Date:       Sun, 19 May 96 09:06:54 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V8#040

Computer Privacy Digest Sun, 19 May 96              Volume 8 : Issue: 040

Today's Topics:			       Moderator: Leonard P. Levine

                              Re: Cookies
                              Re: Cookies
                         Re: An Ethical Dilemma
                         Re: An Ethical Dilemma
                   Re: FDA Approves At-Home HIV Test
                   Re: FDA Approves At-Home HIV Test
                  Georgia Law Could Prohibit Web Links
                     Re: Automated Toll Collection
                     Re: Automated Toll Collection
               Local Ordinances Restrict SSN Identifiers?
                         Re: Tempest Intrusion
                 RISKS: Discussion of Med Privacy Bill
                 Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: Geoff Mulligan <geoff@mulligan.com>
Date: 16 May 1996 22:27:45 -0600
Subject: Re: Cookies

    Sean said: "Fortune program with over 66000 cookies    Size 3006 K"
    It seems to me that these cookies are cookie files from people
    using Netscape Navigator and MSIE.  If so, how can we prevent
    others from getting our 'cookies'? I mean, any other way except
    manually deleting them every time we use a browser.  Is the
    'history' file also downloadable from an unsuspecting user's PC?

Actually these are not "cookies" as the term is used today with
browsers.  The fortune program mentioned (sm186.zip) randomly selects a
witty/funny saying (a cookie) from the file and displays it.  This
program is claiming to contain over 66000 of these "sayings", not
browser cookies.

[moderator: similar comments came from huggins@tarski.eecs.umich.edu
(James K. Huggins), Jim Maurer <jim@specialix.com> and ajm@mcs.com
(Alan Miller)]


------------------------------

From: Jonas Karlsson <Jonas.Karlsson@Mail.Bostaden.Umea.SE>
Date: 17 May 1996 00:04:10 +0200
Subject: Re: Cookies
Organization: Just me...
References: <comp-privacy8.39.5@cs.uwm.edu>

    lihou@ms2.hinet.net wrote: Files from the winsite-win95 archive
    [...] Fortune program with over 66000 cookies Size 3006 K [...] It
    seems to me that these cookies are cookie files from people using
    Netscape Navigator and MSIE.  If so, how can we prevent others from
    getting our 'cookies'?

As I can't make up my mind whether this is a troll or not, I figure I'll 
answer it with a straight face. (So if it is a troll, you caught me. ;-)

Now, I haven't actually dl'd that file to check, but from the 
description it seems far more likely that the 'cookies' in question 
refer to 'fortune-cookies'. While this may not be apparent to non-Unix 
users - where the 'fortune' command is virtually ubiquitous - the purpose 
of 'fortune' is to print a 'fortune-cookie' style - usually humorous - 
message. Most likely, this is simply a file of 66000 such messages, 
probably intended to be used with some 'fortune'-equivalent Windows 95 
program.

As for preventing people from getting the 'cookies', well, Netscape 
claim - and most likely are quite right - that *only* the one that set 
the cookie can get it. And, in Atlas, you can set an option that gives 
*you* control over the cookies, including the right to cancel 
setting/sending them. (Now, of course, the truly paranoid know that 
Netscape could of course do pretty much anything its programmers want 
to your computer (they just have to ignore their own security 
precautions), if they wanted to. But then, so could, say, every other 
program on your hard disk... ;-)

    Is the 'history' file also downloadable from an unsuspecting user's PC?

Now, as to that, if you have a suitably broken/early version of 
Netscape, it's supposed to be possible. Also, given enough 
Java/JavaScript trickery (or VBScript for that matter), yes, it's 
probably doable. As to whether anyone is actually *doing* it, well, I 
wouldn't know. The value of getting that file from all random passers-by 
seems questionable. But then, I'm not a marketing person... ;-)

--
|     Jonas.Karlsson@baldakinen.umea.se      | I am a number,  |
| 100342.3455@compuserve.com - jonask@io.com | not a man! - 42 |


------------------------------

From: hermit@cats.UCSC.EDU (William R. Ward)
Date: 16 May 1996 18:03:25 GMT
Subject: Re: An Ethical Dilemma
Organization: Computing and Telecommunications Services, UCSC
References: <comp-privacy8.39.11@cs.uwm.edu>

    Simon Rogerson <srog@dmu.ac.uk> writes: Problems associated with
    the uniqueness of IT abound. Consider these three statements: *
    Hacking is wrong [...]

