering machine remote access (Dan Cross) Medical Device Recalls: Heart monitor (PGN) Jury-duty-pool selection-criteria risks (Varda Reisner Bruhin) FTC Targets Internet Fraud (Edupage) Iomega Stock Volatility Blamed on AOL Postings (Edupage) Risks of onboard flight manuals (Hank Nussbacher) Foreign CDA (Kurt Fredriksson) Risks of assuming all computers are PCs (Timothy Panton) PacBell ID Blocking [For California readers] (Henry Baker) Response from Strassmann/Marlow illustrates further risk (Benjamin Bokich) Flash Crowds (David M. Chess) Re: Netscape's syntax checking (Matt Welsh, Max TenEyck Woodbury) Internet Privacy and Security, Call for Papers (Joseph M. Reagle Jr.) InfoWarCon V 1996: Call For Papers (Winn Schwartau) ABRIDGED info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Mon, 18 Mar 1996 10:35:10 -0500 From: Dan Cross Subject: Hare Krsna chants trigger answering machine remote access I bought a CD by the hardcore group ``Shelter'' yesterday. They're a straight edge (that is, no drugs, alcohol, tobacco, etc) band who are also quite into Krsna consciousness. Track number 11 of this CD is a 5 minute section of Hare Krsna chanting and music. I told my girlfriend this, and she thought that it sounded kind of ``interesting.'' So, when I called her up just a second ago and her answering machine picked up, I thought it would be humorous to play the chants REALLY loud so that it would be picked up over the phone. Thinking that she might be there but just not have answered, I was holding the receiver to my ear, when to my surprise, I heard the answering machine say, ``enter access code for remote operation...''! I was quite amazed, and speculated that the chanting had had some sort of tone in it that triggered an attempt to use the remote operation facility present in most modern answering machines. The risk? Things like this go to illustrate how far our modern technical society has come, and how it has grown in many different directions at once. It is possible to say that we have advanced to such a point in so many areas that seemingly innocuous things in one (such as a track of music on a CD) can trigger *very* unexpected results in another. Dan C. ------------------------------ Date: Fri, 15 Mar 96 8:49:54 PST From: "Peter G. Neumann" Subject: Medical Device Recalls: Heart monitor Here is an item reminding us of the pervasiveness of RISKS problems: From Public Citizen's Health Research Group *Health Letter* (HRG founded by Ralph Nader and Dr. Sidney Wolfe), Mar 1996, p.8: Point of View Heart Rate and Blood Pressure Monitor (Class II Recall) Monitor resets itself causing information to be suspended, necessitating reprogramming. Model #:0998-00-0105-01, 424 units distributed world-wide Manufacturer: Datascope Corporation, Paramus NJ 800-288-2121 Recalled By: Manufacturer ------------------------------ Date: Mon, 18 Mar 1996 07:07:11 -0500 From: Varda Reisner Bruhin Subject: Jury-duty-pool selection-criteria risks Emily Green, of New Jersey, has been called to jury-duty -- but she will not be serving; she has what is being considered a "valid excuse": She needs to go to school... Emily is only 8 years old and, therefore, is not *eligible* for jury duty... So why was she even summoned in the first place? Because Governor Christine Whitman has banned all automatic exemptions from jury duty... [Source: WPVI-TV6, Philadelphia] I think the RISKs here are obvious! Varda Reisner Bruhin ------------------------------ Date: Sun, 17 Mar 1996 19:56:44 -0500 (EST) From: Educom Subject: FTC Targets Internet Fraud (Edupage, 17 March 1996) The Federal Trade Commission is conducting a "wholesale crackdown" on perpetrators of allegedly deceptive marketing schemes that are advertised in Internet news groups or on the World Wide Web. Charges were filed against nine individuals or companies accused of misleading the public, and agency officials say this is only the beginning: "The Internet opens a world of opportunities for consumers. Unfortunately, it also presents opportunities for scam artists. We intend to monitor the Internet rigorously and act decisively when we see deceptive and misleading marketing," says the director of the FTC's Bureau of Consumer Protection. (*Investor's Business Daily*, 15 Mar 1996, A4) ------------------------------ Date: Sun, 17 Mar 1996 19:56:44 -0500 (EST) From: Educom Subject: Iomega Stock Volatility Blamed on AOL Postings (Edupage, 17 Mar 1996) Iomega, maker of high-capacity removable disk drives, is the focus of controversy on America Online's Motley Fool bulletin board. Company officials have complained to the SEC that postings on Motley Fool and other BBSs have contained false information and may be contributing to the volatility of its stock. Online exposure has "raised the visibility of some stocks as well as the interest in those stocks," says