Date: Fri, 30 Apr 93 12:59:41 EST
Errors-To: Comp-privacy Error Handler <comp-privacy-request@PICA.ARMY.MIL>
From: Computer Privacy Digest Moderator <comp-privacy@PICA.ARMY.MIL>
To: Comp-privacy@PICA.ARMY.MIL
Subject: Computer Privacy Digest V2#039
Computer Privacy Digest Fri, 30 Apr 93 Volume 2 : Issue: 039
Today's Topics: Moderator: Dennis G. Rears
Wiretaps without warrants
Encryption
SSNs and College Applications
* Report on privacy-protecting off-line cash available *
No FTP? You can still have PGP!
Re: SSN
I won one!
The Computer Privacy Digest is a forum for discussion on the
effect of technology on privacy. The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy
(Moderated). Submissions should be sent to
comp-privacy@pica.army.mil and administrative requests to
comp-privacy-request@pica.army.mil.
Back issues are available via anonymous ftp on ftp.pica.army.mil
[129.139.160.133].
----------------------------------------------------------------------
From: David Brierley <davidbri@lynx.dac.northeastern.edu>
Subject: Wiretaps without warrants
Organization: Division of Academic Computing, Northeastern University, Boston, MA. 02115 USA
Date: Wed, 28 Apr 1993 01:54:13 GMT
Sorry to get this out so late, but better late than never. It is
from the Boston Sunday Globe of April 11, 1993, page 16.
-------------------------
New England Votes in Congress
Roll Call Report Syndicate
WASHINGTON - This is how New England members of Congress were recorded
on major roll-call votes last week.
...
TO EXPAND FBI PHONE ACCESS:
By a vote of 367-6, the House sent the Senate a bill expanding the FBI's
power to obtain, without court warrants, telephone records and
conversations in investigations of international terrorism and
espionage. The bill grants the FBI access in such investigations to
information on unlisted numbers that phone companies cannot now divulge.
It also enables FBI counterintelligence agents to obtain a broader
range of telephone conversations involving suspected terrorists and
spies.
A yes vote was to pass the bill.
Connecticut: Voting yes: Kennelly, Gejdenson, Shays, Franks, Johnson.
Not voting: DeLauro.
Maine: Voting yes: Andrews, Snowe.
Massachusetts: Voting yes: Neal, Blute, Frank, Meehan, Torkildsen,
Markey, Kennedy, Moakley, Studds. Not voting: Olver.
New Hampshire: Voting yes: Swett. Not voting: Zeliff.
Rhode Island: Voting yes: Machtley, Reed.
Vermont: Not voting: Sanders.
...
------------------------------
From: thomas ciccateri <tciccate@carina.unm.edu>
Subject: Encryption
Date: Wed, 28 Apr 93 0:32:50 MDT
The proposed Clipper Chip scheme seems to rely on a degree of public
trust in the government to maintain the confidentiality of encryption
keys unless a court order allows access. A recent story in the
Albuquerque Journal (April 25) shows that such trust may be misplaced.
A worker at a government facility (Sandia Labs) alledges that he was
discharged for not engaging in illegal acts for his employer and his
employer's customer (NSA). The worker resisted direct orders to copy
comercial embedded software, reverse engineer electronic locks, and
develop computerized lockpicks for industrial espionage. The worker
said he was told on the one hand that he would lose his clearance if
he engaged in any illegal activities and on the other he would lose
his clearance if he refused to accept any work assignment. Guess
what, he lost his clearance. The Department of Energy has sealed
all court records for National Security Reasons.
Does this sound like the kind of government which deserves our
trust regarding privacy ?
------------------------------
Date: Wed, 28 Apr 1993 7:36:26 -0400 (EDT)
From: "Dave Niebuhr, BNL CCD, 516-282-3093" <NIEBUHR@bnlcl6.bnl.gov>
Subject: SSNs and College Applications
I've filled out quite a few college loan applications for my kids
and in each case the SSN was required since the Privacy Act statement
is given.
Each of them (Pell, NYHESC (NY Higher Education Service something),
NY Tuition Assistance Program, Parent Plus) contained this and all
are tied to some federal law (I forget which) required that they do
this.
My feeling is that if I want their money, they have a right to know
as much financially about me as possible.
