Date: Thu, 27 Jun 96 18:55:15 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@uwm.edu Subject: Computer Privacy Digest V8#051 Computer Privacy Digest Thu, 27 Jun 96 Volume 8 : Issue: 051 Today's Topics: Moderator: Leonard P. Levine Re: Cookies Re: Cookies RISKS: IRS and DOD, Bad Coupling Re: US Export Law Re: US Export Law Re: Marketing on the Information Highway Discussion Forum on Privacy on the Internet Re: Privacy while Downloading from Newsgroup Re: Privacy in Politics White House--Database [long] RISKS: FBI Surveillance of Library Patrons NorthStar: PGP Jump Start Info on CPD [unchanged since 11/22/95] ---------------------------------------------------------------------- From: Scott Wyant Date: 24 Jun 1996 16:12:13 -0700 Subject: Re: Cookies This list has seen discussion about the little "cookie" that a Netscape server hands to your browser. Have you wondered how someone might use it to make some money? Here's how. (This will take a while, but I think it's worth it.) Using Find File, look for a file called cookie.txt (or MagicCookie if you have a Mac machine). Using a text editor, open the file and take a look. If you've been doing any browsing, the odds are about 80/20 that you'll find a cookie in there from someone called "doubleclick.net." If you're like me, you never went to a site called "doubleclick." So how did they give you a cookie? After all, the idea of the cookie, according to the specs published by Netscape, is to make a more efficient connection between the server the delivers the cookie and the client machine which receives it. But we have never connected to "doubleclick." Close MagicCookie, connect to the Internet, and jump to Read all about how they are going to make money giving us cookies we don't know about, collecting data on all World Wide Web users, and delivering targeted REAL TIME marketing based on our cookies and our profiles. Pay special attention to the information at: You'll see that the folks at "doubleclick" make the point that this entire transaction (between their server and your machine) is "transparent to the user." In plain English, that means you'll never know what hit you. So what's happening is, subscribers to the doubleclick service put a "cookie request" on their home page FOR THE DOUBLECLICK COOKIE. When you hit such a site, it requests the cookie and take a look to see who you are, and any other information in your cookie file. It then sends a request to "doubleclick" with your ID, requesting all available marketing information about you. (They're very coy about where this information comes from, but it seems clear that at least some of it comes from your record of hitting "doubleclick" enabled sites.) You then receive specially targetted marketing banners from the site. In other words, if Helmut Newton and I log on to the same site at the exact same time, I'll see ads for wetsuits and basketballs, and Helmut will see ads for cameras. If you log in to a "doubleclick" enabled site, and it sends a request for your "doubleclick" cookie, and you don't have one, why each and every one of those sites will hand you a "doubleclick" cookie. Neat, huh? And you can bet they're going to be rolling in the cookie dough. Me, I edit my cookie file each and every time I go to a new site. (Despite the dire warning at the top of the file, you can edit it with no adverse consequences.) Oh, and one other thing. If you edit your cookie file BEFORE you connect to "doubleclick," and then jump around at the site, you'll notice that they DON'T hand you a cookie. I probed the site pretty carefully, checking the MagiCookie file, and nothing happened. Until I closed Netscape. The LAST thing the 'doubleclick" site did was.... You guesed it. They handed me a cookie. So much for making the client-server negotiation more efficient. (In fairness, that cookie may have been in memory until I closed Netscape -- I can't tell for sure.) Scott Wyant Spinoza Ltd. ------------------------------ From: John Date: 26 Jun 1996 08:32:13 -0700 Subject: Re: Cookies Organization: The Rock of Ages Home for Unix Hackers References: lihou@ms2.hinet.net wrote: It seems to me that these cookies are cookies files from people using Netscape Navigator and MSIE. If so, how we can prevent others from getting our 'cookies'? I mean, any other way except manually deleting them every time we use a browser. Is 'history' file also dowloadable from unsuspicious user's PC? This is a joke right? Cookies in this context == fortune cookies. Neither the cookies.txt or history files are downloadable from hard drives under MSIE or Netscape. Think of cookies as membership cards. When you visit a site it gives you a membership card (a cookie) when you come back your browser says aha I have a membership card (cookie) for this site I'll show it to them. What is written on the card is up to the site but one site can't see cookies from another. Cookies add an important feature to the web - state tracking - if you want to buy somthing from a site it's important to be able to track from page to page (so the order form can know which product you were looking at). The thing that has people bent out of shap is the option to make cookies persistant (i.e make them live beyond one session). This is easy to fix by making your cookies files read only. John ------------------------------ From: "Prof. L. P. Levine" Date: 24 Jun 1996 21:36:28 -0500 (CDT) Subject: RISKS: IRS and DOD, Bad Coupling Organization: University of Wisconsin-Milwaukee Taken from RISKS-LIST: Risks-Forum Digest Monday 24 June 1996 Volume 18 : Issue 23 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator From: "Richard L. Wexelblat" Date: 20 Jun 1996 21:38:14 -0400 Subject: DoD and IRS tax systems Special note: I work for the IRS and have a