Date: Tue, 12 Apr 94 10:29:21 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V4#051

Computer Privacy Digest Tue, 12 Apr 94              Volume 4 : Issue: 051

Today's Topics:                         Moderator: Leonard P. Levine

    Getting social-security numbers
    Neat Tricks!
    Clipper Teaches Public to Encode?
    Phone Privacy-Dispatch from Canada
    Dave Barry Responds to E-Mail Hacking Charges
    Flow Tracing Clipper
    Let your Fingers do the Walking on the Internet
    Hide & Seek
    Computer Privacy Digest Archives
    Credit check only with Permission Granted
    Re: Call Return
    Re: SSN#: How Could Someone Find Out Mine
    Re: CNID vs. ANI

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. Back issues are available via anonymous ftp on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password "yourid@yoursite". The archives are in the directory "pub/comp-privacy". Archives are also held at ftp.pica.army.mil [129.139.160.133].

----------------------------------------------------------------------

From: "John A. Thomas"
Date: 8 Apr 94 17:18:16 CDT
Subject: Getting social-security numbers

Tony Austin wonders how easy it would be to get one's social-security number. Pretty easy, actually.

First, it is indeed on your credit report. Second, many governmental agencies ask for it for documents that will become public records. In Texas, for example, it is requested for voter-registration certificates (first place I go if backgrounding someone), divorce petitions, and probate applications (both the applicant and the deceased!). I understand some states use the SSN as a driver's license number. Third, many private businesses ask for it on applications that have nothing to do with credit reporting.
A clerk for the local Blockbuster video said I was the first person to object and refuse to give them the number, even though the form said "optional" in fine print. At least Radio Shack is not requesting it when you buy batteries -- yet. Those who have been through the Radio Shack "name, address, and phone number" routine will know what I mean.

John A. Thomas    b858jt@utarlvm1.uta.edu

------------------------------

From: glr@rci.ripco.com (Glen Roberts)
Date: 8 Apr 1994 23:13:40 GMT
Subject: Neat Tricks!
Organization: RCI, Chicago, IL

PROTECT YOURSELF WITH THE CHICAGO TRIBUNE'S TELEMARKETING TRICK

The irritating telemarketing call comes in... it's the middle of dinner and some lady wants to know if we get the Chicago Tribune... I tell them, just when it comes free a couple times a week... and the delight in the back of my mind that finally I have the phone number of the agitating telemarketer! For once, it's not "out of area" on the Caller-ID display.

Well, my delight in phoning them back to express my displeasure with them, quickly turned to frustration! Try it... 1-312-670-4113. It won't cost you anything. The familiar reorder tones followed by the number 670-4113 "is not in service for incoming calls!"

The ultimate Caller-ID block. Why not use it to protect your privacy? Get your second line set up by the phone company that way, place all your out-going calls on it and bam nobody can return call or redial your number. Yeah, the phone company will probably tell you they can't do that for you. Tell them to call 1-312-670-4113 as proof that it can be done.

Also, here's another way to block caller-id. Dial 10288EEE-NNNN where EEE is your exchange and NNNN is the number. For example, from my home, if I call the surveillance hotline: (708) 356-9646... by dialing "356-9646" Caller ID gets my home phone. Yet, if I dial "10288356-9646" it comes in as out of area (yeah and I probably get billed the same as calling long distance).
------------------------------

From: terrell@sam.neosoft.com (Buford Terrell)
Date: 9 Apr 1994 11:47:39
Subject: Clipper Teaches Public to Encode?
Organization: South Texas College of Law

One perverse (and therefore nice) result of the government's push of the Clipper legislation is that now many members of the public are aware of encrypted communications who had never heard of it before. Demand should create a market that will elicit new and better encryption to meet that demand.

Have the Fibbies shot themselves in the foot again?

