Subject: RISKS DIGEST 16.43
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest Tues 27 September 1994 Volume 16 : Issue 43

FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for information on RISKS (comp.risks) *****

Contents:
Pretty Bad Privacy in Top-Level Negotiations (Charles Dunlop)
Re: Mexico election (Håvard Hegna)
Coyote sues Acme Co. (Luis Fernandes)
Reasoning 101, the FBI Telecom Bill, and EPIC (Jerry Leichter, Marc Rotenberg)
Please!, let's call it the "Government Wiretap Bill" !!! (Jim Warren)
The high-tech university: 500 channels, all alike (Phil Agre)
Pagers and power supplies (Laszlo Nemeth)
Marketing of science (Michael Jampel)
Power Disasters (Matthew D. Healy)
Re: Power Outage in Russia? (Arthur D. Flatau)
Questions re: security of computerized medical records (Richard Goldstein)
Network Security Observations (NSO)
Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

----------------------------------------------------------------------

Date: Sun, 25 Sep 1994 18:43:58 -0400
From: "Charles Dunlop"
Subject: Pretty Bad Privacy in Top-Level Negotiations

_Business Week_ (October 3, 1994) has obtained a tape of two telephone calls made by an aide to Jimmy Carter on September 18 during negotiations over Haiti. The calls were made over an unsecured radio link from Port-au-Prince to Carter's plane -- one to a National Security Council staff person, and the other to Carter himself.

Shown transcripts of the calls during a CNN interview, Carter responded that he was "taken aback", and commented "Now I see what happened to Prince Charles".

[I guess that some public figures still haven't seen the air of their waves.]

C.E.M.
Dunlop, Philosophy Department, University of Michigan, Flint
Flint, Michigan 48502-2186 (810) 762-3380 cdunlop@umich.edu

------------------------------

Date: Mon, 26 Sep 1994 09:57:15 +0100
From: Håvard Hegna
Subject: Re: Mexico election (Sullivan, RISKS-16.36)

John Sullivan quotes IFE (Federal Electoral Institute) officials who deny there were problems with the computer system but continues an investigation on an apparent effort to infiltrate a computer virus into the main computer system.

In Norwegian newspaper Aftenposten on August 26., the election is reported as "a great step forward for Mexican democracy" with a turnout of 75% of the 45 mill. electorate, as compared to the normal 50%.

In a report from Mexico on The Norwegian Broadcasting System (NRK) Radio Program 2 (P2) on Saturday August 27., Joar Hoel Larsen quotes a professor in political science at UNAM (?) Louis Javier Garrido who claims that the means for rigging an election are much more sophisticated now than ever before. With today's computers and networks one person in the right spot can easily manipulate a whole election, something which would require an army of election officials in the earlier primitive systems employed.

Larsen's view was that the Mexicans really wanted to make the election open and fair this time, and had control rules on election day that bordered on the paranoid and went a lot further than procedures that are considered quite acceptable in for instance Norway. So there were few irregularities reported at the voting stations.

Instead, according to professor Garrido, the manipulation was done at the electorate registry level. 7-8 mill. voters from districts that were known to have a clear majority in opposition to the ruling PRI party, were removed from the electorate. Not everybody, but the necessary percentage from each such district. The result was a normal turn-out (percentage-wise) and the normal majority in these districts, but their influence on the totals was reduced.
Resulting in the PRI staying in power. Again according to Garrido, a serious political independent who is not a member of the losing PRD, says Larsen.

I have seen reports of complaints on the Mexican election in various media, but very little mention of this accusation. Has it been reported elsewhere? Does it have any substance? Does anybody know what kind of computerized system was used in Mexico this time, before, during and after the election? Any Direct Recording Equipment?

Håvard Hegna, Norwegian Computing Center, P.O. Box 114, Blindern, 0314 Oslo, Norway
(+47) 22 85 25 00/ (+47) 22 85 26 21 Fax : (+47) 22 69 76 60

------------------------------

Date: Sat, 24 Sep 1994 13:18:34 +0500
From: elf@eccles.ee.ryerson.ca (Luis Fernandes)
Subject: Coyote sues Acme Co.

