Date:       Mon, 24 Oct 94 15:15:39 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V5#052

Computer Privacy Digest Mon, 24 Oct 94              Volume 5 : Issue: 052

Today's Topics:			       Moderator: Leonard P. Levine

                        Logging Entry and Exit.
                           Re: TEMPEST Source
                           Re: TEMPEST Source
                  Re: How to Verify Your Phone Number
                  Re: How to Verify Your Phone Number
                     Cellular Phone Fraud Revisited
              Re: Question: Post Office Package Inspection
               Current Legislation on Information Policy
                      Re: Calling Number ID Debate
                    The Mother of All Utility Bills
                   Re: AOL Sells its Subscriber List
          FBI Dir. to seek Banning of all Non-clipper Crypto?
                 O.J. Simpson Trial Jury Questionnaires
          Info on CPD, Contributions, Subscriptions, FTP, etc.

----------------------------------------------------------------------

From: ttw@beta.lanl.gov (Tony Warnock)
Date: 21 Oct 1994 17:17:46 GMT
Subject: Logging Entry and Exit.
Organization: Los Alamos National Laboratory

There is a legitimate use for logging legal comings and goings.  If an
intruder can bypass the usual logging stuff, then the uncertainty in
the time of a break-in may be narrowed. This is the same idea as having
a night watchman log his rounds.  The applicability of such a log
depends on circumstances (as though other things didn't). Your own home
- not useful.  Office - not very useful. Jewel vault - useful. Level 4
virus containment - very useful. Office building during working hours -
not useful. Office building during off-hours - useful. Etc.

There is a trade-off between privacy and the necessity of logging
times. The individual should be allowed to make the choice. Employers
may make logging a condition of employment but the employee can walk if
not satisfied.

--
Tony Warnock ttw@lanl.gov
505-667-2225


------------------------------

From: Dave Moore <davem@garnet.spawar.navy.mil>
Date: 21 Oct 1994 14:57:50 -0400 (EDT)
Subject: Re: TEMPEST Source

    Joel McNamara said: I just finished Winn Schwartau's "Information
    Warfare."  In the van Eck chapter, a source makes the following
    statement, "In the United States, it is illegal for an individual
    to take effective countermeasures against Tempest surveillance."

I would be interested in finding such a reference because it sounds
ludicrous to me.  FCC class specifications set maximum limits on RF
emanation.  Tempest simply shields to a much higher level (lower
emanation) than normal commercial standards.  It's inconceivable that
anyone could claim it illegal to suppress RF noise too well.

This sounds like BS to me.


------------------------------

From: cntrspy@ix.netcom.com (Chris Hall)
Date: 24 Oct 1994 01:51:40 GMT
Subject: Re: TEMPEST Source
Organization: Netcom

    joelm@eskimo.com (Joel McNamara) writes: I just finished Winn
    Schwartau's "Information Warfare."  In the van Eck chapter, a
    source makes the following statement, "In the United States, it is
    illegal for an individual to take effective countermeasures against
    Tempest surveillance."  This is attributed to a privately
    circulated document by Christopher Seline, titled "Eavesdropping on
    the Electromagnetic Emanations of Digital Equipment: The Laws of
    Canada, England, and the United States" (June 7, 1990).

This strikes me as VERY interesting since many "ham" radio operators
find surplus tempest cases complete with rf chokes and cables in which
to mount their computers.

There are two surplus companies in California that sell tempest
resistant cases for PC's.

Is there any statute or case law listed in the book?  I met Winn, and
while he is a nice guy, some of his facts and reality base are a little
off.

--
===============================================================
Chris Hall, Chief Operating Officer
Executive Protection Associates, Inc.
Worldwide Investigations, Privacy Protection Strategies, Second
Passport Agents, Off-shore Banking and Trust Agents.
e-mail: cntrspy@ix.netcom.com, PGP key available.
Opinions Expressed are those of the Author and not of EPAI.
===============================================================


------------------------------

From: dwinfrey@cpcug.digex.net (David Winfrey)
Date: 22 Oct 1994 01:41:52 GMT
Subject: Re: How to Verify Your Phone Number
Organization: Capital PC User Group, Inc., Rockville, Maryland, USA

1 800 MY-ANI-IS yields the correct number from here in 301-land.

*67 1 800 MY-ANI-IS also yields the correct number.  Apparently *67
blocks only local Caller ID.


