precedence: bulk
Subject: RISKS DIGEST 19.34

RISKS-LIST: Risks-Forum Digest  Tuesday 26 August 1997  Volume 19 : Issue 34

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****

  Contents:
AOL users hit by e-mail scam and Trojan horse URL (PGN)
Network Solutions goof bumps NASDAQ off the Internet (Will Rodger)
Computer malfunction floods Boulder garages and basements (S.J. Hutto)
Carlos Salgado Jr. pleads guilty (PGN)
Tobacco Deal Could Set Precedent for Would-be Net Censors (Edupage)
Spelling checker not up on U.S. Marines (Julie Bird via Mike Linksvayer)
Amazon.com countersues Barnes & Noble (Edupage)
Florida to Automate Traffic Citations (Geoff Kuenning)
Cockpit data wiped by RF interference? (Imran via Matt Clauson)
The Auditor Might Notice Your Bad Data (Scot E. Wilcoxon)
Netscape Communicator 4.02 and 4.01a allow disclosure of passwords (Andre L. Dos Santos)
Mac/Unix security e-mail exchange (Martin Minow)
Direct action to "sting" the junk e-mailers -- RISKy? (Max Stern)
Re: USC 47:227 (Mich Kabay)
Re: Software copying a felony (James L. Peterson)
Re: Risks, Reliability, Regulation, Infrastructures (Henry G. Baker)
Re: SET Risks (Jerome Svigals)
Re: Stiction (Frank Hausman)
A book on computers and the law by Curtis Karnow (PGN)
"Trapped in the Net" by Gene I. Rochlin (Hans-Juergen Schneider)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 26 Aug 97 8:04:17 PDT
From: "Peter G. Neumann"
Subject: AOL users hit by e-mail scam and Trojan horse URL

Subscribers of America Online recently received e-mail apparently from AOL's chief of Member Services, entitled ``Important AOL Information'' and giving an update on AOL's efforts to improve its service.
At the end was a URL to a letter from AOL Chairman Steve Case, in which readers were asked to give their name, address, home phone, and credit-card number to update AOL's new computers. Surprisingly to most victims (AOL's subscribers include many online novices, more of whom should be reading RISKS!), the file being updated was that of a scammer who simply raked in the information. (It was not specified whether his/her identity had been determined.)

[Source: An item by Rajiv Chandrasekaran, *Washington Post*, 26 Aug 1997, seen in the *San Francisco Chronicle*, p. A3. PGN Stark-Abstracting]

[See RISKS-19.07,11,26,27,28 for other recent items on AOL.]

------------------------------

Date: Fri, 22 Aug 1997 11:41:24 -0400
From: Will Rodger
Subject: Network Solutions goof bumps NASDAQ off the Internet

[PGN Abstracting, from article by Will Rodger, from Inter@ctive Week Online, 21 Aug 1997, 9:14am PDT, http://www5.zdnet.com/zdnn/content/inwo/0821/inwo0002.html]

The NASDAQ stock exchange was knocked off much of the Internet for several hours on 19 Aug 1997 as a result of administrative errors at the InterNIC, a centralized Internet address clearinghouse run by Network Solutions Inc. of Herndon, Va., NASDAQ officials said Wednesday.

Though the problem was initially invisible to NASDAQ, which maintains its own database of Internet addresses, the temporary suspension of access to the exchange's site blocked users of major computer networks -- including those owned by IBM Corp., MCI Communications Corp., PSINet Inc. and UUnet Technologies Inc. -- from getting to the site. As a result, NASDAQ was unreachable to most Internet users for at least several hours Tuesday morning. Problems with the Web site had no effect on the functioning of NASDAQ itself.

The snafu was due to a clerical error at NSI, which evidently lost track of NASDAQ's $50 fee, submitted in October 1996.

Will remarked that things like this seem to be occurring more often.
The weekend before, more than 5,000 Web sites were blocked for over 24 hours, when Web Communication Inc and other domains were bumped from the Internet after a screwup in routine InterNIC maintenance. Will also mentioned the disappearance of .com and .net, noted earlier in RISKS (Pouzzner, RISKS-19.25).

------------------------------

Date: Mon, 25 Aug 1997 09:22:27 -0700 (PDT)
From: shutto@psibertech.com
Subject: Computer malfunction floods Boulder garages and basements

Subtitle: Error makes mains exceed their capacity

Reported by the *Rocky Mountain News,* 25 Aug 1997.