an outside spokesman for Iomega. "At the same time, we're very concerned about how online services can be used to attempt to drive stock prices higher or lower through misinformation." Postings about Iomega escalated to flaming and physical threats last month, causing Motley Fool to pull some of the more offensive ones, but critics of online BBSs note Iomega's problems are a result of the practice of using "screen names" and the lack of verification of information that's posted. "You don't know if the person is a Ph.D. or in Sing Sing," says one critic. (*Wall Street Journal*, 15 Mar 1996, A5C) ------------------------------ Date: Sun, 17 Mar 96 10:02:08 UTC From: Hank Nussbacher Subject: Risks of onboard flight manuals A friend of mine is the general manager of a company called Excalibur that makes simulators of airline computers. He was recently sitting with a rep of a different company that happens to be a co-pilot of 747s. The guy wanted to buy some of Excalibur's processor cards to test out the system they are designing. What system? Turning all online airline manuals into an intelligent information system. Turns out that each 747 has a shelf of books the size of telephone books describing what to do and when to do it. The pilot was describing that it is constantly being updated by Boeing or by a specific airline and that it is close to impossible to find anything or understand anything in these onboard manuals. As an example, he produced a page from Northwest Airlines updates to the B-747 Emergency/Abnormal Procedures when there is a fuel-line blockage (17 Oct 1995, page 2.28.13): # 5. Scavenge center tank until empty. # If, after the center tank is empty, the NO 2 MAIN tank quantity is greater # than the NO 1 MAIN tank quantity plus the NO 1 RES and/or the NO 3 MAIN # tank quantity is greater than and NO 4. MAIN tank quantity plus the NO 4 # RES: Accomplish the "Inboard Dual Boost Pump Failure or Inboard X-Feed # Valve Failure Without Center Tank Fuel" procedure in this section. The pilot said ``Imagine you are 30,000 feet up and you have a fuel blockage and the co-pilot starts reading this?'' He said this is a typical type of page. The risks are obvious. Hank Nussbacher Israel ------------------------------ Date: Mon, 19 Feb 96 08:05:52 +0100 From: etxkfrn@aom.ericsson.se (Kurt Fredriksson) Subject: Foreign CDA There are two aspects of the censorship of the Internet that haven't been published in the Risks-Forum yet: 1 Even if most of the material found on the Internet is written in English, there exists material in other languages. If you are doing a search for English indecent words, I am pretty sure that you will get hits. But the word may not be indecent in the foreign language. (An innocent example: The Swedish for the digit six is "sex".) 2 How much it must hurt the feelings of the inhabitants of the country who started it all: you can't control the net. It has grown out of the control of an individual country. If every country in the world bans what they dislike, what will be left? Kurt Fredriksson, Sweden ------------------------------ Date: Tue, 19 Mar 1996 16:41:06 +0100 From: Timothy Panton Subject: Risks of assuming all computers are PCs I gave a talk at Sun's Dutch JavaDay last Thursday. In keeping with the WWW atmosphere, I presented my slides from HTML pages, and (stupidly) without notes. Two unpleasant things happened to me whilst on stage. When I walked on, the previous speaker handed me a mouse and said "You will have to plug this in". He had used it to illustrate some of the basic problems Java has to overcome (1 button vs 3 button mice). Now whilst you can unplug a mouse from a PC with out much risk, Sparcs (which is what was sitting in front of me) tend to halt if they lose contact with their rodent. Fortunately this one didn't. The second thing was *much* worse. I was demonstrating an applet I've written that monitors the status of a UPS. Due to the weight of the UPS and the security restrictions in Java, I had chosen to leave the UPS in my office, attached to my Solaris-2.4-on-intel workstation, and also run a web server there to provide the slides and the application over the live internet link Sun provided. So there I was on stage with no notes -- when the next slide refused to come up. I continued from memory and my colleague in the audience called back to the office to see what had happened. It was quickly fixed, and my talk finished ok -- but having aged me considerably. So, what had happened? One of my colleagues was looking for a PC to do some windows work, and seeing my unoccupied work place decided to shutdown Solaris and reboot it into windows. Conclusions: 1) buy post-it-notes and write "Keep off - beware of the OG" on them next time. 2) People who work with PC's assume that all computers behave the same way. Tim ------------------------------ Date: Fri, 15 Mar 1996 12:50:34 -0800 From: hbaker@netcom.com (Henry Baker) Subject: PacBell ID Blocking [For California readers] PacBell will allow you to do `complete blocking' of caller ID for *free* -- but you have to call 1 (800) 298-5000 and specifically request this. You also have to listen to this 2-3 minute canned speech extolling the virtues of caller ID before they'll let you get complete blocking. This number supposedly works 24 hours/day, 7 days/week. It's very irritating that `complete blocking' wasn't made the default, but perhaps these telecom dinosaurs will learn a lesson if most people sign up for complete blocking. Due to the number of busy signals, I gather that a lot of people aren't interested in caller ID. BTW, even if you have `complete blocking', I think that you can make your ID available on a per-call basis by predialing `*82' before the number. I understand that even complete blocking does not block (800), (900) and 976- ID's. To do that, you have to call one of these `remailer'-type services, which charge you something like $3/minute. www/ftp directory: ftp://ftp.netcom.com/pub/hb/hbaker/home.html ------------------------------ Date: Sat, 16 Mar 1996 19:22:22 -0500 (EST) From: Benjamin Bokich Subject: Response from Strassmann/Marlow illustrates further risk (17.90) Both Mr. Mayer-Schoenberger's original message as well as the response by Messers. Strassmann/Marlow point to an obvious, but often forgotten, risk regarding information on the Internet: Namely, the propensity to take anything posted or submitted at face-value and to trust someone else's words and report explicitly. (If we want to be truly cynical and doubting Thomases, we could also ask if e-mail from Dorothy Denning can be relied on to be Strassmann/Marlow's actual thoughts. I have no doubt, however, that our moderator did some checking of his own to ensure reliability.) Simply put, even in the absence of deliberate misrepresentation, any statement made on the net is subject to a certain degree of human bias. Benjamin Bokich bokich@andrews.edu ------------------------------ Date: Mon, 18 Mar 96 14:02:12 EST From: "David M. Chess" Subject: Flash Crowds For a taxonomy of risks that includes this very term, see http://www.research.ibm.com/massive/bump.html We've also got weeds, freeloaders, and Flying Dutchmen, as well as the usual Trojan horses, viruses, and worms... David Chess, IBM T. J. Watson Research ------------------------------ Date: 13 Mar 1996 10:49:47 -0500 From: mdw@CS.Cornell.EDU (Matt Welsh) Subject: Re: Netscape's syntax checking (Kamens, RISKS-17.89) Welcome to the computer industry. Companies with a large market share in a particular area are always apt to ignore the "recognized" standardization process and implement features which are (a) great for their product, and (b) probably hard to duplicate in other products. When applied to operating systems, APIs, and protocols, this can lead to serious problems, especially when those features are "proprietary". Need I cite examples? * Microsoft's Win32 API, which, interestingly enough, is being pushed through the ISO standardization process (against Microsoft's wishes). * All commercial versions of UNIX. * JavaScript. * Computer hardware, processor, and bus design, especially those systems for which NDA's must be signed to get programming specifications. All this amounts to is that "standards" are only as good as the company-centric market in which they are derived. Jonathan says that the HTML standardization process is "recognized" --- recognized by whom? Certainly not Netscape. M. Welsh, mdw@cs.cornell.edu ------------------------------ Date: Thu, 14 Mar 1996 13:52:51 -0500 From: Max TenEyck Woodbury Subject: Re: Netscape's syntax checking (Kamens, RISKS-17.89) While I do not particularly care for the way Netscape and its creators treat syntax errors, Jonathan goes much too far in his condemnation. In my view a standard is a set of minimum requirements. There are many situations when a designer may want to go beyond the standard. As long as the person responsible for the design is aware the the standard is being broached, and what the consequence of that departure from the standard are, and is willing to take responsibility for those consequences, that person should be allowed to do what he or she wants. However, the existence of Netscape's or any other extensions to the HTML standard should NOT be subject to debate. Without an ability to try new things, a standard becomes an inescapable cage, and that which is confined to the cage will eventually die of starvation. Jonathan, in condemning the Netscape extensions, is attacking the wrong problem. If he did succeed in getting what he wanted, we would all loose by it. On the other hand, the creators of Netscape must recognize that it