Date: Mon, 15 May 95 11:28:34 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V6#045

Computer Privacy Digest Mon, 15 May 95              Volume 6 : Issue: 045

Today's Topics:                         Moderator: Leonard P. Levine

    Re: What are the VISA Codes?
    Death Lists for Junk Mailers
    National Caller ID
    Re: Could What You Post be Used to Profile You?
    Nautilus foils wiretaps
    Info on CPD [unchanged since 12/29/94]

----------------------------------------------------------------------

From: bo774@freenet.carleton.ca (Kelly Bert Manning)
Date: 11 May 1995 07:50:59 GMT
Subject: Re: What are the VISA Codes?
Organization: The National Capital FreeNet, Ottawa, Ontario, Canada

Mike Leach (mleach@equity2.sbi.com) writes:

    Recently, a senior citizen friend of mine may have been the intended victim of a phone scam. The caller said my friend had won (at least) $2500 worth of prizes... The grand prize was a car and she was one of only 5 finalists. All that was required was a small ($750) purchase made with her (my friend's) visa card.

Sounds like it was a sure bet for a Scam, not just a may be.

I mentioned this over a year ago when the previous moderator expressed a lack of concern about Caller ID/ANI revealing home phone numbers. If someone has your unlisted number, captured from a call to an unrelated number and peddled to a scammer, it makes it sound much more credible.

Since then it's been in the news here repeatedly and the national "Phone Buster" operation continues to get lots of calls from people who've been scammed. Some of these end up over $100K before people realize it is a case of kissing their money goodbye.

Valerie McLean, head of the Vancouver Better Business Bureau, has said several times that this racket has sucked over a billion $ out of the bank accounts of Canadian business people and seniors, who for some reason are the preferred suckers on these lists.
I suppose it's because they are people who tend to have money available to spend. It's surprising the business people seem to be such easy targets, I'd have expected that someone who can keep a business going would be more careful with their money and a little more practical about sending such large amounts to strangers without any checking.

Often the business people get onto the sucker lists after a mail type scam involving contests involving the purchase of pens, keychains or other "promotional" items with the company name or logo on them. These are over priced and the prizes are junk or non-existent.

------------------------------

From: Paschos Mandravelis
Date: 11 May 95 10:52:35 +0300
Subject: Death Lists for Junk Mailers

Junk mail groups demand updates of death lists
(by Diane Summers Financial Times, International Edition, 5/10/95)

Direct marketing companies in UK (...) are lobbying the government for a change in the law which will allow them access to daily lists of deaths. (...)

According to Mr. Colin Lloyd Direct Marketing Association chief executive "a significant proportion of the 800.000-900.000 people who die each year must be on a database somewhere" (...)

A change in the law will be needed for the office of Population Censuses and Surveys, the body which holds the names and addresses of those who have died, to be allowed to give them to commercial organisations.

------------------------------

From: QBKY95A@prodigy.com (Charles Pinck)
Date: 11 May 1995 20:01:50 GMT
Subject: National Caller ID
Organization: Prodigy Services Company 1-800-PRODIGY

Two weeks ago, before the FCC announced its approval of national caller ID (which I presume will take some time to implement), I received a call in Washington, DC from a friend in San Francisco and her number appeared on my caller id unit. Has anyone else had a similar experience?
- CHARLES PINCK
  QBKY95A@prodigy.com

------------------------------

From: wtangel@cais.cais.com (Bill Angel)
Date: 13 May 1995 17:50:45 GMT
Subject: Re: Could What You Post be Used to Profile You?
Organization: Capital Area Internet Service info@cais.com 703-448-4470

Jeff Brown wrote:

    My company is downsizing, and someone from a Contract Programmer firm called me to solicit me to join them. So I guess they heard of the downsizing, and somehow got a list of employees, and perhaps of employees in Information Technology. I suspect the latter, but I don't know their information source.

I work for a technical services firm as a contract programmer, and these firms are continually soliciting their employees as to whether they know anyone who might be interested in going to work for them as programmer/analysts. This firm will even pay $500 to their employees if they provide them with a referral that leads to a new hire for the company. So it is quite possible that someone at your company who is actually an employee of a technical services firm who works at your site on a contract referred you to his own employer as a possible hire.

--
Bill Angel

------------------------------

From: starman@moa.com (Starman)
Date: 13 May 95 05:12:36 GMT
Subject: Nautilus foils wiretaps
Organization: Sonnet Networking - Stockton Modesto Sonora (800)664-1958

I was told today of a piece of software called "Nautilus". It is supposed to take the PGP idea into the voice communication arena. Whereas I give you a Public Key feed yours into Nautilus and then make a voice call using my modem. I have never heard of it and I was wondering if and how it works and or exists. It would have to run over digital lines in packet format, wouldn't it?

