Date: Mon, 15 Apr 96 06:24:36 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V8#032

Computer Privacy Digest Mon, 15 Apr 96 Volume 8 : Issue: 032

Today's Topics: Moderator: Leonard P. Levine

Re: Robert Arkow vs CompuServe and CompuServe Visa
Re: USENET Reposters: Privacy and Copyright Concerns
Re: USENET Reposters: Privacy and Copyright Concerns
Re: USENET Reposters: Privacy and Copyright Concerns
Re: USENET Reposters: Privacy and Copyright Concerns
Re: Copyright of Usenet Articles
Re: Copyright of Usenet Articles
Re: Caller ID in California
Re: Increasingly Intrusive Capability
Deja News
JAVA
Re: White Pages on the Net
Re: White Pages on the Net
Recent Primenet Spam
Conferences/Events of Interest
FAQ on Where to get PGP
Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: prvtctzn@aol.com (Prvt Ctzn)
Date: 12 Apr 1996 00:02:28 -0400
Subject: Re: Robert Arkow vs CompuServe and CompuServe Visa
Organization: America Online, Inc. (1-800-827-6364)
References:

I am looking for information on Robert Arkow and his lawsuit against CompuServe and CompuServe Visa. The information I have to date is that the lawsuit was filed, however I need to know what the outcome was or if it is still pending. Do you have such information, and if so, could you please let me know where I can find it?

As a member of Private Citizen, Inc. Robert Arkow has, to date, collected over $8,000 from organizations as a result of telemarketing related issues. The matter concerning Compuserve that you are inquiring about is no longer pending. Mr. Arkow's e-mail address is rarkow@themall.net

--
Robert Bulmash
Private Citizen, Inc.
http://webmill.com/prvtctzn/home

------------------------------

From: rj.mills@pti-us.com (Dick Mills)
Date: 12 Apr 1996 09:12:34 -0400
Subject: Re: USENET Reposters: Privacy and Copyright Concerns

andypajta@aol.com (AndyPajta) wrote:

But, while we can argue about fair use of reposting, certainly if someone takes my thoughts and puts them on a CD and sells it, that's some sort of infringement. Yes?

What if you post your thoughts on the bulletin board at the supermarket, then someone photographs the whole bulletin board and publishes that? What if someone publishes a photo of the sidewalk view of the movie theater, capturing images of the copyrighted playbills posted thereto?

Surely copyright disputes must be interpreted in accordance to the total content and purpose of the allegedly infringing work. An anthology that includes your short story without permission would overstep the line of what is permitted. AltaVista, which archives and indexes everyone's posts, does not overstep the line.

At least IMHO. However, I'm not a lawyer so my HO doesn't count for much.

--
Dick Mills +1(518)395-5154
O- http://www.pti-us.com
AKA dmills@albany.net http://www.albany.net/~dmills

------------------------------

From: forags@nature.Berkeley.EDU (Al Stangenberger)
Date: 12 Apr 1996 15:57:02 GMT
Subject: Re: USENET Reposters: Privacy and Copyright Concerns
Organization: U.C. Forestry & Resource Mgt.
References:

Patrick Crumhorn (patrik@io.com) wrote:

The problem here is that "middle C" is not a composition, but a frequency (of 256 Hertz, if memory serves correctly). And over the past several years, the US government has ruled that actual ownership of specific frequencies is indeed legal, and protected by law. [...] The bottom line, though, is that if Mr. Sherman were alive today, he very well *could* get the legal rights to the frequency of 256 Hz, and anyone attempting to modulate a signal on that frequency might very well have to pay a license fee to Mr. Sherman.
So his whimsy has become reality.

There's a basic difference between the government's legal right to allocate electromagnetic signals and the question of copyrighting a sound wave of a specific frequency.

If I wanted to get rich, I would file for copyright of the sound frequency of 60 hertz -- get royalties from every humming power transformer and fluorescent light ballast in the country!

--
Al Stangenberger Univ. of California at Berkeley
forags@nature.berkeley.edu Dept. of Env. Sci., Policy, & Mgt.
BITNET: FORAGS AT UCBNATUR 145 Mulford Hall # 3114
(510) 642-4424 FAX: (510) 643-5438 Berkeley, CA 94720-3114

------------------------------

From: peter@nmti.com (Peter da Silva)
Date: 12 Apr 1996 01:36:24 GMT
Subject: Re: USENET Reposters: Privacy and Copyright Concerns
Organization: Network/development platform support, NMTI
References:

paul@TDR.COM (Paul Robinson) writes:

If you posted an article that you are the owner, it would presume that you gave permission for its distribution.