"Officials blamed a malfunctioning computer for five water main breaks late Saturday that cut service to about 40 homes, flooded basements and garages and turned city streets into rushing streams."

A computer controlling water pressure gave inaccurate readings (presumably lower than actual?), prompting a city worker to open up the mains.

The full article is online for a few days at http://www.rockymountainnews.com/news/0825wat3.htm

S. J. Hutto, pSIBER Technologies Inc. http://www.psibertech.com

------------------------------

Date: Tue, 26 Aug 97 8:13:05 PDT
From: "Peter G. Neumann"
Subject: Carlos Salgado Jr. pleads guilty (Re: RISKS-19.19)

Carlos Felipe Salgado Jr. ("Smak") has pleaded guilty before his trial. As reported in RISKS-19.19, an FBI sting had paid him $260,000 for a diskette with personal data on more than 100,000 credit-card holders that he had obtained by hacking into company databases on the Net. The maximum penalties reported earlier have apparently been doubled -- up to 30 years in prison and fines up to $1 million.
[Sources: AP and others, 26 Aug 1997]

------------------------------

Date: Sun, 24 Aug 1997 09:46:40 -0400
From: Edupage Editors
Subject: Tobacco Deal Could Set Precedent for Would-be Net Censors (Edupage)

A little-noticed clause in the recently proposed $368-billion deal struck between the nation's largest tobacco sellers and states' attorneys general states, "The new regime would ... prohibit tobacco product advertising on the Internet unless designed to be inaccessible in or from the United States." Critics note that if the settlement becomes law, that clause could set a disturbing precedent for restricting all forms of online speech, and could encourage other countries to emulate these restrictions or make them even tougher. Any company with a global commercial presence, says a law professor at University of California at Los Angeles, would be forced to limit its online presence to whatever is allowed by the most restrictive country it does business in. (*Investor's Business Daily*, 22 Aug 1997; Edupage, 24 Aug 1997)

------------------------------

Date: Wed, 20 Aug 1997 15:01:44 -0700
From: mlinksva@netcom.com (Julie Bird via Mike Linksvayer)
Subject: Spelling checker not up on U.S. Marines (from BONG Bull No. 437!)

Julie Bird at the *Air Force Times* reported a spelling-checker gaffe that could have caused combat-relevant complications. The spelling checker rejected the Marine motto 'Semper Fi' and recommended 'Semi-pro fiddles' instead. The copy editor then accepted the change, although it was caught before publication.

[Violins? Nonviolence? Puttering around? Meddling? Perhaps the spelling checker was written for the U.S. Navy, where a fiddle is a something aboard ship that keeps dishes from sliding around. This case is quite a stretch; perhaps checkers are getting ever more imaginative these days. This item from Julie Bird, abstracted for RISKS, is excerpted from BONG Bull, The Burned-Out Newspapercreatures Guild's Newsletter, #437.
To subscribe: e-mail to listserv@netcom.com, with text subscribe bong-l PGN]

------------------------------

Date: Sun, 24 Aug 1997 09:46:40 -0400
From: Edupage Editors
Subject: Amazon.com countersues Barnes & Noble (Edupage)

In the latest assault in the escalating battle between pioneer online bookseller Amazon.com and Barnes & Noble, Amazon.com has filed a countersuit against Barnes & Noble, alleging that the bricks & mortar entity should be charging sales tax on the books it sells over the Internet. Amazon's argument is based on the fact that B&N, unlike Amazon.com, has a physical presence in most states through its chain of 1,000-plus stores that therefore constitute the "nexus" of activity in each state. An attorney for B&N says there is "no basis whatever" for Amazon's claim. In May, Barnes & Noble filed suit against Amazon.com, saying its claim to be "the world's largest bookstore" was false advertising. (Wall Street Journal 22 Aug 97; Edupage, 24 Aug 1997)

------------------------------

Date: 22 Aug 1997 23:38:07 GMT
From: geoff@ficus.cs.ucla.edu (Geoff Kuenning)
Subject: Florida to Automate Traffic Citations

An article on Clarinet (22 Aug 1997) tells us that Florida has let a $6.2 million contract to Unisys to automate the issuance of traffic citations. Troopers will "be armed with pen-based laptop computers and printers. The laptops...will 'recognize' the troopers' hand printing and automatically convert it to easily readable text."

