precedence: bulk Subject: RISKS DIGEST 19.65 RISKS-LIST: Risks-Forum Digest Thursday 2 April 1998 Volume 19 : Issue 65 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** Contents: Problem in wintertime/summertime switching in Germany (Nikolaus Bernhardt) Y2K in China (Don Wagner) April First, a bad day for high tech in Holland (Paul van Keep) Hackers Exploiting Over 100 Holes In Windows NT (Shake Communications) Pull rip cord (Andrew Gabriel) Painful spell-checker mistake in WordPerfect (Jeroen Bruintjes) Risks of unfortunate product names (Roger Strong via Jim Griffith) Inaccurate study quoting, Re: anti-crypto rhetoric (Robert J. Perillo) RC5-64 Project can change laws on encryption technology (RC5 Team) Re: Funding for a new software paradigm (Fred Cohen) Re: DJ10K (Frank Markus) Re: Rivest's chaffing concept (Stacy Friedman) Re: EMI and TWA 800 (Piers Thompson) "Computers, Ethics and Society", Ermann/Williams/Schauf (Rob Slade) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: 29 Mar 1998 21:30:00 +0100 From: nikolaus@nikon.on-luebeck.de (Nikolaus Bernhardt) Subject: Problem in wintertime/summertime switching in Germany On 29 Mar 1998, in the early morning hours (02:00), the official time in Germany changed from wintertime (UTC +1, MEZ) to summertime (UTC +2, MESZ). The hour from 02:00 to 03:00 is 'stolen' and will be given back in the changing from summertime to wintertime. Everyone has to adjust the clocks with a delta of +1 hour. Deutsche Telekom, the formerly state-owned telecommunication company provides the time in their ISDN exchanges ("Vermittlungsstelle"). On 29 Mar 1998 the Deutsche Telekom made some mistakes in the City of Luebeck (local area code 0451): The system clocks were adjusted *twice* instead of once so that the ISDN-exchange provided a false time to all connected ISDN-devices. Normally all the ISDN-Exchanges are synchronized by a radio driven clock (DCF77 transmitting the official time in Germany). Operators at the hotline were scared about this failure. After a few minutes they called me and told that the clock would be corrected immediately. Computer systems equipped with a ISDN-Card can normally obtain the DCF-77 based time by retrieving the time token from the ISDN-Exchange and save the money for a local DCF-77 card -- which costs several hundred Deutschmarks (1.85 Deutschmark =~ 1 US$). The risk of trusting the time provided by the Deutsche Telekom is obvious. When you want or need the official time, you better spend some money in a dedicated DCF-77 radio-controlled clock-device. Nikolaus Bernhardt ------------------------------ Date: Mon, 30 Mar 1998 05:54:43 -0500 From: D B Wagner Subject: Y2K in China Check out http://www.redfish.com/USEmbassy-China/sandt/y2ku.htm for the Y2K situation in China as well as some other risky issues. Don Wagner http://coco.ihi.ku.dk/~dbwagner [I did, and it is pretty scary. PGN] ------------------------------ Date: Wed, 01 Apr 1998 23:25:03 +0200 From: paul@sumatra.nl (Paul van Keep) Subject: April First, a bad day for high tech in Holland It might be related to the date but things went seriously on 1 Apr 1998 in The Netherlands. Here's a recap of three problems as reported on the 6 o'clock news: - Digging activity damaged a fibre optic cable in the north, leaving part of the country without phone service for hours. A classic single point of failure error. - The national BeaNet system was down for part of the day. This is the system that processes among others debit (PIN) payments, ATM cash withdrawals and online I-Pay transactions. The failure was attributed to 'a problem with the computer'. Let's hope one computer is not what they depend on to run such an essential system. - The Postbank (one of the largest banking institutions in the country) were confronted by a maintenance operation that took longer than it should. This had the side effect that the systems for online transactions (separate from the BeaNet system) were not reloaded with the latest account balances from the day befor only only. This caused problems for people trying to retrieve cash from postbank ATMs whose balance should have been positive but weren't because of the mismatch (the opposite was probably also true). Note that there are at least two separate systems here that track account balance (I think there are even three) that get synchronized only once every 24 hours. This allows for a lot of overdrafting. Paul van Keep, Sumatra Software ------------------------------ Date: Thu, 26 Mar 1998 00:03:32 +1000 From: "Shake Communications Pty Ltd" Subject: Hackers Exploiting Over 100 Holes In Windows NT 101 Ways to Hack into Windows NT MELBOURNE, AUSTRALIA: A study by Shake Communications Pty Ltd has identified not 101, but 