is one of the tools, and sometimes the only tool other than a simple text editor, used to design web pages and has to provide a mode where departures from the standard can be flagged. While I am not positive what the consequence of a failure to provide such a flag will be, I suspect that Netscape will loose some market share to any decent browser that does provide such a capability. Max TenEyck Woodbury ------------------------------ Date: Fri, 15 Mar 1996 12:17:23 -0500 From: "Joseph M. Reagle Jr." Subject: Internet Privacy and Security, Call for Papers CALL FOR PAPERS INTERNET PRIVACY AND SECURITY WORKSHOP Haystack Observatory, MA May 20-21, 1996 Privacy and Security Working Group Federal Networking Council Research Program on Communications Policy Center for Technology, Policy, and Industrial Development Massachusetts Institute of Technology INVITATION The Privacy and Security Working Group (PSWG) of the Federal Networking Council (FNC) and the Research Program on Communications Policy of the Center for Technology, Policy, and Industrial Development at the Massachusetts Institute of Technology will hold an invitational workshop at the Haystack Observatory outside of Boston, MA, on May 20-21, 1996. This workshop is intended to bring Federal, academic and private sector participants together in collaboration to develop strategies and potential solutions related to Internet privacy and security. Though a principal focus of the workshop will be on the Federal portion of the Internet, the FNC recognizes that the Federal Internet is tightly coupled with the Global Internet, whose security policies, practices, and goals are complementary to those of the Federal Government. To define those practices, procedures and goals, the PSWG has undertaken two major initiatives: - The Federal Internet Security Plan (FISP), which was developed as a scalable, continual improvement process, based on common principles and mechanisms compatible with Internet community values and needs; and - The Collaborations in Internet Security (CIS) project, an effort aimed at testing the strength of agency approaches to security and moving these technologies beyond individual agency networking environments and into both inter-agency and agency-commercial sector communications. The CIS will result in the development of a new and sustainable process for developing, integrating, and deploying security technologies that are interoperable at all levels of the Federal government and within the commercial and academic sectors. These initiatives are intended to highlight the critical interface between Federal and commercial users and developers of Internet services and technologies. OBJECTIVES This workshop will bring together principal players in the Federal and overall Internet community to discuss the problems and challenges of privacy and security on the Internet, and will: - Identify critical issues, requirements, and recommendations related to future Internet privacy and security research and development efforts; - Describe "best practice" approaches to Internet privacy and security; - Develop specific strategies for implementing Internet Security programs involving all sectors of the Internet community; - Extend the Federal Internet Security Plan (FISP) by defining specific implementations; and finally, - Develop specific strategies for the migration of technologies from the individual RFC unit test stage to the integration of a complete functional managed system in the CIS test/demonstration/pilot projects. SUBMISSIONS Abstracts or complete paper drafts related to the topics listed above are welcome. Accepted papers will be a part of the published record of the workshop. All points of view on Federal policies affecting Internet privacy and security are welcome. Please make all electronic submissions in ASCII format. For further information or to submit an abstract or paper contact: Internet Security and Privacy Workshop c/o Joseph Reagle Research Program on Communications Policy Massachusetts Institute of Technology One Amherst St. (E40-218) Cambridge, MA 02139 Voice: (617) 253-4138. Fax: (617) 253-7326 papers@rpcp.mit.edu SCHEDULE and DEADLINES Call for papers - March 14, 1996 Abstracts Due - April 14, 1996 Invitations to Participants - April 20, 1996 Revised/Completed papers due - May 19, 1996 Workshop - May 20-21, 1996 PARTICIPANTS Participation in the workshop is by invitation, based primarily on submitted papers and abstracts. Additional individuals may be invited to ensure that participation reflects a broad cross-section of the Internet community. PROGRAM COMMITTEE Dennis Branstad - Trusted Information Systems (TIS) Rich Pethia - Computer Emergency Response Team (CERT) Jeffrey Schiller - Massachusetts Institute of Technology (MIT) Richard Solomon - Massachusetts Institute of Technology (MIT) Rick Stevens - Department of Energy /Argonne National Labs (DOE) STEERING COMMITTEE Stephen Squires, DARPA (FNC/PSWG Co-Chair) Dennis Steinauer, NIST (FNC/PSWG Co-Chair) Tice DeYoung, NASA Phillip Dykstra, Army Research Laboratory (ARL) Mike Green, NSA George Seweryniak, Department of Energy (DOE) Walter Wiebe, Federal Networking Council (FNC) BACKGROUND Federal Internet Security Plan: In September 1995, the PSWG published the draft Federal Internet Security Plan (FISP). The FISP is oriented toward a scalable, continual improvement process, based on common principles and mechanisms compatible with Internet community values and needs. See . The plan addresses Internet security requirements, including interoperability, from the perspective of the goals and objectives outlined in the National Performance Review (NPR), http://www.npr.gov/. The Federal Networking Council developed this framework in conjunction with its Advisory Committee which represents industry, academia, and non-profit sectors. Action Items, from the FISP, to be addressed during the Workshop: Internet Security Policy and Policy Support Activities * Establish overall Internet security policies * Address security in all Federally supported NII pilots * Coordinate Internet community involvement * Establish an ongoing Internet threat database and assessment capability * Identify legal and law enforcement issues Internet Security and Technology Development * Develop an Internet security maturity model * Develop Internet security architecture * Enhance Internet security services and protocols * Develop a "Secure-Out-of-the-Box" endorsement * Enhance application security Internet Security Infrastructure * Establish a set of Internet security interoperability testbeds * Support privacy, authentication, certificate, and security services pilots * Establish Internet security testing and evaluation capabilities * Improve security incident handling capabilities * Develop security self-assessment capabilities * Establish effective secure software and document distribution mechanisms Education and Awareness * Compile Internet user and site profiles * Encourage use of available security technologies * Establish an Internet security information server * Establish an Internet security symposium/workshop series * Establish an Internet security fellowship program Collaborations in Internet Security: With the Federal government's ever-increasing dependency on computers and distributed systems, there is great urgency for it to develop and employ enhanced information system security technologies and practices. At the same time, these Federal technologies must interoperate with those of the broader Internet community (encompassing the private and academic sectors, along with the Federal sector). In recognition of these needs, the Federal Networking Council's Privacy & Security Working Group (FNC/PSWG) has been awarded a National Performance Review (NPR) Innovation Fund grant to compare and validate agency approaches to security. This Collaborations in Internet Security (CIS) project aims to test the strength of these technologies beyond individual agency networking environments, emphasizing the inter-agency and agency-commercial sector communications. The CIS will result in the development of a new and sustainable process for developing, integrating, and deploying security technology that is interoperable at all levels of the Federal Government and within the commercial and academic sectors. The governing principles behind the Security Testbeds include: employment of an open process (with the activities and results open to participation and comment by both public and private sector participants); a focus on multivendor technologies; an emphasis on testing and experimentally deploying security technologies emerging from research and private sectors as well as security technologies currently in use in the commercial environment; and an underlying objective to ensure interoperability among the broad Internet community (federal, private, and academic). Initial tests will include demonstrations of Kerberos v.5, testing of single-use passwords, and digital signatures. For more information, please see (http://www.fnc.gov/cis_page.html) ------------------------------ From: winn@Infowar.Com Date: Sat, 16 Mar 1996 23:01:35 -0500 Subject: InfoWarCon V 1996: Call For Papers InfoWarCon 5, 1996 Fifth International Information Warfare Conference "Dominating the Battlefields of Business and War" September 5-6, 1996 Washington, DC Sponsored by: Winn Schwartau, Interpact, Inc. National Computer Security Association Robert Steele, Open Source Solutions, Inc. Information Warfare represents a global challenge that faces all late-industrial and information age nation states. It also represents the easiest and cheapest way for less developed