Date: Fri, 21 Oct 94 10:09:50 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@uwm.edu Subject: Computer Privacy Digest V5#051 Computer Privacy Digest Fri, 21 Oct 94 Volume 5 : Issue: 051 Today's Topics: Moderator: Leonard P. Levine Re: How to Verify Your Phone Number Re: How to Verify Your Phone Number SSN on Drivers License in VA SSN on Drivers License in NY Question: Post Office Package Inspection TEMPEST Source Re: Eastwood Door Problem Calling Number ID Debate Cellular Phone Fraud Operator Arrested Info on CPD, Contributions, Subscriptions, FTP, etc. ---------------------------------------------------------------------- From: dwn@dwn.ccd.bnl.gov (Dave Niebuhr) Date: 18 Oct 94 13:09:47 EDT Subject: Re: How to Verify Your Phone Number dawson@world.std.com (Keith Dawson) wrote: from 508 land dialing 1-800-MY-ANI-IS got me "We're sorry, we cannot complete your call as dialed." It worked from 516 (Long Island) and when I called it from my job's PBX, it gave a number on the outgoing trunk which is what I suspected. -- Dave Niebuhr Internet: dwn@dwn.ccd.bnl.gov (preferred) niebuhr@bnl.gov / Bitnet: niebuhr@bnl Senior Technical Specialist, Scientific Computing Facility Brookhaven National Laboratory Upton, NY 11973 1+(516) 282-3093 ------------------------------ From: Bruce Steinberg Date: 21 Oct 94 2:45:38 PDT Subject: Re: How to Verify Your Phone Number dawson@world.std.com (Keith Dawson) wrote: from 508 land dialing 1-800-MY-ANI-IS got me "We're sorry, we cannot complete your call as dialed." Works okay in 408 (at least in Santa Cruz, CA area). FYI, B* ------------------------------ From: matt@aol.net (Matt Lyle) Date: 18 Oct 1994 18:11:38 GMT Subject: SSN on Drivers License in VA Organization: America Online Is the Social Security Number actually legally required in Virginia, or is it truely optional and they just don't tell you that? ------------------------------ From: clc0314@is.NYU.EDU Date: 20 Oct 94 15:36:16 -0400 Subject: SSN on Drivers License in NY that reminds me, in NY, you only have to give your SSN if you are applying for a commercial licence. ------------------------------ From: "Houston, James A." Date: 18 Oct 94 16:42:33 Subject: Question: Post Office Package Inspection I was wondering if any of the computer-privacy subscribers can enlighten me on the U.S. Post Office's policy on mail/package inspection. Do they inspect packages randomly? Do they inspect packages at a centralized location? Does sending mail/packages via express mail provide any more or less security? Does a package traveling overnight have less chance of being inspected (for what ever reason)? Is there any way, or are there any measures one can take to ensure his/her mail/package is not selected for scrutiny by postal clerks/mail handlers? -- James Houston (jh2@scires.com) -atlanta- ------------------------------ From: joelm@eskimo.com (Joel McNamara) Date: 19 Oct 1994 15:19:21 GMT Subject: TEMPEST Source Organization: Eskimo North (206) For-Ever I just finished Winn Schwartau's "Information Warfare." In the van Eck chapter, a source makes the following statement, "In the United States, it is illegal for an individual to take effective countermeasures against Tempest surveillance." This is attributed to a privately circulated document by Christopher Seline, titled "Eavesdropping on the Electro- magnetic Emanations of Digital Equipment: The Laws of Canada, England, and the United States" (June 7, 1990). Does anyone know where I can get a copy of this paper? Also, any other pointers to U.S. laws regarding the use of both Tempest surveillance and counter-surveillance techniques. I know Tempest collection tends to be passive and very unobtrusive, but am curious if legal charges have ever been filed against anyone in the U.S. for using or countering Tempest collection devices. -- Joel McNamara joelm@eskimo.com ------------------------------ From: genghis@ilces.ag.uiuc.edu (Scott Coleman) Date: 20 Oct 94 01:39:55 GMT Subject: Re: Eastwood Door Problem Organization: University of Illinois at Urbana Christopher Zguris <0004854540@mcimail.com> writes: Why does information need to be stored at all? Enter the valid key codes (and whatever restrictions they may have) into the computer and leave it at that. The security system is merely access control, when or if a key is used is not important. If I have a valid key I should get in, it's nobody's business -- and no records need be kept -- of when I come and go. My thoughts exactly. Knowing when LEGITIMATE users enter a given doorway provides absolutely NO information which would be valuable to a police officer investigating a break-in. If my apartment is broken into, does that make all my neighbors into suspects? And even in the unlikely event that is *was* my neighbor who broke into my apartment, there would be no record in the log of that neighbor's entry because he would presumably ALREADY have been inside the bulding for an unknown length of time. Thus, since the keeping of such records serves no useful purpose, but CAN be easily misused and abused, the ethical design approach is to simply *not* *record* the identity of a legitimate access. Now, as mentioned in the original post, if an INVALID key is presented, that event should most definitely be logged, since no harm can come of such records (although since the system would NOT have admitted the invalid keyholder, no security breach would have occurred, and therefore the system logs are again useless). Keep the system simple like the manual key it is supposed to replace and leave it at that. Why is it _everything_ digital _must_ keep logs? Indeed! -- Scott Coleman, President ASRE (American Society of Reverse Engineers) asre@uiuc.edu Life is temporally limited - drive velocitously!! ------------------------------ From: "Prof. L. P. Levine" Date: 19 Oct 1994 22:30:30 -0500 (CDT) Subject: Calling Number ID Debate Organization: University of