precedence: bulk Subject: Risks Digest 23.48 RISKS-LIST: Risks-Forum Digest Monday 9 August 2004 Volume 23 : Issue 48 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at as The current issue can be found at Contents: Kolwicz kicked out for submitting real election tests (via Susan Marie Weber) Image flaw pierces PC security (Keith A Rhodes) Windows Buffer Overflow Protection Programs: Not Much (Paul Robinson) Security Cavities Ail Bluetooth (Kim Zetter via Monty Solomon) Emoticon-interpreters create risks in instant messaging services (Dale Hawkins) First malicious program aims for handhelds (Keith A Rhodes) Two more Canadian Banks with computer software screwups (Bob Heuman) Top Australian banking sites vulnerable (NewsScan) Cable giants seek to dominate VoIP (NewsScan) Another airline outage (Jeremy Epstein) Two Million Scans Uncover 55 Million Instances of Spyware (Monty Solomon) Memory error paper (Laurent Guerby) Risks of automated calling systems (Jeremy Epstein) Internet voting in The Netherlands update (Joseph Kiniry) Re: The Mr Micawber Syndrome (Fernando Pereira) Re: Stolen: one-third of the world's software (Jurek Kirakowski) REVIEW: "Software Forensics", Robert M. Slade (Rob Slade) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Thursday, August 05, 2004 11:27 AM From: alkolwicz@qwest.net Subject: Kolwicz evicted for submitting real tests (via Susan Marie Weber) > Date: Thu, 5 Aug 2004 14:30:13 -0700 > From: "SusanMarieWeber" > Subject: Kolwicz kicked out for submitting real election tests > This is message from Al Kolwicz. I suspect that we are all going to face > these problems during the next accuracy and logic testing of the voting > machines before the November 2004 election. Imagine having cops around to > tell people to leave. We must stop questioning authority? I don't think > so, NOW more than ever we need to keep asking these questions. > Susan Marie Weber Kolwicz kicked out for submitting real election tests Al Kolwicz, official representative to Boulder County's test of its new vote counting system, was asked by County Clerk, Linda Salas, to leave the test. When asked what happened, Kolwicz said, "we submitted sample ballots to test the security and accuracy of the county's new vote counting system." The sample ballots included tests such as - (a) what happens if a voter circles the box rather than filling in the entire box with a black pen, and (2) what happens if a voter marks over the ballot serial number in hopes that this will make the ballot secret. (Boulder County's new ballots are not secret.) Salas consulted with the Secretary of State, Donetta Davidson's office, by phone. Following their private conversation, Salas asked Kolwicz to leave. Kolwicz left immediately and went outside of the building to record some notes. Deputy P. Dunphy, who was in the room where the testing was being conducted, came out to find Kolwicz on a bench. He told Kolwicz that he was not to return to the building. "It looks like a sham is being foist upon the public", said Kolwicz. The tests prepared by Kolwicz are limited to things that can happen in this year's primary election. Al Kolwicz, CAMBER - Citizens for Accurate Mail Ballot Election Results 2867 Tincup Circle, Boulder, CO 80305, 303-494-1540 AlKolwicz@qwest.net www.users.qwest.net/~alkolwicz http://coloradovoter.blogspot.com ------------------------------ Date: Fri, 06 Aug 2004 07:31:51 -0400 From: "Keith A Rhodes" Subject: Image flaw pierces PC security Robert Lemos, CNET News.com, 5 Aug 2004 http://zdnet.com.com/2100-1105-5298999.html Six vulnerabilities in a common code that handles an open-source image format could allow intruders to compromise computers running Linux and may allow attacks against Windows PCs as well as Macs running OS X. The security issues appear in a library supporting the portable network graphics (PNG) format, used widely by programs such as the Mozilla and Opera browsers and various e-mail clients. The most critical issue, a memory problem known as a buffer overflow, could allow specially created PNG graphics to execute a malicious program when the application loads the image. Among the programs that use libPNG and are likely to be affected by the flaws are the Mail application on Apple Computer's Mac OS X, the Opera and Internet Explorer browsers on Windows, and the Mozilla and Netscape browsers on Solaris, according to independent security researcher Chris Evans, who discovered the issues. Apple and Microsoft could not immediately be reached for comment. Evans did not test every platform to check which vulnerabilities work, he said. ------------------------------ Date: Mon, 09 Aug 2004 17:24:00 GMT From: "Paul Robinson" Subject: Windows Buffer Overflow Protection Programs: Not Much I happened to stumble upon the most recent issue of the hacker e-zine Phrack, Issue #62, of July 10, 2004, and looking