Date: Thu, 24 Aug 95 19:12:08 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@uwm.edu Subject: Computer Privacy Digest V7#016 Computer Privacy Digest Thu, 24 Aug 95 Volume 7 : Issue: 016 Today's Topics: Moderator: Leonard P. Levine Health Privacy Bibliography [long] Security Mailing Lists [very long] Info on CPD [unchanged since 08/01/95] ---------------------------------------------------------------------- From: Robert Gellman Date: 23 Aug 1995 18:36:31 -0400 (EDT) Subject: Health Privacy Bibliography [long] I recently prepared a short bibliography on health privacy, and I thought that someone might find it useful. + + + + + + + + + + + + + + + + + + + + + + + + + + Robert Gellman rgellman@cais.com + + Privacy and Information Policy Consultant + + 431 Fifth Street S.E. + + Washington, DC 20003 + + 202-543-7923 (phone) 202-547-8287 (fax) + + + + + + + + + + + + + + + + + + + + + + + + + + Health Confidentiality Bibliography Prepared by Robert Gellman August 23, 1995 rgellman@cais.com Supreme Court Cases United States v. Miller, 425 U.S. 435 (1976). Whalen v. Roe, 429 U.S. 589 (1977). Reporters Committee for Freedom of the Press v. Department of Justice, 489 U.S. 749 (1989). U.S. Department of Defense v. F.L.R.A., 114 S. Ct. 1006 (1994). Congressional Materials Privacy of Medical Records, Hearings before a Subcomm. of the House Comm. on Government Operations, 96th Cong., 1st Sess. (1979). Legislation to Protect the Privacy of Medical Records, Hearings before the Senate Committee on Governmental Affairs, 96th Cong. 1st Sess. (1979). House Committee on Government Operations, Federal Privacy of Medical Information Act, H.R. Rep. No 96-832 Part 1, 96th Cong., 2d Sess. (1980). Data Protection, Computers, and Changing Information Practices, Hearing before the Subcomm. on Government Information, Justice, and Agriculture, House Comm. on Government Operations, 101st Cong., 2d Sess. (1990). Health Reform, Health Records, Computers and Confidentiality, Hearing before the Information, Justice, Transportation, and Agriculture Subcomm. of the House Committee on Government Operations, 103rd Cong., 1st Sess. (1993). Fair Health Information Practices Act of 1994, Hearings before the Information, Justice, Transportation, and Agriculture Subcomm. of the House Committee on Government Operations, 103rd Cong., 2d Sess. (1994). House Committee on Government Operations, Health Security Act, H.R. Rep. No 103-601 Part 5, 103rd Cong., 2d Sess. (1994). Regulations Confidentiality of Alcohol and Drug Abuse Patient Records, 42 CFR Part 2, 52 Federal Register 21796 (1987). Protection of Human Subjects, 45 CFR Part 46 (1994). Books, Articles, and Studies Department of Health Education, & Welfare, Secretary's Advisory Committee on Automated Personal Data Systems, Records, Computers, and the Rights of Citizens (1973). Alan F. Westin, Computers, Health Records, and Citizen's Rights (U.S. Department of Commerce) (1976). Privacy Protection Study Commission, Personal Privacy in an Information Society (1977). Robert Gellman, Prescribing Privacy: The Uncertain Role of the Physician in the Protection of Patient Privacy, 62 North Carolina Law Review 255 (1984). National Conference of Commissioners on Uniform State Laws, Uniform Health Care Information Act 9 (Part I) U.L.A. 475 (1985 & Supp. 1994). David Flaherty, Protecting Privacy in Surveillance Societies (1989). Institute of Medicine, The Computer-Based Patient Record (1991). Colin J. Bennett, Regulating Privacy: Data Protection and Public Policy in Europe and the United States (1992). Jeffrey Rothfeder, Privacy For Sale (1992). Workgroup for Electronic Data Interchange, Report to Secretary of U.S. Department of Health and Human Services (1992). Robert Gellman, Fragmented, Incomplete, and Discontinuous: The Failure of Federal Privacy Regulatory Proposals and Institutions, VI Software Law Journal 199 (1993). Office of Technology Assessment, Protecting Privacy in Computerized Medical Information (1993). Louis Harris & Associates, Health Information Privacy Survey 1993 (1993). Institute of Medicine, Health Data in the Information Age: Use, Disclosure, and Privacy (1994). H. Jeff Smith, Managing Privacy: Information Technology and Corporate America (1994). Robert Gellman, Fair Health Information Practices, 4 Behavioral Healthcare Tomorrow 65 (1995). George Annas et al, The Genetic Privacy Act and Commentary (1995). Paul Schwartz, The Protection of Privacy in Health Care Reform, 48 Vanderbilt Law Review 295 (1995). Priscilla Regan, Legislating Privacy: Technology, Social Values, and Public Policy (1995). International Materials Royal Commission of Inquiry into the Confidentiality of Health Records in Ontario (Canada), Report of the Commission of Inquiry into the Confidentiality of Health Information (1980) (3 vols.). Organization for Economic Cooperation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1981). Council of Europe, Convention for the Protection of Individuals With Regard to Automatic Processing of Personal Data (1981). Privacy Commissioner of Canada, AIDS and the Privacy Act (1989). Privacy Commissioner of Canada, Genetic Testing and Privacy (1992). Note: This is not intended to be a complete