104, vulnerabilities in Microsoft Windows NT, which hackers can use to penetrate an organisation's network. Many of the holes are very serious, allowing intruders privileged access into an organisation's information system and giving them the ability to cause critical damage - such as copying, changing and deleting files, and crashing the network. Most of the holes apply to all versions (3.5, 3.51 and 4) of the popular operating system. Shake Communications, an information and internet security firm, has compiled the statistics as part of an ongoing study and compilation of vulnerabilities in popular hardware, operating systems, applications and programming languages. The vulnerabilities are ranked High, Medium or Low according to the damage (loss or resources, time and money) they can cause and are categorised into Denial of Service (D.O.S.) vulnerabilities, Server Message Block (S.M.B.) vulnerabilities, Malicious Program vulnerabilities and Miscellaneous vulnerabilities. The majority of weaknesses affect Versions 3.5, 3.51 and 4. Some apply only to one or two of the versions and others apply where an application, such as Microsoft Access, is running on Windows NT. Some examples of how hackers (from both the outside and the inside of an organisation) can exploit the various vulnerabilities are as follows: * An intruder can crash the Windows NT system by sending spoofed packets to multiple ports where the source and destination settings are the same; * Holes in the Server Message Block authentication can give a local user unauthorised network access under certain conditions (for example, an employee can break into the payroll system); * An unauthorised user can use the alerter and messenger services to send fake pop-up messages to legitimate users and thereby fool them into entering information such as their password; * Hackers can use their own programs to exploit holes, such as L0phtCrack, a password cracking program, and NtAddAtom, a program which crashes NT; * Even where a domain user creates a file and removes all its permissions (reading, writing, deleting), an unauthorised user can still delete such a file. Some of the holes have no recommended countermeasures and others rely on physical security measures (such as locking the Windows NT server in a room). Fortunately, there are software patches or fixes available to rectify many of the vulnerabilities. Microsoft freely provides these at its Web Site (http://www.microsoft.com). Unfortunately, many users are probably unaware that this service exists. Shake Communications also provides links to patches/fixes in its Vulnerabilities Database, which also covers other operating systems, programs, applications, languages and hardware. For more information contact Shake Communications at info@shake.net or +613 9555 8560. Shake Communications maintains a Vulnerabilities Database containing over 3,000 vulnerabilities and associated patches/fixes at http://www.shake.net. This is updated daily and available by subscription. Acknowledgments Costin Raiu Joba DoVoe Microsoft Corporation Paul Ashton The L0pht www.ntshop.com ------------------------------ Date: Mon, 16 Mar 1998 22:10:00 GMT From: andrew@cucumber.demon.co.uk Subject: Pull rip cord A correction published in a magazine about flying (if I heard correctly)... The phrase reading: "state zip code" should have read: "pull rip cord". [source BBC Radio 4 - "The News Quiz"] Risks: left to your imagination :-) Andrew Gabriel, Consultant Software Engineer ------------------------------ Date: Mon, 16 Mar 1998 11:37:37 +0000 From: "Jeroen Bruintjes" Subject: Painful spell-checker mistake in WordPerfect Being copywriters with a love for reliable and simple technology, we still use WordPerfect 5.1. However, this program also seems to have its glitches, one of which can be quite embarrassing. Last week, a colleague stumbled on an error in his (Dutch) spell-checker. While scanning his text, the program didn't recognize the word 'Campbell'. It suggested 'kampbeul' as an alternative. Which in English stands for *camp bully *or *camp executioner*. Good thing he wasn't using the spell checker on autopilot. Such mistakes can very well cause a customer to end all relationships. Jeroen Bruintjes [You needed a Campbell Soup-er Checker. Dank U wel. PGN] ------------------------------ Date: Mon, 30 Mar 1998 10:45:19 -0800 (PST) From: Jim Griffith Subject: Risks of unfortunate product names Stolen shamelessly from alt.humor.best-of-usenet, which was stolen shamelessly from rec.humor.oracle.d: > Subject: Re: The question was too hard... > From: "Roger Strong" > Newsgroups: rec.humor.oracle.d > > One of my co-workers was on the phone, walking a customer through removing > the software for a Star multiport