Date: Mon, 13 Dec 93 19:44:11 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V4#006

Computer Privacy Digest Mon, 13 Dec 93              Volume 4 : Issue: 006

Today's Topics:                        Moderator: Leonard P. Levine

    SSN's in Mail Addresses
    Re: Gun Control/Registration/Confiscation
    Re: Guns Control/Registration/Confiscation
    Re: Right To Search Floppy Disks?
    Re: Right To Search Floppy Disks?
    Encryption At School
    Cellular Phone Security
    Re: Is PGP really Uncrackable?
    ALERT: FBI's Wiretap Bill is Back!
    CPSR Letter on Clipper (long)

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. Back issues are available via anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password "yourid@yoursite". The archives are in the directory "pub/comp-privacy". Archives are also held at ftp.pica.army.mil [129.139.160.133].

----------------------------------------------------------------------

From: Brinton Cooper
Organization: The US Army Research Laboratory
Date: Fri, 10 Dec 93 18:33:15 GMT
Subject: SSN's in Mail Addresses

The following appeared in the Weekly Bulletin (sent to all employees) of this installation. I offer it without comment:

"9. USE OF WINDOW ENVELOPES FOR PAY RELATED ACTIONS: Quote from a 14 Mar 77 letter from Treasury's Bureau of Public Debt:

"Until a bond sent through the mails is delivered to the addressee as legally defined by the Postal statutes, only employees of the U.S. Government, its agents, or the Postal Service in performance of their official duties, have access to the social security number. Thus, the number is not being disclosed indiscriminately to the public.
Further, as the Postal Service is bound, under the Privacy Act, to not disclose any information relating to the individual, we feel that the visibility of an individual's number through the envelope does not result in his privacy being impinged upon."

Treasury's Assistant Secretary for Legislative Affairs reiterated this position in a 17 May 90 response to a Congressional Inquiry. Considering all this, the visibility of a social security number thru a window envelope does not create a violation of the Privacy Act. In fact, Treasury's Regional Disbursing Officers (RDOs) use window envelopes which are designed so that the addressee's social security number does show, thus allowing for faster rerouting of misaddressed mail."

------------------------------

From: dwn@dwn.ccd.bnl.gov (Dave Niebuhr)
Date: Sat, 11 Dec 93 07:01:07 EST
Subject: Re: Gun Control/Registration/Confiscation

In Volume 4, Issue 5 steele!basile@uunet.uu.net (Steve Basile) writes:

>A Brady Bill-induced five day waiting period is of little consequence. My
>permit is NOT valid in the 5 Boroughs (counties) that make up NYC.
>Permits there require a psychiatric evaluation, and NYPD commissioner
>approval, and must be renewed every year.

And after what happened on the Long Island Railroad on December 7, 1993, the Brady Bill has proved worthless.

A man got on a train and proceeded to kill five people and injure about 20 more. He used a 9mm pistol that was purchased legally in California.

So much for a 5-day waiting period. California has a 15-day one and this guy checked out clean.

So far, the public here knows that he came from Jamaica, formed an intense dislike for blacks, whites and asians for unknown reasons; moved to Louisiana and then to California where he rented a motel room until he could satisfy the permit waiting period and then proceeded to purchase the gun.

Following that, he came to Brooklyn, boarded a commuter train and started shooting about 1 hour later.

Dave Niebuhr
Internet: dwn@dwn.ccd.bnl.gov (preferred) niebuhr@bnl.gov / Bitnet: niebuhr@bnl
Senior Technical Specialist, Scientific Computing Facility
Brookhaven National Laboratory Upton, NY 11973 (516)-282-3093

------------------------------

From: mcinnis@vnet.ibm.com
Organization: IBM Austin
Date: Mon, 13 Dec 1993 17:05:30 GMT
Subject: Re: Guns Control/Registration/Confiscation

Of course, the lesson to be learned here is to move to NY City where the gun laws keep the streets free of crime and to avoid lawless areas of the country like Texas.

