Date: Wed, 02 Nov 94 13:44:45 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V5#056

Computer Privacy Digest Wed, 02 Nov 94              Volume 5 : Issue: 056

Today's Topics:                         Moderator: Leonard P. Levine

    Re: Planting "Mistakes" to Guard Copyright
    Re: Planting "Mistakes" to Guard Copyright
    Re: Planting "Mistakes" to Guard Copyright
    Re: Digitized Signatures
    Re: Digitized Signatures
    Re: Digitized Signatures
    Re: Digitized Signatures
    Re: Electronic Eavesdropping
    Re: Again, Securest Cordless Phones?
    Email privacy
    Re: Need help on making a computer/PC usage policy
    Re: Need help on making a computer/PC usage policy
    Email
    Re: Drivers license as universal ID?
    Re: License Plates
    Re: License Plates
    Mother's maiden name
    Dr. Denning says that non-escrowed crypto may be restricted
    Info on CPD, Contributions, Subscriptions, FTP, etc.

----------------------------------------------------------------------

From: pryluck@vm.temple.edu (Cal)
Date: 30 Oct 94 15:34:54 EST
Subject: Re: Planting "Mistakes" to Guard Copyright
Organization: Temple University

    How does one tell an illegal copy from a legitimate one, when the
    legitimate copy contains the fictitious city?

    Well, since it's supposed to be the same technique as seeding a
    mailing list and watching for false hits, I assume they have people
    parked out in the desert, waiting for the lost tourists...

Awh common. It ain't that complicated. Suppose you decide to publish a
RandMcNally map under your own name. False city? Gottcha.

------------------------------

From: goudreau@dg-rtp.dg.com (Bob Goudreau)
Date: 31 Oct 1994 10:20:53 -0500
Subject: Re: Planting "Mistakes" to Guard Copyright

    How does one tell an illegal copy from a legitimate one, when the
    legitimate copy contains the fictitious city?

    Well, since it's supposed to be the same technique as seeding a
    mailing list and watching for false hits, I assume they have people
    parked out in the desert, waiting for the lost tourists...

I think you're missing the point. The goal is to plant some information
which, when copied by a competitor in the course of publishing *his*
map, will readily prove that he violated your copyright. So, all you
have to do is buy your competitors' wares and scan them for the bogus
data you planted in your maps.

--
Bob Goudreau                    Data General Corporation
goudreau@dg-rtp.dg.com          62 Alexander Drive
+1 919 248 6231                 Research Triangle Park, NC 27709, USA

------------------------------

From: "/DD.ID=OVMAIL1.WZR014/G=DANIEL/S=STICKA/"@EDS.DIAMONDNET.sprint.com
Date: 31 Oct 1994 13:23:25 -0500
Subject: Re: Planting "Mistakes" to Guard Copyright

    How does one tell an illegal copy from a legitimate one, when the
    legitimate copy contains the fictitious city?

Map publisher A produces an atlas and plants fictitious cities. Map
publisher B produces an atlas, but instead of researching survey
records or whatever they should do to get the geographic info, they
just use publisher A's atlas for their source. If publisher B is too
lazy to do the proper research in the first place, they probably won't
bother to find and remove all fictitious cities. When B's atlas goes on
the market, A has proof that they copied because only A knows about the
fictitious cities.

--
Dan Sticka
Electronic Data Systems -- Dallas

------------------------------

From: Maryjo Bruce
Date: 30 Oct 1994 18:19:24 -0800 (PST)
Subject: Re: Digitized Signatures

I overheard a "new procedures" training session given by a shop owner
to a sales clerk. Electronically sending in a charge has an additional
step now, she said. So many people are trying to alter the information
on the magnetic tape on their credit cards that first they check to see
if it has been tampered with.
When they receive verification that it has not, they complete the
charge procedure.

--
Sunny Mary Jo Bruce, M.S., M.L.S.

