precedence: bulk
Subject: Risks Digest 20.69
RISKS-LIST: Risks-Forum Digest Thursday 16 December 1999 Volume 20 : Issue 69
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <URL:
http://catless.ncl.ac.uk/Risks/20.69.html>
and by anonymous ftp at ftp.sri.com, cd risks .
Contents:
Biryukov and Shamir cryptanalysis of A5/1 GSM privacy algorithm (Matt Blaze)
Debit-card fraud in Canada (Steven M. Bellovin)
Croydon Tramlink: those signalling problems in full (Clive D.W. Feather)
Computer technology at the end of the 20th century (David Sedlock)
On the Internet nobody knows your five identities (NewsScan)
More CERT Advisories on buffer overflows (PGN)
Re: No bounds checking in Microsoft RTF controls (R A Downes, Mark Brader)
Macros in RTF files (Tom Hill)
Y2K-related viruses (PGN)
Power-out in Y2K test (Debora Weber-Wulff)
Risks of Y2K overreaction (Steven Huang)
Top 10 Risks search queries (Lindsay Marshall)
Go to jail - go directly to jail ... (Martyn Thomas)
According to Alta Vista, everything is for sale... (Daniel P. B. Smith)
Quicken's no-undo interface design (Timothy Prodin)
Risks of webbed e-mail and cookies (Lloyd Wood)
Windows98 censoring word processing apps (Eric Wagoner)
Re: Crack in GSM cell-phone encryption scheme (Boyd Roberts)
Re: DVD encryption (Brad Ackerman)
Re: Why computers are insecure (Durwin Sharp)
*Absent* source code now available (Avi Rubin)
CFP, 23rd National Information Systems Security Conference (Ed Borodkin)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Thu, 09 Dec 1999 15:02:57 -0500
From: Matt Blaze <
[email protected]>
Subject: Biryukov and Shamir cryptanalysis of A5/1 GSM privacy algorithm
As RISKS readers probably already know, Alex Biryukov and Adi Shamir
announced that they have a practical cryptanalytic attack against the A5/1
algorithm (which is the "strong" GSM privacy cipher). (Actually, the attack
is against the version of A5/1 published at www.scard.org, which may differ
from the version deployed in various actual GSM systems).
I've gotten permission from Adi Shamir to distribute a draft of the
Biryukov/Shamir A5/1 attack paper, so it's now available (in PostScript
format) on my web site:
<
http://www.crypto.com/papers/others/a5.ps>
Assuming the Biryukov/Shamir attack against A5/1 works against the fielded
version of the algorithm, routine, over-the-air monitoring of GSM traffic by
even modestly-funded eavesdroppers should be considered a serious and
realistic threat. This attack should represent another nail in the coffin
for security systems designed in secret and not subjected to the scrutiny of
the community. Had the A5/1 designers published their scheme in the open
literature instead of trying to keep it secret, this weakness would likely
have been discovered much sooner, perhaps before the cipher had actually
been used to protect real traffic. One of the first lessons we teach
cryptology students is that secret algorithms are a bad idea.
Unfortunately, there are still people designing important systems who don't
seem to grasp this basic principle.
------------------------------
Date: Fri, 10 Dec 1999 22:12:27 -0500
From: "Steven M. Bellovin" <
[email protected]>
Subject: Debit-card fraud in Canada
According to the *Toronto Globe and Mail* (10 Dec 1999), a massive
debit-card fraud operation has been detected in Canada. It involves
doctored swipe readers that record and transmit the mag stripe information;
they also record the PIN entered on the keypad. The operation is allegedly
being run by organized crime.
The article noted that earlier schemes involved double-swiping (a recent news
story in New York had someone arrested who used a suitably-modified PalmPilot
for that), plus shoulder-surfing or concealed cameras to capture the PIN.
For details, see
http://www.globeandmail.com/gam/National/19991210/UDEBIN.html
--Steve Bellovin
------------------------------
Date: Mon, 13 Dec 1999 21:01:02 +0000
From: "Clive D.W. Feather" <
[email protected]>
Subject: Croydon Tramlink: those signalling problems in full
The opening of the new tram system in Croydon has been delayed due to a
signalling problem. A poster on a UK newsgroup reports that the problem was
a little unusual:
> When a tram was approaching traffic lights, the lights would automatically
> be set to red for other traffic flows: unfortunately, the lights were not
> reverting to green after the tram had passed, so a single tram passing
> once around the town centre would gridlock the roads for the rest of the
> day.
