Date: Thu, 24 Nov 94 09:44:01 EST
Errors-To: Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From: Computer Privacy Digest Moderator <comp-privacy@uwm.edu>
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V5#066
Computer Privacy Digest Thu, 24 Nov 94 Volume 5 : Issue: 066
Today's Topics: Moderator: Leonard P. Levine
Help for a College Student
Phone Provider Hijacking
Re: Forged Internet Email
Re: Forged Internet Email
Sprint Voice Phone Card: Be Careful!
Story on Privacy Abuses & Stalking
Re: Corporate Electronic Communications Policy
Cell-Phone Ergonomics Side-effect
Essay: The Right to Privacy
Security is not Privacy
2nd Intl Conf InfoWar--Call for Registration
Info on CPD, Contributions, Subscriptions, FTP, etc.
----------------------------------------------------------------------
From: sun!gerber@uunet.uu.net (Tanja Gerber)
Date: 23 Nov 1994 04:28:28 GMT
Subject: Help for a College Student
Organization: Lewis and Clark College, Portland OR
I am writing a paper about privacy and access to information on the
Internet. I am interested in electronic medical records, credit
reports and personal privacy rights. If anyone with knowledge
concerning these topics or anything pertaining to my plight would like
to send me information- I'd appreciate the help.
------------------------------
From: zsharadg@cae.ca (Sharad Gupta)
Date: 23 Nov 94 08:20:31 EST
Subject: Phone Provider Hijacking
On the CBC News last night, they reported that rival long distance
providers are hijacking each other's customers without notice or
consent. The good news is that if this happens to you, (in Canada
anyways), you don't have to pay any bill from the hijackers. You do
have to switch back to your original provider as soon as you figure it
out though. ("But I normally charge $3000 in overseas calls every
day.")
In Canada, to find out who your provider it, dial 1-700-555-4141. The
call is free, and it does work from here, (514-land).
--
Sharad Gupta <zsharadg@cae.ca>
------------------------------
From: "Dennis G. Rears" <drears@Pica.Army.Mil>
Date: 23 Nov 94 11:31:59 EST
Subject: Re: Forged Internet Email
Somebody wrote:
From: mr.rogers@the_place_to_be_.nut
Date: 19 Nov 94 20:24:47 PST
Subject: Forged Internet Email
This is another example of how simple it is to forge messages.
What I really found as shocking was how just about anyone on a
ny kind of computer can pull it off.
To which the moderator replies: [extensive moderator comment: The
author of the above did actually sign with a name and a reasonable
looking email address. I have removed them since what I say below
could easily be considered offensive and there is no reason to put
him or her to embarassment if, in fact, the name is not that of the
actual forger.
Internet mail has always been easy to forge. I am surprised that
people are just realizing this now. That's one of the reasons why
things like digital signatures are being developed. To forge internet
mail you just open a smtp connection (telnet hostname 25) to anyhost,
use commands like helo, mail, rcpt, and data. Some people might say I
shouldn't say this but it has been public for the 10 years I have been
on the net. I got my share of forged messages when I was moderator of
this forum.
A good sysadmin can detect most forgeries by looking at the recieved
lines and dates. Of course if a person was extremely knowledgable he
could massage the headers properly.
--
dennis
------------------------------
From: <helix@solaria.mil.wi.us> "Robert Radvanovsky"
Date: 23 Nov 1994 12:49:13 -0600 (CST)
Subject: Re: Forged Internet Email
It is utterly amazing how the world of internetworking has gone this
far. And what is worse is that it has not yet reached it's crux. I
first started out on "The Net" in 1984 when it was still under the
direction of ARPA (Advanced Research Project Agency), part of the DoD
(Department of Defense) in searching new methods to sending network
traffic in a reliable and efficient manner. Part of the problem was
that hackers got a whiff of its capabilities.
