Date:       Wed, 02 Nov 94 13:44:45 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V5#056

Computer Privacy Digest Wed, 02 Nov 94              Volume 5 : Issue: 056

Today's Topics:			       Moderator: Leonard P. Levine

               Re: Planting "Mistakes" to Guard Copyright
               Re: Planting "Mistakes" to Guard Copyright
               Re: Planting "Mistakes" to Guard Copyright
                        Re: Digitized Signatures
                        Re: Digitized Signatures
                        Re: Digitized Signatures
                        Re: Digitized Signatures
                      Re: Electronic Eavesdropping
                  Re: Again, Securest Cordless Phones?
                             Email privacy
           Re: Need help on making a computer/PC usage policy
           Re: Need help on making a computer/PC usage policy
                                 Email
                  Re: Drivers license as universal ID?
                           Re: License Plates
                           Re: License Plates
                          Mother's maiden name
      Dr. Denning says that non-escrowed crypto may be restricted
          Info on CPD, Contributions, Subscriptions, FTP, etc.

----------------------------------------------------------------------

From: pryluck@vm.temple.edu (Cal)
Date: 30 Oct 94 15:34:54 EST
Subject: Re: Planting "Mistakes" to Guard Copyright
Organization: Temple University

	How does one tell an illegal copy from a legitimate one, when
	the legitimate copy contains the fictitious city?

    Well, since it's supposed to be the same technique as seeding a
    mailing list and watching for false hits, I assume they have people
    parked out in the desert, waiting for the lost tourists...

Awh c'mon.  It ain't that complicated.

Suppose you decide to publish a RandMcNally map under your own name.
False city?  Gotcha.


------------------------------

From: goudreau@dg-rtp.dg.com (Bob Goudreau)
Date: 31 Oct 1994 10:20:53 -0500
Subject: Re: Planting "Mistakes" to Guard Copyright

	How does one tell an illegal copy from a legitimate one, when
	the legitimate copy contains the fictitious city?

    Well, since it's supposed to be the same technique as seeding a
    mailing list and watching for false hits, I assume they have people
    parked out in the desert, waiting for the lost tourists...

I think you're missing the point.  The goal is to plant some
information which, when copied by a competitor in the course of
publishing *his* map, will readily prove that he violated your
copyright.  So, all you have to do is buy your competitors' wares and
scan them for the bogus data you planted in your maps.

--
Bob Goudreau			Data General Corporation
goudreau@dg-rtp.dg.com		62 Alexander Drive	
+1 919 248 6231			Research Triangle Park, NC  27709, USA


------------------------------

From: "/DD.ID=OVMAIL1.WZR014/G=DANIEL/S=STICKA/"@EDS.DIAMONDNET.sprint.com
Date: 31 Oct 1994 13:23:25 -0500
Subject: Re: Planting "Mistakes" to Guard Copyright

    How does one tell an illegal copy from a legitimate one, when the
    legitimate copy contains the fictitious city?

Map publisher A produces an atlas and plants fictitious cities.  Map
publisher B produces an atlas, but instead of researching survey
records or whatever they should do to get the geographic info, they
just use publisher A's atlas for their source.  If publisher B is too
lazy to do the proper research in the first place, they probably won't
bother to find and remove all fictitious cities.  When B's atlas goes
on the market, A has proof that they copied because only A knows about
the fictitious cities.

--
Dan Sticka Electronic Data Systems -- Dallas


------------------------------

From: Maryjo Bruce <sunshine@netcom.com>
Date: 30 Oct 1994 18:19:24 -0800 (PST)
Subject: Re: Digitized Signatures

I overheard a "new procedures" training session given by a shop owner
to a sales clerk. Electronically sending in a charge has an additional
step now, she said. So many people are trying to alter the information
on the magnetic tape on their credit cards that first they check to see
if it has been tampered with.  When they receive verification that it
has not, they complete the charge procedure.

--
Sunny
Mary Jo Bruce, M.S., M.L.S.


