precedence: bulk Subject: Risks Digest 20.55 RISKS-LIST: Risks-Forum Digest Friday 27 August 1999 Volume 20 : Issue 55 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at and at ftp.sri.com/risks/ . Contents: New Microsoft Java flaw (Edward W. Felten) Internet Explorer cannot read www.microsoft.com (Keith Edmunds) Tokyo traffic chaos in GPS date rollover (Mike Martin) GPS rollover hits yacht (Justin Mason) 9/9/99 (Lindsay Marshall) Y2K in China (David Cowhig via Donald B. Wagner) Downtown Chicago hit by electrical blackout (Doneel Edelson) Power coming back on causes UPS to lose power (Ray Todd Stevens) Numeric pager sending alpha messages (Ray Todd Stevens) Ohio town law against cell phones while driving (Jim Griffith) Justice seeks wider access to computer data (NewsScan) Inadvertent nameserver cache poisoning (Rich Lafferty) Purchase circles and insider information (Joseph A. Dellinger) Can Linux survive software patents? (Martin Minow) Canadian spy secrets leak on Web (David Kennedy) Auto-Fix feature for Dell PCs (Henry Robertson) Re: Car won't start if payments are delinquent (Keith Edmunds) gnu touch has an unusual sense of time (B. Elijah Griffin) Security check powers up computer (Edward Holden) Re: NCIC 2000 (Otto Stolz) USENIX Annual Conference 2000, Announcement and Call For Papers (Moun Chau) USENIX Security Symposium 2000, Announcement and Call for Papers (Moun Chau) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Thu, 26 Aug 1999 19:51:37 -0400 From: "Edward W. Felten" Subject: New Microsoft Java flaw We have discovered a serious security flaw in the versions of Microsoft's Java Virtual Machine that are distributed with Internet Explorer 4 and Internet Explorer 5 for Microsoft Windows. The flaw allows the creation of a malicious applet that is attached to a HTML page, which could be delivered over the Web via Internet Explorer or by e-mail via Outlook or other mail programs that use Microsoft's Java Virtual Machine. When the malicious applet is executed, it can read, modify, or destroy any data on the computer, insert a virus, insert software to spy on the user's future on-line activities, or take any other malicious action. The attack does not require the user to do anything beyond viewing the Web page or e-mail message. The flaw is a programming error (a race condition) in one of the security-critical parts of Microsoft's Java class libraries. A malicious applet can exploit this error to violate Java's security rules. The applet can then proceed to take control of the machine and perform any actions it likes. We have implemented and tested an applet that demonstrates this flaw by deleting a file on the victim's PC. We are not releasing the demonstration applet or any further technical details about the flaw at this time. After consultation with us, Microsoft has issued a new version of their Virtual Machine that fixes this problem. A security bulletin from Microsoft can be found at http://www.microsoft.com/Security/Bulletins/ms99-031.asp. For further information, contact Edward Felten at , 609-258-5906, or Teresa Lunt at , 650-812-4424. Edward Felten, Princeton University Drew Dean, Xerox PARC Dan Wallach, Rice University Dirk Balfanz, Princeton University / Xerox PARC ------------------------------ Date: Fri, 27 Aug 1999 16:24:03 +0100 From: "Edmunds, Keith" Subject: Internet Explorer cannot read www.microsoft.com I recently installed NT Server 4.0. Before upgrading to Service Pack 5, I wanted to download some third party drivers. NT4 comes with Internet Explorer V2, which is dated to say the least. I first decided to visit Microsoft's web site to upgrade IE2 to IE4 or IE5. However, IE2 refuses to display the home page at www.microsoft.com, giving instead the following message: "Unable to open http://www.microsoft.com/. You do not have permission to open this item. Directory Listing Denied This Virtual Directory does not allow contents to be listed." The RISK here is obvious. Ensure that your web site can be read by old browsers, even if it isn't very pretty. This is particularly so if your current product (NT 4.0) includes an obsolete browser itself... Keith Edmunds Reading UK ------------------------------ Date: Tue, 24 Aug 1999 10:55:20 +1000 From: "Martin, Mike" Subject: Tokyo traffic chaos in GPS date rollover The Australian Financial Review's Tokyo correspondent, Andrew Cornell, reports (AFR Aug 24) that the GPS date rollover, previously discussed at length in RISKS, occurred at 9 am Sunday Aug 22 in Japan and that "an estimated 100,000 systems", mainly used by vehicle drivers for navigation through Tokyo's unnamed streets, "froze or went blank as the system rolled over into its