Date: Fri, 10 Dec 93 16:03:32 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V4#005

Computer Privacy Digest Fri, 10 Dec 93              Volume 4 : Issue: 005

Today's Topics:                         Moderator: Leonard P. Levine

                   Help finding code of practice
                   Re: Is PGP really Uncrackable?
                   Re: Is PGP really Uncrackable?
                   Re: Is PGP really Uncrackable?
                   Re: Is PGP really Uncrackable?
                   Re: Is PGP really Uncrackable?
                   Re: Is PGP really Uncrackable?
                   Re: Right To Search Floppy Disks?
                   Re: Right To Search Floppy Disks?
                   Re: Right To Search Floppy Disks?
                   Re: Guns Control/Registration/Confiscation
                   "Sneakers" (long)

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

Back issues are available via anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password "yourid@yoursite". The archives are in the directory "pub/comp-privacy". Archives are also held at ftp.pica.army.mil [129.139.160.133].

----------------------------------------------------------------------

From: Kasthuri Jayaraman 61-89-895280
Date: Fri, 10 Dec 93 10:43:08 CST
Subject: Help finding code of practice

hi,

Our computing section has informed me that a Code of practice on computer security has been published jointly this week by the UK government and the industry and they would like a copy of it. We don't know the Bibliographic details to order this item. Could you please fax me the details? The reference appeared in the NEW SCIENTIST, 2 OCT 1993 issue on page 12.

thanking you for your help
kasthuri

------------------------------

From: matt@ra.oc.com (Matthew Lyle)
Date: Tue, 7 Dec 1993 23:52:19 GMT
Subject: Re: Is PGP really Uncrackable?
Organization: OpenConnect Systems, Dallas, TX

Chris Burris writes:

>I have heard recently that the author of PGP was forced by the NSA to
>insert a trapdoor into PGP. He was allegedly charged with trafficking
>narcotics and the NSA forced him to put the trapdoor into PGP as a plea bargain.
>Is this true?

Sounds like fiction to me. The authors of the current versions of PGP are not US citizens or residents of the USA.

--
Matthew Lyle                         matt@oc.com  matt@utdallas.bitnet
OpenConnect System, Dallas, Texas    (214) 888-0474

------------------------------

From: Richard Roda
Date: Wed, 8 Dec 1993 01:24:12 GMT
Subject: Re: Is PGP really Uncrackable?
Organization: North Carolina State University, Project Eos

In article Chris Burris writes:
>I have heard recently that the author of PGP was forced by the NSA to
>insert a trapdoor into PGP. He was allegedly charged with trafficking
>narcotics and the NSA forced him to put the trapdoor into PGP as a plea bargain.
>Is this true?
>

No. The article made obvious mistakes. It said "Paul Zimmerman" when the author of PGP is Phil Zimmerman. It was 99 44/100% Pure BS.

--
--
PGP 2.3 Public key by mail | Richard E. Roda
Disclaimer-------------------------------------------------------------
| The opinions expressed above are those of a green alien who spoke to |
| me in a vision. They do not necessarily represent the views of NCSU  |
| or any other person, dead or alive, or of any entity on Earth.       |
-----------------------------------------------------------------------

------------------------------

From: fec@arch4.ho.att.com (F E Carey +1 908 949 8049)
Date: Tue, 7 Dec 93 20:49:39 EST
Subject: Re: Is PGP really Uncrackable?

>I have heard recently that the author of PGP was forced by the NSA to
>insert a trapdoor into PGP. He was allegedly charged with trafficking
>narcotics and the NSA forced him to put the trapdoor into PGP as a plea bargain.
>Is this true?

As crazy as this sounds it has a certain "Inslaw/Reconosciuto" ring.

Frank Carey at Bell Labs
f.e.carey@att.com

------------------------------

From: kkruse@enterprise.ksu.ksu.edu (Korey J. Kruse)
Date: Wed, 8 Dec 93 03:03:20 CST
Subject: Re: Is PGP really Uncrackable?

Chris Burris writes:

>I have heard recently that the author of PGP was forced by the NSA to
>insert a trapdoor into PGP. He was allegedly charged with trafficking
>narcotics and the NSA forced him to put the trapdoor into PGP as a plea bargain.
>Is this true?

Nope. PGP is distributed with source code. You can examine it all you want. Numerous experts in cryptography have (check out sci.crypt) and determined that the program does not have any "trap doors". This story has been circulating on many newsgroups...it originally started as a prank. Unfortunately too many people take the news they read as the word of God and then propagate misinformation. You have been a victim of this.

