Date: Mon, 13 Dec 93 19:44:11 EST
Errors-To: Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From: Computer Privacy Digest Moderator <comp-privacy@uwm.edu>
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V4#006
Computer Privacy Digest Mon, 13 Dec 93 Volume 4 : Issue: 006
Today's Topics: Moderator: Leonard P. Levine
SSN's in Mail Addresses
Re: Gun Control/Registration/Confiscation
Re: Guns Control/Registration/Confiscation
Re: Right To Search Floppy Disks?
Re: Right To Search Floppy Disks?
Encryption At School
Cellular Phone Security
Re: Is PGP really Uncrackable?
ALERT: FBI's Wiretap Bill is Back!
CPSR Letter on Clipper (long)
The Computer Privacy Digest is a forum for discussion on the effect
of technology on privacy. The digest is moderated and gatewayed into
the USENET newsgroup comp.society.privacy (Moderated). Submissions
should be sent to comp-privacy@uwm.edu and administrative requests
to comp-privacy-request@uwm.edu. Back issues are available via
anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp"
with password "yourid@yoursite". The archives are in the directory
"pub/comp-privacy". Archives are also held at ftp.pica.army.mil
[129.139.160.133].
----------------------------------------------------------------------
From: Brinton Cooper <abc@arl.army.mil>
Organization: The US Army Research Laboratory
Date: Fri, 10 Dec 93 18:33:15 GMT
Subject: SSN's in Mail Addresses
The following appeared in the Weekly Bulletin (sent to all employees)
of this installation. I offer it without comment:
"9. USE OF WINDOW ENVELOPES FOR PAY RELATED ACTIONS: Quote from a 14
Mar 77 letter from Treasury's Bureau of Public Debt: "Until a bond
sent through the mails is delivered to the addressee as legally
defined by the Postal statues, only employees of the U.S. Government,
its agents, or the Postal Service in performance of their official
duties, have access to the social security number. Thus, the number
is not being disclosed indiscriminately to the public. Further, as
the Postal Service is bound, under the Privacy Act, to not disclose
any information relating to the individual, we fell that the
visibility of an individual's number through the envelope does not
result in his privacy being impinged upon." Treasury's Assistant
Secretary for Legislative Affairs reiterated this position in a 17 May
90 response to a Congressional Inquiry. Considering all this, the
visibility of a social security number thru a window envelope does not
create a violation of the Privacy Act. In fact, Treasury's Regional
Disbursing Officers (RDOs) use window envelopes which are designed so
that the addressee's social security number does show, thus allowing
for faster rerouting of misaddressed mail."
------------------------------
From: dwn@dwn.ccd.bnl.gov (Dave Niebuhr)
Date: Sat, 11 Dec 93 07:01:07 EST
Subject: Re: Gun Control/Registration/Confiscation
In Volume 4, Issue 5 steele!basile@uunet.uu.net (Steve Basile) writes:
>A Brady Bill-induced five day waiting period is of little consequence. My
>permit is NOT valid in the 5 Boroughs (counties) that make up NYC.
>Permits there require a psychiatric evaluation, and NYPD commissioner
>approval, and must be renewed every year.
And after what happened on the Long Island Railroad on December 7, 1993,
the Brady Bill has proved worthless. A man got on a train and proceeded
to kill five people and injure about 20 more. He used a 9mm pistol that
was purchased legally in California.
So much for a 5-day waiting period. California has a 15-day one and this
guy checked out clean.
So far, the public here knows that he came from Jamaica, formed an intense
dislike for blacks, whites and asians for unknown reasons; moved to
Louisiana and the to California where he rented a motel room until he
could satisfy the permit waiting period and then proceeded to purchase
the gun.
Following that, he came to Brooklyn, boarded a commuter train and started
shooting about 1 hour later.
Dave Niebuhr Internet: dwn@dwn.ccd.bnl.gov (preferred)
niebuhr@bnl.gov / Bitnet: niebuhr@bnl
Senior Technical Specialist, Scientific Computing Facility
Brookhaven National Laboratory Upton, NY 11973 (516)-282-3093
------------------------------
From: mcinnis@vnet.ibm.com
Organization: IBM Austin
Date: Mon, 13 Dec 1993 17:05:30 GMT
Subject: Re: Guns Control/Registration/Confiscation
Of course, the lesson to be learned here is to move to NY City where the gun
laws keep the steets free of crime and to avoid lawless areas of the country
like Texas.