There's nothing wrong with hacking.  I'm a hacker, and proud of it.
That doesn't mean I do anything wrong or illegal.  Just because the
press has a simplistic and inaccurate picture of what a hacker is
doesn't mean that you have to perpetuate that.

And if you don't know what I'm talking about, read Steven Levy's book
"Hackers".

--
William R Ward          Bay View Consulting   http://www.bayview.com/~hermit/
hermit@bayview.com     1803 Mission St. #339        voicemail +1 408/479-4072
hermit@cats.ucsc.edu  Santa Cruz CA 95060 USA           pager +1 408/458-8862


------------------------------

From: dan@dvl.co.nz (Dan Langille)
Date: 19 May 1996 01:05:17 GMT
Subject: Re: An Ethical Dilemma
Organization: DVL Software Limited
References: <comp-privacy8.39.11@cs.uwm.edu>

    Simon Rogerson <srog@dmu.ac.uk> wrote: * Is it right to employ
    hackers to develop an anonymous Internet counselling service for
    the suicidal? What do you think?

Firstly, this is a posed and loaded question.  One can create a similar
question using a multitude of statements such as that which preceded
the above question.

If you are serious about counseling, there is no need to utilise
hackers to achieve your goals.  There are many competent and reliable
people who will help with such projects.  If it's strategy and tactics
you're after, by all means, use hackers as consultants.  But by
definition, hackers won't give you the system you deserve.

--
Dan Langille
DVL Software Limited - Wellington, New Zealand


------------------------------

From: briang@netcom.com (Brian Gordon)
Date: 16 May 1996 13:51:55 -0700 (PDT)
Subject: Re: FDA Approves At-Home HIV Test

    The FDA just announced that it has approved the first at-home HIV
    test, manufactured by Direct Access Diagnostics, a Bridgewater, New
    Jersey-based division of Johnson and Johnson. The test allows for
    the collection of blood specimens in the home.  The blood samples
    must then be mailed to a lab for analysis. Results are available
    within weeks, and the tests are allegedly anonymous, though, at
    this point, it is not clear how so.

According to today's news, each kit comes with a code number.  After an
appropriate wait, you call for the results from that code number.  No
name, no traceability.  Probably not foolproof, but pretty good.

--
 Brian Gordon	 >briang@netcom.com<--   bgordon@isi.com  
 AOL: BGordon  CompuServe: 70243,3012 


------------------------------

From: dan@dvl.co.nz (Dan Langille)
Date: 19 May 1996 01:26:42 GMT
Subject: Re: FDA Approves At-Home HIV Test
Organization: DVL Software Limited
References: <comp-privacy8.39.1@cs.uwm.edu>

    Results are available within weeks, and the tests are allegedly
    anonymous, though, at this point, it is not clear how so.

From what I saw here on TV, the tests will be first released in Texas
and Florida only.  I understand this is to ensure that demand does not
exceed supply (i.e. the testers don't want to get overwhelmed by test
results).

One buys the test kit in the shop.  Each kit contains a unique number
printed on the test card which you send to the test center.  You prick
your finger, dab the blood onto a test card, and mail the card off to
be tested.  You can then dial the testing centre, and enter your unique
test code.  If your test is negative, you get a recorded message.  If
positive, you get patched through to a counselor.

AFAIK, [As Far As I Know] the only hitch to the alleged privacy issue
is caller id.  Which I believe to be a separate issue.

--
Dan Langille
DVL Software Limited - Wellington, New Zealand


------------------------------

From: Monty Solomon <monty@roscom.COM>
Date: 16 May 1996 23:59:58 -0400
Subject: Georgia Law Could Prohibit Web Links

Excerpt from 05-15-96 ACLU Newsfeed

*Georgia Law Could Prohibit Web Links*

Legislation recently signed into law by Georgia Governor Zell Miller is
aimed at preventing fraud in cyberspace, but the Chronicle of Higher
Education recently reported that critics say it could force developers
of World Wide Web pages to remove links to other pages.