new time sequence". Cornell reports that Pioneer, the GPS market leader, had been advertising to notify customers of the problem, and had adapted or replaced 210,000 of its 270,000 affected systems. If this incident is typical of consumers' and small businesses' response to a technology brick wall then it does not bode especially well for January 1 next year. Mike Martin [See also Reuters, *The New York Times*, 23 Aug 1999, http://www.nytimes.com/library/tech/99/08/biztech/articles/23gps.html/ PGN] ------------------------------ Date: Sun, 22 Aug 1999 20:01:15 +0100 From: jm@netnoteinc.com (Justin Mason) Subject: GPS rollover hits yacht From this evening's RTE news: The Irish Marine Emergency Service has been dealing with a yacht on route from the Scilly Isles to Kinsale which ran into fog and heavy weather south of Ireland this morning. Local reports say that "The Tam-o-Shanter" radioed for help when its Global Positioning System began to misread the boat's position. The crew were further hampered by extremely heavy weather and a torn sail. With the aid of the IMES and Coast Radio Stations, a position was given and the yacht is now safely in Kinsale Harbour. It is believed a millennium style bug caused the "Tam-o-Shanter" to lose its position today. At midnight GMT (1am Irish time) the GPS "rolled over". After its launch in 1980 it had a life span of 1,024 weeks, which reached zero this morning when the system reverted back to its start time. All mariners had been warned of this, but GPS units older than five years would not have been capable of handling the change. (snipped from http://www.rte.ie/news/1999/0822/boys.html) ------------------------------ Date: Mon, 23 Aug 1999 11:43:03 +0100 (GMT) From: Lindsay.Marshall@newcastle.ac.uk Subject: 9/9/99 According to a report in one of the UK Sunday papers two real occurrences of the fabled 9/9/99 bug have been found, one in a non-critical medical application. It would be interesting to have more information about this as I have always thought that the 9/9/99 bug sounded like press scaremongering rather than something that would really arise. http://catless.ncl.ac.uk/Lindsay ------------------------------ Date: Mon, 23 Aug 1999 09:31:45 +0200 From: "Donald B. Wagner" Subject: Y2K in China Date: Sat, 21 Aug 1999 20:32:39 -0400 Reply-To: H-Net list for Asian History and Culture From: David Cowhig Subject: H-ASIA: May 1999 China Y2K National Conference: Guarded Optimism May 1999 China Y2K National Conference: Guarded Optimism A June 1999 report from U.S. Embassy Beijing http://www.usembassy-china.gov/english/sandt/Y2kcnfwb.htm [see also the recently updated links to Chinese Y2K related websites at http://www.usembassy-china.gov/english/sandt/y2gov.htm ] Summary: China Y2K Czar Zhang Qi and other speakers at the Second PRC National Y2K Conference held on May 6-7 in Beijing expressed greater confidence in China's electric power grids but greater concerns about the effect of the Year 2000 computer problem on railroad freight, medical instrumentation and embedded chips. Zhang Qi said that electric power companies would be assured funding for Y2K solutions. Some Chinese experts doubt, however, that Y2K funding will be made available; the August 1998 State Council Y2K order made each unit responsible for funding its own Y2K solutions. Zhang mentioned the recent Shanghai Y2K Seminar with Secretary of Commerce Daley and her upcoming August 1999 USIA sponsored trip to the U.S.A.. Central government speakers discussed the Y2K problem in telecommunications, electric power, and transportation. Local government and industry Y2K speakers came from Liaoning Province, Beijing Municipality, the Beijing Municipal Health Bureau, the Baoshan steel company and Chinese banks. Two speakers discussed Y2K legal liability issues. The speakers agreed that China faces Y2K difficulties in many sectors but no one foresaw a national cataclysm. The Embassy Beijing view is that Y2K will not put American citizens in China into danger but will likely affect business and especially small businesses such as suppliers and small contractors. These Y2K problems might affect the overall Chinese economy gradually over weeks and months. ------------------------------ Date: Thu, 12 Aug 1999 16:32:30 -0400 From: "Edelson, Doneel" Subject: Downtown Chicago hit by electrical blackout Downtown Chicago experienced extensive blackouts on 12 August 1999. Initially, three of the four transformers at a North Side substation went off-line. (One transformer had been undergoing repairs.) In addition, a high-voltage cable failed. This caused Commonwealth Edison to black out about 2300 customers in two different areas. The