Buford C. Terrell
South Texas College of Law

------------------------------

From: R._Braithwaite-Lee@magic-bbs.corp.apple.com
Date: 09 Apr 1994 20:09:37 EST
Subject: Phone Privacy-Dispatch from Canada
Organization: M A G I C

Hello:

With all the interest in Caller ID, blocking, &tc., I thought I'd share with you what Bell Canada is up to. Their offerings are all mandated/regulated by the Canadian Radio and Telecommunications Committee, which holds public hearings then goes ahead and does whatever it wanted to do anyways.

Currently, in the Toronto area, Caller ID is very popular. Call Blocking is available, and comes in two flavours (Blocking defeats Caller ID). For a fee, you can have your phone permanently and automatically blocked. This fee is waived for women's shelters and certain other sensitive institutions. I don't know what the complete list of waived institutions is.

Per-call blocking is also available. This is where you dial *67 before placing the call. Per-call Blocking is free, you just have to contact Bell and request it for your line. This feature is kept very, very quiet.

An old feature, Call Return, is being remarketed heavily. At one time Call Return was $5 per month and the way it worked was that if someone called you and you didn't answer, then you pressed a few keys and the phone automatically dialed their number for you. It seems that the market ignored this service; Bell is now marketing the service with a new twist.
Instead of paying a monthly fee, it is now $.50 per use, up to a maximum of $5.00.

And the new feature-of-the-month is called PrimeLine. This is a virtual phone number, which costs $15 per month. Paging and Messaging options are $5 and $6 extra. PrimeLine is a special phone number not attached to any physical location--you call in and forward it to whatever phone you wish to use to accept calls. A timer is included, so you can do things like forward it to your messaging for an hour then have it switch to your office (handy during the morning commute).

PrimeLine has a Call Screening feature which can be turned on and off at will. Callers are told to state their name and business. The system records this, then puts them on hold. Now your phone rings and you hear the caller's recorded greeting. You have the option of accepting the call, sending them to messaging, or disconnecting them. The caller only hears 'so-and-so is not available at this time.' You might not be taking the call, or perhaps you couldn't come to the phone.

At my home (which is also my office) I have plain-jane service w/o Caller ID. I activated per-call Call Blocking, which I used to torture my friends that have Caller ID. I choose not to use it regularly. I just purchased PrimeLine, and plan to use it aggressively to manage my calls while I'm out and about.

R._Braithwaite-Lee@magic-bbs.corp.apple.com
Public Key Fingerprint: D8 B8 C1 D0 DD 56 20 B4 06 A2 81 83 87 E8 8B 64
(Send message with subject "HELP" to pgp-public-keys@pgp.ox.ac.uk)

------------------------------

From: "Prof. L. P. Levine"
Date: 10 Apr 1994 08:39:37 -0500 (CDT)
Subject: Dave Barry Responds to E-Mail Hacking Charges
Organization: University of Wisconsin-Milwaukee

This is taken from CPSR/PDX(7:4):

Dave Barry Responds to E-Mail Hacking Charges:

CPSR/PDX received the following letter from syndicated columnist Dave Barry's office:

Let me tell you what happened, and you can decide how immoral it was.
During the Olympics, a lot of rumors about Tonya Harding were floating around the press center. One of these was that some numbers were Tonya Harding's e-mail code. A lot of people punched these into the computer to see if they were. I was one of those. As soon as I saw the numbers worked, I signed off, _without_ reading any e-mail.

Perhaps you wouldn't have done what I did. I respect that. But I view what I did as checking out a rumor, and no more. I never saw any private correspondence, nor, as far as I know, did other reporters.

When some reporters' names surfaced in connection with this, I volunteered the information that a lot of people, including me, had tried those numbers. I was trying to put what happened into perspective; unfortunately, the quotes that were printed made it sound as though I was defending the practice of reading other people's mail. I wasn't.

