Date: Tue, 01 Jun 93 16:42:32 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@PICA.ARMY.MIL
Subject: Computer Privacy Digest V2#047

Computer Privacy Digest Tue, 01 Jun 93 Volume 2 : Issue: 047

Today's Topics:
Moderator: Dennis G. Rears

Re: Calif requires ID?
CPSR Seeks Clipper Docs
SS#s
Re: P.O. Boxes
Retaliatory Crimes

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@pica.army.mil and administrative requests to comp-privacy-request@pica.army.mil. Back issues are available via anonymous ftp on ftp.pica.army.mil [129.139.160.133].

----------------------------------------------------------------------

Date: Fri, 28 May 1993 12:50:07 -0400 (EDT)
From: "Tansin A. Darcos & Company" <0005066432@mcimail.com>
Subject: Re: Calif requires ID?

From: Paul Robinson
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA
-----
bjones@weber.ucsd.edu (Bruce Jones) wrote to Comp Privacy:

> A couple of nights ago on the local TV news I heard
> that California now requires that all adults carry
> identification at all times.
>
> Can anyone offer any pointers to more information on
> this subject?
>
> Bruce Jones - bjones@ucsd.edu
>
> [ I have never heard of such a requirement here in
> California! If anyone knows otherwise on this topic,
> we'd like to hear about it! -- MODERATOR ]

[Moderator's Note: That wasn't my comment. I don't live in California I wish I did though :-) ._dennis ]

I used to live there and I know what the actual story is, and what may have been misunderstood. In the following article I have to make specific identification of someone by race for the purposes of explaining what happened; it is not meant to convey the gentleman was doing anything wrong.
It was reported that there was this young, black man, who liked to walk around a lot, because he liked to get the fresh air and exercise. In an unrelated book called "Going Public," by David Westheimer, this young man stumbled upon a basic problem in certain areas. He was noticed by local persons and by police in areas where "loitering or appearance by persons of his particular pigmentation are strongly discouraged." In several cases he was stopped by police and asked his reasons for being in a specific area, and asked to show identification. Since he had done nothing wrong, he refused to do so and in at least one instance he was arrested.

California has a law on the books requiring anyone who is stopped by police to show identification upon request; this essentially is the law he was charged with violating. (This is separate and different from the one requiring the operator of a motor vehicle to carry his or her license on their person at all times while operating a motor vehicle and to show it when involved in an accident or stopped by a police officer).

I think he was convicted or he fought the law in court, but it was reported on some tabloid talk show a few years ago: the California Supreme Court struck down the law as unconstitutional because it violated the right to privacy.

About two years ago when I moved to DC I wanted to get a copy of the Vehicle Code. In California, the DMV sells copies for $3.50; it's a slightly large paperback and is about 500 pages. In DC, the Department of Public Works (the agency that issues Drivers Licenses) does not sell copies of the Municipal Regulations: those are sold over at the District Building on the other side of town at 13 1/2th Street. (I kid you not about the number of the street; the building is six blocks from the White House at 1350 Pennsylvania Ave., N.W., at the corner of Penn. and 13 1/2 St.)

The municipal regulations confirm what I later saw on the back of a copy of an ID card issued by the Bureau of Public works. The regulations state very clearly that the obtaining of an ID card is a voluntary measure for the convenience of the person who obtains it and no person is required to be carrying identification or to obtain an identification card.

-----
Paul Robinson -- TDARCOS@MCIMAIL.COM

------------------------------

Organization: CPSR Civil Liberties and Computing Project
From: Dave Banisar
Date: Fri, 28 May 1993 14:30:44 EST
Subject: CPSR Seeks Clipper Docs

CPSR Seeks Clipper Docs

PRESS RELEASE
May 28, 1993

CPSR Seeks Clipper Documents - Brings Suit Against NSA and National Security Council

Washington, DC -- Computer Professionals for Social Responsibility filed suit today in federal district court seeking information about the government's controversial new cryptography proposal.

The "Clipper" proposal, announced by the White House at an April 16 press conference, is based on a technology developed by the National Security Agency that would allow the government to intercept computer encoded information. Law enforcement agencies say that this capability is necessary to protect court ordered wire surveillance.

