precedence: bulk
Subject: Risks Digest 21.03

RISKS-LIST: Risks-Forum Digest  Monday 28 August 2000  Volume 21 : Issue 03

  FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/21.03.html>
and by anonymous ftp at ftp.sri.com, cd risks .

 Contents:
New security vulnerability: 13-year-old 'r00ts' popular polynomial
 (Leonard Richardson)
Pretty Good Bug found in Windows versions of PGP (Declan McCullagh)
Two cables (Doneel Edelson)
Four of the 13 root servers used by Network Solutions (Dave Farber)
Court says FBI has been given too much wiretap power (NewsScan)
"Free" e-mail accounts and passwords exposed for a month (Peter Kaiser)
Hotmail blows it badly? (Jay R. Ashworth)
Possible Y2K bug strikes UK Egg Bank (Ralph Corderoy)
More risks of filtering software (David Goddard)
Risks of Eudora 4.x (David Sedlock)
"Verify your age with a credit card": more than $188M fraud (Lenny Foner)
Re: Airline E-tickets (Adam Shostack)
Re: Hoaxes: when will they ever learn (Eric Murray)
Re: SSL Server Security Survey (Sean Eric Fagan)
Re: mechanical and human failures in Toronto (Mark Brader)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 24 Aug 2000 13:59:24 -0500
From: Leonard Richardson <[email protected]>
Subject: New security vulnerability: 13-year-old 'r00ts' popular polynomial

 [With permission, at the request of PGN.]

13-Year-Old 'r00ts' Popular Polynomial

The well-known polynomial x^2+8x+6 was defaced today by a teenager who had
"r00ted" the beloved function of one variable through the use of a popular
script known as "QuAd 3QaZh0n".  The attack set off the usual sequence of
events: an initial panic setting off an orgy of media hype reaching a
crescendo with an article in the mainstream media, a string of copycat
successors, and a meaningless stream of empty promises from vendors who
immediately lapsed back into apathy as the incident left the public's
short-term memory.

Segfault spoke with the culprit, who goes by the name of "2o31js34g",
although his real name is Alvin Schumaker.  "I did it for the kicks," said
the eighth-grade desperado.  "Also, it was problem 12 on my algebra homework."

Schumaker's admission that he had learned the technique used to crack the
equation "in class" led to sweeping reforms at Nathan Hale Middle School,
his alma mater.  These range from a draconian school uniform policy to
periodic cavity searches to Internet filters on library computers so
restrictive that they ban the school's own home page.

"If these kids would just study their math, we wouldn't have anybody
learning these dangerous equation things," said Nathan Hale principal Fred
Fractal, previously known for shutting down the wood shop because "those
nail things look like weapons."

Numerous other tools for cracking polynomials exist, such as
Fac-t0R.  More worrying are tools for "solving" large groups of linear
equations at a time; one such program makes reference to a "matrix",
obviously an homage to the sci-fi classic.

Many such programs are distributed for the TI series of "calculators",
tools widely viewed as a security threat in many fields and rings.
Disturbingly, such devices are increasingly being made available to high
school and college students.  Public policy must now answer the question:
where is the line to be drawn between useful tool and bloodthirsty weapon
of mathematical carnage? Who will answer for the countless linear equations
to have undergone Gaussian elimination?

Predictably, immediately following the defacement, thousands of polynomial
security companies came out of the woodwork to hawk their shoddy products.

"Our proprietary polynomials are one hundred percent safe because they have
no roots at all," said Len Eir of Rootless.com, a company offering sales
and consulting for polynomials such as x^2+4 and x^6+x^2+101.  Despite Eir's
claims, attacks on such polynomials are not uncommon, although Eir
dismissed all such reports as "imaginary".

Dave Errential of Integrated Systems stated: "Integration technology makes
it easy to add roots to your polynomial.  Take 60x^2+264x, for instance.  The
roots for that polynomial have been posted in a million places on the web.
But our proprietary integration technology can turn that into 5x^4+44x^3!
I'd like to see someone try and find the roots of that polynomial!" [Try
x=0. --Ed.] Research has shown that IS polynomials are vulnerable to several
types of attacks, but, again, the vendor has chosen to go after the
research, calling it "derivative", rather than investigate the
vulnerabilities.

"Our polynomials are of a magnitude so high that it would be impossible to
find their roots even with the most sophisticated technology," said
OrderOfMagnitude.com's Sean Gular.  "Our proprietary technology allows us to
offer x to the power of one billion, x to the power of one trillion, even x
to the power of ten gazillion! No one can crack these polynomials!" [Try
x=0. --Ed.]

"It's irresponsible to distribute these polynomial-cracking kits," says
security expert Bruce Schneier of Counterpane Internet Security.  "It's like
teaching a baby how to do surface integrals.  He doesn't understand the
socially responsible way to use this knowledge, so he wreaks havoc." For
improved security, Schneier urges all polynomials to be of fourth order or
higher, and to change roots at least once every two weeks.

Originally published on segfault.org:
 http://segfault.org/story.phtml?id=396f3e5c-0958dfa0
Written by Leonard Richardson <[email protected]>
Posted on Fri 14 Jul 09:24:53 2000 PDT

 [Bastille Day, eh?  Well, although it is a little late for the 1 April
 RISKS issue, this item seemed very timely in light of certain continuing
 efforts to control the underpinnings of cryptography.  PGN]

------------------------------

Date: Fri, 25 Aug 2000 08:19:40 -0700
From: Declan McCullagh <[email protected]>
Subject: Pretty Good Bug found in Windows versions of PGP

Background:
http://www.politechbot.com/p-00067.html
http://cgi.pathfinder.com/time/digital/daily/0,2822,12854,00.html
http://www.wired.com/news/print/0,1294,16219,00.html

FC: Pretty Good Bug Found in PGP, by Declan McCullagh ([email protected])
25 Aug 2000

A bug in newer versions of Network Associates' popular PGP software exposes
purportedly scrambled communications to prying eyes.

Network Associates (NETA) Thursday confirmed the vulnerability, discovered
by a German cryptanalyst, which allows malicious attackers to hoodwink
Windows versions of PGP into not encoding secret information properly.

The bug appeared in controversial features that the company included to
satisfy government and corporate demands for key recovery, a technology that
allows a third party to read encrypted communications.  [...]

In December 1996, the company that became Network Associates joined the Key
Recovery Alliance, a group of dozens of companies trying to promote the idea
of key recovery and key escrow technologies. Federal government regulations
at the time gave preferential treatment to such products.

Because of PGP's long history of institutional opposition to key recovery,
Network Associates dropped out after buying the smaller software
company. But in February 1998 they purchased Trusted Information Systems, a
founder of the Key Recovery Alliance.

"Trusted Information Systems has been a pioneer in key recovery and the Key
Recovery Alliance where over 60 companies and systems vendors like IBM,
Hewlett-Packard, Sun Microsystems, Boeing and Motorola are supporting their
key escrow capability that allows for the export of strong encryption under
U.S. Commerce laws," Network Associates CEO Bill Larson said in an interview
on CNNfn at the time.

Months later, Network Associates had quietly rejoined the Key Recovery
Alliance.  [...]

------------------------------

Date: Mon, 28 Aug 2000 12:28:53 -0400
From: "Doneel Edelson" <[email protected]>
Subject: Two cables

During the Verizon strike, two New York employees attempted to cut a
telephone cable with wire shears.  Two cables were running up the side of a
pole, one was for telephone service and the other was a high-voltage
electric line serving about 4000 homes.  They cut the wrong cable, showering
hot sparks that burned their clothes and skin.  The main part of the voltage
ran up the pole; however, the heat was enough to melt the blades of the wire
shears.  The two were caught by the police, arrested, and treated at a local
hospital.

 [Treated to what?  Quite a trick.  (It's too early for Hallowe'en.)
 I guess in this context "Pride in your work" becomes
 "Fried in your shirk" (with multiple meanings and a pun).
 Strike while the irony is hot?  PGN]

------------------------------

Date: Fri, 25 Aug 2000 18:02:53 -0400
From: Dave Farber <[email protected]>
Subject: Four of the 13 root servers used by Network Solutions (From IP)

Four of the 13 root servers used by Network Solutions to manage global
Internet traffic partially failed for a brief period Wednesday night due to
technical difficulties. The computers -- one in Tokyo, one in California
and two in Virginia -- failed to serve requests for links to Web sites
ending in ".com" suffix for a little over an hour. Web addresses ending in
other suffixes were unaffected. While an e-mail distributed Wednesday by
Network Solutions VP Mark Rippe described the event as "a *MAJOR, MAJOR*
incident", an NSI spokesman later insisted the failure was simply "a minor
hiccup invisible to end users." Minor hiccup indeed. The last time
something like this happened, July of 1997, it was seven root servers that
failed, disrupting much of the traffic on the Net for a few hours.

 ["End user" is an interesting term in this context.  Users were left
 with ends that were not connected.  If the ends justify the means,
 then I suppose we need to have "mean" users as well.  As in the movie
 *Network*, we need to at least get mad, if not mean.  I mean it.  PGN]

------------------------------

Date: Wed, 16 Aug 2000 09:51:39 -0700
From: "NewsScan" <[email protected]>
Subject: Court says FBI has been given too much wiretap power

A three-judge panel of the U.S. Court of Appeals for the District of
Columbia has ruled that the Federal Communication Commission's attempts to
implement a 1994 electronic wiretap law have been too accommodating to law
enforcement agencies and not sufficiently protective of the right of
citizens to individual privacy or of the financial requirements of
companies. The wiretap law (the Communications Assistance for Law
Enforcement, or CALEA) was passed by Congress because the FBI had insisted
it was losing ground against criminals because wireless phone companies
were not designing wiretapping capabilities into their networks. An
executive of the Center for Democracy and Technology, which had opposed the
FBI's request to Congress, says the appellate court's decision means that
"government cannot get its hands on what it's not authorized to get just by
promising it won't read what it's not supposed to read."  [*The Washington
Post*, 16 Aug 2000; NewsScan Daily, 16 August 2000;
http://www.washingtonpost.com/wp-dyn/articles/A32193-2000Aug15.html]

------------------------------

Date: Thu, 03 Aug 2000 23:19:54 +0200
From: Peter Kaiser <[email protected]>
Subject: "Free" e-mail accounts and passwords exposed for a month

Zurich newspapers have just reported a horrible security lapse at one of
Switzerland's big Internet service providers, Sunrise.  Sunrise is the
second biggest telecommunications provider in Switzerland, and like the two
other big telephone providers -- Swisscom and diAx -- also offers Internet
service.

From July 2 to August 1, following a hardware upgrade, a search page
supposed to be used only internally by Sunrise was exposed to external use,
allowing anyone to look up e-mail account names and passwords.  Sunrise
knows that these data were accessed from at least twenty different
locations to collect data on at least 700 (of about 300,000) accounts.
Sunrise has sent e-mail to all its ISP customers advising them to change
their passwords.  The national data protection officer, Odilo Guntern, is
reported as saying that the security lapse is a clear breach of the rules
concerning protection of such data, and that he will be discussing it with
Sunrise.

Although it's not stated clearly, the tenor of the articles seems to be
that the passwords were stored unencrypted.  This reaches a too-familiar
depth of careless design, especially coupled to their not noticing the
situation for a month.  It appears that the ability to do these searches
was always there, protected only through the tiny obscurity of not making
the search page externally accessible; but actual searches required no
authentication.  Perhaps they still don't.

But that's not the only evidence of poor judgment; they've been clueless
from the beginning.  As a Sunrise phone customer I was among the first to
get their offer of "free" Internet service, and of course I took a look.
The signup page asked for an account name and password, but was unsecured.
Not only did I abandon immediately the idea of signing up with them, but I
called the next day and tried to get through to whoever was responsible
for that particular stupidity; and although I talked to a lot of people,
not one of them seemed to understand the risk of transmitting account
information unencrypted.  The least clueless of them told me that in any
event it was software bought from a third party, and they had no control
over it.  I eventually gave up.

Recently Sunrise began offering its phone customers another "free" service,
storage and forwarding for voice messages and faxes, with signup over the
web or via their call center.  I went to the signup page and damn if it
wasn't ANOTHER request for a password via an unsecured form page!  I want
to use the service, so I phoned the call center, which set it up at once
over the phone.  Once again I brought up the risk of doing it unsecured
over the net, and the young lady at the call center told me "We prefer
people to do it by telephone anyway, because it's easier for us."

Many RISKS and obvious errors here, none of them new.

 [I have probably said it before here: ALWAYS look a Trojan horse in the
 mouth, whether it is free or not.  PGN]
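The post's central complaint is that the exposed search page could return
passwords at all, which is only possible if they were stored in a recoverable
form. The following is an added example (not code from the post or from
Sunrise) contrasting the two storage designs: a plaintext store, where any
leaked lookup hands out the password, and a salted PBKDF2 store, where the
same lookup yields only a digest and authentication goes through a
constant-time verifier. Account names, passwords and the iteration count are
constructed for the illustration.

```python
# Added example (not from the RISKS post or Sunrise): how password storage
# decides what an accidentally exposed "internal search page" can leak.
import hashlib
import hmac
import os

# Constructed in-memory stores; a real deployment would use a database.
_PLAINTEXT_STORE = {}   # failure mode: the password itself is recoverable
_HASHED_STORE = {}      # mitigation: only (salt, PBKDF2 digest) is kept

ITERATIONS = 200_000    # assumed cost parameter; tune to the hardware in use


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted key derivation so leaked digests resist offline guessing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_account_plaintext(name: str, password: str) -> None:
    _PLAINTEXT_STORE[name] = password


def create_account_hashed(name: str, password: str) -> None:
    salt = os.urandom(16)                      # per-account random salt
    _HASHED_STORE[name] = (salt, _derive(password, salt))


def internal_lookup_plaintext(name: str):
    """What the exposed search page effectively did: return the password."""
    return _PLAINTEXT_STORE.get(name)


def internal_lookup_hashed(name: str):
    """With hashed storage the most an exposed lookup can return is the digest,
    which is useless for logging in and expensive to brute-force."""
    rec = _HASHED_STORE.get(name)
    return None if rec is None else rec[1].hex()


def verify(name: str, candidate: str) -> bool:
    """Authenticate without ever needing the stored password in the clear."""
    rec = _HASHED_STORE.get(name)
    if rec is None:
        # Do the same amount of work for unknown names so response time does
        # not reveal whether an account exists.
        _derive(candidate, b"\x00" * 16)
        return False
    salt, digest = rec
    return hmac.compare_digest(_derive(candidate, salt), digest)


if __name__ == "__main__":
    create_account_plaintext("alice", "correct-horse")   # constructed sample
    create_account_hashed("alice", "correct-horse")
    print("plaintext lookup leaks:", internal_lookup_plaintext("alice"))
    print("hashed lookup leaks:", internal_lookup_hashed("alice"))
    print("login ok:", verify("alice", "correct-horse"))
```

Hashing does not fix the other problem the post raises, the absence of any
authentication on the search itself; it only bounds what a leak of that page
can yield.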

------------------------------

Date: Fri, 25 Aug 2000 13:31:44 -0400
From: "Jay R. Ashworth" <[email protected]>
Subject: Hotmail blows it badly?

Members of the RISKS community are well aware of the problems that can
happen when one user impersonates another on purpose.  We've also seen porn
purveyors cruise in behind the producers of less... exciting movies, and
grab their expired top level domain names -- names which should never have
been registered at the top level in the first place, because they were, by
design, disposable.

Well, there's a new contender in that category.

Hotmail.

According to this story
<http://www.computerworld.com/cwi/story/0,1199,NAV47_STO48970,00.html>,
Hotmail is having a problem with buddy lists:

> Microsoft is investigating a complaint that expired Hotmail accounts
> retain the linked MS Instant Messenger buddy lists, and those lists
> are available to the next person who registers the same e-mail address
> on a Hotmail account.

That's all fine and dandy, but it was the last clause that worried
*me*: "registers the same e-mail address".

What?  You *can* do that?  They *allow* the reuse of names?

There are so many possible risks there that I don't think I *can* enumerate
them.  Even *AOL* has this right: once a screen name has been dropped, it's
no longer reusable.

Not that I ever thought Hotmail was a great idea in the first place, now I
have even more reason to tell people not to use it.  I wonder if they've
finally gotten it to run on NT?  :-)

Jay R. Ashworth <[email protected]>, The Suncoast Freenet, Tampa Bay, Florida
http://baylink.pitas.com +1 727 804 5015
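The two behaviours the post contrasts, Hotmail re-issuing an expired name with
its linked data still attached versus AOL retiring dropped names for good, can
be shown side by side in a small account registry. The following is an added
example, not Hotmail's or AOL's code: the `reuse_names=True` mode reproduces
the reported leak (the next registrant inherits the old buddy list), and the
default mode tombstones the name and drops its linked data at expiry. The
registry, its data model and the sample names are constructed.

```python
# Added example (not from the RISKS post, Microsoft or AOL): account-name
# lifecycle and what happens to data linked to an expired name.


class AccountRegistry:
    """Constructed model of an e-mail/IM account registry.

    reuse_names=True  -> the behaviour the post describes: an expired name can
                         be registered again and the orphaned buddy list
                         is still attached to it.
    reuse_names=False -> names are tombstoned on expiry and linked data is
                         dropped with the account.
    """

    def __init__(self, reuse_names: bool = False):
        self.reuse_names = reuse_names
        self.active = {}      # name -> {"buddies": [...]}
        self.orphaned = {}    # data left behind by expired accounts (reuse mode)
        self.retired = set()  # tombstoned names (strict mode)

    @staticmethod
    def _key(name: str) -> str:
        return name.strip().lower()   # names are case-insensitive

    def register(self, name: str, buddies=()) -> bool:
        key = self._key(name)
        if key in self.active or key in self.retired:
            return False              # taken, or permanently retired
        if self.reuse_names and key in self.orphaned:
            # The leak: the new owner picks up the previous owner's buddy list.
            self.active[key] = self.orphaned.pop(key)
            return True
        self.active[key] = {"buddies": list(buddies)}
        return True

    def expire(self, name: str) -> None:
        key = self._key(name)
        data = self.active.pop(key, None)
        if data is None:
            return
        if self.reuse_names:
            self.orphaned[key] = data   # mailbox gone, linked data lingers
        else:
            self.retired.add(key)       # tombstone; data is discarded here

    def buddies(self, name: str):
        rec = self.active.get(self._key(name))
        return None if rec is None else list(rec["buddies"])


if __name__ == "__main__":
    leaky = AccountRegistry(reuse_names=True)
    leaky.register("alice", ["bob", "carol"])   # constructed sample names
    leaky.expire("alice")
    leaky.register("Alice")                     # a stranger takes the name
    print("inherited buddy list:", leaky.buddies("alice"))
```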

------------------------------

Date: Wed, 23 Aug 2000 22:52:08 +0100
From: Ralph Corderoy <[email protected]>
Subject: Possible Y2K bug strikes UK Egg Bank

I've just received my first statement for an account with the UK's Egg
Bank;  www.egg.com.  It was triggered by the annual interest payment on
the 19th August 2000.  The account has been opened for just under a
year.  The statement goes something like this.

   Opening balance.                 0.00
   19 Aug 1999   Interest gross    xx.xx
   19 Aug 1999   Tax deduction    -xx.xx
   23 Aug 1999   Deposit           xx.xx
   15 Oct 1999   Deposit           xx.xx

According to the above statement, the interest was paid before any money was
in the account.  If I inspect the account online the two interest entries
are at the bottom of the statement dated correctly 19 Aug 2000.  When
telephoning Egg's service staff they also viewed the account on their
computers with the correct year 2000 date.  They seemed unconcerned that the
printed statements they were sending people had the wrong year since the
amount of interest was correct anyway.  I doubt my report has been passed on
internally by them.

It's interesting to see what might be a Y2K bug popping up eight months
after 1st Jan 2000 in an `Internet' bank that has only been running a year
or two.

Since information regarding interest received and tax paid has to be passed
onto the Inland Revenue (the UK's IRS) as part of an individual tax return
for the year this could cause problems for individuals when they fail to
produce supporting material with the dates they are claiming.

 [Egg on the face of it?  PGN]
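Egg's staff checked only that the interest amount was right; the statement's
dates were not checked at all. The following is an added example (not Egg's
code) of the kind of consistency check a statement generator could run
before printing: it parses lines in the layout shown above, with constructed
amounts, and flags interest or tax entries dated before the first deposit,
entries outside the statement period, and entries out of chronological order.
The statement period boundaries are assumed from the post's "just under a
year" and the 19 August interest date.

```python
# Added example (not from the RISKS post or Egg): sanity-checking the dates
# on a printed statement rather than only the amounts.
import re
from datetime import date, datetime

# Constructed statement modelled on the post's layout; amounts are made up.
STATEMENT = """\
Opening balance.                 0.00
19 Aug 1999   Interest gross     4.10
19 Aug 1999   Tax deduction     -0.82
23 Aug 1999   Deposit          100.00
15 Oct 1999   Deposit           50.00
"""

# The same account as the online view showed it: interest dated 2000, at the end.
CORRECTED_STATEMENT = """\
Opening balance.                 0.00
23 Aug 1999   Deposit          100.00
15 Oct 1999   Deposit           50.00
19 Aug 2000   Interest gross     4.10
19 Aug 2000   Tax deduction     -0.82
"""

# Assumed statement period: the year ending on the 19 Aug 2000 interest date.
PERIOD_START = date(1999, 8, 20)
PERIOD_END = date(2000, 8, 19)

LINE_RE = re.compile(r"^\s*(\d{1,2} \w{3} \d{4})\s+(.+?)\s+(-?\d+\.\d{2})\s*$")


def parse_statement(text: str):
    """Return (date, description, amount) for each dated line; four-digit
    years only, so a two-digit-year line is rejected rather than guessed at."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # e.g. the undated "Opening balance" line
        d = datetime.strptime(m.group(1), "%d %b %Y").date()
        entries.append((d, m.group(2).strip(), float(m.group(3))))
    return entries


def find_anomalies(entries, period_start: date, period_end: date):
    """One human-readable problem string per suspicious entry."""
    problems = []
    deposits = [d for d, desc, _ in entries if desc.startswith("Deposit")]
    first_deposit = min(deposits) if deposits else None
    prev = None
    for d, desc, amount in entries:
        reasons = []
        if prev is not None and d < prev:
            reasons.append("out of chronological order")
        prev = d
        if not (period_start <= d <= period_end):
            reasons.append("outside statement period")
        if desc.startswith(("Interest", "Tax")) and (
            first_deposit is None or d < first_deposit
        ):
            reasons.append("interest/tax posted before first deposit")
        if reasons:
            problems.append(f"{d.isoformat()} {desc}: " + "; ".join(reasons))
    return problems


def check_statement(text: str, period_start: date, period_end: date):
    return find_anomalies(parse_statement(text), period_start, period_end)


if __name__ == "__main__":
    for problem in check_statement(STATEMENT, PERIOD_START, PERIOD_END):
        print(problem)
```

The check says nothing about why the year came out wrong; it only refuses to
print a statement whose dates contradict its own contents, which is the
condition the service staff waved through.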

------------------------------

Date: Mon, 28 Aug 2000 12:08:47 -0400
From: "David Goddard" <[email protected]>
Subject: More risks of filtering software

The subject of usernames containing "offensive" words being automatically
banned from blackplanet.com has recently received some publicity on Declan
McCullagh's Politech list, with the filtering software getting upset about
the name 'Babco*k'.  Interestingly, the filtering software at
blackplanet.com could be criticised not for what it doesn't let through but
what it _does_ -- it appears to accept usernames based around the British
swear words 'ar*e' and 'wa*k', for example.  [PGN-ed asterisks just to avoid
blocking of this issue?]  It's a sure bet that many obscenities in other
languages can also be used.  Given that blackplanet.com appears to be aimed
at a partly international audience, this is pretty poor.

The RISK, yet again, is the blind faith in a software solution that a)
operates only with a limited scope and b) returns false positives which
irritate users and ultimately generate bad publicity.  Given the many
creative ways of coming up with offensive usernames and the obvious problems
with being too restrictive, maybe they would be better off just relying on
robust Terms Of Service and maybe a little grepping of the user lists.

 [I wonder in what language "grep" is a bad word!  Grep Suzette?  PGN]
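The false positive on 'Babco*k' and the false negatives on other languages'
words are two faces of the same design: a filter that scans for substrings.
The following is an added example (not blackplanet.com's filter) that puts the
naive substring check beside a token-based one with light normalization, to
show what each catches and misses. The blocklist uses constructed placeholder
terms ("dam", "hell") rather than the words the post asterisks, and the
sample usernames are made up.

```python
# Added example (not from the RISKS post or blackplanet.com): substring
# versus token matching in a username filter, with constructed terms.
import re
import unicodedata

# Constructed placeholder blocklist; stands in for the real terms.
BLOCKLIST = frozenset({"dam", "hell"})


def naive_substring_filter(username: str, blocklist=BLOCKLIST) -> bool:
    """The behaviour the post describes: any embedded match rejects the name,
    so 'amsterdam' is refused while 'h3ll' sails through."""
    low = username.lower()
    return not any(term in low for term in blocklist)


def _normalize(username: str) -> str:
    """Fold accents, map common digit substitutions and split on separators."""
    s = unicodedata.normalize("NFKD", username).encode("ascii", "ignore").decode()
    s = s.lower().translate(str.maketrans("013457", "oleast"))
    return re.sub(r"[^a-z]+", " ", s)


def token_filter(username: str, blocklist=BLOCKLIST) -> bool:
    """Match whole tokens after normalization: 'amsterdam' passes,
    'dam_builder' and 'h3ll' are rejected."""
    tokens = _normalize(username).split()
    return not any(tok in blocklist for tok in tokens)


if __name__ == "__main__":
    for name in ["amsterdam", "dam_builder", "h3ll", "h.e.l.l"]:  # constructed
        print(f"{name:12} substring={naive_substring_filter(name)} "
              f"token={token_filter(name)}")
```

The token filter still accepts 'h.e.l.l', because splitting on separators
breaks the term apart; closing that gap by joining letters brings the
substring false positives straight back. That trade-off is the post's point:
the filter narrows the problem but cannot replace Terms of Service and a
human looking at the user list.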

------------------------------

Date: Mon, 28 Aug 2000 09:04:34 +0200
From: "David Sedlock" <[email protected]>
Subject: Risks of Eudora 4.x

I have used the "lite" version of Eudora for some time. It was good enough
for my undemanding needs. I recently upgraded to the latest Eudora, which
doesn't provide a separate lite version, but instead offers three modes:
full-featured paid, full-featured free paid by ads, and limited-feature free
with no ads. The second mode fetches ads from the Eudora site via HTTP.

The differences in the modes were clearly explained and after firing up the
program I soon decided the limited-feature free mode with no ads was good
enough for me. After choosing that and restarting the program the entries in
my proxy log for the Eudora site appeared to stop and I thought that was
the end of the matter.

However, looking in the proxy log a few days later to solve an unrelated
problem, I was perplexed to find new connections to the Eudora site. In
fact, the mail tool was connecting to a Java servlet in a directory called
"adserver" about twice a day.

I wrote to both the webmaster and customer service (as a nonpaying user you
don't even get a support e-mail address) and heard nothing for a few days. I
wrote back and threatened to go public and then got two answers. One came
from a technical person who said Eudora is checking for upgrades and I can
turn this off by adding a few lines in its ini file. I did and the
connections didn't stop. The other came from a non-technical person who said
the connections were there to support "co-branding" (whatever that is) and
not to worry since they happen "really really fast" and don't divulge "any
private data". This reply failed to comfort me, since after all I pay for
the price of a phone call to my provider if I'm not hooked up when Eudora
decides to co-brand and my dialing daemon fires up. I wrote again for
clarification and have yet to receive a reply.

The risks? Many come to mind, but the one that stands out is software that
silently carries out unexpected actions. One day our PCs may be so bound up
with the Internet that we expect a software program to make unannounced
connections to external servers, but today I don't expect that a mail client
has any need to connect to external servers except when it is sending or
receiving mail. Today such connections need to be documented and
announced. Eudora was clear about its fetching ads in the "full-featured
free paid by ads" mode, and I have no problem with that. But the fact that
after choosing the limited-feature mode the program continued connecting was
totally unexplained and probably goes on undetected by the majority of
users.

Eudora, you're in the dog house!

David Sedlock
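Sedlock found the undocumented connections by reading his proxy log, and that
is a check anyone running a proxy can automate. The following is an added
example (not Eudora's or Sedlock's code) that parses constructed proxy log
lines in an assumed `timestamp client method url status "user-agent"` layout
and tallies, per client application, every host and path it fetched that is
not on an allow-list of expected destinations. The vendor host names, paths
and user-agent string are constructed; the "adserver" path echoes the post.

```python
# Added example (not from the RISKS post or Eudora): spotting a client that
# talks to servers it has no stated reason to contact.
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed proxy log; format, hosts and user-agent are assumed.
PROXY_LOG = """\
2000-08-20T09:12:03 10.0.0.5 GET http://www.example-mailvendor.com/adserver/servlet/AdServlet 200 "MailClient/4.3"
2000-08-20T09:12:05 10.0.0.5 GET http://www.example-news.com/index.html 200 "Mozilla/4.7"
2000-08-20T21:40:11 10.0.0.5 GET http://www.example-mailvendor.com/adserver/servlet/AdServlet 200 "MailClient/4.3"
2000-08-21T09:13:44 10.0.0.5 GET http://www.example-mailvendor.com/updates/check.cgi 304 "MailClient/4.3"
2000-08-21T09:14:00 10.0.0.5 GET http://www.example-shop.com/cart 200 "Mozilla/4.7"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def parse_log(text: str):
    """Turn each log line into a dict; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, url, status, agent = m.groups()
        records.append({"ts": ts, "client": client, "method": method,
                        "url": url, "status": int(status), "agent": agent})
    return records


def unexpected_connections(records, agent_prefix: str, allowed_hosts=frozenset()):
    """Count (host, path) pairs fetched by clients whose user-agent starts with
    agent_prefix, excluding hosts the user knowingly signed up for. A mail
    client in a no-ads mode has an empty allow-list, so every HTTP fetch it
    makes is worth a look."""
    hits = Counter()
    for r in records:
        if not r["agent"].startswith(agent_prefix):
            continue
        u = urlsplit(r["url"])
        if u.hostname in allowed_hosts:
            continue
        hits[(u.hostname, u.path)] += 1
    return hits


if __name__ == "__main__":
    for (host, path), n in unexpected_connections(parse_log(PROXY_LOG),
                                                  "MailClient/").items():
        print(f"{n:3d}  {host}{path}")
```

Run against a real log the same way, with the proxy's own line format in
`LINE_RE`; the recurring "adserver" hits twice a day are exactly the pattern
that stands out once the browser's traffic is filtered away.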

------------------------------

Date: Fri, 25 Aug 2000 14:29:33 -0400 (EDT)
From: Lenny Foner <[email protected]>
Subject: "Verify your age with a credit card": more than $188M fraud

Back when the CDA was hot news, lots of people were claiming that "asking
for credit card numbers" was a reasonable way to prove that someone was "old
enough" to view certain web sites.  Below is a great example---one which
people have been warning about for years---of why this is a horrendous idea,
even if you don't care about the civil liberties implications [see [*]
below] of using a credit card as an age check, or of having an age check at
all:

   U.S. CRACKS DOWN ON NET PORN FRAUD
   The Federal Trade Commission has filed a lawsuit against Crescent
   Publishing Group and 64 affiliated companies that operate adult Web sites,
   accusing them of charging customers for services advertised as "Free Tour
   Web Sites." Like many adult sites, the Crescent sites requested that users
   supply credit card information to verify they were of legal age to view
   pornographic material. Customers who'd been promised a free online peep
   show say they were then billed for recurring monthly membership fees
   ranging from $20 to $90. Included among the complainants were some people
   who said they'd never visited the sites at all -- in fact, one woman who'd
   been charged a recurring fee for several months didn't even own a computer.
   To add to the confusion, the charges were made under different company
   names. Instead of finding a charge from Highsociety.com on their
   statements, consumers would find charges from "Online Forum," or "Hoot
   Owl," or "Knock Knee." The FTC has classified the scam as one of the
   largest it's ever seen on the Internet, generating $141 [million]
   in the first 10 months of 1999 alone. (E-Commerce Times 24 Aug 2000)
   http://www.ecommercetimes.com/news/articles2000/000824-4.shtml

(The above was from NewsScan; the full story is at the cited URL, including
how the company moved to Guatemala to continue the scam.)

[*] What civil liberties problems?  How about:
(a) It discriminates against people who are too poor or have too bad
    a credit history to own a card (including those who've gone bankrupt)
(b) It identifies people to sites in a very accurate and intrusive
    way, by name, rather than simply making it clear that they are
    "old enough".  Remember, it's age, not identity, that such sites
    are supposed to be caring about.
(c) "Old enough" varies based on where you are, even in the US and
    especially in the world, but this system makes no provisions for
    that.
(d) How old you have to be to get a credit card varies by country,
    and many countries don't have the sort of credit-card presence
    that the US does, which might make it impossible to get one at
    all.
(e) It assumes that differentiating content by age is a reasonable
    idea in the first place.

These are just the most obvious ones off the top of my head.  I'm sure
these, and more, were all mentioned prominently at the time.  But, of
course, the bad system of credit-card verification took hold anyway, and we
seem to be stuck with it.

[Also, from a purely security standpoint and not a civil-liberties
standpoint, this also assumes that no kid is going to be bright enough to
copy down a parent's CC info while they're not looking.  Surely all parents
ensure that all their credit cards are secured 24x7.  Of course, they can't
use a -key-, unless that key is also secured and/or on their person 24x7...
Wait---parents don't tend to do this?]

------------------------------

Date: Sun, 27 Aug 2000 13:03:03 -0400
From: Adam Shostack <[email protected]>
Subject: Re: Airline E-tickets (Wallich, RISKS-21.02)

> swipe a credit card or other means of ID [...]

I have two comments here.  The first, as the credit card companies will tell
you, their cards are not meant to be used as identification (just like the
social security card.)  [And yet, they are!  PGN]

The second is it seems likely [...] that someone willing to go to the
trouble of blowing up an airplane can't be bothered to engage in a little
identity theft or ID-card forgery.

Adam

 [Similar comments from Ian Lance Taylor, Marc Auslander, Jim Rees...  PGN]

------------------------------

Date: Sun, 27 Aug 2000 09:46:13 -0700
From: Eric Murray <[email protected]>
Subject: Re: Hoaxes: when will they ever learn

A digital signature on the press release would not have prevented this -- it
was a real press release sent out by Internet Wire, a business press-release
agency.

The hoaxers got the release sent by social-engineering IW- they convinced a
"day staff" that the "night staff" had approved the story.  [Source: (San
Jose) *Mercury News*, 26 Aug 2000].  Thus the story was accepted without
checking the facts.

The real problem here is shoddy "journalism".  Digital signatures would have
prevented this only if IW accepted only e-mailed releases that were
digitally signed, and they actually verified the signatures.  If they
accepted phoned-in releases, hoaxers could still send in fake ones.  Fixing
the verification procedure is the way to prevent this sort of problem from
occurring again.

Eric Murray http://www.lne.com/ericm  ericm at lne.com
Consulting Security Architect

------------------------------

Date: Sun, 27 Aug 2000 03:46:04 GMT
From: [email protected] (Sean Eric Fagan)
Subject: Re: SSL Server Security Survey (Solomon, RISKS-21.02)

Self-signed certificates are *not* any weaker than those signed by
third-party certificates.  This is a popular myth I keep running into -- all
a third-party-signed certificate means is that someone else has agreed that
you are who you say you are.  And in the case of Web browsers, it also means
that this someone forked out a load of cash to Microsoft and/or Netscape to
be included in the default set of known certificates.

------------------------------

Date: 27 Aug 2000 04:06:46 GMT
From: [email protected] (Mark Brader)
Subject: Re: mechanical and human failures in Toronto (van Egmond, Risks-21.02)

> Each car has an operator's cab where motion and doors can be controlled,
> and a window which, when opened, reveals door control buttons.

I think the last sentence is misleading enough to merit correction.  There
are indeed door control buttons outside of the cabs: as the cab is only on
one side of the train, this allows the doors on the other side to be opened
without the guard having to cross to the next car.  But exposing these
buttons requires a key, presumably the same one that opens the cab.

------------------------------

Date: 13 Dec 1999 (LAST-MODIFIED)
From: [email protected]
Subject: Abridged info on RISKS (comp.risks)

The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
if possible and convenient for you.  Alternatively, via majordomo,
SEND DIRECT E-MAIL REQUESTS to <[email protected]> with one-line,
  SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or
  INFO     [for unabridged version of RISKS information]
.MIL users should contact <[email protected]> (Dennis Rears).
.UK users should contact <[email protected]>.
=> The INFO file (submissions, default disclaimers, archive sites,
copyright policy, PRIVACY digests, etc.) is also obtainable from
http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
The full info file will appear now and then in future issues.  *** All
contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to [email protected] with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
  [volume-summary issues are in risks-*.00]
  [back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
http://the.wiretapped.net/security/textfiles/risks-digest/ .
==> PostScript copy of PGN's comprehensive historical summary of one liners:
   illustrative.PS at ftp.sri.com/risks .

------------------------------

End of RISKS-FORUM Digest 21.03
************************