FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for information on RISKS (comp.risks) ***** Contents: Vandals Cut Cable, Slow MCI Service (Mich Kabay) Mexican election computers (John Sullivan) Attack of the killer spellcheckers... (Valdis Kletnieks) U.S. Mail causes ZIP-code problem (Al Stangenberger) Re: Bug in Microsoft Word (Dave Moore) Salt in wounds (Re: New Cray and Unix Passwords...) (Peter Wayner) Re: Fraud and Identity -- SCI-FI (Andrew Marchant-Shapiro) Politicians Join the Internet (Mich Kabay) Re: pi = 3 (Mark Stalzer, Rob Boudrie) System makes bank check forgery easy (Christopher Klaus) CFP: 2nd ACM Conference on Computer and Communications Security (Li Gong) Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc. ---------------------------------------------------------------------- Date: 28 Aug 94 13:12:43 EDT From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com> Subject: Vandals Cut Cable, Slow MCI Service >From the Washington Post newswire (94.08.27): VANDALS CUT CABLE, SLOW MCI SERVICE By Elizabeth Corcoran Washington Post Staff Writer "Telephone calls between New York City and Washington on the MCI network encountered traffic jams yesterday afternoon after vandals removed a segment of cable in Newark. The problems began just before 2 p.m. and lasted until 5:45 p.m. "MCI Communications Corp. spokesman Jim Collins said vandals `neatly cut' out a 20-foot segment of fiber-optic cable that ran along a railroad overpass above a street in Newark. The cable, which was wrapped in a thin plastic casing, was not easy to reach." The article continues with the following key points: o Repairs took about an hour after the break was located. o NJ residents, in particular, got many busy signals when alternative routes were saturated. o Brokers on the NASDAQ exchange, including Dow Jones, were affected. o Motives for the theft of 20 feet of fiber optic cable are unknown. [Comments by MK: could this be a dry run for a class-3 (international) information warfare attack? "Let's see what happens when we deliberately interfere with one of the major carriers...."] M.E.Kabay,Ph.D./DirEd/Natl Computer Security Assn ------------------------------ Date: Fri, 26 Aug 94 13:21:42 -0500 From: sullivan@geom.umn.edu Subject: Mexican election computers RISKS readers will recall that six years ago, the Mexican ruling party PRI evidently stole the presidential election through tricks with the vote-counting computer. Last month, the Economist had an article about preparations for the elections this year in Mexico. Their reporter interviewed a government official in charge of elections; when he asked about the computer irregularities six years ago, the interview was abruptly ended. It seems that the elections this year were more open and fair than those six years ago. But there have been some questions raised again about the computer system. The IFE (Federal Electoral Institute) has delayed releasing the final vote totals. PRI representatives say the delay is because the PRD (opposition party) is demanding recounts of each ballot box. But, according to Reuters, PRD representatives to the IFE claim instead that the delays were "due to suspicious problems with the official computer system". The Reuters report continues to say that: IFE officials denied Thursday there were any problems with the computer system but said an investigation was continuing into an apparent effort by unknown individuals to infiltrate a computer virus into the main electoral computer. Interior Minister Jorge Carpizo said Wednesday that investigators had found some clues indicating who might have been responsible for the effort but did not say who they were or whether the effort was politically motivated or not. John Sullivan sullivan@geom.umn.edu ------------------------------ Date: 26 Aug 1994 18:53:21 GMT From: valdis@black-ice.cc.vt.edu (Valdis Kletnieks) Subject: Attack of the killer spellcheckers... Seen on page 2 of the New River Valley Current section of the Roanoke Times & World-News, Aug 24, 1994: Corrections: Because of an overzealous computer spellchecker, a number of names in a story on Radford University sports in the Welcome Students section appeared incorrectly and were not caught by a sports-ignorant editor. Phil Leftwich is the former Highlander now in the pros. Chris Connolly plays ball in WIlmington, Del., not Laminating, Del., and there's no such place as Educator, Ga. -- Eric Parker is from Decatur. Chibi Johnson is not in the least bit Chubby, and Done Staley is legendary, not Don Stellae. Meanwhile, Paul Beckwith, who is no relation to Paul Backwash, departed for Cornell. Because of a reporter's error, a story in Saturday's New River Current incorrectly reported a July 20 vote by the Montgomery County Planning Commission on a Price Mountain tower proposal. The vote only recommended the proposal for a public hearing. But by a 5-4 vote, the commission recommended approval of the tower Monday. The Board of Supervisors will consider it next month. ..... The obvious first-order RISK is of course not keeping your spellchecker in line. However, the following should also be noted: 1) The correction contained the WIlmington with an upper-case 'I' - there's nothing like having a typo in an apology for an errant spellchecker. 