Date: Thu, 11 Jan 96 17:22:15 EST
Errors-To: Comp-privacy Error Handler
From: Computer Privacy Digest Moderator
To: Comp-privacy@uwm.edu
Subject: Computer Privacy Digest V8#005

Computer Privacy Digest    Thu, 11 Jan 96    Volume 8 : Issue: 005

Today's Topics:                          Moderator: Leonard P. Levine

    FLASH: Phil Zimmermann Case Dropped!
    Privacy, DBMS's and Client Server
    Re: Spy Viruses
    Re: Breasts on AOL
    Re: Checking Account Status is Public
    Canadian Social Insurance Number
    Re: Gas Station Receipts
    Info on CPD [unchanged since 11/22/95]

----------------------------------------------------------------------

From: Declan McCullagh
Date: 11 Jan 1996 14:36:09 -0800 (PST)
Subject: FLASH: Phil Zimmermann Case Dropped!

This is FABULOUS news! Please distribute widely!

-- Declan // declan@eff.org // My opinions are not in any way those of the EFF //

From: Philip Zimmermann
Date: 08 Jan 1996 03:35:46 -0700 (MST)
Subject: Zimmermann case is dropped.

-----BEGIN PGP SIGNED MESSAGE-----

My lead defense lawyer, Phil Dubois, received a fax this morning from
the Assistant US Attorney in the Northern District of California,
William Keane. The letter informed us that I "will not be prosecuted in
connection with the posting to USENET in June 1991 of the encryption
program Pretty Good Privacy. The investigation is closed."

This brings to a close a criminal investigation that has spanned the
last three years. I'd like to thank all the people who helped us in
this case, especially all the donors to my legal defense fund.
Apparently, the money was well-spent. And I'd like to thank my very
capable defense team: Phil Dubois, Ken Bass, Eben Moglen, Curt Karnow,
Tom Nolan, and Bob Corn-Revere. Most of the time they spent on the case
was pro-bono. I'd also like to thank Joe Burton, counsel for the
co-defendant.

There are many others I can thank, but I don't have the presence of
mind to list them all here at this moment.

The medium of email cannot express how I feel about this turn of
events.

-Philip Zimmermann
11 Jan 96

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMPDy4WV5hLjHqWbdAQEqYwQAm+o313Cm2ebAsMiPIwmd1WwnkPXEaYe9
pGR5ja8BKSZQi4TAEQOQwQJaghI8QqZFdcctVYLm569I1/8ah0qyJ+4fOfUiAMda
Sa2nvJR7pnr6EXrUFe1QoSauCASP/QRYcKgB5vaaOOuxyXnQfdK39AqaKy8lPYbw
MfUiYaMREu4=
=9CJW
-----END PGP SIGNATURE-----

------------------------------

From: kkirk@compumedia.com
Date: 09 Jan 1996 02:29:24 GMT
Subject: Privacy, DBMS's and Client Server
Organization: Compumedia, Inc.

I am putting together an article on the 'new' issues of Client Server
database access to corporate databases/warehouses. One of the major
issues is security.

Example: Joe User has access to public records at a school district,
including name, address and phone number information. Joe User
downloads this information into an Access database, makes a copy to a
ZIP drive, and takes it home to work with. Joe User's kid gets hold of
this information and makes copies... and passes them out at school.
Joe Abuser gets hold of the database, which contains information on
where his estranged wife is hiding.... and....

What I'm looking for is actual, published and documented cases where a
company or organization became liable either civilly or criminally for
releasing information that is considered private and protected.

If you have any references please email me at kkirk@compumedia.com.
Please, no rumours or non-public information.

Appreciate your help!

------------------------------

From: bo774@freenet.carleton.ca (Kelly Bert Manning)
Date: 09 Jan 1996 06:55:54 GMT
Subject: Re: Spy Viruses
Organization: The National Capital FreeNet
References:

    "Prof. L. P. Levine" (levine@blatz.cs.uwm.edu) writes:

    Syndicated columnist Gina Smith predicts a proliferation of computer
    "spy" viruses similar to Microsoft Windows 95's registration wizard
    that can zip around your CPU and determine whether you've legally
    registered all the software you've got loaded on there: "It's
    already possible to do this sort of scanning without alerting the
    user, so it doesn't take much of a futurist to imagine the same sort
    of stealth technology being used on unknowing bulletin board and
    Internet users. In fact, I think a trend away from juvenile-prank
    computer viruses to information-seeking `spy' viruses isn't merely
    likely, it's inevitable." (Popular Science Dec 95 p12)

According to a CBC Radio "Quirks and Quarks" segment from a few weeks
back, a Vancouver company called "Absolute Software" is planning to
offer a "PC Phone Home" product to deter or alleviate theft. The cure
seems to create a worse problem than it solves.

The spokesman for the product claimed that it would work even if parts
of the PC were disassembled and recombined into more than 1 new box.
The claim was that whatever is added in would look for a modem port and
dial a special 1-800 number during idle periods, in such a way that it
wouldn't be noticed by the user of the stolen system. In fact it would
do this on a preset schedule just to verify that it was working
correctly! If it got stolen, CNID/ANI or simply the call billing
details would reveal where it had been moved to.

Sounded not too bad up to that point, but then the spokesman went on to
talk about how data from stolen hard drives could be recovered by phone
during one of these calls, without the user of the stolen drive being
aware of the call being made or the transfer taking place.

I can't imagine an individual or a company with any concern about data
confidentiality that would seriously consider putting something inside
their boxes that is designed to surreptitiously dial out without the
user knowing, and which has the added bonus of covertly dumping data
over the phone line.

--
notice: by sending advertising/solicitations to this account you will
be indicating your consent to paying me $70/hour for a minimum of 2
hours for my time spent dealing with it

------------------------------

From: gmcgath@mv.mv.com (Gary McGath)
Date: 09 Jan 1996 12:08:14 GMT
Subject: Re: Breasts on AOL
Organization: Conceptual Design
References:

    fyoung@oxford.net (F Young) wrote:

    Does AOL allow members to use PGP to encrypt their e-mails?

I've exchanged PGP encrypted E-mail with AOL users, and have never had
any problems that couldn't be attributed to the usual sources of
confusion.

What is bizarre about AOL is that, while having a fixation on "dirty
words," they will not do anything about defamatory posts. When I had a
subscription there, one nut started making posts on the Religion Forum,
falsely claiming that I was sending him obscene E-mail, and fabricating
quotations. When I complained to the forum sysop, nothing happened;
when I followed up to ask if anything was done, this sysop (known as
Sermoner1) said that confidentiality rules prevented him from answering
my question -- and that incidentally *I* was violating the rules for
calling this person a "jerk." The lies continued; I cancelled my
account.

At the time, I thought that AOL figured that flamewars increased usage
of the system, while "dirty words" might drive people away, and thus
that they were increasing their revenue by having this policy. But
banning the word "breast" while allowing mildly dirty synonyms doesn't
even have this kind of twisted logic to it.

--
Gary McGath
gmcgath@mv.mv.com
http://www.mv.com/users/gmcgath
I'll lift my voice in a tone unshaken
And keep on singing until I die!
    -- Berton Braley

------------------------------

From: tye@metronet.com (Tye McQueen)
Date: 11 Jan 1996 14:41:39 -0600
Subject: Re: Checking Account Status is Public
Organization: Texas Metronet, Inc (login info (214/705-2901))
References:

    "Mark W. Eichin" writes:

    I'm told (by friends who are customers there) that University Bank,
    in Palo Alto CA, also provides this service by default; however, if
    you specifically ask them about it, they'll set a "privacy flag" on
    your account and will in fact refuse all such requests.

I'm shocked at how many banks have tellers that will divulge any
information about an account or even allow transfers, etc. based solely
on the person knowing the account number(s) and name(s) on the
account(s).

I requested my bank not allow *any* transactions on my account without
photo ID and was surprised that they always asked me for it from then
on. But that same bank cashed a check in the amount of the full balance
of my friend's account to an unseen individual in the far drive-up lane
based on my friend's driver's license being included with the check. No
camera caught pictures usable for identifying either the car or the
driver who had stolen my friend's purse (netting the DL and check book
w/ balance).

Embarrassingly, a young relative repeatedly stole personal checks from
GrandMa then filled them out and cashed them without presenting ID. It
took several repeats before they were caught.

I also had to change the "Bank by Phone" PIN from the default SSN to
one of my choosing.

The troubling thing is that all of these ways of accessing my account
are made available by default with little notification. You can't
afford to not make use of the Bank by Phone or Customer Service Line or
Drive-Thru lanes or in-person tellers because otherwise you don't know
how easy it is for anyone to get at your account and which access holes
you need to try to have plugged.

Utilities (phone, power, etc.) are often even worse.

Most customers seem to like it this way if asked properly (thinking of
convenience before security).

--
Tye McQueen    tye@metronet.com || tye@doober.usu.edu
Nothing is obvious unless you are overlooking something
http://www.metronet.com/~tye/ (scripts, links, nothing fancy)

------------------------------

From: mbesosa@drake.prometric.com (Michael Besosa)
Date: 11 Jan 1996 16:37:55 GMT
Subject: Canadian Social Insurance Number
Organization: Drake Prometric, L.P.

Can someone point me to a source of information on the Net about the
structure, validation, and permitted uses of the Canadian Social
Insurance number?

------------------------------

From: tye@metronet.com (Tye McQueen)
Date: 11 Jan 1996 14:59:57 -0600
Subject: Re: Gas Station Receipts
Organization: Texas Metronet, Inc (login info (214/705-2901 - 817/571-0400))
References:

    "Prof. L. P. Levine" writes:

    Over the last few months, I have pulled up to self-serve gasoline
    pumps that accept credit card payment, and noticed that a previous
    customer has left behind the receipt that gets printed at the end
    of the transaction. Some pumps make you explicitly hit a button to
    get a receipt, but others do it automatically.

Seven Eleven Citgo stations automatically print a receipt that includes
credit card type, expiration date, and transaction ID #. No account
number, customer name, etc. I find this ideal. I can easily tell which
credit card I used for that transaction, I'm not delayed by having to
push a "print receipt" button during some time window of the
transaction, and my privacy is protected if I forget or lose the
receipt. [They also always have latches so I don't have to stand
stooped over in the weather gripping freezing metal in my bare hand
while my tank fills; and my car gets better mileage than on more
expensive brands; so I'm a happy customer.]

I half wish the ubiquitous little automated credit card systems
attached to most cash registers these days would print such benign
receipts for me to sign. However, the credit card companies insist on
the full identifying information appearing on such
receipts/authorizations (sufficient information to easily make
fraudulent charges). They claim this helps them catch fraud but I'm
currently at a loss to explain how.

I say "half wish" because I fear only including a transaction ID would
lead to wider electronic availability of details of my spending
history.

Oh for widespread use of little cryptographic challenge/response smart
cards protected by a PIN so I could choose to require one's use before
any of my personal information could be accessed...

--
Tye McQueen    tye@metronet.com || tye@doober.usu.edu
Nothing is obvious unless you are overlooking something
http://www.metronet.com/~tye/ (scripts, links, nothing fancy)

------------------------------

From: "Prof. L. P. Levine"
Date: 08 Jan 1996 14:44:49 -0600 (CST)
Subject: Info on CPD [unchanged since 11/22/95]
Organization: University of Wisconsin-Milwaukee

The Computer Privacy Digest is a forum for discussion on the effect of
technology on privacy or vice versa. The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy (Moderated).
Submissions should be sent to comp-privacy@uwm.edu and administrative
requests to comp-privacy-request@uwm.edu.

This digest is a forum with information contributed via Internet eMail.
Those who understand the technology also understand the ease of forgery
in this very free medium. Statements, therefore, should be taken with a
grain of salt and it should be clear that the actual contributor might
not be the person whose email address is posted at the top. Any user
who openly wishes to post anonymously should inform the moderator at
the beginning of the posting. He will comply.

If you read this from the comp.society.privacy newsgroup and wish to
contribute a message, you should simply post your contribution. As a
moderated newsgroup, attempts to post to the group are normally turned
into eMail to the submission address below.

On the other hand, if you read the digest eMailed to you, you generally
need only use the Reply feature of your mailer to contribute. If you do
so, it is best to modify the "Subject:" line of your mailing.

Contributions to CPD should be submitted, with an appropriate,
substantive SUBJECT: line, otherwise they may be ignored. They must be
relevant, sound, in good taste, objective, cogent, coherent, concise,
and nonrepetitious. Diversity is welcome, but not personal attacks. Do
not include entire previous messages in responses to them. Include your
name & legitimate Internet FROM: address, especially from .UUCP and
.BITNET folks. Anonymized mail is not accepted. All contributions are
considered personal comments; usual disclaimers apply. All reuses of
CPD material should respect stated copyright notices, and should cite
the sources explicitly; as a courtesy, publications using CPD material
should obtain permission from the contributors.

Contributions generally are acknowledged within 24 hours of submission.
If selected, they are printed within two or three days. The moderator
reserves the right to delete extraneous quoted material. He may change
the Subject: line of an article in order to make it easier for the
reader to follow a discussion. He will not, however, alter or edit the
text except for purely technical reasons.

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18].
Login as "ftp" with password identifying yourid@yoursite. The archives
are in the directory "pub/comp-privacy". People with gopher capability
can most easily access the library at gopher.cs.uwm.edu. Web browsers
will find it at gopher://gopher.cs.uwm.edu.

---------------------------------+-----------------------------------------
Leonard P. Levine                | Moderator of:     Computer Privacy Digest
Professor of Computer Science    |                  and comp.society.privacy
University of Wisconsin-Milwaukee| Post:                comp-privacy@uwm.edu
Box 784, Milwaukee WI 53201      | Information: comp-privacy-request@uwm.edu
                                 | Gopher:                gopher.cs.uwm.edu
levine@cs.uwm.edu                | Web:            gopher://gopher.cs.uwm.edu
---------------------------------+-----------------------------------------

------------------------------

End of Computer Privacy Digest V8 #005
******************************
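Editor's note, added after the digest: the Zimmermann message above ends with a PGP 2.6.2 signature block, and the moderator's "Info on CPD" note reminds readers how easy forgery is in this medium. The Python below is an added example, not code from the digest or from any of its contributors. It takes the signature block exactly as printed on this page, strips the ASCII armor, recomputes the armor checksum, and parses the version-3 signature packet (RFC 4880 sections 4.2, 5.2.2 and 6.1) to show what the signature itself claims: which key, made when, with which algorithms. It assumes the radix-64 text survived its trip into the digest unchanged. It cannot verify the RSA/MD5 signature, because that needs the signer's public key and the exact signed text, neither of which is on the page.

```python
"""Inspect the PGP 2.6.2 signature block from the Zimmermann message.

Added example, not code from the digest or its contributors.  It strips
the ASCII armor, recomputes the armor CRC-24, and parses the version-3
signature packet (RFC 4880 sections 4.2, 5.2.2 and 6.1) so a reader can
see which key the signature claims, when it was made and with which
algorithms.  It does NOT verify the RSA/MD5 signature itself: that needs
the signer's public key and the exact signed text, neither of which is
on the page.
"""
import base64
import datetime
import struct

# The block as printed in the digest (constructed here from the page text).
ARMOR = """-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMPDy4WV5hLjHqWbdAQEqYwQAm+o313Cm2ebAsMiPIwmd1WwnkPXEaYe9
pGR5ja8BKSZQi4TAEQOQwQJaghI8QqZFdcctVYLm569I1/8ah0qyJ+4fOfUiAMda
Sa2nvJR7pnr6EXrUFe1QoSauCASP/QRYcKgB5vaaOOuxyXnQfdK39AqaKy8lPYbw
MfUiYaMREu4=
=9CJW
-----END PGP SIGNATURE-----"""

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB
PUBKEY_ALGOS = {1: "RSA", 2: "RSA encrypt-only", 3: "RSA sign-only", 17: "DSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA-1", 3: "RIPEMD-160", 8: "SHA-256"}
SIG_TYPES = {0x00: "binary document", 0x01: "canonical text document"}


def crc24(data: bytes) -> int:
    """Armor checksum: CRC-24 with the OpenPGP init value and polynomial."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def dearmor(armor: str):
    """Return (packet bytes, checksum stated in the armor, checksum recomputed)."""
    lines = armor.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an ASCII-armored PGP block")
    body = lines[1:-1]
    blank = body.index("")                  # armor headers end at the first blank line
    data_lines = [ln for ln in body[blank + 1:] if ln]
    checksum_line = data_lines.pop()        # last non-empty line is "=XXXX"
    if not checksum_line.startswith("="):
        raise ValueError("missing armor checksum line")
    raw = base64.b64decode("".join(data_lines), validate=True)
    stated = int.from_bytes(base64.b64decode(checksum_line[1:]), "big")
    return raw, stated, crc24(raw)


def parse_v3_signature(raw: bytes) -> dict:
    """Parse an old-format packet header and a version-3 signature body."""
    first = raw[0]
    if not first & 0x80 or first & 0x40:
        raise ValueError("expected an old-format packet header")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03
    if ltype == 0:
        length, off = raw[1], 2
    elif ltype == 1:
        length, off = struct.unpack(">H", raw[1:3])[0], 3
    elif ltype == 2:
        length, off = struct.unpack(">I", raw[1:5])[0], 5
    else:
        raise ValueError("indeterminate packet length not supported")
    body = raw[off:off + length]
    if tag != 2 or body[0] != 3 or body[1] != 5:
        raise ValueError("not a version-3 signature packet")
    # v3 layout: type(1) time(4) | key id(8) pk alg(1) hash alg(1) hash prefix(2) MPI
    sig_type = body[2]
    created = struct.unpack(">I", body[3:7])[0]
    key_id = body[7:15].hex().upper()
    pubkey_algo, hash_algo = body[15], body[16]
    hash_prefix = struct.unpack(">H", body[17:19])[0]
    mpi_bits = struct.unpack(">H", body[19:21])[0]
    mpi_len = (mpi_bits + 7) // 8
    when = datetime.datetime.fromtimestamp(created, datetime.timezone.utc)
    return {
        "tag": tag, "packet_length": length, "version": 3,
        "sig_type": sig_type, "sig_type_name": SIG_TYPES.get(sig_type, "other"),
        "created": created, "created_utc": when.strftime("%Y-%m-%d %H:%M:%S"),
        "key_id": key_id, "short_key_id": key_id[-8:],
        "pubkey_algo": pubkey_algo, "pubkey_name": PUBKEY_ALGOS.get(pubkey_algo, "other"),
        "hash_algo": hash_algo, "hash_name": HASH_ALGOS.get(hash_algo, "other"),
        "hash_prefix": hash_prefix, "mpi_bits": mpi_bits,
        "mpi_complete": len(body) == 21 + mpi_len,   # one RSA MPI fills the packet
    }


def inspect_block(armor: str = ARMOR) -> dict:
    raw, stated, computed = dearmor(armor)
    info = parse_v3_signature(raw)
    info["raw_length"] = len(raw)
    info["crc_ok"] = stated == computed
    return info


if __name__ == "__main__":
    for key, value in inspect_block().items():
        print(f"{key:>15}: {value}")
```

Run as-is it reports a 152-byte armor body holding one 149-byte type-2 packet: version 3, signature type 0x01 (canonical text), RSA with MD5, a 1024-bit MPI, key ID 657984B8C7A966DD (short form C7A966DD), and a creation time of 1996-01-08 10:33:05 UTC, which is within a few minutes of the message's Date: header (03:35:46 -0700) rather than the "11 Jan 96" typed in the body. crc_ok says whether the radix-64 text on the page still matches its own checksum. Note what the parser does not establish: the key ID is just a field in the packet, and a forger can put any key ID there. Until the signature is checked against a copy of that key obtained independently, the moderator's caution about forgery applies in full.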
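A second added example, prompted by Tye McQueen's closing wish in "Re: Gas Station Receipts" for PIN-protected challenge/response smart cards: a receipt that carries the full card number and expiry is itself a credential, whereas a response to a fresh challenge is good for one purchase only. This is the editor's code, not anything from the digest or its contributors. The Card, Issuer and terminal roles, the HMAC-SHA-256 response, the replay check, the three-strike PIN lockout, and the sample account number, PIN and merchant ID are all assumptions made for the illustration; a real card scheme would differ in its message formats and key management.

```python
"""PIN-gated challenge/response authorisation, contrasted with a receipt
that prints the full card details.

Added example, not from the digest or its contributors.  The card holds
a per-card key that never leaves it and answers a challenge only after
the correct PIN; the terminal relays bytes it cannot forge; the issuer,
which shares the key, checks the response and refuses replays.  The
printed receipt carries a transaction ID and a short tag, neither of
which lets a finder make a new charge.  Keys, PINs, account numbers and
merchant IDs below are constructed for the example.
"""
import hashlib
import hmac
import secrets
from typing import Optional

NONCE_LEN = 16
MAX_PIN_TRIES = 3


class Card:
    """Smart card: secret key stays inside; every response is PIN-gated."""

    def __init__(self, token: str, key: bytes, pin: str):
        self.token = token            # opaque ID the issuer maps to an account
        self._key = key
        self._pin = pin
        self.tries_left = MAX_PIN_TRIES

    def respond(self, pin: str, challenge: bytes) -> Optional[bytes]:
        if self.tries_left == 0:
            return None               # locked after too many wrong PINs
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.tries_left -= 1
            return None
        self.tries_left = MAX_PIN_TRIES
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Issuer:
    """Bank side: shares each card's key, authorises, and refuses replays."""

    def __init__(self):
        self._cards = {}              # token -> (key, account number)
        self._seen_nonces = set()
        self._txn_counter = 0

    def issue(self, account: str, pin: str) -> Card:
        key, token = secrets.token_bytes(32), secrets.token_hex(8)
        self._cards[token] = (key, account)
        return Card(token, key, pin)

    def authorize(self, token: str, challenge: bytes, response: Optional[bytes]) -> dict:
        if token not in self._cards or response is None:
            return {"ok": False, "reason": "no response"}
        key, _account = self._cards[token]
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return {"ok": False, "reason": "bad response"}   # wrong key, or amount/merchant changed
        nonce = challenge[:NONCE_LEN]
        if nonce in self._seen_nonces:
            return {"ok": False, "reason": "replay"}
        self._seen_nonces.add(nonce)
        self._txn_counter += 1
        return {"ok": True, "txn_id": f"{self._txn_counter:08d}"}


def make_challenge(amount_cents: int, merchant: str, nonce: Optional[bytes] = None) -> bytes:
    """Terminal side: a fresh nonce bound to amount and merchant, so a
    captured response is good for this purchase only."""
    nonce = nonce or secrets.token_bytes(NONCE_LEN)
    return nonce + amount_cents.to_bytes(8, "big") + merchant.encode()


def print_receipt(card: Card, response: bytes, result: dict) -> str:
    """What the pump prints: enough to reconcile, nothing that charges the card."""
    return f"TXN {result['txn_id']}  CARD ...{card.token[-4:]}  AUTH {response[:4].hex()}"


def demo() -> dict:
    issuer = Issuer()
    account = "4000 1234 5678 9010"                         # constructed
    card = issuer.issue(account=account, pin="4921")        # constructed PIN
    challenge = make_challenge(3250, "CITGO-7411")          # $32.50 at a constructed merchant ID
    response = card.respond("4921", challenge)
    first = issuer.authorize(card.token, challenge, response)
    replay = issuer.authorize(card.token, challenge, response)
    # Someone holding the receipt (or an eavesdropper) tries the old response on a new purchase.
    forged = issuer.authorize(card.token, make_challenge(99999, "CITGO-7411"), response)
    # Three wrong PINs lock the card; even the right PIN then gets nothing.
    wrong = [card.respond("0000", make_challenge(1, "X")) for _ in range(MAX_PIN_TRIES)]
    after_lock = card.respond("4921", make_challenge(1, "X"))
    receipt = print_receipt(card, response, first)
    return {
        "first": first, "replay": replay["reason"], "forged": forged["reason"],
        "wrong_pin": wrong, "locked": after_lock is None,
        "receipt": receipt, "account_on_receipt": account in receipt,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>20}: {value}")
```

The point of binding the nonce to the amount and merchant inside the challenge is that the response cannot be lifted onto a different purchase, and the issuer's nonce set stops the same purchase from being presented twice. McQueen's other worry, that a transaction ID alone makes spending history easier to correlate electronically, is not solved by this design: the issuer still sees every transaction, so the scheme protects against the lost receipt, not against the issuer.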