------------------------------
From: kkruse@matt.ksu.ksu.edu (Korey J. Kruse)
Organization: Kansas State University
Date: Sat, 11 Dec 1993 18:33:03 -0600
Subject: Re: Right To Search Floppy Disks?
nevin@cs.arizona.edu (Nevin Liber) writes:
>In article <comp-privacy4.4.4@cs.uwm.edu>,
>Here is a thought: suppose the disk in question had a virus on it, and
>the administration confuscates the disk and tries to read the disk,
>thus invoking the virus.
Reading a disk does not invoke a virus. In order for a virus to infect
a system an executable has to be run. It is possible that the
computers in question might already be "infected" and a virus could
recognize a disk read of a floppy to start some damaging process, but
anyway the kind of protection the school is relying on is not very good.
------------------------------
From: kkruse@matt.ksu.ksu.edu (Korey J. Kruse)
Organization: Kansas State University
Date: Sat, 11 Dec 1993 18:44:44 -0600
Subject: Re: Right To Search Floppy Disks?
bitbug@netcom.com (James Buster) writes:
>ranck@joesbar.cc.vt.edu (Wm. L. Ranck) writes:
>>Actually I think folks seem to have a basic misconception here. It is
>>precisely *because* they are not the police that they can do locker searches,
>>etc. The police are held to a higher standard for probable cause to search.
>That is, precisely, the problem. In most(all?) public schools, school
>administrators are government employees. I think that *all* government
>employees should be held to the same standard of conduct as police officers.
>Otherwise you have the current intolerable situation where "Oh, she's not a
>*police officer*, she's an *administrator*.". Just wait until some idiot
>bureaucrat figures this out, and sends administrators to illegally search
>your home: "It's ok, they're not police officers.".
The reason locker searches are o.k. is because the lockers are the
property of the school. The reason backpack, purse searches, and body
searches are o.k. is because children under the age of 18 are not
granted the same Constitutional rights as adults. The Supreme Court
has already determined that the safety of the children in schools far
more important than their personal rights. This is why schools are
allowed to ban certain types of clothing, all kinds of speech, and
other things. The police could just as easily be involved in the
locker search or any other search. Whether the person is an admin.
really has nothing to do with it. Often times police are called by
the admin to help with searches by bringing in dogs or equipment.
The issue of administators of schools coming to your house for a routine
search is a joke. You don't have to let anyone in your house unless
they have a search warrant. Basically your argument that there is
some kind of legal distinction between police and school administation
searches is wrong. If the safety of the students in the school is
in question the police could search every backpack, locker, and purse
in the whole school without fear of any "legal" reprisals.
------------------------------
From: Chris Burris <cburris@cap.gwu.edu>
Date: Sun, 12 Dec 1993 22:48:17 -0500 (EST)
Subject: Encryption At School
I have a question:
Suppose that I wrote a simple encryption program and
ran it at school, and the administration searched my disk.
Could the administration force me to give them the encryption key
even if i refused?
------------------------------
From: agrosso@world.std.com (Andrew Grosso)
Organization: The World Public Access UNIX, Brookline, MA
Date: Sun, 12 Dec 1993 08:13:07 GMT
Subject: Cellular Phone Security
As a federal prosecutor, I have my own opinions about cellular
phones and the legality (or illegality) of listening in on cellular phone
conversations. Please note that this is a personal opinion, not one of
the Dept. of Justice.
Unlike a phone conversation transmitted via a cable-type network,
a cellular phone from the start transmits its information over the
airwaves. There is no pretension that the information transmitted is
physically protected or secure. The means to "tap" or otherwise listen
to the information is very simple, and widespread: radio receiver type
devices. By using a cellular phone, one is consenting to having one's
conversations broadcast to an outside world, a world which has the means
to listen to those converations. It is similar to using a megaphone to
transmit your conversations.