------------------------------

From: "/DD.ID=OVMAIL1.WZR014/G=DANIEL/S=STICKA/"@EDS.DIAMONDNET.sprint.com
Date: 31 Oct 1994 15:21:46 -0500
Subject: Re: Digitized Signatures

Another Sears experience: I had some automotive work done over the
weekend at the Plano, TX, Sears location. I paid using Visa (not
SearsCharge or Discover) and was invited to sign the receipt using an
electronic pen on black pad. I asked for a real pen, but was told I had
to sign on the black pad. I said I do not, and won't. He handed me a
ball-point and I signed the paper receipt.

I later called a manager and asked what the deal was. She said they are
using the system to verify signatures (she didn't know how that
worked). She assured me that customers will always be able to sign a
paper receipt with a pen, that a special code on the terminal bypasses
the digital signature function. She also said that they can get a
signature downloaded from Visa anytime they wanted to. Is this true?

--
Dan Sticka
Electronic Data Systems -- Dallas

------------------------------

From: Bob Bales <74774.1326@CompuServe.COM>
Date: 01 Nov 1994 03:39:48 GMT
Subject: Re: Digitized Signatures
Organization: National Computer Security Association

I have an interesting paper, written by noted attorney, author and
electronic commerce expert Benjamin Wright. It provides a commonsense
counterpoint to the mad rush to require digital signatures for
everything.

If you would like a copy of this paper sent to you, simply send me an
EMail to which I can "reply" without modification. Request "Plaintext
Signatures: The Verdict is In".

FYI, Ben is conducting an on-line seminar entitled "Law of Electronic
Commerce". Send me an EMail if you would like more information about
this seminar.

--
Bob Bales                      | CompuServe InfoSec Forum: GO NCSA
Natl Computer Security Assoc   | Phone: 717-258-1816
10 South Courthouse Avenue     | Fax: 717-243-8642
Carlisle, PA 17013             | Email: 74774.1326@compuserve.com

------------------------------

From: stark@rtsg.mot.com (George Stark)
Date: 02 Nov 1994 04:58:20 GMT
Subject: Re: Digitized Signatures
Organization: Motorola Cellular Infrastructure Group

Maryjo Bruce (sunshine@netcom.com) wrote:

    I don't get out much, and I may be the last person on earth to know
    this, but yesterday I went to Sears and bought a shovel and charged
    it on my Visa card. The clerk inspected my card, found it wanting
    because [snip]..

Gee, that's all we need now, a digitized version of our signatures that
can be hammered onto documents we've never seen before. What sort of
privacy protection is going on those signatures?

--
______________________________________________________________________________
George Stark (708) 285-7205         | WAR IS PEACE; FREEDOM IS SLAVERY
stark@rtsg.mot.com                  | IGNORANCE IS STRENGTH.
Motorola-Aftermarket Support Center |            - George Orwell

------------------------------

From: olcay@libtech.com (olcay cirit)
Date: 30 Oct 94 19:42:16 PST
Subject: Re: Electronic Eavesdropping

I know this probably seems like a dumb question to some of you, but
what good would a TEMPEST shield do on a monitor? Are "they" going to
capture the EMF emanating from the monitor and run it through some
complex algorithmic scrubber so they can see what was on the screen?

(Or do I have it all wrong? :) )

------------------------------

From: "Jongsma, Ken"
Date: 30 Oct 94 11:02:00 PST
Subject: Re: Again, Securest Cordless Phones?

CHRISDENNIS@delphi.com writes:

    A few weeks ago, there was a small discussion of the most secure
    cordless phones available to consumers. However, I don't believe
    much else was said other than the new Motorola "secure" phones can
    be easily scanned.
    I, and other readers I'm sure, would like to know what is the
    securest on the market in the 900MHz range. And preferably under
    $300 street! ;-) Or at least please point me in the right direction
    on where to look for this info.