from an NCR Tower. The command was > "rm -r star". It took a full fifteen minutes for him to figure out why it > was taking so long..... Jim ------------------------------ Date: Fri, 20 Mar 1998 14:56 EST From: perillo@gibraltar.ncsc.mil (Robert J. Perillo) Subject: Inaccurate study quoting, Re: anti-crypto rhetoric (Ellison, R-19.62) The statement made by Carl Ellison , 06 Mar 1998 (RISKS-19.62), "How come Dorothy Denning didn't find any significant use of crypto by criminals in her survey of law enforcement officers?", is inaccurate. The Denning-Baugh report, referenced below, did find significant use of encryption by criminals, 500 current cases worldwide, over 20 cases were presented in detail, and they estimate that the number is growing at annual rate of 50-100% (some cases from the report are listed below). In more than one of the cases, the encrypted information could not be deciphered by law enforcement. The report does make clear that encryption could pose problems for law enforcement in the future. "Our findings suggest that the total number of criminal cases involving encryption worldwide is at least 500, with an annual growth rate of 50 to 100 percent." And "Quite a few people are technically sophisticated." Instead, the study's main conclusion was that it was unable to find any current incident where the use of cryptography significantly hindered an investigation or prosecution. "Most of the investigators we talked to did not find that encryption was obstructing a large number of investigations. When encryption has been encountered, investigators have usually been able to get the keys from the subject, crack the codes, or use other evidence," states the report. The statements that criminals have not used Crypto AG or CyLink encrypting telephones are also incorrect. The Denning-Baugh report did not even address this topic. But, evidence was presented in the late 1980's that possible foreign Terrorist organizations and Drug Cartels were using Crypto AG Voice Ciphering products. According to an ex-employee's legal filings, and "tell-all" book, Crypto AG was requested to insert flaws and weaknesses into their equipment that could be falling into criminal hands. An interesting observation about the report is that when encryption is encountered by law enforcement, they are unprepared to deal with it and forced to use in-house computer forensic specialists (with little training in cryptography), consultants, academics, and/or private companies to attack the problem. While the U.S. Government spends at least $7 to $10 billion per year on "code breaking" at Military-Defense and Intelligence organizations, under current law ("posse comitatus" on up) it is illegal for these resources to be used for domestic law enforcement. We could change these laws, and increase funding to these agencies to handle their new mission? We could create similar agencies inside domestic law enforcement at equivalent cost? Therefore, the requests by law enforcement, to promote and have access to corporate and local Key Recovery systems, can be seen as a low-cost solution to the problem and an effort to save money for the U.S. taxpayer. The cases examined include: * "The Japanese death cult, Aum Shinrikyo, which used encryption to store records on its computers. Authorities were able to decrypt the files in 1995 after finding the decryption key on a floppy disk. And found evidence of plans to launch attacks in the U.S. and Japan." * The New York subway bomber, Edward Leary, who had created his own encryption system to scramble files on his computer. According to the report, after Manhattan police "failed to break the encryption, the files were sent to outside encryption experts. These experts also failed. Eventually, the encryption was broken by a federal agency. The files contained child pornography and personal information which was not particularly useful to the case." * "A police department in Maryland encountered an encrypted file in a drug case. Allegations were raised that the subject had been involved in document counterfeiting, and file names were consistent with formal documents. Efforts to decrypt the files failed, however, so the conviction was on the drug charges only." * "The head of a California gambling ring kept his records in a commercial accounting program encrypted with a code word. The maker of the program refused to help law enforcement break the code, but access to the files was gained by exploiting a weakness in the computer system. This yielded four years of bookmaking records which resulted in a guilty plea on criminal charges and payment of back taxes." * The espionage case against former CIA employee Aldrich Ames, who was directed by his Soviet handlers to encrypt