Chicago Board of Trade, other exchanges, banks, businesses, and residences were shut down. [Reuters item, forwarded by Doneel from Yahoo! News Top Stories Headlines, 12 August; PGN-ed] ------------------------------ Date: Mon, 23 Aug 1999 20:03:41 +0000 From: "Ray Todd Stevens" Subject: Power coming back on causes UPS to lose power This is an interesting failure mode. Situation: Computer (monitor and printer) running on a UPS that is plugged into 110 with other items. Here is the failure sequence. Power goes out for a period of several minutes (at least 15 to cause failure) UPS has been sized to allow 1 hour run time for computer. Everything runs fine. User acknowledges the UPS alarm and continues to work as planned. Power is restored. Everyone assumes that all is OK. UPS switches into battery charge mode and switches to line mode. The combined load is more than the breaker can take. Now we have a localized power failure. #1 The power is back for such a short duration that the alarm on the UPS doesn't reset and trigger. #2 The other items on the circuit are noncritical and are not noticed to be off line. So, after about 30-45 minutes, the computer crashes with no warning. Ray Todd Stevens, Senior Consultant, Stevens Services R.R.#14 Box 1400, Bedford, IN 47421 (812) 279-9394 Raytodd@tima.com ------------------------------ Date: Mon, 23 Aug 1999 20:05:19 +0000 From: "Ray Todd Stevens" Subject: Numeric pager sending alpha messages One of my friends works in the customer service call center of a national pager company. He deals with the usual complaints regarding poor pager operation, as well as the occasional crank caller demanding to be paged less often, more often, or by more interesting people. The best call came from a man who repeatedly complained that he keeps being paged by "Lucille." He was instructed that he would have to call her and tell her to stop paging him. "She don't never leave no number, so I can't call her back," he said. After three such calls, someone thought to ask how he knew it was Lucille if she didn't leave a number. "She leaves her name," was the reply. After establishing that the customer had a numeric-only pager, the light bulb came on. "How does she spell her name?" the service rep asked. "L-O-W C-E-L-L" Another problem solved. [I picked this up off of a joke list, but it certainly seems to apply to this list also.] Ray Todd Stevens, Senior Consultant, Stevens Services R.R.#14 Box 1400, Bedford, IN 47421 (812) 279-9394 Raytodd@tima.com ------------------------------ Date: Wed, 25 Aug 1999 16:17:00 -0700 (PDT) From: Jim Griffith Subject: Ohio town law against cell phones while driving CNN reports that Brooklyn, Ohio has passed a city ordinance banning the use of all but hands-free cell phones in moving vehicles, except in emergency situations. Effective September 1, violations may result in a $100 fine. The city is responding to recent studies that show that the chance of having an accident dramatically increases (one study says "quadruples") when cell phones are being used. http://www.cnn.com/US/9908/25/cellphone.ban/ ------------------------------ Date: Fri, 20 Aug 1999 08:20:25 -0700 From: "NewsScan" Subject: Justice seeks wider access to computer data The Justice Department wants to broaden rules for allowing law enforcement officials to secretly enter suspects' homes or offices and disable security on PCs in advance of administering a wiretap or conducting a further search. An Aug. 4 memo says that encryption software "is increasingly used as a means to facilitate criminal activity, such as drug trafficking, terrorism, white-collar crime, and the distribution of child pornography." Officials at the Justice Department have drafted the Cyberspace Electronic Security Act, which would expand existing search warrant powers to allow for disabling encryption. To extract information from the computer, agents would still be required to get additional authorization from the court. Privacy advocates say the proposed legislation would compromise personal freedoms: "They have taken the cyberspace issue and are using it as justification for invading the home," says a spokesman for the Center for Democracy and Technology. [*The Washington Post, 20 Aug 1999*, http://www.washingtonpost.com/wp-srv/business/daily/aug99/encryption20.htm; NewsScan Daily, 20 August 1999; reproduced with permission. To subscribe to NewsScan Daily, send an e-mail message to NewsScan@NewsScan.com with 'subscribe' in the subject line.] ------------------------------ Date: Mon, 23 Aug 1999 02:51:02 -0400 From: Rich Lafferty Subject: Inadvertent nameserver cache poisoning [Site names omitted to protect the guilty and innocent...