--
kkruse@ksuvm.bitnet
kkruse@ksuvm.ksu.edu
kkruse@matt.ksu.edu

------------------------------

From: WHMurray@dockmaster.ncsc.mil
Date: Wed, 8 Dec 93 09:16 EST
Subject: Re: Is PGP really Uncrackable?

>I have heard recently that the author of PGP was forced by the NSA to
>insert a trapdoor into PGP. He was allegedly charged with trafficking
>narcotics and the NSA forced him to put the trapdoor into PGP as a plea
>bargain.

>Is this true?

No. This myth is the result of a satirical (and irresponsible) post. The satire was lost on the uninitiated.

William Hugh Murray, Executive Consultant, Information System Security
49 Locust Avenue, Suite 104; New Canaan, Connecticut 06840
1-0-ATT-0-700-WMURRAY; WHMurray at DOCKMASTER.NCSC.MIL

------------------------------

From: mch@sqwest.wimsey.bc.ca (Mark C. Henderson)
Date: Wed, 8 Dec 1993 22:28:58 GMT
Subject: Re: Is PGP really Uncrackable?
Organization: SoftQuad Inc. (POSTER IS NOT A SPOKESPERSON FOR SOFTQUAD INC.)

In article Chris Burris writes:
>I have heard recently that the author of PGP was forced by the NSA to
>insert a trapdoor into PGP. He was allegedly charged with trafficking
>narcotics and the NSA forced him to put the trapdoor into PGP as a plea bargain.
>Is this true?

Not quite. They just killed Phil "aka Paul" Zimmerman and replaced him with an android. ;-)

Now more seriously, the source code to PGP is publicly available. Any attempt to insert a back door into the "official" source code would almost certainly be detected.

Mark
--
Mark Henderson, SoftQuad Inc., 108-10070 King George Hwy, Surrey, B.C. V3T 2W4
Internet: mch@sqwest.wimsey.bc.ca, markh@wimsey.bc.ca
Voice: +1 604 585 8394 Fax: +1 604 585 1926
RIPEM MD5OfPublicKey: F1F5F0C3984CBEAF3889ADAFA2437433
ViaCrypt PGP Key Fingerprint: 21 F6 AF 2B 6A 8A 0B E1 A1 2A 2A 06 4A D5 92 46

------------------------------

From: nevin@cs.arizona.edu (Nevin Liber)
Date: 7 Dec 1993 18:21:43 -0700
Subject: Re: Right To Search Floppy Disks?
Organization: University of Arizona CS Department, Tucson AZ

In article , Justin Fidler wrote:

>It's a bit of a unique situation. Students purchase the disks from the
>school for $1.00 or may bring in their own. The student must keep this disk
>in a classroom disk box that the school provides that is locked at the end of
>the class. The reason for not letting students take disks home, they
>claim, is that students could bring viruses onto the network.

Here is a thought: suppose the disk in question had a virus on it, and the administration confiscates the disk and tries to read the disk, thus invoking the virus. Who is responsible for this? Does the responsibility change if the student wrote the virus as an intellectual exercise but never intended to invoke it? Suppose the damage was accidental due to a buggy program? Now who is responsible?

I doubt that schools have "clean" machines that they test these disks on.
I doubt that most school administrators would even think about protecting themselves from this threat.

--
Nevin ":-)" Liber    nevin@cs.arizona.edu    (602) 293-2799
                                              ^^^ (520) after 3/95

------------------------------

From: swd_lrr@genb.cca.cr.rockwell.com ()
Date: Wed, 8 Dec 93 16:59:38 GMT
Subject: Re: Right To Search Floppy Disks?
Organization: Rockwell International

>>Dick Murtagh (8-465-4916) wrote:
>>Disclaimer: I am not a lawyer. Do not take this as legal advice :
>>It's a matter of who owns the disks. Are they borrowed from the school
>>or were they purchased by the student ? If they belong to the school,
>>then the school can search them at any time (like the lockers).

> So, if I borrow a sheet of paper from a friend, that friend "owns"
> whatever I have written on it?? I do not believe that that is a
> reasonable expectation. If it is, I'll loan all my favorite authors
> all the paper they want. :-_

Not so. However, that person has a right to read anything legible thereon when you return it, even if he demands you return it with no notice.