AndyPajta wrote:

Yes, to a SPECIFIC site

You requested (yes, requested) that your message be distributed all over the world, to sites you have never heard of, and now you want us to believe that you didn't want that to happen, that you only wanted your posts to be on one site (America Online, I assume).

Your analogy of a USA Today letter further substantiates my point because they say.. ALL LETTERS BECOME PROPERTY OF USA TODAY

AltaVista doesn't claim to hold the copyright to your postings. They are simply a news server that lets anyone read and has no expire.

Web pages are a different matter, because they were intended to be read from one site. Usenet type broadcasting is a different matter.

--
Peter da Silva (NIC: PJD2) `-_-' 1601 Industrial Boulevard
Bailey Network Management 'U` Sugar Land, TX 77487-5013
+1 713 274 5180 "Have you hugged your wolf today?" USA
Bailey pays for my technical expertise.
My opinions probably scare them

------------------------------

From: bcn@world.std.com (Barry C Nelson)
Date: 15 Apr 1996 07:07:36 GMT
Subject: Re: USENET Reposters: Privacy and Copyright Concerns
Organization: The World Public Access UNIX, Brookline, MA
References:

paul@TDR.COM (Paul Robinson) writes:

If you posted an article that you are the owner, it would presume that you gave permission for its distribution.

AndyPajta wrote:

Yes, to a SPECIFIC site--I choose my audience and that is what *I allowed*. Any other use was *NOT* authorized.

When you publish, even for free, you should expect your words to make it to every possible reader. Most publishers even hope for wider dissemination. Nobody needs permission to forward a broadcast message, since we're all just part of the expectable method of broadcast the sender initiated.

an author must explicitly give up copyright. There is nothing implied in copyright law.

True, but copyright and contracts go hand in hand. A contract can be implied. A license to make copies can be an implied contract: you give me the information and I'll distribute it for free, if you promise to distribute my information for free when I give it to you.

The NII white paper and legislation propose making the digital transmission equivalent to copying (reproduction), the exclusive right of the owner. We're not talking clip art here; we're talking about digital transmission of entertainment which is currently worth billions of dollars, be it music, movies, real-audio, or games.

--
BCNelson (not a lawyer)

------------------------------

From: peter@nmti.com (Peter da Silva)
Date: 12 Apr 1996 01:46:40 GMT
Subject: Re: Copyright of Usenet Articles
Organization: Network/development platform support, NMTI
References:

Martin Kealey wrote:

To me, this means that after 2 years I can expect to publish another article with the same message-id, and that it will circulate without any problem.
Then I recommend that you make a habit of doing so and seeing if it breaks DejaNews.

I would also like to remind everyone of one of the features of usenet distribution that seems to have been overlooked in the hue and cry about DejaNews: the "Expires" header. You can set the lifetime of your message by including an "Expires" header.

Yes, and most sites have treated it as a hint, or outright ignored it, for many years. However, it is reasonable to claim that this is in fact a limit on your requested distribution (requested distribution, not license... when you post to Usenet, it's the service of carrying your message that is being licensed) and that a system like DejaNews honor it.

* include !dejanews.com! somewhere in the "Path" header
* keep a store of 2-year-old message IDs and deliberately reuse them (we aren't under any obligation to make indexing easy after all)
* include an Expires header

Excellent ideas. Use Usenet as it exists, don't pretend it's something it isn't.

In addition, you can get your collection of clever message-IDs from DejaNews itself!

--
Peter da Silva (NIC: PJD2) `-_-' 1601 Industrial Boulevard
Bailey Network Management 'U` Sugar Land, TX 77487-5013
+1 713 274 5180 "Have you hugged your wolf today?" USA
Bailey pays for my technical expertise. My opinions probably scare them

------------------------------

From: skg@sadr.com (Keith Graham)
Date: 12 Apr 1996 20:19:53 GMT
Subject: Re: Copyright of Usenet Articles
Organization: MindSpring Enterprises
References:

martin@kcbbs.gen.nz (Martin Kealey) writes:

[lots deleted about ways to legally prevent DejaNews from distributing material]

However, if there's a market in "tracking specific user's postings for HR purposes", to give an example, then companies could keep those profiles and sell them to any buyer. ("Give us an email address and we'll give you summaries of their posts!") It's all legal since they aren't redistributing the posts, and locks out us mundane people from doing searches.
And that assumes that companies wouldn't do the archive internally (which also gives them internal search capability for other subjects.)

In the meantime, I can go pull all the quotes that a company representative made (with the company's account). This is a worthwhile use, even though it does track a specific user name.