Anybody care to predict the number of traffic tickets thrown out of court over the next several years because they were issued to the wrong people? The one saving grace is that the motorist gets a printout with a copy of the ticket. But I can just see the poor innocent party who has to prove that he was in Bangladesh on the day that somebody with a similar license number ran a red light.

Didn't they learn from the Newton?
Geoff Kuenning geoff@fmg.cs.ucla.edu http://fmg-www.cs.ucla.edu/geoff/

------------------------------

Date: Mon, 25 Aug 1997 21:18:57 -0600 (MDT)
From: Matt Clauson
Subject: Cockpit data wiped by RF interference? from Imran

The forwarded message below was sent to the "DefCon Stuff List" (dc-stuff@dis.org, majordomo@dis.org for information, sub/unsub requests, etc.).

My concern is this: why would an aircraft designer take RISKs with passenger safety by installing (apparently, at least to me) non RF-shielded equipment that can be damaged by the RF output from a 3 watt 800MHz RF signal (saying the phones are analog), not to mention several computers? I have several computers, radios, etc. here on the ground (producing a lot of RF, spurious and non) and I have no problems with 3 watts of 800MHz RF.

If that little RF can wipe an aircraft computer, what could it do to major office buildings, etc. where cell phones are used in MUCH closer proximity to computers (and sometimes much more sensitive ones).

Matt

- ---------- Forwarded message ----------
Date: Mon, 25 Aug 1997 09:07:54 +0300
>From: Imran
To: DC-Stuff
Subject: Can your cell-phone hijack a plane?

Yesterday I read an article in a local newspaper describing how it is illegal to take all your weapons and explosives on flight -- except for your cell-phone and laptop. Last week a flight inbound for London from Istanbul had to crash land in Switzerland because all the cockpit data got wiped off because of a cell-phone. At the specific moment two people were talking and three had their phones open. Police are still investigating. [...]
------------------------------

Date: Tue, 26 Aug 1997 11:43:21 -0500 (CDT)
From: sewilco@fieldday.mn.org
Subject: The Auditor Might Notice Your Bad Data

A Florida state agency auditing group (OPPAGA) reported:

Best agency answer to data question: When asked to explain why its data base showed that lab tests of water quality samples were completed before the samples had even been collected, agency staff provided the following memo:

Top 10 Reasons Why Data is Analyzed Before it is Collected

10. We practice Zen and the Art of Ground Water Sampling.
 9. We can impress auditors that way.
 8. We can tell whether collecting the sample will be worth our time.
 7. We get results much sooner this way.
 6. It saves money.
 5. It lets us know what type of sample we need to take.
 4. We can notify the well owner that we have a hunch their well should be tested.
 3. Our lab has an incredible turn around time.
 2. The lab transmits data faster than light speed, so it arrives before it is sent.
 1. Our computer's clock battery has been dead since 1992, so every sample gets that creation date.

Quoted in: http://www.ncsl.org/programs/fiscal/nlpes/nlp96-64.htm

Scot E. Wilcoxon sewilco@fieldday.mn.org

------------------------------

Date: Mon, 25 Aug 1997 15:45:56 -0700 (PDT)
From: "Andre L. Dos Santos"
Subject: Netscape Communicator 4.02 and 4.01a allow disclosure of passwords

Using the latest Netscape Communicator we are able to get your credit card number, password for online banking or online brokerage order, etc, only restricted by the imagination of the malicious server implementer. This is due to a flaw in Javascript identified by the Reliable Software Group at University of California Santa Barbara. It enables a malicious site to track all activities of a user in the Internet.
Besides being able to get this information, which violates the user's privacy, by using an ingenious technique we are able to target chosen pages and use a fake server to convince the user to type in privileged information.

We submitted a security bug report to Netscape, but we believe that this is a very serious threat, which is easy to implement. As such it should be widely disseminated. This flaw was tested in Netscape Communicator 4.01a, the latest version of Netscape, and it is described, together with other attacks in our paper at http://www.cs.ucsb.edu/~andre/attack.ps.

Netscape has released a new version of Communicator for Windows 95/NT. It is Netscape Communicator 4.02. In this version our attack is much more threatening. This is because on the previous version the access on the location object was better implemented and in order to get a string value to this object we had to close a second browser we opened. Using the new version of Netscape we are able, using an infinite loop, to access the string that represents the location object, against the security policy of Javascript. Therefore, using this version, we don't even need to close the second browser.