The law, the Chronicle reported, makes it a crime to "falsely identify"
oneself on the Net, or to direct people to someone else's computer
without the other person's explicit permission.

The ACLU said the Georgia law raises serious questions.

"The Georgia law -- like the federal Communications Decency Act -- is
just another example of legislators rushing to criminalize
communication in the online medium before they even begin to understand
how it operates," said Ann Beeson, an ACLU expert on cyberspace.

"In the process," Beeson continued, "they have violated the free speech
rights of cybercitizens and have drastically hindered a democratizing
medium that enables people to communicate and share information around
the world in a way never previously possible."

 ----------------------------------------------------------------
ONLINE RESOURCES FROM THE ACLU NATIONAL OFFICE
 ----------------------------------------------------------------
ACLU Freedom Network Web Page:  http://www.aclu.org.  

America Online users should check out our live chats, auditorium events,
*very* active message boards, and complete news on civil liberties, at
keyword ACLU.

 ----------------------------------------------------------------
ACLU Newsfeed
American Civil Liberties Union National Office
132 West 43rd Street
New York, New York 10036

To subscribe to the ACLU Newsfeed, send a message to majordomo@aclu.org
with "subscribe News" in the body of the message.  To terminate your
subscription, send a message to majordomo@aclu.org with "unsubscribe
News" in the body of the message.

For general information about the ACLU, write to info@aclu.org.


------------------------------

From: Jonathon Blake <grafolog@netcom.com>
Date: 17 May 1996 06:58:41 +0000 (GMT)
Subject: Re: Automated Toll Collection

    dan@dvl.co.nz (Dan Langille) wrote: I do not feel worried about
    passing my credit card details over the internet.  Is there any
    [documented] case of credit card details being

Do you seriously expect banking institutions to admit to that?

    stolen whilst in transmission?  Such transmissions must happen

Packet sniffers, located at any router between here and there.  Any
large computer exposition in the US will have several packet sniffers
running.

    capture data, it would be done.  But it isn't easy.  Sure it's

Want a packet sniffer?   They are two a penny, with a tickey back for
change.

    possible, but it's not probable.  For that matter, encryption won't

Has anybody broken 128-bit RSA yet?  2048-bit PGP keys?  NSA isn't
talking, but I doubt they have.  Can anybody break a steganographed
message that is also encrypted with a 4096-bit PGP key, without using
TEMPEST?

--
jonathon
grafolog@netcom.com


------------------------------

From: dan@dvl.co.nz (Dan Langille)
Date: 19 May 1996 01:18:16 GMT
Subject: Re: Automated Toll Collection
Organization: DVL Software Limited
References: <comp-privacy8.37.2@cs.uwm.edu> <comp-privacy8.38.5@cs.uwm.edu> <comp-privacy8.39.4@cs.uwm.edu>

    Rick Carlson <lnustoc.bzfhbg@eds.com> wrote: There is nothing to
    prevent the State of VA from selling the data that they collect
    through the automated toll booths. It would seem imprudent to
    expect that it would not eventually try to get some money into the
    state treasury for this "state resource".

Hmm, it sounds to me like someone is in need of a Privacy Bill.  What
we have here in NZ is a [seemingly] good piece of legislation.  If
someone collects information, said information can ONLY be used for the
purpose for which it was collected.  In such circumstances, the State
of VA would not be able to sell the information.

Does such legislation exist in VA?

--
Dan Langille
DVL Software Limited - Wellington, New Zealand


------------------------------

From: rgerst1026@aol.com (RGerst1026)
Date: 18 May 1996 21:50:25 -0400
Subject: Local Ordinances Restrict SSN Identifiers?
Organization: America Online, Inc. (1-800-827-6364)

Is anyone aware of cities or towns which have outlawed the practice of
requiring a customer to provide a social security number for commercial
transactions or for other non-official uses? If so, what does the
ordinance say? Thanks for your help.