work-related vested interest in _not_ having the Department of Defense involved in contracting for IRS software and systems. Therefore, despite any claims of non-bias below, I am clearly "interested" in the classical sense of the word. That part out of the way, I'd like to say (as a private citizen, a tax-and-spend liberal, and an almost-always defender of free speech and the right of the citizen to privacy) that the present initiative by Congress to have DoD become the contracting agent for IRS system and software development is a clear and present danger to privacy in the Republic in which we stand. The initiative referred to above is in the "Subcommittee Mark" of the proposed next year's budget. It's just a House Subcommittee so it's not law, but it's a bad idea in my mind, even to consider it seriously. Is the Department of Star Wars and the $700 toilet seat really so excellent a contracting agency that they are the clear choice to handle IRS business? Well, that's my biased opinion, and I'd like very much to hear from others who may have a more valid claim to disinterest! Dick Wexelblat, Acting Lead Architect << asa APbA IRS ------------------------------ ------------------------------ From: centauri@crl.com (Charles Rutledge) Date: 24 Jun 1996 20:00:09 -0700 Subject: Re: US Export Law Organization: CRL Dialup Internet Access References: Glenn Benson (Glenn.Benson@zfe.siemens.de) wrote: I am trying to understand US export law and its motivations. It is fairly easy to locate the wording of US law but I am having some trouble identifying its intention. Join the club. I doubt that anyone outside of the NSA really understands what they are trying to accomplish. Is the law really intended to prevent non-US residents from obtaining access to high-grade cryptography? Is the law's intention to control domestic use of cryptography? Does the government have an official : position defining intent? As written, the law is intended to prevent the transfer of cryptography technology to people and organizations outside the United States. (It would seem that prime component of this law would be the acceptance as fact the idea that non-US residents would not develop their own cryptography technology.) The law is not meant to control domestic use of cryptographic, although this loophole is currently being addressed by the White House, FBI, and certain members of Congress. It is my understanding that an early attempt by the FBI to outlaw all use of cryptography within the US (except for government use, of course) failed because it also would have prevented US banks from making international wire fund transfers, which by treaty must be encrypted. The Clipper Chip is being pushed by the White House as the answer to private cryptography while still allowing the government to read the encrypted messages. They also want to give this technology (along with the US government backdoor) to everybody in the world. Naturally, many countries have declined this generous offer. What is the current status of US-implemented applications that invoke a cryptography API, e.g., Microsoft's CryptoAPI? Can these applications be exported? from what I've read, the Microsoft Crypto API is being developed with the full cooperation and blessing of the NSA. In exchange, the Microsoft will be allowed to export the software and programs that use the API can also be exported. -- Charles Rutledge | Liberty is a tenuous gift. Hard to win, easy centauri@crl.com | to give away, and no will protect it for you. ------------------------------ From: bernie@fantasyfarm.com (Bernie Cosell) Date: 25 Jun 1996 03:09:04 GMT Subject: Re: US Export Law Organization: Fantasy Farm Fibers References: "Glenn Benson" wrote: I am trying to understand US export law and its motivations. It is fairly easy to locate the wording of US law but I am having some trouble identifying its intention. The law in question is referred to a "ITAR". The International Trade in ARMs Regulations. They cover the export of materials which would be useful to an enemy of the US in a time of war. They go back to [at least] world war 2 [I've asked this before and never gotten a straight answer: does anyone know the actual _original_ legislation and its history up to the current ITARs? We struggled with it in the 60s, other manufacturers dealt with it in the 50s. But I don't know when it all got started.] Is the law really intended to prevent non-US residents from obtaining access to high-grade cryptography? Is the law's intention to control domestic use of cryptography? No, and in fact the law says *NOTHING* about 'domestic use of cryptography'. That's been the point I've been trying to raise: if US citizens, all 300 or whatever million of us, really cared about this stuff, *we*could*have*it*. Perfectly legal, and moreover almost certainly protected by the Constitution! The law covers "arms" in its most general sense: items of technology that could be used against us by our enemies in a time of war. Only the most naive [or ill-informed] don't realize the crypto technology is among the *MOST* valuable and most jealously guarded. The restriction on crypto export *is*not*new* --- it has been there all along. What is the current status of US-implemented applications that invoke a cryptography API, e.g., Microsoft's CryptoAPI? Can these applications be exported? As far as I know, "API"s do *not* come under ITAR, only the actual underlying cryptosystem. And so you can export your API and provide it with an approvedly-weak cryptosystem, and your overseas customers are free to plug in something else if they wish. [note: you can *sell* your domestic customers anything you please. I use SCO unix and its normal package includes only a weak crypto system... BUT: by signing a statement that