We are still investigating which other security policies are badly implemented in this new version of Netscape Communicator.

Andre L. dos Santos, Reliable Software Group
University of California Santa Barbara

------------------------------

Date: Tue, 26 Aug 1997 09:42:52 -0700
From: Martin Minow
Subject: Mac/Unix security e-mail exchange

After the recent security breach of the "Crack-A-Mac" server (which has now been compromised three times), Ric Ford's Macintouch web-site provides an interesting e-mail exchange comparing the relative security of Macintosh against Unix systems. To quote one respondent:

"Because the Mac was not made to be a networked computer, it is infinitely more secure than a UNIX box. If you are running plain vanilla Webstar on a Mac, you are safe. Period.
If you are running plain vanilla Apache (or other UNIX webserver) on a UNIX box, you are toast if there is a determined hacker. Only the most dedicated SysAdmins can keep up with all the CERT advisories and patches... and even if you do, there will be holes. Whether it be a NIS hole, a finger hole, a telnet bug, or what have you, there will always be one more hole than fix on a UNIX box."

The exchange is at .

Macintouch is a daily newsletter with hints and comments on the Macintosh written by a columnist for Macweek magazine. It is at .

Martin Minow minow@apple.com

[Infinitely, eh? Wow, that is *really* impressive! PGN]

------------------------------

Date: Tue, 26 Aug 1997 10:06:32 -0400 (EDT)
From: MaxStern@aol.com
Subject: Direct action to "sting" the junk e-mailers -- RISKy?

I recently saw a new anti-junk-e-mail tactic which, at first glance, struck me as a great idea. The concept is to "sting" the producers of bulk e-mail mailing lists by including something like the following in your .sig:

  And for you automated e-mail junk-mailers out there, here is a list of the current board of the Federal Communications Commission:
    Chairman Reed Hundt: rhundt@fcc.gov
    Commissioner James Quello: jquello@fcc.gov
    Commissioner Susan Ness: sness@fcc.gov
    Commissioner Rachelle Chong: rchong@fcc.gov
  And let's help you send some junk mail to the USPS, too: customer@email.usps.gov

This is based on the assumption that the junk list compilers sift entire Usenet News articles (not just the "From:" lines) for any syntactically valid e-mail addresses. The e-mail addresses listed above will thus be included on the compiled lists; then these worthy individuals will receive any junk mail sent by anyone using said lists. Since these people have influence on public policy, it is hoped that the annoyance of actually receiving as much junk mail as the rest of us do will push them in the direction of strong sanctions against such junk mail.
Where I work, we have been having a discussion in-house about whether or not doing this is advisable. The strongest objection that I have seen is that by including such addresses in one's e-mail, one is actually contributing to junk mail, and thus acting contrary to the same anti-junk-mail principle that one is trying to promote. Also, if one does it from one's company account, one may be acting against the corporate policy for internet use; and finally, there is the issue of contributing to a violation of the right to privacy (here meaning the right not to be harassed) of the public individuals cited.

I find these contra arguments not completely persuasive, but I am still undecided. The final RISK that I can see is that we may actually influence the policy-makers to take some action, but that action may turn out different from our expectation and preference.

Max Stern, Sherman Oaks, CA

------------------------------

Date: Tue, 26 Aug 1997 07:00:42 -0400
From: "Mich Kabay [NCSA]"
Subject: Re: USC 47:227 (Sprunk, RISKS-19.33)

Unsolicited commercial/propaganda e-mail subject to legal action. Under US Code Title 47, Sec.227(a)(2)(B), Sec.227(b)(1)(C), and Sec.227(b)(3)(C), a State may impose a fine of not less than $500 per message. Read the full text of Title 47 Sec 227 at http://www.law.cornell.edu/uscode/47/227.html

This text deals with unsolicited commercial _telephone_ calls and _faxes_, not explicitly with junk e-mail.

For a pessimistic analysis of the argument that existing federal laws cover junk e-mail, see "Garbage In: Emerging Media and Regulation of Unsolicited Commercial Solicitations" by Michael W. Carroll. This jurist provides a thorough and award-winning review of the applicability of such laws to junk e-mail, especially section 2a, "Has Congress Already Banned Spamming?" His answer is, alas, "No."

SPAM DELENDUM EST!

