Date:       Thu, 03 Nov 94 19:07:35 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V5#057

Computer Privacy Digest Thu, 03 Nov 94              Volume 5 : Issue: 057

Today's Topics:			       Moderator: Leonard P. Levine

                      Re: Electronic Eavesdropping
                        Re: Mother's Maiden Name
               Re: Planting "Mistakes" to Guard Copyright
                 Info on European Computer Privacy Laws
                  Re: Driver's License as universal ID
           Re: Need help on making a computer/PC usage policy
                    Bank Reads Cal License Mag Strip
                          E-mail Privacy Alert
                 South Africa Information Policy Group
          Info on CPD, Contributions, Subscriptions, FTP, etc.

----------------------------------------------------------------------

From: fd@wwa.com (Glen L. Roberts)
Date: 02 Nov 1994 15:18:11 -0600
Subject: Re: Electronic Eavesdropping
Organization: WorldWide Access - Chicago Area Internet Services 312-282-8605 708-367-1871

    olcay cirit (olcay@libtech.com) wrote: I know this probably seems
    like a dumb question to some of you, but what good would a TEMPEST
    shield do on a monitor? Are "they" going to capture the EMF
    emanating from the monitor and run it through some complex
    algorithmic scrubber so they can see what was on the screen? (Or do
    I have it all wrong? :) )

No, they remotely, and easily, via the EMF emitted, reconstitute your
computer screen on theirs.

I saw it demonstrated at surveillance expo. The reproduction isn't
great...  but it can be done. All they have to do to reconstitute the
picture is mix in new V and H sync signals.

-- 
Glen L. Roberts, Editor, Full Disclosure
Host Full Disclosure Live (WWCR 5,065 khz - Sundays 7pm central)
email fd@sashimi.wwa.com for catalog on privacy & surveillance.
Does 10555-1-708-356-9646 give you an "ANI" readback?
email for uuencoded .TIF of T-Shirt Honoring the FBI
Remember, fd _IS FOR_ Full Disclosure!


------------------------------

From: huggins@quip.eecs.umich.edu (Jim Huggins)
Date: 02 Nov 1994 21:18:40 GMT
Subject: Re: Mother's Maiden Name
Organization: University of Michigan EECS Dept.

    Stephen Northcutt <snorthc@relay.nswc.navy.mil> wrote: So, why is
    my mom's maiden name getting so important?

Essentially, they're using it as a password.  Most credit card
companies have 800 numbers you can call to speak with a helpful
representative about your account, get your current balance, etc.

Of course, since credit card numbers can easily be copied, credit
companies know that they need to have some way of identifying that you
are, in fact, you, especially if you're asking for some significant
change (e.g. change of address).  So they will usually ask for pieces
of information like SSNO, DOB, mother's maiden name, etc., to try and
verify that you are in fact who you say you are.

I've heard that most of these places will allow you to substitute any
pronounceable string for mother's maiden name, since all they need is
essentially a password anyways.  They could ask everyone to come up
with a unique password, but the number of times it is actually used is
so rare (not to mention the understanding of the public about passwords
being so low) that obscure pieces of information like mother's maiden
name usually serve their purpose.

Of course, someone who really wanted to sabotage my credit standing
could spend enough time finding out all this information about me.  But
authenticating identity over the phone without using unique passwords
is going to be an insecure process.  So chalk this up as a security vs.
access example.

-- 
Jim Huggins, Univ. of Michigan                          huggins@eecs.umich.edu
"You cannot pray to a personal computer no matter how user-friendly it is."
(PGP key available upon request)                             W. Bingham Hunter

[moderator: other people had similar responses:]

    From: tseaver@sam.neosoft.com (Tres Seaver)
    Organization: MACRO Enterprises, Inc.

Presumably, someone who steals your card and tries to gain information about 
your account will not know this bit of info, which, again presumably, you will 
always be able to supply as "proof" of your identity.

    From: sean@sdg.dra.com (Sean Donelan)
    Organization: Data Research Associates, St. Louis MO

For bankcard purposes your mother's maiden name can be any (non-obscene)
word you want, provided you will remember it at a later date.  


------------------------------

From: dwn@dwn.ccd.bnl.gov (Dave Niebuhr)
Date: 02 Nov 1994 16:32:52 -0500
Subject: Re: Planting "Mistakes" to Guard Copyright

    How does one tell an illegal copy from a legitimate one, when the
    legitimate copy contains the fictitious city?

One local map printer lists important features in places where they
shouldn't be.  An example is the high school which is shown mixed up
with an elementary school.  Another is the nearest Coast Guard Station
closer to a main road than the bay it sits beside.  A third is an
historical site listed where a Native American Reservation is
located, yet neither is tied to the other in any way.

--
Dave Niebuhr      Internet: dwn@dwn.ccd.bnl.gov (preferred)
                            niebuhr@bnl.gov / Bitnet: niebuhr@bnl
Senior Technical Specialist, Scientific Computing Facility
Brookhaven National Laboratory Upton, NY 11973  1+(516) 282-3093
                                          FAX   1+(516) 282-7688


------------------------------

From: MIKE@HTI.dnet.hac.com
Date: 02 Nov 94 17:24:42 PST
Subject: Info on European Computer Privacy Laws

I have the task of designing a large networked training scheduling
system for use in Europe. Since the computer and network privacy laws
and acceptable practices of the European countries where it will be
used will have an effect on its design and implementation, I've been
looking for information. But I haven't had much success. I have some
anecdotal stories of the computer privacy laws of Germany, but nothing
on any other countries. I haven't had success with archie and gopher
searches either. So I would really appreciate it if anyone could give
me some pointers to European news groups or bulletin boards
(non-English is OK) that deal in privacy issues, or some sites with
data or FAQs on European computer privacy laws and practices.

I'll post a summary to this group if there is any interest.

Thanks in advance,

--
Mike Robkin				MIKE@HTI.DNET.HAC.COM
Hughes Training, Inc.


------------------------------

From: Dave Moore <davem@garnet.spawar.navy.mil>
Date: 03 Nov 1994 09:45:23 -0500 (EST)
Subject: Re: Driver's License as universal ID

    My brother has an ID card from Virginia which uses a full color
    front image and magnetic stripe on the back.

I have one of those too.  I'm not aware of any use for the magnetic
stripe on the license.  They can't be too useful because they're such a
delicate storage medium.  They can be inadvertently wiped simply by
leaving them sit on your dashboard black stripe up on a hot summer
day.  This causes the magnetic material to reach its Curie temperature
and demagnetize.  Then there's the high tech hazards of de-gaussing
coils and very powerful magnetic fields.

I can't imagine a law that would require that all your magnetic domains
remain intact.


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 03 Nov 1994 09:41:55 -0600 (CST)
Subject: Re: Need help on making a computer/PC usage policy
Organization: University of Wisconsin-Milwaukee

This was taken from the ethics mailing list and addresses the
appropriate use policies for various educational groups.  It may be
interesting to us to be able to look at the gopher information.

    From: CK/P Assessment <journal@OBERON.PPS.PGH.PA.US>
    Date: 31 Oct 1994 12:51:59 GMT
    Subject: Re: Need help on making a computer/PC usage policy
    Organization: Pittsburgh Public School District

Most of the online acceptable uses policies I'm aware of are education
related, but I don't see why those can't be useful to you (many of the
same issues arise).

If you can gopher, try gophering to

1) chico.rice.edu  (Rice University) then to
    Other Gopher & Info. Servers     then to
      Armadillo--The Texas Studies Gopher   then to
        More About Armadillo & Other Gophers   then to
          Acceptable and Unacceptable Use of Net Resources (K12)/

which is a directory containing 28 files and other directories.  Some
examples:

1.  Acceptable and Appropriate Use from Tenet.
3.  ALA Bill of Rights/
10. Acceptable Use from NeuvaNet (California).
16. EFF Gopher Service (Background Material)/
28. William Aberhart HS User Guidelines.

I checked two other gophers and both had pointers to the same list of
28:
2)  nysernet.org (path: 11. Special Collections: Empire Internet
Schoolhouse (K-12)/   5.  K-12 on the Internet/  3.  Acceptable and
Unacceptable Uses of Net Resources (K12)/

3)  copernicus.bbn.com (path: 5. K-12 on the Internet/ 3. Acceptable and
Unacceptable Uses...etc./

I hope that helps.  There may also be some info. available via World Wide
Web but I have little experience with that and haven't spent the time
exploring it yet.

--
Gail Futoran
journal@pps.pgh.pa.us
Common Knowledge: Pittsburgh


------------------------------

From: idela!markb@ide.com (Mark Bells Home Account)
Date: 03 Nov 94 09:13:47 PST
Subject: Bank Reads Cal License Mag Strip

I was in a Bank of America branch and ran my ATM card through the
little reader at the teller window as ID.  Upon entering my PIN she
cashed a $1000 check with no further ado.  So that is a pretty good
system.

But as I glanced at the man at the next window I saw him run his Calif
driver's license through the reader.  "Whoa," I thought, "what is
this?" So I ran my Calif license through the reader at my window and
asked her what she saw on her display.  She said that all it gave was
my driver's license number.  I asked her if my name or SSN appeared and
she said no.  She said all they use it for is a quick way to read the
number.

So I thought you'd want to know!

Mark Bell
markb@ide.com


------------------------------

From: <rossk@ucsu.colorado.edu>
Date: 02 Nov 1994 22:49:22 GMT
Subject: E-mail Privacy Alert
Organization: University of Colorado at Boulder

Recent news accounts have emphasized the importance of password safety
for e-mail accounts.  Crackers have broken into mail accounts and
messaged objectionable material all over the Internet.

If you read this message, it means that the e-mail safety debate might
enter another level.  This very message, and several like it, is being
sent via someone else's e-mail address --- without use of a password.

In our experimentation with a freely available Internet software
program, we have discovered that we can use someone else's e-mail
address to mail messages and post to newsgroups.  Readers of those
messages can reply directly to the e-mail address.

The consequences seem rather broad.  It is a little like Pandora's
box.  Anyone can use this software and send objectionable messages
without the e-mail account owner's consent or knowledge.

We are students from the University of Colorado at Boulder.  The class,
Electronic Journalism, is taught by instructor Bruce Henderson
(hendersb@ucsu.colorado.edu).  We look at issues involving publishing
on the Internet.  One aspect deals with interactive publishing, and the
importance of allowing readers to interact with a publication via
e-mail.

What are your concerns and comments about this issue?  Please e-mail
course instructor Bruce Henderson at hendersb@ucsu.colorado.edu.
Responses will be posted to our newsgroup: cu.courses.jour4562.  The
newsgroup also can be read through the WWW at:
http://bcn.boulder.co.us/campuspress/Jlist.html under the heading The
Electronic Journalism Discussion Group (cu.courses.jour4562).  We will
also provide responses, by request, to those who cannot access the
newsgroup.

We are not mentioning the software program that allows this posting at
this point because:  1. We are still testing how easy it is to send
messages without passwords.  2. If it is easy, we will contact software
developers for comment.

All e-mail addresses used in this exercise are accessed WITH the
permission of the students.

--
Electronic Journalism students
University of Colorado at Boulder
Instructor Bruce Henderson
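
[Added example, not part of the original post or the digest: a
receiver-side check for the situation described above, where the From:
address on a message is not proof of who sent it.  It assumes a modern
receiving server that stamps an Authentication-Results header (SPF, DKIM
and DMARC postdate this digest); the host names, the sample messages and
the exact-match domain comparison are constructed for illustration.]

```python
import re
from email import message_from_string
from email.utils import parseaddr

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if missing."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def trusted_results(msg, authserv_id):
    """method -> result from Authentication-Results headers stamped by our
    own receiving server; headers naming any other server are ignored,
    because the sender can insert those itself."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        server, _, rest = value.partition(";")
        if server.strip().lower() != authserv_id.lower():
            continue
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest):
            results.setdefault(method, result.lower())
    return results

def assess(raw, authserv_id):
    """Return the reasons not to trust the From: address (empty if none)."""
    msg = message_from_string(raw)
    findings = []
    env_dom = domain_of(msg["Return-Path"])
    if env_dom and env_dom != domain_of(msg["From"]):
        findings.append("envelope sender domain differs from From: domain")
    if trusted_results(msg, authserv_id).get("dmarc") != "pass":
        findings.append("no trusted dmarc=pass result")
    return findings

# Constructed samples (not real traffic). The first borrows someone else's
# From: address and carries a self-inserted "pass" header.
BORROWED = """\
Return-Path: <sender@campus-lab.example>
Authentication-Results: relay.campus-lab.example; dmarc=pass
Authentication-Results: mx.reader.example; spf=pass; dmarc=fail
From: Some Student <student@university.example>
Subject: E-mail Privacy Alert

body
"""
GENUINE = """\
Return-Path: <student@university.example>
Authentication-Results: mx.reader.example; spf=pass; dkim=pass; dmarc=pass
From: Some Student <student@university.example>
Subject: hello

body
"""

if __name__ == "__main__":
    for name, raw in (("borrowed", BORROWED), ("genuine", GENUINE)):
        print(name, assess(raw, "mx.reader.example"))
```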


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 03 Nov 1994 09:53:18 -0600 (CST)
Subject: South Africa Information Policy Group
Organization: University of Wisconsin-Milwaukee

    From: Carsten Knoch <carsten@julia.pix.za>

Attached is some information about a discussion group in South Africa.
The IPG is currently debating various issues, such as privacy, the
question of a telecomms provider imposed traffic rule (the monopoly
provider seems to have problems with so-called "third party traffic"
crossing leased lines, thereby curbing Internet development), and
networking in schools.

Regards,
Carsten Knoch

 ---------------snip--------------------------------------------------

The Information Policy Group (IPG) is a loose and transdisciplinary
group of networking, computer, and telecommunications professionals in
South Africa and beyond. Its participants discuss issues revolving
around an information and networking policy for South(ern) Africa.  The
group also attempts to find practical suggestions towards solutions of
networking problems in areas such as school, university, commercial,
NGO, and governmental networking. Lastly, the group fosters `human
networking', and understands itself as a contact basis between people
in South Africa and abroad who share its interests.

The guiding principle that technology alone cannot solve all social
problems, and a keen awareness of the socially responsible use of such
technologies, as well as the realisation of the importance of making
and implementing sound policies in these areas after the political
changes in South Africa is what brought a number of networking
professionals together in July 1994 to form the group as a private
initiative.

The group maintains contacts to a number of other organisations and
individuals in South Africa, the United States, and elsewhere. It is
the group's understanding that input from `the outside' is necessary
and welcome.

---

How to make contact with the IPG:

  The group maintains a mailing list <=> Usenet group gateway in which
  its discussions take place. Mail to

  info-policy-request@proxima.alt.za

  Subject: subscribe

  in order to subscribe to the mailing list. Alternatively, point your
  newsreader to the group `za.info-policy' to view the Usenet group.

  In order to unsubscribe from the mailing list, send a message to the
  same address, with

  Subject: unsubscribe

  Posts to the list should be addressed to

  info-policy@proxima.alt.za

  There is a gopher site at gopher.proxima.alt.za (port 70), to which
  either gopher or Telnet connections are accepted. When logging in
  using Telnet, type: `gopher' at the `login:' prompt. No password is
  required.

 ------------Carsten Knoch-------------carsten@julia.pix.za-----------
 ------------tel.27.11.792.5687--------fax.27.11.339.1388-------------


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 26 Sep 1994 12:45:51 -0500 (CDT)
Subject: Info on CPD, Contributions, Subscriptions, FTP, etc.
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa.  The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution.  As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute.  If you
do so, it is best to modify the "Subject:" line of your mailing.

Contributions generally are acknowledged within 24 hours of
submission.  An article is printed if it is relevant to the charter of
the digest.  If selected, it is printed within two or three days.  The
moderator reserves the right to delete extraneous quoted material.  He
may change the subject line of an article in order to make it easier
for the reader to follow a discussion.  He will not, however, alter or
edit or append to the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite.  The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.

Mosaic users will find it at gopher://gopher.cs.uwm.edu.

Older archives are also held at ftp.pica.army.mil [129.139.160.133].

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of:     Computer Privacy Digest
Professor of Computer Science     |                  and comp.society.privacy
University of Wisconsin-Milwaukee | Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher:                 gopher.cs.uwm.edu 
levine@cs.uwm.edu                 | Mosaic:        gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------


------------------------------

End of Computer Privacy Digest V5 #057
******************************