Date: Wed, 26 Aug 92 17:53:35 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@PICA.ARMY.MIL
Subject: Computer Privacy Digest V1#074

Computer Privacy Digest Wed, 26 Aug 92              Volume 1 : Issue: 074

Today's Topics:                         Moderator: Dennis G. Rears

    Re: Feds seek customer records on "Grow-lamps"
    Re: Computer Privacy Digest V1#073
    Re: Court Ruling on SocSec# at Rutgers, info needed
    Re: use of SocSec# as student ID [Computer Privacy Digest V1#073]
    NBC's Secret Service

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@pica.army.mil and administrative requests to comp-privacy-request@pica.army.mil.

Back issues are available via anonymous ftp on ftp.pica.army.mil [129.139.160.200].

----------------------------------------------------------------------

Date: Mon, 24 Aug 92 15:59:28 MDT
From: David Wade
Subject: Re: Feds seek customer records on "Grow-lamps"

Clearly you don't see the good that these cash-registers are doing. They are making records which can be examined to prove that you committed a crime, just as soon as we get around to that particular crime... We all know that there are crimes so heinous that the people who perpetrate these crimes must be caught and punished.

> From: Dan Veditz
>
> An AP story in today's paper (21 Aug 1992) date-lined
> San Francisco states that Federal prosecutors sought court
> orders yesterday to force three local businesses to turn over
> their customer lists, sales receipts and shipping records
> for indoor "Growing lights" since the start of 1990. They
> also want copies of any correspondence mentioning marijuana.

This particular ploy has been being used in the "war on drugs" for so long that reporting on it used to be a regular feature of "High Times", and even that venerable olde ragg "Rolling Stone".
It seems that similar methods were used to determine which people fit into this group of people, (i.e. those people who would actually "burn their draft-card" before running off to Canada...).

Back when all this started, everyone knew that you could easily cultivate these "magic mushrooms" (i.e. "cow-paddy mushrooms") and, you could trivially get your "get-high" merchandise. Now, it has become "fashionable" and "politically-correct" to be "clean". Times Change.

Here in New Mexico you can buy 4oz of Paregoric with Opium "over the counter", every other day. Or 4oz of Cough Syrup with Codeine "over the counter" every other day... (Unless, of course, you can find two drug stores with Pharmacists who don't know each other...) Oh, yeah, it's really hard to separate the Codeine from the cough syrup... (You put it in the refrigerator, the white stuff that settles out is the codeine.)

So now it is easy to impress the illiterati by lots of press coverage on how you "logically deduced" that people with "grow lamps" or people who answered the "Grow Marijuana in the privacy of your basement" ads in "High Times" are evil.

The only truly evil people I've ever met spent absolutely no time in determining the difference between "yours" and "mine". It had nothing to do with drugs. I lost several friends when I discovered they didn't even consider that something was "mine" and not theirs. (We're talking wives&children and lifestyles here, not guns&autos...) And we're talking My Privacy and your "right to know"...

My Privacy is my most jealously guarded right. You may think that I am being strange here. Since I have a "Q" clearance, and the government re-investigates me every five years, and I provide them with a signed list of affiliations and addresses... But I don't see it that way. I just don't understand what makes people/police feel that they have the "right" to step into my life whenever they wish.

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
I promised myself ( when I turned 21, ) that I wouldn't ever again do anything just once. I think that solves a lot of problems; no high speed crashes into bridge abutments, no one-night stands, etc.
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

------------------------------

Date: Mon, 24 Aug 92 20:21:32 EDT
From: uunet!Camex.COM!kent@uunet.uu.net
Subject: Re: Computer Privacy Digest V1#073

Edward A. Bertsch (eab@msc.edu) wonders about my reaction to By Way of Deception:

>I don't understand. It made you want to start encrypting your personal
>communications, or it made you worry what people would think if you
>were encrypting your personal communications ? (or did it make you
>worry if you were encrypting your personal communications with a
>strong enough algorithm on a secure machine with coresident software
>you could trust and a bios the feds hadn't gotten their fingers
>into?) et cetera.

Well, I had made the mistake of arriving in Las Vegas for a tradeshow without enough reading material. Being the kind of town it is, there are very few books available within walking distance of the Riviera, so I was very happy to find By Way of Deception--and sad once I finished it.

The visceral effect of reading a modern, practical book on spying in a place like Las Vegas can be significant. One result is that I suspect my hotel room hiding place for small valuables ('slick' I think is the technical term) was much better than it otherwise would have been. The book generally made me see things as a spy might, it made me see spy-like puzzles everywhere.

The best puzzle was wondering how I could send a secure message to, say, my mother. We do email (don't all of you have gray-haired mothers online?, mine is at "borgh@aol.com"), I had a Mac in my room--but I assumed that anything I sent by modem or voice calls was "in the open".
I also assumed that Stuffit 1.5.1's "NewDE Encrypt" is pretty secure. (Is it??)

OK, I could send an encrypted message, but how do I get a secure key to my mother? I emailed it, in plain text, simple prose--but in a form that only she would understand. I dredged through my memory. I needed a clue, something she would get, something that was not a matter of public or private record, something that could not be weaseled out of her in a "chance meeting" at the grocery store.