I was one of them. I don't deny it, yes, I am a hacker (sounds almost
like Hacker's Anonymous, eh?). Somehow between there and here it was
decommissioned from DoD and placed into the loving hands of the NSF
(National Science Foundation). Only within the past several years has
it started to get really out of hand when the NSF has "sold" the
Internet to commericial holders.
Speaking from several observations, there is a new breed of hacker
today, one that would, could (and can be) deemed as a formed of
"network terrorist" (or if you will, a "hacker terrorist"). There are
several unwritten "codes of ethics" between hackers, many of whom play
mind games of the sort -- but between each other. You might say that
many of the perils that were (and still are) associated with hacking
belongs to a brotherhood of computer enthusiats and digital
undergrounders. The problem is that we've now opened the front door
and are very unsure about who (or what) may be lurking out there.
Many of the older hacks that still lurk out there, are listening and
shaking their heads as to what has been going on within the past
several years. The problem is is that children (and even some adults
that haven't grown out of their childhood) now have reached the stage
of "playing" (and I do mean this literally) from a single stand-alone
computer to a multiple-connection networked computer port. Instead of
playing "Ms. Pacman" or "Donkey Kong" on their lone 286 turbo-thrusted,
3gy-x11 super-glorified, exponentionally enhanced VGA with super
800x640 super VGA graphics on a French toast bun these hackers have
gone to playing MUD games at MIT, bounced through Berkeley, then
Taiwan, then the South Pole, then through Finland, then finally to MIT
via their 986 super-duper enhanced in-yo-face-and-yer-moma all-American
TCP/IP SLIP (wooooo-wooooo) via 96.45612341 KB modem on a vanilla toast
crunch bar with 24 hours of Coke (yup, the REAL thing) to top it off.
Whew!
I feel that a good chunk of these "hackers" still feel that they are
playing games. What took me a long time to get right within my whittle
bwain was that (and I quote) "... if you want something REALLY bad,
just ASK FOR IT!". Many folks feel that they want to bypass the
system. By doing so, not only are they hurting those who are their
victims (eventually), but the system as a whole as there would have to
be additional security measures, costs, etc. placed into effect to
prevent future situations from occurring again. Secondly, in many
cases, it is probably better just to pay the stinking $0.29 cents than
to spend $3.50 to avoid paying for a postage stamp. What's wrong with
this picture boys and girls? I'm just throwing up some numbers from an
example of a fellow gent who bragged about "beating the system".
Is it really worth it? To some, the answer is "yes". To some, they
feel that the risk of skirting the "feds" and avoiding jail is the
ultimate thrill. Personally, I'd rather live a life being content and
spending time with a loved one than having worry about which route to
take to avoid being caught.
DISCLAIMER:
My opinions are my own and do not reflect those opinions and/or
thoughts of my current employer.
------------------------------
From: John Kwiatkowski <0007152212@mcimail.com>
Date: 23 Nov 94 18:13 EST
Subject: Sprint Voice Phone Card: Be Careful!
I recently received my first voice phone card from Sprint about two
weeks ago or so.I called the 800 number and set it up. After about a
week of using it,I decided to really put it to the test. Since the
literature says that voice prints are unique and no one would ever be
able to steal your voice,I gave the number to a trusted friend of mine
and on three way we called the 800 number to place a call. Only
instead of me saying my voice phone card number,my friend did. The
Sprint Voice system responded "..PLACE CALL...". I almost fell off the
chair! So we tried it again...worked! We called another person with a
totally whiny voice that we know and she tried it. IT WORKED AGAIN!
I called Sprint.They said that what I told them is impossible.It can
not happen! So,the Sprint representative tried it for herself.IT
WORKED AGAIN! She was all embarrassed.She said she'd have my account
reset and I should re-set up my initial voice recognition procedure
again. I did! I used the card for another week and a half...a lot.