bibliography, but it identifies many basic medical confidentiality documents and some related privacy materials. For a comprehensive bibliography that focuses broadly on the ethical, legal and social implications of the Human Genome Project, see Michael Yesley, ELSI Bibliography (1993) (U.S. Department of Energy). ------------------------------ From: Christopher Klaus Date: 24 Aug 1995 17:50:37 +1494730 (PDT) Subject: Security Mailing Lists [very long] This was put together to hopefully promote greater awareness of the security lists that already exist. Most security mailing lists have been only announced once and it was only word of mouth that it would acquire new members. This list should hopefully make the membership grow for each mailing list. If you know of any mailing lists that have been skipped, please e-mail cklaus@iss.net with the info. The newest updates for this will be on http://iss.net/. This web site also contains info for the following security issues: Vendor security contacts Security Patches What to do if you are compromised Set up Anon ftp securely Sniffers attacks and solutions Security Mailing Lists The following FAQ is a comprehensive list of security mailing lists. These security mailing lists are important tools to network administrators, network security officers, security consultants, and anyone who needs to keep abreast of the most current security information available. General Security Lists * 8lgm (Eight Little Green Men) * Academic-Firewalls * Best of Security * Bugtraq * Computer Privacy Digest (CPD) * Computer Underground Digest (CuD) * Cypherpunks * Cypherpunks-Announce * Firewalls * Intruder Detection Systems * Phrack * PRIVACY Forum * Risks * Sneakers * Virus * Virus Alert Security Products * Tiger * TIS Firewallk Toolkit Vendors and Organizations * CERT * CIAC * HP * Sun ------------------------------------------------------------------------------- 8lgm (Eight Little Green Men) To join, send e-mail to majordomo@8lgm.org and, in the text of your message (not the subject line), write: subscribe 8lgm-list Group of hackers that periodically post exploit scripts for various Unix bugs. ------------------------------------------------------------------------------- Academic Firewalls To join, send e-mail to majordomo@net.tamu.edu and, in the text of your message (not the subject line), write: SUBSCRIBE Academic-Firewalls This is an unmoderated list maintained by Texas A&M University. Its purpose is to promote the discussion and use of firewalls and other security tools in an academic environment. It is complementary to the Firewalls list maintained by Brent Chapman (send subscription requests to Majordomo@GreatCircle.COM) which deals primarily with firewall issues in a commercial environment. Academic environments have different political structures, ethical issues, expectations of privacy and expectations of access. Many documented incidents of cracker intrusions have either originated at or passed through academic institutions. The security at most universities is notoriously lax or even in some cases completely absent. Most institutions don't use firewalls because they either don't care about their institution's security, they feel firewalls are not appropriate or practical, or they don't know the extent to which they are under attack from the Internet. At Texas A&M University we have been using a combination of a flexible packet filter, intrusion detection tools, and Unix security audit utilities for almost two years. We have found that simple firewalls combined with other tools are feasible in an academic environment. Hopefully the discussion on this list will begin to raise the awareness of other institutions also. ------------------------------------------------------------------------------- Best of Security To join, send e-mail to best-of-security-request@suburbia.net with the following in the body of the message: subscribe best-of-security REASONS FOR INCEPTION In order to compile the average security administrator it was found that the compiler had to parse a foreboding number of exceptionally noisy and semantically-content-free data sets. This led to exceptionally high load averages and a dramatic increase in core entropy. Further, the number, names and locations of this data appears to change on an almost daily basis; requiring tedious version control on the part of the mental maintainer. Best-of-Security is at present an un-moderated list. That may sound strange given our stated purpose of massive entropy reduction; but because best often equates with "vital" and the moderator doesn't have an MDA habit it is important that material sent to this list be delivered to its subscribers' in as minimal period of time as is (in)humanly possible. If you find *any* information from *any* source (including other mailinglists, newsgroups, conference notes, papers, etc) that fits into one of the acceptable categories described at the end of this document then you should *immediately* send it to "best-of-security@suburbia.net". Do not try and predict whether or not someone else will send the item in question to the list in the immediate future. Unless your on a time-delayed mail vector such