Date:       Mon, 22 May 95 13:07:49 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V6#048

Computer Privacy Digest Mon, 22 May 95              Volume 6 : Issue: 048

Today's Topics:			       Moderator: Leonard P. Levine

                           Re: Health Privacy
                      Re: What are the VISA Codes?
                        Re: Nautilus, PLEASE....
                      Re: Nautilus, PLEASE. [long]
                 Info on CPD [unchanged since 12/29/94]

----------------------------------------------------------------------

From: Robert Gellman <rgellman@cais.cais.com>
Date: 21 May 1995 22:54:09 -0400 (EDT)
Subject: Re: Health Privacy

Peter Marshall posted a very interesting message about the consequences
of consenting to the disclosure of medical records that are part of
standard auto policies.  The problem is even worse than he (and the
author of the posted message) suggested.

By consenting to the disclosure of your medical record in this
(coerced) fashion, you may also have waived any physician-patient
privilege that may have been available to protect your privacy.  Since
you have consented to a disclosure in some way, you have also waived
your interest in confidentiality and therefore waived the privilege.

The standard consent forms for submitting payment claims to health
insurers are also typically very broadly written to favor the rights of
the insurance company.

That is the bad news.  The perverse good news is that the privilege
isn't really worth much of anything so you are not losing much.  The
privilege offers NO protection against routine disclosures of medical
records to public health officials, law enforcement agencies,
employers, inspectors general, auditors, health database organizations,
researchers, cost containers, outcomes researchers, computer service
companies, and other major institutions that make regular use of
identifiable health records.

For whatever it is worth, a proposed federal bill (Fair Health
Information Practices Act -- H.R. 435) would make many consents to
disclosure only valid for 30 days.

Bob Gellman
Privacy and Information Policy Consultant
Washington, DC
rgellman@cais.com


------------------------------

From: gmcdouga@arn.net (Gerald)
Date: 22 May 1995 03:39:31 GMT
Subject: Re: What are the VISA Codes?
Organization: ARNet, Inc.

    bo774@freenet.carleton.ca says:  The caller said my friend had won
    (at least) $2500 worth of prizes... The grand prize was a car and
    she was one of only 5 finalists.  All that was required was a small
    ($750) purchase made with her (my friend's) visa card.

And I'll bet she hadn't even entered any contest.

There is an unbelievable number of gullible people out there.  I truly
feel sorry for them, yet they DO ask for it.

On one of the night-time news shows last week they had coverage on
various phone scams of this nature.  A couple of the victims were
scammed 2 or 3 times.

Remember the glorious line in "The Magnificent Seven" (Eli Wallach) "If
God didn't want them shorn, why did He make them sheep."

Too often these poor suckers forget that "If it sounds too good to be
true, it probably IS."  They let "something for nothing" blank out the
only true slogan in this area: "There ain't no such thing as a free
lunch."

This seems like a classic scam - newer but nonetheless classic.  But
people still bite for the "Pigeon Drop" and the "Gypsy Switch" every
day.


------------------------------

From: banisar@epic.org (Dave Banisar)
Date: 22 May 1995 08:37:53 -0400
Subject: Re: Nautilus, PLEASE....
Organization: EPIC

    Tsled@aol.com wrote: About a week and a half ago I read an article
    about a program called NAUTILUS.  I am trying to find where it can
    be found, can you help me P-L-E-A-S-E !!!  I thank you ahead of
    time for your help in this matter.

Nautilus and several other popular encryption programs are available from
ftp://FTP.CSN.ORG/mpj/README or http://epic.org/privacy/tools.html.

--
Dave Banisar
EPIC


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 22 May 1995 08:39:38 -0500 (CDT)
Subject: Re: Nautilus, PLEASE. [long]
Organization: University of Wisconsin-Milwaukee

Taken from RISKS-LIST: Risks-Forum Digest  Saturday 13 May 1995  
Volume 17 : Issue 12 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS 
AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and
Public Policy, Peter G. Neumann, moderator

    Date: 11 May 1995 15:43:02 -0400
    From: simsong@acm.org (Simson L. Garfinkel)
    Subject: Nautilus foils wiretaps

PC SOFTWARE FOILS WIRETAPS  5/10/95
By SIMSON L. GARFINKEL
Special to the Mercury News

As the U.S. Senate debates granting the Federal Bureau of
Investigation new powers to wiretap personal communications, three
West Coast computer programmers have planned their own preemptive
strike: a free program, distributed on the Internet, that renders
legal and illegal wiretaps useless.

The programmers, Bill Dorsey of Los Altos, Pat Mullarky of
Bellevue, Wash., and Paul Rubin of Milpitas, plan to release today a
program that turns ordinary IBM-compatible personal computers
into an untappable secure telephone. It uses an encryption
algorithm called ''triple-DES'' that is widely believed to be
unbreakable.

''Electronic surveillance by the government is on the rise,'' 
says Dorsey, the group's lead programmer. ''There also exists an 
equally large threat from the private sector as well: industrial
espionage. Foreign governments are interested in wiretapping and 
getting information out of our high-tech firms.''

