Date: Thu, 12 Aug 93 16:43:10 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@PICA.ARMY.MIL
Subject: Computer Privacy Digest V3#013

Computer Privacy Digest      Thu, 12 Aug 93      Volume 3 : Issue: 013

Today's Topics:                           Moderator: Dennis G. Rears

    Re: Cell Phone Fraud and New Systems
    Re: Digital Cellular - was Re: First Person broadcast on privacy
    Call for Papers IFIP SEC'94 Caribbean
    Re: Returned mail: Host unknown
    Re: Computer Privacy Digest V3#012
    Encryption policy.
    Unrequested Remote Call Forwarding

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@pica.army.mil and administrative requests to comp-privacy-request@pica.army.mil. Back issues are available via anonymous ftp on ftp.pica.army.mil [129.139.160.133].

----------------------------------------------------------------------

Date: Thu, 12 Aug 1993 11:31:47 -0400 (EDT)
From: "Tansin A. Darcos & Company" <0005066432@mcimail.com>
Reply-To: "Tansin A. Darcos & Company" <0005066432@mcimail.com>
Subject: Re: Cell Phone Fraud and New Systems

Jon Allen writes in Telecom Digest:

> I just got home ... see a story on new types of cell phone fraud.
> thieves are using an ESN reader to read the ESNs and phone
> numbers ... off the air and then program them into their own
> phones to rip people off.

Patrick Townson wrote:

> [Moderator's Note: Yep, ESN 'readers' are the latest thing in
> vogue for phreaks. It lets them hit up the cellular carriers for
> a few million per year with stolen ESN's which are sold to other
> unsavory types. PAT]

There was an article printed in a magazine once on the subject of Cellular Fraud and the fact that there is no encryption in the system. The article was authorized for reproduction over BBSs and networks, which is how I downloaded a copy once.
The article mentioned that swapping ESN and MIN codes (also a serial number field) is supposed to be prohibited by the standards for cellular, and doing so is supposed to disable the unit, but because the manufacturers use standard EPROM chips, it is quite easy to do and is common for field replacement of a unit. One item mentioned in the article stated that in exchange for one gram of cocaine, a cellular installer in Washington, DC put the same serial number on someone else's phone.

In my Not So Humble opinion I would suspect that cellular thieves are found in three flavors: those that want to make calls without paying for them; those who wouldn't mind paying for calls but want to have deniability that the calls came from them (like someone selling items the government wants to prohibit ownership of, such as certain drugs for which the pharmaceutical industry can't force people to pay high prices, cellular radio receivers or non-interceptable encryption software); and those that are reselling someone else's access code (to assist those in classes 1 and 2, of course).

The article also stated that the next step for cellular thieves is the "Rolls-Royce" of theft enhancement devices: the "Cellular Cache Box", a device that acts exactly the way the "one-time pad" does in cryptography: you use an encryption key once and throw the key away. Well, the Cellular Cache Box works the same way: it listens on cellular channels for the codes being sent by a cellular phone; when you go to make a call, the Cache Box generates one of the ESNs that it has just heard, then never uses it again. The fraud is then spread over hundreds or thousands of users instead of one or two easily detected instances, and may be much harder to detect. (Would you be able to tell if someone had stolen 10 minutes of airtime use and stuck it on your bill? If you routinely use a lot of airtime, you might never notice. And if you do, how do you prove that the call wasn't yours?)
Here's the kicker: the article came out at least 5 years ago! I remember reading it in California before I moved out to the DC area, and I've been living here for four years. So for at least 5 years the issue has been well known enough to make the general media, yet nothing has been done about it. If the Cellular Cache-Box is just now becoming noticed, either crooks are less smart than I would expect, or the problem has more-or-less stayed hidden but now the cellular companies are so upset by the amounts of fraud that they are now publicising it.