------------------------------

From: "/DD.ID=OVMAIL1.WZR014/G=DANIEL/S=STICKA/"@EDS.DIAMONDNET.sprint.com
Date: 31 Oct 1994 15:21:46 -0500
Subject: Re: Digitized Signatures

Another Sears experience:  I had some automotive work done over the
weekend at the Plano, TX, Sears location.  I paid using Visa (not
SearsCharge or Discover) and was invited to sign the receipt using an
electronic pen on black pad.  I asked for a real pen, but was told I
had to sign on the black pad.  I said I do not, and won't.  He handed
me a ball-point and I signed the paper receipt.

I later called a manager and asked what the deal was.  She said they
are using the system to verify signatures (she didn't know how that
worked).  She assured me that customers will always be able to sign a
paper receipt with a pen, that a special code on the terminal bypasses
the digital signature function.  She also said that they can get a
signature downloaded from Visa anytime they wanted to.  Is this true?

--
Dan Sticka Electronic Data Systems -- Dallas


------------------------------

From: Bob Bales <74774.1326@CompuServe.COM>
Date: 01 Nov 1994 03:39:48 GMT
Subject: Re: Digitized Signatures
Organization: National Computer Security Association

I have an interesting paper, written by noted attorney, author and
electronic commerce expert Benjamin Wright.  It provides a commonsense
counterpoint to the mad rush to require digital signatures for
everything.  If you would like a copy of this paper sent to you, simply
send me an EMail to which I can "reply" without modification.  Request
"Plaintext Signatures:  The Verdict is In".

FYI, Ben is conducting an on-line seminar entitled "Law of Electronic
Commerce".  Send me an EMail if you would like more information about
this seminar.

-- 
Bob Bales                   | CompuServe InfoSec Forum: GO NCSA
Natl Computer Security Assoc| Phone:  717-258-1816
10 South Courthouse Avenue  | Fax:    717-243-8642
Carlisle,  PA 17013         | Email:  74774.1326@compuserve.com


------------------------------

From: stark@rtsg.mot.com (George Stark)
Date: 02 Nov 1994 04:58:20 GMT
Subject: Re: Digitized Signatures
Organization: Motorola Cellular Infrastructure Group

    Maryjo Bruce (sunshine@netcom.com) wrote: I don't get out much, and
    I may be the last person on earth to know this, but yesterday I
    went to Sears and bought a shovel and charged it on my Visa card.
    The clerk inspected my card, found it wanting because [snip]..

Gee, that's all we need now, a digitized version of our signatures that
can be hammered onto documents we've never seen before. What sort of
privacy protection is going on those signatures?

--
______________________________________________________________________________
George Stark         (708) 285-7205 |    WAR IS PEACE; FREEDOM IS SLAVERY
stark@rtsg.mot.com                  |         IGNORANCE IS STRENGTH.
Motorola-Aftermarket Support Center |               - George Orwell


------------------------------

From: olcay@libtech.com (olcay cirit)
Date: 30 Oct 94 19:42:16 PST
Subject: Re: Electronic Eavesdropping

I know this probably seems like a dumb question to some of you, but
what good would a TEMPEST shield do on a monitor? Are "they" going to
capture the EMF emanating from the monitor and run it through some
complex algorithmic scrubber so they can see what was on the screen?
(Or do I have it all wrong? :) )


------------------------------

From: "Jongsma, Ken" <kjongsma@p06.dasd.honeywell.com>
Date: 30 Oct 94 11:02:00 PST
Subject: Re: Again, Securest Cordless Phones?

    CHRISDENNIS@delphi.com writes: A few weeks ago, there was a small
    discussion of the most secure cordless phones available to
    consumers. However, I don't believe much else was said other than
    the new Motorola "secure" phones can be easily scanned.

    I, and other readers I'm sure, would like to know what is the
    securest on the market in the 900MHz range. And preferably under
    $300 street! ;-) Or at least please point me in the right direction
    on where to look for this info.

