Computer Privacy Digest Mon, 13 Dec 93

 

Computer Privacy Digest Mon, 13 Dec 93              Volume 4 : Issue: 006

Today's Topics:        Moderator: Leonard P. Levine

                         SSN's in Mail Addresses

               Re: Gun Control/Registration/Confiscation

               Re: Guns Control/Registration/Confiscation

                   Re: Right To Search Floppy Disks?

                   Re: Right To Search Floppy Disks?

                          Encryption At School

                        Cellular Phone Security

                     Re: Is PGP really Uncrackable?

                   ALERT: FBI's Wiretap Bill is Back!

                     CPSR Letter on Clipper (long)

   The Computer Privacy Digest is a forum for discussion on the effect 

  of technology on privacy.  The digest is moderated and gatewayed into 

  the USENET newsgroup comp.society.privacy (Moderated).  Submissions 

  should be sent to comp-privacy@uwm.edu and administrative requests 

  to comp-privacy-request@uwm.edu.  Back issues are available via 

  anonymous ftp on ftp.cs.uwm.edu [129.89.9.18].  Login as "ftp" 

  with password "yourid@yoursite".  The archives are in the directory 

  "pub/comp-privacy".   Archives are also held at ftp.pica.army.mil

  [129.139.160.133].

----------------------------------------------------------------------

From: Brinton Cooper <abc@arl.army.mil>

Organization:  The US Army Research Laboratory

Date:     Fri, 10 Dec 93 18:33:15 GMT

Subject:  SSN's in Mail Addresses

The following appeared in the Weekly Bulletin  (sent to all employees)

of this installation.  I offer it without comment:

"9.  USE OF WINDOW ENVELOPES FOR PAY RELATED ACTIONS:  Quote from a 14

Mar 77 letter from Treasury's Bureau of Public Debt:  "Until a bond

sent through the mails is delivered to the addressee as legally

defined by the Postal statues, only employees of the U.S. Government,

its agents, or the Postal Service in performance of their official

duties, have access to the social security number.  Thus, the number

is not being disclosed indiscriminately to the public.  Further, as

the Postal Service is bound, under the Privacy Act, to not disclose

any information relating to the individual, we fell that the

visibility of an individual's number through the envelope does not

result in his privacy being impinged upon."  Treasury's Assistant

Secretary for Legislative Affairs reiterated this position in a 17 May

90 response to a Congressional Inquiry.  Considering all this, the

visibility of a social security number thru a window envelope does not

create a violation of the Privacy Act.  In fact, Treasury's Regional

Disbursing Officers (RDOs) use window envelopes which are designed so

that the addressee's social security number does show, thus allowing

for faster rerouting of misaddressed mail."

------------------------------

From: dwn@dwn.ccd.bnl.gov (Dave Niebuhr)

Date: Sat, 11 Dec 93 07:01:07 EST

Subject: Re: Gun Control/Registration/Confiscation

In Volume 4, Issue 5 steele!basile@uunet.uu.net (Steve Basile) writes:

>A Brady Bill-induced five day waiting period is of little consequence.  My 

>permit is NOT valid in the 5 Boroughs (counties) that make up NYC.  

>Permits there require a psychiatric evaluation, and NYPD commissioner 

>approval, and must be renewed every year.

And after what happened on the Long Island Railroad on December 7, 1993,

the Brady Bill has proved worthless.  A man got on a train and proceeded

to kill five people and injure about 20 more.  He used a 9mm pistol that

was purchased legally in California.

So much for a 5-day waiting period.  California has a 15-day one and this

guy checked out clean.

So far, the public here knows that he came from Jamaica, formed an intense

dislike for blacks, whites and asians for unknown reasons; moved to 

Louisiana and the to California where he rented a motel room until he

could satisfy the permit waiting period and then proceeded to purchase

the gun.

Following that, he came to Brooklyn, boarded a commuter train and started

shooting about 1 hour later.

Dave Niebuhr      Internet: dwn@dwn.ccd.bnl.gov (preferred)

                            niebuhr@bnl.gov / Bitnet: niebuhr@bnl

Senior Technical Specialist, Scientific Computing Facility

Brookhaven National Laboratory Upton, NY 11973  (516)-282-3093

------------------------------

From: mcinnis@vnet.ibm.com 

Organization: IBM Austin

Date: Mon, 13 Dec 1993 17:05:30 GMT

Subject: Re: Guns Control/Registration/Confiscation

Of course, the lesson to be learned here is to move to NY City where the gun

laws keep the steets free of crime and to avoid lawless areas of the country

like Texas.

