The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 14 Issue 85

Friday 20 August 1993


o Child-Prodigy or Prodigy-Child? 14-year-old triggers alarms
Jason Harrison
o IRS accounting bugs
Mich Kabay
o IRS & security
Mich Kabay
o Re: Dorney Park Hercules roller coaster ...
Gary Wright
o Accessible answering machines may grant *too much* access
Tsutomu Shimomura
o Re: ATM Scam
Gene Spafford
o High-speed password matching
Steve Stevenson
o Re: Crash of JAS 39 Gripen
Derrick Everett
o Risks of coming mass-communication capabilities
Jim Hiller
o Re: Computers dialing 911
o Good news from the front lines
Jeremy Grodberg
o Gideon Kunda, Engineering Culture
Phil Agre
o Virus Catalog: new edition
Klaus Brunnstein
o InfoWar announcement
Mich Kabay
o Info on RISKS (comp.risks)

Child-Prodigy or Prodigy-Child? 14-year-old triggers alarms

Fri, 20 Aug 93 12:49:36 -0700
As a supposed joke, a 14-year-old Seattle-area girl sent a Prodigy message to
her boyfriend in New Jersey containing a phony death threat against Baltimore
Orioles' shortstop Cal Ripkin, Jr., who is getting ever closer to Lou Gehrig's
record for consecutive games.  Seattle and Baltimore were playing in the
Kingdome in Seattle, and her boyfriend is an avid Orioles' fan.  Known for its
monitoring of messages, Prodigy alerted the police --- who tightened security
at the Kingdome and also camped out waiting for the girl to return home.  They
apparently reprimanded the girl, but she was not charged.  Police said she was
``very embarrassed and apologetic'' and added, ``By the time her [28-year-old]
sister got done chewing her out, that was enough.''  [Source: A UPI item
datelined Seattle, 19 Aug 93, PGN Excerpting and Extrapolating Service]

[The news on 20 Aug 93 noted that Kingdome officials are planning on charging
the cost of the extra security assigned to Ripkin to the girl.  - Jason]

IRS accounting bugs

"Mich Kabay / JINBU Corp." <>
18 Aug 93 15:13:41 EDT
 See IRS's Books. Color Them Red.;
   First Audit Ever Uncovers $752 VDT Valued at $5.6 Million
 By Stephen Barr, Washington Post Staff Writer, Washington Post, 18 Aug 1993

The Internal Revenue Service, which has made many an American anxious over
an audit, recently underwent a comprehensive audit of its own - its first.
Among the findings:

   A video display terminal costing $752 was valued in IRS inventory
records at $5.6 million.

   $36,000 was paid for a maintenance contract for a minicomputer that had
been idle for three years.

   32 duplicate payments and overpayments worth $500,000 were found in a
review of 280 payments to vendors, and 112 payments totaling $17.2 million
lacked complete supporting documentation.

The IRS examples are but a small slice of one of the federal government's most
serious problems: financial books that are out of whack, perhaps by tens of
billions of dollars."

The article goes on to detail a litany of egregious accounting blunders in
various parts of the government:

"...more than $200 billion in accounting errors by the Army and Air Force,..."

"...more than $500 million worth of errors in NASA financial statements...."

In addition, the GAO's report was discussed in the Senate's Governmental
Affairs Committee chaired by John Glenn (D-Ohio).  The Committee was concerned
"...about the disclosure that taxpayer privacy had been compromised by an
internal breakdown in computer security."

Michel E. Kabay, Ph.D., Director of Education, National Computer Security Assn

IRS & security

"Mich Kabay / JINBU Corp." <>
20 Aug 93 10:37:39 EDT
 IRS Computer Revamp Faulted By Study Panel; Privacy, Security Risks Seen
   In Multibillion-Dollar Program,
 By Stephen Barr, Washington Post Staff Writer, Washington Post, 20 Aug 1993

   The Internal Revenue Service `has shown little progress' in addressing
concerns about taxpayer confidentiality as it proceeds with a
multibillion-dollar overhaul of its computer systems, a National Research
Council panel said yesterday.
   The Tax Systems Modernization program at IRS "can lead to a wide range
of potentially disastrous privacy and security problems for the IRS unless
the IRS develops effective, integrated privacy and security policies," the
panel said."

The article continues to report that the program modernization will
cost about $7.8 billion over the next 15 years.