There are no absolutes when you ask a question like this. What you need
to do is:

     1) Identify the threat or who you are trying to counter.
     2) Identify what type of equipment they are likely to use.
     3) Figure out how much you want to spend to counter.
     4) Realize that you aren't going to get a perfect solution
          or one that is going to be permanent.

In order as presented:

     1) Are you trying to counter your neighbour's scanner? The local
     police? The state police? The FBI? The NSA? Just about anyone
     above your neighbour or local police unit is going to have access
     to the physical wire that your phone is attached to, so trying to
     protect the link between your phone and the base unit is pointless
     when the majority of the link is open.

     2) 49MHz scanners are cheap and all over the place. 900MHz
     scanners are not as common, but becoming more so each day.  900
     MHz scanners that are capable of decoding proprietary digital
     signals (Tropez, etc) don't exist on the consumer market and I
     haven't seen any in the more specialized markets. Even more so for
     ones capable of following a frequency agile or spread spectrum
     signal.

     3) How much are you willing to pay to protect against your
     neighbor or the local cops listening? I doubt that you can afford
     to protect against anyone more sophisticated than that.

     4) Until Voice PGP comes along, I'm happy with making my cordless
     phone almost as secure as my wall phone. That means I don't want
     my neighbor listening, nor the local bored cop that has a
     scanner.  I realize that if I have attracted the interest of
     anyone at a higher level, my phone line is not a secure means of
     communication and I wouldn't use the wall phone, much less a
     cordless phone.

     Consumer electronics has about a 5 year life. That doesn't mean
     that it won't work longer than that, but that in 5 years something
     newer, cheaper, better, whatever will come along. I don't believe
     that digital scanners will be available to the general public for
     most if not all of that timeframe, so I'm happy with my Tropez for
     $189.

     It's 900MHz, so that limits the universe of who can listen to it.
     It's digital, so that really limits the universe of who can listen
     to it. Paying another $150 to get spread spectrum just doesn't buy
     enough additional privacy to be worth it. In 5 years, I'll
     re-evaluate things and see if I need to make any changes.
     Actually, I'll do that continually, but I don't expect to have to
     do anything for 5 years.


------------------------------

From: babb@ucssun1.sdsu.edu (J. Babb)
Date: 01 Nov 1994 04:17:39 -0800
Subject: Email privacy
Organization: Usually Post-it notes and a Larsen calendar

How well protected are email rights? Specifically, how well is my right
to email privacy protected at the university that supplies my email
account?

Since the computing services dept provides it, do they have a right to
look at my email?

How about the dept I work for? They provide no money to maintain my
email acct. Do they have a right to look at my email?

Is there a paper on this somewhere?

-- 
Jeff Babb, Programmer/Analyst
Well I used to be disgusted, now I try to be amused - E. Costello
babb@ucssun1.sdsu.edu  Flames to dev/null/heatsink/asbestos


------------------------------

From: Bob Bales <74774.1326@CompuServe.COM>
Date: 01 Nov 1994 03:45:29 GMT
Subject: Re: Need help on making a computer/PC usage policy
Organization: National Computer Security Association

"COAST" at Purdue is an excellent source:

   open coast.cs.purdue.edu
   cd pub/doc
   dir
   quit

drwxrwsr-x   3 142      10030       1024 Oct 27 21:01 law+ethics
drwxrwsr-x   2 142      10030        512 Aug  3 00:33 passwords
drwxrwsr-x   2 142      10030        512 Oct 27 21:01 policy
drwxrwsr-x   2 142      10030        512 Oct 27 21:02 privacy
drwxrwsr-x   2 142      10030        512 Oct 27 22:20 social

These are just a few of the applicable directories on this host.

-- 
Bob Bales                   | CompuServe InfoSec Forum: GO NCSA
Natl Computer Security Assoc| Phone:  717-258-1816
10 South Courthouse Avenue  | Fax:    717-243-8642
Carlisle,  PA 17013         | Email:  74774.1326@compuserve.com


------------------------------

From: Jones Michael <3mj13@qlink.queensu.ca>
Date: 31 Oct 1994 13:44:29 -0500
Subject: Re: Need help on making a computer/PC usage policy

Canadian appropriate use policies are available from Electronic
Frontier Canada.

gopher: gopher.ee.mcgill.ca

7/ Community Information
2/ EFC - Electronic Frontier Canada
10/ Universities - Policies etc. etc.