Sincerely,
Dave Barry
DB/js

------------------------------

From: ajh@panix.com (A. H.)
Date: 10 Apr 1994 21:29:46 GMT
Subject: Flow Tracing Clipper
Organization: Panix Public Access UNIX and Internet

A thought has occurred to me, perhaps it was mentioned before. But does the use of clipper automatically identify who, down to the purchased hardware, is making a communication? My reasoning is as follows, I hope I am wrong:

Am I correct in assuming it would be trivial for anyone who has access to monitor a medium of communication to scan the messages and obtain the LEAF? If that is the case, then would it not even be more trivial to look that up on a reference table and see who originated it? And would not that same person already have access to the destination of the message?

If that is the case, then does not clipper, in effect, create a log of communication flows?

------------------------------

From: Paul Robinson
Date: 11 Apr 1994 03:47:29 -0400 (EDT)
Subject: Let your Fingers do the Walking on the Internet
Organization: Tansin A. Darcos & Company, Silver Spring, MD USA

Saturday I was over at Micro Center, a computer store in Vienna, Virginia. Visiting the book department, I spotted a new set of three books, highlighted in plain view, all having the word "Internet" on the cover.

One was a book on things you can find, e.g. a list of sources for things such as Weather information, FTP sites for various types of files, and so on, e.g. a list of services similar to the ones on the internet, only broader and much better organized. It was also about an inch thick, which meant it was about 500 pages long. I didn't have much chance to look at it since I don't have that much interest in the services on the Internet. I know they are comprehensive, I just never thought about it.

The second book was printed on yellow paper and I think it referred to itself as "The Internet Yellow Pages". In essence it was a topic and subject cross reference for news groups and mailing lists. This, I think is a good idea. It's better if someone knows that, for example, Com Priv deals with the Commercialization and Privatization of the Internet and not with say, Private Compost heap management. (Although some people who read that group might think the latter is more accurate.) Or that the Bitnet list ETHICS-L@VM.GMD.DE deals with the ethics of computer programming and computer-related ethical issues, rather than it being a general ethics list. This too, was a Phone Book sized tome, about 3/4 inch thick, and it also mentioned that it covers about 2700+ newsgroups, which doesn't make it comprehensive (as someone corrected me earlier this month, the worldwide set of public newsgroups is currently over 8,000 and runs close to 100 megabytes a day.)

What I found most interesting was the third book, also about an inch thick, e.g. phone book sized, and what could probably be called "The Internet White Pages".
Someone started collecting E-Mail addresses and names for people from public messages, probably those posted on newsgroups and heavily circulated mailing lists and put them in alphabetical order. A practice very similar to that done by the address lookup program on rtfm.mit.edu (formerly "pit-manager"). Apparently the compiler of the book collected some 100,000 people's names and printed them up.

This book is fairly recent but not that much. As with most people, I looked myself up. While it does have my address on access.net and MCI Mail, it does not have my address here on TDR.COM, which implies that it stopped collecting before I started using it almost exclusively, which would be before December 5, 1993, which is when the TDR.COM domain is listed as last updated via WHOIS.

Some people seem to have gotten upset over the collection of E-Mail addresses for advertising. Now, here, someone has generally collected everyone's address off public messages, and published them in a book that is sold over the counter in a computer store.

I wonder how people feel about this issue. The author said in the preface quite frankly that he had started "surreptitiously" collecting E-Mail addresses for a while. I put that word in quotes because I think that was his term, not mine.

I am trying to avoid being judgemental here, because I don't see it as that big a problem. My E-Mail address is not my street address and doesn't tell you where I live or what I do or how much money I make or how educated I am. But this practice does annoy some people and I wanted to let some people know that if you are worried about the collection of names and E-Mail addresses, you are a little late, someone's already done a White Pages that anyone can purchase. And if it's successful, I'll bet there will be new issues, as well as possibly competitors.
Seriously, I have a full newsgroup feed coming into the site I use, there's nothing that says I couldn't set up a cron job that runs several times a day to scan the spool files and collect addresses for subsequent publication. Anyone who has access to a full news feed could have done the same thing.

