Date:       Sun, 26 May 96 14:59:09 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V8#042

Computer Privacy Digest Sun, 26 May 96              Volume 8 : Issue: 042

Today's Topics:			       Moderator: Leonard P. Levine

                         Re: A Privacy Scenario
                        Re: Privacy Phone Guard
                        Re: Privacy Phone Guard
                        Re: Privacy Phone Guard
                        Re: Biometric Encryption
                        Re: Biometric Encryption
                        Re: Biometric Encryption
                        Re: Biometric Encryption
              Announcement: Privacy Legislation in Canada
                BC Voters Can Have Addresses Suppressed
                     Re: Automated Toll Collection
                     Re: Automated Toll Collection
                 Equifax for Employee Background Checks
               Credit Cards with Internet Fraud Insurance
                Re: Georgia Law Could Prohibit Web Links
                      New Posters Please Take Note
                      Where to get PGP FAQ [long]
                 Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: bob@rattlesnake.com (Robert J. Chassell)
Date: 23 May 1996 18:51:42 -0400
Subject: Re: A Privacy Scenario
Organization: Rattlesnake Enterprises
References: <comp-privacy8.41.11@cs.uwm.edu>

    (Martina Schollmeyer) asks whether ... some new browsers allow web
    sites to execute programs on the computer that is accessing the web
    site, possibly without the computer owner's knowledge.  This
    feature allowed the music store to get your friend's login name and
    computer address to determine the complete e-mail address.

Several issues here: 

  * whether a program was executed on the computer owner's machine
    (the goal of JAVA).

  * whether a web site can collect info from browsers

  * whether this is a good idea.

Collecting the info may not require running a program on the user's
machine.  According to the documentation for `url-privacy-level' in GNU
Emacs W3 mode,

    HTTP/1.0 has header fields for various information about the user,
    including operating system information, email addresses, the last
    page you visited, etc.

Thus a browser that meets the standard could provide that information.

Incidentally, in W3 mode, the `url-privacy-level' variable controls how
much of this information is actually provided.  You can specify a
variety of levels.  I myself specify the level that says `Don't send
anything'.
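
Added example, not part of the original post and not W3 mode's own code: a Python example that reports which HTTP/1.0 request headers carry the user details listed above (`From` for the email address, `Referer` for the last page visited, `User-Agent` for browser and operating system) and withholds them by privacy level. The level names, what each level withholds, and the sample request are assumptions constructed for illustration.

```python
# Added example: audit and scrub identity-bearing HTTP/1.0 request headers.

# Constructed sample request (not captured traffic). The User-Agent header
# is folded onto a second line, which HTTP/1.0 permits.
SAMPLE_REQUEST = (
    "GET /catalog/index.html HTTP/1.0\r\n"
    "From: alice@example.edu\r\n"
    "Referer: http://other.example/bookmarks.html\r\n"
    "User-Agent: ExampleBrowser/1.0\r\n"
    " (X11; SunOS 4.1.3)\r\n"
    "Accept: text/html\r\n"
    "\r\n"
)

# HTTP/1.0 request headers that describe the user rather than the request.
DISCLOSES = {
    "from": "email address",
    "referer": "last page visited",
    "user-agent": "browser and operating system",
}

# Hypothetical privacy levels (names and contents are assumptions of this
# example): each maps to the set of header names that are NOT sent.
LEVELS = {
    "none": set(),
    "low": {"referer"},
    "high": {"referer", "from"},
    "paranoid": {"referer", "from", "user-agent"},
}


def parse_request(raw):
    """Return (request_line, [(name, value), ...], body) for a raw request."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line, headers = lines[0], []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:
            # Folded continuation: it belongs to the previous header, so it
            # must be kept or dropped together with that header.
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return request_line, headers, body


def audit(raw):
    """List (header, what it discloses, value) for identity-bearing headers."""
    _, headers, _ = parse_request(raw)
    return [
        (name, DISCLOSES[name.lower()], value)
        for name, value in headers
        if name.lower() in DISCLOSES  # header names are case-insensitive
    ]


def scrub(raw, level):
    """Rebuild the request without the headers withheld at this level."""
    if level not in LEVELS:
        raise ValueError(f"unknown privacy level: {level!r}")
    withheld = LEVELS[level]
    request_line, headers, body = parse_request(raw)
    kept = [f"{n}: {v}" for n, v in headers if n.lower() not in withheld]
    return "\r\n".join([request_line] + kept) + "\r\n\r\n" + body


if __name__ == "__main__":
    for name, what, value in audit(SAMPLE_REQUEST):
        print(f"{name}: discloses {what}: {value}")
    print(scrub(SAMPLE_REQUEST, "paranoid"), end="")
```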


------------------------------

From: Michael Shreeve <plsed011.mshree01@eds.com>
Date: 23 May 1996 18:13:18 -0500
Subject: Re: Privacy Phone Guard
Organization: Technical Consulting Continuum
References: <comp-privacy8.38.2@cs.uwm.edu> <comp-privacy8.41.7@cs.uwm.edu>

    Charles Bryant wrote: If you are demanding a *right*, the burden
    should be on you to prove the legitimacy of that right.

Here, I have options (each costs money, of course).  If I want to
identify the caller, I can purchase caller ID. If a caller doesn't want
me to identify them, they can purchase caller ID blocking.  If I don't
want to receive "anonymous" calls, I don't have to.  I can even have
anonymized calls automatically blocked.  Everyone can choose the
amount of intrusion, or information given out.

RE: Demanding rights.  I don't think that it is unreasonable when
someone is seeking admission into your home (even if it is just by
voice) to want to know who it is.  I sympathize with those who have
unpublished/unlisted numbers who see caller ID as a privacy invasion
against them (when they make outgoing calls), however, I consider not
being able to identify the incoming call an equal privacy invasion, and
am glad that the service is available to curtail that invasion.

--
Michael
Disclaimers:  My opinions are my own, and free.  You get what you pay for.
EDS may or may not agree with these opinions.
E-mail advertisements will be spell-checked for a $200 fee.  Sending an
advertisement to this address is acceptance of these terms.


------------------------------

From: EricF@microhouse.com (Eric Fowler)
Date: 23 May 1996 23:37:52 GMT
Subject: Re: Privacy Phone Guard
Organization: Microhouse
References: <comp-privacy8.38.2@cs.uwm.edu>

    chazl@leonardo.lmt.com says...  Do you worry that your phone number
    is very likely available to anyone who knows your name and has
    access to a phone book, regardless of whether or not you EVER CALL
    THEM? I really do not understand all the hullabaloo about how
    CallerID allegedly violates one's privacy.  Here's the way I view
    it:

Well, the hullabaloo *I* make about clrID is due to the fact that it
can automate the collection of a lot of information about who I call,
and can make it available to third parties. I don't mind if someone
knows I'm talking to a friend. I do mind when they write down who
initiated the conversation, when it took place, and how long it lasted.
I especially mind when I don't know when I am being so observed; and I
especially, especially mind if someone were to follow me around all day
long collecting this kind of information.

CallerID by itself means very little. What happens when the
calling/receiving phone numbers are indexed into one database? I don't
want such a record of my calls to exist, and I really have nothing to
hide. As with much personal information, each datum means little, but
the collection of much data can adversely affect your privacy. This
technology makes possible the (eventual) collection of extensive
records of individuals' calling patterns.  This is not happening yet
but mark my words, it will.


------------------------------

From: wjanssen@cs.vu.nl (Wouter Janssen)
Date: 24 May 1996 13:13:53 GMT
Subject: Re: Privacy Phone Guard
Organization: Fac. Wiskunde & Informatica, VU, Amsterdam
References: <comp-privacy8.38.2@cs.uwm.edu>

    chazl (chazl@leonardo.lmt.com) wrote: Do you worry that your phone
    number is very likely available to anyone who knows your name and
    has access to a phone book, regardless of whether or not you EVER
    CALL THEM?

Yes.

    If you walked up to my door and rang the doorbell with a bag over
    your head, would you be surprised that I would be unlikely to let
    you in? Is it a violation of your privacy for me to request that
    you identify yourself before I decide whether to open the door?

No, not at all, but when I ring your doorbell without that bag and come
to ask you how to get to the railway station, would you still ask me for
some ID?

    Why should my phone [which is another means into my home and life]
    be any different?  Someone calls me and wants to talk to me.  Why
    shouldn't I have the right to know who that individual is before I
    decide whether or not to grant that request?

Because I wouldn't like the idea of you putting me into some sort of
database and then sending me ads about the things you/your company
sells.

I don't understand why you should always know who you're talking to.
If someone on the street asks you something, do you ask his/her name,
phone # and an ID as well? I don't.

Why do you want the phone system to reveal the other calling party?
Because you don't want to ask for the ID of the other person calling
yourself or do you think they won't be honest to you? (Gee, I thought I
was paranoid ;-) )

I hope I wasn't offensive, because I didn't intend to be, I just wanted
to clarify that some of us like to keep some info about ourselves for
ourselves.

Fortunately, in Holland one can still choose whether or not your
name, address and phone # are listed in the phone directory, and
caller ID is a no-no here.

 ---------------------------------------------------------------------
In real life : Wouter Janssen      | mail to wjanssen=pgp@cs.vu.nl
E-mail       : wjanssen@cs.vu.nl   | for my pgp-key
URL: http://www.cs.vu.nl/~wjanssen/|
 ---------------------------------------------------------------------


------------------------------

From: wiltshir@sover.net (Gary A. Wiltshire)
Date: 23 May 1996 23:23:17 GMT
Subject: Re: Biometric Encryption
Organization: SoVerNet, Inc.
References: <comp-privacy8.38.10@cs.uwm.edu> <comp-privacy8.41.5@cs.uwm.edu>

    Phil Agre  <pagre@weber.ucsd.edu> wrote: ...fingerprint
    biometrics...  I am curious if anybody knows of any criticisms of
    this approach.

    Charles Bryant <ch@chch.demon.co.uk> wrote: Two possible problems
    seem obvious. Firstly, it is very easy to get someone's
    fingerprints. We can't avoid leaving prints on vast numbers of
    everyday objects (e.g. drinks cans, door handles). Secondly, it
    seems that if it were widely used, muggers would start cutting off
    people's fingers when stealing their cards to be sure of being able
    to generate the fingerprints.

That goes for retina-recognition too!  The movie Demolition Man had the
bad guy gouge out the warden's eye to get through a locked door.

--
Gary Wiltshire


------------------------------

From: lihou@ms2.hinet.net (Lee)
Date: 24 May 1996 07:20:20 GMT
Subject: Re: Biometric Encryption
Organization: SEEDNET InterNetNews News System
References: <comp-privacy8.38.10@cs.uwm.edu> <comp-privacy8.41.5@cs.uwm.edu>

    Phil Agre  <pagre@weber.ucsd.edu> wrote: ...fingerprint
    biometrics...  I am curious if anybody knows of any criticisms of
    this approach.

    Charles Bryant <ch@chch.demon.co.uk> wrote: Two possible problems
    seem obvious. Firstly, it is very easy to get someone's
    fingerprints. We can't avoid leaving prints on vast numbers of
    everyday objects (e.g. drinks cans, door handles). Secondly, it
    seems that if it were widely used, muggers would start cutting off
    people's fingers when stealing their cards to be sure of being able
    to generate the fingerprints.

I wouldn't say it's so easy to outwit those devices. I saw some that

1. measure temperature of the finger (cutting a finger doesn't work)

2. measure humidity (I'm not sure how this one works, maybe they
measure reflection of sweat covering the finger) of the finger

3. request a password too

Have some additional features.

--
Sean Lee
lihou@ms2.hinet.net
Taipei


------------------------------

From: Chris Kocur <ckocur@jcpenney.com>
Date: 24 May 1996 09:29:35 -0500
Subject: Re: Biometric Encryption
Organization: JCPenney Company, Inc.
References: <comp-privacy8.38.10@cs.uwm.edu> <comp-privacy8.41.5@cs.uwm.edu>

    Phil Agre  <pagre@weber.ucsd.edu> wrote: ...fingerprint
    biometrics...  I am curious if anybody knows of any criticisms of
    this approach.

    Charles Bryant wrote: Two possible problems seem obvious. Firstly,
    it is very easy to get someone's fingerprints. We can't avoid
    leaving prints on vast numbers of everyday objects (e.g. drinks
    cans, door handles). Secondly, it seems that if it were widely
    used, muggers would start cutting off people's fingers when
    stealing their cards to be sure of being able to generate the
    fingerprints.

This covers two of my three objections. My third is that if something
happens to my finger so that my fingerprint is altered or unavailable
(i.e. mugger cut it off) I can no longer access my own data/devices.

-- 
Regards, Chris
ckocur@jcpenney.com (work), ckocur@plano.net (home)


------------------------------

From: Phil Gilbert <pgilbert@earthlink.net>
Date: 25 May 1996 23:47:20 -0700
Subject: Re: Biometric Encryption
Organization: Earthlink Network, Inc.
References: <comp-privacy8.41.6@cs.uwm.edu>

IMHO--don't place too much value on the pass phrase.  personal
experience has led me to conclude that humans cannot keep secrets even
under ideal conditions.  this includes any secret or bit of
information that a human might want to keep secret, not just gossip.
any effort will have to have several authentication methods each with
equal value in the shut down/won't work if equation.  imagine the
difficulty in trying to tell the difference between a real and severed
finger.  sounds like a step in the right direction though.


------------------------------

From: Colin Bennett <cjb@uvic.ca>
Date: 23 May 1996 19:34:23 -0700
Subject: Announcement: Privacy Legislation in Canada

Subscribers might be interested to learn that the Canadian federal
government today (May 23rd) announced that:

  As a means to encouraging business and consumer confidence in the
  Information Highway, the Ministers of Industry and Justice (after
  consultation with the provinces and other stakeholders) will bring
  forward proposals for a legislative framework for governing the
  protection of personal data in the private sector.

This announcement was not unexpected.  It follows last year's report of
the Canadian Information Highway Advisory Council.

The initiative was undoubtedly also influenced by the agreement earlier
this year of a "Model Code for the Protection of Personal Information"
 under the auspices of the Canadian Standards Association.   Any
legislation will probably be based upon the principles within this new
CSA standard.   Those interested can obtain a copy of the standard from
the Toronto offices of the CSA [(416) 747-7000.]

There will now follow an intense period of consultation and lobbying,
over contentious questions about oversight and enforcement in the
context of the Canadian federal system.  This announcement is very good
news, but there is a long way to go before Canada can claim to have
"adequate" data protection and thus satisfy the emerging international
standard set by the recent EU Directive.


------------------------------

From: bo774@FreeNet.Carleton.CA (Kelly Bert Manning)
Date: 25 May 1996 07:10:35 GMT
Subject: BC Voters Can Have Addresses Suppressed
Organization: National Capital Freenet, Ottawa, Canada

I'd read that the Municipal Act had been amended to allow voters to
conceal their addresses, even from politicians, but I hadn't heard
whether the same applied to the provincial election act.

If memory serves the BC Information and Privacy Commissioner expressed
the view that not enough had been done to make civic voters aware of
this new way of protecting their privacy (decision 95-69).  Ditto for
the provincial voters list.

When I called the 1-800 number for the election the staff who answered
didn't seem to have been trained about this, so I called the Chief
Electoral Officer phone number and asked. I was told that they no
longer peddle lists, and that addresses are severed before lists are
given to candidates. It is also possible to ask that your address be
"suppressed", which apparently means that even Elections Branch staff
can't get at it.

I have a very wide cynical streak and fully expected that the
provincial politicians would say hands off to their municipal
counterparts, but make an exception for themselves. Looks like they
decided to apply the same rule to themselves.

After the last election I started getting personalized crap mail and
dug around until I discovered that a "data extractor" had bought a copy
of the voters list and used it to create a computer database of
residents, including the 30-40% of people who pay BC Tel to keep their
addresses out of the phone books.

When I pursued it with Election Branch, pointing out risks such as
anti-abortion zealots getting addresses when they run as candidates for
family/heritage/christian fringe parties, I got the distinct impression
that they didn't consider it a priority issue and that the most they
would do would be to get anyone buying a copy of the list to sign a
pledge to do no evil with it.

I have no idea what changed their minds, apart from the legislative
changes. The legislative changes were quite surprising, because when I
raised the issue in a submission to the Jones committee that reviewed
the FOI/POP act it seemed to dismiss release of voter addresses as
nothing to spend a lot of time on.

The only immediate result of my submission was that I started getting
junk mail from the BC Freedom of Information and Privacy Association.
That made me glad I'd used a PO box address. I had already formed quite
a poor opinion of FIPA after hearing their spokesman object to
proposals such as setting statutory fees for land title searches so
high that no organization or consortium could acquire a complete copy
of a DB piecemeal, except at a cost that would be prohibitive. FIPA
thought that the cost of the disk or tape media would be more
appropriate.

After the second FIPA solicitation I reported this to the BC Attorney
General, who seemed to take the matter seriously in his reply and
assured me that FIPA would be required to give up the address list it
had created from Jones Committee submissions.

--
notice: by sending advertising/solicitations to this account you will be 
indicating your consent to paying me $70/hour for a minimum of 2 hours for
my time spent dealing with it


------------------------------

From: dgillmor@netcom.com (Dan Gillmor)
Date: 24 May 1996 05:05:37 GMT
Subject: Re: Automated Toll Collection
Organization: San Jose Mercury News
References: <comp-privacy8.41.3@cs.uwm.edu>

    John R Levine (johnl@iecc.com) wrote: Everything I've seen says
    that losses from credit card usage on the net are slightly lower
    than for regular 800-based mail order.

Is there any remotely authoritative data on this?

-- 
Dan Gillmor, Computing Editor    E-mail: dgillmor@sjmercury.com 
San Jose Mercury News            Voice: 408-920-5016 
750 Ridder Park Drive            Fax: 408-920-5917 
San Jose, CA 95190               http://www.sjmercury.com/homepage/gillmor/


------------------------------

From: johnl@iecc.com (John R Levine)
Date: 24 May 96 03:10 EDT
Subject: Re: Automated Toll Collection
Organization: I.E.C.C., Trumansburg, N.Y.
References: <comp-privacy8.37.2@cs.uwm.edu> <comp-privacy8.38.6@cs.uwm.edu> <comp-privacy8.39.3@cs.uwm.edu>

    As things stand today, without encryption, sending personal
    information is foolish. ...

Simpson's article was indeed interesting, and I'd encourage everyone to
read it.  If you do read it, you'll discover that First Virtual's
attack was a virus-like program that intercepted keystrokes at the PC
BIOS level, which means it wouldn't make a bit of difference how much
encryption you used over your network link, since their attack is on
the user's PC, not the network.

It also pointed out that First Virtual's attack was pretty far-fetched,
since to be useful to a bad guy they'd have to send the captured card
info back to the bad guy, presumably over a network link, and it'd be
extremely hard to do much of that without people noticing.  (Their
point was that FV's system is immune to this particular attack, since
they tie your account to your credit card number over the phone, so you
never type in your credit card number, just your FV account number.)

If you plan to do business with anyone, ever, you have to be prepared
to accept some risk of fraud.  (I mean, how do you know that the cans
and boxes you buy at the grocery store actually contain food?)  I've
never seen any evidence that the risks of doing credit card commerce
over the net, even in the absence of encryption, are out of line with
those of doing credit card commerce in person or over the phone.

It's also worth considering that credit card security works from both
directions: they go to some effort to make it hard to make bogus
charges, e.g. the rarely enforced rule that the merchant is supposed to
compare signatures, but there's at least as much security due to the
auditability of the system.  I have on my desk a credit card terminal
into which I can type any old credit card number I want, with an
amount, and in a few seconds that amount is charged to that card.  But
it wouldn't do me much good, because the customer can contest the
charge, and merchants who have more than a few percent of contested
charges get their accounts cancelled.

-- 
John R. Levine, IECC, POB 640 Trumansburg NY 14886 +1 607 387 6869
johnl@iecc.com "Space aliens are stealing American jobs." - Stanford econ prof


------------------------------

From: axinar@one.net (Axinar)
Date: 25 May 1996 05:06:51 GMT
Subject: Equifax for Employee Background Checks
Organization: OneNet Communications HUB News Server

Recently I learned of a company who is going to begin doing background
checks on future employees through Equifax.

Of course I've known that Equifax provides credit information to banks,
etc, but what sorts of services do they provide other than credit
information that would be useful in doing an employee background check
and just how the heck are they getting this information?

--
Ax


------------------------------

From: wbe@psr.com (Winston Edmond)
Date: 25 May 1996 18:56:50 GMT
Subject: Credit Cards with Internet Fraud Insurance
Organization: Panther Software and Research

A few weeks ago, I got a piece of junk mail asking me to apply for a
VISA card.  What made the offer unique was that it had the word WEB in
big letters on the outside envelope and a novel feature: it explicitly
said that the card holder would not be held liable for any charges
resulting from the number being stolen in the course of its use over
the Internet.  This was not limited to encrypted transmission.

That's clearly one way to solve the problem, and one I hadn't even seen
mentioned before: the credit card company itself indemnifies the card
holder against misuse following theft of the number via the Net.
Simple, easily understood by everyone, requires no new technology, and
a competitive advantage for their card.

--
WBE

(Sorry, no, I don't have the name of the bank any more.  It was a U.S.
bank and looked like a nationwide mailing to me, so maybe others will
get a solicitation, too.)


------------------------------

From: michael@sj-coop.net (Michael Bryan)
Date: 25 May 1996 19:30:56 -0700
Subject: Re: Georgia Law Could Prohibit Web Links
Organization: San Jose Co-op Internet Services (www.sj-coop.net)
References: <comp-privacy8.40.7@cs.uwm.edu> <comp-privacy8.41.10@cs.uwm.edu>

    Keith Graham <skg@sadr.com> wrote: Having read what is, I believe,
    the entire law, it does no such thing.

Do you, or anybody else, know where there's an online copy of the text
of the law?

-- 
Michael Bryan
michael@sj-coop.net
Quicken Web Page: http://quicken.sj-coop.net/Quicken.html


------------------------------

From: Len Levine <levine@cs.uwm.edu>
Date: 25 May 1996 19:36:36 GMT
Subject: New Posters Please Take Note

From time to time people post things like the following, or even worse
they post binary files that relate to some specific word processor
language.

Although they can be decoded, they take a while to save, download into
a different processor (often a transfer from unix to dos) and then
read (or decode) and re-upload.

Please post in ASCII, please post with a 60 character line length,
please don't emphasize like this:
                            ^^^^

Stuff like that rarely works across platforms.

begin 644 stuff.txt
M,;X```"K``````````#'`0``!0`&``8`!@`&``8`````````````````````
M``sdf234``````````````````````````````````````````````````````````
M``````````````````````````````````````````````````!3=7)V96EL
M;&%N8V4O0V]U;G1E<E-U<G9E:6QL86YC92!%<2X@1&ER96-T;W)Y#0H-"B`@
M,S`P("L@4V]U<F-E<R!O9B!(:6=H(%1E8V@L($IA;65S($)O;F0@5'EP92!%
M<2X-"@T*26YC;'5D:6YG#0H-"DYI9VAT=FES:6]N+"!$971E8W1O<G,L($)U
#`!0-
`
end

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of:     Computer Privacy Digest
Professor of Computer Science     |                  and comp.society.privacy
University of Wisconsin-Milwaukee | Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher:                 gopher.cs.uwm.edu 
levine@cs.uwm.edu                 | Mosaic:        gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------



------------------------------

From: mpj@csn.net (Michael Johnson)
Date: 25 May 1996 22:54:31 -0600
Subject: Where to get PGP FAQ [long]
Organization: The Web of Trust

WHERE TO GET THE PRETTY GOOD PRIVACY PROGRAM (PGP) FAQ

Revised 24 May 1996

Disclaimer -- I haven't recently verified all of the information in
this file, and much of it is probably out of date.

For questions not covered here, please read the documentation
that comes with PGP, get one of the books mentioned below, or search for
other relevant FAQ documents at rtfm.mit.edu and on the alt.security.pgp
news group.

A NOTE FROM THE FAQ MAINTAINERS

Peter Herngaard <pethern@datashopper.dk> is taking over the maintenance
of this FAQ until further notice.

Some of you sent me (Mike Johnson) corrections and suggestions for
this FAQ, and I stored them away on my hard disk to edit from. Then,
Windows 95 got indigestion (induced by a sound card) and destroyed
all of the data in that partition. If you suggested changes and they
aren't in this FAQ, please send them to Peter Herngaard
<pethern@datashopper.dk>.

WHAT IS THE LATEST VERSION OF PGP?

Viacrypt PGP (commercial version): 2.7.1 (4.0 is due out Real Soon Now)

MIT & Philip Zimmermann (freeware, USA-legal): 2.6.2

Staale Schumacher's International variant: 2.6.3i for non-USA
                    (2.6.3ai source code only); 2.6.3 for USA

WHERE CAN I GET VIACRYPT PGP?

Just call 800-536-2664 and have your credit card handy.

WHERE IS PGP ON THE WORLD WIDE WEB?

U.S. only availability:
PGP: http://web.mit.edu/network/pgp-form.html
PGPfone: http://web.mit.edu/network/pgpfone
International availability:
PGP and PGPfone: http://www.ifi.uio.no/pgp/

WHERE CAN I FTP PGP IN NORTH AMERICA?

If you are in the USA or Canada, you can get PGP by following the
instructions in any of:

ftp://net-dist.mit.edu/pub/PGP/README
ftp://ftp.csn.net/mpj/README.MPJ
ftp://miyako.dorm.duke.edu/pub/GETTING_ACCESS
ftp://ftp.csua.berkeley.edu/pub/cypherpunks/pgp/
ftp://ftp.gibbon.com/pub/pgp/README.PGP
ftp://ftp.wimsey.bc.ca/pub/crypto/software/README

WHERE IS PGP ON COMPUSERVE?

GO NCSAFORUM. Follow the instructions there to gain access to Library 12:
Export Controlled.

AOL

Go to the AOL software library and search "PGP" or ftp from
ftp://ftp.csua.berkeley.edu/pub/cypherpunks/pgp or another site listed above.
It is possible to get PGP from ftp sites with hidden directories with the
following trick:  (1) View the README file with the hidden directory name in
it, then quickly (2) Start a new ftp connection, specifying the hidden
directory name with the ftp site's address, like
ftp.csn.net/mpj/I_will_not_export/crypto_xxxxxxx (where the xxxxxxx is
replaced with the current character string).

WHAT BULLETIN BOARD SYSTEMS CARRY PGP?

MANY BBS carry PGP. The following carry recent versions of PGP and
allow free downloads of PGP.

US

303-343-4053 Hacker's Haven, Denver, CO
303-772-1062 Colorado Catacombs BBS, Longmont CO
   8 data bits, 1 stop, no parity, up to 28,800 bps.
   Use ANSI terminal emulation.
   For free access: log in with your own name, answer the questions.
314-896-9309 The KATN BBS
317-887-9568 Computer Virus Research Center (CVRC) BBS, Indianapolis, IN
   Login First Name: PGP  Last Name: USER   Password: PGP
501-791-0124, 501-791-0125 The Ferret BBS, North Little Rock, AR
   Login name: PGP USER Password: PGP
506-457-0483 Data Intelligence Group Corporation BBS
508-668-4441 Emerald City, Walpole, MA
601-582-5748 CyberGold BBS
612-690-5556, !CyBERteCH SeCURitY BBS! Minneapolis MN
914-667-4567 Exec-Net, New York, NY
915-587-7888, Self-Governor Information Resource, El Paso, Texas

GERMANY

+49-781-38807 MAUS BBS, Offenburg - connected to MausNet
+49-521-68000 BIONIC-BBS Login: PGP

WHERE CAN I FTP PGP CLOSE TO ME?

IT

ftp://ftp.dsi.unimi.it/pub/security/crypt/PGP

FI

ftp://ftp.funet.fi/pub/crypt/pgp/

NL

ftp://ftp.nl.net/pub/crypto/pgp
ftp.nic.surfnet.nl/surfnet/net-security/encryption/pgp

NO

ftp://menja.ifi.uio.no/pub/pgp/

NZ

ftp://ftphost.vuw.ac.nz

SE

ftp://leif.thep.lu.se

TW

ftp://nctuccca.edu.tw/PC/wuarchive/pgp/

UK

ftp://ftp.ox.ac.uk/pub/crypto/pgp

HOW CAN I GET PGP BY EMAIL?

If you have access to email, but not to ftp, send a message saying
"help" to ftpmail@decwrl.dec.com or mailserv@nic.funet.fi

WHERE CAN I GET MORE PGP INFORMATION?

http://www.csn.net/~mpj
http://www.mit.edu:8001/people/warlord/pgp-faq.html
http://www.eff.org/pub/EFF/Issues/Crypto/ITAR_export/cryptusa_paper.ps.gz
ftp://ds.internic.net/internet-drafts/draft-pgp-pgpformat-00.txt
ftp://ds.internic.net/internet-drafts/draft-ietf-pem-mime-08.txt
http://www-mitpress.mit.edu/mitp/recent-books/comp/pgp-source.html
http://web.cnam.fr/Network/Crypto/ (in French)
http://web.cnam.fr/Network/Crypto/survey.html (in English)
http://www2.hawaii.edu/~phinely/MacPGP-and-AppleScript-FAQ.html
http://www.pgp.net/pgp
http://www.sydney.sterling.com:8080/~ggr/pgpmoose.html
http://www.ifi.uio.no/pgp/
http://inet.uni-c.dk/~pethern/privacy.html

WHAT ARE SOME GOOD PGP BOOKS?

 Protect Your Privacy: A Guide for PGP Users
 by William Stallings
 Prentice Hall PTR
 ISBN 0-13-185596-4
 US $19.95

 PGP: Pretty Good Privacy
 by Simson Garfinkel
 O'Reilly & Associates, Inc.
 ISBN 1-56592-098-8
 US $24.95

 E-Mail Security: How to Keep Your Electronic Mail Private
 "Covers PGP/PEM"
 by Bruce Schneier
 Wiley Publishing

 The Computer Privacy Handbook: A Practical Guide to E-Mail Encryption, Data
 Protection, and PGP Privacy Software
 by André Bacard
 Peachpit Press
 ISBN 1-56609-171-3
 US $24.95
 800-283-9444 or 510-548-4393

 THE OFFICIAL PGP USER'S GUIDE
 by Philip R. Zimmermann
 MIT Press
 April 1995 - 216 pp. - paper - US $14.95 - ISBN 0-262-74017-6 ZIMPP
 Standard PGP documentation neatly typeset and bound.

 PGP SOURCE CODE AND INTERNALS
 by Philip R. Zimmermann
 April 1995 - 804 pp. -
 US $55.00 - 0-262-24039-4 ZIMPH

 How to Use PGP, 61 pages,  (Pub #121) from the Superior Broadcasting Company,
 Box 1533-N, Oil City, PA 16301, phone: (814) 678-8801 (about US $10-$13).

IS PGP LEGAL?

Pretty Good Privacy is legal if you follow these rules:

Don't export PGP from the USA except to Canada, or from Canada except to the
USA, without a license.

If you are in the USA, use either Viacrypt PGP (licensed for commercial use)
or MIT PGP using RSAREF (limited to personal, noncommercial use). Outside of
the USA, where RSA is not patented, you may prefer to use a version of PGP
(2.6.3i) that doesn't use RSAREF to avoid the restrictions of that license.

If you are in a country where the IDEA cipher patent holds in
software (including the USA, Canada, and some countries in Europe), make
sure you are licensed to use the IDEA cipher commercially before using
PGP commercially. (No separate license is required to use the freeware
PGP for personal, noncommercial use). For direct IDEA licensing, contact
Ascom Systec:

Erhard Widmer,  Ascom Systec AG, Dep't. CMVV      Phone  +41 64 56 59 83
Peter Hartmann, Ascom Systec AG, Dep't. CMN       Phone  +41 64 56 59 45
Fax:            +41 64 56 59 90
e-mail:         IDEA@ascom.ch
Mail address:   Gewerbepark, CH-5506 Maegenwil (Switzerland)

Viacrypt has an exclusive marketing agreement for commercial
distribution of Philip Zimmermann's copyrighted code. (Selling
shareware/freeware disks or connect time is OK). This restriction does
not apply to PGP 3.0, since it is a complete rewrite by Colin Plumb.

If you modify PGP (other than porting it to another platform, fixing a bug,
or adapting it to another compiler), don't call it PGP (TM) or Pretty Good
Privacy (TM) without Philip Zimmermann's permission.

IMPORTANT:
Please note that there is an official distribution site for MIT
PGP and another for the International version:
WorldWideWeb references:
U.S/Canada non-commercial use: http://web.mit.edu/network/pgp-form.html
Norway/International non-commercial use: http://www.ifi.uio.no/pgp/
U.S. commercial use: http://www.viacrypt.com

WHAT IS PHILIP ZIMMERMANN'S LEGAL STATUS?

Philip Zimmermann was under investigation for alleged violation of export
regulations, with a grand jury hearing evidence for about 28 months, ending
11 January 1996. The Federal Government chose not to comment on why it
decided to not prosecute, nor is it likely to.  The Commerce Secretary stated
that he would seek relaxed export controls for cryptographic products, since
studies show that U. S. industry is being harmed by current regulations.
Philip endured some serious threats to his livelihood and freedom, as well as
some very real legal expenses, for the sake of your right to electronic
privacy.  The battle is won, but the war is not over. The regulations that
caused him so much grief and which continue to dampen cryptographic
development, harm U. S. industry, and do violence to the U. S. National
Security by eroding the First Amendment of the U. S. Constitution and
encouraging migration of cryptographic industry outside of the U. S. A. are
still on the books.  If you are a U. S. Citizen, please write to your U. S.
Senators, Congressional Representative, President, and Vice President
pleading for a more sane and fair cryptographic policy.

WHERE CAN I GET WINDOWS & DOS SHELLS FOR PGP?

http://www.dayton.net/~cwgeib
ftp://oak.oakland.edu/SimTel/msdos/security/apgp22b.zip
http://alpha.netaccess.on.ca/~spowell/crypto/pwf31.zip
ftp://ftp.netcom.com/pub/dc/dcosenza/pgpw40.zip
ftp://ftp.firstnet.net/pub/windows/winpgp/pgpw40.zip
http://www.eskimo.com/~joelm (Private Idaho)
ftp://ftp.eskimo.com/~joelm
http://www.xs4all.nl/~paulwag/security.htm
http://www.LCS.com/winpgp.html
http://netaccess.on.ca/~rbarclay/index.html
http://netaccess.on.ca/~rbarclay/pgp.html
ftp://ftp.leo.org/pub/comp/os/os2/crypt/gcppgp10.zip
ftp://ftp.leo.org/pub/comp/os/os2/crypt/pmpgp.zip
http://iquest.com/~aegisrcs

WHAT OTHER FILE ENCRYPTION (DOS, MAC) TOOLS ARE THERE?

PGP can do conventional-only encryption of a file (-c option), but
you might want to investigate some of the other alternatives if you do
this a lot. Alternatives include Quicrypt and Atbash2 for DOS, DLOCK for
DOS & UNIX, Curve Encrypt (for the Mac), HPACK (many platforms), and a
few others.

Quicrypt is interesting in that it comes in two flavors:  shareware
exportable and registered secure. Atbash2 is interesting in that it generates
ciphertext that can be read over the telephone or sent by Morse code. DLOCK
is a no-frills strong encryption program with complete source code. Curve
Encrypt has certain user-friendliness advantages. HPACK is an archiver (like
ZIP or ARC), but with strong encryption. A couple of starting points for your
search are:
U.S. only availability:
ftp://ftp.csn.net/mpj/qcrypt11.zip
ftp://ftp.csn.net/mpj/README
ftp://ftp.miyako.dorm.duke.edu/pub/GETTING_ACCESS
International availability:
ftp://ftp.informatik.uni-hamburg.de/pub/virus/crypt/file/
ftp://ftp.dsi.unimi.it/pub/crypt/code/

HOW DO I SECURELY DELETE FILES (DOS)?

If you have the Norton Utilities, Norton WipeInfo is pretty good. I
use DELETE.EXE in del110.zip, which is really good at deleting existing
files, but doesn't wipe "unused" space.
US
ftp://ftp.csn.net/mpj/public/del120.zip
NL
ftp://utopia.hacktic.nl/pub/replay/pub/security/del120.zip
UK
ftp://ftp.demon.co.uk/pub/ibmpc/security/realdeal.zip

WHAT DO I DO ABOUT THE PASS PHRASE IN MY WINDOWS SWAP FILE?

The nature of Windows is that it can swap any memory to disk at any
time, meaning that all kinds of interesting things could end up in your
swap file.

ftp://ftp.firstnet.net/pub/windows/winpgp/wswipe.zip

WHERE DO I GET PGPfone(tm)?

PGPfone is in beta test for Macintosh and Windows'95 users.
MIT has shut down their ftp distribution of PGPfone <tm> for
Macintosh and Windows'95, so within the U.S/Canada you must obtain
PGPfone <tm> using a WorldWideWeb browser.

U.S. only availability:
http://web.mit.edu/network/pgpfone
International availability:
DK
ftp://ftp.datashopper.dk/pub/users/pethern/pgp/
NL
ftp://utopia.hacktic.nl/pub/replay/pub/voice/
NO
ftp://menja.ifi.uio.no/pub/pgp/mac/
ftp://menja.ifi.uio.no/pub/pgp/windows/

WHERE DO I GET NAUTILUS?

Bill Dorsey, Pat Mullarky, and Paul Rubin have come out with a
program called Nautilus that enables you to engage in secure voice
conversations between people with multimedia PCs and modems capable of
at least 7200 bps (but 14.4 kbps is better). See:
U.S. only availability:
ftp://ripem.msu.edu/pub/crypt/GETTING_ACCESS
ftp://ripem.msu.edu/pub/crypt/other/nautilus-phone-0.9.2-source.tar.gz
ftp://ftp.csn.net/mpj/README
ftp://miyako.dorm.duke.edu/pub/GETTING_ACCESS
International availability:
ftp://ftp.ox.ac.uk/pub/crypto/misc
ftp://utopia.hacktic.nl/pub/replay/pub/voice/
The official Nautilus homepage is at:
http://www.lila.com/nautilus/

HOW DO I ENCRYPT MY DISK ON-THE-FLY?

Secure File System (SFS) is a DOS device driver that encrypts an entire
partition on the fly using SHA in feedback mode.

Secure Drive also encrypts an entire DOS partition, using IDEA, which is
patented.

Secure Device is a DOS device driver that encrypts a virtual, file-hosted
volume with IDEA.

Cryptographic File System (CFS) is a Unix device driver that uses DES.

CryptDisk is a ShareWare package for Macintosh that uses strong IDEA
encryption like PGP.

U.S. only availability:
ftp://ftp.csn.net/mpj/README
ftp://miyako.dorm.duke.edu/mpj/crypto/disk/
International availability:
http://www.cs.auckland.ac.nz/~pgut01/sfs.html
ftp://ftp.informatik.uni-hamburg.de/pub/virus/crypt/disk/
ftp://ftp.nic.surfnet.nl/surfnet/net-security/encryption/disk/
ftp://ftp.ox.ac.uk/pub/crypto/misc/
ftp://menja.ifi.uio.no/pub/pgp/mac/
ftp://utopia.hacktic.nl/pub/replay/pub/disk/

WHERE IS PGP'S COMPETITION?

RIPEM is the second most popular freeware email encryption package.  I like
PGP better for lots of reasons, but if for some reason you want to check or
generate a PEM signature, RIPEM is available at ripem.msu.edu. There is also
an exportable RIPEM/SIG.
U.S. only availability:
ftp://ripem.msu.edu/pub/GETTING_ACCESS
International availability:
ftp://ftp.dsi.unimi.it/pub/crypt/code/

HOW DO I PUBLISH MY PGP PUBLIC KEY?

Send mail to one of these addresses with the single word "help" in the
subject line to find out how to use them. These servers synchronize keys with
each other.  There are other key servers, too.

pgp-public-keys@keys.pgp.net
pgp-public-keys@keys.de.pgp.net
pgp-public-keys@keys.no.pgp.net
pgp-public-keys@keys.uk.pgp.net
pgp-public-keys@keys.us.pgp.net

WWW interface to the key servers: http://www.pgp.net/pgp/www-key.html
http://www-swiss.ai.mit.edu/~bal/pks-toplev.html

For US $20/year or so, you can have your key officially certified and
published in a "clean" key database that is much less susceptible to
denial-of-service attacks than the other key servers. Send mail to
info-pgp@Four11.com for information, or look at http://www.Four11.com/

Of course, you can always send your key directly to the parties you wish to
correspond with by whatever means you wish.

CAN I COPY AND REDISTRIBUTE THIS FAQ?

Yes. Permission is granted to distribute unmodified copies of this FAQ.

Please e-mail comments to Peter Herngaard <pethern@datashopper.dk>
Look for the latest html version of this FAQ at
http://inet.uni-c.dk/~pethern/getpgp.html


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 17 May 1996 09:14:50 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa.  The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet
eMail.  Those who understand the technology also understand the ease of
forgery in this very free medium.  Statements, therefore, should be
taken with a grain of salt and it should be clear that the actual
contributor might not be the person whose email address is posted at
the top.  Any user who openly wishes to post anonymously should inform
the moderator at the beginning of the posting.  He will comply.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution.  As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute.  If you
do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored.  They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious.  Diversity is welcome, but not personal attacks.  Do
not include entire previous messages in responses to them.  Include
your name & legitimate Internet FROM: address, especially from
 .UUCP and .BITNET folks.  Anonymized mail is not accepted.  All
contributions considered as personal comments; usual disclaimers
apply.  All reuses of CPD material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy,
publications using CPD material should obtain permission from the
contributors.  

Contributions generally are acknowledged within 24 hours of
submission.  If selected, they are printed within two or three days.
The moderator reserves the right to delete extraneous quoted material.
He may change the Subject: line of an article in order to make it
easier for the reader to follow a discussion.  He will not, however,
alter or edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite.  The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.

Web browsers will find it at gopher://gopher.cs.uwm.edu.

 ---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of:     Computer Privacy Digest
Professor of Computer Science     |                  and comp.society.privacy
University of Wisconsin-Milwaukee | Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher:                 gopher.cs.uwm.edu 
levine@cs.uwm.edu                 | Web:           gopher://gopher.cs.uwm.edu
 ---------------------------------+-----------------------------------------


------------------------------

End of Computer Privacy Digest V8 #042
******************************