over the table of contents I found article #5, "Bypassing 3rd Party Windows Buffer Overflow Protection" which can be read at the following url: http://www.phrack.org/show.php?p=62&a=5 I found the article fascinating in that it shows exactly why several major commercial anti-buffer overflow exploit programs are inadequate for their advertised purposes. The article even points out what you are going to end up with: a false sense of security. For those who are not so technically inclined, a buffer overflow exploit is one in which someone sends too much data to a program (such as a web server application), sending far more data than the program would expect, in order to force arbitrary data into a storage area (a "buffer") so the amount of data forced into the buffer goes beyond the expected limits, causing the data to overflow the buffer and makes it possible for that data to be executed as arbitrary program code. Since the attacker forces code of his choosing into the execution stream, he now 0wns your box, because as the saying goes, if I can run code on your machine - especially if it's a Windows machine where there is not much protection - I can pretty much do anything I please there. These anti-buffer overflow exploit protection programs then try to prevent this by watching for attempts to execute calls to the operating system, in places where only data should occur as opposed to program code. The article shows why these programs are inadequate both from a standpoint of how they fail to provide full protection, and how to get around the limited protection they do provide. This sort of article is an excellent example of why full disclosure of a serious problem is necessary in order to solve it. The type of response to an anti-buffer overflow exploit protection program by an attacker would, as a matter of necessity, be somewhat complicated and technical in nature, and the only way one could explain why there is a problem, what the problem is, and then allow someone to be able to solve it, is to describle how to exploit the flaw. Nothing less will do because nothing less will explain how the flaw is exploited. It is reports such as these that are important even to those that are not interested in breaking into a place, and in fact are probably of crucial interest to security people in order that (1) they not be given a false sense of security by these products that only solve part of the problem; (2) explain exactly why the products are ineffective; and (3) explain exactly what the issues are. An explanation such as the one given shows why these products are ineffective, shows what those who have to defend themselves need to look for, and can show those trying to build safety systems in the future how to better secure them. Does this mean someone can create an attack using the information shown? Absolutely. This does not make the exposure of such information any less valid. Telling someone that it is still possible to trigger a buffer overflow exploit even if a buffer overflow exploit security program is in place is probably not going to convince them without some proof. Explaining that these systems don't block everything and mentioning why will not give someone enough information to reliably check what is happening or understand how the problem affects them. Only a clear explanation of how the process is done is going to show someone how to guard against it. Digging one's head in the sand does not hide a danger, nor does making it illegal to publicize such information help, as those who will use such information for criminal purposes, since they are already breaking the law, any penalties for selling such information to other crackers (or trading it for other information) simply keeps it out of the hands of the good guys who would need it to figure out how to work around it. Additionally, by making such information available, third parties, who are neither selling security software, nor trying to crack other people's boxes in order to own them, can read this information and give an objective validation as to whether they are valid or not, and perhaps can supply solutions not requiring multi-thousand-dollar support contracts from some vendor who is more interested in what they can sell than in security, who just happen to sell this particular type of product because there is a market for it and who might not be interested in giving away information that they can sell to others. There's nothing particularly wrong with charging whatever the traffic will bear for what you know, but it creates a strong disadvantage for those kept in the dark. Which is the only thing that security by obscurity - trying to hide problems in the hope someone doesn't discover them - does, it keeps the people who most need to know how to solve the problem in the dark. ------------------------------ Date: Sat, 7 Aug 2004 