Here's some questions to think about:

What do you think about the practice? Is it right or wrong and why?

Does this impact people's security? Are there risks involved if your E-Mail address becomes well known or if it is misprinted in a published "white pages"?

Are there other considerations to think about?

--
Paul Robinson - Paul@TDR.COM

------------------------------

From: shaggy@phantom.com (the KrAziEst KaT)
Date: 11 Apr 1994 07:38:23 -0500 (CDT)
Subject: Hide & Seek
Organization: [MindVox] / Phantom Access Technologies / (+1 800-MindVox)

hide-and-seek are a pair of "steganography" programs to hide and then extract data out of GIF files. by doing so one is able to place an extra layer of security for one's data between oneself and anyone who one wants to deny access to... it is possible to keep the very existence of data unknown!

by subtly altering GIF files, the program stores up to 19K of data in a 256-color or greyscale GIF, in a way that is hard to detect but easy to reverse. it can be thought of as a kind of camouflage. a greyscale GIF will be changed by HIDE in a way that is invisible to the naked eye.

[MODERATOR: The .uue file (for the PC) has been placed in the directory '/pub/comp-privacy/library' at 'ftp.cs.uwm.edu'. Feel free to take a copy. If you have a problem with ftp from your site, I will be glad to email you a copy. See next note for some details.]

------------------------------

From: "Prof. L. P. Levine"
Date: 11 Apr 1994 12:25:21 -0500 (CDT)
Subject: Computer Privacy Digest Archives
Organization: University of Wisconsin-Milwaukee

CPD (Computer Privacy Digest) maintains an archive site for material of general interest that is too long to post.
I also maintain all back issues of CPD for those who wish to peruse issues that have passed. These issues are ordered by Volume and Issue number.

Ftp Access into ftp.cs.uwm.edu with userid 'ftp' and password 'yourid@yoursite' will open up the directory. The archives are in the directory "pub/comp-privacy". Archives are also held at the address of the former moderator, Dennis Rears, ftp.pica.army.mil [129.139.160.133].

Within the directory pub/comp-privacy a 'dir' command will show the following:

    drwxr-xr-x  2 levine  ftp      512 Apr 11 11:15 library
    drwxr-xr-x  2 levine  ftp     2048 Mar  8 09:53 volume1
    drwxr-xr-x  2 levine  ftp     1024 Mar  8 09:54 volume2
    drwxr-xr-x  2 levine  ftp     1536 Mar  8 09:55 volume3
    drwxr-xr-x  2 levine  ftp     1024 Apr  8 08:17 volume4

and within the directory pub/comp-privacy/library you will find the following:

    -rw-r--r--  1 levine  ftp   290932 Apr 11 11:14 hideseek.uue
    -rw-r--r--  1 levine  ftp    61126 Jan 19 14:17 net-privacy-part1
    -rw-r--r--  1 levine  ftp    50905 Jan 19 14:17 net-privacy-part2
    -rw-r--r--  1 levine  ftp    43002 Jan 19 14:17 net-privacy-part3
    -rw-r--r--  1 levine  ftp    26986 Jan  7 13:32 ssn-privacy
    -rw-r--r--  1 levine  ftp     6090 Feb  7 08:54 ssn-structure

Please come and access what you wish.

If you are unfamiliar with the use of the File Transfer Protocol (ftp) the following short summary might help. On most systems the following procedure will work, if you have a local command named ftp:

    You type:                  Comment on the command:

    ftp ftp.cs.uwm.edu         (on your system)
    ftp                        (answer to login request)
    your_userid@your_site      (answer to password request)
    cd pub/comp-privacy        (at ftp prompt)
    dir                        (look at what is there)
    cd library                 (at ftp prompt)
    dir                        (look at what is there)
    get hideseek.uue           (move document to your filespace)
    cd ..                      (back to previous menu)
    cd volume4                 (at ftp prompt)
    dir                        (look at what is there)
    get V4#031                 (move document to your filespace)
    quit                       (back to your system)