What follows is an excerpt of an article that appeared in the 26 Feb 1990 issue of "The New Yorker" magazine. Specifically, the article is about a suit brought against Acme Company, incorporated in Delaware, by Wile E. Coyote who lives in the Arizona Desert and is seeking, "compensation for personal injuries, loss of business income, and mental suffering caused as a direct result of the actions and/or gross negligence of said company's... mail-order department..."

The article illustrates the RISKS of operating badly documented and labeled equipment; the RISKS of using improperly designed equipment, and the RISKS of using equipment for unintended purposes.

This is a quote from the opening statement of Mr. Coyote's attorney:

Mr. Coyote states that on December 13th he received of Defendant via parcel post one Acme Rocket Sled. The intention of Mr. Coyote was to use the Rocket Sled to aid him in pursuit of his prey. Upon receipt of the Rocket Sled Mr. Coyote removed it from its wooden shipping crate and, sighting his prey in the distance, activated the ignition. As Mr. Coyote gripped the handlebars, the Rocket Sled accelerated with such sudden and precipitate force as to stretch Mr.
Coyote's fore-limbs to a length of fifty feet. Subsequently, the rest of Mr. Coyote's body shot forward with a violent jolt, causing severe strain to his back and neck and placing him unexpectedly astride the Rocket Sled. Disappearing over the horizon at such speed as to leave a diminishing jet trail along his path, the Rocket Sled soon brought Mr. Coyote abreast of his prey. At that moment the animal he was pursuing veered sharply to the right. Mr. Coyote vigorously attempted to follow this maneuver but was unable to do so, due to poorly designed steering and a faulty or nonexistent braking system. Shortly thereafter, the unchecked progress of the Rocket Sled brought it and Mr. Coyote into collision with the side of a mesa.

In another incident, Coyote purchased a pair of rocket skates which, his attorney claims, Acme sold without sufficient caveat and with "little or no provision for passenger safety", because the design attached very powerful jet-engines to "inadequate vehicles"; i.e. the roller-skates.

Other products, manufactured by Acme, that have caused Mr. Coyote great anguish include: itching-powder, giant kites, Burmese tiger traps, anvils, and two-hundred-foot-long rubber bands.

RISKS readers are advised to be cautious with products purchased from the Acme Mail-Order Catalog and especially with explosives purchased from the Acme Mail-Order Explosives Catalog; the explosives tend to detonate prematurely very possibly due to the use of faulty primer-cord.

(If ever there was a candidate suitable for the role of RISKS mascot, Wile E. Coyote is that animal.)

------------------------------

Date: Fri, 23 Sep 94 17:59:42 EDT
From: Jerry Leichter
Subject: Reasoning 101, the FBI Telecom Bill, and EPIC

Marc Rotenberg quotes a 1992 GSA report that the FBI's proposals for access requirements to the telephone system would have an adverse impact on national security. He says this speaking for the "100 Reasons ...
project of the Electronic Privacy Information Center [EPIC]".

I haven't read the GSA report in question, but from context and the parts quoted by Rotenberg, it seems clear that the particular issue concerning GSA was one feature of the 1992 (1991?) version of the FBI proposal, which called for the telephone companies to link to a central, government-controlled office somewhere which would then have the ability to initiate taps anywhere without any further assistance from the telephone companies. The GSA was correct in pointing out that any breach of the security of this centrally controlled system could have serious implications. The GSA was also not alone in pointing out this particular risk.

This year's version of the proposal explicitly states that tapping is to be done *by telephone company personnel*, on telephone company premises (as is the case today). The central tapping facility is gone.

How shall we then classify Reason 55? A straw man attack? An appeal to emotion? (For many years, "national security" was the standard justification for almost anything the government wanted to do. Now EPIC has appropriated that battle cry.) Disingenuous? Dishonest?

At the least, if EPIC is going to quote the GSA's report, honesty requires that they quote enough context to show what the statement is based on. If they're going to use an analysis of the 1992 bill, it's incumbent on *them* to argue that analysis is applicable to the 1994 incarnation, which has undergone substantial changes - some of them presumably a direct result of the GSA's analysis.