If you want privacy, then use a phone which uses cables. There,
your information is physically secure, and you have a legitimate
*expectation of privacy* in your converstations. An unauthorized taping
is therefore properly unlawful.
People who want the law to protect their cellular conversations by
making the listening-in on such conversations illegal or unlawful are, in
my opinion, like people who want it made illegal or unlawful for others
to listen to conversations broadcast by megaphone. Since there is, and
should be, no expectation of privacy in the means used to transmit the
information, there should be nothing unlawful about listening in.
What these people are trying to do is to utilize the law in order
to achieve an unnatural result: one wants privacy, but also wants the
convenience of using an easy means to communicate which has no privacy.
As a prosecutor, I can tell you that I have much too much work to do (and
so do all other prosecutors) to prosecute a case against person A for
listening to person B's conversation when person B decided to use an
obviously insecure means of communication simply because he or she
thought it convenient at the time.
As I said, it's my personal opinion. For your further
information, I am very adamant about protecting peoples' privacy,
particularly my own. I don't use cellular phones.
------------------------------
From: news@cbnewsh.cb.att.com (NetNews Administrator)
Organization: NCR, an AT&T Company, Pleasanton CA
Date: Mon, 13 Dec 93 07:12:13 GMT
Subject: Re: Is PGP really Uncrackable?
First of all, the hoax article claiming that PGP was hosed was really
a hoax, and reasonably funny if you got all the in-jokes.
kkruse@enterprise.ksu.ksu.edu (Korey J. Kruse) writes:
> Nope. PGP is distributed with source code. You can examine it all
> you want. Numerous experts in cryptography have (check out sci.crypt)
> and determined that the program does not have any "trap doors".
That's not precisely correct. PGP does come with source, and with
reasonably good documentation, and the documentation for the major
algorithms used in the system is widely available; you can check for
yourself that the code implements the algorithms accurately if you want.
While nobody has *discovered* any trapdoors (or at least published them),
there are some potential locations they could be hidden; after all,
the point of a trap door is that only the Bad Guy knows about it,
and you don't, so you can be tricked into falling in it :-)
- the RSA public key algorithm depends primarily on the difficulty of factoring;
maybe there will be some radical new breakthrough in the next N years,
or maybe the NSA or KGB has already made it and we don't know yet.
(Not likely....)
- the IDEA encryption algorithm appears to be fairly strong, and _is_
resistant to the Differential Cryptanalysis techniques that
weaken DES and have broken FEAL and a number of other systems,
and the keys are long enough to prevent brute-force attacks,
but that doesn't mean there isn't some hole we don't know about.
The hoax said that "Paul[sic] Zimmerman" planted the trapdoor,
but perhaps the crafty Swiss researches who wrote IDEA really
did it for their military intelligence service. (Not likely..... :-)
- the MD-5 Message Digest algorithm (used for hashing files for signatures)
doesn't have any known ways to break it, but if there are,
signatures may not be trustable, which risks the security of
the key certification process a bit. Again, unknown, but unlikely.
- the NSA could have broken into your computer and tampered with your
C compiler, or installed a radio transmitter that leaks out
your private key at night when you're not looking - check for
dirty fingerprints around the motherboard, and extra antennas...
- All the "experts" who've said it's good stuff may be Tentacles of
M.E.D.U.S.A., Inc. Trust no one, and keep your phaser handy....
But if you've got the time, after you've installed Spook Repellant on
your keyboard, do check out the documentation and maybe the code and
some of the algorithm references.
------------------------------
From: mech@eff.org (Stanton McCandlish)
Organization: EFF mail-news gateway
Date: 10 Dec 1993 19:35:32 -0500
Subject: ALERT: FBI's Wiretap Bill is Back!
(Originally from EFFector Online 6.07 (Stanton McCandlish), summarized
from Communications Daily 12/09/93 (Brock Meeks).)
Digital Telephony Threat Returns
According to FBI Dir. Louis Freeh, the development of sophisticated digital
telecom and networking technology threatens the ability of the Feds to
wiretap. In a Dec. 8 speech at Washington's National Press Club, Freeh
annouced a renewal of the FBI's 'Digital Telephony' legislation scheme:
the return of the controverial 'Wiretap Bill'. The bill is strongly
opposed by organizations and individuals concerned about privacy, as well
as the telecommunications and computing industries at large. The FBI's
'need' for this legislative action is under review by the Administration
as part of it's examination of security and encryption issues.