Today we tried to fool the system again..IT WORKED! WE FOOLED IT
AGAIN. The Sprint Voice Phone Card is a scam! They charge you extra
per month just to have this "securest phone card that exists" and
absolutely anyone can use it if they have your phonecard number and the
800 number to use. Also,when calling about my account,the
representative I talked to just gave away info on my account like the
person talking to her was absolutely,undoubtedly me and not an
imposter.She never verified anything before giving out info on the
account. BE CAREFUL OF THE SPRINT VOICE PHONE CARD!IT IS NOT SECURE!
--
John Kwiatkowski
------------------------------
From: wdiv@aol.com (WDIV)
Date: 23 Nov 1994 12:30:07 -0500
Subject: Story on Privacy Abuses & Stalking
Organization: America Online, Inc. (1-800-827-6364)
We are a television news crew working on a two part series that details
victims of electronic stalking and other invasions of their privacy.
We would like to hear from people who have suffered from these types of
abuses. We're also interested in what software and hardware is
available to the general public to harass, stalk or rip-off others
throught their computer. Please call us at 313-222-0520 ask for Mary
Ann. Or send private E-mail. We would appreciate any and all help
that we could get.
------------------------------
From: ingramm@cognos.COM (Mark Ingram)
Date: 07 Nov 1994 16:41:38 -0500
Subject: Re: Corporate Electronic Communications Policy
rj.mills@pti-us.com (Dick Mills) writes: The following is a
corporate policy proposed for adoption at my company. The purpose
of the policy is to protect the company from lawsuits. The fear of
lawsuits was prompted by press reports of workers in California who
sued because their company had inspected their "private" email
records. What do followers of comp-privacy have to say about this
policy as written?
Hmmmmm. Aren't you forgetting the hidden microphones and video cameras
in the bathroom? After all, that's company property too.
--
Mark.
------------------------------
From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 24 Nov 1994 08:12:07 -0600 (CST)
Subject: Cell-Phone Ergonomics Side-effect
Organization: University of Wisconsin-Milwaukee
Taken from RISKS-LIST: RISKS-FORUM Digest Tuesday 22 November 1994
Volume 16 : Issue 57 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND
RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G.
Neumann, moderator
Date: 16 Nov 94 16:52:30 EST
From: rstanley@sybase.com (Robert Stanley)
Subject: Cell-phone ergonomics side-effect
Yesterday evening I returned home from work and, as usual, checked the
answering machine on my normal voice telephone. Much to my surprise,
I heard a somewhat muffled background conversation that I soon identified
as that afternoon's conference in the office. This filled the tape to
the end, and had caused several later calls to be rejected.
[aside #1: I hate these damn micro-cassette systems that only allow
ten or fifteen minutes of message time, but they have become
ubiquitous!]
Two aspects of this message puzzled me: how had it found its way to my
answering machine, and why was it so muffled? The office has just completed
installing a high-tech AT&T digital phone system with all sorts of fancy
features, but I know that the trunk-to-trunk transfer features have all been
disabled for security reasons. It is therefore not possible for our
conference call link to another office to have been forwarded to my home
phone. The only possible way for my phone to have been included in the
conference would have been for it to have initiated the call (and then
worked its way through a set of control codes.)
[aside #2: my former answering machine, which used real C-90 cassettes,
did have the unfortunate habit of occasionally calling back
the last number to have dialed it! Another story, and one
which can wait for a rainier day to tell.]
[aside #3: the idea of disabling trunk-to-trunk switching to prevent
improper (read: malicious cracker) usage really demonstrates
the lack of thought that goes into much of what today passes
for the design process. Hey, just compile it and debug it,
that way you'll be *doing* something...]
Investigation at the office yielded disbelief followed by stunned surprise.
No one had forwarded the phone, and my home phone number was not programmed
onto any button in the system. However, we all rush to the documentation
to check into just how the remote monitor feature works, and try to recall
whether any visible telltales had been lit to indicate monitoring.