------------------------------

From: kkruse@matt.ksu.ksu.edu (Korey J. Kruse)
Organization: Kansas State University
Date: Sat, 11 Dec 1993 18:33:03 -0600
Subject: Re: Right To Search Floppy Disks?

nevin@cs.arizona.edu (Nevin Liber) writes:

>In article ,
>Here is a thought: suppose the disk in question had a virus on it, and
>the administration confiscates the disk and tries to read the disk,
>thus invoking the virus.

Reading a disk does not invoke a virus. In order for a virus to infect a system an executable has to be run. It is possible that the computers in question might already be "infected" and a virus could recognize a disk read of a floppy to start some damaging process, but anyway the kind of protection the school is relying on is not very good.

------------------------------

From: kkruse@matt.ksu.ksu.edu (Korey J. Kruse)
Organization: Kansas State University
Date: Sat, 11 Dec 1993 18:44:44 -0600
Subject: Re: Right To Search Floppy Disks?

bitbug@netcom.com (James Buster) writes:

>ranck@joesbar.cc.vt.edu (Wm. L. Ranck) writes:
>>Actually I think folks seem to have a basic misconception here. It is
>>precisely *because* they are not the police that they can do locker searches,
>>etc. The police are held to a higher standard for probable cause to search.

>That is, precisely, the problem. In most(all?) public schools, school
>administrators are government employees.
>I think that *all* government
>employees should be held to the same standard of conduct as police officers.
>Otherwise you have the current intolerable situation where "Oh, she's not a
>*police officer*, she's an *administrator*.". Just wait until some idiot
>bureaucrat figures this out, and sends administrators to illegally search
>your home: "It's ok, they're not police officers.".

The reason locker searches are o.k. is because the lockers are the property of the school. The reason backpack, purse searches, and body searches are o.k. is because children under the age of 18 are not granted the same Constitutional rights as adults. The Supreme Court has already determined that the safety of the children in schools is far more important than their personal rights. This is why schools are allowed to ban certain types of clothing, all kinds of speech, and other things.

The police could just as easily be involved in the locker search or any other search. Whether the person is an admin. really has nothing to do with it. Often times police are called by the admin to help with searches by bringing in dogs or equipment.

The issue of administrators of schools coming to your house for a routine search is a joke. You don't have to let anyone in your house unless they have a search warrant.

Basically your argument that there is some kind of legal distinction between police and school administration searches is wrong. If the safety of the students in the school is in question the police could search every backpack, locker, and purse in the whole school without fear of any "legal" reprisals.

------------------------------

From: Chris Burris
Date: Sun, 12 Dec 1993 22:48:17 -0500 (EST)
Subject: Encryption At School

I have a question: Suppose that I wrote a simple encryption program and ran it at school, and the administration searched my disk. Could the administration force me to give them the encryption key even if I refused?

------------------------------

From: agrosso@world.std.com (Andrew Grosso)
Organization: The World Public Access UNIX, Brookline, MA
Date: Sun, 12 Dec 1993 08:13:07 GMT
Subject: Cellular Phone Security

As a federal prosecutor, I have my own opinions about cellular phones and the legality (or illegality) of listening in on cellular phone conversations. Please note that this is a personal opinion, not one of the Dept. of Justice.

Unlike a phone conversation transmitted via a cable-type network, a cellular phone from the start transmits its information over the airwaves. There is no pretension that the information transmitted is physically protected or secure. The means to "tap" or otherwise listen to the information is very simple, and widespread: radio receiver type devices.

By using a cellular phone, one is consenting to having one's conversations broadcast to an outside world, a world which has the means to listen to those conversations. It is similar to using a megaphone to transmit your conversations.

If you want privacy, then use a phone which uses cables. There, your information is physically secure, and you have a legitimate *expectation of privacy* in your conversations. An unauthorized taping is therefore properly unlawful.