as polled uucp or the item has already appeared on best-of-security, mail the info to the list! Even if it is a widely deployed peice of information such as a CERT advisory the proceeding argument still applies. If the information hasn't appeared on this list yet, then SEND IT. It is far better to run the risk of minor duplication in exchange for having the information out where it is needed than act conservatively about occasional doubling up on content. ------------------------------------------------------------------------------- Bugtraq To join, send e-mail to LISTSERV@NETSPACE.ORG and, in the text of your message (not the subject line), write: SUBSCRIBE BUGTRAQ This list is for *detailed* discussion of UNIX security holes: what they are, how to exploit, and what to do to fix them. This list is not intended to be about cracking systems or exploiting their vunerabilities. It is about defining, recognizing, and preventing use of security holes and risks. Please refrain from posting one-line messages or messages that do not contain any substance that can relate to this list`s charter. Please follow the below guidelines on what kind of information should be posted to the Bugtraq list: * Information on Unix related security holes/backdoors (past and present) * Exploit programs, scripts or detailed processes about the above * Patches, workarounds, fixes * Announcements, advisories or warnings * Ideas, future plans or current works dealing with Unix security * Information material regarding vendor contacts and procedures * Individual experiences in dealing with above vendors or security organizations * Incident advisories or informational reporting ------------------------------------------------------------------------------- Computer Privacy Digest To join, send e-mail to comp-privacy-request@uwm.edu and, in the text of your message (not the subject line), write: subscribe cpd The Computer PRIVACY Digest (CPD) (formerly the Telecom Privacy digest) is run by Leonard P. Levine. It is gatewayed to the USENET newsgroup comp.society.privacy. It is a relatively open (i.e., less tightly moderated) forum, and was established to provide a forum for discussion on the effect of technology on privacy. All too often technology is way ahead of the law and society as it presents us with new devices and applications. Technology can enhance and detract from privacy. ------------------------------------------------------------------------------- Computer Underground Digest To join, send e-mail to LISTSERV@VMD.CSO.UIUC.EDU and, in the text of your message (not the subject line), write: SUB CUDIGEST CuD is available as a Usenet newsgroup: comp.society.cu-digest Covers many issues of the computer underground. ------------------------------------------------------------------------------- Cypherpunks To join, send e-mail to majordomo@toad.com and, in the text of your message (not the subject line), write: SUBSCRIBE cypherpunks The cypherpunks list is a forum for discussing personal defenses for privacy in the digital domain. It is a high volume mailing list. ------------------------------------------------------------------------------- Cypherpunks Announce To join, send e-mail to majordomo@toad.com and, in the text of your message (not the subject line), write: SUBSCRIBE cypherpunks-announce There is an announcements list which is moderated and has low volume. Announcements for physical cypherpunks meetings, new software and important developments will be posted there. ------------------------------------------------------------------------------- Firewalls To join, send e-mail to majordomo@greatcircle.com and, in the text of your message (not the subject line), write: SUBSCRIBE firewalls Useful information regarding firewalls and how to implement them for security. This list is for discussions of Internet "firewall" security systems and related issues. It is an outgrowth of the Firewalls BOF session at the Third UNIX Security Symposium in Baltimore on September 15, 1992. ------------------------------------------------------------------------------- Intrusion Detection Systems To join, send e-mail to majordomo@uow.edu.au with the following in the body of the message: subscribe ids The list is a forum for discussions on topics related to development of intrusion detection systems. Possible topics include: * techniques used to detect intruders in computer systems and computer networks * audit collection/filtering * subject profiling * knowledge based expert systems * fuzzy logic systems * neural networks * methods used by intruders (known intrusion scenarios) * cert advisories * scripts and tools used by hackers * computer system policies * universal intrusion detection system ------------------------------------------------------------------------------- Phrack To join, send e-mail to phrack@well.com and, in the text of your message (not the subject line), write: SUBSCRIBE Phrack Phrack is a Hacker Magazine which deals with phreaking and hacking. ------------------------------------------------------------------------------- PRIVACY Forum To join, send e-mail to privacy-request@vortex.com and, in the text of your message (not the subject