Date: Fri, 21 Oct 94 10:09:50 EST
Errors-To: Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From: Computer Privacy Digest Moderator <comp-privacy@uwm.edu>
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V5#051
Computer Privacy Digest Fri, 21 Oct 94 Volume 5 : Issue: 051
Today's Topics: Moderator: Leonard P. Levine
Re: How to Verify Your Phone Number
Re: How to Verify Your Phone Number
SSN on Drivers License in VA
SSN on Drivers License in NY
Question: Post Office Package Inspection
TEMPEST Source
Re: Eastwood Door Problem
Calling Number ID Debate
Cellular Phone Fraud Operator Arrested
Info on CPD, Contributions, Subscriptions, FTP, etc.
----------------------------------------------------------------------
From: dwn@dwn.ccd.bnl.gov (Dave Niebuhr)
Date: 18 Oct 94 13:09:47 EDT
Subject: Re: How to Verify Your Phone Number
dawson@world.std.com (Keith Dawson) wrote: from 508 land dialing
1-800-MY-ANI-IS got me "We're sorry, we cannot complete your call
as dialed."
It worked from 516 (Long Island) and when I called it from my job's
PBX, it gave a number on the outgoing trunk which is what I suspected.
--
Dave Niebuhr Internet: dwn@dwn.ccd.bnl.gov (preferred)
niebuhr@bnl.gov / Bitnet: niebuhr@bnl
Senior Technical Specialist, Scientific Computing Facility
Brookhaven National Laboratory Upton, NY 11973 1+(516) 282-3093
------------------------------
From: Bruce Steinberg <bruces@sco.COM>
Date: 21 Oct 94 2:45:38 PDT
Subject: Re: How to Verify Your Phone Number
dawson@world.std.com (Keith Dawson) wrote: from 508 land dialing
1-800-MY-ANI-IS got me "We're sorry, we cannot complete your call
as dialed."
Works okay in 408 (at least in Santa Cruz, CA area). FYI, B*
------------------------------
From: matt@aol.net (Matt Lyle)
Date: 18 Oct 1994 18:11:38 GMT
Subject: SSN on Drivers License in VA
Organization: America Online
Is the Social Security Number actually legally required in Virginia, or
is it truely optional and they just don't tell you that?
------------------------------
From: clc0314@is.NYU.EDU
Date: 20 Oct 94 15:36:16 -0400
Subject: SSN on Drivers License in NY
that reminds me, in NY, you only have to give your SSN if you are
applying for a commercial licence.
------------------------------
From: "Houston, James A." <JH2@scires.com>
Date: 18 Oct 94 16:42:33
Subject: Question: Post Office Package Inspection
I was wondering if any of the computer-privacy subscribers can
enlighten me on the U.S. Post Office's policy on mail/package
inspection. Do they inspect packages randomly? Do they inspect
packages at a centralized location? Does sending mail/packages via
express mail provide any more or less security? Does a package
traveling overnight have less chance of being inspected (for what ever
reason)? Is there any way, or are there any measures one can take to
ensure his/her mail/package is not selected for scrutiny by postal
clerks/mail handlers?
--
James Houston
(jh2@scires.com)
-atlanta-
------------------------------
From: joelm@eskimo.com (Joel McNamara)
Date: 19 Oct 1994 15:19:21 GMT
Subject: TEMPEST Source
Organization: Eskimo North (206) For-Ever
I just finished Winn Schwartau's "Information Warfare." In the van Eck
chapter, a source makes the following statement, "In the United States,
it is illegal for an individual to take effective countermeasures
against Tempest surveillance." This is attributed to a privately
circulated document by Christopher Seline, titled "Eavesdropping on the
Electro- magnetic Emanations of Digital Equipment: The Laws of Canada,
England, and the United States" (June 7, 1990).
Does anyone know where I can get a copy of this paper? Also, any other
pointers to U.S. laws regarding the use of both Tempest surveillance
and counter-surveillance techniques. I know Tempest collection tends
to be passive and very unobtrusive, but am curious if legal charges
have ever been filed against anyone in the U.S. for using or countering
Tempest collection devices.