Wisconsin-Milwaukee Taken from RISKS-LIST: RISKS-FORUM Digest Weds 19 October 1994 Volume 16 : Issue 46 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Date: 13 Oct 1994 14:13:13 -0700 From: Phil Agre Subject: Calling Number ID debate Calling-Number ID (abbreviated CNID [and sometimes misnamed Caller ID]) is a technology that enables your telephone to digitally send its phone number to the telephone of anybody you call. Controversy about privacy issues in CNID has swirled for years. The NYT has an article on the subject: Matthew L. Wald, A privacy debate over Caller ID plan, *The New York Times*, 13 October 1994. The United States Federal Communications Commission recently proposed rules, due to go into effect in April, to create uniform CNID protocols across state lines. While the FCC plan does protect privacy in some ways, e.g., preventing a business that captures your phone number from selling it to others without your permission, it does not mandate per-line blocking, which is necessary if you never want to send out your phone number, or if you only want to send it out when you enter a special code. The article states clearly that the real reason for CNID is commercial. Privacy advocates have been saying this for years, and for a long time they have gotten patronizing lectures about how CNID is for residential use in catching harassing phone callers. But CNID is a poor way to catch harassing phone callers. Moreover, that single application wouldn't nearly make CNID profitable. The point is that CNID is a good way to let companies collect marketing information and automate service interactions. Which is fine. Hardly anybody opposes CNID outright. But in order for CNID to avoid inadvertently giving away the phone number of someone who is being stalked, or who otherwise needs to keep their number a secret, it needs a few simple features: * per-line blocking -- a simple, no-cost way to declare that this telephone should not send out its number when dialling * per-line unblocking -- a simple, no-cost way to declare that this telephone now *should* send out its number when dialling * per-call blocking -- a simple, no-cost way to declare that, regardless of whether this line is blocked, this particular call should not include the calling number * per-call unblocking -- a simple, no-cost way to declare that, regardless of whether this line is blocked, this particular call *should* include the calling number In order for people to get the benefit of these commands, some further rules are needed: * All four of these commands should be entered with *different* codes. * Most especially, the blocking and unblocking commands should not be implemented with toggle commands (for example, *67 blocks the line and then another *67 unblocks it -- or, wait!, did the first *67 unblock the line so that the next *67 blocked it?). * All of these commands (or at least the per-call ones) should take effect instantly, without requiring a pause before dialling a number, so that phone numbers stored in modems can include the codes. * All of the commands should be standardized everywhere. * All of the commands should be clearly and concisely explained in some convenient place in the phone book. If at all possible, the commands should be listed on a simple cue card that can be attached to the telephone alongside the emergency numbers. (Of course, if a telephone had a real user interface then cue cards would not be necessary.) Don't all of these rules sound like common sense? Of course they do. They allow everyone complete freedom of choice. If you like CNID then you can turn it on and forget about it. If you want to refuse calls that do not include caller numbers then you're free to do that. If you don't care to call anyone who requires a caller number then you're free to adopt that policy as well. If you never want to send out your number because you're being stalked or are running a shelter then you can do that. Free choice. So why do proponents of CNID go to extraordinary lengths to defeat these simple, ordinary protections? Because they're afraid that large numbers of people would use per-line blocking, thus making the system less attractive to the businesses who want to capture lots of phone numbers. Like many schemes for using personal information, then, CNID is founded on trickery -- that is, on the gathering and use of information without free choice, full informed consent, and convenient, easily understood mechanisms for opting out. You might ask, "doesn't per-call blocking alone provide the necessary choice?" No, it doesn't. Per-call blocking is like saying, "every single time you drive your car into a gas station, your car instantly becomes the property of the gas station unless you remember to say abracadabra before you start pumping your gas." In each case, the cards are stacked against your ability to maintain control over something of yours, whether your car or your information. What can you do? Write a letter to the FCC, with a copy to your state attorney general and public utilities commission and to your local newspaper. Send them the list of CNID commands I provided above. Spell it out for them, and provide answers for the obvious pro-CNID arguments. Your state regulators might even agree with you already, in which case they need your support. For more information, send a message that looks like this: To: rre-request@weber.ucsd.edu Subject: archive send cnid Or contact the organizations that are working on this issue: * Computer Professionals for Social Responsibility, cpsr@cpsr.org * Electronic Privacy Information Center, epic@epic.org * Electronic Frontier Foundation, eff@eff.org Or start something of your own. The best way to predict the future, after all, is to create it yourself. Phil Agre, UCSD ------------------------------ From: Paul Robinson Date: 20 Oct 1994 21:37:55 -0500 (EST) Subject: Cellular Phone Fraud Operator Arrested