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 16 May 1996 15:22:10 -0500 (CDT)
Subject: Re: Tempest Intrusion
Organization: University of Wisconsin-Milwaukee

In a recent CPD we had a posting from SpyKing <spyking@mne.net> in
which he stated:

    In 1985, a Dutch scientist Wim van Eck published a paper which was
    written about in the prestigious "Computers & Security" journal,
    "Electromagnetic Radiation from Video Display Units: An
    Eavesdropping Risk?" Vol 4 (4) pp 269-286. The paper caused a panic
    in certain government circles and was immediately classified as is
    just about all TEMPEST information.

    Wim van Eck's work proved that Video Display Units (CRT's) emitted
    electromagnetic radiation similar to radio waves and that they
    could be intercepted, reconstructed and viewed from a remote
    location. This of course compromises security of data being worked
    on and viewed by the computer's user. Over the years TEMPEST
    monitoring has also been called van Eck monitoring or van Eck
    eavesdropping.

However, I subsequently got a memo from Belden Menkus indicating:

    My apologies for not having mentioned this earlier.  A number of
    weeks ago you included a posting which claimed that an article by
    Wim van Eck was classified and suppressed by the intelligence
    community.  That is not so.  I wrote the article in the same issue
    that explained how to reduce the problem.  Neither article was
    classified or suppressed by anyone!  I have the clips in my
    personal file.

    --
    BELDEN MENKUS   menkus@dockmaster.ncsc.mil
    POB 129, Hillsboro TN 37342 (615) 728-2421

Things are not always what they seem.

--
Leonard P. Levine               e-mail levine@cs.uwm.edu
Professor, Computer Science        Office 1-414-229-5170
University of Wisconsin-Milwaukee  Fax    1-414-229-2769
Box 784, Milwaukee, WI 53201     
         PGP Public Key: finger llevine@blatz.cs.uwm.edu


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 16 May 1996 13:01:22 -0500 (CDT)
Subject: RISKS: Discussion of Med Privacy Bill
Organization: University of Wisconsin-Milwaukee

Taken from RISKS-LIST: Risks-Forum Digest, Wednesday 15 May 1996,
Volume 18 : Issue 12
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

    From: James Love <love@tap.org>
    Date: 14 May 1996 19:05:23 -0400 (EDT)
    Subject: Discussion Drafts of Medical Records Privacy Legislation 

   [Sent to RISKS via Stanton McCandlish <mech@eff.org>.  RISKS
   generally eschews such postings.  However, this one may have broad
   appeal to readers in the U.S., and far-reaching implications. PGN]

Re: Getting Copies of "Discussion Drafts" of Med Privacy Bill Online

This is a sign-on letter to Senators Kassebaum and Warner, asking that
the Senate make copies of its "discussion drafts" of S. 1360, the
Medical Records Confidentiality Act, on the Internet.  The discussion
drafts reflect the current versions of the controversial legislation,
after negotiations between various Senators and lobbyists.

Currently these drafts are only distributed in paper, and are mostly
available to Washington DC lobbyists.  Senator Kassebaum controls
access to the discussion drafts, and Senator Warner is in charge of
Senate rules on topics such as public access to Senate documents.

The letter has been signed by Gary Ruskin, Director of the
Congressional Accountability Project, Lori Fena, Director of the
Electronic Frontier Foundation, James Love, Director of Consumer
Project on Technology, and Jim Warren, a well known computer journalist
and information activist.  To add your name, send a note to Gary Ruskin
at gary@essential.org.