------------------------------

From: kkruse@matt.ksu.ksu.edu (Korey J. Kruse)

Organization: Kansas State University

Date: Sat, 11 Dec 1993 18:33:03 -0600

Subject: Re: Right To Search Floppy Disks?

nevin@cs.arizona.edu (Nevin Liber) writes:

>In article <comp-privacy4.4.4@cs.uwm.edu>,

>Here is a thought:  suppose the disk in question had a virus on it, and

>the administration confuscates the disk and tries to read the disk,

>thus invoking the virus.

Reading a disk does not invoke a virus.   In order for a virus to infect

a system an executable has to be run.   It is possible that the

computers in question might already be "infected"  and a virus could

recognize a disk read of a floppy to start some damaging process, but

anyway the kind of protection the school is relying on is not very good.

------------------------------

From: kkruse@matt.ksu.ksu.edu (Korey J. Kruse)

Organization: Kansas State University

Date: Sat, 11 Dec 1993 18:44:44 -0600

Subject: Re: Right To Search Floppy Disks?

bitbug@netcom.com (James Buster) writes:

>ranck@joesbar.cc.vt.edu (Wm. L. Ranck) writes:

>>Actually I think folks seem to have a basic misconception here.  It is

>>precisely *because* they are not the police that they can do locker searches,

>>etc.  The police are held to a higher standard for probable cause to search.

>That is, precisely, the problem. In most(all?) public schools, school

>administrators are government employees. I think that *all* government

>employees should be held to the same standard of conduct as police officers.

>Otherwise you have the current intolerable situation where "Oh, she's not a

>*police officer*, she's an *administrator*.". Just wait until some idiot

>bureaucrat figures this out, and sends administrators to illegally search

>your home: "It's ok, they're not police officers.".

    The reason locker searches are o.k. is because the lockers are the

property of the school.  The reason backpack, purse searches, and body

searches are o.k. is because children under the age of 18 are not

granted the same Constitutional rights as adults.    The Supreme Court

has already determined that the safety of the children in schools far

more important than their personal rights.   This is why schools are

allowed to ban certain types of clothing, all kinds of speech, and

other things.   The police could just as easily be involved in the

locker search or any other search.   Whether the person is an admin.

really has nothing to do with it.   Often times police are called by

the admin to help with searches by bringing in dogs or equipment.

The issue of administators of schools coming to your house for a routine

search is a joke.   You don't have to let anyone in your house unless

they have a search warrant.   Basically your argument that there is

some kind of legal distinction between police and school administation

searches is wrong.    If the safety of the students in the school is

in question the police could search every backpack, locker, and purse

in the whole school without fear of any "legal" reprisals.

------------------------------

From: Chris Burris <cburris@cap.gwu.edu>

Date: Sun, 12 Dec 1993 22:48:17 -0500 (EST)

Subject: Encryption At School

I have a question:

Suppose that I wrote a simple encryption program and

ran it at school, and the administration searched my disk.

Could the administration force me to give them the encryption key

even if i refused?

------------------------------

From: agrosso@world.std.com (Andrew Grosso)

Organization: The World Public Access UNIX, Brookline, MA

Date: Sun, 12 Dec 1993 08:13:07 GMT

Subject: Cellular Phone Security

As a federal prosecutor, I have my own opinions about cellular 

phones and the legality (or illegality) of listening in on cellular phone 

conversations.  Please note that this is a  personal opinion, not one of 

the Dept. of Justice.

Unlike a phone conversation transmitted via a cable-type network, 

a cellular phone from the start transmits its information over the 

airwaves.  There is no pretension that the information transmitted is 

physically protected or secure.  The means to "tap" or otherwise listen 

to the information is very simple, and widespread: radio receiver type 

devices.  By using a cellular phone, one is consenting to having one's 

conversations broadcast to an outside world, a world which has the means 

to listen to those converations.  It is similar to using a megaphone to 

transmit your conversations.

If you want privacy, then use a phone which uses cables.  There, 

your information is physically secure, and you have a legitimate 

*expectation of privacy* in your converstations.  An unauthorized taping 

is therefore properly unlawful.