Since I have been proven wrong on my thought that it was not possible, it is the answer and it is what we need to do: we need Kerberos Authentication for Cellular Telephones. Anyone in the MIT Athena group care to figure out how to design it? :)

Paul Robinson - TDARCOS@MCIMAIL.COM
-----
The following Automatic Fortune Cookie was selected only for this message:

Button: Couch potatoes have brain tubers

------------------------------

Date: Wed, 11 Aug 93 01:29 GMT
From: Christopher Zguris <0004854540@mcimail.com>
Subject: Re: Digital Cellular - was Re: First Person broadcast on privacy

In Computer Privacy Digest V3#012 Bill Stewart writes:

>Spread-spectrum techniques substantially increase privacy, though
>their real value is reducing interference and power requirements,
>but it's still eavesdroppable. Spread-spectrum cordless phones are
>just coming out on the market, though I'm not sure I'd be willing

Okay, so if you have a fully digital system without encryption using spread-spectrum (by spread-spectrum I assume you mean frequencies are changed very often during the call), how long would it take your average person with a scanner to tune around trying to follow the call? It would seem like most of the time would be spent on tuning and little on listening! Or are the bulk of the eavesdroppers out there using hacked cellular phones that would automatically follow the freq.
shifts to provide continuous coverage like the real phone? Isn't one of the other benefits of the digital system the ability to eliminate cloning of the ESN (it's ESN for a cellular, right? So many abbreviations for serial numbers)? If the ESN is protected, then a hacked phone would be more difficult, or there'd be no benefit in eliminating fraud, which is the cellular industry's main goal with digital, right?

Christopher Zguris
CZGURIS@MCIMail.com

------------------------------

Date: Wed, 11 Aug 1993 01:58 +0100
From: fortrie@cipher.nl
Subject: Call for Papers IFIP SEC'94 Caribbean

=================================================================
Call for Papers IFIP SEC'94 - updated information August 1993
=================================================================

***************************************************************
              C A L L   F O R   P A P E R S
***************************************************************

Technical Committee 11 - Security and Protection in Information Processing Systems - of the UNESCO affiliated INTERNATIONAL FEDERATION FOR INFORMATION PROCESSING - IFIP, announces:

Its TENTH INTERNATIONAL INFORMATION SECURITY CONFERENCE, IFIP SEC'94, TO BE HELD IN THE NETHERLANDS ANTILLES (CARIBBEAN), FROM MAY 23 THROUGH MAY 27, 1994.

Organized by Technical Committee 11 of IFIP, in close cooperation with the Special Interest Group on Information Security of the Dutch Computer Society and hosted by the Caribbean Computer Society, the TENTH International Information Security Conference IFIP SEC'94 will be devoted to advances in data, computer and communications security management, planning and control. The conference will encompass developments in both theory and practice, envisioning a broad perspective of the future of information security. The event will be led by its main theme "Dynamic Views on Information Security in Progress".
Papers are invited and may be practical, conceptual, theoretical, tutorial or descriptive in nature, addressing any issue, aspect or topic of information security. Submitted papers will be refereed, and those presented at the conference will be included in the formal conference proceedings. Submissions must not have been previously published and must be the original work of the author(s). Both the conference and the five tutorial expert workshops are open for refereed presentations.

The purpose of IFIP SEC'94 is to provide the most comprehensive international forum and platform, sharing experiences and interchanging ideas, research results, development activities and applications amongst academics, practitioners, manufacturers and other professionals, directly or indirectly involved with information security. The conference is intended for computer security researchers, security managers, advisors, consultants, accountants, lawyers, EDP auditors, IT, administration and system managers from government, industry and academia, as well as individuals interested and/or involved in information security and protection.

IFIP SEC'94 will consist of a FIVE DAY - FIVE PARALLEL STREAM - enhanced conference, including a cluster of SIX FULL DAY expert tutorial workshops. In total over 120 presentations will be held. During the event the second Kristian Beckman award will be presented. The conference will address virtually all aspects of computer and communications security, ranging from viruses to cryptology, legislation to military trusted systems, safety critical systems to network security, etc.
The six expert tutorial workshops, each a full day, will cover the following issues:

    Tutorial A: Medical Information Security
    Tutorial B: Information Security in Developing Nations
    Tutorial C: Modern Cryptology
    Tutorial D: IT Security Evaluation Criteria
    Tutorial E: Information Security in the Banking and Financial Industry
    Tutorial F: Security of Open/Distributed Systems

Each of the tutorials will be chaired by a most senior and internationally respected expert. The formal proceedings will be published by Elsevier North Holland Publishers, including all presentations, accepted papers, key-note talks, and invited speeches.

The venue for IFIP SEC'94 is the ITC World Trade Center Convention Facility at Piscadera Bay, Willemstad, Curacao, Netherlands Antilles.

A unique social program, including formal banquet, giant 'all you can eat' beach BBQ, island Carnival night, and much more will take care of leisure and relaxation time. A vast partners program is available, ranging from island hopping, boating, snorkeling and diving to trips to Bonaire, St. Maarten, and Caracas. A special explorers trip up the Venezuela jungle and the Orinoco River is also available. For families a full service kindergarten can take care of youngsters.