my system will not be exported I received a copy of a very-strong crypto system on a floppy. Nothing sinister, nothing difficult. -- Bernie Cosell Fantasy Farm Fibers bernie@fantasyfarm.com Pearisburg, VA --> Too many people, too few sheep <-- ------------------------------ From: bernie@fantasyfarm.com (Bernie Cosell) Date: 25 Jun 1996 03:09:14 GMT Subject: Re: Marketing on the Information Highway Organization: Fantasy Farm Fibers References: Rose M Daitsman wrote: New tools for marketing products are ready for sale. However, the price of convenience of renting videos by computer and making purchases of clothing, appliances,etc. via tv is a serious loss of privacy. The insidious aspect of this is that people will voluntarily accept opening their lives, habits, idiosyncracies, tastes, needs to the marketers [ ...] How do we change it? Why do you think that such a thing is even possible or that anyone wants to? US citizens have voted [with their feet and with their dollars!] over and over, _consistenty_, that they place essentially no value on the 'privacy' that the drum thumpers laud so highly. If a 'secure' item costs even a little bit more than its 'open' colleague, it is doomed in the marketplace [e.g., secure cordless phones]. If someone offers a person an amazingly small amount of money (or a little bit of convenience) in exchange for a bit of their privacy, they opt for the money/convenience every time. For good or ill, the US consumer just does *NOT* represent a market that is terribly concerned about privacy issues. That's observable fact [and I've never even heard much of an anecdote to the contrary... mostly just handwringing in forums like this one by folk who _wish_ that their neighbors and colleagues cared about this stuff...] -- Bernie Cosell Fantasy Farm Fibers bernie@fantasyfarm.com Pearisburg, VA --> Too many people, too few sheep <-- ------------------------------ From: Berliner Datenschutzbeauftragter Date: 25 Jun 1996 10:48:14 -0700 Subject: Discussion Forum on Privacy on the Internet Organization: Technical University of Berlin, Germany The International Working Group on Data Protection in Telecommunications is currently working on Data Protection and Privacy on the Internet. The Group was founded in 1983 and has been initiated by Data Protection Commissioners from different countries in order to improve Data Protection and Privacy in Telecommunications. The Secretariat of the Group is located at the Berlin Data Protection Commissioners Office, Berlin, Germany. At its spring meeting 1996 in Budapest the Group has agreed on a Draft Report and Guidance on Data Protection on the Internet. It was agreed to publish the Report on the Net in order to receive comments from the network community. The Secretariat of the Working Group has initiated a discussion forum located at the WWW-Server of the Berlin Data Protection Commissioner (http://www.datenschutz-berlin.de/diskus/). The comments received will be published on the server. We are looking forward to your comments on the report. -- Yours sincerely, Hansjürgen Garstka (Chairman of the Group) ------------------------------ From: rwh@best.com (Dick Hein) Date: 25 Jun 1996 14:14:23 -0700 Subject: Re: Privacy while Downloading from Newsgroup Organization: Best Internet Communications, on-ramp to the ISH. beardawg@usa.pipeline.com () wrote; Let me admit right upfront - I'm a newbie. That said - Who, other than my ISP, has access to what I may be downloading from the newsgroups? acar@vcn.bc.ca (Al Acar) I can think of 3 possibilities (And I'm sure there're more...) 1- People hacking into your ISP from outside, 2- People who use the same ISP as you do and have found a way to access other user's account info (internal hackers, if you will) Does this not assume a shell-based newsreader? Or do you include the possibility of a packet sniffer for TCP/IP (PC-based) clients? -- Dick Hein / rwh@best.com / Mountain View, California. ------------------------------ From: blanchar@mail1.sas.upenn.edu (Jean-Marc F. Blanchard) Date: 26 Jun 1996 22:10:08 GMT Subject: Re: Privacy in Politics Organization: University of Pennsylvania References: Charles R. Smith (softwa19@us.net) wrote: Privacy is now an issue. Recent events at the White House have placed personal privacy as a major concern before Congress and the people. The current resident of 1600 Pennsylvania Avenue has made his political success by claiming to be the friend of the common people. However, his claims fall far short of his actions. I am a supporter of President Clinton, but agree with Mr. Smith that Clinton has failed as an advocate of individual privacy rights. Unfortunately, this is a problem with all of the candidates--I did a survey of the Clinton, Bush, and Perot campaigns in 1992 and NONE of the candidates had anything to say (either in terms of their respective campaign platforms or in response to specific questions) with respect to measures that should be taken to protect individual privacy rights. -- Jean-Marc F. Blanchard Prisonership Editor Once Upon A Time ------------------------------ From: David Kennedy <76702.3557@CompuServe.COM> Date: 27 Jun 96 12:52:29 EDT Subject: White House--Database [long] Courtesy of Associated Press via CompuServe's Executive News Service: White House-Database AP US & World 6/27/96 2:08 AM By KAREN GULLO Associated Press Writer WASHINGTON (AP) -- The White House keeps nearly 200,000 computer files on everyone from lawmakers to political donors to people who get holiday cards from the president, a senior aide revealed. o The White House listed some of uses for the db: Invitations (including a list of past events invited to) Christmas Cards Receiving "the President's views on issues." Whether people are personal friends Whether they've