Henry H. "Hank" Philcox said that the IRS has been studying security for at
least the last 10 months, including both anti-hacker considerations and
protection against abuse by employees.

Michel E. Kabay, Ph.D., Director of Education, National Computer Security Assn

Re: Dorney Park Hercules roller coaster ... (S.D.Walter, RISKS-14.83)

Gary Wright <>
Wed, 18 Aug 1993 23:51:37 -0400
> This accident sounds remarkably similar to the accident on the Timber Wolf
> roller coaster at Worlds of Fun in Kansas City, on March 31, 1990.  The
> nature of the accident and the fixes were essentially the same!  See
> RISKS-9.96.

In fact, the Timber Wolf and Hercules were both built in 1989 and
designed by the same firm, Curtis D. Summers, Inc.  I believe the same
construction company was used (Dinn).  The material I have only lists
designers.  (Guide to Ride, American Coaster Enthusiasts, 1991).

  [By the way, the identity of the original contributor was cited
  erroneously in RISKS-14.83.  He is Steven D. Walter, of Bethlehem PA.
  Sorry for the error.  Thanks to Steve for the SnailMail.  PGN]

Remotely accessible answering machines may grant *too much* access

Tsutomu Shimomura <>
Thu, 19 Aug 1993 13:34:23 -0700
Many telephone answering machines provide "remote access" features which
permit the user to call and retrieve messages from elsewhere, often with the
aid of a Touch-Tone(tm) telephone.  There are often other functions provided,
such as the ability to delete messages, change the outgoing message, and set
various operating parameters for the machine.  Some minimal degree of security
is usually provided, typically a short "security code" to be sent via
Touch-Tone to authenticate the user.  The short "security code" is justified
as a compromise between user convenience and security; after all, the worst
thing that might reasonably happen is that someone else might retrieve and
delete your messages, right?

The ability to change the outgoing message, in combination with the in-band
signalling used in analog telephone systems, poses some interesting
opportunities beyond the obvious juvenile pranks.  If I have "cracked" the
"security code", it is likely a simple matter to record an outgoing message
which includes in-band signalling information (e.g., Touch-Tones) designed to
be sent upon receipt of dialtone.  Next, I must arrange for dialtone into
which the answering machine can play its message; this can be accomplished by
calling the machine and disconnecting just before it answers.  We now have a
manifestation of the classic telephone line "glare" race condition: the
"answerer" does not realize that it is really an "originator", and has just
initiated a call.

Numerous applications suggest themselves.  The simplest are ones involving
messages which call revenue-generating numbers (e.g., 1-900 for those of you
in the NANP) or long distance call-forwarding for toll fraud purposes.

A more interesting possibility is the use of the answering machine as an
"anonymous" messaging device.  Suppose that the outgoing message is modified
to dial a number, pause for an answer, and play a (voice) message?  Having
delivered its spiel, the machine will dutifully record a message from the
called party.  The answering machine can then be called in the "usual" manner
and the message retrieved and erased.  BTW, this *has* actually been tested,
and found to work as described.

ISDN (out-of-band signalling), anyone?  Perhaps we really need auditing and
intrusion detection systems for home appliances ...

Note: If you work for an RBOC, you aren't allowed to use this note as a sales
pitch for your CO-based voice-mail offerings.  Oh yeah, and if you're a
kidnapper, you can't use this to deliver your ransom note! ;-)

Tsutomu Shimomura        +1 619 534 5050
University of California at San Diego/San Diego Supercomputer Center, USA

ATM Scam (RISKS-14.60 to 74)

Gene Spafford <>
Fri, 20 Aug 93 16:04:10 -0500
In recent RISKS, there have been some details on the fake ATM being set up in
a shopping mall in New Haven.

Last week at the 5th FIRST Incident Response Workshop, an agent of
the Secret Service regaled the audience with some details of the case:

 * Several people were arrested
 * One has admitted everything and is cooperating with authorities
 * over 300 accounts at over 50 banks were hit by the counterfeit cards
 * over 100K in fraudulent charges were made with the captured cards

This was not an isolated incident, but the latest in a 12-year string of fraud
activity that may have netted over 12 million dollars.  Included in this past
history were computer-assisted forgeries of stocks, bonds, passports, military
IDs, and even law enforcement IDs.  On several occasions the people involved
used forged ID documents to carry guns on-board airplanes.

