Date:       Thu, 12 Aug 93 16:43:10 EST
Errors-To:  Comp-privacy Error Handler <comp-privacy-request@PICA.ARMY.MIL>
From:       Computer Privacy Digest Moderator  <comp-privacy@PICA.ARMY.MIL>
To:         Comp-privacy@PICA.ARMY.MIL
Subject:    Computer Privacy Digest V3#013

Computer Privacy Digest Thu, 12 Aug 93              Volume 3 : Issue: 013

Today's Topics:				Moderator: Dennis G. Rears

                  Re: Cell Phone Fraud and New Systems
    Re: Digital Cellular - was Re: First Person broadcast on privacy
                 Call for Papers IFIP SEC'94 Caribbean
                    Re: Returned mail: Host unknown
                   Re: Computer Privacy Digest V3#012
                           Encryption policy.
                   Unrequested Remote Call Forwarding

   The Computer Privacy Digest is a forum for discussion on the
  effect of technology on privacy.  The digest is moderated and
  gatewayed into the USENET newsgroup comp.society.privacy
  (Moderated).  Submissions should be sent to
  comp-privacy@pica.army.mil and administrative requests to
  comp-privacy-request@pica.army.mil.
   Back issues are available via anonymous ftp on ftp.pica.army.mil
  [129.139.160.133].
----------------------------------------------------------------------

Date: Thu, 12 Aug 1993 11:31:47 -0400 (EDT)
From: "Tansin A. Darcos & Company" <0005066432@mcimail.com>
Reply-To: "Tansin A. Darcos & Company" <0005066432@mcimail.com>
Subject: Re: Cell Phone Fraud and New Systems

Jon Allen <jrallen@devildog.att.com> writes in Telecom Digest:

> I just got home ... see a story on new types of cell phone fraud. 
> thieves are using an ESN reader to read the ESNs and phone 
> numbers ... off the air and then program them into their own 
> phones to rip people off.


Patrick Townson <Telecom@delta.eecs.nwu.edu> wrote:

> [Moderator's Note: Yep, ESN 'readers' are the latest thing in 
> vogue for phreaks. It lets them hit up the cellular carriers for 
> a few million per year with stolen ESN's which are sold to other 
> unsavory types.  PAT]


There was an article printed in a magazine once on the subject of 
Cellular Fraud and the fact that there is no encryption in the system.  
The article was authorized for reproduction over BBSs and networks which
is how I downloaded a copy once.  The article mentioned that swapping ESN
and MIN codes (also a serial number field) is supposed to be prohibited by
the standards for cellular and doing so is supposed to disable the unit,
but because the manufacturers use standard EPROM chips, it is quite easy
to do and is common for field replacement of a unit.  One item mentioned
in the article stated that in exchange for one gram of cocaine, a cellular
installer in Washington, DC put the same serial number on someone else's
phone. 

In my Not So humble opinion I would suspect that cellular thieves are
found in three flavors: those that want to make calls without paying for
them; those who wouldn't mind paying for calls but want to have
deniability that the calls came from them (like someone selling items the
government wants to prohibit ownership of, such as certain drugs for which
the pharmaceutical industry can't force people to pay high prices,
cellular radio receivers or non-interceptable encryption software), and
those that are reselling someone else's access code (to assist those in
classes 1 and 2, of course).

The article also stated that the next step for cellular thieves is the
"Rolls-Royce" of theft enhancement devices: the "Cellular Cache Box" a 
device that acts exactly the way the "one-time pad" does in cryptography:
you use an encryption key once and throw the key away.  Well, the Cellular
Cache Box works the same way: it listens on cellular channels for the
codes being sent by a cellular phone: when you go to make a call, the
Cache Box generates one of the ESNs that it has just heard, then never
uses it again.  The fraud is then spread over hundreds or thousands of
users instead of one or two easily detected instances, and may be much
harder to detect.  (Would you be able to tell if someone had stolen
10 minutes of airtime use and stuck it on your bill?  If you routinely 
use a lot of airtime, you might never notice.  And if you do, how do you
prove that the call wasn't yours?)

Here's the kicker:  The article came out at least 5 years ago! I remember
reading it in California before I moved out to the DC area and I've been
living here for four years.  So for at least 5 years the issue has been
well known enough to make the general media yet nothing has been done
about it.  If the Cellular Cache-Box is just now becoming noticed, either
crooks are less smart than I would expect or the problem has more-or-less
stayed hidden but now the cellular companies are so upset by the amounts
of fraud that they are now publicising it.  

Since I have been proven wrong on my thought that it was not possible, 
it is the answer and it is what we need to do:  we need Kerberos
Authentication for Cellular Telephones.  Anyone in the MIT Athena group
care to figure out how to design it?  :)


Paul Robinson - TDARCOS@MCIMAIL.COM
 -----
The following Automatic Fortune Cookie was selected only for this message:

Button: Couch potatoes have brain tubers
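As an added illustration of the authentication point raised in the post above (this is example code written for this digest page, not code from the contributor or from any cellular standard), the following Python sketch contrasts a handset that identifies itself with a static ESN sent in the clear against one that answers a per-call random challenge with a keyed MAC. The handset ids, the shared secret, the message layout and the `Carrier` class are all constructed assumptions; the real "Kerberos for cellular" question of how the handset and carrier come to share a key in the first place is not addressed here.

```python
"""Added example (not from the digest): a static ESN is a reusable credential,
a challenge-response handshake is not.

Everything below (ids, secrets, message formats) is constructed for
illustration and does not describe any real cellular air interface.
"""
import hashlib
import hmac
import secrets

# Constructed carrier database: handset id -> long-term secret known only to
# the handset and the carrier.  In the legacy scheme there is no such secret;
# the ESN itself is the whole credential.
CARRIER_DB = {
    "ESN-0001": b"constructed-secret-for-ESN-0001",
}


def static_auth_message(esn: str) -> dict:
    """Legacy scheme: the handset sends its ESN in the clear on every call.
    Whatever is observed on the channel is a complete, reusable credential."""
    return {"esn": esn}


def static_auth_verify(msg: dict) -> bool:
    """Legacy carrier check: the ESN merely has to be a known one."""
    return msg["esn"] in CARRIER_DB


def challenge_response(esn: str, secret: bytes, nonce: bytes) -> dict:
    """Handset proves knowledge of the secret without transmitting it: the
    response is an HMAC over the id and the carrier's fresh nonce."""
    tag = hmac.new(secret, esn.encode() + nonce, hashlib.sha256).digest()
    return {"esn": esn, "nonce": nonce, "tag": tag}


class Carrier:
    """Carrier side of the challenge-response scheme (constructed)."""

    def __init__(self) -> None:
        # One outstanding nonce per handset; consumed on first use.
        self.outstanding: dict[str, bytes] = {}

    def start_call(self, esn: str) -> bytes:
        """Issue a fresh 128-bit random challenge for this call setup."""
        nonce = secrets.token_bytes(16)
        self.outstanding[esn] = nonce
        return nonce

    def verify(self, msg: dict) -> bool:
        """Accept only a response to the nonce issued for this call setup."""
        secret = CARRIER_DB.get(msg["esn"])
        nonce = self.outstanding.pop(msg["esn"], None)  # single use
        if secret is None or nonce is None or nonce != msg["nonce"]:
            return False
        expected = hmac.new(secret, msg["esn"].encode() + nonce,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, msg["tag"])


def replay_against_static() -> bool:
    """An observer re-sends a captured static message: the carrier accepts it."""
    captured = static_auth_message("ESN-0001")  # what a passive reader sees
    return static_auth_verify(captured)


def replay_against_challenge() -> bool:
    """An observer captures one complete exchange and re-sends the response on
    a later call setup: the carrier rejects it, because the nonce is new."""
    carrier = Carrier()
    nonce = carrier.start_call("ESN-0001")
    captured = challenge_response("ESN-0001", CARRIER_DB["ESN-0001"], nonce)
    assert carrier.verify(captured)  # the genuine call itself succeeds
    carrier.start_call("ESN-0001")   # next call setup issues a fresh nonce
    return carrier.verify(captured)  # the replayed response is refused


def genuine_challenge() -> bool:
    """A handset holding the secret answers the current nonce correctly."""
    carrier = Carrier()
    nonce = carrier.start_call("ESN-0001")
    response = challenge_response("ESN-0001", CARRIER_DB["ESN-0001"], nonce)
    return carrier.verify(response)


if __name__ == "__main__":
    print("static ESN replay accepted:      ", replay_against_static())
    print("challenge-response replay accepted:", replay_against_challenge())
    print("genuine challenge-response accepted:", genuine_challenge())
```

The point for the carrier is that, under the second scheme, nothing a passive listener collects from the channel is usable later: the secret never crosses the air, and each captured response is bound to a nonce that will not be issued again. What the sketch does not solve is key distribution and the identity of the carrier itself, which is the part of the problem the post's Kerberos suggestion is really pointing at.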




------------------------------

Date: Wed, 11 Aug 93 01:29 GMT
From: Christopher Zguris <0004854540@mcimail.com>
Subject: Re: Digital Cellular - was Re: First Person broadcast on privacy

In Computer Privacy Digest V3#012 Bill Stewart <wcs@anchor.att.com> writes:
>Spread-spectrum techniques substantially increase privacy, though
>their real value is reducing interference and power requirements,
>but it's still eavesdroppable.  Spread-spectrum cordless phones are
>just coming out on the market, though I'm not sure I'd be willing

Okay, so if you have a fully digital system without encryption using
spread-spectrum (by spread-spectrum I assume you mean frequencies are
changed very often during the call), how long would it take your
average person with a scanner to tune around trying to follow the call?
It would seem like most of the time would be spent on tuning and little
on listening!  Or are the bulk of the eavesdroppers out there using
hacked cellular phones that would automatically follow the freq. shifts
to provide continuous coverage like the real phone? Isn't one of the
other benefits of the digital system the ability to eliminate cloning
of ESN (it's ESN for a cellular right? so many abbreviations for serial
numbers), if the ESN is protected then a hacked phone would be more
difficult, or there'd be no benefit in eliminating fraud which is the
cellular industry's main goal with digital right?

Christopher Zguris
CZGURIS@MCIMail.com
 

------------------------------

Date: Wed, 11 Aug 1993 01:58 +0100
From: fortrie@cipher.nl
Subject: Call for Papers IFIP SEC'94 Caribbean


=================================================================
  Call for Papers IFIP SEC'94 - updated information August 1993
=================================================================

***************************************************************

                C A L L   F O R   P A P E R S

***************************************************************


Technical Committee 11 - Security and Protection in Information
Processing Systems - of the UNESCO affiliated INTERNATIONAL
FEDERATION FOR INFORMATION PROCESSING - IFIP, 

                      announces:

Its TENTH INTERNATIONAL INFORMATION SECURITY CONFERENCE, IFIP SEC'94
TO BE HELD IN THE NETHERLANDS ANTILLES (CARIBBEAN), FROM MAY 23
THROUGH MAY 27, 1994.

Organized by Technical Committee 11 of IFIP, in close cooperation with
the Special Interest Group on Information Security of the Dutch
Computer Society and hosted by the Caribbean Computer Society, the
TENTH International Information Security Conference IFIP SEC'94 will be 
devoted to advances in data, computer and communications security
management, planning and control. The conference will encompass
developments in both theory and practice, envisioning a broad perspective of 
the future of information security.
The event will be led by its main theme "Dynamic Views on
Information Security in Progress".


Papers are invited and may be practical, conceptual, theoretical, tutorial
or descriptive in nature, addressing any issue, aspect or topic of
information security. Submitted papers will be refereed, and those presented
at the conference, will be included in the formal conference proceedings.
Submissions must not have been previously published and must be the
original work of the author(s). Both the conference and the five
tutorial expert workshops are open for refereed presentations.

The purpose of IFIP SEC'94 is to provide the most comprehensive international
forum and platform, sharing experiences and interchanging ideas, research
results, development activities and applications amongst academics,
practitioners, manufacturers and other professionals, directly or indirectly
involved with information security. The conference is intended for computer
security researchers, security managers, advisors, consultants, accountants,
lawyers, edp auditors, IT, administration and system managers from
government, industry and academia, as well as individuals interested and/or
involved in information security and protection.

IFIP SEC'94 will consist of a FIVE DAY - FIVE PARALLEL STREAM - enhanced
conference, including a cluster of SIX FULL DAY expert tutorial workshops.

In total over 120 presentations will be held. During the event the second 
Kristian Beckman award will be presented. The conference will address
virtually all aspects of computer and communications security, ranging
from viruses to cryptology, legislation to military trusted systems,
safety critical systems to network security, etc.

The six expert tutorial workshops, each a full day, will cover the
following issues:

Tutorial A: Medical Information Security
Tutorial B: Information Security in Developing Nations
Tutorial C: Modern Cryptology
Tutorial D: IT Security Evaluation Criteria
Tutorial E: Information Security in the Banking and Financial Industry
Tutorial F: Security of Open/Distributed Systems

Each of the tutorials will be chaired by a most senior and internationally
respected expert.

The formal proceedings will be published by Elsevier North Holland
Publishers, including all presentations, accepted papers, key-note talks,
and invited speeches.

The Venue for IFIP SEC'94 is the ITC World Trade Center Convention
Facility at Piscadera Bay, Willemstad, Curacao, Netherlands Antilles.

A unique social program, including formal banquet, giant 'all you can eat'
beach BBQ, island Carnival night, and much more will take care of leisure
and relaxation time.

A vast partners program is available, ranging from island hopping, boating,
snorkeling and diving to trips to Bonaire, St. Maarten, and Caracas.
A special explorers trip up the Venezuela jungle and the Orinoco River
is also available.
For families a full service kindergarten can take care of youngsters.

The conference will be held in the English language. Spanish translation
for Latin American delegates will be available.

Special arrangements with a wide range of hotels and apartment complexes
in all rate categories have been made to accommodate the delegates and
accompanying guests. (*)
The host organizer has made special exclusive arrangements with KLM Royal
Dutch Airlines and ALM Antillean Airlines for worldwide promotional fares
in both business and tourist class. (**)

(*)(**) Our own IFIP TC11 in-house TRAVEL DESK will serve from any city on
the globe.

All authors of papers submitted for the referee process will enjoy special
benefits.

Authors of papers accepted by the International Referee Committee will enjoy
extra benefits.

If sufficient proof (written) is provided, students of colleges, universities
and science institutes within the academic community, may opt for
student enrollment. These include special airfares, apartment accommodations,
discounted participation, all in a one packet prepaid price.
(Authors' benefits will not be affected)

**************************

INSTRUCTIONS FOR AUTHORS

**************************

Five copies of the EXTENDED ABSTRACT, consisting of no more than 25 double
spaced typewritten pages, including diagrams and illustrations, of
approximately 5000 words, must be received by the Program Committee no
later than November 15th, 1993.

We regret that electronically transmitted papers, papers on diskettes,
papers transmitted by fax and handwritten papers are not accepted.

Each paper must have a title page, which includes the title of the paper,
full names of all author(s) and their title(s), complete address(es),
including affiliation(s), employer(s), telephone/fax number(s) and
email address(es).
To facilitate the blind refereeing process the author(s)' particulars
should only appear on the separate title page. The language of the 
conference papers is English.
The first page of the manuscript should include the title, a keyword list
and a 50 word introduction. The last page of the manuscript should include
the reference work (if any).

Authors are invited to express their interest in participating in the
contest, providing the Program Committee with the subject or issue that 
the authors intend to address (e.g. crypto, viruses, legal, privacy, design,
access control, etc.) This should be done preferably by email to 
< TC11@CIPHER.NL >, or alternatively by sending a fax message to
+31 43 619449 (Program Committee IFIP SEC'94)

The extended abstracts must be received by the Program Committee on or
before November 15th, 1993.

Notification of acceptance will be mailed to contestants on or before
December 31, 1993. This notification will hold particular detailed
instructions for the presentation and the preparation of camera ready 
manuscripts of the full paper.

Camera ready manuscripts must be ready and received by the Program Committee
on or before February 28, 1994.

If you want to submit a paper, or you want particular information on
the event, including participation, please write to:

IFIP SEC'94 Secretariat
Post Office Box 1555
6201 BN   MAASTRICHT
THE NETHERLANDS  -  EUROPE

or fax to:

IFIP SEC'94 Secretariat: +31 43 619449 (Netherlands)

or email to:

< TC11@CIPHER.NL >

***************************************************************

Special request to all electronic mail readers:

Please forward this Call for Papers to all networks and listservices
that you have access to, or otherwise know of.

****************************************************************

Sincerely

IFIP TC 11 Secretariat


Call for Papers - updated information August 1993
=================================================================



------------------------------

Date: Wed, 11 Aug 93 00:18:28 PDT
From: Kelly Bert Manning <ua602@freenet.victoria.bc.ca>
Subject: Re: Returned mail: Host unknown
Reply-To: ua602@freenet.victoria.bc.ca





Someone who has lost their job would probably want to pay for a pager,
rather than take a chance on missing a job offer call. I don't know
what US local monthly telephone charges are, but I know one person here
in Victoria who got a pager because it was cheaper than renting a
telephone to receive calls. It is a lot cheaper than a cellular phone.

>
>I would probably have a pager.  For my job I don't need it, but remember
>the post I was responding to was talking about a person who had lost
>his job.  

There is a FAQ post that shows up at our reader site periodically that
covers many of these issues. I've used E-Mail at work since at least
1984 and have always assumed that anything I write might be read, and
had this confirmed to me at one point.

A lot of the problems seem to come out of mixing an employer provided
service with personal communications. Why not get involved with getting
a freenet going in your area? That is how I avoid anyone making an
unwarranted connection between me and my employer.

Where I work there is a rule that no personal mail can be placed in
mail out baskets, even if it is stamped. The pickup was outsourced and
the cost to my employer is based on the volume. Ironically this
coincided with Canada Post Corp. cutting back on mail boxes and denying
private individuals access to real P.O.s because "people can mail from
work".

In government jurisdictions subject to Freedom of Information statutes
there is actually a legal basis for archiving a lot of E-Mail and
retaining it for at least some period of time. Is the private sector
so different, at least with regard to internal access?
 
The archived E-Mail notes of Iran Contra principals gave a very enlightening
account of their activities and their thinking, in their own words.
The Clipper chip proposal could be viewed as a proposal to scale this
up to cover all routine US Federal Government digital communications.

------------------------------

Date: Wed, 11 Aug 93 09:03:30 MDT
From: David Wade  <djw@aerie.lanl.gov>
Subject: Re: Computer Privacy Digest V3#012


>	 and that any organization that DID choose to use it for
>	identification not related to taxes was required to offer alternate
>	identification numbers upon demand.  Can somebody who KNOWS answer the
>	following questions:
>
>	1) Who is allowed to demand my Social Security number, and for what
>	purposes?  I'm curious about both governmental and non-governmental
>	organizations.
>	
>	2) Is there any penalty for violation of this law, i.e. for
>	withholding benefits, memberships, etc. on sole grounds of refusal
>	to give a Social Security number?
>
>	3) Is there a government publication stating this?
>
>	Thank you,
>	-- 
>						Stephen Bloch
				     
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

Check out The Privacy Act of 1974, available free from your congresscritter.
Just ask it for a copy.  There is also an assessment of the 1974 Privacy Act
which is also printed by the Gov't, thus free for the asking.  It is
For Sale by the Superintendent of Documents, U.S. Government printing office
Washington, D.C. 20402

The Report of the Privacy Protection Study Commission

	Stock No. 052-003-00395-3 "Personal Privacy in an Information Society"
	Appendix 1	"Privacy Law in the States"
	Appendix 2	"The Citizen as Taxpayer"
	Appendix 3	"Employment Records"
	Appendix 4	"The Privacy Act of 1974: An Assessment"
	Appendix 5	"Technology and Privacy"

Another source is to subscribe to "The Privacy Journal" for a while.  There is
a SUBSTANTIAL student discount available.  Ask your college librarian to see 
a copy.  Were you aware that librarians are usually the people spending the
most time worrying about "privacy"?

Many librarians care.

And yes, there is a law, with penalty.

------------------------------

From: Leo J. Irakliotis <irakliot@longs.LANCE.ColoState.Edu>
Subject: Encryption policy.
Date: Thu, 12 Aug 1993 03:17:33 GMT
Reply-To: irakliot@lance.colostate.edu
Organization: Engineering Network Services, Colorado State University

Hope I'll get some responses here.  Is encryption in email legal?
Is it legal for an electronic mailing list, or a usenet newsgroup
to operate using encryption?

If encryption is against the law, please cite some references.

Thanks,

-- 
Leo J Irakliotis               irakliot@longs.lance.colostate.edu
 -----------------------------------------------------------------
Electrical Engineering                      l.irakliotis@ieee.org
Colorado State U
(303) 491-2021                              Optical Computing Lab

------------------------------

Newsgroups: pub.tdarcos.private.mail
Date: Thu, 12 Aug 1993 11:20:10 -0400 (EDT)
From: Paul Robinson <0005066432@mcimail.com>
Reply-To: Paul Robinson <0005066432@mcimail.com>
Subject: Unrequested Remote Call Forwarding
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII

From: Paul Robinson <TDARCOS@MCIMAIL.COM>
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA
 -----
A posting on the Risks list discussed how an inmate at a state
penitentiary was able to get some private party's phone to be 
enabled with Remote Call Forwarding (RCF), AND got someone from the
phone company to give them the security code over the phone.

I just thought about this.  A while back I had two additional 
phone lines installed in my house to add to the two I already had. 
At the request of the person who wanted the extra line, I put 
"Ultra Call Forward" (C&P Telephone's name for RCF) on one of the
lines.

It just occurred to me, if I'm not mistaken, that the clerk did give me
the information (800 number if long distance; local number if local) to
set up the service and passcode at the time I requested the service
change even though he did not ask me for any personal identification when
I placed the order. 

It's been said on Telecom Digest several times that inmates in prisons
make calls that have to be made collect only.  Are they referring to the
phones provided by the correctional facility or are the pay phones set up
so they cannot place calls other than collect? 

If prison pay phones can only call collect, then the person that did this
had to have an outsider do this, or they had to be calling an 800 number
(can prison phones call 1-800 numbers?  If not, how do they call their
lawyer if he has one?)

---
Paul Robinson - TDARCOS@MCIMAIL.COM
 -----
The following Automatic Fortune Cookie was selected only for this message:

"I didn't ask to get hatched into this family!"
  - Robbie, Dinosaurs




------------------------------


End of Computer Privacy Digest V3 #013
******************************