Date:       Thu, 11 Jan 96 17:22:15 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V8#005

Computer Privacy Digest Thu, 11 Jan 96              Volume 8 : Issue: 005

Today's Topics:			       Moderator: Leonard P. Levine

                  FLASH: Phil Zimmermann Case Dropped!
                   Privacy, DBMS's and Client Server
                            Re: Spy Viruses
                           Re: Breasts on AOL
                 Re: Checking Account Status is Public
                    Canadian Social Insurance Number
                        Re: Gas Station Receipts
                 Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: Declan McCullagh <declan@eff.org>
Date: 11 Jan 1996 14:36:09 -0800 (PST)
Subject: FLASH: Phil Zimmermann Case Dropped!

This is FABULOUS news! Please distribute widely!

--
Declan
// declan@eff.org // My opinions are not in any way those of the EFF //

    From: Philip Zimmermann <prz@acm.org>
    Date: 08 Jan 1996 03:35:46 -0700 (MST)
    Subject: Zimmermann case is dropped.

 -----BEGIN PGP SIGNED MESSAGE-----

My lead defense lawyer, Phil Dubois, received a fax this morning from
the Assistant US Attorney in Northern District of California, William
Keane.  The letter informed us that I "will not be prosecuted in connection
with the posting to USENET in June 1991 of the encryption program
Pretty Good Privacy.  The investigation is closed."

This brings to a close a criminal investigation that has spanned the
last three years.  I'd like to thank all the people who helped us in
this case, especially all the donors to my legal defense fund.  Apparently,
the money was well-spent.  And I'd like to thank my very capable defense
team:  Phil Dubois, Ken Bass, Eben Moglen, Curt Karnow, Tom Nolan, and Bob
Corn-Revere.  Most of the time they spent on the case was pro-bono.  I'd
also like to thank Joe Burton, counsel for the co-defendant.

There are many others I can thank, but I don't have the presence of mind
to list them all here at this moment.  The medium of email cannot express
how I feel about this turn of events.

  -Philip Zimmermann
   11 Jan 96



------------------------------

From: kkirk@compumedia.com
Date: 09 Jan 1996 02:29:24 GMT
Subject: Privacy, DBMS's and Client Server
Organization: Compumedia, Inc.

I am putting together an article on the 'new' issues of Client Server
database access to corporate databases/warehouses.

One of the major issues is security.

Example:  Joe User has access to public records at a school district,
including name, address and phone number information.

Joe User downloads this information into an Access database, makes a
copy to a ZIP drive, and takes it home to work with.

Joe User's kid gets ahold of this information and makes copies... and
passes them out at school.

Joe Abuser gets a hold of the database, which contains information on
where his estranged wife is hiding.... and....

What I'm looking for is actual, published and documented cases where a
company or organization became liable either civilly or criminally for
releasing information that is considered private and protected.

If you have any references please email me at kkirk@compumedia.com.
Please, no rumours or non-public information.

Appreciate your help!


------------------------------

From: bo774@freenet.carleton.ca (Kelly Bert Manning)
Date: 09 Jan 1996 06:55:54 GMT
Subject: Re: Spy Viruses
Organization: The National Capital FreeNet
References:  <comp-privacy8.4.4@cs.uwm.edu>

    "Prof. L. P. Levine" (levine@blatz.cs.uwm.edu) writes: Syndicated
    columnist Gina Smith predicts a proliferation of computer "spy"
    viruses similar to Microsoft Windows 95's registration wizard that
    can zip around your CPU and determine whether you've legally
    registered all the software you've got loaded on there: "It's
    already possible to do this sort of scanning without alerting the
    user, so it doesn't take much of a futurist to imagine the same
    sort of stealth technology being used on unknowing bulletin board
    and Internet users.  In fact, I think a trend away from
    juvenile-prank computer viruses to information-seeking `spy'
    viruses isn't merely likely, it's inevitable."  (Popular Science
    Dec 95 p12)

According to a CBC Radio "Quirks and Quarks" segment from a few weeks
back a Vancouver company called "Absolute Software" is planning to
offer a "PC Phone Home" product to deter or alleviate theft.

The cure seems to create a worse problem than it solves.