--
Michael Jones
Queen's University, Kingston, Ont.
Sociology/Communications
3mj13@qlink.queensu.ca


------------------------------

From: babb@ucssun1.sdsu.edu (J. Babb)
Date: 01 Nov 1994 23:26:20 -0800
Subject: Email
Organization: Usually Post-it notes and a Larsen calendar

Please point me to an "authoritative" article on what right employees &
employers have regarding email accounts provided by the employer.

-- 
Jeff Babb, Programmer/Analyst
Well I used to be disgusted, now I try to be amused - E. Costello
babb@ucssun1.sdsu.edu  Flames to dev/null/heatsink/asbestos


------------------------------

From: Paul Robinson <tdarcos@tdr.com>
Date: 01 Nov 1994 17:14:48 -0500 (EST)
Subject: Re: Drivers license as universal ID?
Organization: Tansin A. Darcos & Company - Silver Spring MD USA

    John Sullivan    <sullivan@geom.umn.edu>, writes: Minnesota is just
    introducing a new drivers license, with new security features, as
    well as a bar code and a magnetic strip (with full name, date of
    birth, and license number).  The photo and signature are digitized,
    and presumably stored by the state as well as being printed on the
    card.

It has been announced that California went to this system about four
years ago.  My brother has an ID card from Virginia which uses a full
color front image and magnetic stripe on the back.  Maryland switched
over to the full system, including bar code, about 18 months ago after
a man murdered another, then applied for a replacement license using
the dead man's name.  The killer was not of the same race as the man he
killed, which is a reason for digitizing the original photo.

It's interesting that I came from California, and the license I had
from there was California's "Old" style, which is a photograph of the
person and the information from the driver's license card.  This is
only slightly laminated, on the front of the card.  (Question: how do I
know the whole license is a photograph?  On the back of the California
license is a watermark for photographic paper, "This paper manufactured
by Kodak.")

I traded an "old" style California license, just as it was expiring,
for an "old" style Maryland license, just before they switched systems.
All Maryland licenses issued which came out about 3 months after I got
mine, are of the same type as California, and now Minnesota, e.g.
"Counterfeit Proof".

The news media reports that counterfeit California licenses using the
"Counterfeit Proof" format that California switched to came out about
90 days after California switched to the new system.

    The new licenses are produced (for $1.29 apiece) by Deluxe (the
    check printers).

How interesting.  Deluxe is also a Minnesota corporation, if I remember
correctly.  Was perhaps part of the reason for setting this up to
assist a probably substantial contributor to local politicians? We'll
probably never know.

    Since the magstripe can hold about 256bytes, there have been
    discussions about what else might be stored there.

This is _old_ technology.  New stuff which has been out at least five
years can put 1K onto a standard mag card.  (I used to work for a
company that created magnetic employee identification cards.)

    Don Gemberling, director of MN's Public Information Policy Analysis
    Division, evidently did raise the privacy issues during the planning
    process, noting that a "universal personal identifier ... has been
    consistently resisted in this country".

Part of the reason - people have seen it in Europe, and fear equivalent
actions here - is that the number of bad things that can be done with
centralized databases of the general public far outweighs the alleged
benefits which _might_ accrue due to a registration system, e.g. easier
ability to catch criminals and find missing or lost children, vs. an
easier means to quash dissidents, blackmail people with opposing views,
and find ways to silence, and eliminate those who you don't want
around, or simply cause them to be blackballed so they can't find
employment.

The administrator of the IRS refused to do audits on people that
Nixon's people wanted harassed.  Today, all that's needed is to plant
some drugs in his house, then threaten him with prosecution plus a RICO
forfeiture of everything he owns if he doesn't keep his mouth shut or
fails to do what he is told, or is simply told to resign and they'll
drop the issue, then they appoint their own yes man.  If (s)he tries to
talk, nobody is going to believe him, or her, because of the anti-drug
hysteria.