People who want the law to protect their cellular conversations by 

making the listening-in on such conversations illegal or unlawful are, in 

my opinion, like people who want it made illegal or unlawful for others 

to listen to conversations broadcast by megaphone.  Since there is, and 

should be, no expectation of privacy in the means used to transmit the 

information, there should be nothing unlawful about listening in. 

What these people are trying to do is to utilize the law in order 

to achieve an unnatural result:  one wants privacy, but also wants the 

convenience of using an easy means to communicate which has no privacy.  

As a prosecutor, I can tell you that I have much too much work to do (and 

so do all other prosecutors) to prosecute a case against person A for 

listening to person B's conversation when person B decided to use an 

obviously insecure means of communication simply because he or she 

thought it convenient at the time.

As I said, it's my personal opinion.  For your further 

information, I am very adamant about protecting peoples' privacy, 

particularly my own.  I don't use cellular phones.  

------------------------------

From: news@cbnewsh.cb.att.com (NetNews Administrator)

Organization: NCR, an AT&T Company, Pleasanton CA

Date: Mon, 13 Dec 93 07:12:13 GMT

Subject: Re: Is PGP really Uncrackable?

First of all, the hoax article claiming that PGP was hosed was really

a hoax, and reasonably funny if you got all the in-jokes.

kkruse@enterprise.ksu.ksu.edu (Korey J. Kruse) writes:

> Nope.   PGP is distributed with source code.  You can examine it all

> you want.   Numerous experts in cryptography have (check out sci.crypt)

> and determined that the program does not have any "trap doors".

That's not precisely correct.  PGP does come with source, and with

reasonably good documentation, and the documentation for the major

algorithms used in the system is widely available; you can check for

yourself that the code implements the algorithms accurately if you want.

While nobody has *discovered* any trapdoors (or at least published them),

there are some potential locations they could be hidden; after all,

the point of a trap door is that only the Bad Guy knows about it,

and you don't, so you can be tricked into falling in it :-)

- the RSA public key algorithm depends primarily on the difficulty of factoring;

maybe there will be some radical new breakthrough in the next N years,

or maybe the NSA or KGB has already made it and we don't know yet.

(Not likely....)

- the IDEA encryption algorithm appears to be fairly strong, and _is_

resistant to the Differential Cryptanalysis techniques that

weaken DES and have broken FEAL and a number of other systems,

and the keys are long enough to prevent brute-force attacks,

but that doesn't mean there isn't some hole we don't know about.

The hoax said that "Paul[sic] Zimmerman" planted the trapdoor,

but perhaps the crafty Swiss researches who wrote IDEA really

did it for their military intelligence service.  (Not likely..... :-) 

- the MD-5 Message Digest algorithm (used for hashing files for signatures)

doesn't have any known ways to break it, but if there are,

signatures may not be trustable, which risks the security of

the key certification process a bit.  Again, unknown, but unlikely.

- the NSA could have broken into your computer and tampered with your

C compiler, or installed a radio transmitter that leaks out

your private key at night when you're not looking - check for

dirty fingerprints around the motherboard, and extra antennas...

- All the "experts" who've said it's good stuff may be Tentacles of

M.E.D.U.S.A., Inc.  Trust no one, and keep your phaser handy....

But if you've got the time, after you've installed Spook Repellant on

your keyboard, do check out the documentation and maybe the code and

some of the algorithm references.

------------------------------

From: mech@eff.org (Stanton McCandlish)

Organization: EFF mail-news gateway

Date: 10 Dec 1993 19:35:32 -0500

Subject: ALERT: FBI's Wiretap Bill is Back!

(Originally from EFFector Online 6.07 (Stanton McCandlish), summarized 

from Communications Daily 12/09/93 (Brock Meeks).)

Digital Telephony Threat Returns

According to FBI Dir. Louis Freeh, the development of sophisticated digital

telecom and networking technology threatens the ability of the Feds to

wiretap.  In a Dec. 8 speech at Washington's National Press Club, Freeh

annouced a renewal of the FBI's 'Digital Telephony' legislation scheme:

the return of the controverial 'Wiretap Bill'.  The bill is strongly

opposed by organizations and individuals concerned about privacy, as well

as the telecommunications and computing industries at large.  The FBI's

'need' for this legislative action is under review by the Administration

as part of it's examination of security and encryption issues.

The reappearance of this Bureau effort contradicts statements by Special

Agent Barry Smith of the FBI's Congressional Affairs Office, who stated

less than a month ago that the 'Wiretap Bill' had been tabled.