16:20:31 -0400 From: Monty Solomon Subject: Security Cavities Ail Bluetooth Kim Zetter, Wired.com, 6 Aug 2004 Serious flaws discovered in Bluetooth technology used in mobile phones can let an attacker remotely download contact information from victims' address books, read their calendar appointments or peruse text messages on their phones to conduct corporate espionage. An attacker could even plant phony text messages in a phone's memory, or turn the phone sitting in a victim's pocket or on a restaurant table top into a listening device to pick up private conversations in the phone's vicinity. Most types of attacks could be conducted without leaving a trace. Security professionals Adam Laurie and Martin Herfurt demonstrated the attacks last week at the Black Hat and DefCon security and hacker conferences in Las Vegas. Phone companies say the risk of this kind of attack is small, since the amount of time a victim would be vulnerable is minimal, and the attacker would have to be in proximity to the victim. But experiments, one using a common laptop and another using a prototype Bluetooth "rifle" that captured data from a mobile phone a mile away, have demonstrated that such attacks aren't so far-fetched. Laurie, chief security officer of London-based security and networking firm ALD , discovered the vulnerability last November. Using a program called Bluesnarf that he designed but hasn't released, Laurie modified the Bluetooth settings on a standard Bluetooth-enabled laptop to conduct the data-collection attacks. Then, German researcher Herfurt developed a program called Bluebug that could turn certain mobile phones into a bug to transmit conversations in the vicinity of the device to an attacker's phone. ... http://www.wired.com/news/privacy/0,1848,64463,00.html ------------------------------ Date: Fri, 30 Jul 2004 09:36:39 -0400 From: "Hawkins Dale" Subject: Emoticon-interpreters create risks in instant messaging services Many popular instant-messaging tools interpret text "emoticons" and replace them with graphical icons. For example, if you send your buddy a colon-right-parenthesis, your correspondent's messaging client may replace the :) with a yellow smiley-face icon. This is very nice, but the sender has no control. And it's hard to know in advance what character-strings will be parsed into what kind of unintended image. A colleague was discussing his 401(k) plan with his boss, who happens to be female, via instant messaging. He discovered, to his horror, that the boss' instant-messaging client was rendering the "(k)" as a big pair of red smoochy lips. :( ------------------------------ Date: Fri, 06 Aug 2004 07:29:27 -0400 From: "Keith A Rhodes" Subject: First malicious program aims for handhelds [The "first" as far as we know.] Ina Fried, Malicious program aims for Pocket PCs, CNET News.com, 5 Aug 2004 http://zdnet.com.com/2100-1105-5298781.html A malicious Trojan horse program has emerged for Pocket PCs, antivirus companies, but they characterized the threat as relatively low. The program, known alternately as Backdoor.Bardor.A and WinCE.Brador.a, lets an attacker gain full control of the handheld and is the first such "backdoor Trojan" program to emerge for Pocket PCs. However, such backdoor programs are not capable of propagating on their own and instead must be sent as e-mail attachments or through similar means, making them less dangerous. ------------------------------ Date: Fri, 30 Jul 2004 21:17:30 -0400 From: Bob Heuman Subject: Two more Canadian Banks with computer software screwups TD, CIBC glitches bring down key banking systems, ITBusiness, 29 Jul 2004 http://www.itbusiness.ca/userredirect.asp?linkid=37706&userid=5 Two of Canada's best-known financial institutions join RBC in the annals of IT horror stories. Find out what went wrong, and to what extent customers' loyalty will be tested. * The CIBC error was definitely a program change that made it through testing and was put into production with an uncaught error in the code. * The TD error was still being investigated at the time of the article I reference above. Basically, more of the same, and impacting a lot of customers in Canada and elsewhere. Proof that as many times as it gets pointed out to them, it still happens, and will continue to happen. ------------------------------ Date: Tue, 03 Aug 2004 09:16:48 -0700 From: "NewsScan" Subject: Top Australian banking sites vulnerable The Web sites of three of Australia's four big banks are susceptible to cross-site scripting attacks, according to a British tech professional who gained prominence last year when he discovered a URL spoofing flaw in Microsoft's Internet Explorer browser. Sam Greenhalgh, who recently tested the Web sites of several British financial services companies and found many of them susceptible to the same kind of attacks, said the flaw resulted from sites not "sanitizing" information the user submits before displaying the information on the page: "If the information contains HTML, those HTML tags will be included on the site. Among other things this allows an attacker to include a tag that instructs the page to load a JavaScript file from another Web site." Greenhalgh provided demonstrations of injecting HTML on the sites using scripts he wrote himself. [*The Age*, 2 Aug 2004; Rec'd from John Lamp, Deakin U.; NewsScan Daily, 3 Aug 2004] [http://theage.com.au/articles/2004/08/02/1091412044139.html] ------------------------------ Date: Wed, 04 Aug 2004 08:05:40 -0700 From: "NewsScan" Subject: Cable giants seek to dominate VoIP Time Warner Cable, Cablevision and other cable giants have begun setting up their own Voice over Internet Protocol (VoIP) services for American consumers, says a new Yankee Group report, aimed at quickly gaining the lead over alternative Internet telephony providers in 2004. "After many years of testing, the VoIP technology is finally available and ready for prime time. The U.S. market, which represents almost all the cable VoIP market today, also will drive the global MSOs (multiservice operators) to move forward," says a Yankee Group analyst. Already, some alternative providers such as Vonage and Net2Phone are collaborating with cable and other broadband partners to offer their services, but in the long run, consumers likely will opt for VoIP service straight from their local cable or phone company. In a separate report on the U.S. broadband market, Yankee predicts that subscriptions to high-speed services will overtake narrowband signups by 2006. That study listed Comcast as the leader in cable modem subscribers and SBC as the dominant DSL provider. [CNet 3 Aug 2004; NewsScan Daily, 4 Aug 2004] http://news.com.com/2100-7352-5295023.html ------------------------------ Date: Tue, 3 Aug 2004 08:49:51 -0700 From: Jeremy Epstein Subject: Another airline outage Independence Air (www.flyi.com), a newly formed airline, suffered from a rather severe computer outage yesterday from about 3pm-9pm (not sure exactly). The result was that they couldn't check passengers in, couldn't track baggage, etc. The front-side people had no way of knowing which flights were in the air or who was on them. This may have been related to a severe round of thunderstorms that went through the Washington DC area at about the same time. One would hope they had backup computer systems (or power supplies, or network connectivity), but that's just a guess. What made this particularly nasty as an outage is that they didn't have backup procedures - no one had phone numbers, as they rely on getting those from the computer system. It made for a particularly long evening waiting 7 hours to pick my daughter up, since no one could tell us what the status was of any flight, or even what flight she was on. So when she walked out from the security area, it was something of a surprise.... ------------------------------ Date: Wed, 4 Aug 2004 09:00:46 -0400 From: Monty Solomon Subject: Two Million Scans Uncover 55 Million Instances of Spyware EarthLink and Webroot Release Six-Month SpyAudit Report; CoolWebSearch Identified as the Most Virulent Adware Program (PR Newswire, 4 Aug 2004) http://finance.lycos.com/home/news/story.asp?story=42899777 EarthLink and Webroot Software (a producer of award-winning privacy, protection and performance software) released their third SpyAudit Report, which has tracked the growth of spyware on consumer PCs for the first half of 2004. Since the SpyAudit report's inception on 1 Jan 2004, more than two million scans have been performed. The scans discovered approximately 54.8 million instances of spyware, for an average of 26.5 traces per SpyAudit scan. Scans nearly doubled from the first to the second quarter. For each category, the instances of adware increased month-over-month, while adware cookies, system monitors and Trojans decreased slightly overall. The complete report is available at . ------------------------------ Date: Wed, 04 Aug 2004 00:19:11 +0200 From: Laurent GUERBY Subject: Memory error paper Since we're talking about memory errors, there's a nice paper on memory vs a light bulb: A. Appel and S. Govindavajhala. "Using Memory Errors to Attack a Virtual Machine" in IEEE Symposium on Security and Privacy, 2003. http://www.cs.princeton.edu/~sudhakar/papers/abstracts/memerr.html http://www.cs.princeton.edu/~sudhakar/papers/memerr-slashdot-commentary.html I guess people designing voting machines without using some kind of heat sensor with alert procedure, using properly shielded case, ECC memory, etc... are not doing their engineering job. Not adding a paper trail at all is also a real bad idea, but that's just me :). ------------------------------ Date: Tue, 3 Aug 2004 17:48:37 -0400 From: Jeremy Epstein Subject: Risks of automated calling