Date:       Tue, 12 Apr 94 10:29:21 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V4#051

Computer Privacy Digest Tue, 12 Apr 94              Volume 4 : Issue: 051

Today's Topics:			       Moderator: Leonard P. Levine

                    Getting social-security numbers
                              Neat Tricks!
                   Clipper Teaches Public to Encode?
                   Phone Privacy-Dispatch from Canada
             Dave Barry Responds to E-Mail Hacking Charges
                          Flow Tracing Clipper
            Let your Fingers do the Walking on the Internet
                              Hide & Seek
                    Computer Privacy Digest Archives
               Credit check only with Permission Granted
                            Re: Call Return
               Re: SSN#: How Could Someone Find Out Mine
                            Re: CNID vs. ANI

   The Computer Privacy Digest is a forum for discussion on the effect 
  of technology on privacy.  The digest is moderated and gatewayed into 
  the USENET newsgroup comp.society.privacy (Moderated).  Submissions 
  should be sent to comp-privacy@uwm.edu and administrative requests 
  to comp-privacy-request@uwm.edu.  Back issues are available via 
  anonymous ftp on ftp.cs.uwm.edu [129.89.9.18].  Login as "ftp" 
  with password "yourid@yoursite".  The archives are in the directory 
  "pub/comp-privacy".   Archives are also held at ftp.pica.army.mil
  [129.139.160.133].
----------------------------------------------------------------------

From: "John A. Thomas" <B858JT@UTARLVM1.UTA.EDU>
Date: 8 Apr 94 17:18:16 CDT
Subject: Getting social-security numbers

Tony Austin wonders how easy it would be to get one's
social-security number.  Pretty easy, actually.

First, it is indeed on your credit report.

Second, many governmental agencies ask for it for documents that will
become public records.  In Texas, for example, it is requested for
voter-registration certificates (first place I go if backgrounding
someone), divorce petitions, and probate applications (both the
applicant and the deceased!).  I understand some states use the SSN as
a driver's license number.

Third, many private businesses ask for it on applications that have
nothing to do with credit reporting.  A clerk for the local Blockbuster
video said I was the first person to object and refuse to give them the
number, even though the form said "optional" in fine print.

At least Radio Shack is not requesting it when you buy batteries --
yet.  Those who have been through the Radio Shack "name, address, and
phone number" routine will know what I mean.

John A. Thomas
b858jt@utarlvm1.uta.edu


------------------------------

From: glr@rci.ripco.com (Glen Roberts)
Date: 8 Apr 1994 23:13:40 GMT
Subject: Neat Tricks!
Organization: RCI, Chicago, IL

PROTECT YOURSELF WITH THE CHICAGO TRIBUNE'S TELEMARKETING TRICK

The irritating telemarketing call comes in... it's the middle of dinner
and some lady wants to know if we get the Chicago Tribune... I tell
them, just when it comes free a couple times a week... and the delight
in the back of my mind that finally I have the phone number of the
agitating telemarketer!  For once, it's not "out of area" on the
Caller-ID display.

Well, my delight in phoning them back to express my displeasure with
them, quickly turned to frustration! Try it... 1-312-670-4113. It won't
cost you anything. The familiar reorder tones followed by the number
670-4113 "is not in service for incoming calls!" The ultimate Caller-ID
block.

Why not use it to protect your privacy? Get your second line setup by
the phone company that way, place all your out-going calls on it and
bam nobody can return call or redial your number. Yeah, the phone
company will probably tell you they can't do that for you. Tell them to
call 1-312-670-4113 as proof that it can be done.

Also, here's another way to block caller-id. Dial 10288EEE-NNNN where
EEE is your exchange and NNNN is the number. For example, from my home,
if I call the surveillance hotline: (708) 356-9646... by dialing
"356-9646" Caller ID gets my home phone. Yet, if I dial "10288356-9646"
it comes in as out of area (yeah and I probably get billed the same as
calling long distance).


------------------------------

From: terrell@sam.neosoft.com (Buford Terrell)
Date: 9 Apr 1994 11:47:39
Subject: Clipper Teaches Public to Encode?
Organization: South Texas College of Law

One perverse (and therefore nice) result of the government's push of
the Clipper legislation is that now many members of the public are
aware of encrypted communications who had never heard of it before.
Demand should create a market that will elicit new and better
encryption to meet that demand.  Have the Fibbies shot themselves in
the foot again?

Buford C. Terrell
South Texas College of Law


------------------------------

From: R._Braithwaite-Lee@magic-bbs.corp.apple.com
Date: 09 Apr 1994 20:09:37 EST
Subject: Phone Privacy-Dispatch from Canada
Organization: M A G I C

Hello:

With all the interest in Caller ID, blocking, &tc., I thought I'd share
with you what Bell Canada is up to. Their offerings are all
mandated/regulated by the Canadian Radio and Telecommunications
Committee, which holds public hearings then goes ahead and does
whatever it wanted to do anyways.

Currently, in the Toronto area, Caller ID is very popular. Call
Blocking is available, and comes in two flavours (Blocking defeats
Caller ID). For a fee, you can have your phone permanently and
automatically blocked. This fee is waived for women's shelters and
certain other sensitive institutions. I don't know what the complete
list of waived institutions is. Per-call blocking is also available.
This is where you dial *67 before placing the call. Per-call Blocking
is free, you just have to contact Bell and request it for your line.
This feature is kept very, very quiet.

An old feature, Call Return, is being remarketed heavily. At one time
Call Return was $5 per month and the way it worked was that if someone
called you and you didn't answer, then you pressed a few keys and the
phone automatically dialed their number for you. It seems that the
market ignored this service; Bell is now marketing the service with a
new twist. Instead of paying a monthly fee, it is now $.50 per use, up
to a maximum of $5.00.

And the new feature-of-the-month is called PrimeLine. This is a virtual
phone number, which costs $15 per month. Paging and Messaging options
are $5 and $6 extra. PrimeLine is a special phone number not attached
to any physical location--you call in and forward it to whatever phone
you wish to use to accept calls. A timer is included, so you can do
things like forward it to your messaging for an hour then have it
switch to your office (handy during the morning commute).

PrimeLine has a Call Screening feature which can be turned on and off
at will. Callers are told to state their name and business. The system
records this, then puts them on hold. Now your phone rings and you hear
the caller's recorded greeting. You have the option of accepting the
call, sending them to messaging, or disconnecting them. The caller only
hears 'so-and-so is not available at this time.' You might not be taking
the call, or perhaps you couldn't come to the phone.

At my home (which is also my office) I have plain-jane service w/o
Caller ID. I activated per-call Call Blocking, which I used to torture
my friends that have Caller ID. I choose not to use it regularly. I
just purchased PrimeLine, and plan to use it aggressively to manage my
calls while I'm out and about.

R._Braithwaite-Lee@magic-bbs.corp.apple.com
Public Key Fingerprint: D8 B8 C1 D0 DD 56 20 B4  06 A2 81 83 87 E8 8B 64
(Send message with subject "HELP" to pgp-public-keys@pgp.ox.ac.uk)


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 10 Apr 1994 08:39:37 -0500 (CDT)
Subject: Dave Barry Responds to E-Mail Hacking Charges
Organization: University of Wisconsin-Milwaukee

This is taken from CPSR/PDX(7:4): Dave Barry Responds to E-Mail Hacking
Charges: CPSR/PDX received the following letter from syndicated
columnist Dave Barry's office:

    Let me tell you what happened, and you can decide how immoral it
    was.  During the Olympics, a lot of rumors about Tonya Harding were
    floating around the press center.  One of these was that some
    numbers were Tonya Harding's e-mail code.  A lot of people punched
    these into the computer to see if they were.  I was one of those.
    As soon as I saw the numbers worked, I signed off, _without_
    reading any e-mail. Perhaps you wouldn't have done what I did.  I
    respect that.  But I view what I did as checking out a rumor, and no
    more.  I never saw any private correspondence, nor, as far as I
    know, did other reporters. When some reporters' names surfaced in
    connection with this, I volunteered the information that a lot of
    people, including me, had tried those numbers.  I was trying to put
    what happened into perspective; Unfortunately, the quotes that were
    printed made it sound as though I was defending the practice of
    reading other people's mail. I wasn't.

    Sincerely,

    Dave Barry

    DB/js


------------------------------

From: ajh@panix.com (A. H.)
Date: 10 Apr 1994 21:29:46 GMT
Subject: Flow Tracing Clipper
Organization: Panix Public Access UNIX and Internet

A thought has occurred to me, perhaps it was mentioned before.

But does the use of clipper automatically identify who, down to the
purchased hardware, is making a communication?  My reasoning is as
follows, I hope I am wrong:

Am I correct in assuming it would be trivial for anyone who has access
to monitor a medium of communication to scan the messages and obtain
the LEAF?

If that is the case, then would it not even be more trivial to look
that up on a reference table and see who originated it?  And would not
that same person already have access to the destination of the
message?

If that is the case, then does not clipper, in effect, create a log of
communication flows?


------------------------------

From: Paul Robinson <PAUL@TDR.COM>
Date: 11 Apr 1994 03:47:29 -0400 (EDT)
Subject: Let your Fingers do the Walking on the Internet
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA

Saturday I was over at Micro Center, a computer store in Vienna,
Virginia.

Visiting the book department, I spotted a new set of three books,
highlighted in plain view, all having the word "Internet" on the
cover.

One was a book on things you can find, e.g. a list of sources for
things such as Weather information, FTP sites for various types of
files, and so on, e.g. a list of services similar to the ones on the
internet, only broader and much better organized.  It was also about an
inch thick, which meant it was about 500 pages long.  I didn't have
much chance to look at it since I don't have that much interest in the
services on the Internet.  I know they are comprehensive, I just never
thought about it.

The second book was printed on yellow paper and I think it referred to
itself as "The Internet Yellow Pages".  In essence it was a topic and
subject cross reference for news groups and mailing lists.  This, I
think is a good idea.  It's better if someone knows that, for example,
Com Priv deals with the Commercialization and Privatization of the
Internet and not with say, Private Compost heap management.  (Although
some people who read that group might think the latter is more
accurate.)  Or that the Bitnet list ETHICS-L@VM.GMD.DE deals with the
ethics of computer programming and computer-related ethical issues,
rather than it being a general ethics list.

This too, was a Phone Book sized tome, about 3/4 inch thick, and it
also mentioned that it covers about 2700+ newsgroups, which doesn't
make it comprehensive (as someone corrected me earlier this month, the
worldwide set of public newsgroups is currently over 8,000 and runs
close to 100 megabytes a day.)

What I found most interesting was the third book, also about an inch
thick, e.g. phone book sized, and what could probably be called "The
Internet White Pages".  Someone started collecting E-Mail addresses and
names for people from public messages, probably those posted on
newsgroups and heavily circulated mailing lists and put them in
alphabetical order.  A practice very similar to that done by the
address lookup program on rtfm.mit.edu (formerly "pit-manager").

Apparently the compiler of the book collected some 100,000 people's
names and printed them up.  This book is fairly recent but not that
much.  As with most people, I looked myself up.  While it does have my
address on access.net and MCI Mail, it does not have my address here on
TDR.COM, which implies that it stopped collecting before I started
using it almost exclusively, which would be before December 5, 1993,
which is when the TDR.COM domain is listed as last updated via WHOIS.

Some people seem to have gotten upset over the collection of E-Mail
addresses for advertising.  Now, here, someone has generally collected
everyone's address off public messages, and published them in a book
that is sold over the counter in a computer store.  I wonder how people
feel about this issue.

The author said in the preface quite frankly that he had started
"surreptitiously" collecting E-Mail addresses for a while.  I put that
word in quotes because I think that was his term, not mine.  I am
trying to avoid being judgemental here, because I don't see it as that
big a problem.  My E-Mail address is not my street address and doesn't
tell you where I live or what I do or how much money I make or how
educated I am.  But this practice does annoy some people and I wanted
to let some people know that if you are worried about the collection of
names and E-Mail addresses, you are a little late, someone's already
done a White Pages that anyone can purchase.  And if it's successful,
I'll bet there will be new issues, as well as possibly competitors.

Seriously, I have a full newsgroup feed coming into the site I use,
there's nothing that says I couldn't set up a cron job that runs
several times a day to scan the spool files and collect addresses for
subsequent publication.  Anyone who has access to a full news feed
could have done the same thing.

Here's some questions to think about: What do you think about the
practice?  Is it right or wrong and why?  Does this impact people's
security?  Are there risks involved if your E-Mail address becomes well
known or if it is misprinted in a published "white pages"?  Are there
other considerations to think about?

--
Paul Robinson - Paul@TDR.COM


------------------------------

From: shaggy@phantom.com (the KrAziEst KaT)
Date: 11 Apr 1994 07:38:23 -0500 (CDT)
Subject: Hide & Seek 
Organization: [MindVox] / Phantom Access Technologies / (+1 800-MindVox)

hide-and-seek are a pair of "steganography" programs to hide and then
extract data out of GIF files. by doing so one is able to place an
extra layer of security for one's data between oneself and anyone who
one wants to deny access to....it is possible to keep the very
existence of data unknown! by subtly altering GIF files, the program
stores up to 19K of data in a 256-color or greyscale GIF, in a way that
is hard to detect but easy to reverse. it can be thought of as a kind
of camouflage. a greyscale GIF will be changed by HIDE in a way that is
invisible to the naked eye.

[MODERATOR The .uue file (for the PC) has been placed in the directory
'/pub/comp-privacy/library' at 'ftp.cs.uwm.edu'.  Feel free to take a
copy.  If you have a problem with ftp from your site, I will be glad
to email you a copy.  See next note for some details.]
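
An added illustration of the idea in the note above; it is not part of the original post and is not the hide-and-seek program's code. It assumes the data is hidden one bit per pixel in the low bit of each greyscale value, in sequential pixel order, and it uses a constructed 320x480 pixel buffer rather than a real GIF; neither the embedding method nor the image size is stated in the post.

```python
"""Low-bit embedding in an 8-bit greyscale pixel buffer (assumed scheme)."""
import struct

HEADER_BYTES = 4  # big-endian payload length stored ahead of the payload


def capacity_bytes(width: int, height: int) -> int:
    """Payload bytes that fit at one bit per pixel, after the length header."""
    return (width * height) // 8 - HEADER_BYTES


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def hide(pixels: bytes, payload: bytes) -> bytes:
    """Return a copy of pixels whose low bits carry length header + payload."""
    framed = struct.pack(">I", len(payload)) + payload
    if len(framed) * 8 > len(pixels):
        raise ValueError("payload too large for this image")
    out = bytearray(pixels)
    for i, bit in enumerate(_bits(framed)):
        out[i] = (out[i] & 0xFE) | bit  # overwrite only the lowest bit
    return bytes(out)


def _read_bytes(pixels: bytes, start_bit: int, count: int) -> bytes:
    """Rebuild count bytes from the low bits starting at pixel start_bit."""
    out = bytearray()
    for n in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (pixels[start_bit + n * 8 + k] & 1)
        out.append(value)
    return bytes(out)


def seek(pixels: bytes) -> bytes:
    """Recover the payload; reject a length header the image cannot hold."""
    (length,) = struct.unpack(">I", _read_bytes(pixels, 0, HEADER_BYTES))
    if (HEADER_BYTES + length) * 8 > len(pixels):
        raise ValueError("length header out of range: no plausible payload")
    return _read_bytes(pixels, HEADER_BYTES * 8, length)


def max_pixel_change(before: bytes, after: bytes) -> int:
    """Largest grey-level difference between the two buffers."""
    return max(abs(a - b) for a, b in zip(before, after))


# Constructed sample: a 320x480 greyscale gradient standing in for a GIF's pixels.
WIDTH, HEIGHT = 320, 480
COVER = bytes((x + y) % 256 for y in range(HEIGHT) for x in range(WIDTH))

if __name__ == "__main__":
    secret = b"constructed test message"
    stego = hide(COVER, secret)
    print("capacity (bytes):", capacity_bytes(WIDTH, HEIGHT))
    print("recovered:", seek(stego))
    print("largest grey-level change:", max_pixel_change(COVER, stego))
```

At the assumed 320x480 size, one bit per pixel gives 19,200 bytes before the length header, which is in line with the "up to 19K" figure in the post, and no pixel moves by more than one grey level.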


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 11 Apr 1994 12:25:21 -0500 (CDT)
Subject: Computer Privacy Digest Archives
Organization: University of Wisconsin-Milwaukee

CPD (Computer Privacy Digest) maintains an archive site for material of
general interest that is too long to post.  I also maintain all back
issues of CPD for those who wish to peruse issues that have passed.
These issues are ordered by Volume and Issue number.

Ftp Access into ftp.cs.uwm.edu with userid 'ftp' and password
'yourid@yoursite' will open up the directory.   The archives are in the
directory "pub/comp-privacy".   Archives are also held at the address
of the former moderator, Dennis Rears, ftp.pica.army.mil
[129.139.160.133].

Within the directory pub/comp-privacy a 'dir' command will show the
following:

drwxr-xr-x  2 levine   ftp           512 Apr 11 11:15 library
drwxr-xr-x  2 levine   ftp          2048 Mar  8 09:53 volume1
drwxr-xr-x  2 levine   ftp          1024 Mar  8 09:54 volume2
drwxr-xr-x  2 levine   ftp          1536 Mar  8 09:55 volume3
drwxr-xr-x  2 levine   ftp          1024 Apr  8 08:17 volume4

and within the directory pub/comp-privacy/library you will find the
following:

-rw-r--r--  1 levine   ftp        290932 Apr 11 11:14 hideseek.uue
-rw-r--r--  1 levine   ftp         61126 Jan 19 14:17 net-privacy-part1
-rw-r--r--  1 levine   ftp         50905 Jan 19 14:17 net-privacy-part2
-rw-r--r--  1 levine   ftp         43002 Jan 19 14:17 net-privacy-part3
-rw-r--r--  1 levine   ftp         26986 Jan  7 13:32 ssn-privacy
-rw-r--r--  1 levine   ftp          6090 Feb  7 08:54 ssn-structure

Please come and access what you wish.

If you are unfamiliar with the use of the File Transfer Protocol (ftp)
the following short summary might help.  On most systems the following
procedure will work, if you have a local command named ftp:

You type:                       Comment on the command:

ftp ftp.cs.uwm.edu              (on your system)
ftp                             (answer to login request)
your_userid@your_site           (answer to password request)
cd pub/comp-privacy             (at ftp prompt)
dir                             (look at what is there)
cd library                      (at ftp prompt)
dir                             (look at what is there)
get hideseek.uue                (move document to your filespace)
cd ..                           (back to previous menu)
cd volume4                      (at ftp prompt)
dir                             (look at what is there)
get V4#031                      (move document to your filespace)
quit                            (back to your system)


------------------------------

From: austin@netcom.com (Tony Austin)
Date: 11 Apr 1994 18:24:58 GMT
Subject: Credit check only with Permission Granted
Organization: NETCOM On-line Communication Services (408 241-9760 guest)

I called TRW in Orange County, California today. I asked how safe my
credit information and social security number is. They told me that
no one can look at your credit report unless you grant them permission.

A fine and a civil lawsuit were mentioned as well. Subsequently I feel a
lot safer. Is this a false feeling of security?

-- 
Tony Austin


------------------------------

From: tenney@netcom.com (Glenn S. Tenney)
Date: 8 Apr 1994 11:54:04 -0800
Subject: Re: Call Return

    clifto@tuttoo.chi.il.us (Clifton T. Sharp) wrote: Also, the
    corollary dialback service will come in handy when I get my "annual
    abuse call".  When I'm able to *69 and say, "I know who you are and
    I know where you live <click>," the $114 I spent for the year's
    service will have paid for itself, in my estimation.

Ah, but there's a catch with this service... at least here in the SF
area.  I have the service, and I would estimate that of the times I've
tried to use it it has worked twice -- i.e. from direct personal
experience I'd say it works less than 5% of the time.

Why?

It doesn't work from all switches is one reason.  But the main reason
is that it doesn't work from any PBX -- and guess where most
telemarketing calls come from... offices with PBXs.

What's worse is that the advertising gives no clue that this is the
case.  When I asked PacBell for detailed information on when it won't
work, the phone company could not even tell me what exchanges
technically were incapable of working.  Plus, they could not estimate
the percentage of phones in the area that won't work with call return.

In a nutshell:  Call Return is a marketing scam.

---
Glenn Tenney
tenney@netcom.com   Amateur radio: AA6ER
(415) 574-3420      Fax: (415) 574-0546


------------------------------

From: cntrspy@netcom.com (Executive Protection Assoc)
Date: 9 Apr 1994 18:23:11 GMT
Subject: Re: SSN#: How Could Someone Find Out Mine
Organization: NETCOM On-line Communication Services (408 241-9760 guest)

    Tony Austin (austin@netcom.com) wrote: I read the SSN# FAQ and it
    was a wonderfully written article. What I can't understand is how
    an individual, like a detective or such, could find out what my
    SSN# is.

    Is my SSN# so vulnerable that someone could do a credit check on me
    and find out what my SSN# is?

If I know your general location, I can spend $12 and do a computer
on-line check and come up with it.

If I know you as a target I would just dumpster dive your garbage and
I'm sure there is enough information in there to lead me to it.  It's
QUITE simple.  Credit header info (which is NOT FCRA regulated) would
reveal it also for about $10 and a 2 minute phone call.

SSN privacy and security is a myth.

Chris Hall
Operations Director
Executive Protection Associates, Inc.


------------------------------

From: watrous@athos.rutgers.edu (Don Watrous)
Date: 11 Apr 94 17:46:16 GMT
Subject: Re: CNID vs. ANI
Organization: Rutgers Univ., New Brunswick, N.J.

    gibbs@husc4.harvard.edu (James Gibbs) writes: And if you don't want
    your phone number to be given by ANI to the owner of an 800 number,
    call the operator and ask him/her to dial the 800-number for you.
    They can still get your number, but they probably won't go through
    the extra hassle to get it.

It is my understanding that 800 lines are actually an aliasing scheme
for regular (non-800 area code) numbers.  If you can discover the
regular number associated with an 800 number and dial that instead,
does that deny the ANI information to the 800 supplier?

Is it possible to find out what non-800 number is associated with an
800 line?  (I originally wondered about this when hearing about a
Canadian trying to call a US 800 number which was not set up for use
from Canada.)

-- 
Don
{backbone}!cs.rutgers.edu!watrous        watrous@cs.rutgers.edu


------------------------------


End of Computer Privacy Digest V4 #051
******************************