According to classified documents released under the Freedom of  

Information Act (FOIA), the FBI and the Electronic Communications Service

Provider Committee or ECSPC (an ad hoc industry working group, which

formed in March), are attempting to decide if technical solutions can

be found to satisify law enforcement. According to a Nynex representative

co-chairing the group, Kenneth Raymond, no solution has yet been found, but

that FBI has yet to prove any solution is needed at all.  Raymond likened

Freeh's tactics to "yelling out the window" - an attention-getting move

that needs some sort of clarifying followup.

Though the ECSPC claims to be attempting to evaluate the problem and to

solve it "in some reasonable way that is consistent with cost and demand",

Raymond indicated that the group considers one 'solution' to be building

wiretap access into future telecom hardware - like the  Clipper chip

backdoor, but a 'feature' of all switch specifications for phone and data

lines.

This news was just received, and a more detailed analysis and statement

from EFF will follow soon.

-- 

Stanton  McCandlish  mech@eff.org  1:109/1103   EFF  Online  Activist & SysOp

O P E N  P L A T F O R M   C R Y P T O P O L I C Y   O N L I N E  R I G H T S

N  E  T  W  O  R  K  I  N  G      V  I  R  T  U  A  L     C  U  L  T  U  R  E

I   N   F  O :  M   E   M   B   E   R   S   H   I   P  @  E  F  F  .  O  R  G

------------------------------

From: Dave Banisar <banisar@washofc.cpsr.org>

Organization: CPSR Washington Office

Date: Thu, 9 Dec 1993 17:10:20 EST    

Subject: CPSR Letter on Clipper (long)

  CPSR Letter on Clipper

  

       On December 6, the Digital Privacy and Security Working

  Group, a "coalition of over 50 communications and computer

  companies and associations, and consumer and privacy advocates"

  coordinated by the Electronic Frontier Foundation, sent a letter

  to President Clinton concerning cryptography policy.  The letter

  states, "In our discussions with Administration officials, we have

  expressed the Coalition's tentative acceptance of the Clipper

  Chip's encryption scheme (as announced on April 16, 1993), but

  only if it is available as a voluntary alternative to widely-

  available, commercially-accepted, encryption programs and

  products."

  

       The Washington Office of Computer Professionals for Social

  Responsibility (CPSR) has sent the following letter to the

  President.  We believe that the position stated in this letter

  continues to represent the views of the vast majority of network

  users, as reflected in the overwhelmingly critical comments

  submitted to the National Institute of Standards and Technology in

  response to its recent solicitation of public comments on the

  Clipper proposal.

  

  ==================================================================

  

                                       December 8, 1993

  

  The President

  The White House

  Washington, DC  20500

  

  Dear Mr. President,

  

       We are writing to you regarding the Clipper cryptography 

  proposal now under consideration by the White House and a 

  letter you may have received about the proposal from a group 

  called the "Digital Privacy and Security Working Group."

  

       This group wrote to you recently and expressed their 

  "tentative acceptance" of the Clipper Chip encryption scheme.  

  We disagree with their views.  This group has made a grave 

  mistake and does not speak for the many users of computer 

  networks and developers of network services who have 

  vigorously opposed this proposal.

  

       We are very much concerned about the Clipper proposal.  

  At its core is the dubious premise that the government 

  should have the authority to design communications networks 

  that facilitate wire surveillance.  The plan was developed in 

  secret by the National Security Agency over the objection 

  of U.S. firms, professional associations and public interest 

  organizations.  Key details about the proposal remain 

  classified.

  

       This proposal must not be endorsed.  The development of 

  open, unclassified standards is critical for the future of the 

  nation's communications infrastructure. Progress and 

  innovation depend on the free exchange of scientific and 

  technical information.  It is essential to the integrity of 

  the scientific process that standards are openly created and 

  available for public review. 

  

       There is also a great need to ensure that future networks 

  are designed with the highest levels of privacy and security 

  possible.  As our country becomes ever more dependent on the 

  high-speed network, the need for secure systems will only 

  increase.  The Clipper proposal purposefully cripples the 

  security of the network and reduces the privacy protection 

  that users could otherwise obtain.

  

       There is another still more serious problem with the 

  Clipper proposal.  An agency with the authority to conduct 

  wiretaps must not be allowed to impose technical standards to 

  facilitate wire surveillance.  The threat to Constitutional

  democracy is clear.  A system of checks and balances is

  essential to ensure that the powerful investigative tools of

  government are properly controlled.  