There are no absolutes when you ask a question like this. What you need
to do is:

1) Identify the threat or who you are trying to counter.
2) Identify what type of equipment they are likely to use.
3) Figure out how much you want to spend to counter.
4) Realize that you aren't going to get a perfect solution or one that
   is going to be permanent.

In order as presented:

1) Are you trying to counter your neighbour scanner? The local police?
   The state police? The FBI? The NSA? Just about anyone above your
   neighbour or local police unit is going to have access to the
   physical wire that your phone is attached to, so trying to protect
   the link between your phone and the base unit is pointless when the
   majority of the link is open.

2) 49MHz scanners are cheap and all over the place. 900MHz scanners are
   not as common, but becoming more so each day. 900 MHz scanners that
   are capable of decoding proprietary digital signals (Tropez, etc)
   don't exist on the consumer market and I haven't seen any in the
   more specialized markets. Even more so for ones capable of following
   a frequency agile or spread spectrum signal.

3) How much are you willing to pay to protect against your neighbor or
   the local cops listening? I doubt that you can afford to protect
   against anyone more sophisticated than that.

4) Until Voice PGP comes along, I'm happy with making my cordless phone
   almost as secure as my wall phone. That means I don't want my
   neighbor listening, nor the local bored cop that has a scanner. I
   realize that if I have attracted the interest of anyone at a higher
   level, my phone line is not a secure means of communication and I
   wouldn't use the wall phone, much less a cordless phone.

Consumer electronics has about a 5 year life.
That doesn't mean that it won't work longer than that, but that in 5
years something newer, cheaper, better, whatever will come along. I
don't believe that digital scanners will be available to the general
public for most if not all of that timeframe, so I'm happy with my
Tropez for $189. It's 900MHz, so that limits the universe of who can
listen to it. It's digital, so that really limits the universe of who
can listen to it. Paying another $150 to get spread spectrum just
doesn't buy enough additional privacy to be worth it.

In 5 years, I'll re-evaluate things and see if I need to make any
changes. Actually, I'll do that continually, but I don't expect to have
to do anything for 5 years.

------------------------------

From: babb@ucssun1.sdsu.edu (J. Babb)
Date: 01 Nov 1994 04:17:39 -0800
Subject: Email privacy
Organization: Usually Post-it notes and a Larsen calendar

How well protected are email rights? Specifically, how well is my right
to email privacy protected at the university that supplies my email
account? Since the computing services dept provides it, do they have a
right to look at my email? How about the dept I work for? They provide
no money to maintain my email acct. Do they have a right to look at my
email? Is there a paper on this somewhere?

--
Jeff Babb, Programmer/Analyst
Well I used to be disgusted, now I try to be amused - E. Costello
babb@ucssun1.sdsu.edu   Flames to dev/null/heatsink/asbestos

------------------------------

From: Bob Bales <74774.1326@CompuServe.COM>
Date: 01 Nov 1994 03:45:29 GMT
Subject: Re: Need help on making a computer/PC usage policy
Organization: National Computer Security Association

"COAST" at Purdue is excellent source:

    open coast.cs.purdue.edu
    cd pub/doc
    dir
    quit

    drwxrwsr-x   3 142      10030        1024 Oct 27 21:01 law+ethics
    drwxrwsr-x   2 142      10030         512 Aug  3 00:33 passwords
    drwxrwsr-x   2 142      10030         512 Oct 27 21:01 policy
    drwxrwsr-x   2 142      10030         512 Oct 27 21:02 privacy
    drwxrwsr-x   2 142      10030         512 Oct 27 22:20 social

These are just a few of the applicable directories on this host.

--
Bob Bales                      | CompuServe InfoSec Forum: GO NCSA
Natl Computer Security Assoc   | Phone: 717-258-1816
10 South Courthouse Avenue     | Fax: 717-243-8642
Carlisle, PA 17013             | Email: 74774.1326@compuserve.com

------------------------------

From: Jones Michael <3mj13@qlink.queensu.ca>
Date: 31 Oct 1994 13:44:29 -0500
Subject: Re: Need help on making a computer/PC usage policy

Canadian appropriate use policies are available from Electronic
Frontier Canada.

    gopher: gopher.ee.mcgill.ca
        7/  Community Information
        2/  EFC - Electronic Frontier Canada
        10/ Universities - Policies
        etc. etc.