  [5th FIRST?  Perhaps they drank a 5th FIRST?  PGN]

High-speed password matching

Steve Stevenson <>
Wed, 18 Aug 93 10:12:33 -0400
cross-post request from comp.parallel
To: comp-parallel@uunet.UU.NET
Newsgroups: comp.risks
From: (J|rgen B. Madsen)
Subject: World record in password checking
Organization: UNI-C, Danish Computing Centre for Research and Education
Date: Wed, 18 Aug 1993 11:05:07 GMT
Summary: World record in password checking


Roch Bourbonnais, a Thinking Machines Corporation engineer, has ported
and optimized the CM/2 port of the UFC-crypt to a CM/5 system.

The UFC-crypt (Ultra Fast Crypt) implementation on the CM/2 Connection
Machine (parallel computer) is a UNIX password checking routine (crypt())
ported by Michael Glad at UNI-C.

The port, that is written in CM-fortran, utilizes the CM/5 vector units
and is partly programmed in cdpeac (vector unit assembly language).

The package achieves 1560 encryptions/second/vector unit. This scales to

    6,4 million encryptions per second on a large  1024 node machine.
    800,000          -       -     -    - - small   128  -      -

With this impressive performance, all combinations of 6 letters can be
tried in less than an hour and all combinations of 6 lower-case letters
can be tried in less than one minute.

Congratulations, Jorgen Bo Madsen

Jorgen Bo Madsen,  Security Consultant
UNI-C Lyngby,  Danish Computing Centre for Research and Education
DTH,  Building 305,  DK - 2800 Lyngby,
Phone  : +45-45-938355
Telefax: +45-45-930220
E-Mail :

Re: Crash of JAS 39 Gripen

Derrick Everett <>
Fri, 20 Aug 93 21:19:47 DFT
I was in Stockholm the day after the JAS crash and read some of the
local papers, which were mostly filled with speculation. The
investigative commission has just made public their preliminary
findings. I enclose a translation of a local newspaper report.

>From Aftenposten (Oslo) 19 August 1993:


  Too rapid deflection in the control system and quick joystick movements by
  the pilot were the causes of the JAS accident in Stockholm on 8 August.

  The Crash Investigative Commission into the JAS accident during the Water
  Festival, with ten thousand spectators around the crash location, presented
  their provisional report yesterday and have concluded that the technology
  and the pilot together caused the accident.

  'The JAS crash was caused by the control systems high amplification of
  joystick deflections in combination with the pilots large and rapid joystick
  movements. This caused margins of stability to be exceeded`, the report

  According to the Commission, 'the pilot flew below the minimum permitted
  altitude by an insignificant amount during the demonstration and exceeded by
  some amount the maximum permitted angle of attack.'  The aircraft had no
  technical faults at the time of the accident and the motor continued to
  function normally right until the plane hit the ground. Everything happened
  very quickly: from the pilot losing control of the plane to his ejection and
  parachute descent took only 6.2 seconds.

  The unthinkable consequences that would have followed if the JAS plane had
  crashed into the crowd have led to renewed and intense debate both in the
  political arena and among the Swedish public, about whether the JAS program
  should continue. It has so far cost 22 billion crowns [3.2 billion dollars].

  The Crash Investigative Commission asks the Air Force Chief of Staff to
  ensure that measures are taken to prevent any future occurrence similar to
  the JAS accident. When this has been done, the Commission expect there to be
  no reason for continued grounding of the JAS 39 Gripen, the report adds. But
  discussion continues about adding some inertia to the control system.

  The JAS project (JAS stands for search, attack, reconnaisance [jakt, angrep,
  spaning]) was announced in 1979 as the Swedish Defence Forces pride and an
  aircraft for the 1990s, even the leading edge of Swedish technological
  exports in military equipment. Both before and after the first aircraft left
  the production line this year, everybody from King Carl Gustaf through Prime
  Minister Carl Bildt to Defence Minister Anders Bjoerck done everything short
  of walking on their hands to get the plane sold to other countries. The
  Swedish establishment could hardly have received a more direct smack in the