But industry groups and civil liberties organizations have raised questions about the proposal. They cite the risk of abuse, the potential loss in security and privacy, costs to US firms and consumers, and the difficulties enforcing the policy.

Marc Rotenberg, CPSR Washington office director, said "The Clipper plan was developed behind a veil of secrecy. It is not enough for the White House to hold a few press conferences. We need to know why the standard was developed, what alternatives were considered, and what the impact will be on privacy."

"As the proposal currently stands, Clipper looks a lot like 'desktop surveillance,'" added Rotenberg.

David Sobel, CPSR Legal Counsel, said "CPSR is continuing its oversight of federal cryptography policy.
These decisions are too important to be made in secret, without public review by all interested parties."

In previous FOIA suits, CPSR obtained records from the General Services Administration questioning the FBI's digital telephony plan, a legislative proposal to require that communications companies design wiretap capability. More recently, CPSR obtained records through the FOIA revealing the involvement of the National Security Agency in the development of unclassified technical standards in violation of federal law.

CPSR is a national membership organization, based in Palo Alto, CA. Membership is open to the public. For more information about CPSR, contact CPSR, P.O. Box 717, Palo Alto, CA 9403, 415/322-3778 (tel), 415/322-3798 (fax), cpsr@cpsr.org

------------------------------

From: pbray@reed.edu
Subject: SS#s
Date: 29 May 1993 04:10:19 GMT
Organization: Reed College, Portland, Oregon

Every so often, this group (and others like it) gets a couple of posts about people refusing to give out their Social Security #s. And while the SS# FAQ does a good job of explaining how to avoid handing out your SS# (I have successfully followed its advice several times), it does not sufficiently explain *why* one should do this.

Indeed, apparently information can be accessed with this number. What kind of information? Likewise, would a Mom&Pop business abuse this SS#? I doubt it; what would their motivation be? Even if they were to abuse it, how would they do so? That is, is there a 1-800 number they can phone that says "You have the SS# of someone who lives at somewhere. He likes something. He is someage and plays somegame etc."?

What type of information is available with a SS#? Is it only "credit" type information? Is the warning to avoid handing out the SS# around merely because it is assumed that sometime in the future the SS# will access more information than it currently does? Is the advice a precautionary measure?
Or is there something that truly needs protecting which can otherwise hurt me right now?

Peter

--
"Peter Bray seems to be as aptly named as any Dickens character..."
- Someone on alt.atheism

------------------------------

From: David Lesher
Subject: Re: P.O. Boxes
Date: 29 May 1993 05:21:09 GMT
Organization: NRK Clinic for habitual NetNews abusers - Beltway Annex

Others said:
# You need not get an actual P(ost) O(ffice) Box. Virtually all major
# cities have "Mail Services". These services provide a PO style box, have
# a regular street address, with your box number added. Frequently people
# will call these Suites or Apt's. For example
# My cost for a small box is
# about $15.00/mo.
#

Ouch. Now we know why.....
My real POB costs me $30 per YEAR.......

--
A host is a host from coast to coast..wb8foz@skybridge.scl.cwru.edu
& no one will talk to a host that's close............(301) 56-LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433

------------------------------

Date: Tue, 1 Jun 1993 00:48:56 -0400 (EDT)
From: "Tansin A. Darcos & Company" <0005066432@mcimail.com>
Subject: Retaliatory Crimes
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA

The Moderator of Telecom Digest, Pat Townson wrote on that mailing list (also known as the Usenet news group comp.dcom.telecom), some responses about some person or organization whose fax machine was seeking out fax numbers of other people by essentially trying every number in the Indianapolis area. He then discusses a response to a similar action: a cracker who, after 'trolling' for numbers to try, then using numbers that give what he wants, breaking into some company's system, presumably their computer system, their PBX, or both and a response by whoever the victim was.