One of the things that should happen, is that college and possibly local newsgroups shouldn't be archived (and perhaps not even distributed outside of the college.) That would allow "young minds" to express themselves, work on their debating style, and "grow up", without having it come back to haunt them. (I'd hate to think some of my rants on BBSes and private discussion groups 10 years ago would surface now.)

But once you've made posts to public, international newsgroups, you're published, and should take responsibility for that publication. (And for now at least, you can always change your account and claim that the posts were from a "different Keith Graham". :-) )

This also stresses the need for anonymous remailers, etc. If you're posting something you don't want attributed to yourself for privacy reasons, you shouldn't publish under your real name. But I don't believe copyright is the way to go about "solving" this "problem".

--
Keith Graham
skg@sadr.com

------------------------------

From: hermit@cats.UCSC.EDU (William R. Ward)
Date: 12 Apr 1996 21:56:19 GMT
Subject: Re: Caller ID in California
Organization: Computing and Telecommunications Services, UCSC
References:

Beth Givens writes:

The Clearinghouse offers an 8-page guide called "Caller ID and My Privacy." Consumers can call (800) 773-7748 (California only, elsewhere 619-298-3396) to order. The guide provides an in-depth discussion of the many privacy implications of Caller ID.

Wouldn't it be funny if they use the 800 ANI information to identify callers?

--
William R Ward Bay View Consulting http://www.bayview.com/~hermit/
hermit@bayview.com 1803 Mission St.
#339 voicemail +1 408/479-4072
hermit@cats.ucsc.edu Santa Cruz CA 95060 USA pager +1 408/458-8862

------------------------------

From: bo774@FreeNet.Carleton.CA (Kelly Bert Manning)
Date: 13 Apr 1996 01:19:40 GMT
Subject: Re: Increasingly Intrusive Capability
Organization: The National Capital FreeNet
References:

Robert Ellis Smith (0005101719@mcimail.com) writes:

How can people who work daily with computers and know their capabilities simply shrug whenever a new application comes along that threatens privacy? "So, what else is new?" they ask. Like Michael

Well, some do and some don't. There has been at least 1 posting in this group from a "Willis Ware". I never did discover whether this was the same Willis Ware, member of the Association for Computing Machinery, who chaired the US HEW Secretary's Advisory Committee that wrote "Records, Computers and the Rights of Citizens". Hasn't your newsletter identified this report as providing the basis of the 1974 US Federal Privacy Act, and of much State Privacy law in the US?

I also recall going to a Canadian Information Processing Society meeting back in the 70s and hearing the speaker tell the audience that if they were asked to work on a computer system that did something they felt was morally questionable they should consider just saying no. He said that they may find someone else to do it, but then again they might not.

The ACM has had a Canon of Ethics for a long time, which has been identified as dealing with the privacy issue. The Institute of Electrical and Electronics Engineers, whose Computer Society is in a dead heat with ACM for being "The First Society in Computing", also has a Code of Ethics which applies to the privacy issue.

In my own career I'm much more proactive. When I come across privacy issues I make a declaration of how it will impact my own privacy and inform my immediate superiors of what action I plan to take, such as filing a complaint with the ombudsman.
At the same time I continue to provide my usual level of technical support, doing things quickly and simply that others say can only be done slowly or with great complexity and effort.

The sad fact is that they will usually find someone to get their job done, so it would be pointless, as well as unethical, to say that it can't be done, or that it is going to be really hard and difficult.

What needs to be done is to identify this as a moral issue and establish that a decision is being made and who is responsible for making it. Don't make it easy for them to get rid of a critic by saying that you are foot dragging or failing to do your best. Also don't bypass normal reporting channels.

I first got in a situation like this back in the 80s when I was working for a service bureau. I sent the client a courtesy copy of my letter of complaint, and found that they sent a copy of their initial response to the president of the corporation I worked for. Well that made the issue visible at the highest level, but not because I'd bypassed anyone in the hierarchy.

Another difficulty may be the lack of patience that many technical types have with long drawn out bureaucratic struggles. This issue is still unresolved, although it should be dealt with during 1996. In the interim we've seen a report on the issues come out of the Ombudsman's office and be adopted in large part for a bill that died when the government got voted out of power, only to resurface and get passed in modified form by the new government, then going on to a transition and implementation period before taking full effect.

This has not been without its lighter side. I was a bit disconcerted to hear the word "ombudsman" mentioned in a loud and disparaging tone when I emerged from an IBM Guided Learning Course study room to get a cup of coffee. This came from a group of IBM SEs down the corridor, who looked startled and scattered to their cubicles when I started walking toward them.
I found this a bit disconcerting, as the person making the remark had no reason that I knew of to be aware that I had filed a complaint. It also seemed at odds with what I've read about IBM policy on privacy and information technology.

