Subject: RISKS DIGEST 13.02
REPLY-TO:
[email protected]
RISKS-LIST: RISKS-FORUM Digest Thursday 9 January 1992 Volume 13 : Issue 02
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Contents:
UK Government security breach (Robert Jenkins)
Landlord's software chokes on identical check numbers (Jon Weintraub)
The "Miracle" computer-controlled piano teaching system (Ed Nilges)
Gambling machines scramble checking facility (George Michaelson)
Re: Life-and-Death Computer (Tom Perrine, Bob Kerns)
Re: Snow at San Jose ??? (Alan Marcum, Christopher Pettus)
Re: Customer Clogs Honda 800 Number (anonymous, Sanford Sherizen)
Re: Screensaver doing "nothing" (Bill Davidsen, A. Padgett Peterson)
Re: ZIP+4 (Kraig Meyer, Ed Wright, Brad Templeton, John J. DiLeo)
Risk Assessment for Aviation Safety -- a request (Peter C Olsen)
Rampant Virology -- a book by Mark Ludwig (Ray Kaplan)
The RISKS Forum is moderated. Contributions should be relevant, sound, in
good taste, objective, coherent, concise, and nonrepetitious. Diversity is
welcome. CONTRIBUTIONS to
[email protected], with relevant, substantive
"Subject:" line. Others may be ignored! Contributions will not be ACKed.
The load is too great. **PLEASE** INCLUDE INTERNET FROM: ADDRESS, especially
.UUCP domain folks. REQUESTS please to
[email protected]. For
vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 12, j always TWO digits). Vol i
summaries in j=00; "dir risks-*.*<CR>" gives directory; "bye<CR>" logs out.
The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1".
<CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues
of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.
----------------------------------------------------------------------
Date: Wed, 8 Jan 92 20:52 GMT
From: Robert Jenkins <
[email protected]>
Subject: UK Government security breach
The Guardian of 8 January carries the following report, headlined
"Security Flaw in Whitehall":
Fake names were fed into a Whitehall [i.e., central government] computer to
give unauthorised staff access to details of top security safes holding cabinet
papers and sensitive defence documents, an investigation by the National Audit
Office, parliament's financial watchdog revealed yesterday.
The issue of security furniture, such as filing cabinets for classified
documents, was "left in the hands of an inexperienced officer who had virtually
unlimited control of the system and was not effectively supervised," says the
report.
It goes on: "Control over access to the computer system was minimal; staff who
were no longer authorised to use it, and two fictitious names thought to have
been entered by a previous employee, continued to have access.
"Staff training was inadequate, procedures were not documented, and inaccurate
stock information was leading to the posting of wrong figures to the accounts.
The staff were unable to generate invoices for equipment and substantial
amounts had consequently not been charged. At least one duplicate payment,
amounting to 92,000 pounds, had been made to a supplier."
The report said there was no evidence of fraud, "but the serious lack of
control, and the limited audit trails, made it impossible to provide an
unconditional assurance that it had not."
------------------------------
Date: Thu, 9 Jan 92 12:48:53 -0600
From: Jon Weintraub <
[email protected]>
Subject: Landlord's software chokes on identical check numbers
My landlord has been `politely threatening' us since the first of the year for
overdue rent. After careful checking, the problem was that both my roommate
and I each happened to pay with a check numbered 144 from our respective
accounts. The computer supplanted its record of the first check with its
record of the second -- it was counting on check serial number to be a unique
identifier across accounts! If we were less lucky, we might be in court over
this by now.
------------------------------
Date: Tue, 7 Jan 1992 17:11:16 GMT
From:
[email protected]
Subject: The "Miracle" computer-controlled piano teaching system
This morning (7 Jan 1992) on the Today show, the "Miracle" computer-controlled
piano teaching system from the Software Toolworks was demonstrated for
announcer Katy Couric. This is a high-quality electronic piano and software
running on several platforms (including the Mac and the PC) which teaches piano
by lessons and by monitoring play on a key-by-key basis. It was the subject of
some reasonably smarmy ads as Yuppie parents watched, eyes glistening, as their
Little Darlings played rather complicated pieces reasonably well. The
performance in the ads has been borne-out by tests of the system; it is a good
way of teaching piano skills, interpreted as being able to play the music on
the page. Thereby, however, lies a potential Risk to music aesthetics.