--r] I just ended an unusual conversation in which myself and a colleague were enlisted to help debug a nameserver problem in which, according to the original report, a large site had started using a smaller site's nameservers for all its requests. As it turns out -- and the nature of the original report, pointing at the large site, managed to disguise this for a while -- the smaller site was a domain farm, where, instead of adding A records for their thousands of domains and hundreds of hostnames in each domain, they had configured their nameserver to respond with a particular A record for any responses that managed to make it to their nameserver. While this would also give their address to queries for names that they weren't authoritative for, this wasn't a problem in practice, as they had no local users using those nameservers. In other words, when working, only queries regarding their domains would reach their server, and their server would respond with the same address for all of those. Not particularly elegant, but it seemed to work. Then they added NS records to those responses. And not just any NS records -- accidentally or otherwise, all of their responses were claiming NS authority over .com. Now, usually, that wouldn't get picked up by anyone -- nameservers querying their server would have a perfectly-good cached NS record for .com. obtained from a root nameserver. But it *did* happen that the nameserver at this large site managed to start thinking that this little nameserver was responsible for .com., and started sending all of its queries there. As far as I can tell, it was only a matter of unfortunate timing, with a request landing at that server and their cached NS record for .com. expiring at nearly the same time. The effects were somewhat disastrous, of course. Since the nameserver was configured to give the same A record for everything, all of the requests for *.com from the large site ended up at the same page full of advertisements. The domain servers at the small site were overwhelmed, and so were the *web* servers, having to serve up the page full of adverts so often. While nameserver cache poisoning is something of an old RISK, this instance had unusual repercussions in that it basically ended up with a denial of service for all parties involved. (While we hope we caught it before it became an extended problem, had we not, it would have continued indefinitely as the small site's nameserver continued reminding the large site that it was responsible for .com. with every request any of the large site's clients might have made.) (Interestingly, it took some explaining before the small site would acknowledge that the problem was at their end -- it often comes as a surprise to small Internet quick-buck operations such as these that what they do wrong can have such a disastrous effect on other parties. The ones described above ended up getting things resolved after encountering myself and a colleague on an IRC channel which offers help with Unix.) Rich Lafferty, Information and Instructional Technology Services, Concordia University, Montreal, QC 1-514-848-7625 rich@alcor.concordia.ca ------------------------------ Date: Thu, 26 Aug 1999 15:54:23 -0500 (CDT) From: "Joseph A. Dellinger" Subject: Purchase circles and insider information Amazon.com has come out with a new service, "purchase circles". It lets you look up the 10 most popular books ordered by people at different companies. I'm not sure amazon.com realizes how powerful an information source this is. I heard about this new feature from Stanford students near graduation, who are using it to assess the relative "Dilbert index" of possible future employers (as indicated by the ratio of new-age management to technical books making the list). You can also use it to get some idea of the current mood within a company. One large oil company in particular stands out: people there are mostly ordering books on changing careers and on introductory web/programming/internet skills. Not surprisingly, this is a company about to be acquired. The complete list of books being ordered by a given company might provide very interesting insider information. There might be a noticeable spike in "What color is my parachute" orders preceding public disclosure of an impending big layoff, for example. A rash of "introductory Spanish" book orders might indicate a planned expansion into or relocation of workers to a Spanish-speaking country. How long before employees are ordered not to order books over the internet using their work accounts? ------------------------------ Date: Sun, 15 Aug 1999 21:14:30 -0700 From: Martin Minow Subject: Can Linux survive software