Finally, light dawns. A colleague's tiny Nokia cell-phone in his shirt
breast pocket. He had called me at home earlier, and the phone has a last
number redial button. The phone, non-folding, slipped into his shirt pocket
with the controls outermost, had somehow had that button tripped, and had
happily held the line open to my answering machine. The muffled broadcast
was entirely attributable to the small microphone and the cotton pocket
between it and our conference table.
However, it is an extraordinarily sobering experience to hear a sensitive
work discussion issuing hours later from the speaker of your home voice
messaging system.
A number of risks here, but the predominant one seems to be the conflict
between added function and reduced footprint of portable cell-phones leading
to the creation of unergonomic control systems. This is exacerbated by the
novel situations to which the diminished footprint can give rise. This is
surely the first generation of cell-phones that are sufficiently small (a)
to be droppable into a toilet, and (b) actually flushed out of reach...
Robert Stanley - robert.stanley@sybase.com
------------------------------
From: gmcgath@condes.MV.COM (Gary McGath)
Date: 22 Nov 1994 23:18:41 GMT
Subject: Essay: The Right to Privacy
Organization: Conceptual Design
Defining and Upholding the Right to Privacy
By Gary McGath
The right to privacy is less clear in many people's minds than such rights
as freedom of speech and ownership of property, and of late it has come
under attack by elements of our government which claim that fighting crime
requires compromising people's privacy. But as I propose to show in this
essay, the right to privacy is as important a part of our liberties as
any other guarantee in the Bill of Rights.
All rights must be understood as growing out of, and existing in the
context of, the need of each individual to act autonomously in
furtherance of one's own existence. Ayn Rand wrote: "A 'right' is a
moral principle defining and sanctioning a man's freedom of action in a
social context. There is only *one* fundamental right (all the others
are its consequences or corollaries): a man's right to his own life."
Derivative rights include liberty (including freedom of speech, the
press and religion) and property rights (the right to keep and use what
one has produced or acquired in trade).
What freedom of action is subsumed by the right of privacy? The freedom
to withhold information from others. Living successfully requires being
able to withhold information from those who might use it injuriously
(for example, not letting robbers know that you are carrying a lot of
money) and being able to use one's knowledge and its products in trade
(for example, being able to sell the source code to a computer program,
which would not be possible if potential buyers already had access to
it).
Like any right, the right to privacy exists within a context of
rights: one's own and those of others. It does not apply when one has
freely waived one's privacy as part of a contract, nor does it apply
when its exercise entails a violation of the rights of others. For
example, a vendor selling tainted food could not claim that the right
to privacy justifies withholding the information that the food is bad.
But in the absence of clearly countervailing requirements based on the
rights of others, one has the right to withhold any information one
possesses from other people, and to take reasonable steps to insure its
security.
The Fourth Amendment to the U.S. Constitution does not name the right
to privacy as such, but guarantees an important aspect of it: "The
right of the people to be secure in their persons, houses, papers, and
effects, against unreasonable searches and seizures, shall not be
violated, and no Warrants shall issue, but upon probable cause..." The
Fifth Amendment's guarantee that no person "shall be compelled in any
criminal case to be a witness against himself" also relates to this
right. Even criminals may not be required to provide the evidence to
convict themselves.
The opponents of a strong interpretation of the right to privacy argue
that it must be balanced against the requirements of law enforcement.
It is more important, they argue, to punish and restrain criminals than
it is to guarantee complete privacy to everyone. This claim can be
challenged both on ethical and practical grounds.
Ethically, such a policy is wrong because it violates the rights of the
innocent in pursuit of the guilty. A government which injures people
who have not committed any act that violates the rights of others is on
moral quicksand when it offers the excuse that it is hunting people who
do the same thing. Our government takes great pains not to jail
innocent people for the sake of making sure all the guilty ones are
convicted; but when it seeks to limit innocent people's privacy for
that reason, it is committing the same kind of evil which it works hard
to avoid in the courtroom.