--
notice: by sending advertising/solicitations to this account you will be indicating your consent to paying me $70/hour for a minimum of 2 hours for my time spent dealing with it

------------------------------

From: jenny simmonds
Date: 13 Apr 96 12:37:03 GMT
Subject: Deja News
Organization: Myorganisation

I am writing an article about Deja News and am interested in hearing from anyone who thinks it breaches their privacy.

In the interests of fairness, I'd also like to hear from those who don't think it breaches privacy :-)
^^^^^

--
| Jenny Simmonds, Overseas Jobs Express Net columnist |
| Send overseas jobs news to jenny@porky.demon.co.uk |
| Visit our home page at http://www.ahoy.com/oje/ |

------------------------------

From: geosys@digital.net (George)
Date: 13 Apr 1996 13:58:10 GMT
Subject: JAVA
Organization: FLORIDA ONLINE, Florida's Premier Internet Provider

Does JAVA and similar programming languages pose a security problem or a virus risk? As I understand it, these languages are a modified "C" which are downloaded with a web page and then execute on the local (terminal) computer.

What's to stop this from implanting a virus? Or from sending information on the system to a remote site?

Seems risky to me.

--
George

------------------------------

From: bo774@FreeNet.Carleton.CA (Kelly Bert Manning)
Date: 13 Apr 1996 22:16:00 GMT
Subject: Re: White Pages on the Net
Organization: The National Capital FreeNet
References:

"Richard Schroeppel" (rcs@cs.arizona.edu) writes:

A nation-wide white pages has been effectively available for 40 years. Chicago 1955: The biggest downtown department store, Marshall Fields, maintains a bank of >20 public pay phones on the third floor.
Next to the phones is a set of phone directories for the cities of the US and Canada. They are well used.

Not to mention the entrepreneur who shipped copies of Canadian Phone books to the Philippines for key entry and digital mastering, about 3 years before Lotus cancelled plans for a US white pages CD.

However you got lucky. The problem with ANI and Caller ID is that it the phone numbers (and geographic location) of the 30 to 60% of homes or businesses that are not in the Telco Directory.

------------------------------

From: dan@dvl.co.nz (Dan Langille)
Date: 15 Apr 1996 03:41:22 GMT
Subject: Re: White Pages on the Net
Organization: DVL Software Limited
References:

I don't see what the problem is with white pages on the Net. It just speeds things up that used to be manually done. Is this really an issue? I mean, it's public information anyways? It doesn't include unlisted numbers.

--
Dan Langille
DVL Software Limited

------------------------------

From: bo774@freenet.carleton.ca (Kelly Bert Manning)
Date: 15 Apr 1996 01:35:09 -0400
Subject: Recent Primenet Spam

When I complained to the postmaster about this MMF spam I got an automated reply saying that the account had been hosed and the client was being billed for labor for dealing with the spam fallout.

My initial request was for ID of the spammer, so that I could pass along my bill for $140.

There was another account address provided for people who want personal replies.
Following that up might have 2 beneficial effects:

make it more expensive to SPAM

make it more labor intensive for ISPs to deal with spammers, helping to build a case for applying spam recognition filters that would halt them when they go over a threshold of recipients and suspend the account

--
notice: by sending advertising/solicitations to this account you will be indicating your consent to paying me $70/hour for a minimum of 2 hours for my time spent dealing with it

------------------------------

From: Susan Evoy
Date: 13 Apr 1996 00:01:59 -0700
Subject: Conferences/Events of Interest

[moderator: this is an edited form of this posting.]

CPSR Members and Friends,

If you are planning to attend one of these conferences, or another that may be related to CPSR's work, please contact CPSR at cpsr@cpsr.org or (415) 322-3778 for easy ways for you to be a presence for CPSR.

CONFERENCE /EVENT SCHEDULE

Technological Assaults on Privacy, Rochester, NY, April 18-20, 1996.
Contact: privacy@rit.edu 716 475-6643 716 475-7120 (fax)

Electronic Government: Opportunities in Conducting the People's Business on the Internet, Fairmont Hotel, San Jose, CA, April 19
Contact: 510 464-7973 http://www.abag.ca.gov

Public Access to the Internet via Libraries: The Promise, Problems, and Prospects, Harvard University, Cambridge, MA, April 22.
Contact: 508 467-4480 moore@rdvax.enet.dec.com

Security and Privacy, IEEE Symposium, Oakland, CA, May 6-8, 1996.
Contact: sp96@cs.pdx.edu http://www.cs.pdx.edu/SP96

Visions of Privacy for the 21st Century: A Search for Solutions, Victoria, BC, CANADA, May 9-11, 1996.
Contact: http://www.cafe.net./gvc.foi

