Subject: RISKS DIGEST 16.81
REPLY-TO: [email protected]

RISKS-LIST: RISKS-FORUM Digest  Tuesday 14 February 1995  Volume 16 : Issue 81

  FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, etc.       *****

 Contents:
Stolen ATM Card nets $346,770 (David Tarabar, Jerome Whittle)
Sweden-Pedophiles-Internet (Mich Kabay)
A RISKy place on the Web (Stephen R. Savitzky)
Rumors in Cyberspace (Adam Shostack)
Priests told to keep cell phones out of confession (Mich Kabay)
Cellular phones (Chaim Seymour)
Web Page copying reader's system information (Brian Leibowitz)
RISKS of posting to newsgroups (A. Padgett Peterson)
Good Pentium Followup (Martin Minow)
Invisible blue zone (Jeff Jonas)
RISKS of third-party-billed calls not uncommon (Tony Yip)
Self-disabling software (Jerry Leichter, Bob Brown)
What "RISKS of Third-Party-Billed Calls"? (Gary Beckmann, PGN, GB)
Re: attack scanning (Stephen Kelley, Frederick B. Cohen)
Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

----------------------------------------------------------------------

Date: Sun, 12 Feb 95 16:39:56 -0500
From: [email protected] (David Tarabar)
Subject: Stolen ATM Card nets $346,770

Thieves broke into a van and stole an Oregon woman's ATM card and
discovered her PIN number written on her Social Security card.
They then made repeated withdrawals, covering 100 miles and visiting
48 ATM machines over a three day period. (Friday night - Monday 2 AM)

They were able to get $346,700 in cash with the help of some
questionable computer systems.

1) Ordinarily there is a $200 daily limit for withdrawals. However,
"because of a computer program change at the Oregon TelCo Credit
Union, the limit was not in effect that weekend."

2) When the account was down to zero, the thieves fed empty deposit
envelopes into the machine and credited the account with bogus
deposits of $825,000 -- and then made withdrawals against this sum.

Technology did work in at least one respect.  At least 5 of the machines
had taken photos of the people using the stolen card. Three persons
are in custody and are facing Federal charges.

[From an AP report in the New York Times 12 Feb 1995.]

  [Also noted on-line by
     Jerry Whittle, Belleville, Illinois  <[email protected]>,
     [email protected] (Paul Szabo),
     "Mich Kabay [NCSA Sys_Op]" <[email protected]>,
     [email protected] (Dave V. Schaller), and
     [email protected] (David Olsen),
  and by snail-mail from Ed Coover at MITRE-McLean VA.  PGN]

------------------------------

Date: Sun, 12 Feb 95 12:05:00 cst
From: "Whittle, Jerome SMSgt" <[email protected]>
Subject: Stolen ATM Card nets $346,770

I see a number of mistakes/risks here.
1. Smith left her purse in a van overnight and wrote down her PIN
  number.
2. The bank's software allowed withdrawals of over $200 per day.
3. The bank immediately credited someone's account for a deposit - even a
  huge amount like $820,500.  My bank doesn't credit my account until the
  next business day.
4. Only about 10% of the ATM machines had hidden cameras.  Had the crooks
  been a little more lucky, they may have never been caught.
5. Karen Smith isn't liable for the theft even though she left her card and
  PIN number unsecured.  I believe that she should shoulder some of the
  blame and loss.

Jerry Whittle, Belleville, Illinois  <[email protected]>

------------------------------

Date: 10 Feb 95 07:42:36 EST
From: "Mich Kabay [NCSA Sys_Op]" <[email protected]>
Subject: Sweden-Pedophiles-Internet

From the Associated Press news wire via CompuServe's Executive News Service:

       APn  02/06 1228  Sweden-Pedophiles-Internet
       By THOMAS GINSBERG
       Associated Press Writer

       STOCKHOLM, Sweden (AP) -- Pedophiles have found a home on the
       Internet and exchange hundreds of pictures a week through
       anonymous conduits, a researcher said Monday.

       The statistics provided a glimpse at the scope of the potentially
       illegal activity, which police fear can lure kids into sex. It
       came from a study by Mats Wiklund, a researcher at Stockholm
       University's Institute of Computer and System Science.

       During a seven-day period in late December and early January,
       Wiklund counted 5,651 messages or postings about child
       pornography in four electronic "bulletin boards."

The author makes the following key points:

* Many graphics showed what appeared to be "adolescents engaged in
 sexual acts."  A few showed young children, apparently to attract
 the interest of other pedophiles.