patents? An interesting article on the effect of patents on open source software. Disclaimer: I'm a co-author of one patent, and recently authored three software patents for my former employer. Before moving to San Francisco, I helped a friend try to recover backup tapes from MIT-AI (the birthplace of the Open Source movement, though there was much open source available before that computer). It seems that MIT folk wanted to recover "prior art" (from the 1960's) that is now being patented. Martin Minow minow@pobox.com ------------------------------ Date: Fri, 27 Aug 1999 02:32:39 -0400 From: David Kennedy CISSP Subject: Canadian spy secrets leak on Web http://www.globeandmail.com/gam/National/19990826/USPYYN.html by Andrew Mitrovica >In what intelligence experts are calling an embarrassing gaffe and a >serious breach of security, one of the military's top-secret electronic >eavesdroppers posted the names and location of CF-18 pilots based in Italy >on his own Web page before and during the war in Yugoslavia, The Globe and >Mail has learned. [...] >Moreover, he said he set up his Web page with the consent of his superiors >at the Defence Department before he shut it down in the spring because he >feared that it might imperil the lives of CF-18 pilots and their crews, who >made hundreds of bombing sorties during the Balkans war. [...] >Reg Whitaker, a York University political science professor and an expert >on intelligence matters, said MCpl. Arsenault's Web page was "a very >serious breach of security. And it clearly provides confirmation that these >guys [CSE] were there [in Italy]. It's safe to assume that this kind of >sensitive information being posted on the Internet is not official policy >for the agency. That's really very embarrassing." [...] >His Web page was not the only source of information about military snoops >and the CSE to appear on the Internet recently. > >In March of 1997, the Defence Department briefly posted on its own Web site >confidential information about military personnel who collect and monitor >communications for the CSE, known in the military as "291ers." > >The department's Web site provided a complete list of the number, location, >rank and responsibilities of hundreds of researchers throughout Canada, the >United States and Britain. However, it did not include names. Dave Kennedy CISSP Director of Research Services ICSA.net http://www.icsa.net ------------------------------ Date: Thu, 26 Aug 1999 09:34:48 -0400 From: "Henry Robertson" Subject: Auto-Fix feature for Dell PCs These days many people (not me) have gotten used to the auto-update features for various software packages. For example, the Norton Antivirus program can be set so that every Friday night it automatically connects to the Norton web site and downloads the latest virus protection features. Not a bad idea if you trust this type of connection. Well, Dell has taken this a bit further. A product called "Open Manage Resolution Assistant" will reside on their next series of servers/workstations. It looks for failures or errors and auto-notifies Dell's technical staff. (The worst is yet to come.) Dell's staff then has the capability of doing remote diagnostics and running certain "scripts" on your computer to find the problem. This requires a major hole in your system firewall! If you feel comfortable with a technician in Texas roaming around on your financial server, then this isn't as scary for you as it is for me. For more info see "Inter@ctive" magazine, vol.6, no.34, page 7. Henry Robertson, Safety Systems Group, Jefferson Lab robertsn@jlab.org 1-757-269-7285 ------------------------------ Date: Fri, 27 Aug 1999 16:02:39 +0100 From: "Edmunds, Keith" Subject: Re: Car won't start if payments are delinquent (Smith, RISKS-20.54) > ...The big difference is that an ignition lock malfunction puts the > _purchaser_ at risk, so presumably market forces would work to insure > reliability." Insure or ensure? "Insure" means you accept that the risk exists and ask someone else to pay out in some way if the risk is realised; "ensure" means you do everything you need to do to remove the risk. The RISK here is a misunderstanding about whether or not the risk exists, and what comeback there might be if it does. Perhaps the real risk is not understanding the difference between American and English: as one person once said, "Two nations divided by a common language." Keith Edmunds Reading England ------------------------------ Date: Fri, 27 Aug 1999 16:59:09 -0400 (EDT) From: "B. Elijah Griffin" Subject: gnu touch has an unusual sense of time Today I was trying to use the output of "ls -l" and the --date option of touch (from GNU