2) The first 2 paragraphs have an unusual amount of levity - the third is reprinted as a sample of their usual correction style. One almost needs to wonder if in fact, the original error never happened, and that the retraction is itself a creation of an AI gone amuck... ;) Valdis Kletnieks, Computer Systems Engineer ------------------------------ Date: Sat, 27 Aug 1994 13:37:23 -0700 From: Al Stangenberger Subject: U.S. Mail causes ZIP-code problem Residents of Oak Avenue in San Rafael, CA, are victims of a burgeoning mail problem caused when their street was "inadvertently" deleted from the Postal Service's national ZIP code database. San Rafael has several ZIP codes for various areas; two of these (94901 and 94904) have Oak Avenues with similar street numbers. Somehow the Oak Avenue in 94901 was deleted from the master database of streets, and this deletion was propagated to all commercial mailers in the USA who subscribe to the Post Office's ZIP code update service. The result of the deletion was that commercial mail programs automatically changed all Oak Avenue addresses in code 94901 to the Oak Avenue in 94904. The resulting flood of misdirected mail has caused the usual problems associated with missing bills, mortgage statements, etc. Further, any ZIP code changes back to 94901 requested when residents discovered this error were automatically "corrected" back to 94904 by the programs which relied on the Post Office's bad data. This situation will persist until the next revision tapes for the national ZIP database are distributed. The article I saw (Marin Independent-Journal, 12 August 1994) did not explain how a record was "inadvertently" deleted from the national database. I checked a printed ZIP code directory for San Rafael, and saw at least four other pairs of streets which could also have fallen victim to the problem. Fortunately, they did not. Until the problem is fixed, Oak Avenue mail is being manually sorted. Al Stangenberger Univ. of Calif Berkeley Dept. of Env. Sci., Policy, & Mgt. forags@nature.berkeley.edu ------------------------------ Date: Thu, 25 Aug 1994 14:20:37 -0400 (EDT) From: Dave Moore Subject: Re: Bug in Microsoft Word >>Word has a summary info area, for each document, that cannot be turned off. I wasn't aware of this specifically, but there is a much more substantial but similar feature that I encountered in version 4.x & 5.x of Word for the Mac. I suspect that it exists in the PC versions as well but have not checked. Fortunately, it's easy to test it yourself. Just create a Word file. Save it with "Fast Save". Re-open the file, delete something and save again with fast-save. Now use any external file viewer and look for your deleted text. The following is an internal memo I sent out a couple of years ago: -------------------------- Do you send WORD files via e-mail ? If so, be aware that you may be accidentally sending out your underwear along with your intended message. The default configuration in WORD for file saving is "Fast Save". The way this works is it only saves a list of edits and appends them to the existing file. When this file is opened, only the end result is displayed. However when you send this file via e-mail, the entire file is sent. So what does this mean ? It means that if you use Word to delete stuff that you change or that you don't intend to send or be seen; the supposedly deleted stuff may still be present in the file. The recipient of that file may be able to recover some or all of the deleted information. Under ordinary usage, this is not a problem. Recovery of deleted text by the recipient requires some specific knowledge and time. For obvious reasons, I won't explain the method. If you have some specific reason to be sure that no deleted text can be recovered, turn off Fast Save prior to saving for transmittal. Otherwise, your underwear may be visible. --------------- Actually recovery is not difficult at all, but the above was intended for a non-technical audience. ------------------------------ Date: Fri, 26 Aug 1994 09:54:31 -0400 From: pcw@access.digex.net (Peter Wayner) Subject: Salt in wounds (Followup to new Cray and Unix Passwords...) One should be careful pushing the envelope while calculating on the back of it. I made one misstep in my piece in RISKS-16.34 when I stated that 1000 passwords could be attacked as easily as one. I neglected to take account of the Salt, which is a neat part of the UNIX password system that effectively increases the size of the password space by a factor of 1024. If you are attacking one password, then the time limits from the earlier piece still hold if you're able to guess the salt ahead of time. This may not be possible and it certainly isn't possible if you're trying to use the "neat" trick of compare 1000 passwords in one swell FLOP. There are additional weaknesses that should be pointed out. If people only use lower-case characters and numbers, then the size of the key space is even smaller. This is only 36^8 possible choices which is about 1/76th the size of the space made up of {A-Z,a-z,0-9}. But who uses digits? Many don't. The number of 8 character passwords made up of just lower-case letters can be searched about 1026 times faster. That's less than an hour given the rough estimates. This pretty close to the size of the salt so the two cancel each other out and the running times from the previous post would apply here. This emphasizes the need for using different cases, numbers and punctuation in the password. When people use DES manually, they often just type in the key like a password. (Many of the automatic systems choose keys randomly from the entire key space.) If this is the case, then all of the estimates from the earlier piece in 16.34 also apply to this case without having to worry about the salt. Clearly, any new standard encryption algorithm should include a method for hashing a longer phrase down to a shorter key in such a way that the entire keyspace is covered. Finally, some have asked about shadow password files, a common UNIX system hack that prevents ordinary users from access to the password file that used to be kept open for all to read. It is unclear how common these are, but this problem is really independent of the problem of attacking encrypted passwords. People can get at encrypted passwords by sniffing the network as well as a variety of other file system hacks. If the users could never get at encrypted passwords, we wouldn't need to encrypt the passwords anymore. I should point out again that my estimates of about the Cray came from thin air. I have no direct knowledge of the exact architecture of the machine or many of the small and medium sized details that could impose factors of 2 or 4 on the results. There are several other details. Although most focus their paranoia on the NSA, there are many others who might come to own such a machine. The Cray computer eventually emerging from this project should be available on the open market. It will undoubtably have many uses in many arenas. The memory architecture may grow to be popular in desktop machines because it can be used to do ray tracing, CAD applications and many other computational projects. Other Cray innovations are now common on desktop machines. That may be well into the future, but concentrating on that is one way to keep from getting mired in the past. ------------------------------ Date: 25 Aug 94 14:58:00 EST From: "MARCHANT-SHAPIRO, ANDREW" Subject: Re: Fraud and Identity -- SCI-FI (Kabay, RISKS-16.35) MK writes: >And will such tokens become valuable >commodities--valuable enough to steal and trade in the underworld? Sounds >like the subject for an interesting science fiction novel.] I recall at least once SciFi story in which eyeballs are removed to trick retinal scanners (that is, you remove someone ELSE's eyeball, and hold it up to the scanner...not at all nice!). Andrew Marchant-Shapiro, Depts of Sociology and Political Science, Union College, Schenectady NY 12308 (518) 388-6225 marchana@gar.union.edu ------------------------------ Date: 29 Aug 94 07:42:27 EDT From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com> Subject: Politicians Join the Internet The Washington Post newswire (94.08.29) reports on the growing use of Internet services by the US Congress and Senate: "E-Mail Puts Congress At Voters' Fingertips; House, Senate Venturing Onto the Internet" By Elizabeth Corcoran Washington Post Staff Writer "When the House of Representatives was weighing an amendment to a bill on education earlier this year, constituents swamped Rep. Elizabeth Furse's office with questions and concerns. "The Oregon Democrat took to the information highway: Along with conventional interviews, she posted soothing