* The messages tracked and counted were a fraction of the total traffic,
 since Wiklund was unable to track private e-mail and scanned only
 about half of the porn-related groups he knew of.

* Most of the pornographic messages were sent through the anonymizing
 server located in Finland.

* The Internet offers advantages to pedophiles:

       "The Internet has become a channel of communication for
       pedophiles," Wiklund said. "From their point of view, they've
       found a green technology. You can be anonymous and still be
       reached."

* Exchanging pornography electronically is a crime in many areas of the
 world:

       In most countries the distribution of child pornography is
       illegal. Two years ago, U.S. police raided about 40 locations
       where people were exchanging child pornography by computer.
       Two Danes were convicted in 1993 of transmitting child
       pornography to an estimated 6,000 people worldwide.

* 85% of the messages Wiklund scanned were fantasies about sex with
 children or technical tips on how to transmit pornographic pictures.

* Law enforcement officials are still unsure of how to handle this
 traffic:

       Finnish detective Sgt. Timo Laine said it was unclear whether
       the country's laws would apply to "electronic smuggling" by
       computer. He said he did not know whether police would take
       action against the computer owner in Finland.

       "We've never had this kind of case before," Laine said. "If
       I transmit this information through the Internet, is it
       considered smuggling?"

M.E.Kabay,Ph.D., Director of Education, Natl Computer Security Assn
(Carlisle, PA); Mgmt Consultant, LGS Group Inc. (Montreal, QC)

------------------------------

Date: Tue, 14 Feb 95 15:14:36 -0800
From: [email protected] (Stephen R. Savitzky)
Subject: A RISKy place on the Web

There was an announcement in misc.kids.computers yesterday that, at first
glance, appeared to be just what it said: ``a communication playground for
children ages 8-12''.  The full text of the announcement is quoted below:

 KidsCom, a communication playground for children ages 8-12 is up and
 running.  Kids can find key pals, get help with Internet questions from an
 Internet guru, talk about what they'd like to be when they grow up, explore
 links to other children's sites, enter sweepstakes to win prizes, and give
 feedback on what they'd like to see and do on the Internet.

 http://www.spectracom.com/kidscom/
 For more info, please email [email protected]

What they didn't mention, however, was that before you can ``play'' you have
to fill out a form that asks for:  name, address, e-mail address, demographic
information, *and a password*!  Some people are already advising kids against
giving out their names and addresses on the Net; this goes *much* farther.

There are at least two risks here, the most obvious being the risk (almost a
certainty) of ending up on some direct marketer's mailing list.  The other one
is the usual one of sending passwords in the clear: what if the kid has an
account on a Unix system somewhere (mine does, on our Linux box at home), and
what if they use the same password in both places?

Now, the folks at SpectraCom may simply not have thought about the potential
consequences of what they're doing; their description of the company as

a full service research, strategic planning and communications company that
specializes in conveying information in an understandable and actionable
way.                                                          ^^^^^^^^^^(sic)

would seem to indicate as much.  But the same technique could be used by
someone trolling for easy systems to crack.  It would work even better on
adults, of course, and the next bunch might ask for a 4-digit number instead
of a password...

Hey, kid, want a free lollypop?  Just fill out this form...

Steve Savitzky h:[email protected] 408-294-6492 http://www.rahul.net/starport/
           w:[email protected] 415-496-5710 http://www.crc.ricoh.com/~steve/

------------------------------

Date: Thu, 9 Feb 1995 16:15:32 -0500 (EST)
From: Adam Shostack <[email protected]>
Subject: Rumors in Cyberspace (Kabay, RISKS-16.79)

In RISKS-16.79, Mich Kabay writes:

> ...  Now imagine this rumour spreading through cyberspace, aided by
> anonymous postings ...

       While there may be risks in anonymous postings, spread of rumors
really doesn't seem to be one of them.  The "Good Times" virus of a few
months back spread without going through anonymizing services.  This is to
be expected of the way rumors spread.  People who saw and spread the virus
did so because they heard it from people they knew.

       Attempts to spread rumors through anon. services will be subject to
much more fact checking and consideration than 'normal' rumors.  News and
mailing lists do just fine in causing runaway rumor spread.  There's
little that anonymous servers will do to change that.

