Date: Sun, 19 May 96 09:06:54 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V8#040

Computer Privacy Digest   Sun, 19 May 96   Volume 8 : Issue: 040

Today's Topics:                         Moderator: Leonard P. Levine

  Re: Cookies
  Re: Cookies
  Re: An Ethical Dilemma
  Re: An Ethical Dilemma
  Re: FDA Approves At-Home HIV Test
  Re: FDA Approves At-Home HIV Test
  Georgia Law Could Prohibit Web Links
  Re: Automated Toll Collection
  Re: Automated Toll Collection
  Local Ordinances Restrict SSN Identifiers?
  Re: Tempest Intrusion
  RISKS: Discussion of Med Privacy Bill
  Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: Geoff Mulligan
Date: 16 May 1996 22:27:45 -0600
Subject: Re: Cookies

Sean said:

> Fortune program with over 66000 cookies   Size 3006 K
>
> It seems to me that these cookies are cookies files from people using
> Netscape Navigator and MSIE. If so, how we can prevent others from
> getting our 'cookies'? I mean, any other way except manually deleting
> them every time we use a browser. Is 'history' file also downloadable
> from unsuspicious user's PC?

Actually these are not "cookies" as the term is used today with browsers. The fortune program mentioned (sm186.zip) randomly selects a witty/funny saying (a cookie) from the file and displays it. This program is claiming to contain over 66000 of these "sayings", not browser cookies.

[moderator: similar comments came from huggins@tarski.eecs.umich.edu (James K. Huggins), Jim Maurer and ajm@mcs.com (Alan Miller)]

------------------------------

From: Jonas Karlsson
Date: 17 May 1996 00:04:10 +0200
Subject: Re: Cookies
Organization: Just me...
References:

lihou@ms2.hinet.net wrote:

> Files from the winsite-win95 archive
> [...]
> Fortune program with over 66000 cookies   Size 3006 K
> [...]
> It seems to me that these cookies are cookies files from people using
> Netscape Navigator and MSIE. If so, how we can prevent others from
> getting our 'cookies'?

As I can't make up my mind whether this is a troll or not, I figure I'll answer it with a straight face. (So if it is a troll, you caught me. ;-)

Now, I haven't actually dl'd that file to check, but from the description it seems far more likely that the 'cookies' in question refer to 'fortune-cookies'. While this may not be apparent to non-unix users - where the 'fortune' command is virtually ubiquitous - the purpose of 'fortune' is to print a 'fortune-cookie' style - usually humorous - message. Most likely, this is simply a file of 66000 such messages, probably intended to be used with some 'fortune'-equivalent windows 95 program.

As for preventing people from getting the 'cookies', well, Netscape claim - and most likely are quite right - that *only* the one that set the cookie can get it. And, in Atlas, you can set an option that gives *you* control over the cookies, including the right to cancel setting/sending them. (Now, of course, the truly paranoid know that Netscape could of course do pretty much anything its programmers want to your computer (they just have to ignore their own security precautions), if they wanted to. But then, so could, say, every other program on your hard disk... ;-)

> Is 'history' file also downloadable from unsuspicious user's PC?

Now, as to that, if you have a suitably broken/early version of Netscape, it's supposed to be possible. Also, given enough Java/JavaScript trickery (or VBScript for that matter), yes, it's probably doable. As to whether anyone is actually *doing* it, well, I wouldn't know. The value of getting that file from all random passers-by seems questionable. But then, I'm not a marketing person... ;-)

--
| Jonas.Karlsson@baldakinen.umea.se          | I am a number,  |
| 100342.3455@compuserve.com - jonask@io.com | not a man! - 42 |

------------------------------

From: hermit@cats.UCSC.EDU (William R. Ward)
Date: 16 May 1996 18:03:25 GMT
Subject: Re: An Ethical Dilemma
Organization: Computing and Telecommunications Services, UCSC
References:

Simon Rogerson writes:

> Problems associated with the uniqueness of IT abound. Consider these
> three statements:
>
> * Hacking is wrong
>
> [...]

There's nothing wrong with hacking. I'm a hacker, and proud of it. That doesn't mean I do anything wrong or illegal. Just because the press has a simplistic and inaccurate picture of what a hacker is doesn't mean that you have to perpetuate that. And if you don't know what I'm talking about, read Steven Levy's book "Hackers".

--
William R Ward         Bay View Consulting       http://www.bayview.com/~hermit/
hermit@bayview.com     1803 Mission St. #339     voicemail +1 408/479-4072
hermit@cats.ucsc.edu   Santa Cruz CA 95060 USA   pager +1 408/458-8862

------------------------------

From: dan@dvl.co.nz (Dan Langille)
Date: 19 May 1996 01:05:17 GMT
Subject: Re: An Ethical Dilemma
Organization: DVL Software Limited
References:

Simon Rogerson wrote:

> * Is it right to employ hackers to develop an anonymous Internet
>   counselling service for the suicidal?
>
> What do you think?

Firstly, this is a posed and loaded question. One can create a similar question using a multitude of statements such as that which preceded the above question.

If you are serious about counseling, there is no need to utilise hackers to achieve your goals. There are many competent and reliable people who will help with such projects. If it's strategy and tactics you're after, by all means, use hackers as consultants. But by definition, hackers won't give you the system you deserve.

--
Dan Langille
DVL Software Limited - Wellington, New Zealand

------------------------------

From: briang@netcom.com (Brian Gordon)
Date: 16 May 1996 13:51:55 -0700 (PDT)
Subject: Re: FDA Approves At-Home HIV Test

> The FDA just announced that it has approved the first at-home HIV test,
> manufactured by Direct Access Diagnostics, a Bridgewater, New
> Jersey-based division of Johnson and Johnson. The test allows for the
> collection of blood specimens in the home. The blood samples must then
> be mailed to a lab for analysis. Results are available within weeks,
> and the tests are allegedly anonymous, though, at this point, it is not
> clear how so.

According to today's news, each kit comes with a code number. After an appropriate wait, you call for the results from that code number. No name, no traceability. Probably not foolproof, but pretty good.

--
Brian Gordon   >briang@netcom.com<--   bgordon@isi.com
AOL: BGordon   CompuServe: 70243,3012

------------------------------

From: dan@dvl.co.nz (Dan Langille)
Date: 19 May 1996 01:26:42 GMT
Subject: Re: FDA Approves At-Home HIV Test
Organization: DVL Software Limited
References:

> Results are available within weeks, and the tests are allegedly
> anonymous, though, at this point, it is not clear how so.

From what I saw here on TV, the tests will be first released in Texas and Florida only. I understand this is to ensure that demand does not exceed supply (ie. the testers don't want to get overwhelmed by test results).

One buys the test kit in the shop. Each kit contains a unique number printed on the test card which you send to the test center. You prick your finger, dab the blood onto a test card, and mail the card off to be tested.

You can then dial the testing centre, and enter your unique test code. If your test is negative, you get a recorded message. If positive, you get patched through to a counselor.

AFAIK, [As Far As I Know] the only hitch to the alleged privacy issue is caller id. Which I believe to be a separate issue.

--
Dan Langille
DVL Software Limited - Wellington, New Zealand

------------------------------

From: Monty Solomon
Date: 16 May 1996 23:59:58 -0400
Subject: Georgia Law Could Prohibit Web Links

Excerpt from 05-15-96 ACLU Newsfeed

*Georgia Law Could Prohibit Web Links*

Legislation recently signed into law by Georgia Governor Zell Miller is aimed at preventing fraud in cyberspace, but the Chronicle of Higher Education recently reported that critics say it could force developers of World Wide Web pages to remove links to other pages.

The law, the Chronicle reported, makes it a crime to "falsely identify" oneself on the Net, or to direct people to someone else's computer without the other person's explicit permission.

The ACLU said the Georgia law raises serious questions.

"The Georgia law -- like the federal Communications Decency Act -- is just another example of legislators rushing to criminalize communication in the online medium before they even begin to understand how it operates," said Ann Beeson, an ACLU expert on cyberspace.

"In the process," Beeson continued, "they have violated the free speech rights of cybercitizens and have drastically hindered a democratizing medium that enables people to communicate and share information around the world in a way never previously possible."

----------------------------------------------------------------
ONLINE RESOURCES FROM THE ACLU NATIONAL OFFICE
----------------------------------------------------------------

ACLU Freedom Network Web Page: http://www.aclu.org.

America Online users should check out our live chats, auditorium events, *very* active message boards, and complete news on civil liberties, at keyword ACLU.

----------------------------------------------------------------
ACLU Newsfeed
American Civil Liberties Union National Office
132 West 43rd Street
New York, New York 10036

To subscribe to the ACLU Newsfeed, send a message to majordomo@aclu.org with "subscribe News" in the body of the message.

To terminate your subscription, send a message to majordomo@aclu.org with "unsubscribe News" in the body of the message.

For general information about the ACLU, write to info@aclu.org.

------------------------------

From: Jonathon Blake
Date: 17 May 1996 06:58:41 +0000 (GMT)
Subject: Re: Automated Toll Collection

dan@dvl.co.nz (Dan Langille) wrote:

> I do not feel worried about passing my credit card details over the
> internet. Is there any [documented] case of credit card details being

Do you seriously expect banking institutions to admit to that?

> stolen whilst in transmission? Such transmissions must happen

Packet sniffers, located at any router between here and there. Any large computer exposition in the US will have several packet sniffers running.

> capture data, it would be done. But it isn't easy. Sure it's

Want a packet sniffer? They are two a penny, with a tickey back for change.

> possible, but it's not probable. For that matter, encryption won't

Has anybody broken 128 bit RSA yet? 2048 bit PGP Keys? NSA isn't talking, but I doubt they have. Can anybody break a steganographed message that is also encrypted with a 4096 bit PGP Key, without using TEMPEST?

--
jonathon
grafolog@netcom.com

------------------------------

From: dan@dvl.co.nz (Dan Langille)
Date: 19 May 1996 01:18:16 GMT
Subject: Re: Automated Toll Collection
Organization: DVL Software Limited
References:

Rick Carlson wrote:

> There is nothing to prevent the State of VA to sell the data that they
> collect through the automated toll booths. It would seem imprudent to
> expect that they would not eventually try to get some money into the
> state treasury for this "state resource".

Hmm, it sounds to me like someone is in need of a Privacy Bill. What we have here in NZ is a [seemingly] good piece of legislation. If someone collects information, said information can ONLY be used for the purpose for which it was collected. In such circumstances, the State of VA would not be able to sell the information.

Does such legislation exist in VA?

--
Dan Langille
DVL Software Limited - Wellington, New Zealand

------------------------------

From: rgerst1026@aol.com (RGerst1026)
Date: 18 May 1996 21:50:25 -0400
Subject: Local Ordinances Restrict SSN Identifiers?
Organization: America Online, Inc. (1-800-827-6364)

Is anyone aware of cities or towns which have outlawed the practice of requiring a customer to provide a social security number for commercial transactions or for other non-official uses? If so, what does the ordinance say? Thanks for your help.

------------------------------

From: "Prof. L. P. Levine"
Date: 16 May 1996 15:22:10 -0500 (CDT)
Subject: Re: Tempest Intrusion
Organization: University of Wisconsin-Milwaukee

In a recent CPD we had a posting from SpyKing in which he stated:

> In 1985, a Dutch scientist Wim van Eck published a paper which was
> written about in the prestigious "Computers & Security" journal,
> "Electromagnetic Radiation from Video Display Units: An Eavesdropping
> Risk?" Vol 4 (4) pp 269-286. The paper caused a panic in certain
> government circles and was immediately classified as is just about all
> TEMPEST information. Wim van Eck's work proved that Video Display
> Units (CRT's) emitted electromagnetic radiation similar to radio waves
> and that they could be intercepted, reconstructed and viewed from a
> remote location. This of course compromises security of data being
> worked on and viewed by the computer's user. Over the years TEMPEST
> monitoring has also been called van Eck monitoring or van Eck
> eavesdropping.

However, I subsequently got a memo from Belden Menkus indicating:

> My apologies for not having mentioned this earlier. A number of weeks
> ago you included a posting which claimed that an article by Wm Van Eck
> was classified and suppressed by the intelligence community. That is
> not so, I wrote the article in the same issue that explained how to
> reduce the problem. Neither article was classified or suppressed by
> anyone! I have the clips in my personal file.
>
> --
> BELDEN MENKUS   menkus@dockmaster.ncsc.mil
> POB 129, Hillsboro TN 37342   (615) 728-2421
> Things are not always what they seem.

--
Leonard P. Levine                   e-mail levine@cs.uwm.edu
Professor, Computer Science         Office 1-414-229-5170
University of Wisconsin-Milwaukee   Fax    1-414-229-2769
Box 784, Milwaukee, WI 53201
PGP Public Key: finger llevine@blatz.cs.uwm.edu

------------------------------

From: "Prof. L. P. Levine"
Date: 16 May 1996 13:01:22 -0500 (CDT)
Subject: RISKS: Discussion of Med Privacy Bill
Organization: University of Wisconsin-Milwaukee

Taken from RISKS-LIST: Risks-Forum Digest  Wednesday 15 May 1996  Volume 18 : Issue 12
FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

From: James Love
Date: 14 May 1996 19:05:23 -0400 (EDT)
Subject: Discussion Drafts of Medical Records Privacy Legislation

[Sent to RISKS via Stanton McCandlish. RISKS generally eschews such postings. However, this one may have broad appeal to readers in the U.S., and far-reaching implications. PGN]

Re: Getting Copies of "Discussion Drafts" of Med Privacy Bill Online

This is a sign-on letter to Senators Kassebaum and Warner, asking that the Senate make copies of its "discussion drafts" of S. 1360, the Medical Records Confidentiality Act, on the Internet. The discussion drafts reflect the current versions of the controversial legislation, after negotiations between various Senators and lobbyists. Currently these drafts are only distributed in paper, and are mostly available to Washington DC lobbyists. Senator Kassebaum controls access to the discussion drafts, and Senator Warner is in charge of Senate rules on topics such as public access to Senate documents.

The letter has been signed by Gary Ruskin, Director of the Congressional Accountability Project, Lori Fena, Director of the Electronic Frontier Foundation, James Love, Director of Consumer Project on Technology, and Jim Warren, a well known computer journalist and information activist. To add your name, send a note to Gary Ruskin at gary@essential.org.

The letter follows:

Senator Nancy Kassebaum, Chair
Committee on Labor and Human Resources
428 Dirksen Senate Office Bldg
Washington, DC 20510-6300

Senator John Warner, Chair
Committee on Rules and Administration
305 Russell Senate Office Bldg
Washington, DC 20510-6325

Dear Senators Kassebaum and Warner:

We are writing to express the frustrations of many American citizens who cannot effectively monitor the actions of the U.S. Congress, because the Senate does not give ordinary citizens the same access to key legislative documents that it gives to interest groups that can afford full time lobbyists.

Our immediate concern is the refusal of the Senate Labor Committee to provide online access to a series of discussion drafts of S. 1360, the Medical Records Confidentiality Act. This controversial legislation seeks to pre-empt state laws in favor of a federal system regulating access to personal medical records. The legislation is controversial and complex and the stake holders are many. Privacy and consumer groups say the legislation provides too much access and too little privacy, while industry groups are pressing for even easier access to identified medical records.

The legislation was introduced last October. Beginning in April, the Committee on Labor and Human Resources has prepared several "discussion drafts" for a new chairman's mark. These drafts have been given to lobbyists, but the Committee staff has refused to make the text of the drafts available on the Internet where they would be readily available to the general public.

As a consequence, as Equifax, IBM, Dun & Bradstreet, TRW, Blue Cross, Aetna, and other groups with full-time lobbyists read each and every new discussion draft, the general public mistakenly believes the October 24, 1995 version of the bill represents the relevant text of the legislation.

Why keep the discussion drafts from the general public? The bill is very long, and it is costly and difficult to distribute the bill in the paper formats. Most citizens don't have any way of even knowing that the various discussion drafts even exist.

With efforts to push for a rapid mark-up on S. 1360 it seems urgent to resolve this issue soon. More generally, however, the Senate should adopt new rules about access to the various types of "unofficial" drafts of bills, including committee prints, managers amendments, chairman's marks, and widely disseminated discussion drafts, which are the real stuff of the legislative process. The text of these important documents should be placed on the Internet for the benefit of the general public, as soon as they are made available to Washington lobbyists.

Sincerely,

Gary Ruskin, Director, Congressional Accountability Project
(Member, Advisory Committee, Congressional Internet Caucus)
gary@essential.org

Lori Fena, Director, Electronic Frontier Foundation, lori@eff.org

James Love, Director, Consumer Project on Technology, love@tap.org

Jim Warren, tech-policy columnist and open-government advocate
Government Technology Magazine, MicroTimes Magazine, etc.
345 Swett Rd., Woodside CA 94062; voice/415-851-7075
jwarren@well.com

To add your name to this letter, send a note to Gary Ruskin. His contact info is:

Gary Ruskin
gary@essential.org
202/296-2787; fax: 202/833-2406

James Love, Center for Study of Responsive Law, P.O. Box 19367, Washington DC 20036
202/387-8030 Consumer Project on Technology; love@tap.org with webpages.

------------------------------

From: "Prof. L. P. Levine"
Date: 17 May 1996 09:14:50 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply.

If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using CPD material should obtain permission from the contributors.

Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the Subject: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit the text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy". People with gopher capability can most easily access the library at gopher.cs.uwm.edu. Web browsers will find it at gopher://gopher.cs.uwm.edu.

---------------------------------+-----------------------------------------
Leonard P. Levine                | Moderator of:     Computer Privacy Digest
Professor of Computer Science    |                  and comp.society.privacy
University of Wisconsin-Milwaukee| Post:               comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201      | Information: comp-privacy-request@uwm.edu
                                 | Gopher:                gopher.cs.uwm.edu
levine@cs.uwm.edu                | Web:            gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V8 #040
******************************
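The Cookies thread in this issue (Jonas Karlsson's reply) rests on one rule: a browser only sends a cookie back to the site that set it, and a browser option can refuse cookies altogether. The following Python sketch is an added illustration of that browser-side scoping logic; it is not part of the digest and not Netscape's code. It applies the domain-match and path-match rules later written down in RFC 6265 (host-only cookies when no Domain attribute is given, rejection of a Domain the setting host does not belong to, and a path prefix check); the hostnames, paths and cookie values in `demo()` are constructed for the example.

```python
"""Minimal cookie jar: why a cookie goes back only to the site that set it.

Added illustration, not Netscape's implementation and not code from the
digest. Domain/path matching follows RFC 6265; all hosts and values used in
demo() are constructed for the example.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str       # host (host-only cookie) or the Domain attribute value
    path: str
    host_only: bool   # True when the server gave no Domain attribute


def domain_matches(host, domain):
    """RFC 6265 domain-match: equal, or host is a subdomain of domain."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def path_matches(request_path, cookie_path):
    """RFC 6265 path-match: equal, or cookie_path is a directory prefix."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def default_path(request_path):
    """Default cookie path: the request path up to (not including) its last '/'."""
    if not request_path.startswith("/"):
        return "/"
    cut = request_path.rfind("/")
    return "/" if cut == 0 else request_path[:cut]


class CookieJar:
    def __init__(self, accept_cookies=True):
        # accept_cookies=False models a browser option that refuses all cookies
        self.accept_cookies = accept_cookies
        self._cookies = {}

    def store(self, url, set_cookie_header):
        """Store a Set-Cookie header received from url. Returns True if kept."""
        if not self.accept_cookies:
            return False
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        fields = [f.strip() for f in set_cookie_header.split(";")]
        name, _, value = fields[0].partition("=")
        domain, host_only, path = host, True, default_path(parts.path or "/")
        for attr in fields[1:]:
            key, _, val = attr.partition("=")
            key, val = key.strip().lower(), val.strip()
            if key == "domain" and val:
                val = val.lstrip(".").lower()
                # A server may scope a cookie only to itself or a parent domain
                if not domain_matches(host, val):
                    return False
                domain, host_only = val, False
            elif key == "path" and val.startswith("/"):
                path = val
        self._cookies[(domain, path, name)] = Cookie(name, value, domain, path, host_only)
        return True

    def cookie_header(self, url):
        """Build the Cookie header for a request to url, or None if none apply."""
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        req_path = parts.path or "/"
        sent = []
        for c in self._cookies.values():
            if c.host_only and host != c.domain:
                continue
            if not c.host_only and not domain_matches(host, c.domain):
                continue
            if not path_matches(req_path, c.path):
                continue
            sent.append(f"{c.name}={c.value}")
        return "; ".join(sent) if sent else None


def demo():
    """Exercise the jar with constructed hosts; returns the outcomes."""
    jar = CookieJar()
    jar.store("http://shop.example.com/cart/view", "session=abc123; Path=/")
    jar.store("http://shop.example.com/", "pref=blue; Domain=example.com")
    foreign_set = jar.store("http://shop.example.com/", "track=1; Domain=other.net")
    blocked = CookieJar(accept_cookies=False).store("http://shop.example.com/", "x=1")
    return {
        "same_host": jar.cookie_header("http://shop.example.com/cart/checkout"),
        "sibling_host": jar.cookie_header("http://www.example.com/"),
        "foreign_host": jar.cookie_header("http://tracker.other.net/"),
        "foreign_domain_rejected": not foreign_set,
        "all_cookies_refused": not blocked,
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Running `demo()` shows the three outcomes that matter for the privacy question: the host that set both cookies gets both back, a sibling host under example.com sees only the cookie explicitly scoped to example.com, and an unrelated host gets nothing. A server's attempt to set a cookie for a domain it does not belong to is refused at store time, which is the check that stops one site planting cookies for another.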