Lance

==)--------
-=[ Floccipaucinihilipification is worthless! ]=-
--
--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--
Lance.Reichert@f120.n283.z1.fidonet.org ||
  -or- swd_lrr@afds.cca.cr.rockwell.com || Don't believe everything you read.
8E03 8D25 7D69 07F4 8845 6CCA 28E8 67CF || Whatever you _do_ believe, make
BOMBREAKGBORDERESERVENCRYPTARGETRAITORSA|| sure you DON'T believe the opinions
PGPRESIDENTWACKENHUTFEMARSHALLETHALAJFBI|| embodied herein are Rockwell's!
EXPOSECRETFEDERALIASCIASSASINATEDEAGUNSA||
--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--

------------------------------

From: bitbug@netcom.com (James Buster)
Date: Thu, 9 Dec 1993 00:27:51 GMT
Subject: Re: Right To Search Floppy Disks?
Organization: Lynx Real-Time Systems, Inc.

In article ranck@joesbar.cc.vt.edu (Wm. L. Ranck) writes:
>Actually I think folks seem to have a basic misconception here.
>It is precisely *because* they are not the police that they can do locker
>searches, etc. The police are held to a higher standard for probable cause
>to search.

That is, precisely, the problem. In most (all?) public schools, school administrators are government employees. I think that *all* government employees should be held to the same standard of conduct as police officers. Otherwise you have the current intolerable situation where "Oh, she's not a *police officer*, she's an *administrator*.". Just wait until some idiot bureaucrat figures this out, and sends administrators to illegally search your home: "It's ok, they're not police officers.".

--
James Buster
bitbug@netcom.com

------------------------------

From: steele!basile@uunet.uu.net (Steve Basile)
Date: 8 Dec 1993 01:20:48 GMT
Subject: Re: Guns Control/Registration/Confiscation
Organization: I Don't Speak For...Tivoli Systems, Inc. - Austin, TX

In article David Horvath writes:
>> I have been taking all of this Brady Bill info in with utter amazement
>> at the NRA stand, which is that once an instant background check is
>> available, the waiting period should be phased out. Am I missing
>> something here? An instant background check sounds to me like a
>> [more stuff about registering and confiscation of firearms that in
>> theory should be protected by the 2nd amendment DELETED]
>
>> Where is the NRA's head at with this, anyway? This whole "instant,
>> computerized" nonsense scares me more than any stupid waiting period (which
>> by the way, we have had here in Minnesota for years).
>
> While I share many of these same concerns, I feel it *would* be
>possible to implement such a system without identifying *what* or *how
>many* you were buying. A simple NCIC check would show if you were a
>convicted felon and the addition of a 'mental stability' flag to the
>database would be a simple matter.
>
>
> In order to get a permit to concealed-carry a handgun in Pennsylvania,
>you have to supply references, answer a questionnaire (are you a drunkard,
>etc), supply 2 passport sized photos, and pay a fee. The references, the
>local police (who better to know if you're a trouble maker), and often
>your neighbors are contacted. I assume a lookup is done in the NCIC.
>

I just moved to TX from NY, and am now more aware of the VARIETY of gun control laws that exist. In NY (UPState, not NYC) I applied for a permit to carry in September, 1981. I got it in late November that year, after submitting:

1. Five sets of fingerprints (for local, county, state, FBI, BATF)
2. Five photographs (for same police departments, agencies)
3. Three signed affidavits from references who are not related and have known me more than three years, attesting to my good character.
4. Evidence that I have successfully completed a pistol safety course (sponsored and delivered by an NRA chapter, BTW)
5. An application listing all biographical info, previous address info, employer and a reason for wanting a gun (protection)

Three MONTHS later, I was called before a County Court judge who signed my permit. I was allowed at that point to purchase ONE weapon. Additional weapons require a trip to the county courthouse, fill out an application, then wait a week or so for them to process the app during which time, assumedly, they ascertain you are not a crook.

Hence... A Brady Bill-induced five day waiting period is of little consequence.

My permit is NOT valid in the 5 Boroughs (counties) that make up NYC. Permits there require a psychiatric evaluation, and NYPD commissioner approval, and must be renewed every year.

In Texas, all I have to do is show a drivers' license, fill out a form (that is not even sent in to a central bureau, but kept in the store) and then pay cash, check or credit card. The only "check" done in TX is a credit check. Big difference.
No concealed weapon permits are available here though, unless you are a "peace officer."

Bottom line: when I buy a sofa with a credit card, the cashier knows within 30 seconds whether or not I have sufficient credit. If I am turned down, the cashier does not know whether I am a deadbeat, or if there is a network problem, or if I just missed a payment. The NCIC check should be similarly implemented, and I would welcome it.

"Sorry sir/ma'am, your transaction was denied. You'll have to check with your local PD (like checking with your bank) to clear this up, then we'll be glad to sell you this handgun." No "authorization code" no gun.

Bad news though. Even in tough-gun-law central, NYC, if I have about $150.00 and a little time (30 minutes or so) I can get a cheap revolver near Union Square park or over on 8th Avenue with NO paperwork. Laws address the law-abiding folks, sorry...