Adam

------------------------------

Date: 09 Feb 95 07:51:57 EST
From: "Mich Kabay [NCSA Sys_Op]" <[email protected]>
Subject: Priests told to keep cell phones out of confession

From the Reuters news wire via CompuServe's Executive News Service, yet
another unexpected technological interference with a religious process:

       RTw  02/08 0749  Priests told to keep cell phones out of confession

       ROME, Feb 8 (Reuter) - Even Italians who religiously carry
       their cellular phones while dining in restaurants or jogging
       in forests might draw the line against priests using them in
       the confessional box.

       An Italian Catholic magazine has told priests who own such
       phones to keep them out of the confessional box or at least
       turn them off while administering the sacrament to the faithful.

It seems the February editorial in _Vita Pastorale_, a monthly magazine
for parish priests, cited a case in which a woman complained after her
priest's cell phone rang during her confession.

       A cartoon in the left-leaning daily La Repubblica showed a
       priest in a confessional box holding a cellular phone to his
       ear while simultaneously hearing a member of the faithful confess.

       "Say three Our Fathers and three Hail Marys...No, no I wasn't
       talking to you," the priest says to the caller.

M.E.Kabay,Ph.D., DirEd, Natl Computer Security Assn (Carlisle, PA);
Mgmt Consultant, LGS Group Inc. (Montreal, QC)

------------------------------

Date: Sun, 12 Feb 1995 15:28:20 +0200
From: [email protected] (Chaim Seymour)
Subject: Cellular phones

Re: M.E. Kabay's posting. The official Israeli term for Cellular phones:

 The term 'pelephone' means 'wonder phone' and not 'miracle phone'.

It is generally used and is not peculiar to Rabbis.

Chaim Seymour, Chairman, Cataloguing and Classification Dept, Wurzweiler
Library, Bar-Ilan University, Ramat Gan 52100 Israel  Tel: 03-5318127

------------------------------

Date: Fri, 10 Feb 1995 09:40:37 -0800
From: [email protected] (Brian Leibowitz)
Subject: Web Page copying reader's system information

I found this on the edupage newsletter.
****************************************************************************
Edupage, a summary of news items on information technology, is provided
three times each week as a service by Educom -- a Washington, D.C.-based
consortium of leading colleges and universities seeking to transform
education through the use of information technology.
****************************************************************************

ONLINE SPYING
While you're connected to your favorite Web page, it's also connected to
you, and could be copying all sorts of information off your hard drive, say
industry experts. In fact, it happened last year when Central Point
Software used registration software developed by Pipeline Communications,
and inadvertently also gathered descriptions of the users' systems -- the
type of microprocessor, the version of DOS and Windows, the type of display
and mouse, and the amount of free space available on the hard drive.
Customers squawked, and Central Point had Pipeline change the software.
However, Pipeline reports that at least one of its clients is using the
scanning feature now -- but only after getting the owner's permission. The
lesson? "If you can't trust it, don't connect to it." (Forbes 2/13/95
p.186)

Brian Leibowitz  [email protected]

------------------------------

Date: Thu, 9 Feb 95 11:43:59 -0500
From: [email protected] (A. Padgett Peterson)
Subject: RISKS of posting to newsgroups

>From:  UVS1::"[email protected]"  8-FEB-1995 22:25:48.89
>To:    [email protected]
>CC:
>Subj:  Anonymous code name allocated.

>You have sent a message using the anonymous contact service.
>You have been allocated the code name an199742.
>You can be reached anonymously using the address
>[email protected].

>If you want to use a nickname, please send a message to
>[email protected], with a Subject: field containing your nickname.

>For instructions, send a message to [email protected].

This arrived in my morning mail. Seems someone has either subscribed to the
FIREWALLS newsgroup or set up a mail forwarder such that anyone posting to
the FIREWALLS group is automatically granted an "anonymous" account.

Since ANON.PENET.FI is generally believed to have been compromised some time
ago and all accounts/real user names extracted, this could be an attempt by
someone wanting to discredit any such list (wonder if the numbers are
assigned sequentially).

Personally, I have no use for such an account and did not request it (why
I did not bother to obscure the account number), just one reason being that
"Security by Obscurity" has been proven not to work in the long term, another
being that I would consider certain domestic agencies lax if they were not
monitoring international gozintas and gozoutas.  Of course, on the gripping
hand (literary plug) this may have a plus in that anyone who receives an
account this way probably did not have one before.  8*)

Padgett

------------------------------

Date: Thu, 9 Feb 1995 16:45:22 -0800
From: [email protected] (Martin Minow)
Subject: Good Pentium Followup

In IEEE Spectrum, February 1995, there's a good overview of the Pentium
problem, including a reasonable amount of technical detail and links to
several technical papers.