The spokesman for the product claimed that it would work even if parts
of the PC were disassembled and recombined into more than 1 new box.

The claim was that whatever is added in would look for a modem port and
dial a special 1-800- number during idle periods, in such a way that it
wouldn't be noticed by the user of the stolen system.

In fact it would do this on a preset schedule just to verify that it
was working correctly!

If it got stolen CNID/ANI or simply the call billing details would
reveal where it had been moved to. Sounded not too bad up to that
point, but then the spokesman went on to talk about how data from
stolen hard drives could be recovered by phone during one of these
calls, without the user of the stolen drive being aware of the call
being made or the transfer taking place.

I can't imagine an individual or a company with any concern about data
confidentiality that would seriously consider putting something inside
their boxes that is designed to surreptitiously dial out without the user
knowing, and which has the added bonus of covertly dumping data over
the phone line.

--
notice: by sending advertising/solicitations to this account you will be 
indicating your consent to paying me $70/hour for a minimum of 2 hours for
my time spent dealing with it


------------------------------

From: gmcgath@mv.mv.com (Gary McGath)
Date: 09 Jan 1996 12:08:14 GMT
Subject: Re: Breasts on AOL
Organization: Conceptual Design
References: <comp-privacy8.4.2@cs.uwm.edu>

    fyoung@oxford.net (F Young) wrote: Does AOL allow members to use
    PGP to encrypt their e-mails?

I've exchanged PGP encrypted E-mail with AOL users, and have never had
any problems that couldn't be attributed to the usual sources of
confusion.

What is bizarre about AOL is that, while having a fixation on "dirty
words," they will not do anything about defamatory posts. When I had a
subscription there, one nut started making posts on the Religion Forum,
falsely claiming that I was sending him obscene E-mail, and fabricating
quotations. When I complained to the forum sysop, nothing happened;
when I followed up to ask if anything was done, this sysop (known as
Sermoner1) replied that confidentiality rules prevented him from answering my
question -- and that incidentally *I* was violating the rules for
calling this person a "jerk." The lies continued; I cancelled my
account.

At the time, I thought that AOL figured that flamewars increased usage
of the system, while "dirty words" might drive people away, and thus
that they were increasing their revenue by having this policy. But
banning the word "breast" while allowing mildly dirty synonyms doesn't
even have this kind of twisted logic to it.

-- 
Gary McGath      gmcgath@mv.mv.com
http://www.mv.com/users/gmcgath
 I'll lift my voice in a tone unshaken
   And keep on singing until I die! -- Berton Braley


------------------------------

From: tye@metronet.com (Tye McQueen)
Date: 11 Jan 1996 14:41:39 -0600
Subject: Re: Checking Account Status is Public
Organization: Texas Metronet, Inc  (login info (214/705-2901))
References: <comp-privacy8.4.1@cs.uwm.edu>

    "Mark W. Eichin" <eichin@mit.edu> writes: I'm told (by friends who
    are customers there) that University Bank, in Palo Alto CA, also
    provides this service by default; however, if you specifically ask
    them about it, they'll set a "privacy flag" on your account and
    will in fact refuse all such requests.

I'm shocked how many banks have tellers that will divulge any
information about an account or even allow transfers, etc. based solely
on the person knowing the account number(s) and name(s) on the
account(s).  I requested my bank not allow *any* transactions on my
account without photo ID and was surprised that they always asked me
for it from then on.

But that same bank cashed a check in the amount of the full balance of
my friend's account to an unseen individual in the far drive-up lane
based on my friend's driver's license being included with the check.
No camera caught pictures usable for identifying either the car or the
driver who had stolen my friend's purse (netting the DL and check book
w/ balance).

Embarrassingly, a young relative repeatedly stole personal checks from
GrandMa then filled them out and cashed them without presenting ID.  It
took several repeats before they were caught.

I also had to change the "Bank by Phone" PIN from the default SSN to
one of my choosing.

The troubling thing is that all of these ways of accessing my account
are made available by default with little notification.  You can't
afford to not make use of the Bank by Phone or Customer Service Line or
Drive-Thru lanes or in-person tellers because otherwise you don't know
how easy it is for anyone to get at your account and which access holes
you need to try to have plugged.

