Date:       Tue, 01 Jun 93 16:42:32 EST
Errors-To:  Comp-privacy Error Handler <comp-privacy-request@PICA.ARMY.MIL>
From:       Computer Privacy Digest Moderator  <comp-privacy@PICA.ARMY.MIL>
To:         Comp-privacy@PICA.ARMY.MIL
Subject:    Computer Privacy Digest V2#047

Computer Privacy Digest Tue, 01 Jun 93              Volume 2 : Issue: 047

Today's Topics:				Moderator: Dennis G. Rears

                Re: Calif requires ID?
                        CPSR Seeks Clipper Docs
                                  SS#s
                             Re: P.O. Boxes
                           Retaliatory Crimes

   The Computer Privacy Digest is a forum for discussion on the
  effect of technology on privacy.  The digest is moderated and
  gatewayed into the USENET newsgroup comp.society.privacy
  (Moderated).  Submissions should be sent to
  comp-privacy@pica.army.mil and administrative requests to
  comp-privacy-request@pica.army.mil.
   Back issues are available via anonymous ftp on ftp.pica.army.mil
  [129.139.160.133].
----------------------------------------------------------------------

Date: Fri, 28 May 1993 12:50:07 -0400 (EDT)
From: "Tansin A. Darcos & Company" <0005066432@mcimail.com>
Subject: Re: Calif requires ID?                 

From: Paul Robinson <TDARCOS@MCIMAIL.COM>
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA
 -----
bjones@weber.ucsd.edu (Bruce Jones) wrote to Comp Privacy:

> A couple of nights ago on the local TV news I heard 
> that California now requires that all adults carry 
> identification at all times.
> 
> Can anyone offer any pointers to more information on 
> this subject?
> 
> Bruce Jones - bjones@ucsd.edu
> 
>         [ I have never heard of such a requirement here in 
>           California! If anyone knows otherwise on this topic, 
>           we'd like to hear about it! -- MODERATOR ]

[Moderator's Note:  That wasn't my comment.  I don't live in California.
I wish I did though :-) ._dennis ]

I used to live there and I know what the actual story is, and
what may have been misunderstood.

In the following article I have to make specific identification of
someone by race for the purposes of explaining what happened; it is
not meant to convey the gentleman was doing anything wrong.

It was reported that there was this young, black man, who liked to walk
around a lot, because he liked to get the fresh air and exercise.

In an unrelated book called "Going Public," by David Westheimer, this
young man stumbled upon a basic problem in certain areas.  He was noticed
by local persons and by police in areas where "loitering or appearance by
persons of his particular pigmentation are strongly discouraged."

In several cases he was stopped by police and asked his reasons for being
in a specific area, and asked to show identification.  Since he had done
nothing wrong, he refused to do so and in at least one instance he was
arrested.

California has a law on the books requiring anyone who is stopped by
police to show identification upon request; this essentially is the law he
was charged with violating.  (This is separate and different from the one
requiring the operator of a motor vehicle to carry his or her license on
their person at all times while operating a motor vehicle and to show it
when involved in an accident or stopped by a police officer). 

I think he was convicted or he fought the law in court, but it was
reported on some tabloid talk show a few years ago: the California Supreme
Court struck down the law as unconstitutional because it violated the
right to privacy.

About two years ago when I moved to DC I wanted to get a copy of the
Vehicle Code.  In California, the DMV sells copies for $3.50; it's a
slightly large paperback and is about 500 pages.  In DC, the Department of
Public Works (the agency that issues Drivers Licenses) does not sell
copies of the Municipal Regulations: those are sold over at the District
Building on the other side of town at 13 1/2th Street.  (I kid you
not about the number of the street; the building is six blocks from the
White House at 1350 Pennsylvania Ave., N.W., at the corner of Penn. and 13
1/2 St.)

The municipal regulations confirm what I later saw on the back of a copy
of an ID card issued by the Bureau of Public Works.  The regulations state
very clearly that the obtaining of an ID card is a voluntary measure for
the convenience of the person who obtains it and no person is required to
be carrying identification or to obtain an identification card.

 -----
Paul Robinson -- TDARCOS@MCIMAIL.COM



------------------------------

Organization: CPSR Civil Liberties and Computing Project
From: Dave Banisar <banisar@washofc.cpsr.org>
Date: Fri, 28 May 1993 14:30:44 EST    
Subject: CPSR Seeks Clipper Docs 

  CPSR Seeks Clipper Docs


PRESS RELEASE May 28, 1993

CPSR Seeks Clipper Documents - Brings Suit Against NSA and National
Security Council

	Washington, DC -- Computer Professionals for Social
Responsibility filed suit today in federal district court seeking
information about the government's controversial new cryptography
proposal.