[moderator: This was taken from RISKS-LIST: Risks-Forum Digest Saturday 13 May 1995 Volume 17 : Issue 12
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G.
Neumann, moderator]

From: simsong@acm.org (Simson L. Garfinkel)
Date: 11 May 1995 15:43:02 -0400
Subject: Nautilus foils wiretaps

PC SOFTWARE FOILS WIRETAPS
5/10/95
By SIMSON L. GARFINKEL
Special to the Mercury News

As the U.S. Senate debates granting the Federal Bureau of Investigation new powers to wiretap personal communications, three West Coast computer programmers have planned their own preemptive strike: a free program, distributed on the Internet, that renders legal and illegal wiretaps useless.

The programmers, Bill Dorsey of Los Altos, Pat Mullarky of Bellevue, Wash., and Paul Rubin of Milpitas, plan to release today a program that turns ordinary IBM-compatible personal computers into an untappable secure telephone. It uses an encryption algorithm called ''triple-DES'' that is widely believed to be unbreakable.

''Electronic surveillance by the government is on the rise,'' says Dorsey, the group's lead programmer. ''There also exists an equally large threat from the private sector as well: industrial espionage. Foreign governments are interested in wiretapping and getting information out of our high-tech firms.''

Called Nautilus, the program is being released as an attack on the Clinton administration's national encryption standard, the Clipper chip. Civil rights groups have criticized the Clipper initiative, since the federal government holds a copy of every chip's master key and can use that key to decrypt -- or decode -- any Clipper-encrypted conversation. But since the keys used by Nautilus to encrypt conversations are created by users, the government does not have a copy.

A nod to Jules Verne

Nautilus has another advantage over Clipper: Whereas AT&T's Clipper-equipped Telephone Security Devices Model 3600 costs $1,100, Nautilus is a free program. ''You don't need any special expensive hardware for it. You just use ordinary PCs,'' says Rubin.
The name ''Nautilus'' was taken from Captain Nemo's submarine in the Jules Verne novel, ''20,000 Leagues Under the Sea.'' But whereas Nautilus the sub was used to sink Clipper ships, the programmers hope that their creation will sink Clipper chips.

To use Nautilus, both participants must have a copy of the program and an IBM PC-compatible computer equipped with a Sound Blaster card and a high-speed modem. The two participants must also agree upon a series of words called a ''pass phrase,'' which is used to encrypt the conversation.

Both participants run the program and type in the pass phrase; one person instructs their computer to place the telephone call, the other instructs their computer to answer. Once the call is in progress, either user must press a key on their computer in order to speak, similar to using a hand-held radio. But unlike walkie-talkies, the users can interrupt each other.

Could help criminals

Such innovations could lead to conversations that would be practically foolproof from eavesdropping, either by pranksters or the government. It could become invaluable in future years to financial institutions and other corporations involved in sensitive negotiations.

''It will certainly be beneficial to many citizens and many other users of it,'' says Jim Kallstrom, assistant director of the Federal Bureau of Investigation's New York field office. ''I suspect that it also will be beneficial, unfortunately, to criminals.

''I would hope the extremely enterprising and smart people that we have in this country would work toward solutions that would not only protect the communication of citizens . . . but would also allow the law enforcement objectives to be maintained.''

Rubin stressed that while Nautilus was a challenge to write, it ''isn't rocket science.'' Much of the program, in fact, was assembled from parts that already were available on the Internet, the worldwide network of computer networks.
It will even be easier to construct programs similar to Nautilus once Microsoft releases its computer telephony system for Windows 95.

''It will be impossible to keep a program like Nautilus out of the hands of people who want it,'' Rubin said.

Gene Spafford, a professor of computer science at Purdue University who is an expert on computer security, said: ''It will be interesting to see what reaction this provokes from the government.''

Nevertheless, Spafford said, in order for encryption to be widely adopted, it will have to be ''built into the phones.''

Dorsey said that anybody in the United States who has Internet access can download the program. For the instructions, use the Internet FTP command to connect to the computer FTP.CSN.ORG. Change to the ''mpj'' directory and retrieve the file called README. Use a text editor to read the README file, which contains some fairly complex instructions on how to get the actual Nautilus file.

This computer has been set up so that the program cannot be downloaded by people located outside the United States. ''I intend to follow all laws regarding the release of cryptography,'' he said.

------------------------------

From: "Prof. L. P. Levine"
Date: 29 Dec 1994 10:50:22 -0600 (CST)
Subject: Info on CPD [unchanged since 12/29/94]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium.
Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply.

If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using CPD material should obtain permission from the contributors.

Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the SUBJECT: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit or append to the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at gopher.cs.uwm.edu.

Mosaic users will find it at gopher://gopher.cs.uwm.edu.

Older archives are also held at ftp.pica.army.mil [129.139.160.133].

---------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of: Computer Privacy Digest
Professor of Computer Science     |    and comp.society.privacy
University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information: comp-privacy-request@uwm.edu
                                  | Gopher: gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Mosaic: gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V6 #045
******************************