Date: Thu, 03 Nov 94 19:07:35 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V5#057

Computer Privacy Digest Thu, 03 Nov 94              Volume 5 : Issue: 057

Today's Topics:                         Moderator: Leonard P. Levine

    Re: Electronic Eavesdropping
    Re: Mother's Maiden Name
    Re: Planting "Mistakes" to Guard Copyright
    Info on European Computer Privacy Laws
    Re: Driver's License as universal ID
    Re: Need help on making a computer/PC usage policy
    Bank Reads Cal License Mag Strip
    E-mail Privacy Alert
    South Africa Information Policy Group
    Info on CPD, Contributions, Subscriptions, FTP, etc.

----------------------------------------------------------------------

From: fd@wwa.com (Glen L. Roberts)
Date: 02 Nov 1994 15:18:11 -0600
Subject: Re: Electronic Eavesdropping
Organization: WorldWide Access - Chicago Area Internet Services 312-282-8605 708-367-1871

olcay cirit (olcay@libtech.com) wrote:

    I know this probably seems like a dumb question to some of you, but what good would a TEMPEST shield do on a monitor? Are "they" going to capture the EMF emanating from the monitor and run it through some complex algorithmic scrubber so they can see what was on the screen? (Or do I have it all wrong? :) )

No, they remotely, and easily, via the EMF emitted, reconstitute your computer screen on theirs. I saw it demonstrated at surveillance expo. The reproduction isn't great... but it can be done. All they have to do to reconstitute the picture is mix in new V and H sync signals.

--
Glen L. Roberts, Editor, Full Disclosure
Host Full Disclosure Live (WWCR 5,065 khz - Sundays 7pm central)
email fd@sashimi.wwa.com for catalog on privacy & surveillance.
Does 10555-1-708-356-9646 give you an "ANI" readback?
email for uuencoded .TIF of T-Shirt Honoring the FBI
Remember, fd _IS FOR_ Full Disclosure!

------------------------------

From: huggins@quip.eecs.umich.edu (Jim Huggins)
Date: 02 Nov 1994 21:18:40 GMT
Subject: Re: Mother's Maiden Name
Organization: University of Michigan EECS Dept.

Stephen Northcutt wrote:

    So, why is my mom's maiden name getting so important?

Essentially, they're using it as a password.

Most credit card companies have 800 numbers you can call to speak with a helpful representative about your account, get your current balance, etc. Of course, since credit card numbers can easily be copied, credit companies know that they need to have some way of identifying that you are, in fact, you, especially if you're asking for some significant change (e.g. change of address). So they will usually ask for pieces of information like SSNO, DOB, mother's maiden name, etc., to try and verify that you are in fact who you say you are.

I've heard that most of these places will allow you to substitute any pronounceable string for mother's maiden name, since all they need is essentially a password anyways. They could ask everyone to come up with a unique password, but the number of times it is actually used is so rare (not to mention the understanding of the public about passwords being so low) that obscure pieces of information like mother's maiden name usually serve their purpose.

Of course, someone who really wanted to sabotage my credit standing could spend enough time finding out all this information about me. But authenticating identity over the phone without using unique passwords is going to be an insecure process. So chalk this up as a security vs. access example.

--
Jim Huggins, Univ. of Michigan                  huggins@eecs.umich.edu
"You cannot pray to a personal computer no matter how user-friendly it is."
(PGP key available upon request)                     W. Bingham Hunter

[moderator: other people had similar responses:]

From: tseaver@sam.neosoft.com (Tres Seaver)
Organization: MACRO Enterprises, Inc.

Presumably, someone who steals your card and tries to gain information about your account will not know this bit of info, which, again presumably, you will always be able to supply as "proof" of your identity.

From: sean@sdg.dra.com (Sean Donelan)
Organization: Data Research Associates, St. Louis MO

For bankcard purposes your mother's maiden name can be any (non-obscene) word you want, provided you will remember it at a later date.

------------------------------

From: dwn@dwn.ccd.bnl.gov (Dave Niebuhr)
Date: 02 Nov 1994 16:32:52 -0500
Subject: Re: Planting "Mistakes" to Guard Copyright

    How does one tell an illegal copy from a legitimate one, when the legitimate copy contains the fictitious city?

One local map printer lists important features in places where they shouldn't be. An example is the high school which is shown mixed up with an elementary school. Another is the nearest Coast Guard Station closer to a main road than the bay it sits beside. A third is an historical site listed where a Native American Reservation is located, yet neither is tied to the other in any way.