--
Joel McNamara
joelm@eskimo.com
------------------------------
From: genghis@ilces.ag.uiuc.edu (Scott Coleman)
Date: 20 Oct 94 01:39:55 GMT
Subject: Re: Eastwood Door Problem
Organization: University of Illinois at Urbana
Christopher Zguris <0004854540@mcimail.com> writes: Why does
information need to be stored at all? Enter the valid key codes
(and whatever restrictions they may have) into the computer and
leave it at that. The security system is merely access control,
when or if a key is used is not important. If I have a valid key I
should get in, it's nobody's business -- and no records need be
kept -- of when I come and go.
My thoughts exactly.
Knowing when LEGITIMATE users enter a given doorway provides absolutely
NO information which would be valuable to a police officer
investigating a break-in. If my apartment is broken into, does that
make all my neighbors into suspects? And even in the unlikely event
that is *was* my neighbor who broke into my apartment, there would be
no record in the log of that neighbor's entry because he would
presumably ALREADY have been inside the bulding for an unknown length
of time.
Thus, since the keeping of such records serves no useful purpose, but
CAN be easily misused and abused, the ethical design approach is to
simply *not* *record* the identity of a legitimate access. Now, as
mentioned in the original post, if an INVALID key is presented, that
event should most definitely be logged, since no harm can come of such
records (although since the system would NOT have admitted the invalid
keyholder, no security breach would have occurred, and therefore the
system logs are again useless).
Keep the system simple like the manual key it is supposed to
replace and leave it at that. Why is it _everything_ digital _must_
keep logs?
Indeed!
--
Scott Coleman, President ASRE (American Society of Reverse Engineers)
asre@uiuc.edu
Life is temporally limited - drive velocitously!!
------------------------------
From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 19 Oct 1994 22:30:30 -0500 (CDT)
Subject: Calling Number ID Debate
Organization: University of Wisconsin-Milwaukee
Taken from RISKS-LIST: RISKS-FORUM Digest Weds 19 October 1994 Volume
16 : Issue 46 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED
SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann,
moderator
Date: 13 Oct 1994 14:13:13 -0700
From: Phil Agre <pagre@weber.ucsd.edu>
Subject: Calling Number ID debate
Calling-Number ID (abbreviated CNID [and sometimes misnamed Caller ID])
is a technology that enables your telephone to digitally send its phone
number to the telephone of anybody you call. Controversy about privacy
issues in CNID has swirled for years. The NYT has an article on the
subject:
Matthew L. Wald, A privacy debate over Caller ID plan, *The New York
Times*, 13 October 1994.
The United States Federal Communications Commission recently proposed
rules, due to go into effect in April, to create uniform CNID protocols
across state lines. While the FCC plan does protect privacy in some
ways, e.g., preventing a business that captures your phone number from
selling it to others without your permission, it does not mandate
per-line blocking, which is necessary if you never want to send out
your phone number, or if you only want to send it out when you enter a
special code.
The article states clearly that the real reason for CNID is
commercial. Privacy advocates have been saying this for years, and for
a long time they have gotten patronizing lectures about how CNID is for
residential use in catching harassing phone callers. But CNID is a
poor way to catch harassing phone callers. Moreover, that single
application wouldn't nearly make CNID profitable. The point is that
CNID is a good way to let companies collect marketing information and
automate service interactions.
Which is fine. Hardly anybody opposes CNID outright. But in order for
CNID to avoid inadvertently giving away the phone number of someone who
is being stalked, or who otherwise needs to keep their number a secret,
it needs a few simple features:
* per-line blocking -- a simple, no-cost way to declare that this
telephone should not send out its number when dialling
* per-line unblocking -- a simple, no-cost way to declare that this
telephone now *should* send out its number when dialling
* per-call blocking -- a simple, no-cost way to declare that,
regardless of whether this line is blocked, this particular call
should not include the calling number
* per-call unblocking -- a simple, no-cost way to declare that,
regardless of whether this line is blocked, this particular call
*should* include the calling number
In order for people to get the benefit of these commands, some further rules
are needed:
* All four of these commands should be entered with *different* codes.