nation-states and religious or political movements to anonymously and grievously attack major nations and international corporations. This Fifth International Conference on Information Warfare is an unclassified, open source conference, and will examine US and global perspectives on all three classes of Information Warfare: Class One: Personal Privacy: In Cyberspace You Are Guilty Until Proven Innocent Class Two: Industrial and Economic Spying and Warfare Class Three: Global Conflict, Terrorism and the Military The three planned tracks will be: * Financial/Civilian Information Warfare (Class I and Class II) * Military and Terrorist Information Warfare (Class III) * Offensive and Defensive Technologies for Business and Government (Classes I, II and III) We are seeking forward-thinking papers, demonstrations and interactive concepts for presentation to an audience of 1000+, representing civilian and military from more than 20 countries, all branches of the US government and the top US corporations. The papers should offer new perspectives, attitudes, studies, and technologies that can be used for the advancement of the field. You are free to submit on any subject matter, including, but not limited to: - Battlefield Dominance - Industrial Espionage: cases, policies and defense. - Military perspectives on "Information in Warfare" - Policy Quagmires - Policy Resolutions - Personal Privacy in the global marketplace - Denial of Service techniques and technologies for the private sector and the military - Terrorism and Counter-terrorism - Defending Against the Internet: new techniques and methods - Threats to Global Electronic Commerce and Solutions - Anonymous International Banking - The convergence of the commercial and military in the Post Cold War World - InfoWar Technologies - Case Studies - Your Thoughts and Ideas Please submit your 1-2 page concept white papers no later than May 5, 1996. The evaluation committee will let you know the results by May 15, at which point we will need your complete submission no later than July 15, 1996. Send you papers to Betty@Infowar.Com For sponsorship opportunities and registration information at InfoWarCon V 1996, please contact: National Computer Security Association 1.800.488.4595 pgates@ncsa.com or infowar96@ncsa.com Winn Schwartau - Interpact, Inc., Information Warfare and InfoSec V: 813.393.6600 / F: 813.393.6361 Winn@InfoWar.Com ------------------------------ Date: 18 March 1996 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: ABRIDGED info on RISKS (comp.risks) The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks. SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. [...] DIRECT REQUESTS to (majordomo) with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] INFO [for unabridged version of RISKS information] CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored. Must be relevant, sound, in good taste, objective, cogent, coherent, concise, nonrepetitious, and without caveats on distribution. Diversity is welcome, but not personal attacks. [...] ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Particularly relevant contributions may be adapted for the RISKS sections of issues of ACM SIGSOFT Software Engineering Notes or SIGSAC Review. * Submissions: By submitting an item that is accepted for publication in RISKS, the author grants permission for unlimited public distribution and redistribution in electronic or other form. * Reuse: Blanket permission is hereby granted for reuse of all materials in RISKS, under the following conditions. All redistributed items must include the Risks-Forum masthead line. All reuse must be accompanied by the following statement: Reused without explicit authorization under blanket permission granted for all Risks-Forum Digest materials. The author(s), the RISKS moderator, and the ACM have no connection with this reuse. As a courtesy, reusers of individual items (as opposed to forwardings of entire issues) should notify the authors, and should pay particular attention to any subsequent corrections. RISKS ARCHIVES: "ftp ftp.sri.comlogin anonymous[YourNetAddress] cd risks or cwd risks, depending on your particular FTP. [...] [Back issues are in the subdirectory corresponding to the volume number.] Individual issues can be accessed using a URL of the form http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue] ftp://ftp.sri.com/risks The ftp.sri.com site risks directory also contains the most recent PostScript copy of PGN's comprehensive historical summary of one liners: get illustrative.PS PRIVACY: For info on the PRIVACY Forum Digest and Computer PRIVACY Digest, see the unabridged INFO file at RISKS-Request (send one-line message INFO to risks-request@CSL.sri.com as noted above). ------------------------------ End of RISKS-FORUM Digest 17.91 ************************