In any case, proponents can as easily quote an FBI report to the effect that *not* passing this bill would have an adverse effect on national security. Why should one prefer the statement of one three-letter government agency over another? Duelling appeals to authority do not rational debate make.
-- Jerry

------------------------------

Date: Mon, 26 Sep 1994 12:51:45 EST
From: Marc Rotenberg
Subject: Re: Jerry Leichter's response

There is nothing in the GSA memo that supports Jerry Leichter's interpretation. The memo did not even mention the problems associated with centralized monitoring. Although, it's good of Jerry to bring that up.

The memo is reprinted in full, along with accompanying materials, in Banisar and Rotenberg, The Third CPSR Cryptography and Privacy Conference (1993). The memo is also available at the CPSR ftp site.

CPSR.ORG /cpsr/privacy/communications/wiretap/gsa_wiretap_memo.txt

The GSA memo contains at least *ten* Reasons to oppose the wiretap plan (incompatibility, impact on federal communication networks, scope of proposed change, powers of Attorney General, national security, network security, standards, current capability, cost effectiveness, delay in development of new systems, international trade, associated costs, impact on new services). We cited only one Reason -- national security.

A story appeared in *The New York Times* when the memo was obtained (15 Jan 1993, "FBI's Proposal on Wiretaps Draws Criticism from GSA"). Quoting from the NYT article, "the GSA said the proposed legislation was unnecessary, could hurt the nation's competitiveness in the international trade arena, and posed a possible danger to national security."

Marc Rotenberg, EPIC

------------------------------

Date: Sun, 25 Sep 94 12:45:38 PDT
From: jwarren@autodesk.com (Jim Warren)
Subject: please!, let's call it the "Government Wiretap Bill" !!!

It is *much* more accurate and much more provocative to call the "digital telephony" bill the "Government Wiretap Bill."

1. It helps their propaganda and harms our propaganda to call it the "*FBI* Wiretap Bill."

2. The FBI Wiretap Bill implies that only the FBI would use its access, whereas all the phrasing of the versions seems to include a catch-all like, "... and as otherwise authorized by law."

3.
We need to emphasize that it's the *government* that wants the snoop-n-peep power.

4. We need to point out that *all* levels of government can use it, "when authorized by law," of course.

5. We need to emphasize that the public doesn't *know* when wiretaps can be used, since the classified and secret lawful authorizations are ... well ... secret.

6. Most messages about the bill need to cite examples of past abuses of wiretap authority by those in power, e.g. J. Edgar Hoover as well as Nixon's Watergate attempt (i.e., he could have pulled it off if his FBI Director had had "digital telephony" wiretap-at-a-keystroke access as now sought).

7. We should start calling it "telephonEy." :-)

Jim Warren, columnist for MicroTimes, Government Technology, BoardWatch, etc.
jwarren@well.com -or- jwarren@autodesk.com

------------------------------

Date: Sun, 25 Sep 1994 20:04:33 -0700
From: Phil Agre
Subject: The high-tech university: 500 channels, all alike

In a recent issue of Forbes, Thomas Sowell reports that he's looking forward to the day when market pressures require universities to distribute a large proportion of their lectures over video. The reference is:

Thomas Sowell, Letting in the light, Forbes, 12 September 1994, page 98.

He anticipates many advantages of this system. Among them, he says, is that professors who engage in "propaganda", "pretentious mush", "strident ideology", and "recruitment of disciples" will be caught on tape and exposed to public censure. Sowell is a conservative economist and these are all obviously code-words for the expression of political views with which conservatives disagree. This is to be expected. But the danger that such proposals represent is independent of your political views.

Imagine what this new world will be like. It will become unwise to engage in unscripted give-and-take with students, lest an ambiguous remark be placed in a foreign context by someone with video editing equipment and a political axe to grind.
It will become unwise to express unpopular opinions in lectures, and even fundamentally conformist lectures will have to be structured as a series of soundbites, each of which will survive being edited into arbitrarily unfriendly contexts. University education, in other words, will be converted into television -- 500 channels, all alike, and all subject to the leveling force of external pressure.