line), write: information privacy The PRIVACY Forum is run by Lauren Weinstein. He manages it as a rather selectively moderated digest, somewhat akin to RISKS; it spans the full range of both technological and non-technological privacy-related issues (with an emphasis on the former). ------------------------------------------------------------------------------- Risks To join, send e-mail to risks-request@csl.sri.com and, in the text of your message (not the subject line), write: SUBSCRIBE Risks is a digest that describes many of the technological risks that happen in today's environment. ------------------------------------------------------------------------------- Sneakers To join, send e-mail to majordomo@CS.YALE.EDU and, in the text of your message (not the subject line), write: SUBSCRIBE Sneakers The Sneakers mailing list is for discussion of LEGAL evaluations and experiments in testing various Internet "firewalls" and other TCP/IP network security products. * Vendors are welcome to post challenges to the Internet network security community * Internet users are welcome to post anecdotal experiences regarding (legally) testing the defenses of firewall and security products. * "Above board" organized and/or loosely organized wide area tiger teams (WATTs) can share information, report on their progress or eventual success here. There is a WWW page with instructions on un/subscribing as well as posting, and where notices and pointers to resources (especially if I set up an archive of this list) may be put up from time to time: http://www.cs.yale.edu/HTML/YALE/CS/HyPlans/long-morrow/sneakers.html ------------------------------------------------------------------------------- Virus To join, send e-mail to LISTSERV@lehigh.edu and, in the text of your message (not the subject line), write: SUBSCRIBE virus-l your-name It is an electronic mail discussion forum for sharing information and ideas about computer viruses, which is also distributed via the Usenet Netnews as comp.virus. Discussions should include (but not necessarily be limited to): current events (virus sightings), virus prevention (practical and theoretical), and virus related questions/answers. The list is moderated and digested. That means that any message coming in gets sent to me, the editor. I read through the messages and make sure that they adhere to the guidelines of the list (see below) and add them to the next digest. Weekly logs of digests are kept by the LISTSERV (see below for details on how to get them). For those interested in statistics, VIRUS-L is now up to about 2400 direct subscribers. Of those, approximately 10% are local redistribution accounts with an unknown number of readers. In addition, approximately 30,000-40,000 readers read comp.virus on the USENET. ------------------------------------------------------------------------------- Virus Alert To join, send e-mail to LISTSERV@lehigh.edu and, in the text of your message (not the subject line), write: SUBSCRIBE valert-l your-name What is VALERT-L? It is an electronic mail discussion forum for sharing urgent virus warnings among other computer users. Postings to VALERT-L are strictly limited to warnings about viruses (e.g., "We here at University/Company X just got hit by virus Y - what should we do?"). Followups to messages on VALERT-L should be done either by private e-mail or to VIRUS-L, a moderated, digested, virus discussion forum also available on this LISTSERV, LISTSERV@LEHIGH.EDU. Note that any message sent to VALERT-L will be cross-posted in the next VIRUS-L digest. To preserve the timely nature of such warnings and announcements, the list is moderated on demand (see posting instructions below for more information). What VALERT-L is *not*? A place to to anything other than announce virus infections or warn people about particular computer viruses (symptoms, type of machine which is vulnerable, etc.). ------------------------------------------------------------------------------- Security Products ------------------------------------------------------------------------------- Tiger To join, send e-mail to majordomo@net.tamu.edu and, in the text of your message (not the subject line), write: SUBSCRIBE tiger Discussion list for the UNIX security audit tool TIGER This is the TIGER users mailling list. It is for: 1. Update announcements 2. Reporting bugs in TIGER. 3. Discussing new features for TIGER. 4. Discussing use of TIGER. 