The reappearance of this Bureau effort contradicts statements by Special
Agent Barry Smith of the FBI's Congressional Affairs Office, who stated
less than a month ago that the 'Wiretap Bill' had been tabled.
According to classified documents released under the Freedom of
Information Act (FOIA), the FBI and the Electronic Communications Service
Provider Committee or ECSPC (an ad hoc industry working group, which
formed in March), are attempting to decide if technical solutions can
be found to satisify law enforcement. According to a Nynex representative
co-chairing the group, Kenneth Raymond, no solution has yet been found, but
that FBI has yet to prove any solution is needed at all. Raymond likened
Freeh's tactics to "yelling out the window" - an attention-getting move
that needs some sort of clarifying followup.
Though the ECSPC claims to be attempting to evaluate the problem and to
solve it "in some reasonable way that is consistent with cost and demand",
Raymond indicated that the group considers one 'solution' to be building
wiretap access into future telecom hardware - like the Clipper chip
backdoor, but a 'feature' of all switch specifications for phone and data
lines.
This news was just received, and a more detailed analysis and statement
from EFF will follow soon.
--
Stanton McCandlish mech@eff.org 1:109/1103 EFF Online Activist & SysOp
O P E N P L A T F O R M C R Y P T O P O L I C Y O N L I N E R I G H T S
N E T W O R K I N G V I R T U A L C U L T U R E
I N F O : M E M B E R S H I P @ E F F . O R G
------------------------------
From: Dave Banisar <banisar@washofc.cpsr.org>
Organization: CPSR Washington Office
Date: Thu, 9 Dec 1993 17:10:20 EST
Subject: CPSR Letter on Clipper (long)
CPSR Letter on Clipper
On December 6, the Digital Privacy and Security Working
Group, a "coalition of over 50 communications and computer
companies and associations, and consumer and privacy advocates"
coordinated by the Electronic Frontier Foundation, sent a letter
to President Clinton concerning cryptography policy. The letter
states, "In our discussions with Administration officials, we have
expressed the Coalition's tentative acceptance of the Clipper
Chip's encryption scheme (as announced on April 16, 1993), but
only if it is available as a voluntary alternative to widely-
available, commercially-accepted, encryption programs and
products."
The Washington Office of Computer Professionals for Social
Responsibility (CPSR) has sent the following letter to the
President. We believe that the position stated in this letter
continues to represent the views of the vast majority of network
users, as reflected in the overwhelmingly critical comments
submitted to the National Institute of Standards and Technology in
response to its recent solicitation of public comments on the
Clipper proposal.
==================================================================
December 8, 1993
The President
The White House
Washington, DC 20500
Dear Mr. President,
We are writing to you regarding the Clipper cryptography
proposal now under consideration by the White House and a
letter you may have received about the proposal from a group
called the "Digital Privacy and Security Working Group."
This group wrote to you recently and expressed their
"tentative acceptance" of the Clipper Chip encryption scheme.
We disagree with their views. This group has made a grave
mistake and does not speak for the many users of computer
networks and developers of network services who have
vigorously opposed this proposal.
We are very much concerned about the Clipper proposal.
At its core is the dubious premise that the government
should have the authority to design communications networks
that facilitate wire surveillance. The plan was developed in
secret by the National Security Agency over the objection
of U.S. firms, professional associations and public interest
organizations. Key details about the proposal remain
classified.
This proposal must not be endorsed. The development of
open, unclassified standards is critical for the future of the
nation's communications infrastructure. Progress and
innovation depend on the free exchange of scientific and
technical information. It is essential to the integrity of
the scientific process that standards are openly created and
available for public review.
There is also a great need to ensure that future networks
are designed with the highest levels of privacy and security
possible. As our country becomes ever more dependent on the
high-speed network, the need for secure systems will only
increase. The Clipper proposal purposefully cripples the
security of the network and reduces the privacy protection
that users could otherwise obtain.