The conference will be held in the English language. Spanish translation for Latin American delegates will be available.

Special arrangements with a wide range of hotels and apartment complexes in all rate categories have been made to accommodate the delegates and accompanying guests. (*) The host organizer has made special exclusive arrangements with KLM Royal Dutch Airlines and ALM Antillean Airlines for worldwide promotional fares in both business and tourist class. (**)

(*)(**) Our own IFIP TC11 in-house TRAVEL DESK will serve from any city on the globe.

All authors of papers submitted for the referee process will enjoy special benefits. Authors of papers accepted by the International Referee Committee will enjoy extra benefits.
If sufficient proof (written) is provided, students of colleges, universities and science institutes within the academic community may opt for student enrollment. These include special airfares, apartment accommodations, discounted participation, all in a one packet prepaid price. (Authors' benefits will not be affected.)

**************************
 INSTRUCTIONS FOR AUTHORS
**************************

Five copies of the EXTENDED ABSTRACT, consisting of no more than 25 double spaced typewritten pages, including diagrams and illustrations, of approximately 5000 words, must be received by the Program Committee no later than November 15th, 1993. We regret that electronically transmitted papers, papers on diskettes, papers transmitted by fax and handwritten papers are not accepted.

Each paper must have a title page, which includes the title of the paper, full names of all author(s) and their title(s), complete address(es), including affiliation(s), employer(s), telephone/fax number(s) and email address(es). To facilitate the blind refereeing process the author(s)' particulars should only appear on the separate title page. The language of the conference papers is English. The first page of the manuscript should include the title, a keyword list and a 50 word introduction. The last page of the manuscript should include the reference work (if any).

Authors are invited to express their interest in participating in the contest, providing the Program Committee with the subject or issue that the authors intend to address (e.g. crypto, viruses, legal, privacy, design, access control, etc.). This should be done preferably by email to < TC11@CIPHER.NL >, or alternately by sending a fax message to +31 43 619449 (Program Committee IFIP SEC'94).

The extended abstracts must be received by the Program Committee on or before November 15th, 1993. Notification of acceptance will be mailed to contestants on or before December 31, 1993.
This notification will hold particular detailed instructions for the presentation and the preparation of camera ready manuscripts of the full paper. Camera ready manuscripts must be ready and received by the Program Committee on or before February 28, 1994.

If you want to submit a paper, or you want particular information on the event, including participation, please write to:

    IFIP SEC'94 Secretariat
    Post Office Box 1555
    6201 BN MAASTRICHT
    THE NETHERLANDS - EUROPE

or fax to: IFIP SEC'94 Secretariat: +31 43 619449 (Netherlands)

or email to: < TC11@CIPHER.NL >

***************************************************************
Special request to all electronic mail readers: Please forward this Call for Papers to all networks and listservices that you have access to, or otherwise know of.
****************************************************************

Sincerely
IFIP TC 11 Secretariat

Call for Papers - updated information August 1993
=================================================================

------------------------------

Date: Wed, 11 Aug 93 00:18:28 PDT
From: Kelly Bert Manning
Subject: Re: Returned mail: Host unknown
Reply-To: ua602@freenet.victoria.bc.ca

Someone who has lost their job would probably want to pay for a pager, rather than take a chance on missing a job offer call. I don't know what US local monthly telephone charges are, but I know one person here in Victoria who got a pager because it was cheaper than renting a telephone to receive calls. It is a lot cheaper than a cellular phone.

>
>I would probably have a pager. For my job I don't need it, but remember
>the post I was responding to was talking about a person who had lost
>his job.

There is a FAQ post that shows up at our reader site periodically that covers many of these issues. I've used E-Mail at work since at least 1984 and have always assumed that anything I write might be read, and had this confirmed to me at one point.
A lot of the problems seem to come out of mixing an employer provided service with personal communications. Why not get involved with getting a freenet going in your area? That is how I avoid anyone making an unwarranted connection between me and my employer.

Where I work there is a rule that no personal mail can be placed in mail out baskets, even if it is stamped. The pickup was outsourced and the cost to my employer is based on the volume. Ironically this coincided with Canada Post Corp. cutting back on mail boxes and denying private individuals access to real P.O.s because "people can mail from work".