Public Access Goes Digital: Building our Communities in the Information Age, May 10-12, Burlington, VT.
Contact: marisa@cctv.org 802 862-1645

Business Ethics Conference, The Waldorf-Astoria, New York, NY, May 22-24.
Contact: 212 339-0345

Society and the Future of Computing (SFC'96), Snowbird, UT, June 16-20.
Contact: rxl@lanl.gov http://www.lanl.gov/SFC

Australasian Conference on Information Security and Privacy, New South Wales, AUSTRALIA, June 24-26.
Contact: jennie@cs.uow.edu.au

The Privacy Laws & Business, Cambridge, ENGLAND, July 1-3.
Contact: 44 181 423 1300 44 181 423 4536 (fax)

Advanced Surveillance Technologies II. Ottawa, ON, CANADA, Sept. 17.
Contact: pi@privacy.org

------------------------------

From: mpj@csn.net (Michael Johnson)
Date: 13 Apr 1996 01:27:14 -0600
Subject: FAQ on Where to get PGP
Organization: The Web of Trust

WHERE TO GET THE PRETTY GOOD PRIVACY PROGRAM (PGP) FAQ

Revised 11 February 1996

Disclaimer -- I haven't recently verified all of the information in this file, and much of it is probably out of date.

For questions not covered here, please read the documentation that comes with PGP, get one of the books mentioned below, or search for other relevant FAQ documents at rtfm.mit.edu and on the alt.security.pgp news group.

WHAT IS THE LATEST VERSION OF PGP?

Viacrypt PGP (commercial version): 2.7.1 (4.0 is due out Real Soon Now)
MIT & Philip Zimmermann (freeware, USA-legal): 2.6.2
Staale Schumacher's International variant: 2.6.3i for non-USA; 2.6.3 for USA

WHERE CAN I GET VIACRYPT PGP?

Just call 800-536-2664 and have your credit card handy.

WHERE IS PGP ON THE WORLD WIDE WEB?

http://web.mit.edu/network/pgp-form.html (U. S. PGP primary distribution site)
http://web.mit.edu/network/pgpfone (PGP Fone primary distribution site)
http://www.ifi.uio.no/pgp (International PGP primary distribution site)
http://www.csua.berkeley.edu/cypherpunks/home.html

WHERE CAN I FTP PGP IN NORTH AMERICA?
If you are in the USA or Canada, you can get PGP by following the instructions in any of:

ftp://net-dist.mit.edu/pub/PGP/README
ftp://ftp.csn.net/mpj/README.MPJ
ftp://miyako.dorm.duke.edu/pub/GETTING_ACCESS
ftp://ftp.csua.berkeley.edu/pub/cypherpunks/pgp/
ftp://ftp.gibbon.com/pub/pgp/README.PGP
ftp://ftp.wimsey.bc.ca/pub/crypto/software/README

WHERE IS PGP ON COMPUSERVE?

GO NCSAFORUM. Follow the instructions there to gain access to Library 12: Export Controlled.

AOL

Go to the AOL software library and search "PGP" or ftp from ftp://ftp.csua.berkeley.edu/pub/cypherpunks/pgp or another site listed above.

It is possible to get PGP from ftp sites with hidden directories with the following trick: (1) View the README file with the hidden directory name in it, then quickly (2) Start a new ftp connection, specifying the hidden directory name with the ftp site's address, like ftp.csn.net/mpj/I_will_not_export/crypto_xxxxxxx (where the xxxxxxx is replaced with the current character string).

WHAT BULLETIN BOARD SYSTEMS CARRY PGP?

MANY BBS carry PGP. The following carry recent versions of PGP and allow free downloads of PGP.

US

303-343-4053 Hacker's Haven, Denver, CO
303-772-1062 Colorado Catacombs BBS, Longmont CO
8 data bits, 1 stop, no parity, up to 28,800 bps. Use ANSI terminal emulation. For free access: log in with your own name, answer the questions.
314-896-9309 The KATN BBS
317-887-9568 Computer Virus Research Center (CVRC) BBS, Indianapolis, IN
Login First Name: PGP Last Name: USER Password: PGP
501-791-0124, 501-791-0125 The Ferret BBS, North Little Rock, AR
Login name: PGP USER Password: PGP
506-457=0483 Data Intelligence Group Corporation BBS
508-668-4441 Emerald City, Walpole, MA
601-582-5748 CyberGold BBS
612-690-5556, !CyBERteCH SeCURitY BBS!
Minneapolis MN
914-667-4567 Exec-Net, New York, NY
915-587-7888, Self-Governor Information Resource, El Paso, Texas

GERMANY

+49-781-38807 MAUS BBS, Offenburg - connected to MausNet
+49-521-68000 BIONIC-BBS Login: PGP

WHERE CAN I FTP PGP CLOSE TO ME?