Of particular interest to Risks readers is the author, Linda Geppert's,
conclusion:

"These scientists and others did all of us a service by digging deep into
the causes and ramifications of the bug and so precipitating Intel's
no-questions-asked replacement policy. But in the process they spent
valuable time and effort on something that could have been a non-problem,
had Intel been more forthcoming."

Martin Minow  [email protected]

------------------------------

Date: Tue, 14 Feb 1995 18:29:13 -0500 (EST)
From: Jeff Jonas <[email protected]>
Subject: Invisible blue zone

With all the outcry about people not knowing what phone calls cost, this is
somewhat related in that people are assumed responsible for knowledge that
is not readily available.

In a TV "Shame On You" report, it was shown that an entire area of lower
Manhattan, New York is a "Blue Zone" where the curb is SUPPOSED to be
painted blue and have signs that tell that there's no parking and it's a tow
away zone.  Well, there are entire blocks with NO signs or paint on the
curbs.  The traffic department issued tickets from US $55 to $200 if towed.
Appeals are useless as even a reporter with the parking commissioner was
told that "leaflets were distributed".  Yea - back in 1988.  Traffic court
simply found everyone 'guilty'.  So now the leaflets are being distributed,
along with the parking ticket.  So even when there's no notification or
warning, New York City's Parking Violations Bureau doesn't back down and
gets to keep your money.  At least with the phone companies, folks seem to
be getting refunds.

Now jump to the computer network world.  There are many newcomers spamming
USENET with posting to EVERY newsgroup (some apparently use some script as
they're too thorough to post to EVERY newsgroup so fast, and some even
crosspost to 8-10 groups at a time).  When informed "you should not do
that", some reply "nobody told me it was wrong, where was I to find out?".

I'm not sure of the balance of abiding by the rules that you never read vs
"how was I supposed to know?".  (Ex: "I never knew murder was illegal" is no
defense anywhere I know.)

There are cancel-bots used to filter out internet abusers.  I'm concerned
about a denial of service attack.  Let's say somebody forges my header and
spams the network.  The cancelbots then cancel those postings and I'm
essentially barred from the internet.  Unless I get replies that I'm being
blocked, I have no way to know to appeal (let alone to whom) and I must get
a new network identity to ever reachieve connectivity.  My apologies if the
cancelbot control is already centralized and fair, but I fear that I may be
blocked with no way to appeal, even if wrongly accused.  I guess this boils
down to internet connectivity being a privilege, not a right.

-- Jeffrey Jonas  [email protected]

------------------------------

Date: Mon, 13 Feb 1995 15:06:16 -0800 (PST)
From: "Tony Yip, 431-3183, F13" <[email protected]>
Subject: RISKS of third-party-billed calls not uncommon (Altman, RISKS-16.80)

I find that a reader's experience with PacBell's third party billed policy is
not uncommon. Living in Vancouver, BC, I've had to call BC Tel periodically
(meaning once every year or two depending on my luck) to credit my bill with
third party calls that I did not make.

It appears that BC Tel rarely verifies third party calls. In other words,
anybody can pick up a pay (or any other) phone, dial the operator and request a
long distance call to be billed to a third phone number that they make up. The
operator may ask for the caller's name but, again, that is not verified so any
name will do.

I am not certain but I believe the route BC Tel takes is that if they cannot
collect from the caller (i.e. the person who gave a phony name and third party
number), they will try to collect from the number that was called.

The first risk is the overall reactive approach to chase down fraud after it
has occurred with no attempt to prevent it. In other words, the onus is on the
customer to check if his/her telco has made a billing mistake. In a large
family with several teenagers, this type of bill checking for erroneous third
party calls is quite impossible.

The second risk is attempting to collect from the called party. What if the
long distance call is a nuisance call from an ex-spouse? Or a $200 long
distance call from old school mates or friends or whoever (and you thought they
were so nice to call you!)... The list goes on. And what about the legal
implications of asking people to pay for calls that they did not initiate nor
authorize?

But...there is no outcry so I guess the problem is not serious enough to
warrant drastic action.

------------------------------

Date: Mon, 13 Feb 95 17:25:18 EDT
From: Jerry Leichter <[email protected]>
Subject: Self-disabling software (Epstein, RISKS-16.79)

In RISKS-16.79, Jeremy Epstein describes a proposed Virginia law requiring
that companies notify customers if the software they sell has a
self-disabling feature (e.g., after some period of time).  The law would
apparently not ban such features.