On practical terms, letting the government take away our privacy for
the sake of pursuing criminals only encourages it to invent more kinds
of crimes. Crimes which involve an actual violation of people's rights
-- murder, theft, rape, and so on -- are by their nature not private
matters. They involve another person, a victim. But victimless crimes
involve only the people who consent to the illegal action. It is
primarily victimless crimes whose prosecution is aided by the denial of
the right to privacy. When governments have the means to prosecute
private actions among consenting adults, they will be more inclined to
do so than if they have no way to find out that those actions
occurred.
Compromising the right to privacy also invites a constant stream of
governmental intrusion into our lives. Once the government gets its
foot in the door by any excuse, it will by its nature expand its power
until somehow checked. Consider the U.S. Census. The Constitution made
provision for a census for two purposes: to establish representation in
Congress and to allocate taxes based on enumeration. The second of
these reasons is obsolete with today's tax structure. Two simple
questions would be enough to establish the purpose of the census: "Who
are you?" and "Where do you live?" Nor is there any good reason to
punish those who refuse to respond; they are only reducing their own
state's representation in Congress. Yet today's U.S. Census contains a
vast array of questions about private information, and those who refuse
to answer can legally be punished (though few are).
The privacy debate has taken on a new form in modern society as
computer technology has made it feasible for anyone to encrypt messages
so securely that they are virtually unbreakable. Yet the substance of
the issue has not changed. There is no real difference between
encrypting a message and hiding it away, except that the "hiding" is
done by logical rather than physical means. When one person sends a
message to another, they are under no obligation to enable third
parties to understand what is going on.
People can conceal information in messages by many means besides
mathematical encryption. They can use slang and jargon, make use of
code names, make personal allusions which are meaningless to others, or
withhold essential information which the recipient already possesses.
If it is reasonable for the government to outlaw encryption, it is
equally reasonable for it to require that people communicate only in
conventional English and to fully explicate the meaning of all their
communications for the benefit of any FBI eavesdropper.
Most people would immediately see the Draconian nature of such
requirements; but encryption is something less personal and familiar,
so they do not view it in the same way. But the same issue is involved:
the right to withhold information from those who don't have a specific
right to demand it. This is the essence of the right to privacy.
--
Gary McGath
gmcgath@condes.mv.com
------------------------------
From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 24 Nov 1994 08:13:41 -0600 (CST)
Subject: Security is not Privacy
Organization: University of Wisconsin-Milwaukee
Taken from RISKS-LIST: RISKS-FORUM Digest Tuesday 22 November 1994
Volume 16 : Issue 57 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND
RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G.
Neumann, moderator
Date: 15 Nov 1994 12:04:08 -0800
From: Phil Agre <pagre@weber.ucsd.edu>
Subject: security is not privacy
*The New York Times* has an article about an attempt by tobacco company
lawyers to subpoena reporters' travel and telephone records in an indirect
attempt to identify their sources for stories asserting that the companies
deliberately added nicotine to their cigarettes.
William Glaberson, A libel suit raises questions about the ability of
journalists to protect sources in the electronic age, *The New York Times*,
14 November 1994, page C10.
Many readers of RISKS probably remember other attempted strategic uses of
the discovery process by tobacco companies, including at least one attempt
to subpoena raw survey data from smoking researchers and an attempt to
obtain an electronic mailing list of anti-smoking activists. (Actually, the
article doesn't explicitly say that the companies want the subpoenas issued
as part of the discovery phase of the trial, just that they want them and
the major press organizations are trying to stop them.)
In any event, this case is an excellent example of why data security, while
obviously important, does not guarantee privacy. I am sure that those
travel and telephone records are as secure as they need to be, but that may
not provide enough protection against the legal strategies of tobacco
companies. Maybe this point is obvious to Risks readers, but it is
certainly not obvious to many others, including many of the politicians who
make laws about such things. So remember to let these folks know:
Security is not privacy.
The only guarantee of privacy is anonymity. Fortunately, technologies such
as digital cash to implement anonymity are on their way. Insist that they
be used in any new system that gets developed near you. And spread the
word, because once privacy-invasive systems get standardized and installed
they're hard to regulate and even harder to change.