Utilities (phone, power, etc.) are often even worse.  Most customers
seem to like it this way if asked properly (thinking of convenience
before security).

--
Tye McQueen                 tye@metronet.com  ||  tye@doober.usu.edu
             Nothing is obvious unless you are overlooking something
       http://www.metronet.com/~tye/ (scripts, links, nothing fancy)


------------------------------

From: mbesosa@drake.prometric.com (Michael Besosa)
Date: 11 Jan 1996 16:37:55 GMT
Subject: Canadian Social Insurance Number
Organization: Drake Prometric, L.P.

Can someone point me to a source of information on the Net about the
structure, validation, and permitted uses of the Canadian Social
Insurance number?


------------------------------

From: tye@metronet.com (Tye McQueen)
Date: 11 Jan 1996 14:59:57 -0600
Subject: Re: Gas Station Receipts
Organization: Texas Metronet, Inc  (login info (214/705-2901 - 817/571-0400))
References: <comp-privacy8.4.9@cs.uwm.edu>

    "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu> writes: Over the
    last few months, I have pulled up to self-serve gasoline pumps that
    accept credit card payment, and noticed that a previous customer
    has left behind the receipt that gets printed at the end of the
    transaction. Some pumps make you explicitly hit a button to get a
    receipt, but others do it automatically.

Seven Eleven Citgo stations automatically print a receipt that includes
credit card type, expiration date, and transaction ID #.  No account
number, customer name, etc.

I find this ideal.  I can easily tell which credit card I used for
that transaction, I'm not delayed by having to push a "print receipt"
button during some time window of the transaction, and my privacy is
protected if I forget or lose the receipt.

[They also always have latches so I don't have to stand stooped over in
the weather gripping freezing metal in my bare hand while my tank
fills; and my car gets better mileage than on more expensive brands; so
I'm a happy customer.]

I half wish the ubiquitous little automated credit card systems
attached to most cash registers these days would print such benign
receipts for me to sign.  However, the credit card companies insist on
the full identifying information appearing on such
receipts/authorizations (sufficient information to easily make
fraudulent charges).  They claim this helps them catch fraud but I'm
currently at a loss to explain how.  I say "half wish" because I fear
only including a transaction ID would lead to wider electronic
availability of details of my spending history.

Oh for wide-spread use of little cryptographic challenge/response smart
cards protected by a PIN so I could choose to require one's use before
any of my personal information could be accessed...

--
Tye McQueen                 tye@metronet.com  ||  tye@doober.usu.edu
             Nothing is obvious unless you are overlooking something
       http://www.metronet.com/~tye/ (scripts, links, nothing fancy)


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 08 Jan 1996 14:44:49 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa.  The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.  

This digest is a forum with information contributed via Internet
eMail.  Those who understand the technology also understand the ease of
forgery in this very free medium.  Statements, therefore, should be
taken with a grain of salt and it should be clear that the actual
contributor might not be the person whose email address is posted at
the top.  Any user who openly wishes to post anonymously should inform
the moderator at the beginning of the posting.  He will comply.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution.  As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute.  If you
do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored.  They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious.  Diversity is welcome, but not personal attacks.  Do
not include entire previous messages in responses to them.  Include
your name & legitimate Internet FROM: address, especially from
.UUCP and .BITNET folks.  Anonymized mail is not accepted.  All
contributions considered as personal comments; usual disclaimers
apply.  All reuses of CPD material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy,
publications using CPD material should obtain permission from the
contributors.

Contributions generally are acknowledged within 24 hours of
submission.  If selected, they are printed within two or three days.
The moderator reserves the right to delete extraneous quoted material.
He may change the Subject: line of an article in order to make it
easier for the reader to follow a discussion.  He will not, however,
alter or edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite.  The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.

Web browsers will find it at gopher://gopher.cs.uwm.edu.

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of:     Computer Privacy Digest
Professor of Computer Science     |                  and comp.society.privacy
University of Wisconsin-Milwaukee | Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher:                 gopher.cs.uwm.edu 
levine@cs.uwm.edu                 | Web:           gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------


------------------------------

End of Computer Privacy Digest V8 #005
******************************