When she got it she thought I was acting a bit crazy, didn't know where to begin, and sent email asking for more help. Before she got my coy response, she had figured it out. We still use this password. My mother has spent enough time reading spy novels that I trust that she didn't write it down anywhere, and didn't and wouldn't tell anyone.

The password itself is the initial letters of a short phrase. I think my clue said how many words long it was, but beyond that it was pretty obscure. (I don't want to risk repeating it here without looking up my exact original wording--no point in offering more clues to the NSA.)

Have I fooled myself about how secure this is? I don't think so. First--at least until I posted this--I can't believe I am worth spying on. Second, once they do start bugging me, I don't believe the available spies are particularly competent. Third, I only offer high odds on the security, I am not convinced 100%.

The weakest link is my mother's computer and keyboard. It could be physically bugged; or, because it is not tempest quality, it could be tuned in on the radio. They would still need to get her to type the password--and because we mostly don't encrypt mail, this is not trivial, sending a bogus mail message is pretty risky, word of it would likely get back to me.

My primary computer these days is a notebook. It is smaller and so a lot harder to bug; it is low power and it moves, so it is harder to tune in by radio.

Sure, given sufficient resources, *I* could crack something like this, but it would be hard and risky. If it turns out Stuffit 1.5.1 is not secure?, all bets are off.

This all makes me want a secure public system of public key cryptography. Too bad Apple doesn't dare put RSA for messages into their coming O.C.E., instead they only use it for digital signatures--though even signatures also would make it more of a pain to a spy trying to break things, for it makes "social engineering" so much harder if you cannot spoof messages.

>Edward A. Bertsch (eab@msc.edu) Minnesota Supercomputer Center, Inc.

Hi from a former Minnesotan!

--
Kent Borg
kent@camex.com or kentborg@aol.com
H:(617) 776-6899 W:(617) 426-3577
As always, things look better when some costs are left out.
-Economist 3-28-92 p. 94

------------------------------

From: "Carl M. Kadie"
Subject: Re: Court Ruling on SocSec# at Rutgers, info needed
Date: Tue, 25 Aug 1992 14:02:04 GMT

(This excerpt is available on-line. Access information follows.)

=================
law/ferpa
=================
Excerpts from _College and University Student Records: A Legal Compendium_, Edited by Joan E. Van Tol, 1989. Details the Family Education Rights and Privacy Act's (Buckley Amendment's) provisions on directory information. Van Tol's book is very good.

=================
=================

These document(s) are available by anonymous ftp (the preferred method) and by email. To get the file(s) via ftp, do an anonymous ftp to ftp.eff.org (192.88.144.4), and get file(s):

  pub/academic/law/ferpa

To get the file(s) by email, send email to archive-server@eff.org. Include the line(s) (be sure to include the space before the file name):

send acad-freedom/law ferpa

--
Carl Kadie -- kadie@cs.uiuc.edu -- University of Illinois at Urbana-Champaign

[Moderator's Note: Thanks for the info. If possible can you provide an index of privacy related files available there for our readers.
._dennis ]

------------------------------

Subject: Re: use of SocSec# as student ID [Computer Privacy Digest V1#073]
Date: Tue, 25 Aug 92 13:19:09 -0400
From: Ed Frankenberry

Dave Grabowski writes:

> One could say that the school could come up with some kind of new
> ID scheme, but wouldn't that basically come back to the same problem?

Many colleges/universities use 9-digit student ID numbers. Mostly for the sake of convenience, schools routinely request incoming students to disclose their social security number to use the SSN as their student ID number. However not all students have an SSN (e.g. foreign nationals) and some of us who do don't want to have it abused in this manner.

When I enrolled in grad. school the registrar was able to provide a student ID number, just like they do for incoming foreign students. In my case it looks like a fake SSN (it begins with a 9), and the registrar assigns them sequentially. Because it involves no extra effort, the school may prefer to use your SSN, but they should assign you a student ID number if you request it.

Ed Frankenberry

------------------------------

Date: 25 Aug 92 21:12:41 EDT
From: Gordon Meyer <72307.1502@compuserve.com>
Subject: NBC's Secret Service

The August 23, 1992 episode of NBC's "Secret Service" had a couple of scenes that should make _any_ American cringe, but may likely escape notice by many as they become a part of routine law enforcement tactics.

The story was about counterfeiting, and featured a glorified scene where an undercover agent was "arrested" with the suspects, and then strategically placed in their holding cell so he could tell them that they (the suspects) had squealed on each other during questioning. Resulting in them virtually confessing their crimes (a murder in connection with the fake bills) in front of the undercover agent. It's unclear that the two were so stupid to refuse legal counsel, or if they had even been given the opportunity.

Earlier in the same show, after a 'high technology' examination of a counterfeit bill, an SS scientist pronounces that the paper used to print the bill was "similar" to one sold by a Paper Mill in Oregon. But he also noted that the ink and all other elements of the bill seemed to point to South American origin. Ignoring the latter, the agent in charge immediately pronounced that they would 'obtain the customer list from the Paper Mill.'

Obviously, in a show like this the line between fiction and reality is easily blurred. But in this case it's a safe assumption that these tactics, while glossed over by the drama, are not fictional. And I wonder how many people viewing that night even blinked at this invasion of privacy?

Gordon R. Meyer
Internet: 72307.1502@compuserve.com

------------------------------

End of Computer Privacy Digest V1 #074
******************************