------------------------------

From: Jim Cooper <w2jc@ritz.mordor.com>
Date: 22 Oct 1994 12:50:34 -0400
Subject: Re: How to Verify Your Phone Number
Organization: Mordor International BBS

    dwn@dwn.ccd.bnl.gov (Dave Niebuhr) wrote:  It worked from 516 (Long
    Island) and when I called it from my job's  PBX, it gave a number
    on the outgoing trunk which is what I suspected.

And in 201 area (Bergen County, at least!)

In many areas, simply dialing 958 will get you a readback of the number
of the phone you are using.

I wonder if they record the numbers of everyone who called?  and then
maybe sell them on a list of 'those who are curious'!!


------------------------------

From: vin@shore.net (Vin McLellan)
Date: 22 Oct 1994 02:18:04 -0500
Subject: Cellular Phone Fraud Revisited

Paul Robinson <PAUL@tdr.com> made some thoughtful comments (20 Oct
1994) on the technical options for protecting cellular phone calls
against fraud and eavesdropping. He also said, however, that:

    ...Cellular Companies have been notorious for evading security
    problems in their phones.  Rather than spend the money to add
    encryption in their switch software, they got a law passed to make
    it illegal to listen to cellular frequencies and to build equipment
    that can monitor cellular bands.

I think Mr. Robinson aims at the wrong target when he blames the
cellular phone companies (either the hardware or the service vendors)
for the lack of simple protection (encryption) on the "air" link
(phone-to-cell) of a cellular call. I'm a real fan of one-time password
technologies, but simple encryption here is much more straightforward,
easy, and cost-effective. I would argue -- and I'm certain that a
thorough inquiry into the standards-making process would confirm -- that
the phone and service vendors not only could, but *would* have added
encryption to that open phone link if they could. The technology is
trivial; the chip-cost in volume, pennies; and the marketing advantages
apparent to all.

To understand the lack of this privacy technology in cellular air
links, I brashly suggest we must turn to the same federal agencies
which have so consistently refused to support stronger-than-DES and
"public key" encryption.  When an industry  acts against its own
interest (as the cellular industry did in leaving the air links
unprotected) and there are no substantive technical or financial issues
involved, we must look to the government's fingers in the
standard-making process that defined the market.

It's important to note that even if the cellular air link was
encrypted, the cops could always have access to the actual conversation
with a court order, since a "common carrier" firm has to have the key
to manage their end of the link. The fact that this was not enough --
the fact that someone wants these conversations utterly accessible,
wholly unprotected -- says a great deal about the politics of privacy
in the US.

In Europe, it has been reported that various European intelligence
agencies were much more open in acknowledging their interest, as they
too  blocked the use of encryption in cellular air links.  In the US,
unfortunately, public policy is shaped in the shadows, debated only
among informed insiders -- because, thus far, the government has not
dared to acknowledge its interests in the face of public skepticism and
concern.

Was there any logic for why we got legislation outlawing simple radio
sets which can hear these unprotected calls, rather than protecting
those calls with cheap encryption? There was (and is) no financial,
technical, or marketing logic -- and by outlawing common technology it
stood traditional communications law on its head. This situation is
patently the result of an unacknowledged public policy initiative by
someone who had an interest in leaving citizens' communications
unprotected and available. Yet, it seems to flirt with images of
paranoia and extremism to ask, "Who did this to us, and why?"

The apparent illogic with which a major privacy issue was resolved
insults our intelligence. Such is often the case.

Privacy is the historic "wild card" among our constitutional rights --
the only "right" which was defined first by John Q. Public's
interpretation of how the Constitution's inherent individualism was to
be protected in an era of mass communications. Congress and the Courts
only belatedly caught up with the popular understanding of this
Americanism -- and the cops and spooks, on the front lines in their
battles to protect us all, have never seen privacy as a matter of
principle, only a question of procedures.  And, as any bureaucrat
knows, procedures exist to define ways to evade them.

I believe the impassioned claims about FBI/police restraint on
(perfectly legal) wiretapping and the unprotected gaps (like the
cellular air link) in our info/communications systems are intertwined.
The public's worries about privacy have forced the FBI and other
agencies to minimize their apparent involvement with electronic
eavesdropping and wiretapping. These agencies and their advocates have
addressed their intelligence needs by using their influence to maintain
unprotected public communication links which they can listen to, or pay
others to listen to... without bothering with any permissions.

The issue is fudged because the reality cannot (yet) withstand public
scrutiny, but we are still left whispering our secrets on a party
line.  "Insiders" make fundamental decisions for us all, and US public
policy debates about privacy issues echo of Alice and the Red Queen
over tea.