systems I got this a few weeks ago, and just noticed it. As with so many risks, the problem isn't the technology, but rather the unexpected combinations of technologies (i.e., cell phones left on all night along with automated calling systems). >I wanted to open this month's newsletter by sincerely apologizing to the >almost 60 people in our database who mistakenly received a call in the >middle of the night to remind them of our upcoming webinar held on [date]. >[Vendor] does not usually "telemarket" to our database - in fact, we >had never done so before. But when the webinar company offered us a chance >to broadcast a pre-recorded VM reminder at no charge, we fell for the lure >of the "free" opportunity against our better judgment. The theory was >that if it was sent after hours, it would not disturb anyone during their >work day. It sounded good in theory... > >The result? Four complaints the next morning from people notifying us that >we had woken them up by calling their home offices or cell phones that had >not been turned off that night. I asked the webinar company to run a call >report afterward and although we only received a few actual complaints, >the data showed that up to as many as 60 of you may have received these >disturbing calls. All I can say is that I am extremely sorry for the >inconvenience and I assure everyone that we will never mass call to our >database again. I do hope you accept my sincere apology for the mistake. ------------------------------ Date: Wed, 4 Aug 2004 09:58:09 +0200 From: Joseph Kiniry Subject: Internet voting in The Netherlands update Major events in Internet Voting are taking place in The Netherlands. The Dutch government tested an Internet voting system called "KOA" in the European Elections last month. A portion of that system was written by the Security of Systems (SoS) Group using formal methods. Additionally, partially based upon my group's work and influence, the entire KOA system has been Open Sourced under the GPL license. I have written a short article "Electronic and Internet Voting in The Netherlands" on what has been happening here over the past few months. See and for more information. ------------------------------ Date: Mon, 2 Aug 2004 22:01:59 -0400 From: Fernando Pereira Subject: Re: The Mr Micawber Syndrome I was struck by the parallels between the risks discussed by Michael Bacon and those arising in backcountry skiing and mountaineering. For example, his risk (4) pretty much corresponds to the failure to set a firm turn-around time that allows for a safe return. See Chapter 18 of "Mountaineering: the Freedom of the Hills" (6th edition, Graydon & Hanson, 1997) for additional interesting parallels. Articles like Ian McCammon's "Evidence of Heuristic Traps in Recreational Avalanche Accidents" http://www.snowpit.com/articles/traps%20reprint.pdf give independent evidence of decision-making bugs that are quite familiar to us in the computing realm: "Even though people are capable of making decisions in a thorough and methodical way, it appears that most of the time they don't. A growing body of research suggests that people unconsciously use simple rules of thumb, or heuristics, to navigate the routine complexities of modern life. In this paper, I examine evidence that four of these heuristics -- familiarity, social proof, commitment and scarcity -- have influenced the decisions of avalanche victims.". Fernando Pereira, Dept. of Computer and Information Science U. of Pennsylvania ------------------------------ Date: Mon, 12 Jul 2004 14:02:41 +0100 From: "Jurek Kirakowski" Subject: Re: Stolen: one-third of the world's software (RISKS-23.45-46) A while ago, I tried to find out the empirical basis for claims such as these made by the Business Software Alliance. After all, they can't actually be going round and physically inspecting the software being run on people's computers, can they? Nor, presumably, are they relying on conviction rates! After some digging, I found that in 2002 their basic methodology was to count up the number of computers sold per year, and then check against the revenue from licensed software sold. They make the assumption that each computer should be loaded with X amount of licensed software. There is of course an imbalance between predicted and actuals and this is the inferential support for the detailed lists of amounts of software fraud per country they publish. The hazards of this methodology are (1) you don't check with enough software vendors, only, say the top 1,000 big ones; and (2) you don't consider that especially in economically poor countries, users may be using free-ware and open-source software. Much of the latter may simply be downloaded anonymously and you don't need to register. Even in more affluent countries the use of open source software is spreading - not only because of price, but because it is