contributed money (Less than half the names) Specifically not used as "an intelligence tool" The system, which took a year and a half to build and was completed in 1995, is available to about 90 White House aides who need the information for their jobs, such as social office, public liaison and intergovernmental affairs employees, said >Toiv. [DMK: Senior Advisor to Chief of Staff Leon Panetta, Barry Toiv.] o The Democratic National Committee, the re-election campaign organizations and other government agencies, except the Secret Service cannot access the system. The Secret Service has access to assist in White House access control. o Republicans have jacked up the rhetoric that was already at a moderate volume over the "Filesgate" issue. No one has called for Congressional hearings. Yet. Rep. John Boehner, R-Ohio asked theWhite Housee to release to individual Republican congresmembersrs his or her personal file. o Most files are of government officials, governors, Congress members, mayors and other people who have contacted the Clinton's on political issues. The Clinton White House once included race and ethnicity in the files, but that practice was discontinued, Toiv said. "In the past a person's ethnicity would be listed because it might determine their interest in an issue," he said. The White House later decided that race shouldn't be included. The Washington Times, which first reported on the database, said sexual preference once was included in the files. Toiv denied that and said it was never part of the files. ********* "If a person was interested in gay and lesbian issues that would be noted," he said. Social security numbers are included for people who have visited the White House. FBI and tax records are not in the files, he said. [DMK: SSN are Privacy Act protected information. OMB Circular A-130 includes the following, "Within the Executive Office of the President, the term (agency) includes only OMB and the Office of Administration." If this system is under the control of the Office of Administration, OMB A-130 applies, begging the question is the system protected to "C2" or better? If the system is not in the Office oAdministrationon, what prudent, common sense precautions are being taken to protect Privacy Act information?] Dave Kennedy [CISSP] InfoSec Recon Team Chief, National Computer Security Assoc. ------------------------------ From: jwarren@well.com (Jim Warren) Date: 27 Jun 1996 13:08:14 -0700 Subject: RISKS: FBI Surveillance of Library Patrons It seems appropriate to recap this past(?) FBI surveillance practice -- given the: * FBI's half-billion-dollar national wiretap system (mandated by the Democrats in 1994 legislation), * FBI's and Clinton's continuing *vehement* opposition to widespread use of robust privacy protection (standardized uncrackable crypto), and * White House's past (Watergate) and apparently-ongoing use of confidential FBI files compiled on an administration's political opponents. The following is a response that I received to some private dialogue re the FBI's snooping on "suspicious" library patrons and what they read. It is from, Jim Schmidt, past President of the American Library Association's stellar legal-action arm, the Freedom-to-Read Foundation. He is currently in academic librarianship at San Jose State Univerity. -- Jim Warren, GovAccess list-owner/editor, advocate & columnist (jwarren@well.com) 345 Swett Rd., Woodside CA 94062; voice/415-851-7075; fax/<# upon request> [puffery FWIW: Hugh M. Hefner First-Amendment Award, Playboy Foundation; James Madison Freedom-of-Information Award, Soc.of Prof.Journalists-Nor.Cal.; Pioneer Award, Electronic Frontier Foundation (its first year, 1992); founded InfoWorld, DataCast, Computers, Freedom & Privacy confs, etc. :-).] Date: 26 Jun 96 12:33:14 PDT From: jim Subject: Re: Librarys To: Jim Warren Jim I am one of the two living experts on the FBI's Library Awareness Program; the other one wrote a book about it. A short recap below. In 1970 (give or take) after the bombing which cause at least one death of the computer center at U Wisc - Madisson, FBI and ATF folks asked the Milwaukee Public Lib for names of persons who had recently checked out or who still had library books on plastic explosives. From this incident arose the Amer Lib Assoc's first policy on confidentiality of lib recs. The FBI's so-called "Library Awarness Program" was an initiative of the latter 80's, represented by the Agency as limited to scientific and technical libraries and primarily run out of the NY regional office. Given reported visits across the country and not only to scientific and technical libraries we know that the Bureau's characterization of the program is incorrect. >From testimony of bureau employees and from documents secured under FOIA, we know that the program of the 80's was in fact a resurrection of one that operated in the 70's, and we have inferential (strongly suggestive)evidence that library visits occurred in the 60's too. The 80's version was the Bureau's contribution to an interagency program coordinated by the CIA, specifically initiated at the behest of the CIA deputy one Adm Bobby Inman (ret), to limit technology transfer from US to other countries (remember the commodities list, licences required from Dept of Commerce, NSA monopoly re encryption research, etc?) of which Zimmerman's problems with PGP are vestiges as are those that the grad student at Berkeley had to go to court about. As a result of the 80's program, now 46 states have statutes specifically protecting personally identifiable information in library records (there were 38 when news broke in Sept 87 of the FBI's visit to the Math Lib at Columbia). Automated library systems currently do attach at least a patron's name to items