In government jurisdictions subject to Freedom of Information statutes there is actually a legal basis for archiving a lot of E-Mail and retaining it for at least some period of time. Is the private sector so different, at least with regard to internal access? The archived E-Mail notes of Iran Contra principals gave a very enlightening account of their activities and their thinking, in their own words. The Clipper chip proposal could be viewed as a proposal to scale this up to cover all routine US Federal Government digital communications.

------------------------------

Date: Wed, 11 Aug 93 09:03:30 MDT
From: David Wade
Subject: Re: Computer Privacy Digest V3#012

> and that any organization that DID choose to use it for
> identification not related to taxes was required to offer alternate
> identification numbers upon demand. Can somebody who KNOWS answer the
> following questions:
>
> 1) Who is allowed to demand my Social Security number, and for what
> purposes? I'm curious about both governmental and non-governmental
> organizations.
>
> 2) Is there any penalty for violation of this law, i.e. for
> withholding benefits, memberships, etc. on sole grounds of refusal
> to give a Social Security number?
>
> 3) Is there a government publication stating this?
>
> Thank you,
> --
> Stephen Bloch

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

Check out The Privacy Act of 1974, available free from your congresscritter. Just ask it for a copy.

There is also an assessment of the 1974 Privacy Act which is also printed by the Gov't, thus free for the asking. It is For Sale by the Superintendent of Documents, U.S. Government Printing Office, Washington, D.C. 20402:

    The Report of the Privacy Protection Study Commission
    Stock No. 052-003-00395-3
    "Personal Privacy in an Information Society"
        Appendix 1 "Privacy Law in the States"
        Appendix 2 "The Citizen as Taxpayer"
        Appendix 3 "Employment Records"
        Appendix 4 "The Privacy Act of 1974: An Assessment"
        Appendix 5 "Technology and Privacy"

Another source is to subscribe to "The Privacy Journal" for a while. There is a SUBSTANTIAL student discount available. Ask your college librarian to see a copy. Were you aware that librarians are usually the people spending the most time worrying about "privacy"? Many librarians care.

And yes, there is a law, with penalty.

------------------------------

From: Leo J. Irakliotis
Subject: Encryption policy.
Date: Thu, 12 Aug 1993 03:17:33 GMT
Reply-To: irakliot@lance.colostate.edu
Organization: Engineering Network Services, Colorado State University

Hope I'll get some responses here. Is encryption in email legal? Is it legal for an electronic mailing list, or a usenet newsgroup, to operate using encryption? If encryption is against the law, please cite some references.
Thanks,
--
Leo J Irakliotis                       irakliot@longs.lance.colostate.edu
-----------------------------------------------------------------
Electrical Engineering                          l.irakliotis@ieee.org
Colorado State U                                       (303) 491-2021
Optical Computing Lab

------------------------------

Newsgroups: pub.tdarcos.private.mail
Date: Thu, 12 Aug 1993 11:20:10 -0400 (EDT)
From: Paul Robinson <0005066432@mcimail.com>
Reply-To: Paul Robinson <0005066432@mcimail.com>
Subject: Unrequested Remote Call Forwarding
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII

From: Paul Robinson
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA
-----

A posting on the Risks list discussed how an inmate at a state penitentiary was able to get some private party's phone to be enabled with Remote Call Forwarding (RCF), AND got someone from the phone company to give them the security code over the phone.

I just thought about this. A while back I had two additional phone lines installed in my house to add to the two I already had. At the request of the person who wanted the extra line, I put "Ultra Call Forward" (C&P Telephone's name for RCF) on one of the lines. It just occurred to me, if I'm not mistaken, that the clerk did give me the information (800 number if long distance, local number if local, to set up the service, and the passcode) at the time I requested the service change, even though he did not ask me for any personal identification when I placed the order.

It's been said on Telecom Digest several times that inmates in prisons make calls that have to be made collect only. Are they referring to the phones provided by the correctional facility, or are the pay phones set up so they cannot place calls other than collect? If prison pay phones can only call collect, then the person that did this had to have an outsider do this, or they had to be calling an 800 number (can prison phones call 1-800 numbers? If not, how do they call their lawyer if he has one?)
---
Paul Robinson - TDARCOS@MCIMAIL.COM
-----
The following Automatic Fortune Cookie was selected only for this message:

"I didn't ask to get hatched into this family!" - Robbie, Dinosaurs

------------------------------

End of Computer Privacy Digest V3 #013
******************************