usually better written and subject to less invasive user agreements than software created by many members of the Business Software Alliance. ------------------------------ Date: Fri, 6 Aug 2004 08:21:33 -0800 From: Rob Slade Subject: REVIEW: "Software Forensics", Robert M. Slade BKSFWRFR.RVW 20040706 "Software Forensics", Robert M. Slade, 2004, 0-07-142804-6, U$39.95/C$3.95/UK#29.99 %A Robert M. Slade rslade@vcn.bc.ca rslade@computercrime.org %C 300 Water Street, Whitby, Ontario L1N 9B6 %D 2004 %G 0-07-142804-6 %I McGraw-Hill Ryerson/Osborne %O U$39.95/C$3.95/UK#29.99 800-565-5758 fax: 905-430-5020 %O http://www.amazon.com/exec/obidos/ASIN/0071428046/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0071428046/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0071428046/robsladesin03-20 %P 215 p. %T "Software Forensics" As long as I'm reviewing books about which I can't be objective, I might as well review my own. This book is about software forensics. Nobody seems to know what that is. "Oh, you look for child porno and drug dealer addresses on seized computers, right?" Umm, no. That's computer forensics which, although it should be broader, has become limited to the basic data recovery aspect of the wider field of digital forensics. Software forensics delves into what evidence you can glean from software itself. This is useful in malware and virus research (where it has long been known as forensic programming), as well as in cases involving intellectual property and plagiarism. The study and tools utilized in software forensics can assist with determining the intent and authorship of a piece of software. At times it can even help with tasks such as recovering source code with legacy programs, or porting to new systems. In the book there is an overview of software forensics itself. One chapter looks at blackhat sociology and culture, since those characteristics can be evident in the programming style. There is material on the various tools, and properties of malicious software. Presentation of this type of evidence in court is difficult, so chapter five reviews expert witness restrictions and other legal issues. Content is included on programming cultures, stylistic analysis, and authorship analysis. I can say, without any bias whatever, that this is the finest work on this topic available today. I can say that, because it's the *only* book that is dedicated to the subject. copyright Robert M. Slade, 2004 BKSFWRFR.RVW 20040706 rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade [Incidentally, Tim Grance at NIST noted out of band that a draft of a new guide on PDA Forensics is soon to be released by NIST. Stay tuned. PGN] ------------------------------ Date: 2 Jun 2004 (LAST-MODIFIED) From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks. => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) if possible and convenient for you. To subscribe or unsubscribe via e-mail to mailman your FROM: address, send a message to risks-request@csl.sri.com containing only the one-word text subscribe or unsubscribe. You may also specify a different receiving address: subscribe address= ... . You may short-circuit the process by sending directly to either risks-subscribe@csl.sri.com or risks-unsubscribe@csl.sri.com depending on which action is to be taken. Subscription and unsubscription requests require that you reply to a confirmation message sent to the subscribing mail address. Instructions are included in the confirmation message. Each issue of RISKS that you receive contains information on how to post, unsubscribe, etc. INFO [for unabridged version of RISKS information] .UK users should contact . => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you NEVER send mail! => The INFO file (submissions, default disclaimers, archive sites, copyright policy, PRIVACY digests, etc.) is also obtainable from The full info file may appear now and then in future issues. *** All contributors are assumed to have read the full info file for guidelines. *** => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line. *** NOTE: Including the string "notsp" at the beginning or end of the subject *** line will be very helpful in separating real contributions from spam. *** This attention-string may change, so watch this space now and then. => ARCHIVES: ftp://ftp.sri.com/risks [subdirectory i for earlier volume i] redirects you to Lindsay Marshall's Newcastle archive http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue. Lindsay has also added to the Newcastle catless site a palmtop version of the most recent RISKS issue and a WAP version that works for many but not all telephones: http://catless.ncl.ac.uk/w/r . ==> PGN's comprehensive historical Illustrative Risks summary of one liners: for browsing, or .ps for printing ------------------------------ End of RISKS-FORUM Digest 23.48 ************************