For when Katy Couric played a decent version of "Happy Birthday", including
some rather elegant grace notes, the computer gave her a low score of 38%.
This is it could not recognize the slight improvisation represented by grace
notes as an improvement over the music displayed on the screen. In my opinion,
a good piano teacher would give Couric a higher score for the creativity
implicit in grace notes.
More than this, the developers of "The Miracle" seem unaware of the fact that
Playing The Music Exactly As Written (PTMEAW) is (in a global sense) not the
usual practice. Not only is folk music almost completely improvised, Indian
classical music gains much of its richness from being IN PART improvised by
master musicians every time it is performed. Even in the Western classical
tradition, improvisation was the norm prior to the Baroque era. Deliberate
error, even, has played an extensive part in music. Italian and German
violinists of the 17th century used a system of deliberately "incorrect"
tuning, called "scordatura", by which the Baroque composer Biber gained much
emotional intensity in his violin sonatas. Up until Beethoven the
instrumentalist in a concerto provided a "coda" in which the soloist could
improvise on the theme, so PTMEAW was not even the norm in Mozart's time.
Nowadays, although classical music is subject to PTMEAW (with the absurd stress
on "original instruments" being part of this), non- classical music, including
folk, rock and country gains much of its liveliness by retaining both
improvisation and "scordatura" (that is, deliberate error for emotional
intensity.)
"The Miracle" completely ignores this by assigning high scores in a dehumanized
fashion to students who, unlike Couric, don't have the creativity to improvise.
I predict that two types of populations will evolve on "The Miracle":
unimaginative keyboarders of the music as written, and hackers, who will misuse
the features. In neither group will true musicians be found.
"The Miracle" does look like a useful tool for learning music, but I object
both to its operatic name, which makes an overlarge claim, and to its
incorporation of numeric scoring. The designers could have (under the advice
of a decent musicologist) deliberately eschewed the assignment of numeric
scores and restricted themselves to the display of natural-language
evaluations.
------------------------------
Date: Tue, 7 Jan 1992 10:02:53 +1100
From: George Michaelson <
[email protected]>
Subject: Gambling machines scramble checking facility
ABC Radio (Australia) reported this morning that different manufacturers "one
armed bandits" (in-line gambling machines) confuse the centralized checking
systems to which they are networked, and destroy each others records.
This has delayed installation of the systems in clubs and hotels around the
state of Queensland, until new code can be put in to ensure they can be checked
up on.
Worry about abuses of the machines for gambling, tax evasion and links with
crime (for money laundering, and alleged mafia involvement in the manufacture &
distribution) has been a big political football here.
-George
------------------------------
Date: Tue, 7 Jan 92 11:03:13 PST
From:
[email protected]
Subject: Re: Life-and-Death Computer
The Washington Post editorial in Risks 13.01 (Subject: Life-and-Death
Computer) overlooked one other problem with the APACHE software: it
has the potential to generate self-fulfilling prophecies.
It appears that APACHE is really reporting on patient "profiles": age,
weight, general medical condition, cross-referenced with specific
complaints or injuries and treatments and survival rates.
Since APACHE reduces people to profiles, we might as well use that
term in discussion.
Lets say that a "profile" is not treated with a given procedure, in part due to
the "advice" of APACHE, and then dies. If the information concerning this
"profile" is then fed back into the APACHE database, this will decrease the
"survivability" quotient for subsequent "profiles" with the same initial set of
problems. Each time a patient (oops, "profile") with a given complaint is not
treated (and dies), the survival quotient decreases again.
Each time APACHE (indirectly) advises a doctor to withhold treatment for a
condition, it increases the probability that it will "advise" withholding
treatment for the next patient (oops, "profile") with the same basic
complaint/injury, leading to another death, leading to another survival
quotient decrease.
The editorial remarks that "a computer can serve the cause of accurate
diagnosis only on the basis of properly entered information by the physician
using his or her senses". Even if data is 100% correct, it still leads to
positive feedback which will further skew the output data.