--
Vin McLellan
The Privacy Guild


------------------------------

From: Jim Cooper <w2jc@ritz.mordor.com>
Date: 22 Oct 1994 12:50:40 -0400
Subject: Re: Question: Post Office Package Inspection
Organization: Mordor International BBS

    "Houston, James A." <JH2@scires.com> wrote:  I was wondering if any
    of the computer-privacy subscribers can  enlighten me on the U.S.
    Post Office's policy on mail/package  inspection.  Do they inspect
    packages randomly?

It is my understanding that FIRST CLASS mail is not inspected, unless
they have a search warrant for some reason.

4th class mail has always carried the caveat "may be opened for postal
inspection if necessary" -- though I'm not sure that is still true for
the 'quasi government' present postal 'service'..


------------------------------

From: ghodur@netcom.com (Gayle Hodur)
Date: 23 Oct 1994 01:07:52 GMT
Subject: Current Legislation on Information Policy
Organization: NETCOM On-line Communication Services (408 261-4700 guest)

A friend and I are graduate students writing a paper on information
policy. We need information, preferably a list of some sort, on the
current status of legislation in the area of information policy. We are
especially interested in legislation regarding:

             Copyright Act
             Freedom of Information Act
             Paperwork Reduction Act
             Intellectual property
             Privacy
             Telecommunications
             Fair Credit Reporting Act

We would like to be able to track the changes over the past few years,
how amendments have  been added and any new legislation proposed in
these areas. If you have info. or know where we can get it, please
email to:

Gayle Hodur and Mary Gale
at ghodur@netcom.com
THANKS!

-- 
ghodur@netcom.com


------------------------------

From: goudreau@dg-rtp.dg.com (Bob Goudreau)
Date: 24 Oct 1994 09:23:46 -0400
Subject: Re: Calling Number ID Debate

    Phil Agre writes:

 But in order for CNID to avoid inadvertently giving away the
 phone number of someone who is being stalked, or who otherwise
 needs to keep their number a secret, it needs a few simple features:

 * per-line blocking -- a simple, no-cost way to declare that this
   telephone should not send out its number when dialling

 * per-line unblocking -- a simple, no-cost way to declare that this
   telephone now *should* send out its number when dialling

 * per-call blocking -- a simple, no-cost way to declare that,
   regardless of whether this line is blocked, this particular call
   should not include the calling number

 * per-call unblocking -- a simple, no-cost way to declare that,
   regardless of whether this line is blocked, this particular call
   *should* include the calling number

 In order for people to get the benefit of these commands, some
 further rules are needed:

 * All four of these commands should be entered with *different* codes.
 ....

I'm confused.  

While I agree about the need for distinct codes for per-call blocking
and unblocking, why do we need dynamic codes to change the per-*line*
setting?  This could actually be dangerous to someone who zealously
guards his number, as a guest or other casual caller from his home
could turn off the per-line blocking without the owner knowing about
it.  If the guest forgot to turn blocking back on and forgot to inform
his host of the change, the host will thenceforth be under the mistaken
impression that his calls will be unidentified, even though this is no
longer the case.

However, I still feel that your feature set should still include four
distinct commands:

* per-call blocking (as above)

* per-call unblocking (as above)

* per-line Anonymous Call Rejection -- declares that all subsequent
  incoming calls whose CLID information is marked "PRIVATE" will be
  rejected without actually ringing this line.  The would-be caller
  will hear a telco message instructing him to unblock his number and
  redial if he wants the call to go through.  Note that calls from
  places that don't support Caller ID would be marked "OUT OF AREA",
  not "PRIVATE", and will thus go through.

* per-line Anonymous Call Acceptance -- declares that all subsequent
  incoming calls will cause the line to ring, regardless of the amount
  of CLID information they divulge.

As you advocate above, all these commands should have separate,
nationally standardized command codes, with no toggle interfaces.

--
Bob Goudreau			Data General Corporation
goudreau@dg-rtp.dg.com		62 Alexander Drive	
+1 919 248 6231			Research Triangle Park, NC  27709, USA


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 24 Oct 1994 12:38:11 -0500 (CDT)
Subject: The Mother of All Utility Bills
Organization: University of Wisconsin-Milwaukee

Taken from RISKS-LIST: RISKS-FORUM Digest  Friday 21 October 1994
Volume 16 : Issue 48 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND
RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G.
Neumann, moderator

    Date: 21 Oct 1994 13:08:57 -0500 (CDT)
    From: "F. Barry Mulligan" <MULLIGAN@ACM.ORG>
    Subject: "The Mother of All Utility Bills."

    from The Atlanta Constitution, Tues 18 Oct 1994, p.1, by
    Christopher C. Warren

    Imagine a single monthly statement listing
    all utility charges, including phone, cable, gas, electricity,
    water, garbage collection and sewerage charges.  It could be the
    mother of all utility bills and would allow consumers to write only
    a single check for all their services.  One Check, as the proposal
    is being touted, would ease consumer's household management by
    reducing utility bills to one monthly payment, said Maureen Bailey,
    vice president of public affairs with American Express, the company
    proposing the service.