M.E.
Kabay, PhD, CISSP (Kirkland, QC), Director of Education
National Computer Security Association (Carlisle, PA) http://www.ncsa.com

[I read the sections and concluded that it is not a black-and-white issue. However, a suit in progress could clarify the issue somewhat. PGN]

------------------------------

Date: Fri, 22 Aug 1997 14:34:34 -0500
From: peterson@austin.ibm.com (James L. Peterson)
Subject: Re: Software copying a felony (Edupage, RISKS-19.28)

Does the proposed Goodlatte legislation say that the copying has to be illegal? (The Edupage squib did not say.) If not, we should be able to put those felons at Microsoft and Sun and IBM and HP away for years for all that software that they copy and sell. About the only people who wouldn't be felons here would be GNU since their software is free and they can copy it as many times as they want and not reach the $5,000 limit. But I suspect Microsoft thinks Windows95 is worth at least $1 and they have probably made over 5000 copies, so lock them up!

[This reminds me of the original California computer crime legislation, which said in effect that it is illegal to read, write, alter, or delete data. Perhaps it still does. I once chided someone in Sacramento for that, and he said, "Oh, but we'd never use it on someone who wasn't doing something wrong." PGN]

------------------------------

Date: Fri, 22 Aug 1997 11:56:31 -0700 (PDT)
From: hbaker@netcom.com (Henry G. Baker)
Subject: Re: Risks, Reliability, Regulation, Infrastructures (Ware, R-19.33)

Methinks the Beltway Bandit doth protest too much!

For some reason, bureaucrats and their Beltway Bandit lackeys always assume that more regulation is better than less regulation. In this case, Willis is arguing that "the system ain't broke, so don't fix it".

I would argue that the system _is_ broken, and it is badly broken.
Here in California we pay twice as much for our electricity as people in other states, and many of these costs were _caused_ by the politicians and the bureaucrats themselves in the first place. We're not happy about paying for these hare-brained ideas like nuclear power plants and doctor/dentist-taxshelter windmills. I, and nearly everyone I know, could afford to purchase a backup generator _every year_ for what we pay in excess electricity costs.

The Internet works precisely because it dispenses with link-by-link guarantees, and uses end-to-end protocols. Its openness encourages innovation -- something that the electrical utilities have discouraged for the past 80-100 years.

Perhaps the myth of 'economies of scale' that the utilities have wrapped themselves in for the past 100 years is just that -- simply a myth. Or if the economies of scale exist, but never make it to the customer, then they don't matter.

The best place to put redundancy is at the customer level, where each customer can optimize for his own goals and costs.

Henry Baker ftp://ftp.netcom.com/pub/hb/hbaker/home.html

------------------------------

Date: Sun, 24 Aug 1997 08:39:21 -0700
From: smartcard@sprynet.com
Subject: Re: SET Risks (Sterling, RISKS-19.33)

Unfortunately, this response demonstrates the problems with the SET process:

1. It is highly dependent on an Electronic Wallet, which is never discussed in the SET process.

2. It is highly dependent on who the user of the wallet is, which is never discussed in the SET process, nor is how to identify the user discussed.

3. The very practical issue of carrying the user's certificate between PCs is never discussed in the SET process. SET ignoring this issue and its security demands doesn't make the issue go away! Not addressing mobility ignores the issue that insiders will use those techniques to overcome SET protection.

4. The issue of insiders usurping complete certificate messages is never discussed in the SET process.
This must be a very serious issue since the card associations have already published a disclaimer. See the V/MC press release of 8/6/97. It establishes the SET Mark (a trade mark like symbol) for SET acceptable web pages. The release clearly states the purpose to be "...to use their cards on marked web sites WITHOUT ANY WORRY OF THEIR CARD DETAILS BEING INTERCEPTED." (my capitalization). Are they so naive as to think there will not be counterfeit SET marks on unauthorized web pages? Any security solution that depends on the user or employee actions is known to be ineffective.

5. The history lesson that software exposures exist in the current card system anyway, misses the point. SET is supposed to be the NEW invincible solution and doesn't fix this known exposure.

6. The attempt to disassociate the SET process from the vendor implementation flies in the face of a card association PR campaign to enumerate the outside vendor role in making SET happen. It flies in the face of intense vendor promotion of the SET process as their basis for selling the new invincible SET solutions - which we are now told has some of the same shortcomings as the current software solutions.