People who want the law to protect their cellular conversations by making the listening-in on such conversations illegal or unlawful are, in my opinion, like people who want it made illegal or unlawful for others to listen to conversations broadcast by megaphone. Since there is, and should be, no expectation of privacy in the means used to transmit the information, there should be nothing unlawful about listening in. What these people are trying to do is to utilize the law in order to achieve an unnatural result: one wants privacy, but also wants the convenience of using an easy means to communicate which has no privacy.

As a prosecutor, I can tell you that I have much too much work to do (and so do all other prosecutors) to prosecute a case against person A for listening to person B's conversation when person B decided to use an obviously insecure means of communication simply because he or she thought it convenient at the time.

As I said, it's my personal opinion. For your further information, I am very adamant about protecting people's privacy, particularly my own. I don't use cellular phones.

------------------------------

From: news@cbnewsh.cb.att.com (NetNews Administrator)
Organization: NCR, an AT&T Company, Pleasanton CA
Date: Mon, 13 Dec 93 07:12:13 GMT
Subject: Re: Is PGP really Uncrackable?

First of all, the hoax article claiming that PGP was hosed was really a hoax, and reasonably funny if you got all the in-jokes.

kkruse@enterprise.ksu.ksu.edu (Korey J. Kruse) writes:

> Nope. PGP is distributed with source code. You can examine it all
> you want. Numerous experts in cryptography have (check out sci.crypt)
> and determined that the program does not have any "trap doors".

That's not precisely correct. PGP does come with source, and with reasonably good documentation, and the documentation for the major algorithms used in the system is widely available; you can check for yourself that the code implements the algorithms accurately if you want.

While nobody has *discovered* any trapdoors (or at least published them), there are some potential locations they could be hidden; after all, the point of a trap door is that only the Bad Guy knows about it, and you don't, so you can be tricked into falling in it :-)

- the RSA public key algorithm depends primarily on the difficulty of factoring; maybe there will be some radical new breakthrough in the next N years, or maybe the NSA or KGB has already made it and we don't know yet. (Not likely....)

- the IDEA encryption algorithm appears to be fairly strong, and _is_ resistant to the Differential Cryptanalysis techniques that weaken DES and have broken FEAL and a number of other systems, and the keys are long enough to prevent brute-force attacks, but that doesn't mean there isn't some hole we don't know about. The hoax said that "Paul[sic] Zimmerman" planted the trapdoor, but perhaps the crafty Swiss researchers who wrote IDEA really did it for their military intelligence service. (Not likely..... :-)

- the MD-5 Message Digest algorithm (used for hashing files for signatures) doesn't have any known ways to break it, but if there are, signatures may not be trustable, which risks the security of the key certification process a bit. Again, unknown, but unlikely.

- the NSA could have broken into your computer and tampered with your C compiler, or installed a radio transmitter that leaks out your private key at night when you're not looking - check for dirty fingerprints around the motherboard, and extra antennas...

- All the "experts" who've said it's good stuff may be Tentacles of M.E.D.U.S.A., Inc. Trust no one, and keep your phaser handy....

But if you've got the time, after you've installed Spook Repellant on your keyboard, do check out the documentation and maybe the code and some of the algorithm references.

------------------------------

From: mech@eff.org (Stanton McCandlish)
Organization: EFF mail-news gateway
Date: 10 Dec 1993 19:35:32 -0500
Subject: ALERT: FBI's Wiretap Bill is Back!

(Originally from EFFector Online 6.07 (Stanton McCandlish), summarized from Communications Daily 12/09/93 (Brock Meeks).)

Digital Telephony Threat Returns

According to FBI Dir. Louis Freeh, the development of sophisticated digital telecom and networking technology threatens the ability of the Feds to wiretap. In a Dec. 8 speech at Washington's National Press Club, Freeh announced a renewal of the FBI's 'Digital Telephony' legislation scheme: the return of the controversial 'Wiretap Bill'. The bill is strongly opposed by organizations and individuals concerned about privacy, as well as the telecommunications and computing industries at large. The FBI's 'need' for this legislative action is under review by the Administration as part of its examination of security and encryption issues.