Tom Perrine (tep), Logicon - T&TSD, P.O. Box 85158, San Diego CA 92138
+1 619 597 7221 UUCP: sun!suntan!tots!tep
------------------------------
Date: Wed, 8 Jan 92 06:12:15 -0500
From:
[email protected]
Subject: Life-and-death computer: Numbers lie
In RISKS 13.01, Warren McLaughlin cites a Washington Post article about
programs which give highly-precise probabilities on medical treatment outcomes,
and how this can lead to doctors relinquishing their proper decision-making
responsibility.
It seems clear to me that the problem here isn't that the doctor
is relinquishing his responsibility by being too trusting of the
software, so much as it is the programmer is relinquishing the
responsibility to the doctor by presenting bad information.
The problems inherent in encoding weights for different courses of action (or
any other "non-monotonic" comparison) is very familiar to anyone familiar with
expert systems. In addition to the illusion of accuracy illustrated in the
article, there are numerous other kinds of error introduced at every step, from
the initial assignment of weights for the raw data (what is a "favorable
outcome" in treatments to prolong life in a terminal disease), observed
situation (what is "slight swelling of the lymph nodes"), anomolies when these
are reasoned on in conjunction with each other (often you can prove a>b>c>a),
and then, finally, in the way they are reported.
Assuming that these problems are dealt with in a realistic manner, for the
program to communicate reasonably with the doctor, it is necessary to give some
idea of the precision of these numbers. One of the better techniques is to use
"error-bars". This can help transform what appears to be a definitive
decision:
Cut off head: 40%
Give aspirin: 30%
Cut off foot: 20%
vs:
-Treatment- 0 10 20 30 40 50 60 70 80 90 100
Cut off head: |-------------------X----|
Give aspirin: |---------X--------------|
Cut off foot: |----X--------------|
As you can see, this makes it much more clear that the
program really hasn't decided much of anything at all.
It should also be clear from my example that in addition to the numerical
information, an explanation of the reasoning process together may well be
warranted, to check for any unwarranted assumptions, and other things to look
out for. (Such as the need for reattaching the head after repairs are
effected, and the assumption that the patient is a robot).
(The disease in question, of course, is "headache").
In real life, a doctor giving a second opinion isn't just going to give a
number. He's going to give reasons, and an idea how sure he is of the
appropriateness of a particular treatment and alternative treatments and even
perhaps alternative diagnosis to consider. [Or maybe the insurance industry
has this process reduced to a coded number now too, in which case, the Risks
should be obvious].
The deceptive problems of encoding preferences and subjective evaluations into
numbers is, of course, a pervasive problem in other areas. Indeed, the entire
area of risk analysis is rife with it, as I've pointed out indirectly in other
messages. It's so much easier to calculate with simple numbers that this is a
very tempting trap to fall into. But we must resist the temptation to
manufacture certainty where non exists. Whether we are computer professionals,
scientists, pollsters, or journalists, or newspaper reader I think being
careful with these issues is a matter of professional integrety. It's an
integrety which is all too often lacking, out of ignorance, sloppiness, desire
to persuade, or desire to be persuaded.
[finger rwk@... suggests this might be someone named Bob Kerns. PGN]
------------------------------
Date: Mon, 6 Jan 92 14:47:46 PST
From:
[email protected] (Alan M. Marcum - Tech Support)
Subject: Re: Snow at San Jose ??? (Pettitt, RISKS-13.01)
> 1) a decode error (I don't know what the correct decode of VBSY is)
> 2) VBSY does mean snow and spray and the NWS screwed up the forecast.
There's a third possible cause, which I guess I'd call the probably
cause. Someone made a typographical error. VSBY is the contraction
for visibility. BSY could well translate to snow and blowing spray.
For the RISKS folks, note also that the translation Contel provides
is made available as a courtesy. They have a large disclaimer
stating this, and requesting that the pilot acknowledges his
responsibility for correct translation according to the relevant
portions of the Federal Aviation Regulations.
There is the RISK, though, of typos in critical information with little or no
redundancy, such as the FAA's cryptic weather information.
Alan M. Marcum, NeXTedge Technical Support,
[email protected]
------------------------------
Date: 6 Jan 92 21:57:25 GMT
From:
[email protected] (Christopher Pettus)
Subject: Re: Snow in San Jose ??? (RISKS-13.01)
>Either way computer weather briefing has a way to go yet.