Back during World War II, Germany used registration information to
round up Jews.  Here, during World War II, the director of the Census
refused to give up the original data so that Japanese Americans could
be rounded up, but the other agencies simply used the raw published
tract information (which shows nationalities) to discover how many
Japanese to look for.  And in a shameful action, here in Montgomery
County, MD, the county used census tract information to discover where
cheap "illegal" (e.g. not government taxed/regulated) housing
conversions were located so the residents could be evicted and/or the
owner fined.

Yes, people have a reason to oppose and fear a universal personal
identifier.

People have a _damn good_ reason to fear a universal personal
identifier.


------------------------------

From: bsherman@sefl.satelnet.org (Bob Sherman)
Date: 02 Nov 1994 03:58:25 -0500
Subject: Re: License Plates
Organization: Not much!

    twallace@mason1.gmu.edu (Todd A Wallace) writes: I have been
    curious about this for a long time: How much can the average Joe
    (not affiliated with law enforcement) find out about be by using my
    license plate number on my car?

In about 46 of the 50 states, just about anything that appears on your
registration application form. There are databases you can subscribe
to, microficsh (sp?) you can buy, etc. just filled with this type of
info.

-- 
bsherman@satelnet.org 


------------------------------

From: morris@grian.cps.altadena.ca.us (Mike Morris)
Date: 02 Nov 1994 08:49:35 GMT
Subject: Re: License Plates
Organization: College Park Software, Altadena, CA

    twallace@mason1.gmu.edu (Todd A Wallace) writes: I have been
    curious about this for a long time: How much can the average Joe
    (not affiliated with law enforcement) find out about me by using my
    license plate number on my car?

It depends upon your state's motor vehicle dept, and what they will
release.  I suggest you call a local private investigator.  I did, and
found out what could be acquired above board (not much) and what could
be acquired if I didn't ask where it came from (everything) and could
pay a fee to the P.I.

-- 
Mike Morris   WA6ILQ   | All opinions must be my own since nobody pays
PO Box 1130            | me enough to be their mouthpiece...
Arcadia, CA. 91077     |
ICBM: 34.12N, 118.02W  | Reply to: morris@grian.cps.altadena.ca.us


------------------------------

From: snorthc@relay.nswc.navy.mil (Stephen Northcutt)
Date: 02 Nov 1994 16:02:28 GMT
Subject: Mother's maiden name
Organization: Naval Surface Warfare Center	

I have been flooded recently with "pre-approved" credit card
applications.  Chris Hibbert and the SSN FAQ inspired me, so I left the
SSN field blank.  One bank just sent me a shiny new visa gold and while
I do not doubt that they have managed to acquire my SSN, they didn't
get it from me :)

They did call and ask my Date of Birth and my mother's maiden name.  I
didn't think much of it at the time.

Yesterday, Discover (with whom I have had an account for 5 yrs) wrote
and asked for my SSN, DOB, and mother's maiden name.

So, why is my mom's maiden name getting so important?

================== Personal Mail to snorthc@us.net =======================
Those who don't keep .history files are doomed to repeat their keystrokes
          "Folks, This is a crazy world."  John Winston.


------------------------------

From: "Shabbir J. Safdar" <shabbir@panix.com>
Date: 01 Nov 1994 09:03:47 -0500 (EST)
Subject: Dr. Denning says that non-escrowed crypto may be restricted

More boots are dropping; Denning suggests banning non-escrowed crypto

    Wiretap Watch - post-bill note
    November 1, 1994 
    Distribute Widely - (until November 30, 1994)

Dr. Denning sees restrictions on non-escrowed crypto as an obvious
possibility if Clipper sinks

I attended the NYU Law School symposium on "rights in cyberspace" last
Friday (Oct. 27, 1994) here in New York.  There were three panels.  On
the mid afternoon panel, the topic was regulating state access to
encrypted communications.