The article goes on to describe the pilot test being proposed for the
Atlanta metro area. The cost of the service would be shared by the
utilities and the consumer.

Risks?  A little late with one payment and you're instantly in arrears
with every company in town. Billing disputes "still would be handled
through the individual utility companies", but what if the utility says
it didn't get a payment you sent to the service company?  If your
combined statement is mailed on the 15th and a utility transmits a new
charge to the service bureau on the 16th, what happens to the payment
grace period?  If you've ever had to rob Peter to pay Paul, how do you
deal with Peter & Paul, Amalgamated?

Perhaps the real question is 'Do I want to give a complete, itemized
description of all monthly utility consumption to American Express?'
(and pay for the privilege).


------------------------------

From: mdm@sugar.NeoSoft.COM (Michael Mondy)
Date: 24 Oct 1994 14:22:36 -0500
Subject: Re: AOL Sells its Subscriber List
Organization: NeoSoft Internet Services   +1 713 684 5969

    Philip H. Smith III, (703) 506-0500 wrote:

	mea@intgp1.att.com (Mark E Anderson) said (re AOL selling or
	renting its subscriber list): What's the difference between
	selling and renting a customer list?

    There's a big difference.  Selling means "Hi, here's a tape with
    the info, give me a big check".  Renting means (at least, in my
    experience) "Hi, here's a set of mailing labels, give me a smaller
    check".  Yes, the renter could sit down and enter all the data on
    all the labels; but they're (a) expressly forbidden to do so, and
    (b) it's hardly cost-effective.

Several years ago, the company I worked for looked into getting some
mailing lists.  One option was tapes with various data upon them which
you had the right to use once.  Catching people who tried to make
multiple mailouts without paying is easy via a few bogus
addresses which are fronts for the mailing list company.  (I believe
that encyclopedias used to (still do?) have a few minor intentional
'mistakes' to help prove theft of copyright.)

--
Mike Mondy	mdm@mondy.uucp


------------------------------

From: crf@access.digex.net (Clarke Ferber)
Date: 23 Oct 1994 01:44:57 GMT
Subject: FBI Dir. to seek Banning of all Non-clipper Crypto?
Organization: I'm not organized...

Original posting taken from Alt.Privacy.

We should start working our Congress Critters now to head this off.

 Washington, DC -- If private encryption schemes interfere with the
 FBI's ability to wiretap, they could be outlawed, according to recent
 comments made by the agency's Director Louis Freeh.

 Freeh told attendees here at the recent conference on Global
 Cryptography that if the Administration's Escrowed Encryption System,
 otherwise known as the Clipper Chip, failed to gain acceptance, giving
 way to private encryption technologies, he would have no choice but to
 press Congress to pass legislation that provided law enforcement
 access to *all* encrypted communications.

 If, after having pushed Digital Telephony through Congress (which
 hadn't yet happened when Freeh spoke at this conference), all the
 Bureau ended up with during wiretaps were the scratchy hiss of digital
 ones and zeros being hurled back and forth, Freeh made it clear that
 he would seek a congressional mandate to solve the problem.

 In other words:  Roll your own coded communications;  go to jail.

 Freeh's comments, made during a question and answer session at the
 conference, are the first public statements made by an Administration
 official hinting at a future governmental policy that could result in
 the banning of non-governmental, unbreakable encryption methods.

 Freeh's remarks were first reported on the WELL by MacWorld writer and
 author Steven Levy.  The FBI confirmed those statements to Dispatch.

 The Administration, however, continues to state that it has no plans
 to outlaw or place any restrictions on private encryption methods.

 A White House official said there are "absolutely no plans" on the
 table to regulate domestic encryption "at the present time." He
 wouldn't comment, however, as to whether the Administration would back
 an FBI attempt for such legislation.  "Freeh doesn't seem to need a
 lot of White House support," to get things done, the official said.