computer file information that was passed to them, "and was eventually convicted of espionage against the U.S., was aided because the investigator handling the case was able to decrypt Ames's files using AccessData Corp. software (an automatic de-encryption program)." References : * National Strategy Information Center, Dorothy Denning and William Baugh, "Encryption and Evolving Technologies as Tools of Organized Crime and Terrorism," July, 1997. * The Washington Post - WashTech, Elizabeth Corcoran, "Around the Beltway, Encryption: Who will Hold the Key? Two Bills Reflect the Split over Restrictions", Aug-04-1997. * Mercury News, Simson Garfinkel, "Denning unable to confirm FBI Assertions; alters her position", 31-Jul-1997. Robert Perillo, CCP, CNE Richmond, VA perillo@dockmaster.ncsc.mil Staff Computer Scientist perillo@gibraltar.ncsc.mil [Usual disclaimers] [The Ames case strikes me as a bad example, and a classic case of trying to oversell the impediments of crypto, considering the long history of incriminating phone calls in the clear and the long trail of other evidence that would seem to have been ignored or perhaps suppressed in an effort to gather more evidence. PGN] ------------------------------ Date: 27 Mar 1998 15:03:44 GMT From: RC5Team Subject: RC5-64 Project can change laws on encryption technology The RC5-64 Project can change the US law on encryption technology. However, it needs your help to achieve this goal. US laws currently limit the export of high-bit encryption messages/programs. The RC5-64 Project proves that these low-bit technologies offer insufficient protection. If you're interested, visit http://bovine.home.ml.org . The Bovine United Team ------------------------------ Date: Tue, 31 Mar 1998 22:06:44 +6400 (PST) From: Fred Cohen Subject: Re: Funding for a new software paradigm (Moran, RISKS-19.64) I assume (hope? wish!!??) this is a joke? > this new approach, dubbed "Fault-Oblivious Computing", to quickly become the > dominant software-engineering paradigm. [...] I have a few better ideas - but DARPA will not likely fund them: 1) Devise a language that fails safely (where safety has programmer adaptable defaults and values) so that failures "do the right thing". I think that Perl and Basic come pretty close to this. 2) Create a set of standard and approved subroutines that replace the default system calls and include proper error handling (as well as providing for easier portability). 3) Teach programmers that "don't care" return values are turned into real - and usually wrong - semantics at runtime. 4) Create a charge-back system where each system crash costs the company that provided the software $100. Based on historical statistics, mandate that a bond in the expected amount for the lifecycle of the system be posted as a condition of sale. 5) Use a real operating system and real programs built for resiliency instead of demos built for time to market in critical systems. 6) Require a quality control and support system for those who provide government systems for military use. Fred Cohen & Associates: http://all.net - fc@all.net - tel/fax:510-454-0171 ------------------------------ Date: Wed, 01 Apr 1998 14:17:30 -0500 From: Frank Markus Subject: Re: DJ10K (RISKS-19.64) The report in RISKS-19.64 about the likelihood that a five-figure Dow Jones Average will break many software programs designed to deal will four-digit averages brings to mind a current problem. Berkshire Hathaway is a significant stock on the New York Stock Exchange. For good and sufficient reasons, Warren Buffett, the chairman of the company, does not consider it wise to either split the stock or to pay dividends. As has been widely reported, Berkshire Hathaway has been very successful. The problem is that as the price of the stock is now far greater than any other stock on the NYSE. (As I write, it is well above $60,000 a share.) The computers that set the stock tables for the *Wall Street Journal* and *The New York Times* cannot cope with Berkshire. I discovered that the price of BRK.A is hand entered into the stock tables of both papers when I called both to report that their closing price for the previous day differed substantially. Apparently it was not the first time it had happened. Other newspapers avoid both the software and the column-formatting problems by omitting Berkshire (which happens to be a leading stock in terms of market capitalization.) On the Internet, I have been unable to find a single generally available portfolio program that can deal with Berkshire! Among those that cannot are My Yahoo!, Quote.com and C|Net's Snap. ------------------------------ Date: 31 Mar 98 17:43:32 -0800 From: "Stacy Friedman" Subject: Re: Rivest's chaffing concept (RISKS-19.64) I recently read a joke which went something like this: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - LETTER TO VICE PRESIDENT: Bob Smith, my assistant programmer, can always be found hard at work in his cubicle. Bob works independently, without wasting company time talking to colleagues. Bob never thinks twice about assisting fellow employees, and he always finishes given assignments on time. Often Bob takes extended measures to complete his work, sometimes skipping coffee breaks. Bob is a dedicated individual who has absolutely no vanity in spite of his high accomplishments and profound knowledge in his field. I firmly believe that Bob can be classed as a high-caliber employee, the type which cannot be dispensed with. Consequently, I duly recommend that Bob be promoted to executive management, and a proposal will be executed as soon as possible. - Project Leader - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - A SUBSEQUENT MEMO WAS SOON SENT FOLLOWING THE ABOVE LETTER: That idiot was reading over my shoulder while I wrote the report sent to you earlier today. Kindly read ONLY the odd numbered lines (1, 3, 5, etc...) for my true assessment of him. Regards. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - How's that for separating the wheat from the chaff? Stacy Friedman, Senior Performance Engineer, Oracle Forms sfriedma@us.oracle.com (650) 506-8008 ------------------------------ Date: Wed, 1 Apr 1998 14:32:58 +0100 From: Piers Thompson Subject: Re: EMI and TWA 800 (RISKS-19.64) >The April 9 _New York Review of Books_ has published a long special >supplement, "The Fall of TWA 800: The Possibility of Electromagnetic >Interference," by Elaine Scarry, a noted author and Harvard professor: I note from the paper itself that Elaine Scarry is professor of "Aesthetics and General Theory of Value". I don't know whether her noted authorship includes any titles of relevance to air investigation or EMI. The paper itself makes a number of elementary errors of fact and relies heavily on innuendo for effect. It is far from a rational, scientific review of the evidence. The author claims that parts have been subjected to scientific review. It seems unlikely. > > http://jya.com/twa800-emi.htm (128K with 3 images) > >The article closely examines the possibility of electromagnetic interference >in TWA 800's controls, comm, and black boxes by activities of the ten US >military planes and ships in the vicinity which were heavily equipped for >electronic warfare and were conducting tests of the gear. The paper presents no evidence (and doesn't even claim) that the military units were either "heavily equipped for electronic warfare" or "conducting tests". Piers ------------------------------ Date: Mon, 30 Mar 1998 08:03:27 -0800 From: "Rob Slade" Subject: "Computers, Ethics and Society", Ermann/Williams/Schauf BKETHICS.RVW 980131 "Computers, Ethics and Society", M. David Ermann/Mary B. Williams/Michele S. Shauf, Oxford, 1997. %A M. David Ermann %A Mary B. Williams %A Michele S. Shauf %C 70 Wynford Drive, Don Mills, Ontario M3C 1J9 %D 1997 %G 0-19-510756-X %I Oxford University Press %O C$29.95 800-451-7556 fax: 919-677-1303 cjp@oup-usa.org %P 340 p. %T "Computers, Ethics and Society, Second Edition" Ethics. Don't talk to me about ethics. Computer industry the size of a planet, security specialists sleeping under every bush, a zillion philosophy students and what do we do? We write a textbook. It's so depressing. It has been seven years since the first edition of this book was published, and five years since I reviewed that first edition. I was rather looking forward to it at the time, it being the only title I had found to address this all important issue. I was a bit chagrined to find that it was, a) a series of articles, rather than a book; and, b) a textbook. Well, courses on computer ethics are important, and in the interim there have been both other textbooks and serious examinations of the topic for the working professional. I've gotten over my disappointment that the book was a textbook, but still find it to be flawed *as* a textbook. As with other, similar, works, some of the disappointment arises from the fact that, so far, this is close to the best we can do. The apparent organization of the material is good. The first section of papers deals with general ethical theory. Unfortunately, the background is somewhat limited, dealing only with utilitarianism, generally simplified to "the greatest good for the greatest number", and some minor variations. (Kant's "Categorical Imperative" is covered, but it can easily be seen as a special case of utilitarianism where "badness" is exponential.) The first paper, "Ethical Issues in Computing," stands as an overview of