Date: Thu, 24 Nov 94 09:44:01 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V5#066

Computer Privacy Digest    Thu, 24 Nov 94    Volume 5 : Issue: 066

Today's Topics:                          Moderator: Leonard P. Levine

                   Help for a College Student
                   Phone Provider Hijacking
                   Re: Forged Internet Email
                   Re: Forged Internet Email
                   Sprint Voice Phone Card: Be Careful!
                   Story on Privacy Abuses & Stalking
                   Re: Corporate Electronic Communications Policy
                   Cell-Phone Ergonomics Side-effect
                   Essay: The Right to Privacy
                   Security is not Privacy
                   2nd Intl Conf InfoWar--Call for Registration
                   Info on CPD, Contributions, Subscriptions, FTP, etc.

----------------------------------------------------------------------

From: sun!gerber@uunet.uu.net (Tanja Gerber)
Date: 23 Nov 1994 04:28:28 GMT
Subject: Help for a College Student
Organization: Lewis and Clark College, Portland OR

I am writing a paper about privacy and access to information on the
Internet. I am interested in electronic medical records, credit reports
and personal privacy rights. If anyone with knowledge concerning these
topics or anything pertaining to my plight would like to send me
information, I'd appreciate the help.

------------------------------

From: zsharadg@cae.ca (Sharad Gupta)
Date: 23 Nov 94 08:20:31 EST
Subject: Phone Provider Hijacking

On the CBC News last night, they reported that rival long distance
providers are hijacking each other's customers without notice or
consent. The good news is that if this happens to you (in Canada
anyways), you don't have to pay any bill from the hijackers. You do
have to switch back to your original provider as soon as you figure it
out though. ("But I normally charge $3000 in overseas calls every
day.")

In Canada, to find out who your provider is, dial 1-700-555-4141. The
call is free, and it does work from here (514-land).

-- 
Sharad Gupta

------------------------------

From: "Dennis G. Rears"
Date: 23 Nov 94 11:31:59 EST
Subject: Re: Forged Internet Email

Somebody wrote:

    From: mr.rogers@the_place_to_be_.nut
    Date: 19 Nov 94 20:24:47 PST
    Subject: Forged Internet Email

    This is another example of how simple it is to forge messages. What
    I really found as shocking was how just about anyone on any kind of
    computer can pull it off.

To which the moderator replies:

    [extensive moderator comment: The author of the above did actually
    sign with a name and a reasonable looking email address. I have
    removed them since what I say below could easily be considered
    offensive and there is no reason to put him or her to embarrassment
    if, in fact, the name is not that of the actual forger.]

Internet mail has always been easy to forge. I am surprised that people
are just realizing this now. That's one of the reasons why things like
digital signatures are being developed. To forge internet mail you just
open an SMTP connection (telnet hostname 25) to any host, use commands
like helo, mail, rcpt, and data. Some people might say I shouldn't say
this but it has been public for the 10 years I have been on the net. I
got my share of forged messages when I was moderator of this forum. A
good sysadmin can detect most forgeries by looking at the received lines
and dates. Of course if a person was extremely knowledgeable he could
massage the headers properly.

-- 
dennis

------------------------------

From: "Robert Radvanovsky"
Date: 23 Nov 1994 12:49:13 -0600 (CST)
Subject: Re: Forged Internet Email

It is utterly amazing how the world of internetworking has gone this
far. And what is worse is that it has not yet reached its crux. I first
started out on "The Net" in 1984 when it was still under the direction
of ARPA (Advanced Research Projects Agency), part of the DoD (Department
of Defense), searching for new methods of sending network traffic in a
reliable and efficient manner. Part of the problem was that hackers got
a whiff of its capabilities. I was one of them. I don't deny it, yes, I
am a hacker (sounds almost like Hacker's Anonymous, eh?).

Somehow between there and here it was decommissioned from DoD and placed
into the loving hands of the NSF (National Science Foundation). Only
within the past several years has it started to get really out of hand
when the NSF has "sold" the Internet to commercial holders.

Speaking from several observations, there is a new breed of hacker
today, one that would, could (and can be) deemed as a form of "network
terrorist" (or if you will, a "hacker terrorist"). There are several
unwritten "codes of ethics" between hackers, many of whom play mind
games of the sort -- but between each other. You might say that many of
the perils that were (and still are) associated with hacking belongs to
a brotherhood of computer enthusiasts and digital undergrounders. The
problem is that we've now opened the front door and are very unsure
about who (or what) may be lurking out there. Many of the older hacks
that still lurk out there, are listening and shaking their heads as to
what has been going on within the past several years.

The problem is that children (and even some adults that haven't grown
out of their childhood) now have reached the stage of "playing" (and I
do mean this literally) from a single stand-alone computer to a
multiple-connection networked computer port. Instead of playing "Ms.
Pacman" or "Donkey Kong" on their lone 286 turbo-thrusted, 3gy-x11
super-glorified, exponentially enhanced VGA with super 800x640 super VGA
graphics on a French toast bun these hackers have gone to playing MUD
games at MIT, bounced through Berkeley, then Taiwan, then the South
Pole, then through Finland, then finally to MIT via their 986
super-duper enhanced in-yo-face-and-yer-moma all-American TCP/IP SLIP
(wooooo-wooooo) via 96.45612341 KB modem on a vanilla toast crunch bar
with 24 hours of Coke (yup, the REAL thing) to top it off. Whew!

I feel that a good chunk of these "hackers" still feel that they are
playing games. What took me a long time to get right within my whittle
bwain was that (and I quote) "... if you want something REALLY bad, just
ASK FOR IT!". Many folks feel that they want to bypass the system. By
doing so, not only are they hurting those who are their victims
(eventually), but the system as a whole as there would have to be
additional security measures, costs, etc. placed into effect to prevent
future situations from occurring again. Secondly, in many cases, it is
probably better just to pay the stinking $0.29 cents than to spend $3.50
to avoid paying for a postage stamp. What's wrong with this picture boys
and girls? I'm just throwing up some numbers from an example of a fellow
gent who bragged about "beating the system".

Is it really worth it? To some, the answer is "yes". To some, they feel
that the risk of skirting the "feds" and avoiding jail is the ultimate
thrill. Personally, I'd rather live a life being content and spending
time with a loved one than having to worry about which route to take to
avoid being caught.

DISCLAIMER: My opinions are my own and do not reflect those opinions
and/or thoughts of my current employer.

------------------------------

From: John Kwiatkowski <0007152212@mcimail.com>
Date: 23 Nov 94 18:13 EST
Subject: Sprint Voice Phone Card: Be Careful!

I recently received my first voice phone card from Sprint about two
weeks ago or so. I called the 800 number and set it up. After about a
week of using it, I decided to really put it to the test. Since the
literature says that voice prints are unique and no one would ever be
able to steal your voice, I gave the number to a trusted friend of mine
and on three way we called the 800 number to place a call. Only instead
of me saying my voice phone card number, my friend did. The Sprint Voice
system responded "..PLACE CALL...". I almost fell off the chair! So we
tried it again...worked! We called another person with a totally whiny
voice that we know and she tried it. IT WORKED AGAIN!

I called Sprint. They said that what I told them is impossible. It can
not happen! So, the Sprint representative tried it for herself. IT
WORKED AGAIN! She was all embarrassed. She said she'd have my account
reset and I should re-set up my initial voice recognition procedure
again. I did! I used the card for another week and a half...a lot.
Today we tried to fool the system again..IT WORKED! WE FOOLED IT AGAIN.

The Sprint Voice Phone Card is a scam! They charge you extra per month
just to have this "securest phone card that exists" and absolutely
anyone can use it if they have your phonecard number and the 800 number
to use.

Also, when calling about my account, the representative I talked to just
gave away info on my account like the person talking to her was
absolutely, undoubtedly me and not an imposter. She never verified
anything before giving out info on the account.

BE CAREFUL OF THE SPRINT VOICE PHONE CARD! IT IS NOT SECURE!

-- 
John Kwiatkowski

------------------------------

From: wdiv@aol.com (WDIV)
Date: 23 Nov 1994 12:30:07 -0500
Subject: Story on Privacy Abuses & Stalking
Organization: America Online, Inc. (1-800-827-6364)

We are a television news crew working on a two part series that details
victims of electronic stalking and other invasions of their privacy. We
would like to hear from people who have suffered from these types of
abuses. We're also interested in what software and hardware is available
to the general public to harass, stalk or rip-off others through their
computer. Please call us at 313-222-0520 and ask for Mary Ann. Or send
private E-mail. We would appreciate any and all help that we could get.
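[Editor's added example, not part of the digest or of any contributor's post. Dennis Rears's reply in the forged-mail thread above says a sysadmin can spot most forgeries from the Received: lines and dates; the Python below shows what that check looks like in practice. It walks a message's Received: chain and flags the inconsistencies a message typed straight into port 25 tends to leave: a hop whose "by" host does not match the next hop's "from", timestamps that run backwards, a HELO name contradicted by the relay's reverse lookup, and a Date: header far from the earliest relay stamp. All hostnames, addresses, tolerances and both sample messages are constructed.]

```python
"""Consistency checks over a message's Received: chain (added illustration for
the forged-mail thread; not code from the digest). Handles the common
"from A (B [ip]) by C ...; date" header shape; a parse miss counts as unknown.
All hostnames, addresses and both sample messages are constructed."""
import email
import re
from datetime import timedelta
from email.utils import parsedate_to_datetime

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                  # name given in HELO
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*(?:\[(?P<ip>[^\]]+)\])?\))?"  # (rdns [ip])
    r"\s+by\s+(?P<by>\S+)", re.IGNORECASE)                   # relay that stamped it
CLOCK_SKEW = timedelta(minutes=10)  # assumed tolerance between relay clocks

def parse_received(value):
    """Split one Received: header into helo/rdns/ip/by plus its timestamp."""
    value = " ".join(value.split())          # unfold continuation lines
    body, sep, when = value.rpartition(";")  # the date follows the last ';'
    if not sep:
        body, when = value, ""
    m = RECEIVED_RE.search(body)
    hop = {k: (m.group(k) if m else None) for k in ("helo", "rdns", "ip", "by")}
    try:
        hop["time"] = parsedate_to_datetime(when.strip())
    except (TypeError, ValueError):
        hop["time"] = None
    return hop

def host_match(a, b):
    # Loose comparison: equal names, or one a sub-domain of the other.
    if not a or not b:
        return False
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def check_received_chain(raw_message):
    """Return findings as strings; an empty list means the chain is consistent.
    Received: headers are newest-first: hops[0] is the final relay."""
    msg = email.message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    if not hops:
        return ["no Received: headers at all"]
    findings = []
    for i in range(len(hops) - 1):
        newer, older = hops[i], hops[i + 1]
        # Whoever handed the message to hop i must be the "by" host of hop i+1.
        if not (host_match(newer["helo"], older["by"])
                or host_match(newer["rdns"], older["by"])):
            findings.append(f"hop {i+1} 'by {older['by']}' does not match "
                            f"hop {i} 'from {newer['helo']}'")
        if newer["time"] and older["time"] and older["time"] - newer["time"] > CLOCK_SKEW:
            findings.append(f"hop {i+1} is stamped later than hop {i}")
    for i, h in enumerate(hops):
        # HELO name contradicted by the receiving relay's own reverse lookup.
        if h["rdns"] and h["helo"] and not host_match(h["helo"], h["rdns"]):
            findings.append(f"hop {i}: HELO '{h['helo']}' but reverse DNS '{h['rdns']}'")
    try:
        claimed = parsedate_to_datetime(msg["Date"])
    except (TypeError, ValueError):
        claimed = None
    origin = hops[-1]["time"]
    if origin and claimed and abs(origin - claimed) > timedelta(hours=1):
        findings.append("Date: header disagrees with the earliest Received: stamp")
    return findings

# Constructed samples. The second mimics a message typed straight into port 25
# that claims, in HELO and Date:, to have come from a campus mail host.
GENUINE_MSG = """\
Received: from relay.example.edu (relay.example.edu [192.0.2.10]) by mail.example.org with SMTP; Wed, 23 Nov 1994 11:35:02 -0500
Received: from ws17.example.edu (ws17.example.edu [192.0.2.44]) by relay.example.edu with SMTP; Wed, 23 Nov 1994 11:34:50 -0500
Date: Wed, 23 Nov 1994 11:34:40 -0500
From: alice@example.edu

noon?
"""
FORGED_MSG = """\
Received: from mail.example.edu (dialup-17.isp.example.net [198.51.100.17]) by mail.example.org with SMTP; Wed, 23 Nov 1994 11:40:11 -0500
Date: Mon, 21 Nov 1994 09:00:00 -0500
From: dean@example.edu

Please disregard the earlier note.
"""

if __name__ == "__main__":
    print(check_received_chain(GENUINE_MSG), check_received_chain(FORGED_MSG))
```

As Rears notes, a careful forger can massage the headers to pass these checks, so an empty finding list is a lack of evidence, not proof of authenticity.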
------------------------------

From: ingramm@cognos.COM (Mark Ingram)
Date: 07 Nov 1994 16:41:38 -0500
Subject: Re: Corporate Electronic Communications Policy

rj.mills@pti-us.com (Dick Mills) writes:

    The following is a corporate policy proposed for adoption at my
    company. The purpose of the policy is to protect the company from
    lawsuits. The fear of lawsuits was prompted by press reports of
    workers in California who sued because their company had inspected
    their "private" email records. What do followers of comp-privacy
    have to say about this policy as written?

Hmmmmm. Aren't you forgetting the hidden microphones and video cameras
in the bathroom? After all, that's company property too.

-- 
Mark.

------------------------------

From: "Prof. L. P. Levine"
Date: 24 Nov 1994 08:12:07 -0600 (CST)
Subject: Cell-Phone Ergonomics Side-effect
Organization: University of Wisconsin-Milwaukee

Taken from RISKS-LIST:
RISKS-FORUM Digest  Tuesday 22 November 1994  Volume 16 : Issue 57
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Date: 16 Nov 94 16:52:30 EST
From: rstanley@sybase.com (Robert Stanley)
Subject: Cell-phone ergonomics side-effect

Yesterday evening I returned home from work and, as usual, checked the
answering machine on my normal voice telephone. Much to my surprise, I
heard a somewhat muffled background conversation that I soon identified
as that afternoon's conference in the office. This filled the tape to
the end, and had caused several later calls to be rejected.

[aside #1: I hate these damn micro-cassette systems that only allow ten
or fifteen minutes of message time, but they have become ubiquitous!]

Two aspects of this message puzzled me: how had it found its way to my
answering machine, and why was it so muffled?

The office has just completed installing a high-tech AT&T digital phone
system with all sorts of fancy features, but I know that the
trunk-to-trunk transfer features have all been disabled for security
reasons. It is therefore not possible for our conference call link to
another office to have been forwarded to my home phone. The only
possible way for my phone to have been included in the conference would
have been for it to have initiated the call (and then worked its way
through a set of control codes.)

[aside #2: my former answering machine, which used real C-90 cassettes,
did have the unfortunate habit of occasionally calling back the last
number to have dialed it! Another story, and one which can wait for a
rainier day to tell.]

[aside #3: the idea of disabling trunk-to-trunk switching to prevent
improper (read: malicious cracker) usage really demonstrates the lack of
thought that goes into much of what today passes for the design process.
Hey, just compile it and debug it, that way you'll be *doing*
something...]

Investigation at the office yielded disbelief followed by stunned
surprise. No one had forwarded the phone, and my home phone number was
not programmed onto any button in the system. However, we all rush to
the documentation to check into just how the remote monitor feature
works, and try to recall whether any visible telltales had been lit to
indicate monitoring.

Finally, light dawns. A colleague's tiny Nokia cell-phone in his shirt
breast pocket. He had called me at home earlier, and the phone has a
last number redial button. The phone, non-folding, slipped into his
shirt pocket with the controls outermost, had somehow had that button
tripped, and had happily held the line open to my answering machine. The
muffled broadcast was entirely attributable to the small microphone and
the cotton pocket between it and our conference table.

However, it is an extraordinarily sobering experience to hear a
sensitive work discussion issuing hours later from the speaker of your
home voice messaging system.

A number of risks here, but the predominant one seems to be the conflict
between added function and reduced footprint of portable cell-phones
leading to the creation of unergonomic control systems. This is
exacerbated by the novel situations to which the diminished footprint
can give rise. This is surely the first generation of cell-phones that
are sufficiently small (a) to be droppable into a toilet, and (b)
actually flushed out of reach...

Robert Stanley - robert.stanley@sybase.com

------------------------------

From: gmcgath@condes.MV.COM (Gary McGath)
Date: 22 Nov 1994 23:18:41 GMT
Subject: Essay: The Right to Privacy
Organization: Conceptual Design

                Defining and Upholding the Right to Privacy
                              By Gary McGath

The right to privacy is less clear in many people's minds than such
rights as freedom of speech and ownership of property, and of late it
has come under attack by elements of our government which claim that
fighting crime requires compromising people's privacy. But as I propose
to show in this essay, the right to privacy is as important a part of
our liberties as any other guarantee in the Bill of Rights.

All rights must be understood as growing out of, and existing in the
context of, the need of each individual to act autonomously in
furtherance of one's own existence. Ayn Rand wrote: "A 'right' is a
moral principle defining and sanctioning a man's freedom of action in a
social context. There is only *one* fundamental right (all the others
are its consequences or corollaries): a man's right to his own life."
Derivative rights include liberty (including freedom of speech, the
press and religion) and property rights (the right to keep and use what
one has produced or acquired in trade).

What freedom of action is subsumed by the right of privacy? The freedom
to withhold information from others. Living successfully requires being
able to withhold information from those who might use it injuriously
(for example, not letting robbers know that you are carrying a lot of
money) and being able to use one's knowledge and its products in trade
(for example, being able to sell the source code to a computer program,
which would not be possible if potential buyers already had access to
it).

Like any right, the right to privacy exists within a context of rights:
one's own and those of others. It does not apply when one has freely
waived one's privacy as part of a contract, nor does it apply when its
exercise entails a violation of the rights of others. For example, a
vendor selling tainted food could not claim that the right to privacy
justifies withholding the information that the food is bad. But in the
absence of clearly countervailing requirements based on the rights of
others, one has the right to withhold any information one possesses
from other people, and to take reasonable steps to insure its security.

The Fourth Amendment to the U.S. Constitution does not name the right to
privacy as such, but guarantees an important aspect of it: "The right of
the people to be secure in their persons, houses, papers, and effects,
against unreasonable searches and seizures, shall not be violated, and
no Warrants shall issue, but upon probable cause..." The Fifth
Amendment's guarantee that no person "shall be compelled in any criminal
case to be a witness against himself" also relates to this right. Even
criminals may not be required to provide the evidence to convict
themselves.

The opponents of a strong interpretation of the right to privacy argue
that it must be balanced against the requirements of law enforcement. It
is more important, they argue, to punish and restrain criminals than it
is to guarantee complete privacy to everyone. This claim can be
challenged both on ethical and practical grounds.

Ethically, such a policy is wrong because it violates the rights of the
innocent in pursuit of the guilty. A government which injures people who
have not committed any act that violates the rights of others is on
moral quicksand when it offers the excuse that it is hunting people who
do the same thing. Our government takes great pains not to jail innocent
people for the sake of making sure all the guilty ones are convicted;
but when it seeks to limit innocent people's privacy for that reason, it
is committing the same kind of evil which it works hard to avoid in the
courtroom.

On practical terms, letting the government take away our privacy for the
sake of pursuing criminals only encourages it to invent more kinds of
crimes. Crimes which involve an actual violation of people's rights --
murder, theft, rape, and so on -- are by their nature not private
matters. They involve another person, a victim. But victimless crimes
involve only the people who consent to the illegal action. It is
primarily victimless crimes whose prosecution is aided by the denial of
the right to privacy. When governments have the means to prosecute
private actions among consenting adults, they will be more inclined to
do so than if they have no way to find out that those actions occurred.

Compromising the right to privacy also invites a constant stream of
governmental intrusion into our lives. Once the government gets its foot
in the door by any excuse, it will by its nature expand its power until
somehow checked. Consider the U.S. Census. The Constitution made
provision for a census for two purposes: to establish representation in
Congress and to allocate taxes based on enumeration. The second of these
reasons is obsolete with today's tax structure. Two simple questions
would be enough to establish the purpose of the census: "Who are you?"
and "Where do you live?" Nor is there any good reason to punish those
who refuse to respond; they are only reducing their own state's
representation in Congress. Yet today's U.S. Census contains a vast
array of questions about private information, and those who refuse to
answer can legally be punished (though few are).

The privacy debate has taken on a new form in modern society as computer
technology has made it feasible for anyone to encrypt messages so
securely that they are virtually unbreakable. Yet the substance of the
issue has not changed. There is no real difference between encrypting a
message and hiding it away, except that the "hiding" is done by logical
rather than physical means. When one person sends a message to another,
they are under no obligation to enable third parties to understand what
is going on.

People can conceal information in messages by many means besides
mathematical encryption. They can use slang and jargon, make use of code
names, make personal allusions which are meaningless to others, or
withhold essential information which the recipient already possesses. If
it is reasonable for the government to outlaw encryption, it is equally
reasonable for it to require that people communicate only in
conventional English and to fully explicate the meaning of all their
communications for the benefit of any FBI eavesdropper. Most people
would immediately see the Draconian nature of such requirements; but
encryption is something less personal and familiar, so they do not view
it in the same way. But the same issue is involved: the right to
withhold information from those who don't have a specific right to
demand it. This is the essence of the right to privacy.

-- 
Gary McGath
gmcgath@condes.mv.com

------------------------------

From: "Prof. L. P. Levine"
Date: 24 Nov 1994 08:13:41 -0600 (CST)
Subject: Security is not Privacy
Organization: University of Wisconsin-Milwaukee

Taken from RISKS-LIST:
RISKS-FORUM Digest  Tuesday 22 November 1994  Volume 16 : Issue 57
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Date: 15 Nov 1994 12:04:08 -0800
From: Phil Agre
Subject: security is not privacy

*The New York Times* has an article about an attempt by tobacco company
lawyers to subpoena reporters' travel and telephone records in an
indirect attempt to identify their sources for stories asserting that
the companies deliberately added nicotine to their cigarettes.

  William Glaberson, A libel suit raises questions about the ability of
  journalists to protect sources in the electronic age, *The New York
  Times*, 14 November 1994, page C10.

Many readers of RISKS probably remember other attempted strategic uses
of the discovery process by tobacco companies, including at least one
attempt to subpoena raw survey data from smoking researchers and an
attempt to obtain an electronic mailing list of anti-smoking activists.
(Actually, the article doesn't explicitly say that the companies want
the subpoenas issued as part of the discovery phase of the trial, just
that they want them and the major press organizations are trying to stop
them.)

In any event, this case is an excellent example of why data security,
while obviously important, does not guarantee privacy. I am sure that
those travel and telephone records are as secure as they need to be, but
that may not provide enough protection against the legal strategies of
tobacco companies. Maybe this point is obvious to Risks readers, but it
is certainly not obvious to many others, including many of the
politicians who make laws about such things. So remember to let these
folks know: Security is not privacy. The only guarantee of privacy is
anonymity.
Fortunately, technologies such as digital cash to implement anonymity
are on their way. Insist that they be used in any new system that gets
developed near you. And spread the word, because once privacy-invasive
systems get standardized and installed they're hard to regulate and even
harder to change.

-- 
Phil Agre, UCSD

------------------------------

From: "Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
Date: 22 Nov 94 22:38:23 EST
Subject: 2nd Intl Conf InfoWar--Call for Registration

                         CALL FOR REGISTRATION

                   [Please post where appropriate.]

        Second International Conference on Information Warfare:
                 Chaos on the Electronic Superhighway

Conference Date:   Wed-Thu 18-19 January 1995
Conference Locale: Dorval Airport Hilton Hotel
                   Montreal, Canada

1. INTRODUCTION

Cultures that depend on information systems are vulnerable to
Information Warfare. Attacks on data confidentiality and possession,
integrity and authenticity, and availability and utility will damage
individuals, corporations and other private organizations, government
departments and agencies, nation-states and supranational bodies. It is
essential to erect legal, organizational, and cultural defences against
information warfare.

Winn Schwartau, author of the new book, _Information Warfare: Chaos on
the Electronic Superhighway_, published in 1994 by Thunder's Mouth Press
(ISBN 1-56025-080-1), has defined three levels of information warfare:

Level one: interpersonal damage. Damage to individuals in recent cases
includes impersonation in cyberspace (e.g., false attribution of
damaging communications), appropriation of credit records (for fraud and
theft), harassment (e.g., interruption of phone services) and loss of
privacy (e.g., theft of medical records).

Level two: intercorporate damage. In a recently reported case, a ring of
criminal hackers stole the telephone calling cards of 100,000
subscribers to MCI, AT&T, and Sprint. These thefts are estimated to have
resulted in $50 million of fraudulent long distance calls. In this case,
a switch engineer working for MCI is accused of having inserted Trojan
horse software to record calling-card numbers passing through MCI's
telephone switching equipment. Other recent attacks include data leakage
of confidential information with high competitive value in the
automotive and airline industries.

Level three: international and inter-trading block damage. The World
Trade Center bombing caused more economic loss through interference with
business communications and information processing than it did by
physical damage to the building. It is inconceivable that terrorist
organizations and nations are unaware of the low cost and minimal risk
of attacks on information infrastructure compared with physical attacks.
On a global scale, an aggressive trading block could acquire significant
competitive advantage over an entire society by corrupting widely-used
software (e.g., inserting code in a spreadsheet or accounting package to
introduce occasional random errors) or even inserting logic bombs into
microcode for new processors. The collapse of the Soviet bloc has made
thousands of skilled programmers available for such subversion.

[considerable material deleted by moderator]

For further information, including updates on panelists, send email to
75300.3232@compuserve.com or call (514) 695-4968 or FAX (514) 695-7393
or send snailmail to JINBU Corporation, 17 Merineau, Kirkland, QC,
Canada, H9J 3V7.

------------------------------

From: "Prof. L. P. Levine"
Date: 26 Sep 1994 12:45:51 -0500 (CDT)
Subject: Info on CPD, Contributions, Subscriptions, FTP, etc.
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa. The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution. As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute. If you do
so, it is best to modify the "Subject:" line of your mailing.

Contributions generally are acknowledged within 24 hours of submission.
An article is printed if it is relevant to the charter of the digest. If
selected, it is printed within two or three days. The moderator reserves
the right to delete extraneous quoted material. He may change the
subject line of an article in order to make it easier for the reader to
follow a discussion. He will not, however, alter or edit or append to
the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite. The archives
are in the directory "pub/comp-privacy". People with gopher capability
can most easily access the library at gopher.cs.uwm.edu. Mosaic users
will find it at gopher://gopher.cs.uwm.edu. Older archives are also held
at ftp.pica.army.mil [129.139.160.133].

---------------------------------+-----------------------------------------
Leonard P. Levine                | Moderator of:     Computer Privacy Digest
Professor of Computer Science    |                  and comp.society.privacy
University of Wisconsin-Milwaukee| Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201      | Information: comp-privacy-request@uwm.edu
                                 | Gopher:                gopher.cs.uwm.edu
levine@cs.uwm.edu                | Mosaic:       gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V5 #066
******************************