	The "Clipper" proposal, announced by the White House at an
April 16 press conference, is based on a technology developed by the
National Security Agency that would allow the government to intercept
computer encoded information.  Law enforcement agencies say that
this capability is necessary to protect court ordered wire
surveillance.

   But industry groups and civil liberties organizations have raised
questions about the proposal.  They cite the risk of abuse, the
potential loss in security and privacy, costs to US firms and
consumers, and the difficulties enforcing the policy.

	Marc Rotenberg, CPSR Washington office director, said "The
Clipper plan was developed behind a veil of secrecy.  It is not enough
for the White House to hold a few press conferences.  We need to know
why the standard was developed, what alternatives were considered, and
what the impact will be on privacy."

	"As the proposal currently stands, Clipper looks a lot like
'desktop surveillance,'" added Rotenberg.

	David Sobel, CPSR Legal Counsel, said "CPSR is continuing its
oversight of federal cryptography policy.  These decisions are too
important to be made in secret, without public review by all interested
parties."

	In previous FOIA suits, CPSR obtained records from the General
Services Administration questioning the FBI's digital telephony plan, a
legislative proposal to require that communications companies design
wiretap capability.  More recently, CPSR obtained records through the
FOIA revealing the involvement of the National Security Agency in the
development of  unclassified technical standards in violation of
federal law.

	CPSR is a national membership organization, based in Palo Alto,
CA.  Membership is open to the public.  For more information about
CPSR, contact CPSR, P.O. Box 717, Palo Alto, CA 9403, 415/322-3778
(tel), 415/322-3798 (fax), cpsr@cpsr.org



------------------------------

From: pbray@reed.edu
Subject: SS#s
Date: 29 May 1993 04:10:19 GMT
Organization: Reed College,  Portland, Oregon



Every so often, this group (and others like it) gets a couple of  
posts about people refusing to give out their Social Security #s.   
And while the SS# FAQ does a good job of explaining how to avoid  
handing out your SS# (I have successfully followed its advice several  
times), it does not sufficiently explain *why* one should do this.   
Indeed, apparently information can be accessed with this number.   
What kind of information?

Likewise, would a Mom&Pop business abuse this SS#?  I doubt it; what  
would their motivation be?  Even if they were to abuse it, how would  
they do so?  That is, is there a 1-800 number they can phone that  
says "You have the SS# of someone who lives at somewhere.  He likes  
something.  He is someage and plays somegame etc."?  

What type of information is available with a SS#?  Is it only  
"credit" type information?  Is the warning to avoid handing out the  
SS# around merely because it is assumed that sometime in the future  
the SS# will access more information than it currently does?  Is the  
advice a precautionary measure?  Or is there something that truly  
needs protecting which can otherwise hurt me right now?

Peter

--
"Peter Bray seems to be as aptly named as any Dickens character..."
 - Someone on alt.atheism



------------------------------

From: David Lesher <wb8foz@skybridge.scl.cwru.edu>
Subject: Re: P.O. Boxes
Date: 29 May 1993 05:21:09 GMT
Organization: NRK Clinic for habitual NetNews abusers - Beltway Annex

Others said:
# You need not get an actual P(ost) O(ffice) Box.  Virtually all major
# cities have "Mail Services".  These services provide a PO style box, have
# a regular street address, with your box number added.  Frequently people
# will call these Suites or Apt's.  For example 

# My cost for a small box is
# about $15.00/mo.
# 
Ouch.
Now we know why.....

My real POB costs me $30 per YEAR.......


--
A host is a host from coast to coast..wb8foz@skybridge.scl.cwru.edu
& no one will talk to a host that's close............(301) 56-LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433

------------------------------

Date: Tue, 1 Jun 1993 00:48:56 -0400 (EDT)
From: "Tansin A. Darcos & Company" <0005066432@mcimail.com>
Subject: Retaliatory Crimes
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA 


The Moderator of Telecom Digest, Pat Townson <telecom@delta.eecs.nwu.edu> 
wrote on that mailing list (also known as the Usenet news group
comp.dcom.telecom), some responses about some person or organization
whose fax machine was seeking out fax numbers of other people by
essentially trying every number in the Indianapolis area.  He then
discusses a response to a similar action: a cracker who, after
'trolling' for numbers to try, then using numbers that give what he
wants, breaking into some company's system, presumably their computer
system, their PBX, or both and a response by whoever the victim was.
Feel free to edit this message to fit.  I wanted to talk about the
ethics (morality) of retaliatory responses in kind or the possibility
of such actions being possible.