There is another still more serious problem with the
Clipper proposal. An agency with the authority to conduct
wiretaps must not be allowed to impose technical standards to
facilitate wire surveillance. The threat to Constitutional
democracy is clear. A system of checks and balances is
essential to ensure that the powerful investigative tools of
government are properly controlled.
We have followed the development of this proposal with
great concern. We have testified before Congressional
committees. We have appeared before agency panels, provided
reports on wire surveillance, and debated the former FBI
Director on national television. We have also sponsored
conferences with full participation from across the federal
government. We believe that the best policies will result from
an open and unrestricted exchange of views.
It is our assessment that you must not permit adoption of
the Clipper technical standard, even on a voluntary basis. At
a time when the country should be moving toward open standards
designed for commercial networks, the Clipper proposal asks
future users of the nation's information infrastructure to
accept a standard intended for the Cold War era. It is a
backward-looking plan that serves neither the interests of the
American people nor American business.
The adoption of the Clipper proposal would also ratify an
unlawful process that has undermined the authority of Congress
and weakened the mechanisms of government accountability. The
proper authority for the development of this standard never
rested with the NSA. Under the Computer Security Act of 1987,
it was a civilian agency that was to develop appropriate
standards for the nation's commercial networks. Through a
series of secret executive orders, the NSA usurped the
authority of the National Institute of Standards and
Technology, substituted its own proposal for those of NIST,
and effectively derailed this important policy process.
When the computer user community had the opportunity to
voice its position on this proposal, it rejected the plan
overwhelmingly. The notice and comment process conducted by
the Department of Commerce earlier this year resulted in
nearly uniform opposition to the Clipper proposal. It would be
hard to find a technical standard more disliked by the
potential user community.
While we support the relaxation of export controls on
cryptography, we are not willing to concede to the NSA the
right to develop secret standards. It is only because the
National Security Agency also exerts influence on export
control policy that the Digital Privacy coalition is prepared
to endorse the Clipper standard in exchange for new
opportunities to market products. It may be a good deal for
the coalition members, but it is a terrible outcome for the
rest of the country.
We very much appreciate your efforts on behalf of open
government, and your work with the Vice President and the
Secretary of Commerce to develop the nation's information
infrastructure. We believe that these efforts are sending our
country in the right direction, helping to develop advanced
technologies appropriate for a democratic nation and to
preserve open and accountable government.
But the Clipper proposal was not a creation of your
administration. It is a relic from a period that is now
moving rapidly into the history books, a time when secret
agencies made secret decisions and when backroom deals with
powerful, private interests sustained these arrangements.
It is time to end this cynical form of policy making.
We ask you to reject the deal put forward by the Digital
Privacy and Security Working Group. The Clipper proposal
should not go forward.
We would be pleased to meet with members of your
administration to discuss this matter further.
Sincerely yours,
Marc Rotenberg, Director
David Sobel, Legal Counsel
Dave Banisar, Policy Analyst
CPSR Washington office
cc: The Vice President
Secretary Ron Brown, Department of Commerce
Anthony Lake, National Security Council
Computer System Security and Privacy Advisory Board
------------------------------
CPSR Cryptography Resolution
Adopted by the CPSR Board of Directors, Seattle, WA October 18, 1993
WHEREAS,
Digital communications technology is becoming an increasingly
significant component of our lives, affecting our educational,
financial, political and social interaction; and
The National Information Infrastructure requires high assurances of
privacy to be useful; and
Encryption technology provides the most effective technical means of
ensuring the privacy and security of digital communications; and
Restrictions on cryptography are likely to impose significant costs on
scientific freedom, government accountability, and economic
development; and
The right of individuals to freely use encryption technology is
consistent with the principles embodied in the Constitution of the
United States; and
The privacy and security of digital communications is essential to the
preservation of a democratic society in our information age; and
CPSR has played a leading role in many efforts to promote privacy
protection for new communications technologies:
BE IT RESOLVED THAT
Computer Professionals for Social Responsibility supports the right of
all individuals to design, distribute, obtain and use encryption
technology and opposes any government attempt to interfere with the
exercise of that right; and
CPSR opposes the development of classified technical standards for the
National Information Infrastructure.
------------------------------
End of Computer Privacy Digest V4 #006
******************************
.