Indeed. One of the problems with computerized decoding of National Weather
Service (NWS) weather information is that the format, while supposedly
standardized, is actually typed in by humans with no checking in a pretty
free-form format. In this case, the answer is both (1) and (2).
A terminal forecast has two parts, an 18-hour "forecast" and a 6-hour
"categorical outlook" (although even weather briefers are often unaware of the
difference). The forecast is relatively detailed: the clouds are going to be
at 4000 feet, it's going to be raining, the visibility is going to be 5 miles
in fog, etc.
The categorical outlook is pretty generic, and just makes braod claims about
the weather, in particular ceilings greater than 3000', visibility greater than
6 miles, etc. If the visibility is expected to be restricted, "VSBY" is put
into the categorical.
In this case, the forecaster expected the visibility to be at three miles, so
he stuck a 3 in the categorical (free-format, no checking). This is not a
meaningless thing to do, since three miles of visibility is a "magic number"
(it allows flight operations that might otherwise be prohibited).
This isn't what the "official" format allows, so the program decided
that it had just hit a standard notation for visibility, where the
visibility is given in miles, then followed by letter codes for what
kind of goo is restricting the visibility (for example, "2RF" means
"visibility 2 miles in rain and fog"). "S" is snow, "Y" is spray, and
"B" in front of a code means "blowing," and the "V" I assume was
ignored, so we have "Visibility 3 miles in snow and blowing spray."
The whole weather reporting system is based on ancient 110-baud teletype
technology, and is in desperate need of being trashed and redone. But it
probably will not be for many years.
-- Christophe
------------------------------
Date: Mon, 6 Jan 92 22:06:51 PST
From: [anonymous]
Subject: Re: Customer Clogs Honda 800 Number
It is pretty well established that such abuse of an 800 number (or any number
for that matter) constitutes harrassment. In the famous case of the guy doing
this to the tele-evangelist, I believe that the caller was prosecuted, found
guilty, and had to make some sort of restitution.
Keep in mind that virtually all 800 (and 900) customers already receive the
caller's number for about 95%+ callers via the carriers' Automatic Number
Identification (ANI) systems (this is actually different from Caller-ID, but
the distinction is too complex to elaborate on here). Only larger customers
usually receive this information in real-time with the call, but most receive
the caller numbers with their phone bills, or sometime after the call via other
means, and abusive patterns can be clearly seen in such data.
------------------------------
Date: Wed, 8 Jan 92 01:54 GMT
From: Sanford Sherizen <
[email protected]>
Subject: Customer Clogs Honda 800 Number (Cont.)
There is more about this incident. According to the TAB, a very good local
newspaper in this area, Daniel Gregory has been charged with telephone
harassment after he made at least 100 phone calls in one day and faxed a 14-foot
computer banner saying "Dan Gregory is unhappy with his Honda." Gregory
admitted making the calls. "It could have been as many as 100 in one day," he
said last week. "MAYBE I OVERDID IT. BUT EVEN IF THAT WAS THE CASE, SO LA DE
DA." (Emphasis added by me to highlight why the U.S. is in decline)
He made a comment about the long fax. "A roll of fax paper is $12 at Staples
(office store). We're talking about a multi-million dollar company getting mad
because I use a lot of fax paper?"
While this story has received some coverage around the U.S., it has been treated
as if it is a funny story. Some form of man-bites-Honda. The fact is, however,
that this incident shows a vulnerability of technology. Is this phone clogging
almost a virus-type phenomenon? Can it be possible on a larger scale? Say
someone doesn't like their boss, the Internal Revenue, their ex-spouse, a
political candidate, a computer network, or some other party. Then "la-de-da"
is the right response.
For all we know, Gregory may run for national office on the La De Da Platform.
Oop, sorry, I think that political platform is already taken by at least one
other candidate for president.