------------------------------

From: austin@netcom.com (Tony Austin)
Date: 11 Apr 1994 18:24:58 GMT
Subject: Credit check only with Permission Granted
Organization: NETCOM On-line Communication Services (408 241-9760 guest)

I called TRW in Orange County, California today. I asked how safe my credit information and social security number is. They told me that no one can look at your credit report unless you grant them permission. A fine and a civil lawsuit was mentioned as well. Subsequently I feel a lot safer.

Is this a false feeling of security?

--
Tony Austin

------------------------------

From: tenney@netcom.com (Glenn S. Tenney)
Date: 8 Apr 1994 11:54:04 -0800
Subject: Re: Call Return

clifto@tuttoo.chi.il.us (Clifton T. Sharp) wrote:

> Also, the corollary dialback service will come in handy when I get my "annual abuse call". When I'm able to *69 and say, "I know who you are and I know where you live," the $114 I spent for the year's service will have paid for itself, in my estimation.

Ah, but there's a catch with this service... at least here in the SF area. I have the service, and I would estimate that of the times I've tried to use it it has worked twice -- i.e. from direct personal experience I'd say it works less than 5% of the time.

Why? It doesn't work from all switches is one reason. But the main reason is that it doesn't work from any PBX -- and guess where most telemarketing calls come from... offices with PBXs. What's worse is that the advertising gives no clue that this is the case.

When I asked PacBell for detailed information on when it won't work, the phone company could not even tell me what exchanges technically were incapable of working. Plus, they could not estimate the percentage of phones in the area that won't work with call return.

In a nutshell: Call Return is a marketing scam.
---
Glenn Tenney    tenney@netcom.com    Amateur radio: AA6ER
(415) 574-3420    Fax: (415) 574-0546

------------------------------

From: cntrspy@netcom.com (Executive Protection Assoc)
Date: 9 Apr 1994 18:23:11 GMT
Subject: Re: SSN#: How Could Someone Find Out Mine
Organization: NETCOM On-line Communication Services (408 241-9760 guest)

Tony Austin (austin@netcom.com) wrote:

> I read the SSN# FAQ and it was a wonderfully written article. What I can't understand is how an individual, like a detective or such, could find out what my SSN# is. Is my SSN# so vulnerable that someone could do a credit check on me and find out what my SSN# is?

If I know your general location, I can spend $12 and do a computer on-line check and come up with it. If I know you as a target I would just dumpster dive your garbage and I'm sure there is enough information in there to lead me to it. It's QUITE simple. Credit header info (which is NOT FCRA regulated) would reveal it also for about $10 and a 2 minute phone call. SSN privacy and security is a myth.

Chris Hall
Operations Director
Executive Protection Associates, Inc.

------------------------------

From: watrous@athos.rutgers.edu (Don Watrous)
Date: 11 Apr 94 17:46:16 GMT
Subject: Re: CNID vs. ANI
Organization: Rutgers Univ., New Brunswick, N.J.

gibbs@husc4.harvard.edu (James Gibbs) writes:

> And if you don't want your phone number to be given by ANI to the owner of an 800 number, call the operator and ask him/her to dial the 800-number for you. They can still get your number, but they probably won't go through the extra hassle to get it.

It is my understanding that 800 lines are actually an aliasing scheme for regular (non-800 area code) numbers. If you can discover the regular number associated with an 800 number and dial that instead, does that deny the ANI information to the 800 supplier? Is it possible to find out what non-800 number is associated with an 800 line?
(I originally wondered about this when hearing about a Canadian trying to call a US 800 number which was not set up for use from Canada.)

--
Don    {backbone}!cs.rutgers.edu!watrous    watrous@cs.rutgers.edu

------------------------------

End of Computer Privacy Digest V4 #051
******************************