--
Dave Niebuhr      Internet: dwn@dwn.ccd.bnl.gov (preferred)
                  niebuhr@bnl.gov / Bitnet: niebuhr@bnl
Senior Technical Specialist, Scientific Computing Facility
Brookhaven National Laboratory Upton, NY 11973
1+(516) 282-3093     FAX 1+(516) 282-7688

------------------------------

From: MIKE@HTI.dnet.hac.com
Date: 02 Nov 94 17:24:42 PST
Subject: Info on European Computer Privacy Laws

I have the task of designing a large networked training scheduling system for use in Europe. Since the computer and network privacy laws and acceptable practices of the European countries where it will be used will have an effect on its design and implementation, I've been looking for information. But I haven't had much success.

I have some anecdotal stories of the computer privacy laws of Germany, but nothing on any other countries. I haven't had success with archie and gopher searches either.

So I would really appreciate it if anyone could give me some pointers to European news groups or bulletin boards (non-English is OK) that deal in privacy issues, or some sites with data or FAQs on European computer privacy laws and practices.

I'll post a summary to this group if there is any interest.

Thanks in advance,

--
Mike Robkin
MIKE@HTI.DNET.HAC.COM
Hughes Training, Inc.

------------------------------

From: Dave Moore
Date: 03 Nov 1994 09:45:23 -0500 (EST)
Subject: Re: Driver's License as universal ID

    My brother has an ID card from Virginia which uses a full color front image and magnetic stripe on the back.

I have one of those too. I'm not aware of any use for the magnetic stripe on the license. They can't be too useful because they're such a delicate storage medium. They can be inadvertently wiped simply by leaving them sit on your dashboard black stripe up on a hot summer day. This causes the magnetic material to reach its Curie temperature and demagnetize. Then there's the high tech hazards of de-gaussing coils and very powerful magnetic fields.

I can't imagine a law that would require that all your magnetic domains remain intact.

------------------------------

From: "Prof. L. P. Levine"
Date: 03 Nov 1994 09:41:55 -0600 (CST)
Subject: Re: Need help on making a computer/PC usage policy
Organization: University of Wisconsin-Milwaukee

This was taken from the ethics mailing list and addresses the appropriate use policies for various educational groups. It may be interesting to us to be able to look at the gopher information.

From: CK/P Assessment
Date: 31 Oct 1994 12:51:59 GMT
Subject: Re: Need help on making a computer/PC usage policy
Organization: Pittsburgh Public School District

Most of the online acceptable uses policies I'm aware of are education related, but I don't see why those can't be useful to you (many of the same issues arise). If you can gopher, try gophering to

1) chico.rice.edu (Rice University)
   then to Other Gopher & Info. Servers
   then to Armadillo--The Texas Studies Gopher
   then to More About Armadillo & Other Gophers
   then to Acceptable and Unacceptable Use of Net Resources (K12)/

which is a directory containing 28 files and other directories. Some examples:

    1. Acceptable and Appropriate Use from Tenet.
    3. ALA Bill of Rights/
    10. Acceptable Use from NeuvaNet (California).
    16. EFF Gopher Service (Background Material)/
    28. William Aberhart HS User Guidelines.

I checked two other gophers and both had pointers to the same list of 28:

2) nysernet.org (path:
    11. Special Collections: Empire Internet Schoolhouse (K-12)/
    5. K-12 on the Internet/
    3. Acceptable and Unacceptable Uses of Net Resources (K12)/

3) copernicus.bbn.com (path:
    5. K-12 on the Internet/
    3. Acceptable and Unacceptable Uses...etc./

I hope that helps. There may also be some info. available via World Wide Web but I have little experience with that and haven't spent the time exploring it yet.

--
Gail Futoran
journal@pps.pgh.pa.us
Common Knowledge: Pittsburgh

------------------------------

From: idela!markb@ide.com (Mark Bells Home Account)
Date: 03 Nov 94 09:13:47 PST
Subject: Bank Reads Cal License Mag Strip

I was in a Bank of America branch and ran my ATM card through the little reader at the teller window as ID. Upon entering my PIN she cashed a $1000 check with no further ado. So that is a pretty good system.

But as I glanced at the man at the next window I saw him run his Calif driver's license through the reader. "Whoa," I thought, "what is this?"

So I ran my Calif license through the reader at my window and asked her what she saw on her display. She said that all it gave was my driver's license number. I asked her if my name or SSN appeared and she said no. She said all they use it for is a quick way to read the number.

So I thought you'd want to know!

Mark Bell
markb@ide.com

------------------------------

From:
Date: 02 Nov 1994 22:49:22 GMT
Subject: E-mail Privacy Alert
Organization: University of Colorado at Boulder

Recent news accounts have emphasized the importance of password safety for e-mail accounts. Crackers have broken into mail accounts and messaged objectionable material all over the Internet.