DE
ftp://ftp.informatik.uni-hamburg.de/pub/virus/crypt/pgp/
ftp://ftp.uni-kl.de/pub/aminet/util/crypt
ftp://ftp.uni-paderborn.de/pub/aminet/util/crypt
ES
ftp://goya.dit.upm.es
IT
ftp://ftp.dsi.unimi.it/pub/security/crypt/PGP
FI
ftp://ftp.funet.fi/pub/crypt
NL
ftp://ftp.nl.net/pub/crypto/pgp
ftp.nic.surfnet.nl/surfnet/net-security/encryption/pgp
NZ
ftp://ftphost.vuw.ac.nz
SE
ftp://leif.thep.lu.se
TW
ftp://nctuccca.edu.tw/PC/wuarchive/pgp/
UK
ftp://ftp.demon.co.uk/pub/amiga/pgp
ftp://ftp.ox.ac.uk/pub/crypto/pgp
ftp://src.doc.ic.ac.uk/aminet/amiga-boing
ftp://unix.hensa.ac.uk/pub/uunet/pub/security/virus/crypt/pgp
ZA
ftp://ftp.ee.und.ac.za/pub/crypto/pgp

HOW CAN I GET PGP BY EMAIL?

If you have access to email, but not to ftp, send a message saying "help" to ftpmail@decwrl.dec.com or mailserv@nic.funet.fi

WHERE CAN I GET MORE PGP INFORMATION?

http://www.csn.net/~mpj
http://www.mit.edu:8001/people/warlord/pgp-faq.html
http://www.eff.org/pub/EFF/Issues/Crypto/ITAR_export/cryptusa_paper.ps.gz
ftp://ds.internic.net/internet-drafts/draft-pgp-pgpformat-00.txt
ftp://ds.internic.net/internet-drafts/draft-ietf-pem-mime-08.txt
http://www-mitpress.mit.edu/mitp/recent-books/comp/pgp-source.html
http://web.cnam.fr/Network/Crypto/ (this is in French)
http://web.cnam.fr/Network/Crypto/survey.html (in English)
http://www2.hawaii.edu/~phinely/MacPGP-and-AppleScript-FAQ.html
http://www.pgp.net/pgp
http://www.sydney.sterling.com:8080/~ggr/pgpmoose.html

WHAT ARE SOME GOOD PGP BOOKS?

Protect Your Privacy: A Guide for PGP Users
by William Stallings
Prentice Hall PTR
ISBN 0-13-185596-4
US $19.95

PGP: Pretty Good Privacy
by Simson Garfinkel
O'Reilly & Associates, Inc.
ISBN 1-56592-098-8
US $24.95

E-Mail Security: How to Keep Your Electronic Mail Private
"Covers PGP/PEM"
by Bruce Schneier
Wiley Publishing

The Computer Privacy Handbook: A Practical Guide to E-Mail Encryption, Data Protection, and PGP Privacy Software
by André Bacard
Peachpit Press
ISBN 1-56609-171-3
US $24.95
800-283-9444 or 510-548-4393

THE OFFICIAL PGP USER'S GUIDE
by Philip R. Zimmermann
MIT Press
April 1995 - 216 pp. - paper - US $14.95 - ISBN 0-262-74017-6 ZIMPP
Standard PGP documentation neatly typeset and bound.

PGP SOURCE CODE AND INTERNALS
by Philip R. Zimmermann
April 1995 - 804 pp. - US $55.00 - 0-262-24039-4 ZIMPH

How to Use PGP, 61 pages, (Pub #121) from the Superior Broadcasting Company, Box 1533-N, Oil City, PA 16301, phone: (814) 678-8801 (about US $10-$13).

IS PGP LEGAL?

Pretty Good Privacy is legal if you follow these rules:

Don't export PGP from the USA except to Canada, or from Canada except to the USA, without a license.

If you are in the USA, use either Viacrypt PGP (licensed for commercial use) or MIT PGP using RSAREF (limited to personal, noncommercial use). Outside of the USA, where RSA is not patented, you may prefer to use a version of PGP (2.6.3i) that doesn't use RSAREF to avoid the restrictions of that license.