--
Michael Jones
Queen's University, Kingston, Ont.
Sociology/Communications
3mj13@qlink.queensu.ca

------------------------------

From: babb@ucssun1.sdsu.edu (J. Babb)
Date: 01 Nov 1994 23:26:20 -0800
Subject: Email
Organization: Usually Post-it notes and a Larsen calendar

Please point me to an "authoritative" article on what right employees &
employers have regarding email accounts provided by the employer.

--
Jeff Babb, Programmer/Analyst
Well I used to be disgusted, now I try to be amused - E. Costello
babb@ucssun1.sdsu.edu   Flames to dev/null/heatsink/asbestos

------------------------------

From: Paul Robinson
Date: 01 Nov 1994 17:14:48 -0500 (EST)
Subject: Re: Drivers license as universal ID?
Organization: Tansin A. Darcos & Company - Silver Spring MD USA

John Sullivan , writes:

    Minnesota is just introducing a new drivers license, with new
    security features, as well as a bar code and a magnetic strip (with
    full name, date of birth, and license number). The photo and
    signature are digitized, and presumably stored by the state as well
    as being printed on the card.

It has been announced that California went to this system about four
years ago. My brother has an ID card from Virginia which uses a full
color front image and magnetic stripe on the back. Maryland switched
over to the full system, including bar code, about 18 months ago after
a man murdered another, then applied for a replacement license using
the dead man's name. The killer was not of the same race as the man he
killed, which is a reason for digitizing the original photo.

It's interesting that I came from California, and the license I had
from there was California's "Old" style, which is a photograph of the
person and the information from the driver's license card. This is only
slightly laminated, on the front of the card. (Question: how do I know
the whole license is a photograph? On the back of the California
license is a watermark for photographic paper, "This paper manufactured
by Kodak.")

I traded an "old" style California license, just as it was expiring,
for an "old" style Maryland license, just before they switched systems.
All Maryland licenses issued which came out about 3 months after I got
mine, are of the same type as California, and now Minnesota, e.g.
"Counterfeit Proof".

The news media reports that counterfeit California licenses using the
"Counterfeit Proof" format that California switched to came out about
90 days after California switched to the new system.

    The new licenses are produced (for $1.29 apiece) by Deluxe (the
    check printers).

How interesting. Deluxe is also a Minnesota corporation, if I remember
correctly.
Was perhaps part of the reason for setting this up was to assist a
probably substantial contributor to local politicians? We'll probably
never know.

    Since the magstripe can hold about 256 bytes, there have been
    discussions about what else might be stored there.

This is _old_ technology. New stuff which has been out at least five
years can put 1K onto a standard mag card. (I used to work for a
company that created magnetic employee identification cards.)

    Don Gemberling, director of MN's Public Information Policy Analysis
    Division, evidently did raise the privacy issues during the
    planning process, noting that a "universal personal identifier ...
    has been consistently resisted in this country".

Part of the reason - people have seen it in Europe, and fear equivalent
actions here - is that the number of bad things that can be done with
centralized databases of the general public far outweighs the alleged
benefits which _might_ accrue due to a registration system, e.g. easier
ability to catch criminals and find missing or lost children, vs. an
easier means to quash dissidents, blackmail people with opposing views,
and find ways to silence, and eliminate those who you don't want
around, or simply cause them to be blackballed so they can't find
employment.

The administrator of the IRS refused to do audits on people that
Nixon's people wanted harassed. Today, all that's needed is to plant
some drugs in his house, then threaten him with prosecution plus a RICO
forfeiture of everything he owns if he doesn't keep his mouth shut or
fails to do what he is told, or is simply told to resign and they'll
drop the issue, then they appoint their own yes man. If (s)he tries to
talk, nobody is going to believe him, or her, because of the anti-drug
hysteria.