* Most especially, the blocking and unblocking commands should not be
implemented with toggle commands (for example, *67 blocks the line
and then another *67 unblocks it -- or, wait!, did the first *67
unblock the line so that the next *67 blocked it?).
* All of these commands (or at least the per-call ones) should take
effect instantly, without requiring a pause before dialling a number,
so that phone numbers stored in modems can include the codes.
* All of the commands should be standardized everywhere.
* All of the commands should be clearly and concisely explained in some
convenient place in the phone book. If at all possible, the commands
should be listed on a simple cue card that can be attached to the
telephone alongside the emergency numbers. (Of course, if a
telephone had a real user interface then cue cards would not be
necessary.)
Don't all of these rules sound like common sense? Of course they do.
They allow everyone complete freedom of choice. If you like CNID then
you can turn it on and forget about it. If you want to refuse calls
that do not include caller numbers then you're free to do that. If you
don't care to call anyone who requires a caller number then you're free
to adopt that policy as well. If you never want to send out your
number because you're being stalked or are running a shelter then you
can do that. Free choice.
So why do proponents of CNID go to extraordinary lengths to defeat
these simple, ordinary protections? Because they're afraid that large
numbers of people would use per-line blocking, thus making the system
less attractive to the businesses who want to capture lots of phone
numbers. Like many schemes for using personal information, then, CNID
is founded on trickery -- that is, on the gathering and use of
information without free choice, full informed consent, and convenient,
easily understood mechanisms for opting out.
You might ask, "doesn't per-call blocking alone provide the necessary
choice?" No, it doesn't. Per-call blocking is like saying, "every
single time you drive your car into a gas station, your car instantly
becomes the property of the gas station unless you remember to say
abracadabra before you start pumping your gas." In each case, the
cards are stacked against your ability to maintain control over
something of yours, whether your car or your information.
What can you do? Write a letter to the FCC, with a copy to your state
attorney general and public utilities commission and to your local
newspaper. Send them the list of CNID commands I provided above.
Spell it out for them, and provide answers for the obvious pro-CNID
arguments. Your state regulators might even agree with you already, in
which case they need your support.
For more information, send a message that looks like this:
To: rre-request@weber.ucsd.edu
Subject: archive send cnid
Or contact the organizations that are working on this issue:
* Computer Professionals for Social Responsibility, cpsr@cpsr.org
* Electronic Privacy Information Center, epic@epic.org
* Electronic Frontier Foundation, eff@eff.org
Or start something of your own. The best way to predict the future,
after all, is to create it yourself.
Phil Agre, UCSD
------------------------------
From: Paul Robinson <PAUL@tdr.com>
Date: 20 Oct 1994 21:37:55 -0500 (EST)
Subject: Cellular Phone Fraud Operator Arrested
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA
The following article summary is followed by some comments:
In a Front Page article appearing in the Wed 19 Oct 1994 {Washington
(DC) Times} entitled "High-Tech sleuthing busts cellular phone fraud
ring" reporter Doug Abrahms tells us that Clinton Watson and two other
persons were arrested Monday for selling cellular phones with altered
serial numbers, causing the charges to be sent to legitimate cellular
users.
According to an Indictment in U.S. District Court in San Jose, when
police raided Watson's house, they found 30 phones with counterfeit ID,
16 altered memory chips and 600 mobile phone numbers which could be
used for fraudulent calls. Some of Mr. Watson's phones had as many as
12 different ID numbers, thus spreading usage patterns over a large
area. Other phones were designed to allow the ID to be changed at
will.
Police and cellular companies have turned to using more sophisticated
means to find illegal cellular phones, including helicopters, voice
prints and traffic analysis.