Called Nautilus, the program is being released as an attack on 
the Clinton administration's national encryption standard, the 
Clipper chip. Civil rights groups have criticized the Clipper 
initiative, since the federal government holds a copy of every
chip's master key and can use that key to decrypt -- or decode -- 
any Clipper-encrypted conversation. But since the keys used by 
Nautilus to encrypt conversations are created by users, the 
government does not have a copy.

A nod to Jules Verne

Nautilus has another advantage over Clipper: Whereas AT&T's
Clipper-equipped Telephone Security Devices Model 3600 costs
$1,100, Nautilus is a free program.

''You don't need any special expensive hardware for it. You just 
use ordinary PCs,'' says Rubin.

The name ''Nautilus'' was taken from Captain Nemo's submarine in 
the Jules Verne novel, ''20,000 Leagues Under the Sea.'' But 
whereas Nautilus the sub was used to sink Clipper ships, the 
programmers hope that their creation will sink Clipper chips.

To use Nautilus, both participants must have a copy of the
program and an IBM PC-compatible computer equipped with a Sound
Blaster card and a high-speed modem. The two participants must
also agree upon a series of words called a ''pass phrase,'' which
is used to encrypt the conversation.  Both participants run the
program and type in the pass phrase; one person instructs their
computer to place the telephone call, the other instructs their
computer to answer.

Once the call is in progress, either user must press a key on 
their computer in order to speak, similar to using a hand-held 
radio. But unlike walkie-talkies, the users can interrupt each 
other.

Could help criminals

Such innovations could lead to conversations that would be
practically foolproof from eavesdropping, either by pranksters or
the government. It could become invaluable in future years to
financial institutions and other corporations involved in
sensitive negotiations.

''It will certainly be beneficial to many citizens and many other
users of it,'' says Jim Kallstrom, assistant director of the
Federal Bureau of Investigation's New York field office. ''I
suspect that it also will be beneficial, unfortunately, to
criminals.

''I would hope the extremely enterprising and smart people that 
we have in this country would work toward solutions that would 
not only protect the communication of citizens . . . but would 
also allow the law enforcement objectives to be maintained.''

Rubin stressed that while Nautilus was a challenge to write, it 
''isn't rocket science.'' Much of the program, in fact, was 
assembled from parts that already were available on the Internet, 
the worldwide network of computer networks. It will even be 
easier to construct programs similar to Nautilus once Microsoft 
releases its computer telephony system for Windows 95. ''It will 
be impossible to keep a program like Nautilus out of the hands of 
people who want it,'' Rubin said.

Gene Spafford, a professor of computer science at Purdue
University who is an expert on computer security, said: ''It will be
interesting to see what reaction this provokes from the
government.'' Nevertheless, Spafford said, in order for encryption to
be widely adopted, it will have to be ''built into the phones.''

Dorsey said that anybody in the United States who has Internet
access can download the program. For the instructions, use the
Internet FTP command to connect to the computer FTP.CSN.ORG.
Change to the ''mpj'' directory and retrieve the file called
README. Use a text editor to read the README file, which contains
some fairly complex instructions on how to get the actual
Nautilus file.

This computer has been set up so that the program cannot be 
downloaded by people located outside the United States. ''I 
intend to follow all laws regarding the release of 
cryptography,'' he said.


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 29 Dec 1994 10:50:22 -0600 (CST)
Subject: Info on CPD [unchanged since 12/29/94]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa.  The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.  

This digest is a forum with information contributed via Internet
eMail.  Those who understand the technology also understand the ease of
forgery in this very free medium.  Statements, therefore, should be
taken with a grain of salt and it should be clear that the actual
contributor might not be the person whose email address is posted at
the top.  Any user who openly wishes to post anonymously should inform
the moderator at the beginning of the posting.  He will comply.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution.  As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute.  If you
do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored.  They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious.  Diversity is welcome, but not personal attacks.  Do
not include entire previous messages in responses to them.  Include
your name & legitimate Internet FROM: address, especially from
 .UUCP and .BITNET folks.  Anonymized mail is not accepted.  All
contributions considered as personal comments; usual disclaimers
apply.  All reuses of CPD material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy,
publications using CPD material should obtain permission from the
contributors.  

Contributions generally are acknowledged within 24 hours of
submission.  If selected, they are printed within two or three days.
The moderator reserves the right to delete extraneous quoted material.
He may change the SUBJECT: line of an article in order to make it
easier for the reader to follow a discussion.  He will not, however,
alter or edit or append to the text except for purely technical
reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite.  The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.

Mosaic users will find it at gopher://gopher.cs.uwm.edu.

Older archives are also held at ftp.pica.army.mil [129.139.160.133].

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of:     Computer Privacy Digest
Professor of Computer Science     |                  and comp.society.privacy
University of Wisconsin-Milwaukee | Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher:                 gopher.cs.uwm.edu 
levine@cs.uwm.edu                 | Mosaic:        gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------


------------------------------

End of Computer Privacy Digest V6 #048
******************************