If you are in a country where the IDEA cipher patent holds in software (including the USA, Canada, and some countries in Europe), make sure you are licensed to use the IDEA cipher commercially before using PGP commercially. (No separate license is required to use the freeware PGP for personal, noncommercial use). For direct IDEA licensing, contact Ascom Systec:

Erhard Widmer, Ascom Systec AG, Dep't. CMVV Phone +41 64 56 59 83
Peter Hartmann, Ascom Systec AG, Dep't. CMN Phone +41 64 56 59 45
Fax: +41 64 56 59 90
e-mail: IDEA@ascom.ch
Mail address: Gewerbepark, CH-5506 Maegenwil (Switzerland)

Viacrypt has an exclusive marketing agreement for commercial distribution of Philip Zimmermann's copyrighted code.
(Selling shareware/freeware disks or connect time is OK). This restriction does not apply to PGP 3.0, since it is a complete rewrite by Colin Plumb.

If you modify PGP (other than porting it to another platform, fixing a bug, or adapting it to another compiler), don't call it PGP (TM) or Pretty Good Privacy (TM) without Philip Zimmermann's permission.

WHAT IS PHILIP ZIMMERMANN'S LEGAL STATUS?

Philip Zimmermann was under investigation for alleged violation of export regulations, with a grand jury hearing evidence for about 28 months, ending 11 January 1996. The Federal Government chose not to comment on why it decided to not prosecute, nor is it likely to. The Commerce Secretary stated that he would seek relaxed export controls for cryptographic products, since studies show that U. S. industry is being harmed by current regulations. Philip endured some serious threats to his livelihood and freedom, as well as some very real legal expenses, for the sake of your right to electronic privacy. The battle is won, but the war is not over. The regulations that caused him so much grief and which continue to dampen cryptographic development, harm U. S. industry, and do violence to the U. S. National Security by eroding the First Amendment of the U. S. Constitution and encouraging migration of cryptographic industry outside of the U. S. A. are still on the books.

If you are a U. S. Citizen, please write to your U. S. Senators, Congressional Representative, President, and Vice President pleading for a more sane and fair cryptographic policy.

WHERE CAN I GET WINDOWS & DOS SHELLS FOR PGP?
http://www.dayton.net/~cwgeib
ftp://oak.oakland.edu/SimTel/msdos/security/apgp22b.zip
http://alpha.netaccess.on.ca/~spowell/crypto/pwf31.zip
ftp://ftp.netcom.com/pub/dc/dcosenza/pgpw40.zip
ftp://ftp.firstnet.net/pub/windows/winpgp/pgpw40.zip
http://www.eskimo.com/~joelm (Private Idaho)
ftp://ftp.eskimo.com/~joelm
http://www.xs4all.nl/~paulwag/security.htm
http://www.LCS.com/winpgp.html
http://netaccess.on.ca/~rbarclay/index.html
http://netaccess.on.ca/~rbarclay/pgp.html
ftp://ftp.leo.org/pub/comp/os/os2/crypt/gcppgp10.zip
ftp://ftp.leo.org/pub/comp/os/os2/crypt/pmpgp.zip
http://iquest.com/~aegisrcs

WHAT OTHER FILE ENCRYPTION (DOS, MAC) TOOLS ARE THERE?

PGP can do conventional encryption only of a file (-c) option, but you might want to investigate some of the other alternatives if you do this a lot. Alternatives include Quicrypt and Atbash2 for DOS, DLOCK for DOS & UNIX, Curve Encrypt (for the Mac), HPACK (many platforms), and a few others.

Quicrypt is interesting in that it comes in two flavors: shareware exportable and registered secure. Atbash2 is interesting in that it generates ciphertext that can be read over the telephone or sent by Morse code. DLOCK is a no-frills strong encryption program with complete source code. Curve Encrypt has certain user-friendliness advantages. HPACK is an archiver (like ZIP or ARC), but with strong encryption. A couple of starting points for your search are:

ftp://ftp.csn.net/mpj/qcrypt11.zip
ftp://ftp.informatik.uni-hamburg.de/pub/virus/crypt/file/
ftp://ftp.csn.net/mpj/README
ftp://ftp.miyako.dorm.duke.edu/pub/GETTING_ACCESS

HOW DO I SECURELY DELETE FILES (DOS)?

If you have the Norton Utilities, Norton WipeInfo is pretty good. I use DELETE.EXE in del110.zip, which is really good at deleting existing files, but doesn't wipe "unused" space.

ftp://ftp.csn.net/mpj/public/del120.zip
ftp://ftp.demon.co.uk/pub/ibmpc/security/realdeal.zip

WHAT DO I DO ABOUT THE PASS PHRASE IN MY WINDOWS SWAP FILE?
The nature of Windows is that it can swap any memory to disk at any time, meaning that all kinds of interesting things could end up in your swap file.

ftp://ftp.firstnet.net/pub/windows/winpgp/wswipe.zip

WHERE DO I GET PGPfone(tm)?

