Date:       Thu, 27 Jun 96 18:55:15 EST
Errors-To:  Comp-privacy Error Handler <owner-comp-privacy@uwm.edu>
From:       Computer Privacy Digest Moderator  <comp-privacy@uwm.edu>
To:         Comp-privacy@uwm.edu
Subject:    Computer Privacy Digest V8#051

Computer Privacy Digest Thu, 27 Jun 96              Volume 8 : Issue: 051

Today's Topics:			       Moderator: Leonard P. Levine

                              Re: Cookies
                              Re: Cookies
                    RISKS: IRS and DOD, Bad Coupling
                           Re: US Export Law
                           Re: US Export Law
                Re: Marketing on the Information Highway
              Discussion Forum on Privacy on the Internet
              Re: Privacy while Downloading from Newsgroup
                        Re: Privacy in Politics
                      White House--Database [long]
               RISKS: FBI Surveillance of Library Patrons
                       NorthStar: PGP Jump Start
                 Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: Scott Wyant <scott_wyant@loop.com>
Date: 24 Jun 1996 16:12:13 -0700
Subject: Re: Cookies

This list has seen discussion about the little "cookie" that a Netscape
server hands to your browser.  Have you wondered how someone might use
it to make some money?

Here's how.  (This will take a while, but I think it's worth it.)

Using Find File, look for a file called cookie.txt (or MagicCookie if
you have a Mac machine).  Using a text editor, open the file and take a
look.  If you've been doing any browsing, the odds are about 80/20 that
you'll find a cookie in there from someone called "doubleclick.net."

If you're like me, you never went to a site called "doubleclick."  So
how did they give you a cookie?  After all, the idea of the cookie,
according to the specs published by Netscape, is to make a more
efficient connection between the server that delivers the cookie and the
client machine which receives it.  But we have never connected to
"doubleclick."

Close MagicCookie, connect to the Internet, and jump to
<www.doubleclick.net>.  Read all about how they are going to make money
giving us cookies we don't know about, collecting data on all World
Wide Web users, and delivering targeted REAL TIME marketing based on
our cookies and our profiles.

Pay special attention to the information at:
<www.doubleclick.net/advertising/howads.htm>

You'll see that the folks at "doubleclick" make the point that this
entire transaction (between their server and your machine) is
"transparent to the user."  In plain English, that means you'll never
know what hit you.

So what's happening is, subscribers to the doubleclick service put a
"cookie request" on their home page FOR THE DOUBLECLICK COOKIE.  When
you hit such a site, it requests the cookie and takes a look to see who
you are, and any other information in your cookie file.  It then sends
a request to "doubleclick" with your ID, requesting all available
marketing information about you.  (They're very coy about where this
information comes from, but it seems clear that at least some of it
comes from your record of hitting "doubleclick" enabled sites.)  You
then receive specially targeted marketing banners from the site.  In
other words, if Helmut Newton and I log on to the same site at the
exact same time, I'll see ads for wetsuits and basketballs, and Helmut
will see ads for cameras.

If you log in to a "doubleclick" enabled site, and it sends a request
for your "doubleclick" cookie, and you don't have one, why each and
every one of those sites will hand you a "doubleclick" cookie.

Neat, huh?  And you can bet they're going to be rolling in the cookie
dough.  Me, I edit my cookie file each and every time I go to a new
site.  (Despite the dire warning at the top of the file, you can edit
it with no adverse consequences.)

Oh, and one other thing.  If you edit your cookie file BEFORE you
connect to "doubleclick," and then jump around at the site, you'll
notice that they DON'T hand you a cookie.  I probed the site pretty
carefully, checking the MagicCookie file, and nothing happened.

Until I closed Netscape.  The LAST thing the "doubleclick" site did
was....  You guessed it.  They handed me a cookie.  So much for making
the client-server negotiation more efficient.  (In fairness, that
cookie may have been in memory until I closed Netscape -- I can't tell
for sure.)

Scott Wyant
Spinoza Ltd.


------------------------------

From: John <jpp@netcom.com>
Date: 26 Jun 1996 08:32:13 -0700
Subject: Re: Cookies
Organization: The Rock of Ages Home for Unix Hackers
References: <comp-privacy8.39.5@cs.uwm.edu>

    lihou@ms2.hinet.net wrote: It seems to me that these cookies are
    cookies files from people using Netscape Navigator and MSIE.  If
    so, how can we prevent others from getting our 'cookies'? I mean,
    any other way except manually deleting them every time we use a
    browser.  Is the 'history' file also downloadable from an
    unsuspicious user's PC?

This is a joke, right?  Cookies in this context == fortune cookies.
Neither the cookies.txt nor history files are downloadable from hard
drives under MSIE or Netscape.

Think of cookies as membership cards.  When you visit a site, it gives
you a membership card (a cookie); when you come back, your browser says
"aha, I have a membership card (cookie) for this site, I'll show it to
them."  What is written on the card is up to the site, but one site
can't see cookies from another.

Cookies add an important feature to the web - state tracking - if you
want to buy something from a site it's important to be able to track
from page to page (so the order form can know which product you were
looking at).  The thing that has people bent out of shape is the option
to make cookies persistent (i.e., make them live beyond one session).
This is easy to fix by making your cookies file read only.

John
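
As an added example (not from either poster above, nor from Netscape), the
following Python script does what Scott Wyant suggests doing by hand with a
text editor: it parses a Netscape-format cookie file (the cookies.txt /
MagicCookie file, one tab-separated record per line: domain, subdomain
flag, path, secure flag, expiry as Unix seconds, name, value), tells
persistent cookies from session-only ones (John's point), applies the
Netscape matching rules to show which cookies a given request would carry
(one site cannot read another's), and lists cookie domains that match none
of the hosts you actually visited, which is exactly how a "doubleclick"
cookie shows up in a file when you never went to doubleclick.  The sample
entries are constructed for this example; treating an expiry of 0 as
"session cookie" is an assumption borrowed from the convention curl uses.

```python
import time
from urllib.parse import urlsplit

# Constructed sample of a Netscape-format cookie file.  One cookie per line,
# tab-separated: domain, include_subdomains, path, secure, expires (epoch
# seconds), name, value.  1893456000 is 2030-01-01 UTC; the values are made up.
SAMPLE_COOKIE_FILE = """# Netscape HTTP Cookie File
# This is a generated file!  Do not edit.

.doubleclick.net\tTRUE\t/\tFALSE\t1893456000\tid\tA53298F1
www.example.com\tFALSE\t/shop\tFALSE\t0\tcart\tsku-1234
.example.com\tTRUE\t/\tTRUE\t1893456000\tsession\t8f2a0c
"""


def parse_cookie_file(text):
    """Parse Netscape cookies.txt text into a list of cookie dicts."""
    cookies = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # skip malformed lines rather than guessing at them
        domain, subdomains, path, secure, expires, name, value = fields
        cookies.append({
            "domain": domain.lower(),
            "include_subdomains": subdomains == "TRUE",
            "path": path or "/",
            "secure": secure == "TRUE",
            "expires": int(expires),
            "name": name,
            "value": value,
        })
    return cookies


def is_persistent(cookie):
    """Expiry 0 is taken (assumption, as in curl's files) to mean a session-only
    cookie; anything else outlives the browser session."""
    return cookie["expires"] != 0


def domain_matches(cookie, host):
    """Netscape tail-matching: a leading-dot domain covers the domain itself
    and every host below it; otherwise the host must match exactly."""
    host = host.lower()
    bare = cookie["domain"].lstrip(".")
    if cookie["include_subdomains"]:
        return host == bare or host.endswith("." + bare)
    return host == bare


def would_send(cookie, url, now=None):
    """Domain tail-match, path prefix match, secure flag, and expiry check."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    if not domain_matches(cookie, parts.hostname or ""):
        return False
    if not (parts.path or "/").startswith(cookie["path"]):
        return False
    if cookie["secure"] and parts.scheme != "https":
        return False
    if is_persistent(cookie) and cookie["expires"] < now:
        return False
    return True


def cookies_for_request(cookies, url, now=None):
    """Names of the cookies the browser would attach to a request for url."""
    return [c["name"] for c in cookies if would_send(c, url, now)]


def third_party_domains(cookies, visited_hosts):
    """Cookie domains matching none of the hosts the user deliberately visited:
    the signature of a cookie handed out by an embedded ad server."""
    return sorted({c["domain"] for c in cookies
                   if not any(domain_matches(c, h) for h in visited_hosts)})


if __name__ == "__main__":
    jar = parse_cookie_file(SAMPLE_COOKIE_FILE)
    for c in jar:
        kind = "persistent" if is_persistent(c) else "session"
        print(f"{c['domain']:<20} {c['name']:<8} {kind}")
    print("third-party:", third_party_domains(jar, {"www.example.com"}))
    print("sent to shop page:",
          cookies_for_request(jar, "http://www.example.com/shop/cart"))
```

Run it against your own cookies.txt by replacing SAMPLE_COOKIE_FILE with the
file's contents; the third-party list is the set of entries worth deleting,
and is_persistent() separates the ones that would survive a restart.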


------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 24 Jun 1996 21:36:28 -0500 (CDT)
Subject: RISKS: IRS and DOD, Bad Coupling
Organization: University of Wisconsin-Milwaukee

Taken from RISKS-LIST: Risks-Forum Digest, Monday 24 June 1996, Volume
18 : Issue 23.  FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED
SYSTEMS (comp.risks), ACM Committee on Computers and Public Policy,
Peter G. Neumann, moderator.

    From: "Richard L. Wexelblat" <rwex@CLARK.NET> 
    Date: 20 Jun 1996 21:38:14 -0400 
    Subject: DoD and IRS tax systems

Special note:  I work for the IRS and have a work-related vested
	       interest in _not_ having the Department of Defense
	       involved in contracting for IRS software and systems.
	       Therefore, despite any claims of non-bias below, I am
	       clearly "interested" in the classical sense of the
	       word.

That part out of the way, I'd like to say (as a private citizen, a
tax-and-spend liberal, and an almost-always defender of free speech and
the right of the citizen to privacy) that the present initiative by
Congress to have DoD become the contracting agent for IRS system and
software development is a clear and present danger to privacy in the
Republic in which we stand.

The initiative referred to above is in the "Subcommittee Mark" of the
proposed next year's budget.  It's just a House Subcommittee so it's
not law, but it's a bad idea in my mind, even to consider it
seriously.  Is the Department of Star Wars and the $700 toilet seat
really so excellent a contracting agency that they are the clear choice
to handle IRS business?

Well, that's my biased opinion, and I'd like very much to hear from
others who may have a more valid claim to disinterest!

Dick Wexelblat,         Acting Lead Architect << asa APbA   IRS

------------------------------

From: centauri@crl.com (Charles Rutledge)
Date: 24 Jun 1996 20:00:09 -0700
Subject: Re: US Export Law
Organization: CRL Dialup Internet Access
References: <comp-privacy8.49.10@cs.uwm.edu>

    Glenn Benson (Glenn.Benson@zfe.siemens.de) wrote: I am trying to
    understand US export law and its motivations.  It is fairly easy to
    locate the wording of US law but I am having some trouble
    identifying its intention.

Join the club.  I doubt that anyone outside of the NSA really
understands what they are trying to accomplish.

    Is the law really intended to prevent non-US residents from
    obtaining access to high-grade cryptography?  Is the law's
    intention to control domestic use of cryptography?  Does the
    government have an official position defining intent?

As written, the law is intended to prevent the transfer of cryptography
technology to people and organizations outside the United States.  (It
would seem that the prime component of this law would be the acceptance
as fact of the idea that non-US residents would not develop their own
cryptography technology.)  The law is not meant to control domestic use
of cryptography, although this loophole is currently being addressed
by the White House, FBI, and certain members of Congress.  It is my
understanding that an early attempt by the FBI to outlaw all use of
cryptography within the US (except for government use, of course)
failed because it also would have prevented US banks from making
international wire fund transfers, which by treaty must be encrypted.

The Clipper Chip is being pushed by the White House as the answer to
private cryptography while still allowing the government to read the
encrypted messages.  They also want to give this technology (along with
the US government backdoor) to everybody in the world.  Naturally, many
countries have declined this generous offer.

    What is the current status of US-implemented applications that
    invoke a cryptography API, e.g., Microsoft's CryptoAPI?  Can these
    applications be exported?

From what I've read, the Microsoft Crypto API is being developed with
the full cooperation and blessing of the NSA.  In exchange, Microsoft
will be allowed to export the software, and programs that use the API
can also be exported.

-- 
Charles Rutledge    |    Liberty is a tenuous gift.  Hard to win, easy
centauri@crl.com    |    to give away, and no one will protect it for you.


------------------------------

From: bernie@fantasyfarm.com (Bernie Cosell)
Date: 25 Jun 1996 03:09:04 GMT
Subject: Re: US Export Law
Organization: Fantasy Farm Fibers
References: <comp-privacy8.49.10@cs.uwm.edu>

    "Glenn Benson" <Glenn.Benson@zfe.siemens.de> wrote: I am trying to
    understand US export law and its motivations.  It is fairly easy to
    locate the wording of US law but I am having some trouble
    identifying its intention.

The law in question is referred to as "ITAR".  The International Trade
in ARMs Regulations.  They cover the export of materials which would be
useful to an enemy of the US in a time of war.  They go back to [at
least] world war 2 [I've asked this before and never gotten a straight
answer: does anyone know the actual _original_ legislation and its
history up to the current ITARs?  We struggled with it in the 60s,
other manufacturers dealt with it in the 50s.  But I don't know when it
all got started.]

    Is the law really intended to prevent non-US residents from
    obtaining access to high-grade cryptography?  Is the law's
    intention to control domestic use of cryptography?

No, and in fact the law says *NOTHING* about 'domestic use of
cryptography'.  That's been the point I've been trying to raise: if US
citizens, all 300 or whatever million of us, really cared about this
stuff, *we*could*have*it*.  Perfectly legal, and moreover almost
certainly protected by the Constitution!

The law covers "arms" in its most general sense: items of technology
that could be used against us by our enemies in a time of war.  Only
the most naive [or ill-informed] don't realize the crypto technology is
among the *MOST* valuable and most jealously guarded.  The restriction
on crypto export *is*not*new* --- it has been there all along.

    What is the current status of US-implemented applications that
    invoke a cryptography API, e.g., Microsoft's CryptoAPI?  Can these
    applications be exported?

As far as I know, "API"s do *not* come under ITAR, only the actual
underlying cryptosystem.  And so you can export your API and provide it
with an approvedly-weak cryptosystem, and your overseas customers are
free to plug in something else if they wish.  [note: you can *sell*
your domestic customers anything you please.  I use SCO unix and its
normal package includes only a weak crypto system... BUT: by signing a
statement that my system will not be exported I received a copy of a
very-strong crypto system on a floppy.  Nothing sinister, nothing
difficult.]

-- 
Bernie Cosell                     Fantasy Farm Fibers
bernie@fantasyfarm.com            Pearisburg, VA
    -->  Too many people, too few sheep  <--          


------------------------------

From: bernie@fantasyfarm.com (Bernie Cosell)
Date: 25 Jun 1996 03:09:14 GMT
Subject: Re: Marketing on the Information Highway
Organization: Fantasy Farm Fibers
References: <comp-privacy8.49.11@cs.uwm.edu>

    Rose M Daitsman <daitsman@csd.uwm.edu> wrote: New tools for
    marketing products are ready for sale.  However, the price of
    convenience of renting videos by computer and making purchases of
    clothing, appliances, etc. via tv is a serious loss of privacy.  The
    insidious aspect of this is that people will voluntarily accept
    opening their lives, habits, idiosyncrasies, tastes, needs to the
    marketers  [ ...] How do we change it?

Why do you think that such a thing is even possible or that anyone
wants to?  US citizens have voted [with their feet and with their
dollars!] over and over, _consistently_, that they place essentially no
value on the 'privacy' that the drum thumpers laud so highly.  If a
'secure' item costs even a little bit more than its 'open' colleague,
it is doomed in the marketplace [e.g., secure cordless phones].  If
someone offers a person an amazingly small amount of money (or a little
bit of convenience) in exchange for a bit of their privacy, they opt
for the money/convenience every time.  For good or ill, the US consumer
just does *NOT* represent a market that is terribly concerned about
privacy issues.  That's observable fact [and I've never even heard much
of an anecdote to the contrary...  mostly just handwringing in forums
like this one by folk who _wish_ that their neighbors and colleagues
cared about this stuff...]

-- 
Bernie Cosell                     Fantasy Farm Fibers
bernie@fantasyfarm.com            Pearisburg, VA
    -->  Too many people, too few sheep  <--          


------------------------------

From: Berliner Datenschutzbeauftragter <dsb@datenschutz-berlin.de>
Date: 25 Jun 1996 10:48:14 -0700
Subject: Discussion Forum on Privacy on the Internet
Organization: Technical University of Berlin, Germany

The International Working Group on Data Protection in
Telecommunications is currently working on Data Protection and Privacy
on the Internet.

The Group was founded in 1983 and has been initiated by Data Protection
Commissioners from different countries in order to improve Data
Protection and Privacy in Telecommunications. The Secretariat of the
Group is located at the Berlin Data Protection Commissioners Office,
Berlin, Germany.

At its spring meeting 1996 in Budapest the Group agreed on a Draft
Report and Guidance on Data Protection on the Internet. It was agreed
to publish the Report on the Net in order to receive comments from the
network community.

The Secretariat of the Working Group has initiated a discussion forum
located at the WWW-Server of the Berlin Data Protection Commissioner
(http://www.datenschutz-berlin.de/diskus/).

The comments received will be published on the server.

We are looking forward to your comments on the report.

--
Yours sincerely,

Hansjürgen Garstka
(Chairman of the Group)


------------------------------

From: rwh@best.com (Dick Hein)
Date: 25 Jun 1996 14:14:23 -0700
Subject: Re: Privacy while Downloading from Newsgroup
Organization: Best Internet Communications, on-ramp to the ISH.

    beardawg@usa.pipeline.com () wrote: Let me admit right upfront -
    I'm a newbie. That said - Who, other than my ISP, has access to
    what I may be downloading from the newsgroups?

    acar@vcn.bc.ca (Al Acar) wrote: I can think of 3 possibilities (And I'm
    sure there're more...)

    1- People hacking into your ISP from outside,

    2- People who use the same ISP as you do and have found a way to
    access other users' account info (internal hackers, if you will)

Does this not assume a shell-based newsreader?  Or do you include the
possibility of a packet sniffer for TCP/IP (PC-based) clients?

--
Dick Hein / rwh@best.com / Mountain View, California.


------------------------------

From: blanchar@mail1.sas.upenn.edu (Jean-Marc F. Blanchard)
Date: 26 Jun 1996 22:10:08 GMT
Subject: Re: Privacy in Politics
Organization: University of Pennsylvania
References: <comp-privacy8.50.6@cs.uwm.edu>

    Charles R. Smith (softwa19@us.net) wrote: Privacy is now an issue.
    Recent events at the White House have placed personal privacy as a
    major concern before Congress and the people.  The current resident
    of 1600 Pennsylvania Avenue has made his political success by
    claiming to be the friend of the common people.  However, his
    claims fall far short of his actions.

I am a supporter of President Clinton, but agree with Mr. Smith that
Clinton has failed as an advocate of individual privacy rights.
Unfortunately, this is a problem with all of the candidates--I did a
survey of the Clinton, Bush, and Perot campaigns in 1992 and NONE of
the candidates had anything to say (either in terms of their respective
campaign platforms or in response to specific questions) with respect
to measures that should be taken to protect individual privacy rights.

--
Jean-Marc F. Blanchard
Prisonership Editor
Once Upon A Time


------------------------------

From: David Kennedy <76702.3557@CompuServe.COM>
Date: 27 Jun 96 12:52:29 EDT
Subject: White House--Database [long]

Courtesy of Associated Press via CompuServe's Executive News Service:

			  White House-Database

AP US & World  6/27/96  2:08 AM

    By KAREN GULLO Associated Press Writer WASHINGTON (AP) -- The White
    House keeps nearly 200,000 computer files on everyone from
    lawmakers to political donors to people who get holiday cards from
    the president, a senior aide revealed.

o	The White House listed some of the uses for the db:

	Invitations (including a list of past events invited to)
	Christmas Cards
	Receiving "the President's views on issues."
	Whether people are personal friends
	Whether they've contributed money (Less than half the names)
	Specifically not used as "an intelligence tool"

    The system, which took a year and a half to build and was completed
    in 1995, is available to about 90 White House aides who need the
    information for their jobs, such as social office, public liaison
    and intergovernmental affairs employees, said Toiv.

[DMK: Senior Advisor to Chief of Staff Leon Panetta, Barry Toiv.]

o       The Democratic National Committee, the re-election campaign
organizations and other government agencies, except the Secret Service
cannot access the system.  The Secret Service has access to assist in
White House access control.

o       Republicans have jacked up the rhetoric that was already at a
moderate volume over the "Filesgate" issue.  No one has called for
Congressional hearings.  Yet.  Rep. John Boehner, R-Ohio, asked
the White House to release to individual Republican congressmembers
his or her personal file.

o       Most files are of government officials, governors, Congress
members, mayors and other people who have contacted the Clintons on
political issues.

    The Clinton White House once included race and ethnicity in the
    files, but that practice was discontinued, Toiv said.

    "In the past a person's ethnicity would be listed because it might
    determine their interest in an issue," he said. The White House
    later decided that race shouldn't be included.

    The Washington Times, which first reported on the database, said
    sexual preference once was included in the files. Toiv denied that
    and said it was never part of the files.

*********

    "If a person was interested in gay and lesbian issues that would be
    noted," he said. Social security numbers are included for people
    who have visited the White House. FBI and tax records are not in
    the files, he said.

[DMK: SSNs are Privacy Act protected information.  OMB Circular A-130
includes the following: "Within the Executive Office of the President,
the term (agency) includes only OMB and the Office of Administration."
If this system is under the control of the Office of Administration,
OMB A-130 applies, begging the question: is the system protected to "C2"
or better?  If the system is not in the Office of Administration, what
prudent, common sense precautions are being taken to protect Privacy
Act information?]

Dave Kennedy [CISSP] InfoSec Recon Team Chief, National Computer
Security Assoc.


------------------------------

From: jwarren@well.com (Jim Warren)
Date: 27 Jun 1996 13:08:14 -0700
Subject: RISKS: FBI Surveillance of Library Patrons

It seems appropriate to recap this past(?) FBI surveillance practice --
given the:

* FBI's half-billion-dollar national wiretap system (mandated by the
Democrats in 1994 legislation),

* FBI's and Clinton's continuing *vehement* opposition to widespread
use of robust privacy protection (standardized uncrackable crypto), and

* White House's past (Watergate) and apparently-ongoing use of
confidential FBI files compiled on an administration's political
opponents.

The following is a response that I received to some private dialogue re
the FBI's snooping on "suspicious" library patrons and what they read.
It is from, Jim Schmidt, past President of the American Library
Association's stellar legal-action arm, the Freedom-to-Read
Foundation.  He is currently in academic librarianship at San Jose
State University.

-- Jim Warren, GovAccess list-owner/editor, advocate & columnist
(jwarren@well.com) 345 Swett Rd., Woodside CA 94062;
voice/415-851-7075; fax/<# upon request>

[puffery FWIW:  Hugh M. Hefner First-Amendment Award, Playboy Foundation;
James Madison Freedom-of-Information Award, Soc.of Prof.Journalists-Nor.Cal.;
Pioneer Award, Electronic Frontier Foundation (its first year, 1992);
founded InfoWorld, DataCast, Computers, Freedom & Privacy confs, etc. :-).]

    Date:         26 Jun 96 12:33:14 PDT
    From: jim <SCHMIDTC%SJSUVM1.BitNet@pucc.PRINCETON.EDU>
    Subject:      Re: Librarys
    To: Jim Warren <jwarren@well.com>

Jim

I am one of the two living experts on the FBI's Library Awareness
Program; the other one wrote a book about it.  A short recap below.

In 1970 (give or take) after the bombing which caused at least one death
of the computer center at U Wisc - Madison, FBI and ATF folks asked
the Milwaukee Public Lib for names of persons who had recently checked
out or who still had library books on plastic explosives.  From this
incident arose the Amer Lib Assoc's first policy on confidentiality of
lib recs.

The FBI's so-called "Library Awareness Program" was an initiative of the
latter 80's, represented by the Agency as limited to scientific and
technical libraries and primarily run out of the NY regional office.
Given reported visits across the country and not only to scientific and
technical libraries we know that the Bureau's characterization of the
program is incorrect.

From testimony of bureau employees and from documents secured under
FOIA, we know that the program of the 80's was in fact a resurrection
of one that operated in the 70's, and we have inferential (strongly
suggestive) evidence that library visits occurred in the 60's too.

The 80's version was the Bureau's contribution to an interagency
program coordinated by the CIA, specifically initiated at the behest of
the CIA deputy one Adm Bobby Inman (ret), to limit technology transfer
from US to other countries (remember the commodities list, licences
required from Dept of Commerce, NSA monopoly re encryption research,
etc?) of which Zimmerman's problems with PGP are vestiges as are those
that the grad student at Berkeley had to go to court about.

As a result of the 80's program, now 46 states have statutes
specifically protecting personally identifiable information in library
records (there were 38 when news broke in Sept 87 of the FBI's visit to
the Math Lib at Columbia).

Automated library systems currently do attach at least a patron's name
to items he or she has checked out, i.e. still has not returned.
Virtually all such systems strip personally identifiable data from the
transaction records when the items are returned.  I won't vouch for
whether a forensic data specialist (or hacker) could with some amount
of work reconstruct who borrowed what but it wouldn't be easy and
getting access to a library's system to do it would be another matter.

I think the consciousness of libraries was greatly raised in the 80's
and I feel comfortable, especially given the wonderful way the library
staff in Montana responded in re Kaczynski, in saying that the staffs
won't willingly permit access and that they go to some lengths to
assure that access cannot be gained.

Jim Schmidt
San Jose State

== I asked for & received Jim's permission for arbitrary re-distribution ==

    Date:         27 Jun 96 10:43:07 PDT
    From: jim <SCHMIDTC%SJSUVM1.BITNET@pucc.PRINCETON.EDU>
    Subject:      Re: Librarys
    To: Jim Warren <jwarren@well.com>

You may recirculate to your heart's desire.


------------------------------

From: mthompson@asu.edu (M Thompson)
Date: 26 Jun 1996 08:22:25 GMT
Subject: NorthStar: PGP Jump Start
Organization: Arizona State University

NorthStar 
A Guiding Light on Internet Issues 
 
Newsletter of the Internet Users Consortium 

To heighten the NorthStar experience, subscribe to the HTML Version of
NorthStar.

NorthStar is a guiding light to help you focus on the primary issues
which threaten our Internet Freedom. In this Newsletter we let Internet
Users know what the necessary issues and actions are to defend the
Internet.  We sincerely invite your participation at all levels, from
discussion to action.  Rethink what Activism means - Isn't it just
participation?

NorthStar #20   Sunday 6/23/96
Director..........proteios@iuc.org 
Editor..............wtj@primenet.com 
Author.............John Whitman <75211.2147@compuserve.com>

Update:   Internet Users Consortium 

WE'VE MOVED!!!!  The NEW HomePage for the Internet Users Consortium is
at:  http://www.iuc.org/
The NEW HomePage for NORTHSTAR is at:  http://www.iuc.org/northstar.html
Update your bookmarks, links and most especially your link to the latest
edition of NorthStar, which can ALWAYS be found at:
http://www.iuc.org/current.html
This URL will never change and will always link you to the current issue
of NorthStar.

NEVER SAY NEVER . . . but . . . We at NorthStar 
believe so strongly in these principles that we make the 
following pledge to you, our reader and fellow Internet Activist: 
NorthStar will NEVER sell/rent/trade/share our mailing list 
NorthStar will NEVER use Government mandated encryption 
NorthStar will NEVER represent any commercial interest 
NorthStar will NEVER cooperate with any Government intrusion  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

PGP JUMP START

If you hate reading manuals -- here is the easy way to get
started with PGP (Pretty Good Privacy).  PGP JUMP START helps you
get up and running fast with PGP, so that you can exchange encrypted
e-mail messages with your friends.  This document assumes basic familiarity
with DOS, Windows and Unzipping!

STEP ONE:    DOWNLOAD PGP
STEP TWO:    DOWNLOAD PGP QuickStart (for Windows users)
STEP TWO-A:  UNCOMPRESS PGP
STEP TWO-B:  EDIT AUTOEXEC.BAT
STEP THREE:  GENERATE YOUR PGP KEY PAIR
STEP FOUR:   SIGN YOUR KEY
STEP FIVE:   EXTRACT A COPY OF YOUR KEY
STEP SIX:    REGISTER YOUR PUBLIC KEY
STEP SEVEN:  OBTAIN A PERSON'S PUBLIC KEY
STEP EIGHT:  ADD A PERSON'S KEY TO YOUR PUBLIC KEYRING
STEP NINE:   ENCRYPT A MESSAGE
STEP TEN:    SEND AN ENCRYPTED MESSAGE AS E-MAIL
STEP ELEVEN: DECRYPT AN ENCRYPTED E-MAIL MESSAGE
STEP TWELVE: READ THE DOCUMENTATION
STEP THIRTEEN: PGP THE EASY WAY

STEP ONE: DOWNLOAD PGP

If you do not already have an official copy of Phil Zimmermann's
PGP 2.6.2, then download pgp262.zip now from one of the MIT sites:
ftp://net-dist.mit.edu/pub/PGP/
http://web.mit.edu/network/pgp.html

Go ahead ~ download PGP now! ~ It's only 276 K. We'll wait for you.

STEP TWO: DOWNLOAD PGP QuickStart (for Windows users)

PGP QuickStart is a PGP install program which will automatically
perform STEP TWO-A and TWO-B listed below.  This easy-to-use
Windows program, written by Joel McNamara, is highly recommended.

EITHER download PGP QuickStart and skip to STEP THREE,
OR continue with Step TWO-A below.

Note: If you decide to use PGP QuickStart, you may want to scan
STEP TWO-A and TWO-B to get an idea of what PGP QuickStart does.

STEP TWO-A: UNCOMPRESS PGP

Create a directory for the PGP files (e.g. C:\PGP).
UNZIP pgp262.zip to the PGP directory.

This will create the files pgp262i.zip, pgp262i.asc and setup.doc.
UNZIP pgp262i.zip into the same directory.

STEP TWO-B: EDIT AUTOEXEC.BAT

Add the following lines, after the PATH statement,
to your Autoexec.bat file:

   SET PGPPATH=C:\PGP
   SET PATH=C:\PGP;%PATH%
   SET TZ=**** (**** is the timezone you are in)

Below are some examples:
Hawaii:      SET TZ=HST10 (Hawaii never uses daylight savings time)
Alaska:      SET TZ=AST9
Los Angeles: SET TZ=PST8PDT
Denver:      SET TZ=MST7MDT
Arizona:     SET TZ=MST7 (Arizona never uses daylight savings time)
Chicago:     SET TZ=CST6CDT
New York:    SET TZ=EST5EDT
London:      SET TZ=GMT0BST
Amsterdam:   SET TZ=MET-1DST
Moscow:      SET TZ=MSK-3MSD
Auckland:    SET TZ=NZT-13

Substitute your own directory name if different from "C:\PGP"
Now reboot your computer so that these changes will take effect.

STEP THREE: GENERATE YOUR PGP KEY PAIR

You are now ready to generate your PGP Key Pair.
At the DOS prompt type:
pgp -kg  and press Enter.

STEP THREE is divided into 4 Parts.
Answer the questions when prompted by the PGP program.

STEP THREE, Part 1.
*Pick your RSA key size*
We recommend Size 2 [768 bits - High commercial grade]
as the most practical for general use.

STEP THREE, Part 2.
*Enter a user ID for your public key*
Use your full name as your userID, because then there will be less
risk of people using the wrong Public Key to encrypt messages to you.
Spaces and punctuation are allowed in the userID.
Type your full name followed by your E-mail address
in <angle brackets> like so: John Q. Smith <jqs@xyzcorp.com>

Please note:  When you use PGP, you do not have to type your
full userID when requested.  You can type any part of the userID.
If your userID were John Q. Smith <jqs@xyzcorp.com>
any of the following would work:
John
Smith
jqs
"John Q."    (Note: If there is a space, the userID must be in quotes.)
"John Q. Smith"

STEP THREE, Part 3.
*Enter pass phrase*
PGP will ask for a "pass phrase" to protect your secret key in case
it falls into the wrong hands.  Nobody can use your secret key
without this pass phrase.  The pass phrase is like a password, except
that it can be a whole phrase or sentence with many words, spaces,
punctuation, or anything else you want in it.  The pass phrase is
case-sensitive, and should not be too short or easy to guess.  The
longer and more random your pass phrase is, the more secure your key
files and encrypted files will be.  Don't leave your pass phrase
written down where someone else can see it, and don't store it on
your computer if other people can access your computer.

Here are some examples of pass phrases:
QwErTy
Omaha, Bugaha, Rugaha, 1936XYZ
hdF6kjHd4f$w%@@K#^%5%RoEihefiUwe9/f/g77E5Q7$

Although the third pass phrase is strongest, don't make the pass
phrase too complicated, since you have to type your pass phrase
EVERY time you decrypt or sign a PGP message.

The first one, a simple pass"word" will work, but it is vulnerable
to attack and may compromise your security. If you can find the
phrase in any published work then don't use it. Don't use any phrases
from your personal history or popular culture. Using "0dd sp3LLing5
and CaPitaliZaTiOn" will make your pass phrase harder to guess or
attack. Also, you must remember which letters are capitalized,
since the pass phrase is case-sensitive.

Now type your pass phrase.

STEP THREE, Part 4.
*We need to generate ___ random bits*
PGP will ask you to enter some random text to help it accumulate
random bits for key generation.  When asked, you should provide some
keystrokes that have irregular timing between strokes, and that
utilize upper case and lower case letters as well as numerals. Type
this random text on the keyboard, until you are prompted to stop.
There will then be a delay (a few seconds to a few minutes) depending
upon the speed of your computer and the RSA key size you picked.

PGP will actually generate two keys [your key pair]; your Secret key
that you keep secret and a Public key that your friends and [if you
allow it] the general public may obtain and use to send you messages.

(The public key "locks" the message; the secret key "unlocks" it.)

Your Secret key will automatically be placed into the file
C:\pgp\secring.pgp which is your Secret keyring.
Your Public key will be automatically placed into the file
C:\pgp\pubring.pgp which is your Public keyring.

To view or verify your keyring, type:
pgp -kv and press Enter.

STEP FOUR: SIGN YOUR KEY

You must sign your key for added security.
At the DOS prompt type:
pgp -ks userID  and press Enter.
(The userID is what you decided on, back in STEP THREE, Part 2)

PGP will respond by showing your Key ID and your Key fingerprint.
You don't need to worry about such things at this point.

Press y and Enter when you are asked:
"to solemnly certify that the above public key actually belongs
to the user specified by the above userID <y/N>?"
Type in your pass phrase when asked.
(The pass phrase is what you decided on, back in STEP THREE, Part 2)
You will then see, "Key signature certificate added".

STEP FIVE: EXTRACT A COPY OF YOUR KEY TO A KEYFILE

To allow others to send you encrypted messages, you must give them
your public key. To do this, you should extract a copy of your key
to an ascii keyfile.  The keyfile name should start with your
initials, followed by the word "key", and the extension "asc",
which indicates that the keyfile is an ascii file.

For example, if your name were John Q. Smith, then you would name
your keyfile, jqskey.asc.

At the DOS prompt type:
pgp -kxa userID keyfile

Below is an example of how John Q. Smith
would extract a copy of his key at the DOS prompt:
pgp -kxa John jqskey.asc
He would then see: "Key extracted to file 'jqskey.asc'"

In STEP SEVEN you can see an example of a PGP PUBLIC KEY BLOCK
that is contained in a PGP keyfile.

STEP SIX: REGISTER YOUR PUBLIC KEY

In order to receive messages encrypted with PGP, you should submit
your public key to a PGP Public Key Server, which allows PGP users
to exchange their public keys with each other.

http://www-swiss.ai.mit.edu/~bal/pks-commands.html is the URL of a
PGP Public Key Server where you can submit your public key.

Follow the simple instructions found there to add your public key
to the PGP Public Key Server's keyring.  It's as easy as using the
copy and paste commands.

The keyserver processes ADD requests every 10 minutes. After your
key has been processed the server will send a confirmation message
to your e-mail address.

Note: It is not mandatory that you register your public key.
There are alternative methods available to exchange public keys.
These methods are mentioned at the end of STEP SEVEN.

STEP SEVEN: OBTAIN A PERSON'S PUBLIC KEY 

In order to send a message encrypted with PGP to a person, you must
first obtain that person's PGP Public Key.

Go to the http://www-swiss.ai.mit.edu/~bal/pks-commands.html Website.
This is the same URL of the PGP Public Key Server mentioned above,
and is where you can extract someone else's public key.

Follow the simple step-by-step instructions found there to extract
a public key from the PGP Public Key Server's keyring. Remember,
while viewing the keyfile, highlight the entire PGP PUBLIC KEY BLOCK
with your mouse and copy.

Then paste the KEY BLOCK into a text editor and save it as a keyfile
using the same keyfile naming convention as you used in STEP FIVE to
name your own keyfile. Thus the keyfile name for John Q. Smith (whose
initials are jqs) would be jqskey.asc

Below is an example of a PGP PUBLIC KEY BLOCK that would be copied.
Be sure to highlight all the dashes "-----" at the beginning and end
of the KEY BLOCK.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

[radix-64 key data omitted]
=KJOg
-----END PGP PUBLIC KEY BLOCK-----

If your web browser does not support the highlighting of text with a
mouse, then do a Save As command to download the keyfile to the PGP
directory on your computer.

There are alternative methods to obtain (or deliver) a PGP Public Key:

You can simply e-mail the keyfile that contains the PGP PUBLIC KEY BLOCK
instead of using a PGP Public Key Server.

You would e-mail your keyfile to your friend, so that your friend could
encrypt messages to you, with your public key. And, your friend would
e-mail their keyfile to you, so that you could encrypt messages to them,
with their public key.

You can post your PGP PUBLIC KEY BLOCK on your web site or ftp site.
A visitor need only highlight the entire PGP PUBLIC KEY BLOCK
with their mouse and copy. They would then paste the KEY BLOCK
into a text editor and save it as a keyfile. (See STEP FIVE
for instructions on naming a keyfile). You can obtain a person's
public key from their web site or ftp site in the same manner.

STEP EIGHT: ADD A PERSON'S KEY TO YOUR PUBLIC KEYRING

After you receive an individual's public key (as in STEP SEVEN),
you must add that person's key to your public keyring (pubring.asc),
so that PGP can use it.

At the DOS prompt type:
pgp -ka keyfile
This will automatically add the person's key to your public keyring.

For example, to add John Q. Smith's key to your keyring you would type:
pgp -ka jqskey.asc

To view your key ring and verify that the key was added properly, type:
pgp -kv  at the DOS prompt.

STEP NINE: ENCRYPT A MESSAGE

Type a short test message with a text editor and save it as an
ascii file, message.txt.

To encrypt and sign your message, go to the DOS prompt and type:
pgp -seat message.txt sender_userID recipient_userID

Remember that you don't have to type the full userID, but if the
userID has a space in it, then the userID must be in quotes.

Since the message is signed, you will be asked for your pass phrase.
Type in your pass phrase that you created in STEP THREE, Part 3, and
press Enter.

The program will then state:
Transport armor file: Message.asc
Message.asc is the name of the encrypted ascii file that you will
e-mail to your friend.

Note: to see what the individual letters (-seat) instruct PGP to do,
at the DOS prompt type:
pgp -h for online help.

STEP TEN: SEND AN ENCRYPTED MESSAGE AS E-MAIL

Open the encrypted ascii file, message.asc, with your text editor.
Copy/paste the entire PGP MESSAGE block into your e-mail client,
then send your e-mail in the usual way.

Below is an example of a PGP MESSAGE that would be copied. Be sure
to highlight all the dashes "-----" at both ends of the MESSAGE.

-----BEGIN PGP MESSAGE-----
Version: 2.6.2

pgAAATVqaqdNzOXCQBI/XNhE9nOZSUBbhGr6UuiSKty2jT/aP8/VhY8/WxLkfmsm
H1AlD5TBzoBwDMqLLQCT9SU0NozeAFCMRMzMl0c1AFB2dT/YNE5Y2hE00TfkHecM
ddggHzxVur+Xcon6C1tN0TUAQqLK+l0+aomtYBeRghVGAqTHB3nA71yK9MXeEcz2
lzEqUJuhKORCMYy6GfeW5ZRKmKloggJXHIafisF82Fw9FZXKHjbsUKtQZCYWxADR
XSs6QzedojKNu33MvxNzjqX4JGUr4w7rYSCY6L2SJWz0MROop1EsHNb0AS/cdd0t
eKNFi6JrHfG3aSBkL9QNcfqsQZiyeAjxv9/YsbJGC4h0Nxlu+Dlfq5nXajARaJNG
szmrPNYxwIO7waKIeB6Y84OE9CcMXd7TriY=
=5+NR
-----END PGP MESSAGE-----

STEP ELEVEN: DECRYPT AN ENCRYPTED E-MAIL MESSAGE

When you receive an encrypted e-mail message save the message to
your hard drive using "asc" as the extension to the file name.
(e.g., message.asc)

To decrypt the message that you received, type:
pgp message.asc -o message.txt

The file name "message.txt", after the -o indicates the name of the
output file that you will create and read.  You will be asked for
your secret pass phrase to decrypt the message.  After creating the
file "message.txt", read it in a text editor.

Assuming you have installed PGP, you can go back to STEP TEN,
and try to decrypt the actual PGP Message shown there. Remember,
highlight the entire PGP MESSAGE block with your mouse and copy.

Then paste the PGP MESSAGE block into a text editor and save the message
to your hard drive as "practice.asc". To decrypt the file type:
pgp practice.asc -o practice.txt at the DOS prompt.

When asked for the pass phrase type in "Zimmermann Rules", without the
quotes, and press enter. Then view the newly created file "practice.txt"
with a text editor or your favorite file viewer.

STEP TWELVE: READ THE DOCUMENTATION

PGP JUMP START is not a substitute for your reading the files,
pgpdoc1.txt and pgpdoc2.txt, which contain documentation for PGP.
Before using PGP, at least read Volume I of the PGP User's Guide,
pgpdoc1.txt. Reading the manual tends to get neglected with most
computer software, but Cryptography software is easy to misuse.
If you don't use it properly much of the security you could gain
by using it will be lost!

You might also be unfamiliar with the concepts behind public key
cryptography; the manual explains these ideas.  Even if you are
already familiar with public key cryptography, it is important that
you understand the various security issues associated with using PGP.
PGP may be an unpickable lock, but you have to install it in the door
properly or it won't provide security.

Below is a list of PGP Documentation files which come with the program:
setup.doc    - Installation guide
pgpdoc1.txt  - PGP User's Guide, Vol I: Essential Topics
pgpdoc2.txt  - PGP User's Guide, Vol II: Special Topics
pgp.hlp      - Online help file for PGP
To display the online help file, type:
pgp -h  at the DOS prompt.

You may prefer to read the hypertext version of
Phil Zimmermann's PGP Documentation files at
http://www.pegasus.esprit.ec.org/people/arne/pgp.html

After reading all the PGP documentation if you still have a
specific question you can ask the noble PGP Help Team at
http://www.well.com/user/ddt/crypto/pgp-help-team.html

STEP THIRTEEN: PGP THE EASY WAY

PGP is a DOS command line program, surviving in a Windows world.
Many computer users have no interest in using arcane DOS commands.
PGP The Easy Way means using a Windows Front-End program.

You may download a PGP Windows Front-End program
(or a PGP DOS Shell) (or even a UNIX or OS/2 or Mac Front-End)
from Scott Hauert's Website at http://www.primenet.com/~shauert/

To incorporate PGP with your e-mail client try Joel McNamara's
Private Idaho at http://www.eskimo.com/~joelm/pi.html the Windows
PGP Front-End, which facilitates sending/receiving encrypted email
messages. There's even a Windows Front-End which runs as an extension
to Eudora, called PgpEudra at http://www.xs4all.nl/~comerwel/

The most recent version of PGP JUMP START, which is always found at 
http://tucson.com/2001/pgpjumps.html, may be freely distributed for
non-commercial purposes, by any electronic means. Please leave
intact, unaltered, and fully credited. However, neither the author of this
document, nor any of its distributors are liable for any loss, damage, or
breach of security which may result from its use.

Copyright 1996
Author: John Whitman <75211.2147@compuserve.com>
Editor: William Johnson <wtj@primenet.com>

----------------------------------------------------------------------------
NorthStar is an Internet Distribution List provided by the Internet Users
Consortium, a fiercely independent Grass Roots organization founded by
Martin Thompson and Kenneth Koldys, Jr., to inform and coordinate Internet
Users concerning political and government actions against the complete
self-actualization of the Internet and our Constitutional Rights in Cyberspace.
----------------------------------------------------------------------------
Past issues of NorthStar are archived at the NorthStar Archive
http://www.iuc.org/www/northstar.html
on the Internet Users Consortium WWW site
----------------------------------------------------------------------------
***Please feel free to distribute NorthStar to as many people and relevant 
forums as possible. That is one way to inform, educate and take action. 
All we ask is that you keep NorthStar intact. It is concise for that very
reason.
***If you wish to submit an article to NorthStar, please send your 
article to northstar@iuc.org 

++++++++++++++++++++++++++++++++++++++
SUBSCRIPTION REQUESTS for NorthStar:
To: northstar@iuc.org
Subject: leave blank
Body of message: subscribe NorthStar your email (format)
*NorthStar comes in 3 formats. Note which format you wish to receive:
html, ascii or ns mail

PUT (ascii) AS THE VERSION IF you do not have access to the World Wide 
Web or would simply prefer to receive NorthStar as a plain vanilla ascii 
email message.

PUT (html) AS THE VERSION IF you would like to see the fully-formatted 
Web version of NorthStar. In this case, you will receive NorthStar as an 
email with the HTML version ATTACHED for easy viewing in Netscape or 
other Web browser.

PUT (Netscape Mail) AS THE VERSION IF you use Netscape Mail and would 
like to see NorthStar materialize as a Web-formatted document right in 
your mail. 

To unsubscribe write: unsubscribe and your email (format)
++++++++++++++++++++++++++++++++++++++
MEMBERSHIP REQUESTS for IUC:
http://www.iuc.org/join.html
++++++++++++++++++++++++++++++++++++++

Internet Users Consortium 
7031 E. Camelback Ste 102-515 
Scottsdale, AZ 85251
Email: proteios@iuc.org
IUC: http://www.iuc.org/
NorthStar: http://www.iuc.org/northstar.html 

Rethink what activism means - Isn't it just participation?
********************************************************************
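The pass-phrase advice in STEP THREE, Part 3 (long, mixed character classes, not a published phrase or keyboard run) can be turned into a rough checker. The script below is an added illustration, not part of PGP or of the PGP Jump Start text; its word list and keyboard rows are constructed stand-ins for the "any published work" test, and its entropy figure is only a length-times-alphabet upper bound that treats every character as independent, so a phrase built from real words (the second example in the guide) scores higher than it deserves.

```python
"""Rough pass-phrase strength check (added illustration; not part of PGP or
PGP Jump Start).  The character-class entropy figure is an upper bound that
treats every character as independent, so phrases built from dictionary
words score higher than a real cracking dictionary would allow."""
import math
import string

# Constructed stand-in for "any published work": a real check would consult
# a large word list and password-cracking dictionaries.
COMMON_WORDS = {"password", "qwerty", "letmein", "secret", "iloveyou"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
SYMBOLS = string.punctuation + " "   # 33 characters


def charset_size(pp: str) -> int:
    """Size of the alphabet an attacker must search once they know which
    character classes the pass phrase uses."""
    size = 0
    if any(c in string.ascii_lowercase for c in pp):
        size += 26
    if any(c in string.ascii_uppercase for c in pp):
        size += 26
    if any(c in string.digits for c in pp):
        size += 10
    if any(c in SYMBOLS for c in pp):
        size += len(SYMBOLS)
    return size


def entropy_bits(pp: str) -> float:
    """Naive upper bound on guessing entropy: length * log2(alphabet size)."""
    size = charset_size(pp)
    return len(pp) * math.log2(size) if size else 0.0


def weaknesses(pp: str) -> list:
    """Crude pattern checks mirroring the guide's advice: not too short, not a
    single class of characters, not a dictionary word or keyboard run."""
    low = pp.lower()
    found = []
    if len(pp) < 12:
        found.append("short")
    if charset_size(pp) <= 26:
        found.append("single character class")
    if low in COMMON_WORDS:
        found.append("common word")
    if len(low) >= 4 and any(low in row for row in KEYBOARD_ROWS):
        found.append("keyboard sequence")
    return found


def assess(pp: str) -> dict:
    """Summary a front-end could show before accepting a pass phrase."""
    return {"bits": round(entropy_bits(pp), 1), "weaknesses": weaknesses(pp)}


if __name__ == "__main__":
    # The three pass phrases quoted in PGP Jump Start, STEP THREE, Part 3.
    for pp in ("QwErTy", "Omaha, Bugaha, Rugaha, 1936XYZ",
               "hdF6kjHd4f$w%@@K#^%5%RoEihefiUwe9/f/g77E5Q7$"):
        print(f"{pp!r}: {assess(pp)}")
```

Run stand-alone it scores the guide's three examples: the first is flagged as short, a common word and a keyboard sequence; the other two pass the pattern checks, with the third scoring highest because it is longer and draws on all four classes.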

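STEPS SEVEN and TEN tell the reader to copy an entire PGP PUBLIC KEY BLOCK or PGP MESSAGE, dashes included. What makes a truncated copy detectable is the line beginning with "=" just before the END line ("=KJOg", "=5+NR" in the blocks quoted above): it is a CRC-24 of the decoded radix-64 data, as defined for PGP 2.6 armor and later in RFC 4880 section 6. The script below is an added example, not code from PGP or from the PGP Jump Start author; it builds and parses armor blocks, tolerates the space-stuffed lines a mail gateway produces, and reports whether the checksum matches. It does not decrypt anything; the sample payload is constructed bytes, not a real PGP packet.

```python
"""Build, parse and check a PGP ASCII-armor block (added illustration; not
part of PGP or PGP Jump Start).  Layout, per PGP 2.6 / RFC 4880 section 6:
BEGIN line, armor headers, blank line, radix-64 body, "=" + 4-character
CRC-24 of the decoded data, END line."""
import base64

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 over the decoded (binary) data."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def encode_crc(data: bytes) -> str:
    """The four radix-64 characters that follow '=' on the checksum line."""
    return base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")


def armor(block_type: str, data: bytes, version: str = "2.6.2") -> str:
    """Wrap binary data in an armor block with 64-column body lines."""
    b64 = base64.b64encode(data).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(
        [f"-----BEGIN PGP {block_type}-----", f"Version: {version}", ""]
        + body
        + ["=" + encode_crc(data), f"-----END PGP {block_type}-----", ""])


def parse_armor(text: str) -> dict:
    """Return block type, headers, decoded bytes and whether the CRC line
    matches.  Leading whitespace on each line (mail space-stuffing, as in a
    digest copy) is tolerated; a missing BEGIN or END line is rejected, which
    is what a copy that dropped the dashes looks like."""
    lines = [ln.strip() for ln in text.splitlines()]
    begins = [i for i, ln in enumerate(lines) if ln.startswith("-----BEGIN PGP ")]
    ends = [i for i, ln in enumerate(lines) if ln.startswith("-----END PGP ")]
    if not begins or not ends or ends[0] < begins[0]:
        raise ValueError("not a complete armor block: BEGIN or END line missing")
    start, end = begins[0], ends[0]
    block_type = lines[start][len("-----BEGIN PGP "):-5]
    if lines[end] != f"-----END PGP {block_type}-----":
        raise ValueError("BEGIN and END lines name different block types")
    headers = {}
    i = start + 1
    while i < end and lines[i]:          # armor headers run up to the blank line
        key, _, value = lines[i].partition(": ")
        headers[key] = value
        i += 1
    body = [ln for ln in lines[i + 1:end] if ln]
    checksum = body.pop()[1:] if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body), validate=True)
    return {
        "type": block_type,
        "headers": headers,
        "data": data,
        "checksum": checksum,
        "crc_ok": checksum is not None and checksum == encode_crc(data),
    }


if __name__ == "__main__":
    sample = b"constructed sample payload, not a real PGP packet"
    text = armor("MESSAGE", sample)
    print(text)
    print(parse_armor(text))
```

A checksum mismatch means the block was damaged in transit or while copying (a dropped line, a mangled character), not that it was forged: CRC-24 is not a cryptographic check, and authenticity comes only from verifying the signature with PGP itself.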

------------------------------

From: "Prof. L. P. Levine" <levine@blatz.cs.uwm.edu>
Date: 27 Jun 1996 13:19:56 -0500 (CDT)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa.  The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet
eMail.  Those who understand the technology also understand the ease of
forgery in this very free medium.  Statements, therefore, should be
taken with a grain of salt and it should be clear that the actual
contributor might not be the person whose email address is posted at
the top.  Any user who openly wishes to post anonymously should inform
the moderator at the beginning of the posting.  He will comply.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution.  As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute.  If you
do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive
SUBJECT: line, otherwise they may be ignored.  They must be relevant,
sound, in good taste, objective, cogent, coherent, concise, and
nonrepetitious.  Diversity is welcome, but not personal attacks.  Do
not include entire previous messages in responses to them.  Include
your name & legitimate Internet FROM: address, especially from
.UUCP and .BITNET folks.  Anonymized mail is not accepted.  All
contributions considered as personal comments; usual disclaimers
apply.  All reuses of CPD material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy,
publications using CPD material should obtain permission from the
contributors.  

Contributions generally are acknowledged within 24 hours of
submission.  If selected, they are printed within two or three days.
The moderator reserves the right to delete extraneous quoted material.
He may change the Subject: line of an article in order to make it
easier for the reader to follow a discussion.  He will not, however,
alter or edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite.  The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.

Web browsers will find it at gopher://gopher.cs.uwm.edu.

---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of:     Computer Privacy Digest
Professor of Computer Science     |                  and comp.society.privacy
University of Wisconsin-Milwaukee | Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher:                 gopher.cs.uwm.edu 
levine@cs.uwm.edu                 | Web:           gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------


------------------------------

End of Computer Privacy Digest V8 #051
******************************