5. Discussing anything else about TIGER. What is TIGER? TIGER is a set of shell scripts, C code and configuration files which are used to perform a security audit on UNIX systems. The goals for TIGER are to make it very robust and easy to use. TIGER was originally developed for checking hosts at Texas A&M University following a break in in the Fall of 1992. The latest version of TIGER is always available from the directory net.tamu.edu:/pub/security/TAMU. In addition, updated digital signature files for new platforms and new security patches will be maintained in the directory: net.tamu.edu:/pub/security/TAMU/tiger-sigs. ------------------------------------------------------------------------------- TIS Firewall Toolkit To join, send e-mail to fwall-users-request@tis.com and, in the text of your message (not the subject line), write: SUBSCRIBE Discussion list for the TIS firewall toolkit ------------------------------------------------------------------------------- Vendors and Organizations ------------------------------------------------------------------------------- CERT (Computer Emergency Response Team) Advisory mailing list. To join, send e-mail to cert@cert.org and, in the text of your message (not the subject line), write: I want to be on your mailing list. Past advisories and other information related to computer security are available for anonymous FTP from cert.org (192.88.209.5). ------------------------------------------------------------------------------- The CIAC (Computer Incident Advisory Capability) of DoE CIAC has several self-subscribing mailing lists for electronic publications: 1. CIAC-BULLETIN for Advisories, highest priority - time critical information and Bulletins, important computer security information; 2. CIAC-NOTES for Notes, a collection of computer security articles; 3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI) software updates, new features, distribution and availability; 4. SPI-NOTES, for discussion of problems and solutions regarding the use of SPI products. To join, send e-mail to ciac-listproc@llnl.gov and, in the text of your message (not the subject line), write any of the following examples: subscribe ciac-bulletin LastName, FirstName PhoneNumber subscribe ciac-notes LastName, FirstName PhoneNumber subscribe spi-announce LastName, FirstName PhoneNumber subscribe spi-notes LastName, FirstName PhoneNumber e.g., subscribe ciac-notes O'Hara, Scarlett 404-555-1212 You will receive an acknowledgment containing address, initial PIN, and information on how to change either of them, cancel your subscription, or get help. ------------------------------------------------------------------------------- HP, Hewlett Packard To join, send e-mail to support@support.mayfield.hp.com and, in the text of your message (not the subject line), write: subscribe security_info The latest digest of new HP Security Bulletins will be distributed directly to your mailbox on a routine basis. ------------------------------------------------------------------------------- Sun Security Alert To join, send e-mail to security-alert@sun.com and, in the subject of your message write: SUBSCRIBE CWS your-email-addr The message body should contain affiliation and contact information. ------------------------------------------------------------------------------- Copyright This paper is Copyright (c) 1995 by Christopher Klaus of Internet Security Systems, Inc. Permission is hereby granted to give away free copies electronically. You may distribute, transfer, or spread this paper electronically. You may not pretend that you wrote it. This copyright notice must be maintained in any copy made. If you wish to reprint the whole or any part of this paper in any other medium excluding electronic medium, please ask the author for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. Address of Author Please send suggestions, updates, and comments to: Christopher Klaus of Internet Security Systems, Inc. Internet Security Systems, Inc. Internet Security Systems, Inc, located in Atlanta, Ga., specializes in the developement of security scanning software tools. Its flagship product, Internet Scanner, is software that learns an organization's network and probes every device on that network for security holes. It is the most comprehensive "attack simulator" available, checking for over 100 security vulnerabilities. -- Christopher William Klaus Voice: (770)441-2531. Fax: (770)441-2431 Internet Security Systems, Inc. "Internet Scanner lets you find 2000 Miller Court West, Norcross, GA 30071 your network security holes Web: http://iss.net/ Email: cklaus@iss.net before the hackers do." ------------------------------ From: "Prof. L. P. Levine" Date: 11 Aug 1995 09:39:43 -0500 (CDT) Subject: Info on CPD [unchanged since 08/01/95] Organization: University of Wisconsin-Milwaukee The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply. If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below. On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing. Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors. Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the SUBJECT: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit or append to the text except for purely technical reasons. A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy". People with gopher capability can most easily access the library at gopher.cs.uwm.edu. Mosaic users will find it at gopher://gopher.cs.uwm.edu. ---------------------------------+----------------------------------------- Leonard P. Levine | Moderator of: Computer Privacy Digest Professor of Computer Science | and comp.society.privacy University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu | Gopher: gopher.cs.uwm.edu levine@cs.uwm.edu | Mosaic: gopher://gopher.cs.uwm.edu ---------------------------------+----------------------------------------- ------------------------------ End of Computer Privacy Digest V7 #016 ****************************** .