he or she has checked out, i.e. still has not returned. Virtually all such systems strip personnally identifiable data from the transaction records when the items are returned. I won't vouch for whether a forensic data specialist (or hacker) could with some amount of work reconstruct who borrowed what but it wouldn't be easy and getting access to a library's system to do it would be another matter. I think the consciousness of libraries was greatly raised in the 80's and I feel comfortable, especially given the wonderful way the library staff in Montana responded in re Kaczynski, in saying that the staffs won't willingly permit access and that they go to some lengths to assure that access cannot be gained. Jim Schmidt San Jose State == I asked for & received Jim's permission for arbitrary re-distribution == Date: 27 Jun 96 10:43:07 PDT From: jim Subject: Re: Librarys To: Jim Warren you may recirculate to your heart's desire. ------------------------------ From: mthompson@asu.edu (M Thompson) Date: 26 Jun 1996 08:22:25 GMT Subject: NorthStar: PGP Jump Start Organization: Arizona State University NorthStar A Guiding Light on Internet Issues Newsletter of the Internet Users Consortium To heighten the NorthStar experience, subscribe to the HTML Version of NorthStar. NorthStar is a guiding light to help you focus on the primary issues which threaten our Internet Freedom. In this Newsletter we let Internet Users know what the necessary issues and actions are to defend the Internet. We sincerely invite your participation at all levels, from discussion to action. Rethink what Activism means - Isn't it just participation? NorthStar #20 Sunday 6/23/96 Director..........proteios@iuc.org Editor..............wtj@primenet.com Author.............John Whitman <75211.2147@compuserve.com> Update: Internet Users Consortium WE'VE MOVED!!!! The NEW HomePage for the Internet Users Consortium is at: http://www.iuc.org/ The NEW HomePage for NORTHSTAR is at: http://www.iuc.org/northstar.html Update your bookmarks, links and most especially your link to the latest addition of NorthStar can ALWAYS be found at: http://www.iuc.org/current.html This URL will never change and will always link you to the current issue of NorthStar. NEVER SAY NEVER . . . but . . . We at NorthStar believe so strongly in these principles that we make the following pledge to you, our reader and fellow Internet Activist: NorthStar will NEVER sell/rent/trade/share our mailing list NorthStar will NEVER use Government mandated encryption NorthStar will NEVER represent any commercial interest NorthStar will NEVER cooperate with any Government intrusion +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ PGP JUMP START If you hate reading manuals -- here is the easy way to get started with PGP (Pretty Good Privacy). PGP JUMP START helps you get up and running fast with PGP, so that you can exchange encrypted e-mail messages with your friends. This document assumes basic familiarity with DOS, Windows and Unzipping! STEP ONE: DOWNLOAD PGP STEP TWO: DOWNLOAD PGP QuickStart (for Windows users) STEP TWO-A: UNCOMPRESS PGP STEP TWO-B: EDIT AUTOEXEC.BAT STEP THREE: GENERATE YOUR PGP KEY PAIR STEP FOUR: SIGN YOUR KEY STEP FIVE: EXTRACT A COPY OF YOUR KEY STEP SIX: REGISTER YOUR PUBLIC KEY STEP SEVEN: OBTAIN A PERSON'S PUBLIC KEY STEP EIGHT: ADD A PERSON'S KEY TO YOUR PUBLIC KEYRING STEP NINE: ENCRYPT A MESSAGE STEP TEN: SEND AN ENCRYPTED MESSAGE AS E-MAIL STEP ELEVEN: DECRYPT AN ENCRYPTED E-MAIL MESSAGE STEP TWELVE: READ THE DOCUMENTATION STEP THIRTEEN:PGP THE EASY WAY STEP ONE: DOWNLOAD PGP If you do not already have an official copy of Phil Zimmermann's PGP 2.6.2, then download pgp262.zip now from one of the MIT sites: ftp://net-dist.mit.edu/pub/PGP/ http://web.mit.edu/network/pgp.html Go ahead ~ download PGP now! ~ It's only 276 K. We'll wait for you. STEP TWO: DOWNLOAD PGP QuickStart (for Windows users) PGP QuickStart is a PGP install program which will automatically perform STEP TWO-A and TWO-B listed below. This easy-to-use Windows program, written by Joel McNamara, is highly recommended. EITHER download PGP QuickStart and skip to STEP THREE, OR continue with Step TWO-A below. Note: If you decide to use PGP QuickStart, you may want to scan STEP TWO-A and TWO-B to get an idea of what PGP QuickStart does. STEP TWO-A: UNCOMPRESS PGP Create a directory for the PGP files (e.g. C:\PGP). UNZIP pgp262.zip to the PGP directory. This will create the files pgp262i.zip, pgp262i.asc and setup.doc. UNZIP pgp262i.zip into the same directory. STEP TWO-B: EDIT AUTOEXEC.BAT Add the following lines, after the PATH statement, to your Autoexec.bat file: SET PGPPATH=C:\PGP SET PATH=C:\PGP;%PATH% SET TZ=**** (**** is the timezone you are in) Below are some examples: Hawaii: SET TZ=HST10 (Hawaii never uses daylight savings time) Alaska: SET TZ=AST9 Los Angeles: SET TZ=PST8PDT Denver: SET TZ=MST7MDT Arizona: SET TZ=MST7 (Arizona never uses daylight savings time) Chicago: SET TZ=CST6CDT New York: SET TZ=EST5EDT London: SET TZ=GMT0BST Amsterdam: SET TZ=MET-1DST Moscow: SET TZ=MSK-3MSD Auckland: SET TZ=NZT-13 Substitute your own directory name if different from "C:\PGP" Now reboot your computer so that these changes will take effect. STEP THREE: GENERATE YOUR PGP KEY PAIR You are now ready to generate your PGP Key Pair. At the DOS prompt type: pgp -kg and press Enter. STEP THREE is divided into 4 Parts. Answer the questions when prompted by the PGP program. STEP THREE, Part 1. *Pick your RSA key size* We recommend Size 2 [768 bits - High commercial grade] as the most practical for general use. STEP THREE, Part 2. *Enter a user ID for your public key* Use your full name as your userID, because then there will be less risk of people using the wrong Public Key to encrypt