For the IBM-PC lists, consider if someone could do this to you, i.e. call
into your desktop computer and trash it.  For the mainframe, ethics and
objectivism lists I've sent this to, what is your opinion of the ethics of
retaliatory responses, e.g. you break into my computer system, I break
into yours and erase your files?  For the readers of Telecom Digest I
wonder what your opinions are:
---

Original Title: Re: Autodialer Plaguing Indianapolis

PT> [Moderator's Note:
 
[material relating to suggested responses to use on a 'trolling fax
machine' deleted]

PT> The security department in one large corporation *is* responding 
PT> in a similar way to hackerphreaks they catch on their site: If 
PT> they capture the calling number, they wait a few days and call 
PT> back.
 
[Item indicating caller then is able to access the called-party's machine
directly and run a formatting program to damage their computer. The actual
text appears below in another comment.]
 
This assumes the called-party has a program running that would allow
access to his computer's DOS from the telephone. I have seen 
reports about at least two programs that are used to hack phone 
numbers for making unauthorized calls.  They are, in both of the 
cases I've seen, outbound dialing programs, and do not accept 
incoming calls.

For some outside party to get access to my computer, the program that
provides access would have to accept commands to be submitted to DOS, or
allow me to shell to DOS. Just because a computer answers doesn't mean you
can even get a response, let alone run a program or access the DOS prompt. 
The modem answers the phone. The computer can simply wait for an
appropriate request string and if it doesn't get it, ignore further
messages or even disconnect the call. 

One of the reports I read in Phrack [an on-line magazine devoted to
cracking computers and telephone systems] stated that in one case, a BBS
that people posted hacking material on answered the phone and left silence
waiting for the CALLER to switch to answer mode.  In some cases they might
use a WATSON [a combined modem, touch-tone decoder and voice-mail box that
allows the called computer to receive touch-tone responses] or similar
device to require the caller to enter a touch-tone sequence.  In short,
some of these intruders have better incoming call security on THEIR
online systems than the commercial sites they broke into! 

[This was Pat Townson's remarks about retaliation by companies that had
been hit by crackers; 'they' probably refers to the corporate security
people:] 

PT> If a computer answers, they proceed to format the hard 
PT> drive, and leave  a single line textfile message saying "You 
PT> have been visited by  someone who knows a lot more about 
PT> hacking than you will ever know!" ... self-help! .... don't 
PT> get mad; get even.  PAT]
 
Assuming this is true or that it happened, this is not a good idea.
 
While the person in question (who was called back) is doing something
wrong, the executives and security people who run their system risk that
the person in question can turn around and file charges against them for
the same thing.  Further, since this is being done by the security
department of a corporate entity, there is the possibility of the
defendant (who might be looking at a trial anyway) whose lawyer will then
file civil AND criminal charges of Conspiracy and Racketeering! 

There is also the doctrine of 'unclean hands'.  It's going to be hard for
them to claim damages against the cracker or criminal activity on his part
when they are doing worse; (especially if what the incoming caller did
essentially amounted to stealing computer time or phone service.  In his
case, it constitutes mere 'embezzlement', 'unauthorized access' or 'toll
fraud'.  In their case, it's 'malicious destruction of a computer system'.)

If someone runs unauthorized charges on my credit cards, let's say I'm
stuck for the $50 fraud maximum on all of them, this will not give me
permission to set fire to their car, forge documents and raid their bank
account, or steal their property to make up the difference, or to break
into their house and paint the inside walls black.  (I've been told that
one of the worst things that can be done to someone's property is to
paint their inside walls black.)

Also, using retaliatory activity against someone who is alleged to commit
a criminal act may *fatally damage* an attempt to prosecute them.  Because
if the plaintiff is doing the same thing, i.e. invading the defendant's
computer system, this could be used to show that this is common practice,
i.e. that the defendant didn't do anything wrong since *trained
professionals* are doing the same thing, or worse. 

In short, unless and until a company is willing to declare the law to be
nonexistent, e.g. that the government has essentially ceased to function
or has become morally bankrupt, using self help is not a good idea.  If
you don't intend to prosecute and don't think the so-called 'victim' will,
then you might get away with it.  On the other hand, if it got out that
the professional computer security people of a major company were involved
in *intentional criminal activity*, the resulting bad publicity might be
much worse.  Honest professionals are not supposed to engage in
'tit-for-tat' tantrums, or 'steal from me, I burn down your house' mafia
style activity. 

 -----
Paul Robinson -- TDARCOS@MCIMAIL.COM




------------------------------


End of Computer Privacy Digest V2 #047
******************************