Panelists included Oliver Smoot (attribution forgotten), Dr. Dorothy
Denning (famous key escrow proponent), Steven Cherry (Voters Telecomm
Watch spokesperson), and J Beckwith Burr (who was not a rep of the EFF,
but gave a synopsis of their position).

Dr. Denning gave a chillingly calm description of key escrow, and then
the panelists as a whole answered questions.  At one point the subject
arose of just how "voluntary" Clipper really could be, seeing as the
public and industry had thus far overwhelmingly rejected it.  Who will
use a voluntary standard that nobody likes?

The consensus of the key-escrow opponents on the panel seemed to be
"nobody".

Dr. Denning, speaking for herself and not as a spokesperson for the
Administration, stated that if alternate non-escrowed encryption became
prevalent, the next step would be to implement "restrictions" on non-
escrowed technology.

I think it's safe to assume that Dr. Denning wasn't speaking of a secret
gov't. plot to ban private crypto; she was just commenting on the
obvious.

The Administration & Law Enforcement wants access to *all*
communications.  While they'll play "nice" now, they won't be so nice
if you don't go along with them.  It's going to get ugly down the road,
and HR 5199 could be the panacea.

What can you do?

-Get to know your legislator.  Just as the DT bill was railroaded
 through, there may not be a big chance of stopping 5199, a bill that
 could put into legislation the govt's key escrow program, making it a
 NIST standard.  You *must* convince your legislator that a little
 privacy is a good thing.  Non-escrowed crypto will not bring back all
 the privacy you've lost in the last 50 years; it will bring back
 some.  Some is better than none, and it maintains the balance between
 law enforcement interests and privacy concerns.

 Learn who your legislators are.  Put their phone numbers on a scrap of
 paper and keep them in your wallet or purse.  This will encourage you
 to call next session during one of the crucial moments.  The League of
 Women Voters often runs a legislator lookup hotline to help you find
 legislators.

-Save your money.  There are a lot of organizations around that you can
 join that will represent your interests in Congress.  Consider whether
 you should instead save your money and give it directly to a
 legislator with a good record on privacy and cryptography.  Several
 such legislators were recently identified in the VTW (Voters Telecomm
 Watch) 1993/1994 Report Card.

 Although both EFF & CPSR are worthy organizations, they don't give
 money directly to candidates because of the lobbying language of 501c3
 regulations.  As far as I know, the Voters Telecomm Watch is the only
 organization that outright encourages Americans to contribute funds to
 legislators with good crypto/privacy voting records.

-Join the VTW announcements mailing list.  Send mail to vtw@vtw.org and
 ask to be subscribed to vtw-announce.  We will be carefully tracking
 HR 5199 next session with the same frenetic precision we applied to
 Rep. Maria Cantwell's Cryptography Exports bill and the FBI's
 Wiretap/Digital Telephony bill.

--
Shabbir


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: Mon, 26 Sep 1994 12:45:51 -0500 (CDT)
Subject: Info on CPD, Contributions, Subscriptions, FTP, etc.
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa.  The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution.  As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute.  If you
do so, it is best to modify the "Subject:" line of your mailing.

Contributions generally are acknowledged within 24 hours of
submission.  An article is printed if it is relevant to the charter of
the digest.  If selected, it is printed within two or three days.  The
moderator reserves the right to delete extraneous quoted material.  He
may change the subject line of an article in order to make it easier
for the reader to follow a discussion.  He will not, however, alter or
edit or append to the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite.  The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.

Mosaic users will find it at gopher://gopher.cs.uwm.edu.

Older archives are also held at ftp.pica.army.mil [129.139.160.133].

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of:     Computer Privacy Digest
Professor of Computer Science     |                  and comp.society.privacy
University of Wisconsin-Milwaukee | Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher:                 gopher.cs.uwm.edu 
levine@cs.uwm.edu                 | Mosaic:        gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------


------------------------------

End of Computer Privacy Digest V5 #056
******************************