Clive D.W. Feather, Demon Internet Ltd. Tel: +44 20 8371 1138
------------------------------
Date: Tue, 14 Dec 1999 14:14:27 +0100
From: "David Sedlock" <
[email protected]>
Subject: Computer technology at the end of the 20th century
I think this quote from Bill Bryson's "Notes from a Big Country" pretty much
sums up computer technology at the end of the 20th century. I believe that
Bill would allow us this "fair use" of his words.
"For a long time it puzzled me how something so expensive, so leading
edge, could be so useless, and then it occurred to me that a computer is a
stupid machine with the ability to do incredibly smart things, while
computer programmers are smart people with the ability to do incredibly
stupid things. They are, in short, a perfect match."
David Sedlock
------------------------------
Date: Tue, 14 Dec 1999 08:43:55 -0700
From: "NewsScan" <
[email protected]>
Subject: On the Internet nobody knows your five identities
Montreal software company Zero-Knowledge Systems (www.freedom.net) is now
marketing software that will allow a person to use five different anonymous
and untraceable identities on the Internet, preventing companies or agencies
from using technology to track people's buying habits or other personal
information. Of course, such software will also "make it a little more
difficult to trace wrongdoers," as the National Association of Chiefs of
Police makes clear. But privacy advocate Jason Catlett counters: "Anonymous
speech is inconvenient and sometimes has bad consequences, but if you
removed it we would be living in a very dangerous world." Zero-Knowledge
says that spammers would not be aided by their technology, because a user of
the software will be able to send only a small number of anonymous e-mail
messages. [AP/*San Jose Mercury News*, 13 Dec 1999,
http://www.sjmercury.com/svtech/news/breaking/ap/docs/1184635l.htm; NewsScan
Daily, 14 Dec 1999, reprinted with permission]
[Note that Canada's policies regarding crypto differ from those in
U.S., so this product is generally freely exportable. PGN]
------------------------------
Date: Mon, 13 Dec 1999 15:59:13 -0800 (PST)
From: "Peter G. Neumann" <
[email protected]>
Subject: More CERT Advisories on buffer overflows
The spate of security problems related to buffer overflows seems to continue
unabated. Two recent CERT Advisories may be of particular interest to RISKS
readers.
CERT Advisory CA-99-15
Buffer Overflows in SSH Daemon and RSAREF2 Library
CERT Advisory CA-99.16
Buffer Overflow in Sun Solstice AdminSuite Daemon sadmind
CERT publications and other security information are available from
http://www.cert.org/
Email:
[email protected]
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
------------------------------
Date: Wed, 08 Dec 1999 19:24:45 +0000
From:
[email protected] (R A Downes)
Subject: Re: No bounds checking in Microsoft RTF controls
A number of people have written and asked about the RTF utility, when it
would be ready, if it ever would be ready, etc. Well now it is ready, and it
can be downloaded at:
http://32bit.bhs.com/download.asp?filename=Rtfboom5%2EZIP
It's only about 10KB, so it should go rather fast. The program acts as a
filter, but you have to "drop" your suspect files on it. All is revealed
within the HTML documentation in the ZIP file.
RA Downes, Radsoft Laboratories
http://www.radsoft.net
------------------------------
Date: Wed, 15 Dec 1999 01:43:53 -0500 (EST)
From:
[email protected] (Mark Brader)
Subject: Re: No bounds checking in Microsoft RTF controls (Meeroh, Risks-20.68)
>> ... I mean, this is very _basic_ programming, isn't it?
>> for (cp = buf; cp < buf + BUFSIZE; cp++) ...
> [This] code fails in the subtle case when buf + BUFSIZE extends past the
> end of the address space. Note that the ANSI C guarantee that you should
> be able to compute the address of the first element beyond the end of a
> named array doesn't apply if buf is dynamically allocated. ... yet almost
> every programmer I've seen uses the same idiom for both cases.
> ... (See Writing Solid Code by Steve Maguire, p 132.)
And so they should, because this claim is simply wrong. The standard's
guarantee that buf + BUFSIZE provides a valid (though undereferenceable)
pointer "one past the last element" is independent of how the space is
allocated, and this has not changed as the standard has been updated.
The limitations on addition involving pointers are specified in section
3.3.6 of the original ANSI C standard, 6.3.6 of the first ISO version,
and 6.5.6 of the new standard; in all cases the wording refers to an
"array object". "Object" essentially just means a region of data storage
(defined in section 1.6/3.14/3.14), and dynamically allocated space can
certainly be accessed as an array (see section 4.10.3/7.10.3/7.20.3).