Sanford Sherizen, Data Security Systems, Inc., Natick, MA 01760 USA
------------------------------
Date: Wed, 8 Jan 92 09:12:47 EST
From:
[email protected] (bill davidsen)
Subject: Re: Screensaver doing "nothing" might be a resource hog
Also note that "screensavers" and "lock screen" programs can use a lot of
ethernet bandwidth if you run them on X terminals. This can actually be enough
of a factor to measure, particularly if you have a site where people tend to
lock a lot of terminals at night while the administration is trying to take
dumps over the net.
bill davidsen (
[email protected] -or- uunet!crdgw1!crdos1!davidsen)
GE Corp R&D Center Moderator comp.binaries.ibm.pc and 386-users digest.
------------------------------
Date: Tue, 7 Jan 92 09:28:30 -0500
From: padgett%
[email protected] (A. Padgett Peterson)
Subject: ScreenSavers & Resource Hogs (Swartz, RISKS-13.01)
The comments concerning the effects of a screensaver on a Sun station brings
to mind a couple of incidents that occured a few years ago on our Vax systems.
The first involved a brand new, state-of-the-art VAX 11/780 and a digital
"clock" (with alarm). A short (50 or 60 lines) DCL program, it was quite
popular until it was found that four simultaneous "clocks" would swamp
the 1 VUP 780 and cause logins to take upwards of five minutes.
The second was a program that used QIO and QIOW calls (never could get all
of the commas straight without help) that enabled the VAX to function as
a terminal emulator. Add in a Racal-Vadic 1200 baud (great improvement over
300 baud Silent 700s) modem and it was possible to debug systems in New York
from my desk in Florida. With a TekHex conversion, binary traffic was also
possible (this was before XMODEM, KERMIT, or UUENCODE programs were available
so everything was "home grown" but worked) so we could make "on-line" fixes
to a Mil-Std-1750A program.
Trouble was that in order to make a multitasking system operate as a terminal,
constant cyclic checking of the workstation port and the output port was
necessary. As a result the program was something of a hog and we were politely
requested to only use it when necessary, preferably after hours.
In any event, one Friday an engineer left work with his terminal still running
the program (this was a *long* time ago) even though the phone was hung up.
Three weeks later we got the bill for that weekend from the computing center:
$32,000.00 for resources used. Needles to say some frantic negotiations ensued.
Of course the high cost of VAX time back then is what financed the PC
revolution here so it wasn't all bad, just "there is nothing new under the Sun"
(sorry).
------------------------------
Date: Mon, 06 Jan 92 15:38:39 PST
From:
[email protected]
Subject: Re: ZIP+4 (RISKS-13.01)
[email protected] (Douglas W. Jones,201H MLH,3193350740) writes:
>I recently asked at my post office how many houses shared the same ZIP+4 code
>with my house. The answer was that if I lived in a single-family dwelling, I
>almost certainly have a unique ZIP+4 code.
[Unique ZIP+4] was not the intended or actual implementation of ZIP+4 that I'm
familiar with. Generally, the last 4 digits indicate which block the address
lies in (or sometimes additionally, which side of the block). My parents live
in a subdivision in Michigan with one acre lots, and they share their ZIP+4
code with 1/2 miles' worth of single family dwellings, because that is the
distance between the two cross streets. The other side of the street has a
different ZIP+4 code, even though all of the mailboxes are on the same side of
the street.
Check out a ZIP+4 directory at your local post office to see who you share your
ZIP with.
Kraig R. Meyer
[Also noted by the following:
[email protected] (John R. Levine)
[email protected] (Randal L. Schwartz)
[email protected] (Craig Seidel)
[email protected] (J. Dean Brock)
[email protected] (Arthur Goldstein)
[email protected] (John Sullivan)
and PGN himself, who owns a ZIP+4 that is unique -- which
is the case for box numbers in small post offices. PGN]
------------------------------
Date: Thu, 9 Jan 92 10:21:53 PDT
From: Ed Wright <
[email protected]>
Subject: Re: ZIP+4 (RISKS-13.01)
The Zip + 4 system gets your letter to the correct carrier,
correct side of the street, correct two block segment.
Soon Zip + 6 will emerge (its under test now) and that will give each
address a unique numeric sequence.
------------------------------
Date: Tue, 7 Jan 92 20:26:22 PST
From:
[email protected] (Brad Templeton)
Subject: Re: ZIP+4 (RISKS-13.01)
Actually, rather than letting people mail to me with my Zip+4 (which only
specifies some people exactly and not others) I would rather the post office
(and other shippers) implement a scheme where I can get a unique code (number
or alpha), perhaps of my choice, which identifies my address in Post Office
computers, and only there.