Dave
Dave Niebuhr Internet: niebuhr@bnl.gov / Bitnet: niebuhr@bnl
Brookhaven National Laboratory Upton, LI, NY 11973 (516)-282-3093
Senior Technical Specialist: Scientific Computer Facility
------------------------------
From: Stefan Brands <Stefan.Brands@cwi.nl>
Subject: * Report on privacy-protecting off-line cash available *
Date: 28 Apr 93 09:45:27 GMT
Followup-To: sci.crypt
Organization: CWI, Amsterdam
PRIVACY-PROTECTING OFF-LINE ELECTRONIC CASH SYSTEMS
___________________________________________________
I recently published a new privacy-protecting (!) off-line electronic
cash system as a technical report at CWI. Being a PhD-student at David
Chaum's cryptography-group, our group has a long history in research
in the field of privacy-protecting cash systems.
The electronic version of the report is called CS-R9323.ps.Z, contains
77 pages, and can be retrieved from
ftp.cwi.nl (192.16.184.180)
from the directory pub/CWIreports/AA.
The postscript-file is suitable for 300dpi laserprinters.
====================================================================
TITLE : An Efficient Off-line Electronic Cash System Based On The
Representation Problem
ABSTRACT: (from coverpage): We present a new off-line electronic cash
system based on a problem, called the representation problem, of which
little use has been made in literature thus far. Our system is the
first to be based entirely on discrete logarithms; the security is
unrelated to RSA. Using the representation problem as a basic concept,
some techniques are introduced that enable the construction of
protocols for withdrawal and payment that do not use the cut and
choose methodology of earlier systems. As a consequence, our cash
system is much more efficient in both computation and communication
complexity than any privacy-protecting off-line cash system proposed
before.
An important aspect of our system concerns its provability. Contrary
to previously proposed systems, its correctness can be mathematically
proven to a very great extent. Specifically, if we make one plausible
assumption concerning a single hash-function, the ability to break the
system seems to imply that one can break the Diffie-Hellman problem.
Honest users of the system are guaranteed to be
information-theoretically untraceable, i.e., they remain completely
anonymous in the sense that not even a cooperation of the bank(s) with
all shops can find out which user paid in what shop.
Our system offers a number of extensions that are hard to achieve in
previously known systems. All these extensions can be achieved very
efficiently. Perhaps the most interesting of these is that the entire
off-line cash system (including all the extensions) can be
incorporated in a setting based on so-called wallets with observers (a
user-module with embedded within it a tamperresistant module), which
has the important advantage that double-spending can be prevented (!),
rather than detecting the identity of a double-spender after the fact.
In particular, it can be incorporated even under the most stringent
requirements conceivable about the privacy of the user, which seems to
be impossible to do with previously proposed systems. Another benefit
of our system is that framing attempts by a bank have negligible
probability of success (independent of computing power) by a simple
mechanism from within the system, which is something that previous
solutions lack entirely. Furthermore, the basic cash system can be
extended to checks, multi-show cash and divisibility, while retaining
its computational efficiency.
====================================================================
Cryptographers are challenged to try to break this system!
I made a particular effort to keep the report as self-contained as
possible. Nevertheless, if you have any questions, please e-mail to
me and I will try to reply as good as I can. Any comments are also
welcome!
Stefan Brands,
--------------------------------------------------------
CWI, Kruislaan 413, 1098 SJ Amsterdam, The Netherlands
Tel: +31 20 5924103, e-mail: brands@cwi.nl
------------------------------
From: Stanton McCandlish <anton@hydra.unm.edu>
Subject: No FTP? You can still have PGP!
Date: 28 Apr 1993 19:16:01 -0500
Organization: UTexas Mail-to-News Gateway
*************************************************************************
DEFEAT THE BIG BROTHER PROPOSAL! JUST SAY F!CK NO TO THE PRIVACY CLIPPER!
*************************************************************************
************************************************************
The security of PGP encryption for those without FTP access!
************************************************************
This is not an ad, but a public service announcement. NitV-BBS is FREE.
This info (and my system!) has been updated to make it easier for you to
obtain Pretty Good Privacy (PGP): Secure RSA pubkey encrytion for all!
Due to the overwhelming response, I have sought out as many ports as
possible. After a week of exhaustive FPT/Archie searches it appears to
me that NitV-BBS is the world's singlemost comprehensive PGP site, with
executables and/or source code for the following platforms:
Platform exec source patch extras
MS-DOS (PC-DOS, etc.) X X X
Macintosh X X
Archimedes X ?
OS/2 X X
Amiga X X
Unix X X
NeXT X
In one case I do not have the means to open the archive to see if
it comes with the source code, thus "?".
WARNING: My DallasFax 14.4k v32bis modem does not always cooperate too
well with USR/Miracom Dual Standards.