   The letter follows:

Senator Nancy Kassebaum, Chair
Committee on Labor and Human Resources
428 Dirksen Senate Office Bldg
Washington, DC 20510-6300

Senator John Warner, Chair
Committee on Rules and Administration
305 Russell Senate Office Bldg
Washington, DC 20510-6325

Dear Senators Kassebaum and Warner:

We are writing to express the frustrations of many American citizens
who cannot effectively monitor the actions of the U.S. Congress,
because the Senate does not give ordinary citizens the same access to
key legislative documents that it gives to interest groups that can
afford full time lobbyists.  Our immediate concern is the refusal of
the Senate Labor Committee to provide online access to a series of
discussion drafts of S. 1360, the Medical Records Confidentiality
Act.  This controversial legislation seeks to pre-empt state laws in
favor of a federal system regulating access to personal medical
records.  The legislation is controversial and complex and the stake
holders are many.  Privacy and consumer groups say the legislation
provides too much access and too little privacy, while industry groups
are pressing for even easier access to identified medical records.

The legislation was introduced last October.  Beginning in April, the
Committee on Labor and Human Resources has prepared several "discussion
drafts" for a new chairman's mark.  These drafts have been given to
lobbyists, but the Committee staff has refused to make the text of the
drafts available on the Internet where they would be readily available
to the general public.  As a consequence, as Equifax, IBM, Dun &
Bradstreet, TRW, Blue Cross, Aetna, and other groups with full-time
lobbyists read each and every new discussion draft, the general public
mistakenly believes the October 24, 1995 version of the bill represents
the relevant text of the legislation.

Why keep the discussion drafts from the general public?  The bill is
very long, and it is costly and difficult to distribute the bill in the
paper formats. Most citizens don't have any way of even knowing that
the various discussion drafts even exist.

With efforts to push for a rapid mark-up on S. 1360 it seems urgent to
resolve this issue soon.  More generally, however, the Senate should
adopt new rules about access to the various types of "unofficial"
drafts of bills, including committee prints, managers amendments,
chairman's marks, and widely disseminated discussion drafts, which are
the real stuff of the legislative process.  The text of these important
documents should be placed on the Internet for the benefit of the
general public, as soon as they are made available to Washington
lobbyists.

Sincerely,

Gary Ruskin, Director, Congressional Accountability Project (Member, 
Advisory Committee, Congressional Internet Caucus) gary@essential.org

Lori Fena, Director, Electronic Frontier Foundation, lori@eff.org

James Love, Director, Consumer Project on Technology, love@tap.org

Jim Warren, tech-policy columnist and open-government advocate
Government Technology Magazine, MicroTimes Magazine, etc.
345 Swett Rd., Woodside CA 94062; voice/415-851-7075  jwarren@well.com

To add your name to this letter, send a note to Gary Ruskin.  His
contact info is:
  Gary Ruskin  gary@essential.org  202/296-2787; fax: 202/833-2406

James Love, Center for Study of Responsive Law, P.O. Box 19367,
Washington DC 20036 202/387-8030 Consumer Project on Technology;
love@tap.org with webpages.


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 17 May 1996 09:14:50 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa.  The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet
eMail.  Those who understand the technology also understand the ease of
forgery in this very free medium.  Statements, therefore, should be
taken with a grain of salt and it should be clear that the actual
contributor might not be the person whose email address is posted at
the top.  Any user who openly wishes to post anonymously should inform
the moderator at the beginning of the posting.  He will comply.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution.  As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute.  If you
do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored.  They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious.  Diversity is welcome, but not personal attacks.  Do
not include entire previous messages in responses to them.  Include
your name & legitimate Internet FROM: address, especially from
.UUCP and .BITNET folks.  Anonymized mail is not accepted.  All
contributions considered as personal comments; usual disclaimers
apply.  All reuses of CPD material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy,
publications using CPD material should obtain permission from the
contributors.

Contributions generally are acknowledged within 24 hours of
submission.  If selected, they are printed within two or three days.
The moderator reserves the right to delete extraneous quoted material.
He may change the Subject: line of an article in order to make it
easier for the reader to follow a discussion.  He will not, however,
alter or edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite.  The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.

Web browsers will find it at gopher://gopher.cs.uwm.edu.

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of:     Computer Privacy Digest
Professor of Computer Science     |                  and comp.society.privacy
University of Wisconsin-Milwaukee | Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher:                 gopher.cs.uwm.edu 
levine@cs.uwm.edu                 | Web:           gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------


------------------------------

End of Computer Privacy Digest V8 #040
******************************