7. The response that consumers will not have much choice is wrong. The Mondex system completely bypasses the SET complex 26 step process with a demonstrated card-to-card security solution usable through open systems. Mondex USA has announced significant roll out this and next year. The concepts are being tested by Citibank (with the Verifone Personal ATM, phone connected device), and Chase (with Mondex units) in the early 1998 major field test in New York early next year. All the banks and credit unions of Canada have announced Mondex use. Also, several USA financial institutions have announced that Mondex smart cards will carry both USA and Canadian dollars, and will carry cash, debit and credit funds.

I would be a little worried at the card associations.
The associations can not continue to stonewall smart card credit cards in the United States. In fact, smart cards (NOT addressed in the SET process) would go a long way to overcome the SET deficiencies I have discussed in this note. Or, maybe this message from Mr Sterling is notice that MasterCard (51% owner of Mondex International) is about to suppress Mondex use in the USA.

In summary, the credit-card associations and their SET process can't have it both ways. To offer the invincible Internet solution - but keep the old problems. To offer the SET process but ignore the shortcomings of the vendor implementations. To offer an open system, Internet, solution and then to ignore smart card benefits and the practical issue of SET process mobility between the five PCs in my life. (home, office, laptop, hotel and the company I am visiting.)

jerome svigals, smartcard@sprynet.com

------------------------------

Date: Fri, 22 Aug 1997 16:14:01 -0700
From: Frank Hausman
Subject: Re: Stiction

Addendum to the stiction item:

On a very stuck Seagate hard drive, after dropping, smacking, and spinning the drive on its axis didn't unstick the heads from the disk, I took The Final Desperate Measure.

Clean-area precautions were taken: hands were scrubbed and a Hefty-brand portable clean room was prepared. After the "warranty void if removed" drive lid was removed, the platter was turned by hand with about ten pounds of force and the lid was reattached. The drive powered up with no ping, ding, or screech sounds and valuable data was copied off as fast as fingers could fly. It worked for a year afterwards, after which the whole computer was decommissioned.

When a friend's hard disk drive stuck badly, I made _him_ do it. Same results.

The following mysteries remain: Were the environmental dust particles large enough to be simply spun off the platter? Was the garbage bag so static-ridden that it acted as a dust trap? Exactly how much luck was involved?
Does this sort of thing work all the time?

Of course, this is a RISK to any older in-service hard disk: tamper-labels should be inspected.

------------------------------

Date: Fri, 22 Aug 97 11:54:24 PDT
From: "Peter G. Neumann"
Subject: A book on computers and the law by Curtis Karnow

Curtis E.A. Karnow, Future Codes: Essays in Advanced Computer Technology and the Law, Artech House, Boston and London, 1997 (xii+276)

Curtis Karnow is a practicing attorney in San Francisco with considerable experience as a federal prosecutor and judge. His background includes many cases relating to computers and risks. This book brings together new material with a collection of thoughtful essays he has written (e.g., in Leonardo Electronic Almanac, WiReD and law reviews). It could be of great interest to many RISKS readers interested in the law. This is a crossover book that makes it very clear why computer folks need to know much more about the law, and why lawyers need to know much more about computer technology.

------------------------------

Date: Fri, 22 Aug 1997 19:41:35 +0200
From: "Hans-Juergen Schneider"
Subject: "Trapped in the Net" by Gene I. Rochlin

Trapped in the Net
The Unanticipated Consequences of Computerization
By Gene I. Rochlin
Published by Princeton University Press
310 pages
Hardback: 0-691-01080-3

Having only read the first chapter so far this book appears to discuss a lot of issues relevant to RISKS and can be found at: http://pup.princeton.edu/books/rochlin/

------------------------------

Date: 1 Apr 1997 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.

=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Or use Bitnet LISTSERV.
   Alternatively, (via majordomo) DIRECT REQUESTS to with one-line,
     SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or
     INFO [for unabridged version of RISKS information]

=> The INFO file (submissions, default disclaimers, archive sites, .mil/.uk subscribers, copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html
     ftp://www.CSL.sri.com/pub/risks.info
   The full info file will appear now and then in future issues.
   *** All contributors are assumed to have read the full info file for guidelines. ***

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.

=> ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com
     login anonymous
     [YourNetAddress]
     cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 18" for volume 18]
   or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
   The ftp.sri.com site risks directory also contains the most recent PostScript copy of PGN's comprehensive historical summary of one liners: get illustrative.PS

------------------------------

End of RISKS-FORUM Digest 19.34
************************