If you read this message, it means that the e-mail safety debate might enter another level. This very message, and several like it, is being sent via someone else's e-mail address --- without use of a password.

In our experimentation with a freely available Internet software program, we have discovered that we can use someone else's e-mail address to mail messages and post to newsgroups. Readers of those messages can reply directly to the e-mail address.

The consequences seem rather broad. It is a little like Pandora's box. Anyone can use this software and send objectionable messages without the e-mail account owner's consent or knowledge.

We are students from the University of Colorado at Boulder. The class, Electronic Journalism, is taught by instructor Bruce Henderson (hendersb@ucsu.colorado.edu). We look at issues involving publishing on the Internet. One aspect deals with interactive publishing, and the importance of allowing readers to interact with a publication via e-mail.

What are your concerns and comments about this issue? Please e-mail course instructor Bruce Henderson at herdersb@ucsu.colorado.edu. Responses will be posted to our newsgroup: cu.courses.jour4562. The newsgroup also can be read through the WWW at: http://bcn.boulder.co.us/campuspress/Jlist.html under the heading The Electronic Journalism Discussion Group (cu.courses.jour4562). We will also provide responses, by request, to those who cannot access the newsgroup.

We are not mentioning the software program that allows this posting at this point because:

1. We are still testing how easy it is to send messages without passwords.
2. If it is easy, we will contact software developers for comment.

All e-mail addresses used in this exercise are accessed WITH the permission of the students.

--
Electronic Journalism students
University of Colorado at Boulder
Instructor Bruce Henderson

------------------------------

From: "Prof. L. P. Levine"
Date: 03 Nov 1994 09:53:18 -0600 (CST)
Subject: South Africa Information Policy Group
Organization: University of Wisconsin-Milwaukee

From: Carsten Knoch

Attached is some information about a discussion group in South Africa. The IPG is currently debating various issues, such as privacy, the question of a telecomms provider imposed traffic rule (the monopoly provider seems to have problems with so-called "third party traffic" crossing leased lines, thereby curbing Internet development), and networking in schools.

Regards,
Carsten Knoch

---------------snip--------------------------------------------------

The Information Policy Group (IPG) is a loose and transdisciplinary group of networking, computer, and telecommunications professionals in South Africa and beyond. Its participants discuss issues revolving around an information and networking policy for South(ern) Africa. The group also attempts to find practical suggestions towards solutions of networking problems in areas such as school, university, commercial, NGO, and governmental networking. Lastly, the group fosters `human networking', and understands itself as a contact basis between people in South Africa and abroad who share its interests.

The guiding principle that technology alone cannot solve all social problems, and a keen awareness of the socially responsible use of such technologies, as well as the realisation of the importance of making and implementing sound policies in these areas after the political changes in South Africa is what brought a number of networking professionals together in July 1994 to form the group as a private initiative.

The group maintains contacts to a number of other organisations and individuals in South Africa, the United States, and elsewhere. It is the group's understanding that input from `the outside' is necessary and welcome.

---

How to make contact with the IPG:

The group maintains a mailing list <=> Usenet group gateway in which its discussions take place. Mail to

    info-policy-request@proxima.alt.za
    Subject: subscribe

in order to subscribe to the mailing list. Alternatively, point your newsreader to the group `za.info-policy' to view the Usenet group. In order to unsubscribe from the mailing list, send a message to the same address, with

    Subject: unsubscribe

Posts to the list should be addressed to

    info-policy@proxima.alt.za

There is a gopher site at gopher.proxima.alt.za (port 70), to which either gopher or Telnet connections are accepted. When logging in using Telnet, type: `gopher' at the `login:' prompt. No password is required.

------------Carsten Knoch-------------carsten@julia.pix.za-----------
------------tel.27.11.792.5687--------fax.27.11.339.1388-------------

------------------------------

From: "Prof. L. P. Levine"
Date: 26 Sep 1994 12:45:51 -0500 (CDT)
Subject: Info on CPD, Contributions, Subscriptions, FTP, etc.
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute.
If you do so, it is best to modify the "Subject:" line of your mailing.

Contributions generally are acknowledged within 24 hours of submission. An article is printed if it is relevant to the charter of the digest. If selected, it is printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the subject line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit or append to the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at gopher.cs.uwm.edu.

Mosaic users will find it at gopher://gopher.cs.uwm.edu.

Older archives are also held at ftp.pica.army.mil [129.139.160.133].

---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of: Computer Privacy Digest
Professor of Computer Science     |    and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Mosaic: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V5 #057
******************************