BY MODEM TO BBS:
Call NitV-BBS (see .sig at end of message for details)
Here you will find:
File area file name description
LOGIN PGP22.ZIP DOS version of PGP
LOGIN PGPSHEL1.ZIP menu/shell for PGP (DOS only)
NONIBM PGP22B-A.LHA PGP for Amiga (w/source)
NONIBM ARCPGP22 PGP for Archimedes (format unknown; w/src??)
NONIBM MACPGP22.CPT PGP for Mac (.cpt archive)
NONIBM PGP22.TAZ PGP for Unix (compressed .tar; w/source)
WIN PGP22OS2.ZIP PGP for OS/2 (w/source patch)
LOGIN PGP22SRC.ZIP PGP source code & utils for DOS
NONIBM MPGP22SC.S_H PGP source code for Mac (BinHex .hqx encode
of a .sea self-extracting archive)
MONIBM MPGP22SC.SIG PGP signature for validation of Mac source
NONIBM NXTPGP22.ASC PGP source code diff (patch) for NeXT. ASCII
A quick <T>ext search for "pgp" will yield the files for flagging quickly.
Note: original name of Mac version is: MacPGP_2.2.cpt
original name of Unix version is: pgp22.tar.Z
original name of Mac source is: MacPGP2.2src.sea.hqx
original name of Mac signature is: MacPGP2.2src.SIGNATURE
NeXT patch is a concatenation of: PGP.random.c.diff and
PGP.random.c.diff.README
These names were changed because of the 12 char limit of MesSDOS filenames.
All files are direct from these FTP sites: nic.funet.fi, sony.com,
garbo.uwasa.fi, and ftp.uni-erlangen.de. They are NOT uploaded by BBS users,
nor gotten from other BBSs. You can rest assured that they are "clean"
(the superparanoid^H^H^H^H^H^H^H^Hcautious may wish to obtain additional
copies and compare them for further validation.)
You may login anonymously as ANONYMOUS, password GUEST. If you want the
whole lot you won't have time, as that acct. is limited. In that case,
login normally, but if you never intend to call again, please be
courteous, and leave a <C>omment to sysop to delete your account.
Disk space is limited!
All user accounts are free. There is no charge (other than your phone
expenses of course) for obtaining PGP from NitV-BBS.
BY FIDO-PROTOCOL FREQ
Anyone in FidoNet or any other FTN/FTSC network (such as RBBSNet, etc.),
or anyone with a working Fido-type mailer, can get PGP from the same
source, via File REQuest, as long as they can send mail to Fido address
1:301/2 (you will need a Fido nodelist to pull that off). You do not have
to be nodelisted to do this. You can even be a point system. Just send
a DIRECT not routed netmail To: Sysop, NitV (1:301/2)
From: <your info here>
Re: <filename>,<filename>,<etc>
St: Crash, Direct, FilReq, <etc>
<filename> can be a full file name, or a "magic name". Status is not that
important, as long as the message is set for at least these 2: Direct and
FilReq.
You can use the following magic names (which will still hold for future
releases of PGP):
Magic Name files description
PGPDOS PGP22.ZIP, PGPSHEL1.ZIP DOS PGP and menu/shell
PGPAMI PGP22B-A.LHA Amiga PGP & source
PGPARC ARCPGP22 Archimedes PGP
PGPMAC MACPGP22.C_H Mac PGP
PGPNXT NXTPGP22.ASC NeXT PGP source code diff
(requires a full src package)
PGPOS2 PGP22O2.ZIP OS/2 PGP & patch
PGPUNX PGP22TAR.Z Unix PGP & source
PGPSDOS PGP22SRC.ZIP PGP source & utils (DOS fmt.)
PGPSMAC MPGP22SC.S_H, MPGP22SC.SIG PGP source & sig (Mac fmt.)
---------------------------------------------------------------------------
Please upload, file-attach via netmail, uuencode and email, or just tell me
where to find, any interesting utils, FAQs, etc for PGP that you come across,
so that I can make them available to the needy but FTPless hordes.
Please do NOT further distribute this copy of PGP, especially to BBSs. Part
of the Good Thing about getting it from NitV is that you know it came right
from one of the original FTP sites for it, not from some cheezy BBS via the
hands of 27 other people and systems, any of which might harbour a baddie.
This is not to say that BBSs are bad (hell, I run one!) but rather that too
much is left to chance (and ill-will!) in it's distribution methods. PGP is
a security program, and needs to be guaranteed to be secure. Thank you.