--
Stephen Basile       |"If you stay in Beverly Hills too long,
A Cog In The Machine | you become a Mercedes" --R. Redford    ____
Tivoli Systems Inc.  |                                        \  /
basile@tivoli.COM    | DISCLAIMER: _MY_ thoughts, OUR world.   \/

------------------------------

From: roberts@decus.arc.ab.ca (Rob Slade, Ed. DECrypt & ComNet, VARUG rep, 604-984-4067)
Date: 9 Dec 1993 14:43:12 -0600
Subject: "Sneakers"
Organization: UTexas Mail-to-News Gateway

MVSNEAKR.RVW 931028

"Sneakers", Universal Pictures

In trying to come up with a computer film festival after "Colossus," "War Games" and "Sneakers," we quickly ran out of ideas. (The electronic communications in "Jack Flash" were important, but not a major part of the story.)

"Sneakers" received a lot of publicity on the net at its release, not least because of the "technical advice" given to the movie by a famous hacker and phone phreak. (It is not for nothing that there are so many references to "Captain Crunch" in the movie.
He took his nom-de-guerre from the discovery that a prize whistle which came in boxes of the cereal gave out the 2600 hertz tone which could be used to command older telephone switches.) ("2600" magazine also takes its name from this fact. The tone, not the cereal.)

Falling generally into the thriller, rather than science fiction, genre, "Sneakers" will not likely become either a cinematic or a cult classic. While not, perhaps, of the first rank, it should nonetheless hold a reasonably high place in the second rank of recent movies. (Readers are free, of course, to consider this scant praise.)

Character development is scant, and social, as well as technical, absurdities are present. At one point the bad guys are tipped off by a supposed mismatch in a couple purportedly assigned by a computer dating service: any normal human would know that a meat market is a meat market, regardless of any hype over computerization.

There are other places where the logical takes second place to the visual. Seminar speakers do *not* stand where the overhead can shine in their eyes. Teachers (particularly in the U.S.) do *not* have apartments out of "Better Homes and Gardens." Security guards do not pull random wires out of security camera clusters.

Continuity could use some work, too. At one point, literally hundreds of armed guards pour out of the rhododendrons, enough to fill all the corridors and stairways in the complex: within five minutes the heroes are able to run the length of the complex (and up the stairway where the guard was so suspicious of the wiring) without seeing a soul.

(In counterpoint to some unutterably bleak scenes, most of the movie contains wit and humour. The negotiations between the hackers and the NSA are hilarious. Unrealistic, with three people facing you carrying machine guns, but hilarious.)

In comparative terms the technical detail is fairly reasonable. The story hinges on the existence of a "universal" code breaker.
For existing encryption and decryption techniques, it is known just how difficult it is to break a given code. However, as the inventor states in the movie, "What if there is another way?" We do not yet know enough about information to say that there is *not* another way to extract the meaning from encrypted data. (It is unlikely, but not absolutely impossible.) This does, however, preclude the reasoning in the film that such a device would not be of use for different types of codes. Universal is universal. (It would probably make for great translation software, too ...)

The technical trappings of the movie, though, again suffer from the dictates of the artistic director. I actually do own an acoustic coupler modem, obtained when I bought a computer for its historical value. (I have no idea whether or not it actually still works.) A computer display at one point purports to show the progress of a telephone call being traced: it bears a striking resemblance to the (equally unrealistic) "burning fuses" used to light off explosives in other thrillers. Decryption is unlikely to result in letters tumbling and falling into place like slot machine wheels, and it is equally unlikely that decrypted text suddenly becomes a graphical map. (Then again, text versus graphical representation *is* an aspect of meaning ... ) A Cray XMP-3 doesn't run Windows (although it is probably the only platform that could give you that kind of response time).

The composition of the "tiger team" is very realistic in that the diverse skill sets would be very useful. Getting them to work together is another matter. The prevalence of criminal records would seriously hamper their ability to get contracts, but all indications in the movie are that they aren't exactly flush anyway. (The ubiquity of Chinese take-out food and the difficulty in finding a girlfriend willing to play Mata Hari are also realistic. As, interestingly, is the association of mathematical and musical skill.)

"Sneakers" is by no means perfect, but it shows a welcome trend towards a more realistic treatment of technology in popular entertainment.

copyright Robert M. Slade, 1993 MVSNEAKR.RVW 931028

======================
DECUS Canada Communications, Desktop, Education and Security group newsletters
Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733
DECUS Symposium '94, Vancouver, BC, Mar 1-3, 1994, contact: rulag@decus.ca

------------------------------

End of Computer Privacy Digest V4 #005
******************************