  In aircraft jargon, what happened to the JAS plane on that fatal Sunday over
  Vaesterbron in the centre of Stockholm is called, 'Pilot Induced
  Oscillations (PIO)' - the pilots hand movements led to violent banking
  [actually, it looked more like pitching] of the plane. During the upswing,
  the nose of the aircraft came up too far, and so the pilot pushed the
  joystick forward to level the plane. At this, the nose came down but by more
  than the pilot had intended, because the control mechanism is so fine-tuned
  that even the smallest movement gives a large deflection. This has
  previously been the source of problems in the advanced JAS project. To stop
  the nose dropping too far, the pilot pulled back the joystick - at the same
  time as the computer [actually, a set of three processors] had given signals
  to lift the nose. The combined signals from the computer system and the
  joystick led to uncontrolled oscillation that became a vicious circle of
  signals and counter-signals until the aircraft was totally out of control.
  Because the plane was at a low altitude, there was no time to correct from
  the instability.

A few comments might be added from reading the Swedish newspapers. The
JAS 39 Gripen is deliberately unstable. There are no ailerons on the
main wings, but instead a pair of smaller wings located forward are
used to actively correct the attitude of the aircraft. These are under
the control of the three digital computers that presumably co-operate
by majority voting. This system has to respond to signals within 200
milliseconds in order to maintain stability. If the digital system is
disconnected, an analogue backup system ensures that the plane flies
level but it is not then possible to manouevre. Since the centre of
gravity lies behind the centre of lift, there is a tendency to lift
the nose when control is lost.

Derrick Everett, Life*CDM Project Manager.  CORENA A/S, Asker, Norway.

Risks of coming mass-communication capabilities

Thu, 12 Aug 93 02:47 EDT
After reviewing several of the recent RISKS forum entries (Clipper articles,
reports, etc.), I noticed that even these items quickly referenced the
upcoming explosions of technology and capability being promised to us by AT&T,
Time/Warner, MCI, and others.  Along with the general trends coming through
fruition of ISDN as well as these various cable and fiber based commercial
offerings, which have been well-documented in newspapers and the like, I have
been continually searching for a shred of evidence that ANYONE is pausing to
look at the security and public policy issues that such offerings are bound to
tax to the limit.

Through all the various channels, the RISKS forum included, it is clear that
there is tremendous risk involved in such implementations.  As our society is
introduced to such capabilities, we will surely become orders of magnitude
more dependent on information technology than we are today.  Yet, we are
light-years behind the capability curve in terms of protecting ourselves or
even pretending to know how.  Is anyone, commercially, governmentally, or
otherwise looking at these impacts and advising the providers of these
services on how to proceed

I'd be very interested to find out what sorts of steps anyone is taking, and
the rapidity with which they are taking them.  Please direct any such
information to Hiller@DOCKMASTER.NCSC.MIL .

Thanks!  Jim Hiller

Re: Computers Dialing 911 (Kabay, RISKS-14.93)

Tue, 17 Aug 93 20:06:53 EST
In RISKS-14.83, Mich Kabay noted a cordless phone accidentally dialing 911.

That reminded me of two incidents I'd like to share here.

The first one occurred several years ago. I was doing technical support for a
local software company. One of our users had a problem, and we were trying to
get her to upload the problem to our BBS, so we could attempt to solve it.
She was unfamiliar with telecomunication software, but had copied the
directory off of her machine at work. She set up the modem, and the software,
and entered the number to dial (1 519 ... ....). Nothing seemed to happen. She
tried again, several times. We were talking to her on a second phone line,
when there was a loud knock on her door. She answered it, and there were a
large number of police at the door! Apparently, the software had been
configured to use the PBX at work, and all number's were prefixed with a 9
(for an outside line), and a 1 (for long distance). She had dialed 911 5 or 6

The second incident occurred several weeks ago. A friend of mine runs a local
BBS, and has set up a Call-Back-Verifier, to assure that people give there
real phone number. Some one called in, and gave 911 as his number, hoping the
BBS would call it, and bring the cops in. Fortunately, my friend was watching
at the time, and has since added 911 to the list of forbidden numbers.


Good news from the front lines

Jeremy Grodberg <>
Thu, 19 Aug 1993 03:59:19 GMT
As we've heard over and over, our Social Security numbers are being used in
dangerous ways.  One particular example is that they are often used as
authenticators in telephone transactions with financial institutions.  In the
past, it has been difficult to impossible to convince these institutions to
use alternate authenticators, but I want to report that I have seen some

Two years ago I sent a nastygram to Citibank complaining about them using my
SSN to verify my identity in telephone transactions involving my credit card,
and was told, in essence, "we don't have any alternative."  Recently, I tried
again, and found that not only Citibank, but also Chase, AT&T, and Bank of
America will all accept alternate authenticators, at least in their credit
card operations, in the guise of "Mother's Maiden Name", which can be any
single pronounceable codeword.  This is progress.