messages to you. Spaces and punctuation are allowed in the userID. Type your full name followed by your E-mail address in like so: John Q. Smith Please note: When you use PGP, you do not have to type your full userID when requested. You can type any part of the userID. If your userID were John Q. Smith any of the following would work: John Smith jqs "John Q." (Note: If there is a space, the userID must be in quotes.) "John Q. Smith" STEP THREE, Part 3. *Enter pass phrase* PGP will ask for a "pass phrase" to protect your secret key in case it falls into the wrong hands. Nobody can use your secret key without this pass phrase. The pass phrase is like a password, except that it can be a whole phrase or sentence with many words, spaces, punctuation, or anything else you want in it. The pass phrase is case-sensitive, and should not be too short or easy to guess. The longer and more random your pass phrase is, the more secure your key files and encrypted files will be. Don't leave your pass phrase written down where someone else can see it, and don't store it on your computer if other people can access your computer. Here are some examples of pass phrases: QwErTy Omaha, Bugaha, Rugaha, 1936XYZ hdF6kjHd4f$w%@@K#^%5%RoEihefiUwe9/f/g77E5Q7$ Although the third pass phrase is strongest, don't make the pass phrase too complicated, since you have to type your pass phrase EVERY time you decrypt or sign a PGP message. The first one, a simple pass"word" will work, but it is vulnerable to attack and may compromise your security. If you can find the phrase in any published work then don't use it. Don't use any phrases from your personal history or popular culture. Using "0dd sp3LLing5 and CaPitaliZaTiOn" will make your pass phrase harder to guess or attack. Also, you must remember which letters are capitalized, since the pass phrase is case-sensitive. Now type your pass phrase. STEP THREE, Part 4. *We need to generate ___ random bits* PGP will ask you to enter some random text to help it accumulate random bits for key generation. When asked, you should provide some keystrokes that have irregular timing between strokes, and that utilize upper case and lower case letters as well as numerals. Type this random text on the keyboard, until you are prompted to stop. There will then be a delay (a few seconds to a few minutes) depending upon the speed of your computer and the RSA key size you picked. PGP will actually generate two keys [your key pair]; your Secret key that you keep secret and a Public key that your friends and [if you allow it] the general public may obtain and use to send you messages. (The public key "locks" the message; the secret key "unlocks" it.) Your Secret key will automatically be placed into the file C:\pgp\secring.pgp which is your Secret keyring. Your Public key will be automatically placed into the file C:\pgp\pubring.pgp which is your Public keyring. To view or verify your keyring, type: pgp -kv and press Enter. STEP FOUR: SIGN YOUR KEY You must sign your key for added security. At the DOS prompt type: pgp -ks userID and press Enter. (The userID is what you decided on, back in STEP THREE, Part 2) PGP will respond by showing your Key ID and your Key fingerprint. You don't need to worry about such things at this point. Press y and Enter when you are asked: "to solemnly certify that the above public key actually belongs to the user specified by the above userID ?" Type in your pass phrase when asked. (The pass phrase is what you decided on, back in STEP THREE, Part 2) You will then see, "Key signature certificate added". STEP FIVE: EXTRACT A COPY OF YOUR KEY TO A KEYFILE To allow others to send you encrypted messages, you must give them your public key. To do this, you should extract a copy of your key to an ascii keyfile. The keyfile name should start with your initials, followed by the word "key", and the extension "asc", which indicates that the keyfile is an ascii file. For example, if your name were John Q. Smith, then you would name your keyfile, jqskey.asc. At the DOS prompt type: pgp -kxa userID keyfile Below is an example of how John Q. Smith would extract a copy of his key at the DOS prompt: pgp -kxa John jqskey.asc He would then see: "Key extracted to file 'jqskey.asc'" In STEP SEVEN you can see an example of a PGP PUBLIC KEY BLOCK that is contained in a PGP keyfile. STEP SIX: REGISTER YOUR PUBLIC KEY In order to receive messages encrypted with PGP, you should submit your public key to a PGP Public Key Server, which allows PGP users to exchange their public keys with each other. http://www-swiss.ai.mit.edu/~bal/pks-commands.html is the URL of a PGP Public Key Server where you can submit your public key. Follow the simple instructions found there to add your public key to the PGP Public Key Server's keyring. It's as easy as using the copy and paste commands. The keyserver processes ADD requests every 10 minutes. After your key has been processed the server will send a confirmation message to your e-mail address. Note: It is not mandatory that you register your public key. There are alternative methods available to exchange public keys. These methods are mentioned at the end of STEP SEVEN. STEP SEVEN: OBTAIN A PERSON'S PUBLIC KEY In order to send a message encrypted with PGP to a person, you must first obtain that person's PGP Public Key. Go to the http://www-swiss.ai.mit.edu/~bal/pks-commands.html Website. This is the same URL of the PGP Public Key Server mentioned above, and is where you can extract someone else's public key. Follow the simple step-by-step instructions found there to extract a public key from the PGP Public Key Server's keyring. Remember, while viewing the keyfile, highlight the entire PGP PUBLIC KEY BLOCK with your mouse and copy. Then paste the KEY BLOCK