I suspect that Maguire misunderstood the standard's phrase "array object"
and thought it meant what Meeroh calls a "named array".
Mark Brader, Toronto,
[email protected]
------------------------------
Date: Wed, 15 Dec 1999 11:07:05 -0800
From: Tom Hill <
[email protected]>
Subject: Macros in RTF files (re: Stewart, RISKS-20.68)
> >We'll pass CVs internally across to other "more sensitive" machines in .rtf
> >format (using rtf avoids Word-type macro viruses).
Be careful about your assumptions. If you save a Microsoft Word document as
a .doc file, and then change the extension to .rtf, word will still open it,
macros and all. Word is apparently smart enough to figure out the actual
format of the file, and react accordingly.
The risk is that your users may assume that it is ok to open any attachment
with an extension of ".rtf", since RTF files are 'safe'. Or your firewall
may not filter out pseudo-rtf files for the same reason.
I'm using word 97, on Windows. I didn't test this with an auto-run macro,
just verified that the macro warning message came up when I opened the file
with the ".rtf" extension which contained the macro. (Note: You might want
to turn on macro warnings from the tools menu/options/general/macro virus
protection, if you haven't already.)
Tom
P.S. I did understand that apparently Ross was discussing the case where
they do the conversion to RTF themselves, and so won't have this problem,
but I still thought the risk worth noting.
[Lots of folks noted this one as well. PGN]
------------------------------
Date: Wed, 8 Dec 1999 14:36:03 -0500 (EST)
From: "Peter G. Neumann" <
[email protected]>
Subject: Y2K-related viruses
Y2K seems to be a spawning ground for security attacks. W95.Babylonia
is a virus masked as a Y2K fix. It has the ability to update itself
remotely, and spreads through autodownloads in Microsoft chat-room software
or e-mail. Other viruses posing as Y2K upgrades have also been reported.
[Source: Self-updating virus spreads on Internet, AP item, 8 Dec 1999;
Courtesy of Sam Kasseman]
------------------------------
Date: Tue, 14 Dec 1999 13:07:36 +0100
From: Debora Weber-Wulff <
[email protected]>
Subject: Power-out in Y2K test
The Berlin newspaper "tageszeitung" from Dec. 11, 1999 reports on a Y2K test
conducted at the federal Department of Justice. The workers had been asked
to not use their computers from 14.00 on Friday. Good thing, since the tests
managed to shut down the power in the building. No one wants to make an
official statement on the subject, since the official German policy is that
"Everything is going to be all right".
http://www.taz.de/tpl/1999/12/11/a0131.fr/text?re=ba for those who read
German "Millennium-Bug im Justizministerium"
Prof. Dr. Debora Weber-Wulff, Technische Fachhochschule Berlin
[email protected],
http://www.tfh-berlin.de/~weberwu/
------------------------------
Date: Wed, 8 Dec 1999 14:59:17 -0500
From: "Steven Huang" <
[email protected]>
Subject: Risks of Y2K overreaction
The human element of widely published risks like the Y2K problem has seen
some coverage in RISKS, but seems to have been limited to predictions.
The *Philippine Daily Inquirer* and Associated Press report that a 61-year
old retired government engineer, fearing the Y2K bug, withdrew his life
savings of PHP2.8 million (about US$69,000). Ten days later, four men
slipped into his house and robbed him of his savings, plus some PHP300,000
(about US$7,400) worth of jewelry. This is a large amount of money in the
Philippines, worth about a decent-sized new house outside the city.
First of all, it appears that the banking industry's assurances were
insufficient to calm this educated man's fears. Secondly, even if you
don't trust the banks, it's probably sufficient to convert the savings
to cash (or better yet, cashier's check or manager's check) and put it
away in a safe deposit box at your bank. Was information about the Y2K
bug spread so poorly that an educated grown man was so scared he ignored
a much more conventional Risk?
Steven Huang Hughes Network Systems, 11717 Exploration Lane,
Germantown, MD 20876 MobileSat (240) 453-2357
------------------------------
Date: Thu, 16 Dec 1999 14:12:40 +0000 (GMT)
From:
[email protected]
Subject: Top 10 Risks search queries
10 hacking
9 ariane
8 virus
7 airbus
6 GPS
5 ATM
4 software failure
3 year 2000
2 Y2K
1 y2k
Aren't we all so predictable!
http://catless.ncl.ac.uk/Lindsay
------------------------------
Date: Sun, 12 Dec 1999 23:41:25 -0000
From: "Martyn Thomas" <
[email protected]>
Subject: Go to jail - go directly to jail ...