Organization: Tansin A. Darcos & Company, Silver Spring, MD USA The following article summary is followed by some comments: In a Front Page article appearing in the Wed 19 Oct 1994 {Washington (DC) Times} entitled "High-Tech sleuthing busts cellular phone fraud ring" reporter Doug Abrahms tells us that Clinton Watson and two other persons were arrested Monday for selling cellular phones with altered serial numbers, causing the charges to be sent to legitimate cellular users. According to an Indictment in U.S. District Court in San Jose, when police raided Watson's house, they found 30 phones with counterfeit ID, 16 altered memory chips and 600 mobile phone numbers which could be used for fraudulent calls. Some of Mr. Watson's phones had as many as 12 different ID numbers, thus spreading usage patterns over a large area. Other phones were designed to allow the ID to be changed at will. Police and cellular companies have turned to using more sophisticated means to find illegal cellular phones, including helicopters, voice prints and traffic analysis. Mr. Watson is a Computer Programmer who designed his own software to program integrated circuts to include numbers read from scanners used on the cellular band. The phones so set up were referred to as "lifetime" phones since they never got a bill. They sold for $1,200 to $1,500 and have been found all over North America, according to Ron Nessen of the Cellular Telecommunications Industry Association (CTIA), which estimates that cellular fraud is a $1 million a day problem, with people stealing cellular IDs by waiting near tunnels, airports and parking lots to snatch the ID code transmitted. New York's NYNEX is introducing a PIN code on cellular calls. The Mayor and Police Commissioner of New York City have had the IDs for their cellular phones stolen six times this year. A division of TRW is developing a means to prevent calls unless the user's voice print matches the print on file. Comments: 1. Cellular Companies have been notorious for evading security problems in their phones. Rather than spend the money to add encryption in their switch software, they got a law passed to make it illegal to listen to cellular frequencies and to build equipment that can monitor cellular bands. 2. Cellular phones transmit call information in the clear, so a thief can just use someone else's number and steal a few minutes of airtime from them; if you bleed 10,000 customers of ten extra minutes a month, almost none of them individually will recognize that their bill is ten minutes too high. Unless customers complain, the Cellular Company won't care. 3. A typical practice of an aerospace/military contracting company like TRW is to try an implement and expensive complicated system such as voice print matching instead of something simple and cheap like a device to implement either Kerberos validation, S/Key style one-time passwords, or MD-4/MD-5 arithmetic checksum of some stored value. Putting such methods in as an inexpensive box like a Radio Shack tone dialer might cost users $20 and installing it in new phones might cost an extra $2 or $3. Persons having portable PCs could run a program to generate the code. Since everything is done without a secret being transferred, the software to do this can be public and nothing is compromised. 4. Does using a biometric validation system on a communications network scare anyone? I can think of a half-dozen reasons to dislike it, including: - use of the system to track and locate dissidents and anyone the people who run the government don't like; - my sister wants me to call someone for her and find out something without them knowing it's her asking; I don't match her car phone profile; - I borrow her car to do an errand; I can't call her back to let her know what I found out for her; - Bugs in the software might not recognize the owner with a cold, after an accident that damages their throat, or after some forms of surgery; - Checking voice prints will require very heavy processing capability, quite likely slowing down call connection times; - I bug someone's car and simply play back the recording to unlock their phone. I think that this is an attempt to "kill flies with nuclear weapons," e.g. excessive overkill. There are cheaper alternatives such as mathematical verification that will probably be quite effective without using a system that requires expensive and complicated subsystems such as voice print recognition. ------------------------------ From: "Prof. L. P. Levine" Date: 26 Sep 1994 12:45:51 -0500 (CDT) Subject: Info on CPD, Contributions, Subscriptions, FTP, etc. Organization: University of Wisconsin-Milwaukee The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below. On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing. Contributions generally are acknowledged within 24 hours of submission. An article is printed if it is relevant to the charter of the digest. If selected, it is printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the subject line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit or append to the text except for purely technical reasons. A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy". People with gopher capability can most easily access the library at gopher.cs.uwm.edu. Mosaic users will find it at gopher://gopher.cs.uwm.edu. Older archives are also held at ftp.pica.army.mil [129.139.160.133]. ---------------------------------+----------------------------------------- Leonard P. Levine | Moderator of: Computer Privacy Digest Professor of Computer Science | and comp.society.privacy University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu | Gopher: gopher.cs.uwm.edu levine@cs.uwm.edu | Mosaic: gopher://gopher.cs.uwm.edu ---------------------------------+----------------------------------------- ------------------------------ End of Computer Privacy Digest V5 #051 ****************************** .