into a text editor and save it as a keyfile using the same keyfile naming convention as you used in STEP FIVE to name your own keyfile. Thus the keyfile name for John Q. Smith (whose initials are jqs) would be jqskey.asc Below is an example of a PGP PUBLIC KEY BLOCK that would be copied. Be sure to highlight all the dashes "-----" at the beginning and end of the KEY BLOCK. -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQCtAzFdDD8AAAEFAPLLiJ+cmQEPDE7l7SFgJw/RZvRK8Z/dDprpBzTVmdGzSuwX SORInqHH5/AADA6WWIrRctOHE5nkfaM/LUwz24NXMRXodUgreIHZQndFQz3oDe6c eg5voBMft0NyAk23WMlU3FCiff8QW1duA0g3UXaD1ufuzYrX0avSrGbJoSS0Yw8w 5olqZkfWQtc6gWVdULyuuliZkRwOjnqxi1n7ThUABRG0KEpvaG4gV2hpdG1hbiA8 NzUyMTEuMjE0N0Bjb21wdXNlcnZlLmNvbT6JALUDBRAxXRtejnqxi1n7ThUBAQ7h BQDAhm/C7WeH/QMhn2wePS46z86gN9Q2BmK4QnItN01yRw5unJgXhCxGF/R+RFid m1ulc5thOCDYUktJWvUU7a+tNmwwL2rD4MZ6Z7AdTn5zeU00/FSh2B6PrWVoBZgJ LB0TDBCQg1jkk3e9Tm0NFrjjG287GzIxyhbM4K8wq7wrXBCKJGLnjm7MnxZLD9dQ 9BfsBZvQtFvvUGxOxCHyt/yw =KJOg -----END PGP PUBLIC KEY BLOCK----- If your web browser does not support the highlighting of text with a mouse, then do a Save As command to download the keyfile to the PGP directory on your computer. There are alternative methods to obtain (or deliver) a PGP Public Key: You can simply e-mail the keyfile that contains the PGP PUBLIC KEY BLOCK instead of using a PGP Public Key Server. You would e-mail your keyfile to your friend, so that your friend could encrypt messages to you, with your public key. And, your friend would e-mail their keyfile to you, so that you could encrypt messages to them, with their public key. You can post your PGP PUBLIC KEY BLOCK on your web site or ftp site. A visitor need only highlight the entire PGP PUBLIC KEY BLOCK with their mouse and copy. They would then paste the KEY BLOCK into a text editor and save it as a keyfile. (See STEP FIVE for instructions on naming a keyfile). You can obtain a person's public key from their web site or ftp site in the same manner. STEP EIGHT: ADD A PERSON'S KEY TO YOUR PUBLIC KEYRING After you receive an individual's public key (as in STEP SEVEN), you must add that person's key to your public keyring (pubring.asc), so that PGP can use it. At the DOS prompt type: pgp -ka keyfile This will automatically add the person's key to your public keyring. For example, to add John Q. Smith's key to your keyring you would type: pgp -ka jqskey.asc To view your key ring and verify that the key was added properly, type: pgp -kv at the DOS prompt. STEP NINE: ENCRYPT A MESSAGE Type a short test message with a text editor and save it as an ascii file, message.txt. To encrypt and sign your message, go to the DOS prompt and type: pgp -seat message.txt sender_userID recipient_userID Remember that you don't have to type the full userID, but if the userID has a space in it, then the userID must be in quotes. Since the message is signed, you will be asked for your pass phrase. Type in your pass phrase that you created in STEP THREE, Part 3, and press Enter. The program will then state: Transport armor file: Message.asc Message.asc is the name of the encrypted ascii file that you will e-mail to your friend. Note: to see what the individual letters (-seat) instruct PGP to do, at the DOS prompt type: pgp -h for online help. STEP TEN: SEND AN ENCRYPTED MESSAGE AS E-MAIL Open the encrypted ascii file, message.asc, with your text editor. Copy/paste the entire PGP MESSAGE block into your e-mail client, then send your e-mail in the usual way. Below is an example of a PGP MESSAGE that would be copied. Be sure to highlight all the dashes "-----" at both ends of the MESSAGE. -----BEGIN PGP MESSAGE----- Version: 2.6.2 pgAAATVqaqdNzOXCQBI/XNhE9nOZSUBbhGr6UuiSKty2jT/aP8/VhY8/WxLkfmsm H1AlD5TBzoBwDMqLLQCT9SU0NozeAFCMRMzMl0c1AFB2dT/YNE5Y2hE00TfkHecM ddggHzxVur+Xcon6C1tN0TUAQqLK+l0+aomtYBeRghVGAqTHB3nA71yK9MXeEcz2 lzEqUJuhKORCMYy6GfeW5ZRKmKloggJXHIafisF82Fw9FZXKHjbsUKtQZCYWxADR XSs6QzedojKNu33MvxNzjqX4JGUr4w7rYSCY6L2SJWz0MROop1EsHNb0AS/cdd0t eKNFi6JrHfG3aSBkL9QNcfqsQZiyeAjxv9/YsbJGC4h0Nxlu+Dlfq5nXajARaJNG szmrPNYxwIO7waKIeB6Y84OE9CcMXd7TriY= =5+NR -----END PGP MESSAGE----- STEP ELEVEN: DECRYPT AN ENCRYPTED E-MAIL MESSAGE When you receive an encrypted e-mail message save the message to your hard drive using "asc" as the extension to the file name. (e.g., message.asc) To decrypt the message that you received, type: pgp message.asc -o message.txt. The file name "message.txt", after the -o indicates the name of the output file that you will create and read. You will be asked for your secret pass phrase to decrypt the message. After creating the file "message.txt", read it in a text editor. Assuming you have installed PGP, you can go back to STEP TEN, and try to decrypt the actual PGP Message shown there. Remember, highlight the entire PGP MESSAGE block with your mouse and copy. Then paste the PGP MESSAGE block into a text editor and save the message to your hard drive as "practice.asc". To decrypt the file type: pgp practice.asc -o practice.txt at the DOS prompt. When asked for the pass phrase type in "Zimmermann Rules", without the quotes, and press enter. Then view the newly created file "practice.txt" with a text editor or your favorite file viewer. STEP TWELVE: READ THE DOCUMENTATION PGP JUMP START is not a substitute for your reading the files, pgpdoc1.txt and pgpdoc2.txt, which contain documentation for PGP. Before using PGP, at least read Volume I of the PGP User's Guide, pgpdoc1.txt. Reading the manual tends to get neglected with most computer software, but Cryptography software is easy to misuse. If you don't use it properly much of the security you could gain by using it will be lost! You might also be unfamiliar with the concepts behind public key cryptography; the manual explains these ideas. Even