Date: Fri, 23 Feb 96 16:49:56 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V8#017

Computer Privacy Digest    Fri, 23 Feb 96    Volume 8 : Issue: 017

Today's Topics:                         Moderator: Leonard P. Levine

    Re: Anonymous Remailers are a Virus Spreading Online
    Re: Anonymous Remailers are a Virus Spreading Online
    Re: Anonymous remailers are a virus spreading online!
    Re: Anonymous Remailers are a Virus Spreading Online
    Europe Data Protection Directive
    Re: Your Computer Is Watching You
    Trojan Horse Screensaver
    Re: Access to DMV Records by Rental Car Companies
    Strange Telemarketing Call
    Privacy Effects of CDA
    Caller ID: Ameritech -> MCI
    JavaScript in Netscape 2.0 Shouldn't Let Me Do This
    It's Time To Clarify The Bill of Rights
    Northwestern's EECS may be Censoring
    Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: roman@portal.stwing.upenn.edu (Roman Gollent)
Date: 21 Feb 1996 15:42:56 GMT
Subject: Re: Anonymous Remailers are a Virus Spreading Online
Organization: University of Pennsylvania
References:

wrote:

> One (too?) obvious defence is to use a remailer in another country. I greatly doubt if the US Govt. has subverted a remailer in, say, Finland. The Finnish Govt. might have something to say about that.

Please explain that to the admin of anon.penet.fi. If the Church of Scientology can bully admins of systems on foreign soil into giving out real names and addresses, what's to stop the US government from doing the same? While I have no doubt that the Church and its mobs of lawyers have a great deal of power, I'm still under the impression (perhaps mistaken) that the US government wields even more influence, especially on an international level. It hasn't happened yet, but it could.

--
This .sig is a fucking protest. Don't let the assholes in Congress get away with this abortion of Justice.
Feel free to duplicate, modify and redistribute this .sig, under the condition that the content remains "indecent". http://www.vtw.org

[moderator: I will leave this signature file in this time, but intend to censor gratuitous indecent material in the future. Not that I fear the government but it offends my personal taste.]

------------------------------

From: bruno@cerberus.csd.uwm.edu (Bruno Wolff III)
Date: 21 Feb 1996 18:43:48 GMT
Subject: Re: Anonymous Remailers are a Virus Spreading Online
Organization: University of Wisconsin - Milwaukee

Using multiple remailers is no guarantee of safety even if none of the machines is compromised. You can still do traffic analysis to connect anonymous messages to their senders. Delaying messages may help disguise where traffic is coming from to some extent, but if you send out anonymous messages that can be identified as being from the same person, you are giving people a lot of information to work with.

Using sites in other countries is no guarantee either. Governments often have incentives to cooperate on such matters. The particular example of Finland was interesting because one of the sites there was forced to turn over some records matching email addresses to anonymous id numbers (used for replies).

------------------------------

From: fyoung@oxford.net (F Young)
Date: 22 Feb 96 01:56:18 EST
Subject: Re: Anonymous remailers are a virus spreading online!

Stanton McCandlish said:

> Only if the message is encrypted - if not, any users who use a sting remailer as the first one in the chain are busted. This could hobble the use of remailers for any public postings in which anonymity is essential.

If the chained message is PGP encrypted in layers (single-recipients) for the individual remailers in the chain, the first remailer would only be able to decrypt the top layer, revealing another encrypted layer and a Request-Remailing-To: field pointing to another remailer.
If the message is a plain text one, then the last remailer will be able to see the message and the recipient. IMO, if the message is intended for a known person, then it should be PGP encrypted also, i.e. if it has to be so secret that it is sent through a chain of remailers.

------------------------------

From: arno@ira.uka.de (Arno Wagner)
Date: 23 Feb 1996 22:05:16 GMT
Subject: Re: Anonymous Remailers are a Virus Spreading Online
Organization: University of Karlsruhe, Germany
References:

Roy M. Silvernail (roy@sendai.cybrspc.mn.org) wrote:

> That's the reason behind chaining your message through several remailers. The first remailer in the chain knows your address, but not the ultimate destination of the traffic. A single uncompromised remailer in the chain will break the traceability of your message.

Unfortunately that is untrue. If the first and the last remailer cooperate, they can compare the messages routed and discover source and destination. If it was an anonymous news posting, the first remailer being corrupt is sufficient to compromise the sender, as this server could monitor all newsgroups and recognize messages routed by it. This scheme needn't use full messages for an initial compare and could store the full messages on a slow and cheap medium like DAT tapes.

--
Arno Wagner

------------------------------

From: Jacques Lemieux <72470.1055@CompuServe.COM>
Date: 23 Feb 1996 20:34:56 GMT
Subject: Europe Data Protection Directive
Organization: LSE

I am looking for any comment on the European Data Protection Directive. Any hints for me?

--
Thanks
J. Lemieux, 72470.1055@compuserve.com

------------------------------

From: "anonymous"
Date: 21 Feb 1996 20:25:18 GMT
Subject: Re: Your Computer Is Watching You
Organization: anonymous
References:

Please remove my id from this message.

> But many PC users may take a dim view of Netscape's failure to draw their attention to the fact that their behaviour may be tracked in this way.
> Moreover, there appears to be only one way to disable the facility: by manually amending or deleting the COOKIE.TXT file containing all the cookies.

fyoung@oxford.net (F Young) writes:

> Is that all? I'm not overlooking the potential privacy problem with this Netscape implementation, but someone can write a very simple script to do a DEL COOKIE.TXT say every time Netscape is loaded or unloaded. Would that solve the problem?

Since finding out about this I've deleted the cookies in the file and made the file read only (using DOS attrib). This allows the software to read an empty file. So far this technique is working.

------------------------------

From: taxhaven@ix.netcom.com (Adam Starchild)
Date: 22 Feb 1996 04:56:30 GMT
Subject: Trojan Horse Screensaver
Organization: Netcom

Taken from Information Week for February 19, 1996:

    Charge It? Not So Fast

    First Virtual Holdings has devised a PC application that masquerades as a screen saver but actually steals the user's credit-card number as it's typed into the computer. The purpose of this ruse, says Nathaniel Borenstein, chief scientist at First Virtual in San Diego, is to highlight vulnerabilities in online services that let folks make purchases over the Internet. First Virtual markets electronic commerce services and software that encrypts sensitive transactions that travel on the Internet and the World Wide Web. The First Virtual program is only one step away from being able to actually grab credit-card numbers and transmit them over the Net for nefarious purposes, one analyst says. "We thought only the National Security Agency could do this," said a government official after a recent demo. Which begs the question: Why would Uncle Sam want to do that?

--
Posted by Adam Starchild
Asset Protection & Becoming Judgement Proof at http://www.catalog.com/corner/taxhaven

------------------------------

From: PHILS@RELAY.RELAY.COM (Philip H. Smith III, (703) 506-0500)
Date: 22 Feb 96 07:26:50 EST
Subject: Re: Access to DMV Records by Rental Car Companies
References:

(Bernie Cosell) said:

> [and on the other hand, considering the nature of rental cars and the competition therein, I can't imagine that some rental car agency won't offer a deal like that [or just not check driving records at all] --- you may not be able to rent from Hertz and friends, but I'd guess that you'll still be able to get something from one of the small fry outfits...

Actually, while this might be true, I'd be surprised. The smaller outfits tend to be *more* restrictive due to liability issues (this is, of course, making the assumption that a bad driving record implies an increased chance of you doing something that will result in a lawsuit; I'm not prepared to debate or defend that, and would argue with it myself in some circumstances, but neither insurance companies nor car rental agencies are likely to dispute it). For example, Hertz has a (probably several) blanket policies such that if you refuse the extra coverage and run over a kindergarten class, and 20+ parents sue both you AND HERTZ (which they will!), there will be an insurance company involved on Hertz's behalf. Small companies, on the other hand, can't afford these policies (or at least not as large policies) and thus tend to require more in the way of proof of insurance from renters.

ObTrueStory: In August '95 I was in Orlando at a conference. Made reservation myself with National; travel agent (and friend) said she could perhaps do better, so I said fine, no problem. She called back and said she had an "off-airport" rental, was that OK? I said sure, I'll try it *this once* (having been advised against same in the past). To make a long story semi-short (leaving out the logistical problems with it being off-airport), I was in line behind a family at the alleged car rental agency. When it was their turn, the agent demanded proof of insurance.
They didn't have it with them, and were, um, not very happy to be refused the rental. I was feeling smug, as mine was in my wallet; imagine my surprise when *I* was refused the rental because my insurance card didn't specify that I carry comprehensive!!! The agent refused to call GEICO to answer his questions (interesting -- I could, of course, print myself a nice card saying I have a billion$ of liability and comp and so forth, but he wouldn't make a phone call to verify it), and kept saying "This isn't proof of insurance", despite the fact that it *is* (as verified by police a few months later when I was in a car accident). The denouement is that I (eventually) got back to the terminal, walked up to National, used my alt.reservation, and was in a car in 5 minutes (two hours after the flight landed, however).

Moral: never, never, never, never rent off-airport unless you (a) can't afford a real car rental agency (b) have lots of time and (c) have proof of lots of insurance.

It's also worth noting -- not directly relevant to this discussion, but wrt competition among car rental agencies -- that in 10+ years of fairly heavy travel, I've *never* been able to figure out what "competition" means in that business. Call 5 companies (say, Hertz, Avis, National, Alamo, Dollar) for the same reservation and get 5 *wildly* differing prices (by a factor of 2, sometimes!) -- with no consistency, i.e., Hertz is sometimes the highest, sometimes the lowest. But I digress.

--
phsiii

------------------------------

From: Mark.E.Anderson@att.com (Mark Anderson)
Date: 22 Feb 1996 13:26:24 -0600
Subject: Strange Telemarketing Call

The other day I received this very strange telemarketing call that I thought might interest this list. Unlike some people, for some reason I don't get too many of these calls. It could be because I'm somewhat careful about giving out personal information.
Anyway, this person calls asking me to participate in some market research and insists he didn't want to sell me anything. He claimed he wanted my 'ideas' about photography. This instantly set off a few alarms inside of me since I'm currently setting up a studio and have recently purchased a lot of photo equipment. I agreed to do the survey if he told me where he got my name from. He hemmed and hawed (sp?) and said "Kodak" in a way that indicated it was the only photo company he could think of.

So he transfers me to another person who will be my 'interviewer.' The interviewer then announces that in order for him not to have to take notes he wanted to record the conversation. I told him to take notes. He then started to get nasty and insisted that the conversation be recorded and that it would be totally "confidential." At that point I terminated the conversation since they seemed to be getting awfully legalistic for a lousy survey. Plus, they knew me and I wasn't quite sure whether they lied about their identity.

Has anyone else heard of a market research survey that had to be recorded? I've done telephone recordings for insurance depositions before but it seems odd to cold call someone and demand of them to be recorded.

--
Mark Anderson
mea@ihgp.att.com

------------------------------

From: arobson@case.cyberspace.com (Andrew Robson)
Date: 22 Feb 1996 13:38:04 -0800 (PST)
Subject: Privacy Effects of CDA

I have seen relatively little on the privacy impacts of the CDA which may be as important as the chilling effects on free speech. This was brought home when I read:

In RISKS DIGEST 17.74 padgett@tccslr.dnet.mmc.com (A. Padgett Peterson) wrote:

> Along the way we are going to need some sort of Internet "proof of age" - in the form of a cryptographic ID in which some agency verifies that the holder is of legal age in the state of residence.
> True, there will be screams from the rabid right but it is necessary, like a driver's license - you do not have to have one, but if you want to drive a car...

Indeed, if "adult" is not the default condition for network access, every access of questionable material will be traceable to the individual. There is no way to separate proof of age from one's identity. Collecting data on accesses to web sites is done now for marketing reasons; see the recent posting "Tracking Sales Leads on the Internet" in comp.society.privacy. If available, personal identification information would no doubt be retained for its value in correlating interests. Some issuers of the proof of age might promise to delete the linkage, but that would cease to be blind as soon as you took any action, such as buying something, that would tie the proof of age certificate to a name and address.

Andy

------------------------------

From: cbarnard@cs.uchicago.edu (Christopher L. Barnard)
Date: 23 Feb 1996 03:09:49 GMT
Subject: Caller ID: Ameritech -> MCI
Organization: Univ. of Chicago Computer Science Dept.

Just another data point for those interested in Caller ID interoperability. I phoned an 800 number from my private residence line (Ameritech) and preceded the call with *67. The 800 number was able to determine my phone number (this was an automated system I was calling). I phoned Ameritech, who identified the 1-800 number as belonging to MCI. I phoned MCI, and was bounced around for a while by a gaggle of operators who clearly didn't want to have to answer my tough questions. I finally got an operator who basically told me that it is never safe to assume that caller ID will work when crossing from one company to another. Yet another reason to never assume that caller ID blocking will actually block anything...

+-----------------------------------------------------------------------+
| Christopher L. Barnard         O      When I was a boy I was told that |
| cbarnard@cs.uchicago.edu      / \     anybody could become president.  |
| (312) 702-8850               O---O    Now I'm beginning to believe it. |
| http://www.cs.uchicago.edu/~cbarnard                --Clarence Darrow |
|                Cyber Rights Now: Accept No Compromise.                |
+----------PGP public key available via finger or PGP keyserver---------+

------------------------------

From: Ethan Munson
Date: 22 Feb 1996 21:27:57 -0600
Subject: JavaScript in Netscape 2.0 Shouldn't Let Me Do This

Here's a pointer to a description of yet-another hole in WWW security.

--- Forwarded Message

From: Tom Phelps
Date: 22 Feb 1996 16:08:35 -0800
To: net.cool@ginsberg.CS.Berkeley.EDU
Subject: JavaScript in Netscape 2.0 shouldn't let me do this, but it does

John Robert LoVerso, OSF Research Institute

After you've visited one of my pages, any of my JavaScript ought to get scrubbed out of your browser's memory. You wouldn't want that code to live on, snooping, spying, or stealing?

This is a simple example where I engage some JavaScript that runs in a (mostly) hidden window. This window persists, and hence, the JavaScript I wrote persists. From then on, it wakes up every second and sees what page you are viewing. If you've changed pages, it reports where you now are back to me via a CGI, which saves information like this:

(The rest at http://www.osf.org/~loverso/javascript/track-me.html)

-- End of Forwarded Message

------------------------------

From: jwarren@well.com (Jim Warren)
Date: 21 Feb 1996 15:20:34 -0800
Subject: It's Time To Clarify The Bill of Rights

As I have gotten older, I have become increasingly loath to invest time or energy in action unless it can have lasting or binding impact. This can!

After the 1994 Democratic Congress mandated a pervasive half-billion-dollar national wiretap system, many of us helplessly howled. After the 1996 Republican Congress enacted the Communications "Decency" Act, we howled again.
Some government enforcers are zealously urging prohibitions against secure personal privacy protection in the form of uncrackable cryptography. Others oppose anonymous electronic communication and publishing, even though everyone from corporate and government whistle-blowers to the still-unknown authors of the Federalist Papers have found just cause to publish anonymously. Other threats to our nation's traditional freedoms have already been proposed, under the excuse that they involve modern communications and information technologies.

More of the nation's press have finally even begun to show some concern. And, responding to the vague censorship mandates of the Communications Decency Act, Senator Patrick Leahy has proposed "anti-decency" legislation to "fix" it.

We need more than this small "fix."

THE TIME IS NOW RIPE for us to urge him and other liberal and conservative legislators who *do* believe in a strong Bill of Rights (even in modern times) to introduce a bill that is much more appropriate -- for today and tomorrow -- and one that is much more politically defensible.

With impressive foresight, it was first proposed in 1991 by Harvard Law School's Professor Laurence Tribe, who has repeatedly been mentioned as a possible Supreme Court nominee. For the first time in his entire career as an internationally-renowned Constitutional scholar, he proposed a constitutional amendment:

    "This Constitution's protections for the freedoms of speech, press, petition, and assembly, and its protections against unreasonable searches and seizures and the deprivation of life, liberty or property without due process of law shall be construed as fully applicable without regard to the technological method or medium through which information content is generated, stored, altered, transmitted or controlled."

Professor Tribe proposed that this be our 27th Amendment on 3/26/91, during his keynote address at the First Conference on Computers, Freedom & Privacy, in Burlingame CA.
It was published in the conference's proceedings (now out of print) and in The Humanist, Sep/Oct '91, pp. 15-20, 39.

Let us -- as individuals and through our organizations, liberal and conservative -- NOW urge our federal legislators, our congressional candidates and our presidential candidates to *promptly* introduce and pass this as a constitutional amendment, for which the need is becoming increasingly clear.

Contact your Senators, Representatives and President -- and those candidates who hope to be. Contact the leaders in your professional, civic and political organizations that might give a damn about the Bill of Rights ... even in the 21st Century.

--
Jim Warren, GovAccess list-owner/editor (jwarren@well.com)
Advocate & columnist, MicroTimes, Government Technology, BoardWatch, etc.
345 Swett Rd., Woodside CA 94062; voice/415-851-7075; fax/<# upon request>

[puffery: Dvorak Lifetime Achievement Award (1995); James Madison Freedom-of-Information Award, Soc. of Professional Journalists - Nor.Cal. (1994); Hugh Hefner First-Amendment Award, Playboy Foundation (1994); Pioneer Award, Electronic Frontier Foundation (its first year, 1992); founded the Computers, Freedom & Privacy confs, InfoWorld; blah blah blah :-).]

Apologies for the spam. It *does* seem important. Please recirculate freely.

------------------------------

From: "Prof. L. P. Levine"
Date: 23 Feb 1996 12:45:30 -0600 (CST)
Subject: Northwestern's EECS may be Censoring
Organization: University of Wisconsin-Milwaukee

I saw this on the fight censorship mailing list:

From: Cecelia A Clancy
Date: 21 Feb 1996 21:27:18 -0500 (EST)
Subject: Northwestern's EECS may be censoring

Some time ago, I noticed that an ominous notice suddenly started popping up whenever I fingered anybody with an account on the Northwestern (NU) Electrical Engineering and Computer Science (EECS) host of eecs.nwu.edu. It does not matter who in EECS you finger, you get the same message.
Since we have been discussing Zündel, I'll show you the finger of a NU Revisionist who happens to be in EECS:

===================================================================
[delta.eecs.nwu.edu]

This system is for the use of authorized users only. Individuals using this computer system without authority or in the excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. In the course of monitoring individuals improperly using this system or in the course of system maintenance, the activities of authorized user may also be monitored. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of illegal activity or violation of University regulations system personnel may provide the evidence of such monitoring to University authorities and/or law enforcement officials.

Login name: butz                        In real life: Arthur R. Butz
Directory: /homes/butz                  Shell: /bin/tcsh
Last login Wed Feb 21 09:00 on zoobear from zoobear.eecs.nwu
No unread mail
No Plan.
====================================================================

Finger Butz at his general NU account, and you don't get this:

=====================================================================
[casbah.acns.nwu.edu]
Login name: abutz                       In real life: Arthur Butz
Work phone:
Directory: /home/u3/abutz               Shell: /usr/bin/csh
Never logged in.
No Plan.
=====================================================================

And merle.acns.nwu.edu gets:

=====================================================================
[merle.acns.nwu.edu]
Login name: pokey                       In real life: Alex Oh
Directory: /home/u4/pokey               Shell: /bin/csh
On since Feb 20 17:12:45 on ttyr5 from jon107102.res-ha
3 hours 32 minutes Idle Time
Project: Goo goo gah gah goo gee geh....goo hoo jah gah jah geh goo? Geeee! =]
Plan:
"For God so loved the world that he gave his one and only Son, that whoever believes in him shall not perish but have eternal life. For God did not send his Son into the world to condemn the world, but to save the world through him. Whoever believes in him is not condemned, but whoever does not believe stands condemned already because he has not believed in the name of God's one and only Son. This is the verdict: Light has come into the world, but men loved darkness instead of light because their deeds were evil. Everyone who does evil hates the light, and will not come into the light for fear that his deeds will be exposed. But whoever lives by the truth comes into the light, so that it may be seen plainly that what he has done has been done through God." (John 3:16-21 NIV)

NOTE: My computer terminal is fused to the network, so if I do not respond to your talk requests, it is not because you are an ugly, self-righteous, stinking, immoral pagan with no purpose or direction in life, but simply because I am either asleep, eating, or at the loo...
========================================================================

--
Cecelia Clancy
University of Pittsburgh

------------------------------

From: "Prof. L. P. Levine"
Date: 30 Jan 1996 18:45:30 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium.
Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply.

If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using CPD material should obtain permission from the contributors.

Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the Subject: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy". People with gopher capability can most easily access the library at gopher.cs.uwm.edu. Web browsers will find it at gopher://gopher.cs.uwm.edu.

---------------------------------+------------------------------------------
Leonard P. Levine                | Moderator of:     Computer Privacy Digest
Professor of Computer Science    |                  and comp.society.privacy
University of Wisconsin-Milwaukee| Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201      | Information: comp-privacy-request@uwm.edu
                                 | Gopher:                 gopher.cs.uwm.edu
levine@cs.uwm.edu                | Web:           gopher://gopher.cs.uwm.edu
---------------------------------+------------------------------------------

------------------------------

End of Computer Privacy Digest V8 #017
******************************
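The layered chaining F Young describes in the remailer thread above (one PGP layer per remailer, each carrying its own Request-Remailing-To: field), worked through as an added example; this is not code from the digest or from any real remailer. It also records what each hop observes, which is the point behind Bruno Wolff's and Arno Wagner's caveat that the first hop learns the sender and the last hop the destination, and shows why the final payload should itself be encrypted to the recipient. The XOR cipher, the JSON layer format and the hop names and keys are stand-ins of my own, not PGP or any remailer's real syntax.

```python
"""Layered remailer chaining: one encryption layer per hop.

Each remailer holds a key; the sender wraps the message once per hop
(innermost layer first), so a hop can peel only its own layer and learn
the next address.  The XOR "cipher" stands in for PGP and is NOT secure.
"""
import hashlib
import json


def _keystream(key: bytes, length: int) -> bytes:
    """Hash-derived keystream; deterministic, so encrypt == decrypt."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream. Assumption: a stand-in for PGP, structure only."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


toy_decrypt = toy_encrypt  # XOR is its own inverse


def build_chain(hops: list, recipient: str, payload: bytes) -> bytes:
    """Return the blob the sender hands to the first remailer.

    hops: [(remailer_name, remailer_key), ...] in travel order.  The innermost
    layer tells the last remailer to deliver `payload` to `recipient`; each
    outer layer tells hop i to forward to hop i+1 (JSON is my stand-in format).
    """
    blob, next_hop = payload, recipient
    for name, key in reversed(hops):
        layer = {"Request-Remailing-To": next_hop, "body": blob.hex()}
        blob = toy_encrypt(key, json.dumps(layer).encode())
        next_hop = name
    return blob


def remailer_process(key: bytes, blob: bytes):
    """One remailer's job: peel its layer, read where to forward the rest."""
    layer = json.loads(toy_decrypt(key, blob).decode())
    return layer["Request-Remailing-To"], bytes.fromhex(layer["body"])


def run_chain(sender: str, hops: list, blob: bytes) -> list:
    """Deliver through the chain, recording what each hop observes."""
    views, prev = [], sender
    for name, key in hops:
        next_hop, body = remailer_process(key, blob)
        views.append({"hop": name, "from": prev, "to": next_hop, "body": body})
        prev, blob = name, body
    return views


def no_single_hop_links_both(views: list, sender: str, recipient: str) -> bool:
    """True when no one remailer saw both the sender and the final recipient."""
    return not any(v["from"] == sender and v["to"] == recipient for v in views)


# Constructed sample: three remailers, sender alice, recipient bob.
HOPS = [("remailer-1", b"key-1"), ("remailer-2", b"key-2"), ("remailer-3", b"key-3")]
BOB_KEY = b"bob-key"
MESSAGE = b"meet at noon"


def plain_final_hop_view() -> dict:
    """Plain-text payload: the last remailer reads message and recipient."""
    return run_chain("alice", HOPS, build_chain(HOPS, "bob", MESSAGE))[-1]


def e2e_final_hop_view() -> dict:
    """Payload first encrypted to bob: the last hop sees only ciphertext."""
    blob = build_chain(HOPS, "bob", toy_encrypt(BOB_KEY, MESSAGE))
    return run_chain("alice", HOPS, blob)[-1]


if __name__ == "__main__":
    for v in run_chain("alice", HOPS, build_chain(HOPS, "bob", MESSAGE)):
        print(f'{v["hop"]}: from {v["from"]} -> to {v["to"]}')
    print("last hop reads plaintext:", plain_final_hop_view()["body"] == MESSAGE)
    print("last hop reads plaintext (e2e):", e2e_final_hop_view()["body"] == MESSAGE)
```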