PGPfone is in beta test for Macintosh users. A Windows 95 version is being developed.

http://web.mit.edu/network/pgpfone
ftp://net-dist.mit.edu/pub/PGPfone/README
ftp.hacktic.nl/pub/pgp/pgpfone

WHERE DO I GET NAUTILUS?

Bill Dorsey, Pat Mullarky, and Paul Rubin have come out with a program called Nautilus that enables you to engage in secure voice conversations between people with multimedia PCs and modems capable of at least 7200 bps (but 14.4 kbps is better). See

ftp://ripem.msu.edu/pub/crypt/GETTING_ACCESS
ftp://ripem.msu.edu/pub/crypt/other/nautilus-phone-0.9.2-source.tar.gz
ftp://ftp.csn.net/mpj/README
ftp://miyako.dorm.duke.edu/pub/GETTING_ACCESS
ftp://ftp.dsi.unimi.it/pub/security/crypt/cypherpunks/nautilus
ftp://ftp.ox.ac.uk/pub/crypto/misc

HOW DO I ENCRYPT MY DISK ON-THE-FLY?

Secure File System (SFS) is a DOS device driver that encrypts an entire partition on the fly using SHA in feedback mode. Secure Drive also encrypts an entire DOS partition, using IDEA, which is patented. Secure Device is a DOS device driver that encrypts a virtual, file-hosted volume with IDEA. Cryptographic File System (CFS) is a Unix device driver that uses DES.

http://www.cs.auckland.ac.nz/~pgut01/sfs.html
ftp://ftp.informatik.uni-hamburg.de/pub/virus/crypt/disk/
ftp://ftp.csn.net/mpj/README
ftp://miyako.dorm.duke.edu/mpj/crypto/disk/
ftp://ftp.nic.surfnet.nl/surfnet/net-security/encryption/disk/
ftp://ftp.demon.co.uk/pub/ibmpc/secdev/secdev14.arj

WHERE IS PGP'S COMPETITION?

RIPEM is the second most popular freeware email encryption package. I like PGP better for lots of reasons, but if for some reason you want to check or generate a PEM signature, RIPEM is available at ripem.msu.edu. There is also an exportable RIPEM/SIG.
ftp://ripem.msu.edu/pub/GETTING_ACCESS

HOW DO I PUBLISH MY PGP PUBLIC KEY?

Send mail to one of these addresses with the single word "help" in the subject line to find out how to use them. These servers synchronize keys with each other. There are other key servers, too.

pgp-public-keys@keys.pgp.net
pgp-public-keys@keys.de.pgp.net
pgp-public-keys@keys.no.pgp.net
pgp-public-keys@keys.uk.pgp.net
pgp-public-keys@keys.us.pgp.net

WWW interface to the key servers:

http://www.pgp.net/pgp/www-key.html
http://www-swiss.ai.mit.edu/~bal/pks-toplev.html

For US $20/year or so, you can have your key officially certified and published in a "clean" key database that is much less susceptible to denial-of-service attacks than the other key servers. Send mail to info-pgp@Four11.com for information, or look at http://www.Four11.com/

Of course, you can always send your key directly to the parties you wish to correspond with by whatever means you wish.

CAN I COPY AND REDISTRIBUTE THIS FAQ?

Yes. Permission is granted to distribute unmodified copies of this FAQ.

Please e-mail comments to mpj@csn.net

Michael Paul Johnson     mailto:mpj@csn.net     M i k e  ><> ><> ><>
PO Box 1151              http://www.csn.net/~mpj
Longmont CO 80502-1151   Colorado Catacombs BBS 303-772-1062   Jesus is Lord!
mpj8:F25EA1C1A6CFEF71 121F91926AEDAEA9 mpjA:3E67A5800DFBD16A 6D52D3A91C074E41

------------------------------

From: "Prof. L. P. Levine"
Date: 15 Apr 1996 01:35:09 -0400 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail.
Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply.

If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using CPD material should obtain permission from the contributors.

Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the Subject: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit the text except for purely technical reasons.
A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy".

People with gopher capability can most easily access the library at gopher.cs.uwm.edu.

Web browsers will find it at gopher://gopher.cs.uwm.edu.

----------------------------------+-----------------------------------------
Leonard P. Levine                 | Moderator of: Computer Privacy Digest
Professor of Computer Science     |               and comp.society.privacy
University of Wisconsin-Milwaukee | Post:         comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201       | Information:  comp-privacy-request@uwm.edu
                                  | Gopher:       gopher.cs.uwm.edu
levine@cs.uwm.edu                 | Web:          gopher://gopher.cs.uwm.edu
----------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V8 #032
******************************