if you are already familiar with public key cryptography, it is important that you understand the various security issues associated with using PGP. PGP may be an unpickable lock, but you have to install it in the door properly or it won't provide security. Below is a list of PGP Documentation files which come with the program: setup.doc - Installation guide pgpdoc1.txt - PGP User's Guide, Vol I: Essential Topics pgpdoc2.txt - PGP User's Guide, Vol II: Special Topics pgp.hlp - Online help file for PGP To display the online help file, type: pgp -h at the DOS prompt. You may prefer to read the hypertext version of Phil Zimmermann's PGP Documentation files at http://www.pegasus.esprit.ec.org/people/arne/pgp.html After reading all the PGP documentation if you still have a specific question you can ask the noble PGP Help Team at http://www.well.com/user/ddt/crypto/pgp-help-team.html STEP THIRTEEN: PGP THE EASY WAY PGP is a DOS command line program, surviving in a Windows world. Many computer users have no interest in using arcane DOS commands. PGP The Easy Way means using a Windows Front-End program. You may download a PGP Windows Front-End program (or a PGP DOS Shell) (or even a UNIX or OS/2 or Mac Front-End) from Scott Hauert's Website at http://www.primenet.com/~shauert/ To incorporate PGP with your e-mail client try Joel McNamara's Private Idaho at http://www.eskimo.com/~joelm/pi.html the Windows PGP Front-End, which facilitates sending/receiving encrypted email messages. There's even a Windows Front-End which runs as an extension to Eudora, called PgpEudra at http://www.xs4all.nl/~comerwel/ The most recent version of PGP JUMP START, which is always found at http://tucson.com/2001/pgpjumps.html, may be freely distributed for non-commercial purposes, by any electronic means. Please leave intact, unaltered, and fully credited. However, neither the author of this document, nor any of its distributors are liable for any loss, damage, or breach of security which may result from its use. Copyright 1996 Author: John Whitman <75211.2147@compuserve.com> Editor: William Johnson ---------------------------------------------------------------------------- NorthStar is an Internet Distribution List provided by the Internet Users Consortium a fiercely independent Grass Roots organization founded by Martin Thompson and Kenneth Koldys, Jr, to inform and coordinate Internet Users concerning political and government actions against the complete self-actualization of the Internet and our Constitutional Rights in Cyberspace. ---------------------------------------------------------------------------- Past issues of NorthStar are archived at the NorthStar Archive http://www.iuc.org/www/northstar.html on the Internet Users Consortium WWW site ---------------------------------------------------------------------------- ***Please feel free to distribute NorthStar to as many people and relevant forums as possible. That is one way to inform, educate and take action. All we ask is that you keep NorthStar intact. It is concise for that very reason. ***If you wish to submit an article to NorthStar, please send your article to northstar@iuc.org ++++++++++++++++++++++++++++++++++++++ SUBSCRIPTION REQUESTS for NorthStar: To: northstar@iuc.org Subject: leave blank Body of message: subscribe NorthStar your email (format) *NorthStar comes in 3 formats. Note which format you wish to recieve: html,ascii or ns mail PUT (ascii) AS THE VERSION IF you do not have access to the World Wide Web or would simply prefer to receive NorthStar as a plain vanilla ascii email message. PUT (html) AS THE VERSION IF you would like to see the fully-formatted Web version of NorthStar. In this case, you will receive NorthStar as an email with the HTML version ATTACHED for easy viewing in Netscape or other Web browser. PUT (Netscape Mail) AS THE VERSION IF you use Netscape Mail and would like to see NorthStar materialize as a Web-formatted document right in your mail. To unsubscribe write: unsubscribe and your email (format) ++++++++++++++++++++++++++++++++++++++ MEMBERSHIP REQUESTS for IUC: http://www.iuc.org/join.html ++++++++++++++++++++++++++++++++++++++ Internet Users Consortium 7031 E. Camelback Ste 102-515 Scottsdale, AZ 85251 Email: proteios@iuc.org IUC: http://www.iuc.org/ NorthStar: http://www.iuc.org/northstar.html Rethink what activism means - Isnt it just participation? ******************************************************************** ------------------------------ From: "Prof. L. P. Levine" Date: 27 Jun 1996 13:19:56 -0500 (CDT) Subject: Info on CPD [unchanged since 11/22/95] Organization: University of Wisconsin-Milwaukee The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply. If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below. On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing. Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors. Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the Subject: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit the text except for purely technical reasons. A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy". People with gopher capability can most easily access the library at gopher.cs.uwm.edu. Web browsers will find it at gopher://gopher.cs.uwm.edu. ---------------------------------+----------------------------------------- Leonard P. Levine | Moderator of: Computer Privacy Digest Professor of Computer Science | and comp.society.privacy University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu | Gopher: gopher.cs.uwm.edu levine@cs.uwm.edu | Web: gopher://gopher.cs.uwm.edu ---------------------------------+----------------------------------------- ------------------------------ End of Computer Privacy Digest V8 #051 ****************************** .