These scenarios might seem paranoid, but one perfectly robust model for them can already be found in journalism. Substantial institutions have arisen for harassing journalists whose articles diverge from the political views of those who care to fund them. Mistakes are magnified, passages are taken out of context, and political evaluations are assembled and made available to people whose cooperation the journalist may require to gather stories. Of course, these activities are all perfectly legal and covered by the First Amendment. But they are regrettable nonetheless. (Such practices could already be organized in universities simply through having monitors sit in on classes and forward notes to a central organization. This is indeed done on a small scale, but video recording would make it much easier.)

It will be argued (and indeed, Sowell does argue) that the warnings of college professors like me are just the self-serving obfuscations of interest groups with something to hide. But the consequences of such phenomena go far beyond the university. When work activities that were formerly conducted face-to-face start to be mediated on a large scale by digital video and other computerized telecommunications technologies, unless those communications are given vastly more statutory protection than seems at all likely, the door will be opened to greatly intensified monitoring and regulation of those activities by anyone who has legal access to recordings of the signals.
If this happens, we will realize how much slack we got from face-to-face interaction, and we will be forced to look to one another to find ways of getting it back.

Phil Agre, UCSD

------------------------------

Date: Fri, 23 Sep 1994 21:01:59 -0600
From: Laszlo Nemeth
Subject: Pagers and power supplies

A rather humorous thing happened the other day. I was connecting up a scsi disk to a sparc 10 (nice small power supply) and had powered everything off. While leaning over the system to connect the various cables to the disk, my pager went off in vibrate mode. I wear my pager clipped backwards in my front jeans pocket (so the nice clear face doesn't get scratched, it mutes the sound of the pager, and gives really good contact when vibrating) a very tender spot on most people. When that pager went off I had a flashback to a time when I forgot how much power is in a sun 4/260 power supply and decided to test it with me as the path. Both times I have made it across the room before I knew what happened. From now on when a system is open, the pager is elsewhere.

laz

------------------------------

Date: Mon, 26 Sep 94 11:29 BST
From: jampel@cs.city.ac.uk (Michael Jampel)
Subject: Marketing of science

Phil Agre asked [RISKS-16.41] (re: uninterruptable power supplies causing power failures):

> Where do hubristic terms like "uninterruptable" come from?

They come from marketing people and sales people. Scientists and engineers often have contempt for these people, but unfortunately their mistakes and their hubris may lead to an anti-science back-lash. Therefore we can't just let them get on with it: it's not the sales people who will get the sack when a UPS proves to be interruptible; but the whole discipline of electrical engineering loses a little credibility.
So next time an engineer says something like ``We must not do X because it is very unsafe'', it is possible that those who have been misled by advertisements will say ``Yeah, yeah, what do you know.'' This is a risk (not of computers, but applying to any technical discipline).

Phil then added:

> I've got an "inherently safe nuclear reactor" to sell you

There _is_ a difference between inherent safety and engineered safety. And one of the first nuclear reactors _was_ inherently safe. It was in Sweden, called the Triga, and the opening ceremony (by Niels Bohr) consisted of removing all the cooling rods from the core. Within a minute, the reactor had stabilised, rather than starting to melt-down, due to the physical properties of the materials it was made from. (The damping effect went up exponentially with increasing temperature.)

My guess is that the reason no reactors are like this is commercial, i.e. it didn't make as much power per dollar's worth of uranium, not technical.

Another risk when scientists allow people they hold in contempt to do a job that doesn't interest them; the anti-nuclear power lobby has good reasons for its views, all due to mistakes made for commercial reasons. Possible end result: the whole world is condemned to lack of power when the oil runs out, because nuclear power will still be considered taboo.

Michael Jampel

------------------------------

Date: 24 Sep 1994 01:42:23 GMT
From: healy@seviche.med.yale.edu (Matthew D. Healy)
Subject: Power Disasters

All the postings about various incidents in which main power and backup were both lost serve as examples of a point often missed by risk planners: the multiplicative probability rule only applies if the events are truly independent. A common mode failure can take out several "redundant" systems at once. It's extremely difficult to design truly redundant systems.