A recent Spam e-mail called "free world site" gave me a shock. In Outlook
98, simply selecting the message (to delete it) executed the HTML it
contained, which used the OpenWindow function to connect to a remote Web
site.
The risk? In the UK, according to the BBC radio news, several people have
recently been arrested "in co-ordinated raids across the country" for
downloading child pornography from the Internet. They were apparently found
by monitoring Net traffic, and part of the evidence against them is the
record of web-sites visited "automatically stored on their computer's hard
disk".
Then again, there's all the other things you can do with HTML.
Martyn Thomas, Holly Lawn, Prospect Place, Bath BA2 4QP UK 01225 335649
------------------------------
Date: Mon, 13 Dec 1999 21:00:34 -0500
From: "Daniel P. B. Smith" <
[email protected]>
Subject: According to Alta Vista, everything is for sale...
I did an Alta Vista search on the phrase "priesthood of all believers"
and was somewhat surprised when Alta Vista invited me to:
"Comparison Shop! - Find products and compare
prices for 'Priesthood of all believers'"
I tried "members of Congress" and, sure enough...
"Comparison Shop! - Find products and compare
prices for members of Congress"
A search on "Love," as expected, invited me to
"Comparison Shop! - Find products and compare
prices for love"
but it also said:
AltaVista knows the answers to these questions:
Am I in love?
"Daniel P. B. Smith" <
[email protected]>
Lifetime address
[email protected]
------------------------------
Date: Tue, 7 Dec 1999 16:55:43 -0500
From: "Prodin, Timothy (T.R.)" <
[email protected]>
Subject: Quicken's no-undo interface design (Re: Welsh, RISKS-20.67)
> It does not even have the "Undo" feature which, starting in word
> processors and text editors, has come to be expected in all well-written
> Windows applications.
As it shouldn't. Consider that Quicken has designed their register to
behave exactly like a real pen and ink ledger.
When entries are made in an old-fashioned ledger; they are immediately
committed, by the virtue of writing the the registry entry. If a mistake is
made, you must void the transaction - you can't undo it.
In this case, Quicken has done the right thing. A bank ledger is not a word
processing document; and therefore it should not have the same interactions
that word processors have.
[We received a slew of messages on this topic, plus a few snide remarks
on the oxymoronicism of "well-written Windows applications". PGN]
------------------------------
Date: Thu, 9 Dec 1999 00:55:25 +0000 (GMT)
From: Lloyd Wood <
[email protected]>
Subject: Risks of webbed e-mail and cookies
A while back, I received a couple of free e-mail accounts on ZDNet Mail,
which has previously been mentioned in RISKS [McGlothlen, R-19.74].
A while after that, ZDNet Mail become ZDNetOnebox, with a completely new
database system and a new interface, requiring javascript enabled to do
something as get help to find out why something as simple as deleting mail
doesn't work (because you haven't got javascript on, of course - a risk in
itself). I now have some US phone, fax and voicemail facility I'll never use
either too.
Both accounts were migrated to this new interface. A redirect from
www.zdnetmail.com to www.zdnetonebox.com was implemented, but I'd never
gotten around to updating my bookmarks.
ZDNet Onebox uses session management with cookies. Imagine my surprise,
after accessing one account, selecting the menu entry corresponding to
www.zdnetmail.com from my browser's bookmarks menu, and logging in with name
and password for the second account, on being presented with the contents of
the mailbox of the _first_ account.
Risks lie in assuming that only one person uses a browser session, that that
person will be able to sign off to force the end of the session, and that
session information is more important than any user-supplied information
that overrides and cancels it.
(If I update my bookmarks, I'll see the mailbox contents immediately,
without the chance to login. some risks of assumption and complexity
here.)
The other associated risk with ZDNet Onebox is the constant stream of
Jesse Berst e-mails that I'd swear blind I never signed up for.
.. but hey, at least it's not Hotmail, right?
<
[email protected]>PGP<
http://www.ee.surrey.ac.uk/Personal/L.Wood/>
------------------------------
Date: Wed, 8 Dec 1999 11:40:36 -0500
From: "EricWagoner" <
[email protected]>
Subject: Windows98 censoring word processing apps
A friend of mine recently bought a new Gateway computer for his family. He's
a playwright and an English professor, and so does plenty of writing. The
computer came pre-installed with Microsoft Word 97, which he was beginning
to get comfortable with. He told me the other day that he was having a
problem he needed help with -- he was writing a script that contained a
character with a mild potty mouth, but every time he wrote the "S-word", it
got instantly replaced with XXXX. What's worse, in another script, a period
piece with archaic English, MS Word would replace those four letters with
XXXX even if they were parts of two different words, such as "'Tis hit!".