People would be able to mail to: Code: foobazbarx, U.S.A.
And the mail would get to me. The P.O. would be pledged never to reveal where
I actually live except on court order. In fact, the actual information should
only be available in the local post office computer -- other computers would
only know which local post office to send mail for foobazbarx.
Naturally, you could have more than one code, if you wish to pay. Mailers
would be free to add more redundant information, but you would want a check
letter (the x) on the end so that people who take down your address can be sure
they have it right when they are talking to you.
There's a real way to use computers to preserve your privacy, and make mailing
and address transcription easier, too.
------------------------------
Date: 9 Jan 92 23:56:16 GMT
From: "John J. DiLeo" <
[email protected]>
Subject: Re: ZIP + 4 codes
.. For the more stout-hearted (and those to whom the CD-ROM is not available),
all government depository libraries should have a full set of printed
directories (I filed them in the depository stacks at Johns Hopkins when I was
a student employee there). Entries are listed by: 1)City name/Post Office
name; 2) Street name/P.O. Box group; and 3) numerically by block numbers.
John DiLeo,
[email protected]
------------------------------
Date: Wed, 8 Jan 1992 02:30:30 GMT
From:
[email protected] (Peter C Olsen)
Subject: Risk Assessment for Aviation Safety
I'm doing a strategic study on aviation security and I'm looking for
information about techniques that might be used to model the threat, risk, and
effectiveness of countermeasures in commercial aviation security ---
particularly airline security. I am particularly interested in approaches that
might be useful in helping to quantify and refine the qualitative data which
seems to be all that is available. Similar problems have been addressed by the
people in the computer security and nuclear safety arenas.
I'd appreciate any information or advice.
Please reply to ME via email because I don't follow this newsgroup; I will
summarize if there is any interest.
Peter Olsen
[email protected] ..uunet!super!pcolsen
PO Box 410, Simpsonville, MD 21150 202-366-6525 (office)
------------------------------
Date: Wed, 8 Jan 92 20:51 MST
From: Making memories <
[email protected]>
Subject: Rampant Virology
More books to keep you awake at night (I've only seen volume 1 so far.)
The Little Black Book of Computer Viruses, 169 pages, Mark Ludwig, ISBN
0-929408-02-0, $14.95 - American Eagle Publications, P.O. Box 41401, Tucson,
AZ 85717 - (602) 888-4957. (Thanks to Winn Schwartau for this referal to a
publisher right here in my own town!)
The back cover of this one tells it all:
WARNING. This book contains complete source code for live computer viruses
which could be EXTREEMELY DANGEROUS in the hands of incompetent persons. You
can be held legally liable for the misuse of these viruses, EVEN IF SUCH
MISUSE IS UNINTENTIONAL. Do not attempt to execute any of the code in this
book unless you are well versed in systems programming for personal computers,
and you are working on an isolated machine.
Introduction: "This is the first in a series of three books about
computer viruses... All three volumes are full of
source code... It is enevitable that these books will
offend some people ... The first volume is a
technical introduction... The second volume discusses
scientific applications... The third volume discusses
military applications ... (And, a lengthy disertation
on everything from the social meaning of this all to
the "why do it" of it all (that would play very nicely
here in RISKS.?))
Vol 1
Ch 1 - The basics
Types
Functional elements
Tools needed to write viruses
Ch 2 - Simple COM file infector
Ch 3 - Sophisticated executable virus
Ch 4 - Simple boot sector virus
Ch 5 - Sophisticated boot sector virus
Appendix 1 - TIMID
Appendix 2 - INTRUDER
Appendix 3 - A basic boot sector
Appendix 4 - KILROY
Appendix 5 - STEALTH
Appendix 6 - Hex file loader
Appendix 7 - BIOS and DOS interupt functions
Appendix 8 - Suggested reading list
Kaplan's comments:
1) - "Oh, <pregnant pause> my."
2) - Wonder if volume three will ever get out ;)
Ray 8-|)}
New address:
[email protected]
------------------------------
End of RISKS-FORUM Digest 13.02
************************