The reappearance of this Bureau effort contradicts statements by Special Agent Barry Smith of the FBI's Congressional Affairs Office, who stated less than a month ago that the 'Wiretap Bill' had been tabled.

According to classified documents released under the Freedom of Information Act (FOIA), the FBI and the Electronic Communications Service Provider Committee or ECSPC (an ad hoc industry working group, which formed in March), are attempting to decide if technical solutions can be found to satisfy law enforcement. According to a Nynex representative co-chairing the group, Kenneth Raymond, no solution has yet been found, but the FBI has yet to prove any solution is needed at all. Raymond likened Freeh's tactics to "yelling out the window" - an attention-getting move that needs some sort of clarifying followup.

Though the ECSPC claims to be attempting to evaluate the problem and to solve it "in some reasonable way that is consistent with cost and demand", Raymond indicated that the group considers one 'solution' to be building wiretap access into future telecom hardware - like the Clipper chip backdoor, but a 'feature' of all switch specifications for phone and data lines.

This news was just received, and a more detailed analysis and statement from EFF will follow soon.

--
Stanton McCandlish mech@eff.org 1:109/1103 EFF Online Activist & SysOp
O P E N   P L A T F O R M
C R Y P T O   P O L I C Y
O N L I N E   R I G H T S
N E T W O R K I N G
V I R T U A L   C U L T U R E
I N F O :   M E M B E R S H I P @ E F F . O R G

------------------------------

From: Dave Banisar
Organization: CPSR Washington Office
Date: Thu, 9 Dec 1993 17:10:20 EST
Subject: CPSR Letter on Clipper (long)

CPSR Letter on Clipper

On December 6, the Digital Privacy and Security Working Group, a "coalition of over 50 communications and computer companies and associations, and consumer and privacy advocates" coordinated by the Electronic Frontier Foundation, sent a letter to President Clinton concerning cryptography policy. The letter states, "In our discussions with Administration officials, we have expressed the Coalition's tentative acceptance of the Clipper Chip's encryption scheme (as announced on April 16, 1993), but only if it is available as a voluntary alternative to widely-available, commercially-accepted, encryption programs and products."

The Washington Office of Computer Professionals for Social Responsibility (CPSR) has sent the following letter to the President. We believe that the position stated in this letter continues to represent the views of the vast majority of network users, as reflected in the overwhelmingly critical comments submitted to the National Institute of Standards and Technology in response to its recent solicitation of public comments on the Clipper proposal.

==================================================================

December 8, 1993

The President
The White House
Washington, DC 20500

Dear Mr. President,

We are writing to you regarding the Clipper cryptography proposal now under consideration by the White House and a letter you may have received about the proposal from a group called the "Digital Privacy and Security Working Group." This group wrote to you recently and expressed their "tentative acceptance" of the Clipper Chip encryption scheme. We disagree with their views. This group has made a grave mistake and does not speak for the many users of computer networks and developers of network services who have vigorously opposed this proposal.

We are very much concerned about the Clipper proposal. At its core is the dubious premise that the government should have the authority to design communications networks that facilitate wire surveillance. The plan was developed in secret by the National Security Agency over the objection of U.S. firms, professional associations and public interest organizations. Key details about the proposal remain classified.

This proposal must not be endorsed. The development of open, unclassified standards is critical for the future of the nation's communications infrastructure. Progress and innovation depend on the free exchange of scientific and technical information. It is essential to the integrity of the scientific process that standards are openly created and available for public review.

There is also a great need to ensure that future networks are designed with the highest levels of privacy and security possible. As our country becomes ever more dependent on the high-speed network, the need for secure systems will only increase. The Clipper proposal purposefully cripples the security of the network and reduces the privacy protection that users could otherwise obtain.