--
Phil Agre, UCSD
------------------------------
From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
Date: 22 Nov 94 22:38:23 EST
Subject: 2nd Intl Conf InfoWar--Call for Registration
CALL FOR REGISTRATION
[Please post where appropriate.]
Second International Conference on Information Warfare:
Chaos on the Electronic Superhighway
Conference Date: Wed-Thu 18-19 January 1995
Conference Locale: Dorval Airport Hilton Hotel
Montreal, Canada
1. INTRODUCTION
Cultures that depend on information systems are vulnerable to
Information Warfare. Attacks on data confidentiality and
possession, integrity and authenticity, and availability and
utility will damage individuals, corporations and other private
organizations, government departments and agencies, nation-states
and supranational bodies.
It is essential to erect legal, organizational, and cultural defences
against information warfare.
Winn Schwartau, author of the new book, _Information Warfare:
Chaos on the Electronic Superhighway_, published in 1994 by
Thunder's Mouth Press (ISBN 1-56025-080-1), has defined three
levels of information warfare:
Level one: interpersonal damage. Damage to individuals in
recent cases includes impersonation in cyberspace (e.g., false
attribution of damaging communications), appropriation of credit
records (for fraud and theft), harassment (e.g., interruption of
phone services) and loss of privacy (e.g., theft of medical records).
Level two: intercorporate damage. In a recently reported case, a
ring of criminal hackers stole the telephone calling cards of
100,000 subscribers to MCI, AT&T, and Sprint. These thefts are
estimated to have resulted in $50 million of fraudulent long
distance calls. In this case, a switch engineer working for MCI is
accused of having inserted Trojan horse software to record
calling-card numbers passing through MCI's telephone switching
equipment. Other recent attacks include data leakage of
confidential information with high competitive value in the
automotive and airline industries.
Level three: international and inter-trading block damage. The
World Trade Center bombing caused more economic loss through
interference with business communications and information
processing than it did by physical damage to the building. It is
inconceivable that terrorist organizations and nations are unaware
of the low cost and minimal risk of attacks on information
infrastructure compared with physical attacks. On a global scale,
an aggressive trading block could acquire significant competitive
advantage over an entire society by corrupting widely-used software
(e.g., inserting code in a spreadsheet or accounting package to
introduce occasional random errors) or even inserting logic bombs
into microcode for new processors. The collapse of the Soviet bloc
has made thousands of skilled programmers available for such
subversion.
[considerable material deleted by moderator]
For further information, including updates on panelists,
send email to 75300.3232@compuserve.com
or call (514) 695-4968
or FAX (514) 695-7393
or send snailmail to
JINBU Corporation
17 Merineau
Kirkland, QC
Canada, H9J 3V7.
------------------------------
From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 26 Sep 1994 12:45:51 -0500 (CDT)
Subject: Info on CPD, Contributions, Subscriptions, FTP, etc.
Organization: University of Wisconsin-Milwaukee
The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa. The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.
If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution. As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.
On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute. If you
do so, it is best to modify the "Subject:" line of your mailing.
Contributions generally are acknowledged within 24 hours of
submission. An article is printed if it is relevant to the charter of
the digest. If selected, it is printed within two or three days. The
moderator reserves the right to delete extraneous quoted material. He
may change the subject line of an article in order to make it easier
for the reader to follow a discussion. He will not, however, alter or
edit or append to the text except for purely technical reasons.
A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite. The archives
are in the directory "pub/comp-privacy".
People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.
Mosaic users will find it at gopher://gopher.cs.uwm.edu.
Older archives are also held at ftp.pica.army.mil [129.139.160.133].
---------------------------------+-----------------------------------------
Leonard P. Levine | Moderator of: Computer Privacy Digest
Professor of Computer Science | and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu
| Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu | Mosaic: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------
------------------------------
End of Computer Privacy Digest V5 #066
******************************
.