explanations on various computer bulletin boards. The uproar died down, and the bill passed." The author makes the following key points: o Growing use of Internet access throughout the US government, including legislators, support staff, and government employees. o White House plans to put multimedia documents online by mid-September. o "...about 40 representatives and 30 senators have acquired Internet addresses; about that many more members and committees in both houses have requested access." o Enthusiasts praise the immediacy of the electronic communications channel. o Voters can obtain detailed information online about legislation. o Congressional staffers are working on security measures "to protect its paths onto the Internet from hackers bent on disrupting databases." o Remote voting by legislators is a possibility under discussion for the long term. [Comments by MK: 1) Disproportionate weight In social psychology, one of the observations about how people form judgements about issues ("social cognition") is that _salience_ influences judgement. That is, the unusual, the exceptional, the striking--these factors insensibly lead us to overestimate their importance. In experimental work over many years, psychologists have found that anyone who is noticeably different in a group picture is assumed unconsciously by observers to have special importance. Until Internet access becomes more widespread, anyone sending E-mail to a Congresscritter is likely to be considered with greater interest than someone sending snailmail--simply because of the novelty. 2) Spoofs Congresscritters naturally weigh public comments with an eye to voter preferences. If there 20,000 messages supporting a particular initiative and 500 opposing it, the recipient may be influenced in favour of the proposal. And how will the congressional staff judge how many people sent the 20,000 messages if there is no authentication of the identity of the senders? Yes, fraudsters could go to the trouble of generating thousands of printed messages and mailing them from the appropriate district (so the postmark would fit). Mind you, it would be quite a job, what with using different fonts, margins and wording to simulate the contributions of individual voters. What a contrast with E-mail! Without public key signatures, a computer program could generate thousands of E-mail messages using randomizers for the text and a list of fraudulent identifiers. Even _with_ public keys, if the Bad Guys chose to certify thousands of their own pseudonyms, nobody could stop them--and it is unlikely that Congresscritters would know which keys had been certified by criminals. 3) Representative democracy Each letter and phone call to a legislative office is assumed to represent the opinions of many others who have not taken the time to communicate with their representatives. The practice of allowing free mail to representatives is supposed to increase the availability of such communications. What assumptions will legislators make about E-mail? And what will be the demographic attributes of E-mail senders? I think there's scope for some pretty intensive research here before anyone draws conclusions about the population sending political E-mail. Legislators must analyze issues, not merely tally indices of popularity. And with electronic communications, they must be especially wary of taking the easy path of vote-counting. Some of those "voters" may be phantoms, and the rest may be very different from "normal" voters. Many commentators have suggested that access to the Internet may widen the gap between the enfranchised intelligentsia and the disenfranchised masses. As E-mail links to legislators increase, it will be important to monitor the gap. If it becomes intolerable, that gap will have to be closed by widening access to the proposed National Information Infrastructure.] M.E.Kabay,Ph.D./DirEd/Natl Computer Security Assn ------------------------------ Date: Thu, 25 Aug 1994 12:49:39 +0800 From: stalzer@macaw.hrl.hac.com Subject: Re: pi = 3 (RISKS-16.34,35) It doesn't take a law to make pi = 3. On some old versions of Basic for PDP-11s, you could assign any value to the "constant" pi. The constant was contained in a shared run-time system (with write permission!), and changing it in one program changed it for all Basic programs (until the rts was reloaded). Mark Stalzer, mas@acm.org ------------------------------ Date: Thu, 25 Aug 94 14:39:41 EDT From: Rob Boudrie Subject: More on Pi (RISKS-16.34,35) [The Indiana Pi-throwing] is covered in detail in Peter Beckmann's book "A History of PI", in which he points out both the incomprehensibility of that Indiana law, as well