These four letters show up surprisingly often in English of a few hundred
years ago, and this was driving him crazy.
I thought it was a simple matter of setting the auto-correct feature in MS
Word, that maybe cuss words were now censored by default. I told him how to
disable the feature, or at least how to remove those letter combinations
from the lists. He told me a few days later that it didn't help, that even
with auto-correct completely shut off he was still plagued with XXXXs in his
scripts. I told him I'd gladly come over and take a look.
When I did, I found he was correct, that I had told him wrong. I scoured
Word for some kind of "child protection" feature, but could find nothing
anywhere. Out of curiosity more than anything, I opened WordPad and tried to
type the word, and it was instantly replaced with XXXX. I opened NotePad,
and again XXXX. I realized then that it was a global Windows 98 setting and
had nothing at all to do with Word. In the control panel, I looked in Users,
Accessibility Options, and anywhere else I could think to look for child
protection features, and came up blank. Finally, I noticed that in the Start
menu was the item "Log Off DEFAULT". It struck me that in all the many times
he and his family had booted up the computer since he bought it, no one had
logged into Windows under their own name, that everyone was using the
DEFAULT user.
I restarted Windows and logged in as "eric". All of the XXXXing was gone,
and I was free to type what I wished. I logged on again as DEFAULT, and
censoring began anew. I gave him the solution, and he was happy.
I've now scoured the web for some mention of this "feature" but have found
nothing. I tried logging on as DEFAULT on my own computer, and when Windows
started I got an error (advpack not started -- missing dll -- something like
that), so it seems that this may be something built in by Microsoft for some
reason. The only thing I can guess is maybe it's for store floor models so
some kid can't go leaving dirty graffiti on the screens. Of course, Gateway
sells direct by mail-order, so that's not an issue here.
Anyone ever heard of this before? Certainly, real professional work was
being prevented by this seemingly undocumented feature. Interestingly, very
few words were censored in this way. I could be plenty raunchy with nary an
interference, but say the "S-word" or what CAP calls the "most foul of foul"
words, and I was silenced.
Eric Wagoner <
[email protected]>
http://www.partnersoft.com
Partner Software; Kestrel's Nest Weblog
http://www.athens.net/~ewagoner
[And all that XXXXing is likely to get THIS issue censored! PGN]
------------------------------
Date: Thu, 9 Dec 1999 13:00:39 +0100
From:
[email protected]
Subject: Re: Crack in GSM cell-phone encryption scheme
an Omnipoint executive says, "What they're describing is an academic
exercise that would never work in the real world. What's more, it
doesn't take into account the fact that GSM. calls shift frequency
continually, so even if they broke into a call, a second later it would
shift to another frequency, and they'd lose it."
Yes, there is frequency hopping, but it is slow -- and that it is not
significant with respect to the modulation (i.e., the 600us bursts every
1.2ms). The 'executive' admits just that; 1 second is insignificant when
compared to the 600us bursts.
The frequency hopping may not be turned on.
The hopping sequence can be learned over the radio link from the BTS. I
forget if this is in the clear or encrypted with A5 during an exchange with
the BTS. I don't think it really matters whether it's in the clear on the
BCCH or encrypted with A5; once A5 is cracked all bets are off, provided you
can do it in real time. It appears they can.
I've had this discussion before with people that you can't build a GSM
scanner. Each time I've picked up my mobile and said 'What's this?
It's a GSM scanner'. It has a few clues about where to look, but now
it would appear that everybody can get them.
Boyd Roberts
[email protected]
------------------------------
Date: 11 Dec 1999 23:13:44 -0500
From:
[email protected] (Brad Ackerman)
Subject: Re: DVD encryption (Graifer, RISKS-20.67)
> ... They have failed at this by opting for security by obscurity and not
> employing the publicly reviewed techniques.
This isn't quite the issue. No matter what protocols or algorithms are
used, fully working copy protection (barring armed guards stationed at the
playback device) is impossible. Every DVD player must be able to decrypt
and play the DVD with no additional information, which means that no matter
how strong the actual encryption is, the key must always be available to
anyone who cares to look. Unless the decryption is implemented in
tamper-proof hardware, the resources required for key extraction are well
within the range of "casual pirate[s]." Of course, since such hardware is
not known to exist, and would be far too expensive for consumer devices if
it did, the studios will just have to live with easily copyable media, as
the software industry has been doing for some time.