Feel free to edit this message to fit.
I wanted to talk about the ethics (morality) of retaliatory responses in kind or the possibility of such actions being possible. For the IBM-PC lists, consider if someone could do this to you, i.e. call into your desktop computer and trash it. For the mainframe, ethics and objectivism lists I've sent this to, what is your opinion of the ethics of retaliatory responses, e.g. you break into my computer system, I break into yours and erase your files? For the readers of Telecom Digest I wonder what your opinions are:

---
Original Title: Re: Autodialer Plaguing Indianapolis

PT> [Moderator's Note: [material relating to suggested responses to use on a 'trolling fax machine' deleted]

PT> The security department in one large corporation *is* responding
PT> in a similar way to hackerphreaks they catch on their site: If
PT> they capture the calling number, they wait a few days and call
PT> back.

[Item indicating caller then is able to access the called-party's machine directly and run a formatting program to damage their computer. The actual text appears below in another comment.]

This assumes the called-party has a program running that would allow access to his computer's DOS from the telephone. I have seen reports about at least two programs that are used to hack phone numbers for making unauthorized calls. They are, in both of the cases I've seen, outbound dialing programs, and do not accept incoming calls. For some outside party to get access to my computer, the program that provides access would have to accept commands to be submitted to DOS, or allow me to shell to DOS.

Just because a computer answers doesn't mean you can even get a response, let alone run a program or access the DOS prompt. The modem answers the phone. The computer can simply wait for an appropriate request string and if it doesn't get it, ignore further messages or even disconnect the call.
One of the reports I read in Phrack [an on-line magazine devoted to cracking computers and telephone systems] stated that in one case, a BBS that people posted hacking material on answered the phone and left silence waiting for the CALLER to switch to answer mode. In some cases they might use a WATSON [a combined modem, touch-tone decoder and voice-mail box that allows the called computer to receive touch-tone responses] or similar device to require the caller to enter a touch-tone sequence. In short, some of these intruders have better incoming call security on THEIR online systems than the commercial sites they broke into!

[This was Pat Townson's remarks about retaliation by companies that had been hit by crackers; 'they' probably refers to the corporate security people:]

PT> If a computer answers, they proceed to format the hard
PT> drive, and leave a single line textfile message saying "You
PT> have been visited by someone who knows a lot more about
PT> hacking than you will ever know!" ... self-help! .... don't
PT> get mad; get even. PAT]

Assuming this is true or that it happened, this is not a good idea. While the person in question (who was called back) is doing something wrong, the executives and security people who run their system risk that the person in question can turn around and file charges against them for the same thing. Further, since this is being done by the security department of a corporate entity, there is the possibility of the defendant (who might be looking at a trial anyway) whose lawyer will then file civil AND criminal charges of Conspiracy and Racketeering!

There is also the doctrine of 'unclean hands'. It's going to be hard for them to claim damages against the cracker or criminal activity on his part when they are doing worse; (especially if what the incoming caller did essentially amounted to stealing computer time or phone service. In his case, it constitutes mere 'embezzlement', 'unauthorized access' or 'toll fraud'.
In their case, it's 'malicious destruction of a computer system'.

If someone runs unauthorized charges on my credit cards, let's say I'm stuck for the $50 fraud maximum on all of them, this will not give me permission to set fire to their car, forge documents and raid their bank account, or steal their property to make up the difference, or to break into their house and paint the inside walls black. (I've been told that one of the worst things that can be done to someone's property is to paint their inside walls black.)

Also, using retaliatory activity against someone who is alleged to commit a criminal act may *fatally damage* an attempt to prosecute them. Because if the plaintiff is doing the same thing, i.e. invading the defendant's computer system, this could be used to show that this is common practice, i.e. that the defendant didn't do anything wrong since *trained professionals* are doing the same thing, or worse.

In short, unless and until a company is willing to declare the law to be nonexistent, e.g. that the government has essentially ceased to function or has become morally bankrupt, using self help is not a good idea. If you don't intend to prosecute and don't think the so-called 'victim' will, then you might get away with it. On the other hand, if it got out that the professional computer security people of a major company were involved in *intentional criminal activity*, the resulting bad publicity might be much worse.

Honest professionals are not supposed to engage in 'tit-for-tat' tantrums, or 'steal from me, I burn down your house' mafia style activity.

-----
Paul Robinson -- TDARCOS@MCIMAIL.COM

------------------------------

End of Computer Privacy Digest V2 #047
******************************