Back during World War II, Germany used registration information to
round up Jews.
Here, during World War II, the director of the Census refused to give
up the original data so that Japanese Americans could be rounded up,
but the other agencies simply used the raw published tract information
(which shows nationalities) to discover how many Japanese to look for.

And in a shameful action, here in Montgomery County, MD, the county
used census tract information to discover where cheap "illegal" (e.g.
not government taxed/regulated) housing conversions were located so the
residents could be evicted and/or the owner fined.

Yes, people have a reason to oppose and fear a universal personal
identifier. People have a _damn good_ reason to fear a universal
personal identifier.

------------------------------

From: bsherman@sefl.satelnet.org (Bob Sherman)
Date: 02 Nov 1994 03:58:25 -0500
Subject: Re: License Plates
Organization: Not much!

twallace@mason1.gmu.edu (Todd A Wallace) writes:

    I have been curious about this for a long time: How much can the
    average Joe (not affiliated with law enforcement) find out about me
    by using my license plate number on my car?

In about 46 of the 50 states, just about anything that appears on your
registration application form. There are databases you can subscribe
to, microficsh (sp?) you can buy, etc. just filled with this type of
info.

--
bsherman@satelnet.org

------------------------------

From: morris@grian.cps.altadena.ca.us (Mike Morris)
Date: 02 Nov 1994 08:49:35 GMT
Subject: Re: License Plates
Organization: College Park Software, Altadena, CA

twallace@mason1.gmu.edu (Todd A Wallace) writes:

    I have been curious about this for a long time: How much can the
    average Joe (not affiliated with law enforcement) find out about me
    by using my license plate number on my car?

It depends upon your state's motor vehicle dept, and what they will
release. I suggest you call a local private investigator.
I did, and found out what could be acquired above board (not much) and
what could be acquired if I didn't ask where it came from (everything)
and could pay a fee to the P.I.

--
Mike Morris WA6ILQ   | All opinions must be my own since nobody pays
PO Box 1130          | me enough to be their mouthpiece...
Arcadia, CA. 91077   | ICBM: 34.12N, 118.02W
                     | Reply to: morris@grian.cps.altadena.ca.us

------------------------------

From: snorthc@relay.nswc.navy.mil (Stephen Northcutt)
Date: 02 Nov 1994 16:02:28 GMT
Subject: Mother's maiden name
Organization: Naval Surface Warfare Center

I have been flooded recently with "pre-approved" credit card
applications. Chris Hibbert and the SSN FAQ inspired me so, I left the
SSN field blank.

One bank just sent me a shiny new visa gold and while I do not doubt
that they have managed to acquire my SSN, they didn't get it from me :)

They did call and ask my Date of Birth and my mother's maiden name. I
didn't think much of it at the time.

Yesterday, Discover (with whom I have had an account for 5 yrs) wrote
and asked for my SSN, DOB, and mother's maiden name.

So, why is my mom's maiden name getting so important?

================== Personal Mail to snorthc@us.net =======================
Those who don't keep .history files are doomed to repeat their keystrokes
"Folks, This is a crazy world." John Winston.

------------------------------

From: "Shabbir J. Safdar"
Date: 01 Nov 1994 09:03:47 -0500 (EST)
Subject: Dr. Denning says that non-escrowed crypto may be restricted

More boots are dropping; Denning suggests banning non-escrowed crypto
Wiretap Watch - post-bill note
November 1, 1994
Distribute Widely - (until November 30, 1994)

Dr. Denning sees restrictions on non-escrowed crypto as an obvious
possibility if Clipper sinks

I attended the NYU Law School symposium on "rights in cyberspace" last
Friday (Oct. 27, 1994) here in New York. There were three panels. On
the mid afternoon panel, the topic was regulating state access to
encrypted communications.
Panelists included Oliver Smoot (attribution forgotten), Dr. Dorothy
Denning (famous key escrow proponent), Steven Cherry (Voters Telecomm
Watch spokesperson), and J Beckwith Burr (who was not a rep of the EFF,
but gave a synopsis of their position).