As for how I went about establishing this new protection, there were varying
degrees of security.  Citibank took the codeword over the phone, with only my
SSN and account info as verification. BofA also took the new codeword over the
phone and only required a little more info than Citibank, but nothing that
wasn't on my monthly statement (if memory serves).  Chase required the change
in writing, required nothing but the account number in the letter, but did
mail me a notification that the codeword had been changed.  AT&T sent me a
form to fill out to authorize the new codeword, although I don't know if they
would have accepted a regular letter.

For those of you keeping score, IMHO AT&T in general, as in this particular
case, seems to have the best security.  At least the others are catching on.

Jeremy Grodberg

Gideon Kunda, Engineering Culture

Phil Agre <>
Thu, 19 Aug 1993 15:45:40 -0700
Risks readers may be interested in Gideon Kunda's book "Engineering Culture:
Control and Commitment in a High-Tech Corporation" (Temple University Press,
1992).  It's an ethnographic study of a "corporate culture" program at a real
but pseudonymous high-tech firm that Kunda calls "Tech".  Immense effort goes
into designing the symbolic aspects of work at Tech, including new-employee
orientations, the ritual aspects of meetings, slogans and posters, company
history, and so forth.  Kunda gives many examples of these things and has some
fascinating things to say about them, and particularly about the phenomenon of
"burnout" among Tech employees.

A longer review of Kunda's book is available in issue #4 of the CPSR journal
CPU, which can be obtained by ftp to in the directory /cpsr/work.
To subscribe, send a message to with a blank subject and a
single line in the body of the message:


Virus Catalog: new edition

Klaus Brunnstein <>
Fri, 20 Aug 1993 16:32:47 +0200
Computer Virus Catalog update July/August 1993

With it's July/August 1993 edition, Computer Virus Catalog describes more
forms of Malicious Code = MalCodes (including chain letters, time bombs,
trojan horses, viruses and worms) on multiple platforms (IBM and compatible
PCs, Macintosh, IBM-MVS/VM, UNIX, Amiga and Atari).

Presently, ***340 MalCodes*** have been classified active on 6 platforms:

          Amiga:       92 Viruses, 1 Trojan, 5 TimeBombs
          Atari:       20 Viruses
          Macintosh:   35 Viruses, 2 Trojans
          MSDOS:      172 Viruses, 6 Trojans, 3 Virus Generators
          MVS/VM:                  1 Chain Letter
          UNIX:         2 Viruses, 1 Worm

Entries for UNIX Internet Worm and IBM-VM CHRISTMA.EXEC are yet experimental
(in "old" CVC format 1.2). A generalized format (2.0) for the Computer MalCode
Catalog will be available, including descriptions of DEC-VMS worms (Father
Christmas, WANK and OILZ), with next edition (planned: December 1993).

New CVC entries are available in ASCII, and all entries are available
either via CVBASE.EXE (the electronic edition of CVC, for PCs) or as
compressed (PKZIPPED) files. See Virus Test Center's FTP site.

The July/August 1993 CVC edition describes the following MalCodes:
  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Macintosh: 3 new viruses:
                       INIT 17, INIT M = WDEF M,
                             MerryXmas Hypercard virus

IBM/compatible PCs: 26 new MalCodes:
       25 new viruses: (Goddam) Butterflies, Chinese_Fish=Fish Boot,
           Clone, Dec_Year=Last_Year(.604), Dudley, F-Word,
           Gnat (1.0), Horns, Invisible, Involuntary, Junior,
           Little Red, Loren, Mabuhay, Nguyen,
           No_Int=Stoned.No_Int.A (Stoned Strain), Peter, QRRY,
           Requires=Requires.981=Demise=Later, RMBD,
           Runtime=Runtime-err412, Su=Susan, Terminator II,
           Tonya, Warlock Virus.
       1 Virus Generator: PS-MPC G2 Virus Generator
       Update: Parity_Boot (A-C)=P-Check Virus (Parity_Boot Strain),
           14 Minimal viruses renamed Trivial viruses.