  

       We have followed the development of this proposal with 

  great concern.  We have testified before Congressional 

  committees.  We have appeared before agency panels, provided 

  reports on wire surveillance, and debated the former FBI 

  Director on national television.  We have also sponsored 

  conferences with full participation from across the federal 

  government.  We believe that the best policies will result from 

  an open and unrestricted exchange of views.  

  

       It is our assessment that you must not permit adoption of 

  the Clipper technical standard, even on a voluntary basis.  At 

  a time when the country should be moving toward open standards 

  designed for commercial networks, the Clipper proposal asks 

  future users of the nation's information infrastructure to 

  accept a standard intended for the Cold War era.  It is a 

  backward-looking plan that serves neither the interests of the 

  American people nor American business. 

  

       The adoption of the Clipper proposal would also ratify an 

  unlawful process that has undermined the authority of Congress 

  and weakened the mechanisms of government accountability.  The 

  proper authority for the development of this standard never 

  rested with the NSA.  Under the Computer Security Act of 1987, 

  it was a civilian agency that was to develop appropriate 

  standards for the nation's commercial networks.  Through a 

  series of secret executive orders, the NSA usurped the 

  authority of the National Institute of Standards and 

  Technology, substituted its own proposal for those of NIST, 

  and effectively derailed this important policy process.

  

       When the computer user community had the opportunity to 

  voice its position on this proposal, it rejected the plan 

  overwhelmingly.  The notice and comment process conducted by 

  the Department of Commerce earlier this year resulted in 

  nearly uniform opposition to the Clipper proposal. It would be 

  hard to find a technical standard more disliked by the 

  potential user community.

  

       While we support the relaxation of export controls on 

  cryptography, we are not willing to concede to the NSA the 

  right to develop secret standards.  It is only because the 

  National Security Agency also exerts influence on export 

  control policy that the Digital Privacy coalition is prepared 

  to endorse the Clipper standard in exchange for new 

  opportunities to market products.  It may be a good deal for

  the coalition members, but it is a terrible outcome for the 

  rest of the country.

  

       We very much appreciate your efforts on behalf of open 

  government, and your work with the Vice President and the 

  Secretary of Commerce to develop the nation's information 

  infrastructure.  We believe that these efforts are sending our 

  country in the right direction, helping to develop advanced 

  technologies appropriate for a democratic nation and to 

  preserve open and accountable government.

  

       But the Clipper proposal was not a creation of your 

  administration.  It is a relic from a period that is now 

  moving rapidly into the history books, a time when secret 

  agencies made secret decisions and when backroom deals with 

  powerful, private interests sustained these arrangements.

  

       It is time to end this cynical form of policy making. 

  

       We ask you to reject the deal put forward by the Digital 

  Privacy and Security Working Group. The Clipper proposal 

  should not go forward.

  

       We would be pleased to meet with members of your 

  administration to discuss this matter further.

  

  

  

                                Sincerely yours,

  

  

                                Marc Rotenberg, Director

                                David Sobel, Legal Counsel

                                Dave Banisar, Policy Analyst

                                CPSR Washington office

  

  

  cc:   The Vice President

        Secretary Ron Brown, Department of Commerce 

        Anthony Lake, National Security Council

        Computer System Security and Privacy Advisory Board

  

 ------------------------------

CPSR Cryptography Resolution

Adopted by the CPSR Board of Directors, Seattle, WA  October 18, 1993

WHEREAS,

Digital communications technology is becoming an increasingly

significant component of our lives, affecting our educational,

financial, political and social interaction; and

The National Information Infrastructure requires high assurances of

privacy to be useful; and

Encryption technology provides the most effective technical means of

ensuring the privacy and security of digital communications; and

Restrictions on cryptography are likely to impose significant costs on

scientific freedom, government accountability, and economic

development; and

The right of individuals to freely use encryption technology is

consistent with the principles embodied in the Constitution of the

United States; and

The privacy and security of digital communications is essential to the

preservation of a democratic society in our information age; and

CPSR has played a leading role in many efforts to promote privacy

protection for new communications technologies:

BE IT RESOLVED THAT

Computer Professionals for Social Responsibility supports the right of

all individuals to design, distribute, obtain and use encryption

technology and opposes any government attempt to interfere with the

exercise of that right; and

CPSR opposes the development of classified technical standards for the

National Information Infrastructure.

------------------------------

End of Computer Privacy Digest V4 #006

******************************