topics to be covered in the book. As such, the piece can't be faulted for a lack of depth. However, what analysis there is in the essay betrays a reliance on facile reasoning and presumptions based on strictly anecdotal evidence, or no evidence at all. In this regard, it foreshadows too much of the material in the book overall. The second and third papers, "Information Technologies Could Threaten Privacy, Freedom, and Democracy," and "Technology is a Tool of the Powerful," demonstrates another shortcoming of the book: an emphasis on theoretical societal, rather than practical personal, responsibilities and issues. As the material begins to examine generic ethical principles in light of specific problems, the treatment becomes uneven, although by and large it offers little except further problems in defining moral action. (I was sad to see that a first rate treatise on privacy as it relates to monitoring of criminal offenders; lucid, readable and almost poetic while casting an insightful new light on the subject; has been removed.) In light of my comments about a social bias to the book, it may seem strange that part two is entitled "Computers and Personal Life." However, personal action and responsibility is in the minority. Four papers deal with privacy, commerce, and employment, again pitting the individual against the mass, if not the state. The excerpt from Gates' "The Road Ahead" (an unremarkedly ironic inclusion given the current debate and legal battles over "ownership" of the desktop) is nothing more than a bit of blue sky pronouncing. The articles by Postman, Gergen, and Broadhurst are better informed, but no closer to ethics. Eugene Spafford seems to be the only contender in the personal activity arena. "Computers and the Just Society" is definitely back with the person against the principality, paying particular attention to employment (in the aggregate) and privacy (as being eroded by legislation against encryption). There is a nod to cyberspace and the law on the way through, but it isn't much improvement over the first edition. (Aristotle and Augustine didn't even make the cut this time out.) Part four, on "Computing Professionals and Their Ethical Responsibilities" shows titular promise, but is back on the individual against society once more. Indeed, there is little that is specific to the computing professional. A paper on "whistle-blowing' is clear as to the issues, but finally ambiguous as to any answers. Steven Levy's piece on Lotus Marketplace is a bit depressing when you realize the final outcome: Lotus never did release marketplace, but a number of recent "products" are much greater invasions of privacy. Given the almost absolute emphasis on society, I was rather surprised to see only one paper, and that tangentially, related to the rise of the Internet. The net has become a major force in society, both in spreading hate literature and other disinformation, and in promoting democracy and discourse. The second edition does not appear to have taken the opportunity to come up to date in this regard. Much of the material collated here is interesting, and worthwhile background for a course in computer ethics, but it doesn't go anywhere. The quality is very uneven and, ultimately, much of the writing is disappointing. The section and subsection headings often bear only the most tenuous connection to the contents, although related articles to tend to have some commonality. As course reading material, this book could be very useful in the hands of a good instructor. As a resource for those working in the lines ... well, I suppose we keep looking and hoping. copyright Robert M. Slade, 1993, 1998 BKETHICS.RVW 980131 ------------------------------ Date: 31 Mar 1998 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to with one-line, SUBSCRIBE (or UNSUBSCRIBE) [with net address if different from FROM:] or INFO [for unabridged version of RISKS information] .MIL users should contact (Dennis Rears). .UK users should contact . => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from http://www.CSL.sri.com/risksinfo.html ftp://www.CSL.sri.com/pub/risks.info The full info file will appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. => ARCHIVES are available: ftp://ftp.sri.com/risks or ftp ftp.sri.comlogin anonymous[YourNetAddress]cd risks [volume-summary issues are in risks-*.00] [back volumes have their own subdirectories, e.g., "cd 18" for volume 18] or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue]. The ftp.sri.com site risks directory also contains the most recent PostScript copy of PGN's comprehensive historical summary of one liners: get illustrative.PS ------------------------------ End of RISKS-FORUM Digest 19.65 ************************