fileutils 4.0) to restore time stamps on some files I'd ftp'd to something close to the original time stamps. Apparently, however, a command like: touch --date='Nov 11 1996' file results in "1996" being interpreted as 7pm plus 96 minutes or 8:36pm, which I find to be a distinctly non-intuitive understanding of time. Had I not double-checked the results, these mistaken time stamps would have remained and conflicted with my intent for restoring them in the first place. Elijah Of course, ls's ideas about displaying time are screwy enough. [Of course, "fileutils" looks like it might be a French word if you treat the "eu" as a diphthong. But then a diff-thong might be a program that discriminates between things like thongs and songs. PGN] ------------------------------ Date: Tue, 24 Aug 1999 08:22:45 -0400 From: eholden@ix.netcom.com Subject: Security check powers up computer Before flying I normally put my laptop computer in my carry-on bag in standby mode, where the contents of memory are stored on the hard disk and the power is off. Perhaps a dozen times in six months, the procedure for inspecting bags on entry to the terminal seems to have managed to restart the computer. An hour into flight, I discover the computer is on and the battery is 80% used. This is irritating(!) and perhaps dangerous, although none of my flights has crashed. Sometimes, now, I remember to check the machine is still power-off by inspecting it after boarding the plane while still parked at the gate. On one such occasion I was strongly reprimanded by a flight attendant for "using" the computer at that time. I find it interesting that an anti-terrorist inspection might risk creating an electronic hazard to a flight. Edward Holden ------------------------------ Date: Mon, 23 Aug 1999 10:17:38 -0600 From: Otto Stolz Subject: Re: NCIC 2000 (Fairfax, RISKS-20.54) > What is particularly ironic about the new licensing requirement is that > (legal) firearms ownership has long been limited to those persons who have > no criminal record. Thus, the statute mandates the collection and > dissemination of fingerprints from people who are known to have committed > no crime. Rather, those fingerprints are collected from people who are not known to have committed a crime -- an essential difference, and probably part of the rationale for that statute. Otto Stolz ------------------------------ Date: Fri, 27 Aug 1999 19:57:52 GMT From: moun@usenix.ORG (Moun Chau) Subject: USENIX Annual Conference 2000, Announcement and Call For Papers 2000 USENIX Annual Technical Conference June 18-23, 2000 San Diego Marriott Hotel & Marina San Diego, California, USA http://www.usenix.org/events/usenix2000 Sponsored by USENIX, the Advanced Computing Systems Association. Please see the detailed submission guidelines and conference information: http://www.usenix.org/events/usenix2000/cfp Paper Submissions deadline: November 29, 1999 ----------------------------------------------------- Date: Tue, 24 Aug 1999 20:00:31 GMT From: moun@usenix.ORG (Moun Chau) Subject: USENIX Security Symposium 2000, Announcement and Call for Papers 9th USENIX Security Symposium 2000 Conference August 14 - 17, 2000 Denver, Colorado, USA Conference URL: http://www.usenix.org/events/sec2000 The USENIX Security Symposium brings together researchers, practitioners, system administrators, systems programmers, and others interested in the latest advances in security and applications of cryptography. The keynote speaker is Dr. Blaine Burnham, Director of the Georgia Tech Information Security Center (GTISC) and formerly Program Manager for the National Security Agency (NSA) at Ft. Meade, Maryland. See http://www.usenix.org/events/sec2000/cfp/guidelines.html Paper submissions due: February 10, 2000 [Wow! A year from now, and I just got back last night from the 1999 Conference in WashDC, after sitting on the plane docked at the gate at Dulles, which finally took off four hours late while we waited for a bunch of storms to pass. At least I did not have to go through Chicago, where most UAL flights were cancelled because of someone who evaded the security controls. PGN] ------------------------------ Date: 23 Sep 1998 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or INFO [for unabridged version of RISKS information] .MIL users should contact (Dennis Rears). .UK users should contact . => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 19" for volume 19] or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. PostScript copy of PGN's comprehensive historical summary of one liners: illustrative.PS at ftp.sri.com/risks . ------------------------------ End of RISKS-FORUM Digest 20.55 ************************