as the difficulty in finding Pi=3 in it. That volume (available in paperback) is absolute must reading for all of those who at one time knew Pi to over 200 digits. rob boudrie [Also noted by Hal Lewis (hlewis@voodoo.physics.ucsb.edu): the book "has lots of other great stories about this remarkable number." PGN] ------------------------------ Date: Mon, 29 Aug 94 12:42:54 EDT From: Christopher Klaus Subject: system makes bank check forgery easy Here's an obvious risk that I am not sure exists for all banks but here's the deal: I use to live in dorms and when I opened an account with a local bank, they sent 3 or 4 packets of checks. I put the extra packets in my desk. Unfortunately, my roommates were less than honest and forged a check for some pizza. I noticed 1 or 2 packets missing so I had the bank stop payment for all the packets of checks that were missing. More than 6 months later, after I moved, I grabbed a packet of checks, and wanted to verify these were good ones and not ones I had previously stopped payment on. I called up the bank and the lady told me , if the checks had been stopped payment for more than 6 months, it is automatically purged from the system , and are good again. I asked her, `If I stole a few packets of blank checks from someone, I could just wait 6 months for the stop payment to roll over in your system, and begin forging again?' And she said, `Yea, but not a lot of people know that.' Well, gee, that makes me feel safer. I am not sure if this is true for most banks, but I wouldn't be surprised if it were so. Christopher William Klaus Internet Security Systems, Inc. Computer Security Consulting 2209 Summit Place Drive, Penetration Analysis of Networks Atlanta,GA 30350-2430. (404)998-5871. ------------------------------ Date: Thu, 25 Aug 94 12:18:21 -0700 From: Li Gong Subject: CFP: 2nd ACM Conference on Computer and Communications Security This is the first announcement of the upcoming ACM conference [RISKS-pruned]. You can access the full registration information online by E-mail to acmccs2@isse.gmu.edu or by www file http://www.csl.sri.com/acm-ccs/ccs.html Call For Participation 2nd ACM Conference on Computer and Communications Security Nov 2-4 1994, Fairfax, Virginia Sponsored by: ACM SIGSAC Hosted by: Bell Atlantic and George Mason University In cooperation and participation from International Association of Cryptologic Research IEEE Communication Society TC on Network Operations and Management IEEE Computer Society TC on Security and Privacy Conference Highlights Building on last year's highly successful inaugural conference, we are pleased to invite your participation in this year's conference. The purpose of the conference is to bring together researchers and practitioners of computer and communications security. As evidenced by the program, the conference offers a unique blend of cryptography and security, theory and practice, with emphasis on the practical. The conference will be held in the Holiday Inn, Fair Oaks, in Fairfax, Virginia; minutes from the Nation's Capital. We welcome you to enjoy an informative and invigorating program, and Washington's pleasant mid-fall sight-seeing weather. Advance Technical Program (Subject to Change) November 2 8:45 - 9:00 Welcome, D. Denning and R. Pyle 9:00 - 10:30 Applications, R. Sandhu - Support for the File System Security Requirements of Computational E-Mail Systems, A. Prakash and T. Jaeger - Secure Wireless LANs, V. Bhargavan - The Design and Implementation of Tripwire: A File System Integrity Checker, G. Kim and E. Spafford 11:00 - 12:30 Emerging Areas, S. Lee - Exchange of Patient Records: Prototype Implementation of a Security Attribute Service in X.500, M. Jurecic and H. Bunz - A Process-Oriented Methodology for Assessing and Improving Software Trustworthiness, E. Amoroso, C. Taylor, J.Watson and J. Weiss - Panel: To be announced 2:00 - 4:00 Key Escrow, C. Neuman - Clipper Repair Kit - Towards Acceptable Key Escrow Systems, T. Beth, H. Knobloch, M. Otten, G. Simmons and P. Wichmann - Protocol Failure in the Escrowed Encryption Standard, M. Blaze - Panel: Corporate Key Escrow, R. Ganesan 4:30 - 6:00 Cryptography -1, J. Feigenbaum - Secure Agreement Protocols: Reliable and Atomic Group Multicast in Rampart, M. Reiter - Key Distribution via True Broadcasting, M. Just, E. Kranakis, D. Krizanc, P. Van Oorschot - Conditionally Secure Secret Sharing Scheme with Disenrollment Capability, C. Charnes and J. Pieprzyk - Meta-ElGamal Signature Schemes, P. Horster, H. Petersen and M. Michels - Anonymous Credit Cards, S. Low, N. Maxemchuk and S. Paul November 3 9:00 -10:30 Database Security, Carl Landwehr - An Efficient Multiversion