Mr. Epstein then lists two potential risks:

       a)  Does informing people that the software is self-disabling
               encourage them to try to subvert the feature?

I'm actually rather surprised that anyone would consider these to be *risks*.
Is it a bad idea to inform people that they are liable for no more than $50
in charges on their credit cards because it encourages them to be
careless with their cards?  Does telling them their cars have dual-redundant
brakes encourage them to experiment with their master cylinders?

There are certainly good arguments for and against banning self-disabling
software to begin with.  But if it's to be allowed, requiring fair notice to
those who receive the software certainly seems very reasonable.  If this
perhaps makes life a bit tougher for those whose view of doing business is
"Well, if the customer doesn't pay up, I'll *really* screw him," isn't that
just too bad?

       b)  If someone did and that triggered the disable feature, would
               that come under the law?

It's beyond me what could be in the law that such tampering could possibly
"come under".  Even if the idea is that people could get themselves into
trouble by such tampering, which they would not have been tempted to try
without the required disclosure - is there really any reason why the law
should try to protect those individuals who are not only dishonest but
incompetent to boot?

       Mr. Epstein continues:  And what if it were used in safety critical
       systems: "I'm sorry, but the license period on the software in your
       heart monitor has expired.  Please contact the vendor to reenable."

I am at a loss as to what this has to do with the proposed law, vague as the
description we have of it might be.  Is Mr. Epstein upset because the law
doesn't simply ban self-disabling features?  It also doesn't ban murder, but
so what.  A general ban on self-disabling features might require some tough
arguing, but a ban on such features for safety-critical systems would be much
harder to oppose.  In any case, I would think it's hardly necessary:  The
liability if a deliberate action led to a serious injury or death would be
enormous.  I should think any lawyer would quite properly have no trouble
convincing a jury that the installation of code to disable a heart monitor
constituted depraved indifference to human life, among other nasty things -
with or without notice.
                               -- Jerry

------------------------------

Date: Thu, 9 Feb 95 00:01:45 EST
From: [email protected] (Bob Brown)
Subject: Self-Disabling Software (Epstein, RISKS-16.79)

Jeremy Epstein (RISKS-16.79) sees a risk in a proposed Virginia law
requiring disclosure of self-disabling features in software for sale.  Such
a law is actually an extremely good idea and a reducer of risks.  Many
reputable companies, e.g. the SAS Institute, use self-disablers as a way of
enforcing their license agreements.  Unhappily a small number of
disreputable companies have used the same technique to sandbag buyers in the
event of a contract dispute.  With regard to Mr. Epstein's example of
medical monitoring software (ahem) expiring, aren't the RISKS substantially
reduced if one knows beforehand that this is going to happen on a given
date?

------------------------------

Date: Tue, 14 Feb 1995 10:59:07 -0500
From: [email protected] (Gary Beckmann)
Subject: What "RISKS of Third-Party-Billed Calls"? (Altman, RISKS-16.80)

Micah Altman writes about a "risk" of 3rd party calls in RISKS-16.80.
However, this has always been SOP as far as I am aware.  It was an oft used
method of making long distance calls when I was in college.  Generally,
since I was calling from a listed number, the operator would "take my word
for it".  My parents would check the phone bill when it came.  If they
protested a call then the charge would be made to the number I called from.
If you call from a pay phone, the operator will verify before charging the
number you request.

The only risk is the good ol' risk of not checking your bill when it comes in
the mail.  At least we have that, the eight years I lived in Austria I never
got an itemized bill.  You took the Post/Telephone Company's word for it!!!
Now, there was a risk!

Gary Beckmann

------------------------------

Date: Tue, 14 Feb 95 8:53:03 PST
From: Peter G. Neumann, Moderator <[email protected]>
Subject: Re: What "RISKS of Third-Party-Billed Calls"? (Beckmann, RISKS-16.81)

You are correct that it is not new.  But practice a few years ago was NEVER
to accept a third-number charge unless it was verified live by the third
party.  With the new automated servers, that has been abandoned.  The
savings in fewer operators seems to offset the losses.

------------------------------

Date: Tue, 14 Feb 1995 15:53:52 -0500
From: [email protected] (Gary Beckmann)
Subject: Re: What "RISKS of Third-Party-Billed Calls"? (RISKS-16.81)

So the question, then, is for whom is the risk?  The customer who
doesn't read the bill?  The telephone carrier who swallows the cost of
fraud?  The operators who are losing their jobs?