Mr. Watson is a Computer Programmer who designed his own software to
program integrated circuts to include numbers read from scanners used
on the cellular band. The phones so set up were referred to as
"lifetime" phones since they never got a bill. They sold for $1,200 to
$1,500 and have been found all over North America, according to Ron
Nessen of the Cellular Telecommunications Industry Association (CTIA),
which estimates that cellular fraud is a $1 million a day problem, with
people stealing cellular IDs by waiting near tunnels, airports and
parking lots to snatch the ID code transmitted.
New York's NYNEX is introducing a PIN code on cellular calls. The
Mayor and Police Commissioner of New York City have had the IDs for
their cellular phones stolen six times this year. A division of TRW is
developing a means to prevent calls unless the user's voice print
matches the print on file.
Comments:
1. Cellular Companies have been notorious for evading security
problems in their phones. Rather than spend the money to add
encryption in their switch software, they got a law passed to make it
illegal to listen to cellular frequencies and to build equipment that
can monitor cellular bands.
2. Cellular phones transmit call information in the clear, so a thief
can just use someone else's number and steal a few minutes of airtime
from them; if you bleed 10,000 customers of ten extra minutes a month,
almost none of them individually will recognize that their bill is ten
minutes too high. Unless customers complain, the Cellular Company
won't care.
3. A typical practice of an aerospace/military contracting company
like TRW is to try an implement and expensive complicated system such
as voice print matching instead of something simple and cheap like a
device to implement either Kerberos validation, S/Key style one-time
passwords, or MD-4/MD-5 arithmetic checksum of some stored value.
Putting such methods in as an inexpensive box like a Radio Shack tone
dialer might cost users $20 and installing it in new phones might cost
an extra $2 or $3. Persons having portable PCs could run a program to
generate the code. Since everything is done without a secret being
transferred, the software to do this can be public and nothing is
compromised.
4. Does using a biometric validation system on a communications
network scare anyone? I can think of a half-dozen reasons to dislike
it, including:
- use of the system to track and locate dissidents and anyone the
people who run the government don't like;
- my sister wants me to call someone for her and find out something
without them knowing it's her asking; I don't match her car phone
profile;
- I borrow her car to do an errand; I can't call her back to let her
know what I found out for her;
- Bugs in the software might not recognize the owner with a cold, after
an accident that damages their throat, or after some forms of surgery;
- Checking voice prints will require very heavy processing capability,
quite likely slowing down call connection times;
- I bug someone's car and simply play back the recording to unlock
their phone.
I think that this is an attempt to "kill flies with nuclear weapons,"
e.g. excessive overkill. There are cheaper alternatives such as
mathematical verification that will probably be quite effective without
using a system that requires expensive and complicated subsystems such
as voice print recognition.
------------------------------
From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 26 Sep 1994 12:45:51 -0500 (CDT)
Subject: Info on CPD, Contributions, Subscriptions, FTP, etc.
Organization: University of Wisconsin-Milwaukee
The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa. The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.
If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution. As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.
On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute. If you
do so, it is best to modify the "Subject:" line of your mailing.
Contributions generally are acknowledged within 24 hours of
submission. An article is printed if it is relevant to the charter of
the digest. If selected, it is printed within two or three days. The
moderator reserves the right to delete extraneous quoted material. He
may change the subject line of an article in order to make it easier
for the reader to follow a discussion. He will not, however, alter or
edit or append to the text except for purely technical reasons.
A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite. The archives
are in the directory "pub/comp-privacy".
People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.
Mosaic users will find it at gopher://gopher.cs.uwm.edu.
Older archives are also held at ftp.pica.army.mil [129.139.160.133].
---------------------------------+-----------------------------------------
Leonard P. Levine | Moderator of: Computer Privacy Digest
Professor of Computer Science | and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu
| Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu | Mosaic: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------
------------------------------
End of Computer Privacy Digest V5 #051
******************************
.