The O'Hare incident also seems to illustrate another point.
All I know about this incident is what was posted to RISKS; I gather they were doing some kind of test on the UPS. _Chernobyl_ was a disastrous failure triggered by a test of emergency generation capabilities! The problem was exacerbated by numerous problems in design and maintenance, but the trigger event was a misguided test of generating emergency power from the main turbines as they spun down and the diesel generators were started up.

A test is an inherently hazardous situation; various common-mode failures can be triggered by tests. Therefore one must be especially careful about scheduling and running tests!

Matthew D. Healy healy@seviche.med.yale.edu
Postdoc, Yale School of Medicine

------------------------------

Date: Mon, 26 Sep 94 11:20:28 CDT
From: flatau@cli.com (Arthur D. Flatau)
Subject: Re: Power Outage in Russia? (RISKS-16.42)

Dave Barry (syndicated humorist) wrote an article a while back about another similar situation in Russia. The power to some military complex was shut off because the bill was not paid, the officer in charge ordered a tank be driven and parked next to the electric company building. The business end of the tank was pointed at the building and miraculously power was quickly restored.

The rest of the article was about the advantages of having a tank in resolving disputes with creditors and how one acquires the tank. The latter is done by sending in all the credit card applications one gets in the mail, acquiring enough credit and then charging the tank. When the credit card companies start demanding payments, it is easy to satisfy them because now you have a tank.

Art flatau@cli.com
Computational Logic, Inc. Austin, Texas

------------------------------

Date: Mon, 26 Sep 1994 07:56:04 -0700 (PDT)
From: Richard Goldstein
Subject: questions re: security of computerized medical records

I am a statistician and I sit on the Human Studies Committee (IRB) of a local HMO.
I have been assigned as primary reviewer for our committee for a recently submitted protocol dealing with security issues on the HMO's computerized patient data base. (Note: this may not need committee approval under Federal rules, but it does under local rules.) I am requesting some help regarding issues I should be asking about and guidance on literature.

Brief explanation of project: the current computerized medical record has two sections (I am oversimplifying some issues here, without, I hope, being misleading): a coded section that can be searched via computer and a text section that currently cannot be automatically searched. The HMO has entered into an agreement with a 'local' university (about 90 miles away) to attempt to develop tools for exploiting clinical text data (e.g., access, search, extract, manipulate the text portion of the record). The process includes providing the university with example records (size of sample not known), where the records have been 'sanitized'.

"The sanitization process has three stages:

1. automated masking of identifiers such as addresses and telephone numbers in ... extract headers as created [at the HMO]

2. automated masking of medical record numbers

3. automated masking of each segment of each member's name everywhere these segments occur in the ... extract"

There are some known problems with this masking (e.g., regarding the occurrence of names in the record other than that of the particular patient).

My problem is that I have no idea how much faith, trust, etc. to put into the "automated masking" process. Of particular help would be guidance on what questions to ask about this process to help make decisions about whether it is sufficient (guidance on literature would also be appreciated).

I note also that the people on the project appear to be unaware of the possibility of identifying patients via combinations of coded information.
As a statistician, I am aware of some of the large literature on this question, especially with respect to Census information. However, I am not familiar with recent literature on this question or with computer algorithms; further, I am not aware of any literature dealing specifically with this question for medical records (except that I do have a copy of the 9/93 publication from the Office of Technology Assessment entitled _Protecting Privacy in Computerized Medical Information_; however, this is not a technical publication).

Another question relates to what we should be asking about the security of the university computer; we have been told that the center "has implemented data access security by granting electronic access to [HMO] data only to researchers designated as members of the [HMO] project." However, we have been provided with NO details; again, what questions should we be asking and how do we interpret the responses.

I should mention that our committee very strongly opposes any movement of HMO data outside the HMO, but in rare circumstances we have agreed when we were satisfied with the security situation (usually a stand-alone computer in a room that could easily be locked).

Any help or advice would be greatly appreciated and should, preferably, be sent directly to me at "richgold@netcom.com". If desired, I could post a summary of the resulting responses to this group.