Algorithm for Secure Servicing of Transaction Reads, P. Ammann and S. Jajodia - A Temporal Authorization Model, E. Bertino, C. Bettini and P. Samarati - Propagation of Authorizations in Distributed Database Systems, P. Samarati, P. Ammann and S. Jajodia 11:00 - 12:30 Cryptography-2, J. Stern - Substitution-Permutation Networks Resistant to Differential and Linear Cryptanalysis, H. Heys and S. Tavares - Information Leakage of Boolean Functions and its Relationship to Other Cryptograpahic Criteria, M. Zhang, S. Tavares and L. Campbell - Authentication Codes that are r-fold Secure Against Spoofing, R. Safavi-Naini 2:00 - 4:00 Electronic Commerce Security - R. Ganesan - The Role of Licensing, Insurance and Endorsements in Evaluating Trust of Distributed System Services, C. Lai, G. Medvinsky and C. Neuman - To be announced - Panel: Security Issues in Electronic Commerce, C. Neuman 4:30 - 6:00 Cryptographic Protocols, P. Van Oorschot - New Protocols for Third-Party-Based Authentication and Secure Broadcast, L. Gong - How to Simultaneously Exchange Secrets by General Assumptions, T. Okamoto and K. Ohta - A Key Distribution Method for Object-Based Protection, W. Ford and M. Wiener November 4 9:00 - 10:30 Cryptanalysis, L. Gong - On the difficulty of factoring, A. Lenstra - How to Break Gifford's Cipher, T. Cain and A. Sherman - Parallel Collision Search with Application to Hash Functions and Discrete Logarithms, P. Van Oorschot and M. Wiener 11:00 - 12:30 Firewalls, S. Bellovin - Application Access Control at Network Level, R. Molva and E. Rutsche - Network Security Probe , P. Rolin, L. Toutain and S. Gombault - Panel: Firewalls, S. Bellovin 2:00 - 3:00 Experience, R.Graveman - Security Modelling for Organizations, A. Anderson, L. Kwok and D. Longley - Mainstreaming Automated Information Systems Security Engineering, J. Coyne and N. Kluksdahl 3:30 - 5: 00 Multilevel Security, V. Gligor - The Compatibility of Composable Policies, H. Hinton and S. Lee - An Entropy Conservation Law for Testing the Completeness of Covert Channel Analysis, R. Browne - Prerequisite Confidentiality, J. Nestor and S. Lee General Chairs: Dorothy Denning (Georgetown University), Raymond Pyle (Bell Atlantic) Program Chairs: Ravi Ganesan (Bell Atlantic), Ravi Sandhu (George Mason Univ.) Treasurer and Local Arrangements: Richard Graveman (Bellcore) Proceedings: Jacques Stern (ENS/DMI) Publicity: Li Gong (SRI) [Program Committee distinguished, but deleted for space, along with registration info. PGN] ------------------------------ Date: 31 May 1994 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc. The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks. Undigestifiers are available throughout the Internet, but not from RISKS. SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. U.S. users on .mil or .gov domains should contact (Dennis Rears ). UK subscribers please contact . Local redistribution services are provided at many other sites as well. Check FIRST with your local system or netnews wizards. If that does not work, THEN please send requests to (which is not automated). CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored. Must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. PLEASE DO NOT INCLUDE ENTIRE PREVIOUS MESSAGES in responses to them. Contributions will not be ACKed; the load is too great. **PLEASE** include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. All other reuses of RISKS material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using RISKS material should obtain permission from the contributors. ARCHIVES: "ftp crvax.sri.comlogin anonymousYourName cd risks: Issue j of volume 16 is in that directory: "get risks-16.j". For issues of earlier volumes, "get [.i]risks-i.j" (where i=1 to 15, j always TWO digits) for Vol i Issue j. Vol i summaries in j=00, in both main directory and [.i] subdirectory; "dir" (or "dir [.i]") lists (sub)directory; "bye" logs out. CRVAX.SRI.COM = [128.18.30.65]; =CarriageReturn; FTPs may differ; UNIX prompts for username, password; bitftp@pucc.Princeton.EDU and WAIS are alternative repositories. See risks-15.75 for WAIS info. To search back issues with WAIS, use risks-digest.src. With Mosaic, use http://www.wais.com/wais-dbs/risks-digest.html. FAX: ONLY IF YOU CANNOT GET RISKS ON-LINE, you may be interested in receiving it via fax; phone +1 (818) 225-2800, or fax +1 (818) 225-7203 for info regarding fax delivery. PLEASE DO NOT USE THOSE NUMBERS FOR GENERAL RISKS COMMUNICATIONS; as a last resort you may try phone PGN at +1 (415) 859-2375 if you cannot E-mail risks-request@CSL.SRI.COM . ------------------------------ End of RISKS-FORUM Digest 16.36 ************************