This offer, due to IDIOTIC export restrictions, must of course be limited to
the USA. <snort>
Authors are stongly encouraged to upload, mail, etc. their ports of PGP,
their PGP utilities, etc. directly to me or the system listed below so that
non-FTP-using PGP afficionados can be certain that they are getting a "pris-
tine" copy. Thanks!
----------------------------------------------------------------------------
Distribute ENTIRE contents of this message freely.
----------------------------------------------------------------------------
--
Testes saxi solidi! ********************** Podex opacus gravedinosus est!
Stanton McCandlish, SysOp: Noise in the Void Data Center BBS
IndraNet: 369:1/1 FidoNet: 1:301/2 Internet: anton@hydra.unm.edu
Snail: 8020 Central SE #405, Albuquerque, New Mexico 87108 USA
Data phone: +1-505-246-8515 (24hr, 1200-14400 v32bis, N-8-1)
Vox phone: +1-505-247-3402 (bps rate varies, depends on if you woke me up...:)
------------------------------
From: Charles Mattair <mattair@synercom.hounix.org>
Subject: Re: SSN
Organization: Synercom Technology, Inc., Houston, TX
Date: Wed, 28 Apr 1993 20:32:11 GMT
In article <comp-privacy2.38.5@pica.army.mil> Mitch Collinsworth <mkc@graphics.cornell.edu> writes:
>
>Implementation of juror solicitations is, I assume, left up to the
>various courts. In my county, they use drivers licenses, voter
>registrations, and one other database, which I can't recall at the
>moment.
>
Texas has just started using DLs instead of voter registration rolls (there
was a perception many people were not registering to avoid jury duty :-( ).
The result has been, shall we say, a very mixed success. On the positive
side, the pool of potential jurors is definitely up. Other positives
include - actually, the courts and the DA say that's it. Negatives are:
much higher rate of no-shows; lower average level of educational attainment;
lower socio-economic status (that is, much higher percentage of un/under
employeed); much higher percentage of undocumented workers and non-English
speakers; jurors who serve but really don't participate in the process; in
general, a lower quality juror pool.
There probably are areas where a system like this could work. The courts
here have been underwhelmed by the result.
--
Charles Mattair (work) mattair@synercom.hounix.org
<standard.disclaimer> (home) cgm@elmat.synercom.hounix.org
In a mature society, "civil servant" is semantically equivalent to
"civil master." - Robert Heinlein, _The Notebooks of Lazarus Long_
------------------------------
Date: Thu, 29 Apr 93 00:08:23 GMT
From: Bear Giles <bear@eagle.fsl.noaa.gov>
Subject: I won one!
I just opened a new checking and savings account (since my former bank
forgot who hired whom) and several interesting things happened:
The bad news:
1. The _very_ first thing the rep did was call a telephone number to
"verify" my SSN. Said verification was nothing more than verifying
that SSN had actually been assigned to a person (I don't recall if
she read my name or not), but a completely bogus SSN will _not_ work.
(I hadn't been paying attention because I thought she was verifying
my driver's license).
2. I asked about this and she said the bank _requires_ SSNs for any
account. If I went in with $1000 in cash and tried to open a
savings account, agreeing that 33% of all interest will be paid
to the IRS (and 5% to Colorado) to cover any possible income tax,
_they would refuse my business_.
The good news:
3. After providing my legal name, I asked if the records could be marked
a/k/a for my use-name. After a bit of hemming and hawing (since I
don't have court documents to force them to do this) they agreed to
accept both names _and_ to print my use-name on the checks. My previous
bank insisted on court papers, but it was an existing account when
I inquired.
4. When I handed over my standard "a condition of me doing business with
you is _no_ _mailing_ _lists_" letter she said that the Bank did not
release the names of its customers, but she would accept it in case
the policy changed in the future.
I had also been told (when investigating banks) that I would be asked for
a 4-digit identifying number -- they don't use readily available information
like SSNs for checkcodes. I wasn't asked today, but this may be because
this rep had recently started.
In many ways, the bank's willingness to accept something other than my
legal name for the account (both signature and check) is more important
than the hassles over the SSN. I can see how the _bank_ will want
information to find me if I do fraudulent misdeeds (e.g., writing lots of
bad checks), but they shouldn't care if I arrange it so I can use the
name "John Doe" on my checks.
--
Bear Giles
bear@fsl.noaa.gov
------------------------------
End of Computer Privacy Digest V2 #039
******************************