Dr. Denning gave a chillingly calm description of key escrow, and then
the panelists as a whole answered questions.

At one point the subject arose of just how "voluntary" Clipper really
could be, seeing as the public and industry had thus far overwhelmingly
rejected it. Who will use a voluntary standard that nobody likes? The
consensus of the key-escrow opponents on the panel seemed to be
"nobody".

Dr. Denning, speaking for herself and not as a spokesperson for the
Administration, stated that if alternate non-escrowed encryption became
prevalent, the next step would be to implement "restrictions" on
non-escrowed technology.

I think it's safe to assume that Dr. Denning wasn't speaking of a secret
gov't. plot to ban private crypto; she was just commenting on the
obvious. The Administration & Law Enforcement wants access to *all*
communications. While they'll play "nice" now, they won't be so nice if
you don't go along with them. It's going to get ugly down the road, and
HR 5199 could be the panacea.

What can you do?

-Get to know your legislator.
Just as the DT bill was railroaded through, there may not be a big
chance of stopping 5199, a bill that could put into legislation the
govt's key escrow program, making it a NIST standard. You *must*
convince your legislator that a little privacy is a good thing.
Non-escrowed crypto will not bring back all the privacy you've lost in
the last 50 years; it will bring back some. Some is better than none,
and it maintains the balance between law enforcement interests and
privacy concerns.

Learn who your legislators are. Put their phone numbers on a scrap of
paper and keep them in your wallet or purse. This will encourage you to
call next session during one of the crucial moments.
The League of Women Voters often runs a legislator lookup hotline to
help you find legislators.

-Save your money.
There are a lot of organizations around that you can join that will
represent your interests in Congress. Consider whether you should
instead save your money and give it directly to a legislator with a
good record on privacy and cryptography. Several such legislators were
recently identified in the VTW (Voters Telecomm Watch) 1993/1994 Report
Card.

Although both EFF & CPSR are worthy organizations, they don't give
money directly to candidates because of the lobbying language of 501c3
regulations. As far as I know, the Voters Telecomm Watch is the only
organization that outright encourages Americans to contribute funds to
legislators with good crypto/privacy voting records.

-Join the VTW announcements mailing list.
Send mail to vtw@vtw.org and ask to be subscribed to vtw-announce. We
will be carefully tracking HR 5199 next session with the same frenetic
precision we applied to Rep. Maria Cantwell's Cryptography Exports bill
and the FBI's Wiretap/Digital Telephony bill.

--
Shabbir

------------------------------

From: "Prof. L. P. Levine"
Date: Mon, 26 Sep 1994 12:45:51 -0500 (CDT)
Subject: Info on CPD, Contributions, Subscriptions, FTP, etc.
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa. The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution. As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.
On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute. If you do
so, it is best to modify the "Subject:" line of your mailing.

Contributions generally are acknowledged within 24 hours of submission.
An article is printed if it is relevant to the charter of the digest.
If selected, it is printed within two or three days. The moderator
reserves the right to delete extraneous quoted material. He may change
the subject line of an article in order to make it easier for the
reader to follow a discussion. He will not, however, alter or edit or
append to the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite. The archives
are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at
gopher.cs.uwm.edu.

Mosaic users will find it at gopher://gopher.cs.uwm.edu.

Older archives are also held at ftp.pica.army.mil [129.139.160.133].

---------------------------------+-----------------------------------------
Leonard P. Levine                | Moderator of: Computer Privacy Digest
Professor of Computer Science    |    and comp.society.privacy
University of Wisconsin-Milwaukee| Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201      | Information: comp-privacy-request@uwm.edu
                                 | Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu                | Mosaic: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V5 #056
******************************