Amiga: 24 new MalCodes:
       19 viruses: AMIGA KNIGHT, CCCP,
           COMPUPHAGOZYTE 1 (CompuPhagozyte Strain), CRIME'92,
           SADDAM_BOOT, SCA.D&A_dropper=SCA Dos kill=D&A
           (SCA Virus Strain), TOMATES GENTECHNIC, TURK,
           and the following SADDAM Strain viruses:
           SADDAM (Hussein)=IRAK=DISK-Validator, SADDAM.ANIMAL,
           SADDAM.RISK, SADDAM.][ Virus
        1 Trojan dropper: TURK Color Dropper Trojan
        4 (Time) Bombs: EXCREMINATOR_1, STARLIGHT, TIMEBOMB_09,
           VIRUSTEST_BOMB_936 Bomb

UNIX: 1 new virus, 1 worm (experimental):
        1 virus: VMAGIC virus
        1 worm:  INTERNET worm

IBM-MVS/VM: 1 chain letter (experimental): CHRISTMA.EXEC (G1,G2)

The following files may be downloaded from our ftp site:
    INDEX.793          (36 kBytes): Overview of CVC entries
    AMIGAVIR.793       (92 kBytes): new Amiga viruses
    MACVIR.793         (18 kBytes): new Mac viruses
    MSDOSVIR.793       (84 kBytes): new MSDOS viruses (part 1)
    MSDOSVIR.893       (77 kBytes): new MSDOS viruses (part 2)
    MVSVIR.793          (8 kBytes): CHRISTMA.EXEC chain letter
    UNIXVIR.793        (11 kBytes): VMAGIC, INTERNET worm

The following files contain ALL entries published in the respective
domain (since July 1989) in compacted (PKZIPPED) form:

    AMIGAVIR.ZIP                    All Amiga viruses
    ATARIVIR.ZIP                    All Atari viruses
    MACVIR.ZIP                      All Mac viruses
    MSDOSVIR.ZIP                    All MSDOS viruses
    MVSVIR.ZIP                      (=MVSVIR.793 PKzipped)
    UNIXVIR.ZIP                     (=UNIXVIR.793 PKzipped)

Virus Test Center's FTP site:

          login anonymous;
          password: your-email-address;
          directory: pub/virus/texts/catalog

Any assistance and helpful critical remarks are appreciated.

Klaus Brunnstein, University of Hamburg, Faculty for Informatics
Virus Test Center, 18 Aug 1993 <>

InfoWar announcement

"Mich Kabay / JINBU Corp." <>
18 Aug 93 06:31:20 EDT
              INFOWARFARE '93: 1st NCSA Conference in Canada
           15 September 1993, Meridien Hotel, Montreal, Quebec

   ------------------------------FRENCH IN AM-----------------------------

08:45-09:15 Introduction, probleme de la securite des reseaux (NCSA,MK)
09:15-09:45 Les lecons du desastre World Trade Center
               (Samson Belair Deloitte Touche Ross)
09:45-10:30 Video et cafe
10:30-11:00 Desastres legaux
               (Bourse de Montreal)
11:00-11:15 Fraude a distance: teleraude et reseaux (MK)
11:15-12:00 Table ronde: Mesures contre la fraude telephonique

   -----------------------------ENGLISH IN PM-----------------------------

12:00-13:15 --lunch for all-day attendees-- [ROYAL BANK: ATM fraud]
12:30-13:15 Registration for PM only
13:15-14:30 Information Warfare (Winn Schwartau)
14:30-15:15 Panel discussion: IW today (DND, RCMP, MoJ, SG, HQ, GSC)
15:15-15:30 Coffee and videos
15:30-16:15 Panel: Convincing upper mgmt (ASM,ASIMM,AVIMM,ISSA,CAAST)
16:15-16:30 Closing remarks (NCSA)

  AM or PM only       $105
  Lunch only          $ 60
  All day incl lunch  $225
Members of the NCSA, ASM, ASIMM, AVIMM, ISSA: 10% discount
For more info: phone 514-931-6187; fax 514-931-0878; email 75300,3232.

Michel E. Kabay, Ph.D., Director of Education, National Computer Security Assn
Jinbu, P.O. Box 509 Westmount, Montreal, Quebec H3Z 2T6 CANADA (514) 931-6187

Please report problems with the web pages to the maintainer