Subject: RISKS DIGEST 17.21
REPLY-TO: [email protected]

RISKS-LIST: Risks-Forum Digest  Monday 31 July 1995  Volume 17 : Issue 21

  FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, etc.       *****

 Contents:
NYT No-Op-Ed
Air Traffic Snafu, VOA's Paul Francuch in Chicago (Danny Burstein)
Radar Falls Short of Promise (Charles P. Schultz)
Air-force pilots sleep on job? (Mike Crawford)
Bad cop abuses access to personal computer data (David Jones)
Warning on Using Win95 (J Breyer via Paul Saffo via Li Gong)
Re: Woman electrocuted using hotel card-key (William Kucharski and Dan Hoey)
Risks of Surgery by Microbot (Mich Kabay)
Re: Internet gambling (Dr. Dimitri Vulis, Andy Isaacson)
Good news for a change (Nancy Leveson)
But to REALLY screw up takes a computer... (Edward Rice)
UK hacker reference (Steve Bellovin)
Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

----------------------------------------------------------------------

Date: Wed, 26 Jul 95 18:12:overture PDT
From: "Peter G. Neumann" <[email protected]>
Subject: All the News that Fits We Print: No-Op-Ed

On 10 July 1995, Simson Garfinkel gave me a copy of *The New York Times*
Op-Ed page from that day's National Edition.  The page was mostly blank,
with a nicely black-boxed obit-like message:

          ------------------------------------
          |                                  |
          |         TO OUR READERS           |
          | Because of a computer breakdown, |
          | some copies of The Times were    |
          | printed without the Op-Ed page.  |
          |                                  |
          ------------------------------------

Yes, I know, the page was there; it was the Ob-Ed contents that were a No-Op.

------------------------------

Date: 24 Jul 1995 23:04:08 -0500
From: [email protected] (danny burstein)
Subject: Air Traffic Snafu, VOA's Paul Francuch in Chicago

In suburban Chicago, the main computer used by air-traffic controllers for
the busy midsection of the United States was out of service Monday, for the
third time in a week.  [The good news is that the really archaic backup
system still works, although there is some disagreement over how safe it is.
The main computer system is now 30 years old.]

The control system in Aurora, Illinois, handles almost 10 thousand passing
flights a day, and despite the shut-down Monday, most airline passengers
were burdened by only minor delays.

 [Source: Paul Francuch, Voice of America, 24 Jul 1995, 10:04 PM EDT]

------------------------------

Date: 26 Jun 95 08:36:20 -0600
From: [email protected]
Subject: Radar Falls Short of Promise

Airport Surveillance Radar 9 (ASR9) was supposed to be extremely reliable.
ASR9s operating at Miami International Airport and Fort Lauderdale-Hollywood
International Airport have failed a total of 13 times since 24 May 1995 -
six times in the week of 17 July.  (On 20 July, for example, the Fort
Lauderdale ASR9 was down nearly five hours, following a lightning storm.)
ASR9s have also failed at others of the 101 airports where it has been
deployed.

While the Federal Aviation Administration maintains that passenger safety is
not compromised, the agency now acknowledges that it no longer considers
ASR9 nearly as reliable as it once did. Jerry Taylor, FAA radar program
manager, said Friday his agency now rates ASR9 reliable only 99.35 percent
of the time (instead of the originally advertised 99.99 percent).
[That is .65 unreliability instead of .01, off by a factor of 65.]

Although the antenna may be operating, a break in a telephone line could
prevent a radar screen from displaying data essential for tracking planes.

 Down time is a significant issue in the Miami-Fort Lauderdale area because
the twin ASR9 radars rely on each other for backup.  When Miami fails,
controllers switch to Fort Lauderdale and vice versa.  Were the two systems
to fail simultaneously (they haven't yet), they could put aircraft at risk.
(There is no third backup.)

 The Cleveland Plain Dealer, which exposed ASR9 problems in articles in
late 1993, said the Huntsville ASR9 sustained 42 outages between January
1990 and December 1993, totaling 130 hours of down time.

 The worst string of outages, the newspaper said, occurred at the
Tri-Cities Airport in Pasco, Wash., where the ASR9 had been down a total of
3,545 hours or an average of 1,181 hours or 49 days a year.

 Airport after airport was listed by the Plain Dealer as showing outages,
glitches or failures. Glitches included phantom planes, real planes that
vanished from screens and frequent outages.

 Separately, in June 1992, Aviation Daily reported major ASR9 snafus at the
St.  Louis Lambert Airport.

 And Friday, The Tampa Tribune reported that Tampa's ASR9 is also
glitch-ridden because it has a tendency to miss storms.

 In some cases, problems have been traced to software glitches or to
lightning like the Fort Lauderdale case Thursday. John Dunkerly, president
of the Harrisburg, Pa., chapter of the National Air Traffic Controllers
Association, told the Plain Dealer it was his view the ASR9 "was vulnerable
to lightning."  Officials in Cleveland and Detroit also expressed the same
complaint.

[Source: MIA's radar falls short of promise, But passengers are safe, FAA
says by Alfonso Chardy, Herald Staff Writer, _The Miami Herald_, 24 June
1995, P.1.  Stark abstracting by PGN.]

 [A side box notes that a modification ``adds a computer chip to the radar
 computer to prevent the system from receiving `erroneous messages'.''
 (Hopefully, this won't result in ignoring ERROR messages!)  In general,
 this case seems to have many risky elements - backups dependent on one
 another, system dependencies on sub-systems (e.g. phone, power lines)
 that may not be as reliable or fail-safe as the radar product itself,
 and the fact that the ``caretakers'' of the system (FAA) may not be taking
 a ``total customer satisfaction'' approach to solving the system's problems.]

Charles P. Schultz  Motorola

------------------------------

Date: Fri, 16 Jun 95 19:03:06 -0700
From: [email protected] (Michael D. Crawford)
Subject: Air-force pilots sleep on job?

The father of a friend of mine is a retired US Air Force transport plane
pilot, having flown such planes as C5's and C141's.  Last weekend my friend
mentioned that his father sometimes flew for 20 hours at a stretch.

"They take turns sleeping, don't they?" I asked.

"Sometimes they just turn the autopilot on.  It rings an alarm before
course corrections during the flight, so they can wake up and make sure that
it is working right."

"But what if the autopilot screws up while they are asleep?"

"How could that happen?  They have _five_ computers on board!"

This filled me with confidence to know that the sheer number of computers
in the autopilot gives Air Force pilots the tranquillity they need to get a
good night's sleep while their plane flies itself across the ocean...

Mike Crawford  [email protected]

------------------------------

Date: 27 Jul 1995 13:29:49 -0400
From: [email protected] (David Jones)
Subject: Bad cop abuses access to personal computer data

[from efc-talk, January 7, 1995, updated July 26, 1995]

       Bad cop abuses access to personal computer data

  "If we, just by fluke at guessing the dates to check,
  found three records called up in an unauthorized manner,
  just how much more is there?  It's very scary."
       --- Kim Zander, "Every Woman's Health Centre"
                       (an abortion clinic in Vancouver, BC)

In August, 1994, several clinic staff received phone calls or mail
from anti-abortion activists.  They found this rather unsettling,
because they'd made a point of trying to keep personal information
like address or telephone numbers private.

This concern led them to the police, to whom they explained that
anti-abortion activists were recording license plate numbers outside
the clinic and apparently using them to track down personal information
.. but the police didn't seem to do much.

In September, 1994, Gordon Watson, a prominent local anti-abortion activist,
stated while on the stand in a court hearing that he had gathered license
plate numbers in order to "follow up on them" and he "paid good money"
to get personal information about the car owners.  When clinic staff
asked the Crown counsel and police to investigate, they were told,
"Give us two weeks."

After two months of hearing nothing, the women filed a
freedom-of-information request on November 15th with the Insurance
Corporation of British Columbia (ICBC maintains all auto insurance and
registration) seeking to find out who had been accessing their personal
records.  They provided 8 of their license plate numbers to be checked.

The ICBC information officer explained that while daily access logs were
kept, accesses were not recorded in the personal records themselves.
Without specific dates to check, finding out who accessed their records
would be next to impossible.

So the women just guessed, based on when they'd been contacted.

Those were lucky guesses.  On December 6th, the information officer said
that 3 out of 8 records had been accessed, and those accesses were
suspicious, so he'd contacted the RCMP.  The accesses originated in the
Delta police department, in a suburb of Vancouver.

Any cheers for the power of the FOI legislation must be tempered by the fact
that the RCMP apparently sat on this issue for another month until,
frustrated after what was now four months with no signs of an investigation,
the women contacted the media.

Apparently, it was media inquiries that sparked some action.  On January
5th, the RCMP informed the Delta police that potentially inappropriate
computer accesses were coming from their department.  Constable Steve
Parker, whose anti-abortion views were well known, was now under a cloud of
suspicion.  The very same day, all Canadian TV networks ran news stories on
the situation.

[efc-talk, update, July 26, 1995]

Officer admits to improper use of police computer

(excerpt from Canadian Press wire service:)

DELTA, B.C. (CP) -- A police officer acknowledged yesterday
that he acted improperly when he used a police computer to
check the licence plates of cars parked outside a Vancouver
abortion clinic.

Steve Parker of the Delta police force was charged with
discreditable conduct under the Police Act and faces a
maximum penalty of a five-day suspension without pay.

------------------------------

Date: 30 Jun 1995 07:47:48 U
From: "Paul Saffo" <[email protected]>
Subject: Warning on Using Win95

From PLS_MCI_MAIL             FWD>>Warning on Using Win95

Date: 6/26/95 8:44 PM
From: [email protected]
Subject: Warning on Using Win95 [Update on RISKS-17.13 item]

Believe it or not, this is not Net humor but serious.  It would otherwise
be outstanding satire!

Subject: Windows 95 Warning on comp.risks [RISKS-17.13], in Information Week

Microsoft officials confirm that beta versions of Windows 95 include a small
viral routine called Registration Wizard.  It interrogates every system on a
network gathering intelligence on what software is being run on which
machine.  It then creates a complete listing of both Microsoft's and
competitors' products by machine, which it reports to Microsoft when
customers sign up for Microsoft's Network Services, due for launch later
this year.

"In Short" column, page 88, _Information Week_ magazine, May 22, 1995

The implications of this action, and the attitude of Microsoft to plan such
action, beggars the imagination.

An update on this. A friend of mine got hold of the beta test CD of Win95,
and set up a packet sniffer between his serial port and the modem. When you
try out the free demo time on The Microsoft Network, it transmits your
entire directory structure in background.

This means that they have a list of every directory (and, potentially every
file) on your machine. It would not be difficult to have something like a
FileRequest from your system to theirs, without you knowing about it. This
way they could get ahold of any juicy routines you've written yourself and
claim them as their own if you don't have them copyrighted.

Needless to say, I'm rather annoyed about this.
So spread the word as far and wide as possible: Steer clear of Windows 95.

There's nothing to say that this "feature" will be removed in the final
release.

 [GML addition: Prodigy was accused of doing something similar several
 years ago.  In that case it was not nearly as threatening due to: 1) it
 was limited to a single PC, 2) Prodigy couldn't do much with the info
 (i.e.  they could not pursue you for copyright infringement, nor were they
 trying to expand into so many businesses the way Microsoft is).]

------------------------------

Date: Fri, 28 Jul 1995 18:01:44 -0600
From: William Kucharski <[email protected]>
Subject: Re: Woman electrocuted using hotel card-key

I have to object to the inference that the woman was somehow electrocuted
because she was using a card key lock.

For those familiar with the VingCard system, there is NO WAY the woman could
have been electrocuted by the lock itself, as the card key is
(nonconductive) plastic.  The woman was likely electrocuted when she grabbed
the metal doorknob.

If a faulty A/C caused the problem by causing the door to acquire a charge
(obviously a metal door), she would have been electrocuted even if the hotel
had used a conventionally keyed door lock (and would have most likely been
zapped when she inserted the key into the lock).

An additional issue is the fact that most hotels have metal door frames (to
make it more difficult for a door to be kicked in), meaning that mere contact
with the door FRAME would most likely have been fatal.

William Kucharski  [email protected]

   [also commented further on by various others, including
      Jim Garrison <[email protected]>, and
      Dan Hoey <[email protected]>, who added (among other things),
 This is the hotel that hosted the Disclave science fiction convention
 from 1984 to 1991, and so this incident was much on the minds of the
 Washington Science Fiction Association at its meetings last month.
 ... I suppose it could be considered a technological risk that the
 use of card-key entry systems has led to grounded doorknobs.  Dan Hoey
   PGN]

------------------------------

Date: 14 Jul 95 10:45:37 EDT
From: "Mich Kabay [NCSA Sys_Op]" <[email protected]>
Subject: Risks of Surgery by Microbot

From the German Press Agency news wire via CompuServe's Executive News
Service; translated by MK with the help of Power Translator Deluxe 1.0 from
Globalink Inc:

Mini - Robots should make possible long-distance operations

Karlsruhe (German Press Agency) - scientists from Karlsruhe have developed a
Mini-robot which will enable remote surgery. The prototype has been built by
the university and the research center at Karlsruhe. These so-called
"Mikromanipulationsroboter" are about ten centimeters long and eight
centimeters broad and high.

The robot would be inserted in the field of operations and would allow
specialists from anywhere in the world to participate. The
computer-controlled instrument can make controlled movements with a
precision of a few microns.

It may lead to the construction of extremely small robots that could swim
through the veins of a person and, for example, remove plaque in
atherosclerotic arteries.

[Comments from MK:

Unless due attention is paid to protecting the data stream controlling these
devices, there will be direct human tragedy as a result of data errors,
radio-frequency interference, and from meddling by criminal hackers.

Can someone in the Karlsruhe area investigate the security measures being
put in place to protect surgical microbots from such interference?]

M.E.Kabay,Ph.D. / Dir. Education, Natl Computer Security Assn (Carlisle, PA)

------------------------------

Date: Tue, 20 Jun 95 21:48:29 EDT
From: [email protected] (Dr. Dimitri Vulis)
Subject: Re: Internet gambling (Koenig, RISKS-17.19)

 [From [email protected]  Tue Jun 20 21:16:51 1995]

>I wish I remember the title or author of the paper.  Anyway, such
>things leave me with the distinct impression that Internet gambling
>is no less feasible than any other kind of electronic commerce.
>
>Andrew Koenig  [email protected]

The quote is from the MIT Technical Report _Mental Poker_ by none other than
Adi Shamir, Ronald L. Rivest, and Leonard M. Adleman. (MIT-LCS-TM-125,
February 1979, about the same time they announced their RSA public key
cryptoscheme).  This was the seminal paper for the problem of playing
poker without a card deck over the telephone (or Internet), related to many
other network protocols, such as oblivious transfer.

I have the actual MIT report, but it was also reprinted in _The Mathematical
Gardner,_ edited by David A. Klarner, Wadsworth, 1981. The original RSA's
protocol (later compromised, see below) is also described in Wayne
Patterson's book _Mathematical Cryptology_.

RSA attributed the question: _Is it possible to play a fair game of ``Mental
Poker''?_ to Robert W. Floyd. However Heisenberg mentions in his memoirs
that Niels Bohr invented mental card games during a boring ski trip and
tried without success to write protocols for them.

The protocol originally proposed in the RSA paper was shown to be insecure
by Don Coppersmith ("Cheating at Mental Poker") and by Ron Lipton (How to
Cheat at Mental Poker, _Proceeding of the AMS Short Course in Cryptography_,
AMS, January 1981). Lipton found a way to determine one bit about the
messages using the fact that exponent mod n preserves quadratic residuosity.

A secure protocol for only two players based on probabilistic encryption was
proposed by Shafi Goldwasser and Silvio Micali (Probabilistic Encryption &
How to Play Mental Poker Keeping Secret All Partial Information. In
_Proceedings of the 14th Annual ACM Symposium on the Theory of Computing
(STOC)_, ACM-SIGACT, San Francisco, 1982, 365--377). This too was a seminal
paper on probabilistic encryption.

There are many variations on mental poker protocols for more than 2 players;
you may or may not have a "card dealer", trusted by all other players; allow
for collusion among some players. More papers on more than 2 players:

Mordechai Yung. _K-Player Mental Poker_. Master Thesis, Tel-Aviv U., 1982.

Mordechai Yung. Cryptoprotocols: Subscription to a Public Key, The Secret
Blocking, and the Multi-Player Mental Poker Game (extended abstract). In
_Advances in Cryptology: Proceedings of Crypto '84_, Lecture notes in
Computer Sciences #196, Springer Verlag, 1985, 439--453.

The paper by Imre B'ar'any, Zolt'an F"uredi, Mental Poker with Three or More
Players, _Information and Control_, v.59, 84--93, 1983, claims that a
similar problem for mental bridge was stated and partially solved by D.
Grigor'ev and Yu. Matiyasevich, but apparently not published in open
literature.

Steven Fortune and Michael Merritt, Poker Protocols, in _Crypto '84_,
454--464, also describe the history of mental card games.

Claude Cr'epeau. A Secure Poker Protocol That Minimizes the Effect of Player
Coalitions. In _Crypto '85_, 73--86.

Claude Cr'epeau. A Zero-Knowledge Poker Protocol That Achieves Confidentiality
of the Players' Strategy _or_ How to Achieve an Electronic Poker Face.
In _Crypto '86_ 240--247.

(The above paper is closely related to Gilles Brassard and Claude Cr'epeau,
Zero-Knowledge Simulation of Boolean Circuits, and to Gilles Brassard, Claude
Cr'epeau, and Jean-Marc Robert, All-or-Nothing Disclosure of Secrets, also in
_Crypto '86_. In the last protocol the players are not required to reveal their
cards at the end of the game to show that they didn't cheat.)

Finally, the extended abstract by Oded Goldreich, Silvio Micali and A.
Wigderson (How to Play Any Mental Game, or: A Completeness Theorem for
Protocols with Honest Majority, In _Proceedings of the 19th Annual ACM
Symposium on the Theory of Computing (STOC)_, ACM-SIGACT, 1987, 218--229)
mentions a general solution for _any_ such mental game.

Conclusion: the effort is not small-scale, rather old, many important papers
in cryptography had to do with mental poker, and the subject seems to have
been beaten to death. There are protocols now that don't require a "trusted
dealer".

 [Maybe, but SOME trustworthy operating systems are needed,
 as I commented in my "infostructure" insertum in RISKS-17.19 -- or
 else the crypto could be compromised.  PGN]
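
The one-bit leak attributed to Lipton above, as an added example (not code from the digest or from the cited papers). It assumes the exponentiation cipher c = m^e mod P over a small public prime P, and card codes 2..53 constructed for the demonstration; the squaring step at the end removes only this particular leak.

```python
"""Exponentiation with a secret odd exponent preserves quadratic residuosity."""
import math
import random

P = 2**31 - 1                # public prime modulus (toy size, assumed for the demo)
DECK = list(range(2, 54))    # 52 constructed card codes


def legendre(a, p=P):
    """+1 if a is a quadratic residue mod p, -1 otherwise (a not divisible by p)."""
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def keygen(rng):
    """Secret exponent e with gcd(e, P-1) == 1, plus its inverse d for decryption.

    P-1 is even, so any valid e is odd: that is what makes the leak unavoidable.
    """
    while True:
        e = rng.randrange(3, P - 1)
        if math.gcd(e, P - 1) == 1:
            return e, pow(e, -1, P - 1)


def encrypt(m, e):
    return pow(m, e, P)


def decrypt(c, d):
    return pow(c, d, P)


def shuffled_encrypted_deck(cards, e, rng):
    """One player's move: encrypt every card, then shuffle to hide the order."""
    out = [encrypt(m, e) for m in cards]
    rng.shuffle(out)
    return out


def class_sizes(ciphertexts):
    """What an observer learns with no key: (#residues, #non-residues)."""
    residues = sum(1 for c in ciphertexts if legendre(c) == 1)
    return residues, len(ciphertexts) - residues


def leak_holds(cards, *exponents):
    """True if every card keeps its residue class through all encryption layers."""
    for m in cards:
        c = m
        for e in exponents:
            c = encrypt(c, e)
        # (m^e)^((P-1)/2) = (+/-1)^e = +/-1 because e is odd
        if legendre(c) != legendre(m):
            return False
    return True


def encode_as_residue(m):
    """Countermeasure for this leak only: play with m^2 mod P, always a residue."""
    return (m * m) % P


if __name__ == "__main__":
    rng = random.Random(1995)            # fixed seed so the run is repeatable
    e_a, d_a = keygen(rng)
    e_b, d_b = keygen(rng)
    print("leak survives both layers:", leak_holds(DECK, e_a, e_b))
    print("plain deck classes:", class_sizes(shuffled_encrypted_deck(DECK, e_a, rng)))
    squared = [encode_as_residue(m) for m in DECK]
    print("squared deck classes:", class_sizes(shuffled_encrypted_deck(squared, e_a, rng)))
```

Because the encrypted deck splits into the same two classes as the plaintext deck, a player holding a ciphertext can rule out every card in the other class without any key, which is why later protocols moved to probabilistic encryption.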

------------------------------

Date: Tue, 20 Jun 1995 00:12:00 -0500
From: [email protected] (Andy Isaacson)
Subject: Re: Internet gambling

[fair game of telephone poker algorithm]

Bruce Schneier's book, _Applied Cryptography_, describes this algorithm (if
my memory doesn't fail me). A very good read, even if one is not involved in
cryptography.

Andy Isaacson  irc:drewd  [email protected]

------------------------------

Date: Mon, 24 Jul 1995 06:12:16 PDT
From: Nancy Leveson <[email protected]>
Subject: Good news for a change

Several messages in Risks have reported supposed problems with TCAS II
(airborne collision avoidance system) that rumor said had led to near
misses.  I thought it might be helpful for us to hear the other side
occasionally and see the positive side of technology. Vivek Ratan found
this on misc.news.southasia:

    Bombay, Jul 23 (PTI) Three cases of "air misses" involving Air India
Boeing 747 over Tehran air space have prompted the Indian civil aviation
authorities to take up the matter with Iranian aviation officials.  In a
recent communication to the civil aviation administrator in Tehran, the
director of civil aviation (DGCA), Mr H S Khola, pointed out three
instances which had occurred on December 14, 1994, January 6 and May 27
last.  In all the three cases, the commanders were alerted by the traffic
collision avoidance system (TCAS), fitted on the aircraft, and accordingly
took evasive action well in time to avoid near disasters.
    In the December incident, the incoming flight from Toronto (AI
184) via London narrowly missed a Balkan air aircraft (flight No 8605)
at 27,000 feet near a point called "Zanjan" which comes under Tehran
flight information range (FIR). The Air India commander was reported to
have visually sighted the aircraft.
    In the second case, Air India's flight (AI 159) to Paris narrowly
missed an Air Lanka flight (UL 549) near "Tabrij" at 35,000 feet.  Alerted
by TCAS warning followed by visual sighting, the aircraft descended to avoid
any collision.
    In the May 1995 incident, the London bound flight (AI 111) received
TCAS warning near "Isfahen" again at 35,000 feet with another aircraft at
close proximity. The commander descended to avoid any collision.

 [Attributed to S.Ramani.  PGN]

------------------------------

Date: Tue, 25 Jul 1995 13:57:31
From: [email protected] (Edward Rice)
Subject: But to REALLY screw up takes a computer...

I was somewhat surprised to get a postcard in the mail on Monday, July 24,
from Bell Atlantic, my local phone company.  It notified me that my area code
was changing from 703 to 540, provided me with some little stickers to put on
the phones, encouraged me to re-program and notify everything and everybody...
and mentioned that the effective date was July 15th.  The postcard had been
mailed on July 21st.

After several minutes of serious grumbling, I called the 800-number mentioned
on the postcard, intending to whine very loudly.  It was busy, and remained so
for the rest of the afternoon.  The local business office number rang busy
most of the afternoon, but I managed to get through on about every fifth call,
and after seven or eight attempts to launch myself through the voice-mail
system (which was also generating internal busies!), finally reached a human
being.  Who informed me that the notification had erroneously gone out to the
wrong set of people, the customers (residential and business) whose area code
would /not/ be changing.

I noted, before ending the conversation, that mailing out the announcement
first class, to the wrong customers, a week after the effective date, was
unlikely to win any Good Management awards for TPC.

The computer risk seems obvious, that we have the power to cause vast
disruptions to people and systems on an almost casual basis.  In "the good old
days," people would have looked at the labels after testing the program and
verifying the counts.  Today, someone entered a command into a DBMS front-end
and went home for the weekend, secure in the knowledge that automated systems
would carry through the instructions without intervention.  As they appear to
have done, last Friday.

Here's the official Bell Atlantic press release for the incident.  I figure it
cost them at least twenty cents per postcard, around $100,000, just to make
the mistake; and that it will probably cost them another dime or so per
customer to soothe things over (if it's done with a simple bill enclosure on
the next cycle).

FOR IMMEDIATE RELEASE                                         Contact:
JULY 24, 1995                                              Paul Miller

                                                          804-772-1460
                                               800-491-0190 (Va. only)


              '703' CUSTOMERS GET '540' NOTICE IN ERROR


RICHMOND, VA --  Bell Atlantic misdirected some 388,000 post cards,
introducing the new 540 area code, to its customers in the northern
Virginia suburbs of Washington.  The cards were supposed to have gone
to '540' customers in the western part of the state.

The misdirected cards apparently were received by residential and
business customers throughout northern Virginia's 703 area code.  Bell
Atlantic officials suspect the mistake stems from a programming error.

The 540 area code stretches from Lee County in southwestern Virginia
northeast through Roanoke and the Shenandoah Valley to Winchester and
east to Fredericksburg.

The revised 703 area code includes the counties of Arlington, Fairfax,
Prince William and eastern Loudoun (to include Leesburg) and the
cities of Alexandria, Falls Church and Fairfax.

------------------------------

Date: Mon, 26 Jun 95 20:53:56 EDT
From: [email protected]
Subject: UK hacker reference

ti The minister, the mints, and the net with a hole big enough to let in a
   hacker.
au Radford, Tim.
pu 1, 10:4
no Availability: UMIACH C9013.00 . Article Length: Medium (6-18 col inches).
   Article Type: News.
ab On Dec 7, 1994, it was revealed that just minutes after the UK government
   formally joined the Internet in November, the Office of Public Service and
   Science became the victim of a hacker. The hacker redesigned several pages
   of the office's system.
su Office of Public Service & Science-UK; United Kingdom; UK; Computer crime;
   Internet; Government agencies
IN: Guardian.  Dec 8, 1994, 1, 10:4. Abbrev title: MG. ISSN: 0261-3007
b-no (UnM)new03307699

------------------------------

Date: 24 March 1995 (LAST-MODIFIED)
From: [email protected]
Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

The RISKS Forum is a moderated digest.  Its USENET equivalent is comp.risks.
Undigestifiers are available throughout the Internet, but not from RISKS.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on
your system, if possible and convenient for you.  BITNET folks may use a
LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS.  U.S.
users on .mil or .gov domains should contact <[email protected]>
(Dennis Rears <[email protected]>).  UK subscribers please contact
<[email protected]>.  Local redistribution services are
provided at many other sites as well.  Check FIRST with your local system or
netnews wizards.  If that does not work, THEN please send requests to
<[email protected]> (which is not yet automated).  SUBJECT: SUBSCRIBE
or UNSUBSCRIBE; text line (UN)SUBscribe RISKS [address to which RISKS is sent]

CONTRIBUTIONS: to [email protected], with appropriate, substantive Subject:
line, otherwise they may be ignored.  Must be relevant, sound, in good taste,
objective, cogent, coherent, concise, and nonrepetitious.  Diversity is
welcome, but not personal attacks.  PLEASE DO NOT INCLUDE ENTIRE PREVIOUS
MESSAGES in responses to them.  Contributions will not be ACKed; the load is
too great.  **PLEASE** include your name & legitimate Internet FROM: address,
especially from .UUCP and .BITNET folks.  Anonymized mail is not accepted.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
Relevant contributions may appear in the RISKS section of regular issues
of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.
All other reuses of RISKS material should respect stated copyright notices,
and should cite the sources explicitly; as a courtesy, publications using
RISKS material should obtain permission from the contributors.

RISKS can also be read on the web at URL http://catless.ncl.ac.uk/Risks
  Individual issues can be accessed using a URL of the form
  http://catless.ncl.ac.uk/Risks/VL.IS.html
  (Please report any format errors to [email protected])

RISKS ARCHIVES: "ftp unix.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>
cd risks<CR> or cwd risks<CR>, depending on your particular FTP.
Issue J of volume 17 is in that directory: "get risks-17.J<CR>".  For issues
of earlier volumes, "get I/risks-I.J<CR>" (where I=1 to 16, J always TWO
digits) for Vol I Issue j.  Vol I summaries in J=00, in both main directory
and I subdirectory; "bye<CR>"  I and J are dummy variables here.  REMEMBER,
Unix is case sensitive; file names are lower-case only.  <CR>=CarriageReturn;
UNIX.SRI.COM = [128.18.30.66]; FTPs may differ; Unix prompts for username and
password.  Also ftp [email protected].  WAIS repository exists at
server.wais.com [192.216.46.98], with DB=RISK (E-mail [email protected] for info)
  or visit the web wais URL http://www.wais.com/ .
Management Analytics Searcher Services (1st item) under http://all.net:8080/
also contains RISKS search services, courtesy of Fred Cohen.  Use wisely.

------------------------------

End of RISKS-FORUM Digest 17.21
************************