Brad Ackerman N1MNB
[email protected]
------------------------------
Date: Thu, 9 Dec 1999 07:54:51 -0600
From:
[email protected]
Subject: Re: Why computers are insecure (Schneier, RISKS-20.67)
Much worse, it applies to physical sciences as well. I first ran across
this idea many years ago reading Karl Popper, The Logic of Scientific
Discovery. His basic premises are:
- Physical "laws" are actually hypotheses stated in a manner that allows
independent testing of specific physical (observable) phenomena.
- No matter how often a hypothesis is tested, it can never be proven. It
only takes one contrary observation to invalidate a hypothesis that had
previously been accepted. A useful anecdote relates to the amount of
"proof" provided for Newtonian physics over many years -- until Einstein
said, "wait a minute, this doesn't work and I have a different hypothesis".
In order to conduct our daily lives, we have to accept many hypotheses that
have been corroborated, but not proven -- as Newtonian physics, they are
good enough for our normal use. As our knowledge and understanding grows,
some "laws" may fall to new understanding (read: hacks) while others survive
to fall another day. The set of hypotheses we choose to accept as "laws" is
determined by the level of risk we are willing to assume, in the world and
in security.
DURWIN SHARP, Exxon Mobil Corporation, P. O. Box 4276,
Houston, TX 77210-4276 USA 1-713.656.6969
[email protected]
------------------------------
Date: Fri, 10 Dec 1999 00:35:57 GMT
From:
[email protected] (Avi Rubin)
Subject: *Absent* source code now available
We are pleased to announce the public release of the Absent, secure remote
access system. A description, the paper, and the code are available at
http://www.research.att.com/projects/absent
Absent is a system for secure remote access to the internal web from
outside. It addresses the problem of secure remote access to a site's
internal web server from outside the firewall. The goal is to give
authorized users access to sensitive information, while protecting the
information from others. We implemented our solution using a one-time
password scheme for client authentication and SSL for confidentiality. Our
main design considerations were security, performance, ease of use,
availability, and scale. We were further constrained by the desire to leave
our firewall and local infrastructure unchanged.
Christian Gilmore, Dave Kormann, Avi Rubin
AT&T Labs - Research
------------------------------
Date: Tue, 14 Dec 1999 14:55:26 -0500
From: "Ed Borodkin" <
[email protected]>
Subject: CFP, 23rd National Information Systems Security Conference
CALL FOR PAPERS, PANELS, TUTORIALS, AND WORKSHOPS
Co-sponsored by the National Computer Security Center and
National Institute of Standards and Technology
Week of 16-20 Oct 2000, Baltimore Convention Center, Baltimore, MD
The National Information Systems Security Conference welcomes papers,
panels, tutorials, and workshops on all topics related to information
systems security. Our audience represents a broad range of information
security interests spanning government, industry, commercial, and academic
communities.
See
http://csrc.nist.gov/nissc/call.htm for instructions on sending your
submissions.
Ed Borodkin, Program Director, NISS Conference
http://csrc.nist.gov/nissc/
------------------------------
Date: 13 Dec 1999 (LAST-MODIFIED)
From:
[email protected]
Subject: Abridged info on RISKS (comp.risks)
The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you. Alternatively, via majordomo,
SEND DIRECT E-MAIL REQUESTS to <
[email protected]> with one-line,
SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or
INFO [for unabridged version of RISKS information]
.MIL users should contact <
[email protected]> (Dennis Rears).
.UK users should contact <
[email protected]>.
=> The INFO file (submissions, default disclaimers, archive sites,
copyright policy, PRIVACY digests, etc.) is also obtainable from
http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info
The full info file will appear now and then in future issues. *** All
contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to
[email protected] with meaningful SUBJECT: line.
=> ARCHIVES are available:
ftp://ftp.sri.com/risks or
ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
[volume-summary issues are in risks-*.00]
[back volumes have their own subdirectories, e.g., "cd 19" for volume 19]
or
http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
Also, new AUSTRALIAN archive
http://mirror.aarnet.edu.au/risks/
PostScript copy of PGN's comprehensive historical summary of one liners:
illustrative.PS at ftp.sri.com/risks .
------------------------------
End of RISKS-FORUM Digest 20.69
************************