 FBI sources said any moves to approach Congress about regulating
 private encryption are "so far out there" time wise, that the subject
 "doesn't merit much ink," as one FBI source put it. "We've got to make
 sure the telcos rig up their current networks according to the new
 [digital wiretap] law before we go worrying about private encryption
 stuff," he said.

 An FBI spokesman confirmed Freeh's position that the Bureau would
 aggressively seek to maintain what the spokesman called "law and order
 objectives."  If that meant getting laws passed so that the Bureau's
 "authorized wiretap activities" couldn't be thwarted by "criminal
 elements using non-governmental" encryption schemes, "then that's what
 he [Freeh] would do," the spokesman said.

 When the Administration went public with its Clipper Chip policy, it
 stressed that the program would be mandatory.  Many civil liberties
 groups wondered out loud how long it would be before private
 encryption was banned altogether.  The White House, anxious for the
 public to buy into its one-trick pony the Clipper Chip, said that
 wouldn't happen.

 But the Administration hedged its bet.

 Buried in the background briefing papers of the original Clipper
 announcement, is a statement that the White House doesn't consider the
 public's right to use private encryption methods is protected
 anywhere in the Constitution.


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 24 Oct 1994 12:47:58 -0500 (CDT)
Subject: O.J. Simpson Trial Jury Questionnaires
Organization: University of Wisconsin-Milwaukee

Taken from PRIVACY Forum Digest Saturday, 22 October 1994 Volume 03 :
Issue 20 Moderated by Lauren Weinstein (lauren@vortex.com) Vortex
Technology, Woodland Hills, CA, U.S.A.

	 O.J. Simpson Trial Jury Questionnaires now in PRIVACY Forum Archive
	    (Lauren Weinstein; PRIVACY Forum Moderator)

    Date: 22 Oct 94 11:47 PDT
    From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
    Subject: O.J. Simpson Trial Jury Questionnaires now in PRIVACY
    Forum Archive

Greetings.  The PRIVACY Forum has been sent several copies of the
complete O.J. Simpson trial questionnaires, which have already been
widely circulated in the mainstream media.  These are the short
"hardship" and longer full versions (in original printed form with
space for answers, the longer version ran 75 pages).

After some consideration, I've decided that the detailed and personal
nature of the questions on these questionnaires (particularly the
longer one) makes them a valid topic for discussion in this forum.
Among the topics for possible consideration:

-- How would you feel about answering these sorts of detailed,
   personal questions?  Would you consider them to be an invasion
   of your privacy?  An acceptable invasion?  Unacceptable?

-- If a potential juror was unwilling to answer any or all of these 
   questions, would they or should they be subject to any sanctions?

-- Do these sorts of detailed personal questions truly yield useful
   information to the opposing sides in trials?  Can the answers be trusted
   to be honest?

-- Does the use of personal inquiry questionnaires of this sort have an
   overall positive or negative impact on the legal system?

-- And so on...

To access the questionnaires, which are both in a single file
which runs about 57K in length:

    Via Anon FTP: From site "ftp.vortex.com": /privacy/simpson-jq.Z
				          or: /privacy/simpson-jq

    Via e-mail: Send mail to "listserv@vortex.com" with
                the line:

		    get privacy simpson-jq

	        as the first text in the BODY of your message.

    Via gopher: From the gopher server on site "gopher.vortex.com"
	in the "*** PRIVACY Forum ***" area under "simpson-jq".

    Via World Wide Web (WWW): Access the "PRIVACY Forum" archive
	via the Vortex Technology home page at URL:

		http://www.vortex.com/

--Lauren--


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 26 Sep 1994 12:45:51 -0500 (CDT)
Subject: Info on CPD, Contributions, Subscriptions, FTP, etc.
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa.  The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution.  As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute.  If you
do so, it is best to modify the "Subject:" line of your mailing.

Contributions generally are acknowledged within 24 hours of
submission.  An article is printed if it is relevant to the charter of
the digest.  If selected, it is printed within two or three days.  The
moderator reserves the right to delete extraneous quoted material.  He
may change the subject line of an article in order to make it easier
for the reader to follow a discussion.  He will not, however, alter or
edit or append to the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite.  The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.

Mosaic users will find it at gopher://gopher.cs.uwm.edu.

Older archives are also held at ftp.pica.army.mil [129.139.160.133].

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of:     Computer Privacy Digest
Professor of Computer Science     |                  and comp.society.privacy
University of Wisconsin-Milwaukee | Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher:                 gopher.cs.uwm.edu 
levine@cs.uwm.edu                 | Mosaic:        gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------


------------------------------

End of Computer Privacy Digest V5 #052
******************************