------------------------------

Date: Mon, 13 Feb 95 15:43:47 -0500
From: [email protected] (Stephen Kelley)
Subject: Re: attack scanning (Cohen, RISKS-16.80)

- Management Analytics is offering (in a test mode only) the ability to
- scan sites over the Internet for well-known over-the-wire security holes.

What assurance is there that the results mailed back to the
system administrator actually match the result of the test?

       Send us the name of a computer you're worried about
       and we'll try to break in.  If we can, we'll tell you
       about it.  Really, we will.

Not my computers, thanks just the same.

Steve Kelley, Purdue University Cytometry Laboratories

------------------------------

Date: Mon, 13 Feb 1995 16:11:50 -0500 (EST)
From: "Dr. Frederick B. Cohen" <[email protected]>
Subject: Re: attack scanning (Kelley, RISKS-16.81)

> What assurance is there that the results mailed back to the
> system administrator actually match the result of the test?

These are all tests you can perform yourself using public domain
software (for the most part).  The service is just a convenience
for checking against external attack from an external location.
But even more importantly, it helps test your detection capability.

>       Send us the name of a computer you're worried about
>       and we'll try to break in.  If we can, we'll tell you
>       about it.  Really, we will.

Really!

> Not my computers, thanks just the same.

You are very welcome to use it or not at your discretion.

FC

------------------------------

Date: 6 February 1995 (LAST-MODIFIED)
From: [email protected]
Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

The RISKS Forum is a moderated digest.  Its USENET equivalent is comp.risks.
Undigestifiers are available throughout the Internet, but not from RISKS.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on
your system, if possible and convenient for you.  BITNET folks may use a
LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS.  U.S.
users on .mil or .gov domains should contact <[email protected]>
(Dennis Rears <[email protected]>).  UK subscribers please contact
<[email protected]>.  Local redistribution services are
provided at many other sites as well.  Check FIRST with your local system or
netnews wizards.  If that does not work, THEN please send requests to
<[email protected]> (which is not yet automated).  SUBJECT: SUBSCRIBE
or UNSUBSCRIBE; text line (UN)SUBscribe RISKS [address to which RISKS is sent]

CONTRIBUTIONS: to [email protected], with appropriate,  substantive Subject:
line, otherwise they may be ignored.  Must be relevant, sound, in good taste,
objective, cogent, coherent, concise, and nonrepetitious.  Diversity is
welcome, but not personal attacks.  PLEASE DO NOT INCLUDE ENTIRE PREVIOUS
MESSAGES in responses to them.  Contributions will not be ACKed; the load is
too great.  **PLEASE** include your name & legitimate Internet FROM: address,
especially from .UUCP and .BITNET folks.  Anonymized mail is not accepted.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues
of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.
All other reuses of RISKS material should respect stated copyright notices,
and should cite the sources explicitly; as a courtesy, publications using
RISKS material should obtain permission from the contributors.

RISKS can also be read on the web at URL http://catless.ncl.ac.uk/Risks
  Individual issues can be accessed using a URL of the form
  http://catless.ncl.ac.uk/Risks/VL.IS.html
  (Please report any format errors to [email protected])

RISKS ARCHIVES: "ftp unix.sri.com<CR>login anonymous<CR>YourName<CR>
cd risks<CR> or cwd risks<CR>, depending on your particular FTP.
Issue J of volume 16 is in that directory: "get risks-16.J<CR>".  For issues
of earlier volumes, "get I/risks-I.J<CR>" (where I=1 to 15, J always TWO
digits) for Vol I Issue j.  Vol I summaries in J=00, in both main directory
and I subdirectory; "bye<CR>"  I and J are dummy variables here.  REMEMBER,
Unix is case sensitive; file names are lower-case only.  <CR>=CarriageReturn;
UNIX.SRI.COM = [128.18.30.66]; FTPs may differ; Unix prompts for username and
password.  Also ftp [email protected].  WAIS repository exists at
server.wais.com [192.216.46.98], with DB=RISK (E-mail [email protected] for info)
  or visit the web wais URL http://www.wais.com/ .
Management Analytics Searcher Services (1st item) under http://all.net:8080/
also contains RISKS search services, courtesy of Fred Cohen.  Use wisely.

------------------------------

End of RISKS-FORUM Digest 16.81
************************