There is another still more serious problem with the Clipper proposal. An agency with the authority to conduct wiretaps must not be allowed to impose technical standards to facilitate wire surveillance. The threat to Constitutional democracy is clear. A system of checks and balances is essential to ensure that the powerful investigative tools of government are properly controlled.

We have followed the development of this proposal with great concern. We have testified before Congressional committees. We have appeared before agency panels, provided reports on wire surveillance, and debated the former FBI Director on national television. We have also sponsored conferences with full participation from across the federal government.
We believe that the best policies will result from an open and unrestricted exchange of views.

It is our assessment that you must not permit adoption of the Clipper technical standard, even on a voluntary basis. At a time when the country should be moving toward open standards designed for commercial networks, the Clipper proposal asks future users of the nation's information infrastructure to accept a standard intended for the Cold War era. It is a backward-looking plan that serves neither the interests of the American people nor American business.

The adoption of the Clipper proposal would also ratify an unlawful process that has undermined the authority of Congress and weakened the mechanisms of government accountability. The proper authority for the development of this standard never rested with the NSA. Under the Computer Security Act of 1987, it was a civilian agency that was to develop appropriate standards for the nation's commercial networks. Through a series of secret executive orders, the NSA usurped the authority of the National Institute of Standards and Technology, substituted its own proposal for those of NIST, and effectively derailed this important policy process.

When the computer user community had the opportunity to voice its position on this proposal, it rejected the plan overwhelmingly. The notice and comment process conducted by the Department of Commerce earlier this year resulted in nearly uniform opposition to the Clipper proposal. It would be hard to find a technical standard more disliked by the potential user community.

While we support the relaxation of export controls on cryptography, we are not willing to concede to the NSA the right to develop secret standards. It is only because the National Security Agency also exerts influence on export control policy that the Digital Privacy coalition is prepared to endorse the Clipper standard in exchange for new opportunities to market products.
It may be a good deal for the coalition members, but it is a terrible outcome for the rest of the country.

We very much appreciate your efforts on behalf of open government, and your work with the Vice President and the Secretary of Commerce to develop the nation's information infrastructure. We believe that these efforts are sending our country in the right direction, helping to develop advanced technologies appropriate for a democratic nation and to preserve open and accountable government.

But the Clipper proposal was not a creation of your administration. It is a relic from a period that is now moving rapidly into the history books, a time when secret agencies made secret decisions and when backroom deals with powerful, private interests sustained these arrangements.

It is time to end this cynical form of policy making. We ask you to reject the deal put forward by the Digital Privacy and Security Working Group. The Clipper proposal should not go forward.

We would be pleased to meet with members of your administration to discuss this matter further.

Sincerely yours,

Marc Rotenberg, Director
David Sobel, Legal Counsel
Dave Banisar, Policy Analyst
CPSR Washington office

cc: The Vice President
    Secretary Ron Brown, Department of Commerce
    Anthony Lake, National Security Council
    Computer System Security and Privacy Advisory Board

------------------------------

CPSR Cryptography Resolution

Adopted by the CPSR Board of Directors, Seattle, WA
October 18, 1993

WHEREAS,

Digital communications technology is becoming an increasingly significant component of our lives, affecting our educational, financial, political and social interaction; and

The National Information Infrastructure requires high assurances of privacy to be useful; and

Encryption technology provides the most effective technical means of ensuring the privacy and security of digital communications; and

Restrictions on cryptography are likely to impose significant costs on scientific freedom, government accountability, and economic development; and

The right of individuals to freely use encryption technology is consistent with the principles embodied in the Constitution of the United States; and

The privacy and security of digital communications is essential to the preservation of a democratic society in our information age; and

CPSR has played a leading role in many efforts to promote privacy protection for new communications technologies:

BE IT RESOLVED THAT

Computer Professionals for Social Responsibility supports the right of all individuals to design, distribute, obtain and use encryption technology and opposes any government attempt to interfere with the exercise of that right; and

CPSR opposes the development of classified technical standards for the National Information Infrastructure.

------------------------------

End of Computer Privacy Digest V4 #006
******************************