Rich Goldstein

------------------------------

Date: Tue, 27 Sep 1994 05:21:00 -0400 (EDT)
From: Network Security Observations
Subject: Network Security Observations

November 1994 NETWORK SECURITY OBSERVATIONS will be out with its inaugural issue.

NETWORK SECURITY OBSERVATIONS is expected to be the leading international journal on computer network security for the science, research and professional community.
Every annual volume contains five issues, each offering ample space for vigorously reviewed academic and research papers of significant and lasting importance, and a wealth of other network security information, including security patches and other technical information supplied by manufacturers, related governmental documents (international), discussions about ethics and privacy aspects, the Clipper chip and other cryptologic issues, viruses, privacy enhanced mail, protocols, harmonization of computer security evaluation criteria, information security management, access management, transborder data flow, EDI security, risk analysis, trusted systems, mission critical applications, integrity issues, computer abuse and computer crime, etc. etc.

If and when appropriate reports of major international conferences, congresses and seminars will be included, as well as information made available by governments, agencies, and international and supra national organizations.

Network Security Observations is published in the English language, and distributed Worldwide. The publication does NOT feature commercial announcements. National and international organizers of dedicated conferences, etc. can offer calls for papers and invitations to participate. Relevant postings from other publishers announcing new relevant books, etc. are welcomed as well.

NETWORK SECURITY OBSERVATIONS provides the in depth and detailed look that is essential for the network system operator, network system administrator, edp auditor, legal counsel, computer science researcher, network security manager, product developer, forensic data expert, legislator, public prosecutor, etc., including the wide range of specialists in the intelligence community, the investigative branches and the military, the financial services industry and the banking community, the public services, the telecom industry and the computer industry itself.
Subscription applications by email or fax before November 1, 1994 are entitled to a special rebated subscription rate. Special academic/educational discounts, and rebates for governmental personnel, and other special groups, are available upon request.

Network Security Observations is a not-for-profit journal, and therefore we are sorry to reject requests for trial orders.

For further information please contact:

by email> NSO@delphi.com
Or by fax> +1 202 429 9574

Or alternatively you can write to:

Network Security Observations, Suite 400, 1825 I Street, NW
Washington DC, 20006, United States

------------------------------

Date: 31 May 1994 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks. Undigestifiers are available throughout the Internet, but not from RISKS.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. U.S. users on .mil or .gov domains should contact (Dennis Rears ). UK subscribers please contact . Local redistribution services are provided at many other sites as well. Check FIRST with your local system or netnews wizards. If that does not work, THEN please send requests to (which is not automated).

CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored. Must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. PLEASE DO NOT INCLUDE ENTIRE PREVIOUS MESSAGES in responses to them. Contributions will not be ACKed; the load is too great. **PLEASE** include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. All other reuses of RISKS material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using RISKS material should obtain permission from the contributors.

ARCHIVES: "ftp crvax.sri.comlogin anonymousYourName cd risks: Issue j of volume 16 is in that directory: "get risks-16.j". For issues of earlier volumes, "get [.i]risks-i.j" (where i=1 to 15, j always TWO digits) for Vol i Issue j. Vol i summaries in j=00, in both main directory and [.i] subdirectory; "dir" (or "dir [.i]") lists (sub)directory; "bye" logs out. CRVAX.SRI.COM = [128.18.30.65]; =CarriageReturn; FTPs may differ; UNIX prompts for username, password; bitftp@pucc.Princeton.EDU and WAIS are alternative repositories. See risks-15.75 for WAIS info. To search back issues with WAIS, use risks-digest.src. With Mosaic, use http://www.wais.com/wais-dbs/risks-digest.html.

FAX: ONLY IF YOU CANNOT GET RISKS ON-LINE, you may be interested in receiving it via fax; phone +1 (818) 225-2800, or fax +1 (818) 225-7203 for info regarding fax delivery. PLEASE DO NOT USE THOSE NUMBERS FOR GENERAL RISKS COMMUNICATIONS; as a last resort you may try phone PGN at +1 (415) 859-2375 if you cannot E-mail risks-request@CSL.SRI.COM .

------------------------------

End of RISKS-FORUM Digest 16.43
************************