
Computer Privacy Digest Vol 1 #111



Return-path: <[email protected]>
Received: from PICA.ARMY.MIL (fsac5.pica.army.mil) by delphi.com (PMDF #3207 )
id <[email protected]>; Thu, 10 Dec 1992 10:19:25 EST
Received: from PICA.ARMY.MIL by Fsac5.pica.army.mil id aa09429; 10 Dec 92 9:45
EST
Received: from fsac5.pica.army.mil by Fsac5.pica.army.mil id aa09423; 10 Dec 92
9:40 EST
Date: 10 Dec 1992 09:40:25 -0500 (EST)
From: Computer Privacy Digest Moderator <[email protected]>
Subject: Computer Privacy Digest V1#111
To: [email protected]
Errors-to: Comp-privacy Error Handler <[email protected]>
Message-id: <[email protected]>
Content-transfer-encoding: 7BIT

Computer Privacy Digest Thu, 10 Dec 92 Volume 1 : Issue: 111

Today's Topics: Moderator: Dennis G. Rears

Re: SSNs as IDs
Re: SSN
Re: SSN
DOJ Authorizes Keystroke Mo
Re: Digital Licenses in NY State
Re: Digital Licenses in NY State
Re: Digital Licenses in NY State
Re: Digital Licenses in NY State

The Computer Privacy Digest is a forum for discussion on the
effect of technology on privacy. The digest is moderated and
gatewayed into the USENET newsgroup comp.society.privacy
(Moderated). Submissions should be sent to
[email protected] and administrative requests to
[email protected].
Back issues are available via anonymous ftp on ftp.pica.army.mil
[129.139.160.133].
----------------------------------------------------------------------

Date: Tue, 8 Dec 1992 8:18:11 -0500 (EST)
From: "Dave Niebuhr, BNL CCD, 516-282-3093" <[email protected]>
Subject: Re: SSNs as IDs

My employer has a nice way of assigning employee IDs. Start with 00001
and end with 99999 for permanent and temporary employees and it is called
a life number. The number is issued sequentially for each new employee
and stays with that person even if he/she leaves and returns.

All others: retirees if consulting, contractors, collaborators, students,
etc, are issued an ID consisting of the first letter of their last name
followed by four digits issued sequentially.

After almost 28 years on the job, I've never seen a guest ID above the
low 6,000s.

The medical insurance ID that I have is issued via a six-digit number
with two numbers following to indicate the dependent. Retirement is
based on the plan's numbering scheme (no SSN needed except for IRS
and Social Security issues); the dental plan is the only one that
has to be changed and is getting quite difficult even after I've gone
over the issues with the personnel section quite a few times.
Dave
Dave Niebuhr Internet: [email protected] / Bitnet: niebuhr@bnl
Brookhaven National Laboratory Upton, NY 11973 (516)-282-3093

------------------------------

Date: Tue, 8 Dec 92 18:34 PST
From: John Higdon <[email protected]>
Organization: Green Hills and Cows
Subject: Re: SSN

"BLACKMAN, EDWARD B" <[email protected]> writes:

> >[Moderator's Note: It is the phone company's number. They can take it
> >away from you and give you another number. ._dennis ]
>
> Only because we allow them to. Local carriers (the ones that assign your
> number) are regulated monopolies. If the entity in charge of regulating
> the telcos took away the power to reassign numbers, there isn't a thing
> they could do about it.

Oh, so naive. Ninety-nine percent of the practices and regulations in
any given PUC's books are written by the regulated utilities
themselves. The PUC commissioners are a bunch of ignorant hacks who
probably have difficulty dialing a telephone, much less regulating a
telephone company. For that reason, most of the real action is
accomplished by advisors, boards, engineers, and (unfortunately)
judges, who are themselves hopeless ignoramuses. Within a broad
framework, these people ensure that all regulation conforms to the
regulated entities' wishes and best interest.

Side note: I once recounted on Telecom Digest an instance where the
CPUC approved a tariff for a long distance company without even reading
it for factual errors. That tariff is currently under challenge.

Your telephone number is a technical expediency to provide a
machine-readable ID for each subscriber. Area codes, prefixes, and (at
least in recent past) the last four digits are created and assigned out
of technical considerations. In the days of SXS, there were heavy
constraints on the assignment of numbers, even within a prefix.

At any time it considers it expedient, the telco can rearrange numbers
in any manner it deems necessary to provide proper service. Granted,
this is rarely done, but it does remain within the telco's purview as a
technical consideration. Therefore, you can kiss 'goodbye' any
romantic notions or attachments regarding your telephone number. And
you can also forget about "forcing" the telcos to operate in any other
fashion with the power of regulation.

--
John Higdon | P. O. Box 7648 | +1 408 264 4115 | FAX:
[email protected] | San Jose, CA 95150 | 10288 0 700 FOR-A-MOO | +1 408 264 4407

------------------------------

From: "david.g.lewis" <[email protected]>
Subject: Re: SSN
Organization: AT&T
Date: Wed, 9 Dec 1992 16:31:41 GMT

In article <[email protected]> "BLACKMAN, EDWARD B" <[email protected]> writes:
>I don't think the telephone company "owns" your phone number.
>
>>[Moderator's Note: It is the phone company's number. They can take it
>>away from you and give you another number. ._dennis ]
>
>Only because we allow them to. Local carriers (the ones that assign your
>number) are regulated monopolies. If the entity in charge of regulating
>the telcos took away the power to reassign numbers, there isn't a thing
>they could do about it.

The Georgia PUC has done just that on a limited basis in the 404 NPA split.
Although it's not what people typically think of as "reassigning numbers",
an NPA split does just that. The Georgia PUC has countermanded part of the
404 NPA split, mandating that somewhere on the order of 200 CO codes that
BellSouth and Bellcore, as NANP Administrator, had planned to move into the
new North GA NPA (810?) should instead remain in 404.

Of course, this royally screws up the plans to alleviate CO code exhaust in
the Atlanta metro area which the NPA, the whole reason for the NPA split,
increasing the likelihood that another NPA split will be needed in the near
future, but hey, why should technical planning interfere with politics?

------------------------------

Organization: CPSR, Washington Office
From: Dave Banisar <[email protected]>
Date: Tue, 8 Dec 1992 9:29:57 EDT
Subject: DOJ Authorizes Keystroke Mo

DOJ Authorizes Keystroke Monitoring
Subject: DOJ Authorizes Keystroke Monitoring



CA-92:19 CERT Advisory
December 7, 1992
Keystroke Logging Banner

-----------------------------------------------------------------

The CERT Coordination Center has received information from the United
States Department of Justice, General Litigation and Legal Advice
Section, Criminal Division, regarding keystroke monitoring by computer
systems administrators, as a method of protecting computer systems
from unauthorized access.

The information that follows is based on the Justice Department's advice
to all federal agencies. CERT strongly suggests adding a notice banner
such as the one included below to all systems. Sites not covered by U.S.
law should consult their legal counsel.

------------------------------------------------------------------

The legality of such monitoring is governed by 18 U.S.C. section 2510
et seq. That statute was last amended in 1986, years before the words
"virus" and "worm" became part of our everyday vocabulary. Therefore,
not surprisingly, the statute does not directly address the propriety
of keystroke monitoring by system administrators.

Attorneys for the Department have engaged in a review of the statute
and its legislative history. We believe that such keystroke monitoring
of intruders may be defensible under the statute. However, the statute
does not expressly authorize such monitoring. Moreover, no court has
yet had an opportunity to rule on this issue. If the courts were to
decide that such monitoring is improper, it would potentially give rise
to both criminal and civil liability for system administrators.
Therefore, absent clear guidance from the courts, we believe it is
advisable for system administrators who will be engaged in such
monitoring to give notice to those who would be subject to monitoring
that, by using the system, they are expressly consenting to such
monitoring. Since it is important that unauthorized intruders be given
notice, some form of banner notice at the time of signing on to the
system is required. Simply providing written notice in advance to only
authorized users will not be sufficient to place outside hackers on
notice.

An agency's banner should give clear and unequivocal notice to
intruders that by signing onto the system they are expressly consenting
to such monitoring. The banner should also indicate to authorized
users that they may be monitored during the effort to monitor the
intruder (e.g., if a hacker is downloading a user's file, keystroke
monitoring will intercept both the hacker's download command and the
authorized user's file). We also understand that system administrators
may in some cases monitor authorized users in the course of routine
system maintenance. If this is the case, the banner should indicate
this fact. An example of an appropriate banner might be as follows:


This system is for the use of authorized users only.
Individuals using this computer system without authority, or in
excess of their authority, are subject to having all of their
activities on this system monitored and recorded by system
personnel.

In the course of monitoring individuals improperly using this
system, or in the course of system maintenance, the activities
of authorized users may also be monitored.

Anyone using this system expressly consents to such monitoring
and is advised that if such monitoring reveals possible
evidence of criminal activity, system personnel may provide the
evidence of such monitoring to law enforcement officials.


-------------------------------------------------------------------
Each site using this suggested banner should tailor it to their precise
needs. Any questions should be directed to your organization's legal
counsel.

--------------------------------------------------------------------
The CERT Coordination Center wishes to thank Robert S. Mueller, III,
Scott Charney and Marty Stansell-Gamm from the United States Department
of Justice for their help in preparing this Advisory.

---------------------------------------------------------------------
If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in FIRST (Forum of Incident
Response and Security Teams).

Internet E-mail: [email protected]
Telephone: 412-268-7090 (24-hour hotline)
CERT personnel answer 7:30 a.m.-6:00 p.m. EST(GMT-5)/EDT(GMT-4),
on call for emergencies during other hours.

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
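
An added example, not part of the CERT advisory or this digest: a Python check that a sign-on banner carries the elements the advisory asks for (monitoring notice, coverage of authorized users, express consent, disclosure to law enforcement). It assumes an OpenSSH server whose `Banner` directive names the banner file; the keyword patterns, the sample config and the weak banner are constructed for illustration.

```python
import re

# Elements the advisory says a banner should convey. The patterns are this
# example's own heuristics (an assumption), not wording mandated by CERT/DOJ.
ELEMENTS = {
    "monitoring_notice": r"\bmonitor(ed|ing)\b",
    "authorized_users_monitored": r"authorized users?[^.]*\bmonitor",
    "express_consent": r"\bconsents?\b",
    "law_enforcement_disclosure": r"law enforcement",
}

# Banner text as suggested in the advisory above.
ADVISORY_BANNER = """
This system is for the use of authorized users only.
Individuals using this computer system without authority, or in
excess of their authority, are subject to having all of their
activities on this system monitored and recorded by system personnel.
In the course of monitoring individuals improperly using this
system, or in the course of system maintenance, the activities
of authorized users may also be monitored.
Anyone using this system expressly consents to such monitoring
and is advised that if such monitoring reveals possible
evidence of criminal activity, system personnel may provide the
evidence of such monitoring to law enforcement officials.
"""

# Constructed samples: a banner that omits consent, and a server config.
WEAK_BANNER = "Authorized users only. All activity may be monitored."
SAMPLE_SSHD_CONFIG = """# constructed sample
Port 22
#Banner none
Banner /etc/issue.net
Match User backup
    Banner none
"""

def missing_elements(banner_text):
    """Return the names of advisory elements the banner text lacks."""
    flat = re.sub(r"\s+", " ", banner_text).lower()
    return [name for name, pat in ELEMENTS.items() if not re.search(pat, flat)]

def banner_path(sshd_config_text):
    """Return the global Banner path, or None if unset or 'none'.

    Only the section before the first Match block is read, and only
    whitespace-separated 'Keyword value' lines are handled.
    """
    for raw in sshd_config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword == "banner" and len(parts) == 2:
            value = parts[1].strip()
            return None if value.lower() == "none" else value
    return None

def audit(sshd_config_text, files):
    """Audit a config against banner files given as {path: contents}."""
    path = banner_path(sshd_config_text)
    if path is None or path not in files:
        return ("no_banner", list(ELEMENTS))
    missing = missing_elements(files[path])
    return ("ok", []) if not missing else ("incomplete", missing)

if __name__ == "__main__":
    print(audit(SAMPLE_SSHD_CONFIG, {"/etc/issue.net": ADVISORY_BANNER}))
    print(audit(SAMPLE_SSHD_CONFIG, {"/etc/issue.net": WEAK_BANNER}))
```

A tailored banner that rewords an element will be reported as missing until the patterns are adjusted to match the site's wording.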



------------------------------

From: Mike Johnston <[email protected]>
Subject: Re: Digital Licenses in NY State
Organization: Lehman Brothers
Date: Tue, 8 Dec 1992 15:47:25 GMT
Apparently-To: uunet!comp-society-privacy

In article <[email protected]> Mike McNally <[email protected]> writes:
>My biggest problem is this: I don't want my picture and signature
>digitally stored on NY's computers, where it can easily be transmitted
>to anyone the state deems fit to receive it. This could include
>the Federal Government, other States and various agencies within
>our own state. I won't even get into the ramifications of having
>my SIGNATURE stored where someone can replicate it, perfectly, every
>time they need to.
>
>It seems the privacy issues here have either been ignored or swept
>under the carpet.

It seems to me that elementary logic has either been ignored or swept
under the carpet. The very interesting thing about this post is that
while I'm sure the author earnestly believes this is a privacy issue,
his privacy is not in any significantly greater jeopardy because the
storage media employed by the NY state DMV has changed. The real issue
is paranoia towards digital technology and its applications. Unless
the author earnestly believes that photocopies and facsimiles of his
motor vehicle permit cannot now be easily transmitted to "the Federal
Government, other States and various agencies within [his] own state,"
I fail to see how digital storage of information that is already kept
throws his personal privacy into serious danger.

This line of reasoning relies upon the supposed 'fact' that the
government is the friendly, benign institution that some would like
us to think it is. It is not and never has been, but, then, this
depends upon which side of the political fence you sit.

I reject any charges of 'paranoia' based upon my opinions. I've
been active in the computer industry for 15 years and have served
in a variety of capacities both hardware and software related. I
understand quite well the uses and abuses possible with modern
computing machinery. Technologists who see the world through rose colored
glasses and reject criticism of their technology out-of-hand are the ones
that are likely to be bit first if ever any biting is done. Time will
tell.

I continue to maintain that privacy issues are not given the attention
they currently deserve. Hopefully this will change in the near-term
future. Meanwhile, I predict we will see more and more cases of the
abuse of information technology, along with the gradual increase in
public awareness that it merits.

MJ

--
Michael R. Johnston, System Administrator [email protected]
"The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore, all progress
depends on the unreasonable man." - G.B. Shaw

------------------------------

From: [email protected] (Hoops McCann)
Subject: Re: Digital Licenses in NY State
Date: 8 Dec 92 13:45:11
Organization: SunConnect - A Sun Microsystems Business

In article <[email protected]> [email protected] (Mike Johnston) writes:
>
> Today's (12/3/92) New York Times carried a small article in the Metro
> section describing NY's new licenses. In a nutshell, drivers will
> have *both* their pictures and signatures digitally stored on the
> state's computers. This makes me nervous.
>
> The reasons given are 'easier storage and retrieval and will result in
> more secure and higher-quality licenses and ID's'. Also noted is that
> duplicate licenses will be available within three weeks WITHOUT visiting
> the DMV. This is probably the hardest part of all to believe, as anyone
> who's ever tried to get ANYTHING from Motor Vehicles will attest.

I haven't felt the need for higher quality ID. But I can see
another, unstated, use for digitally encoded signatures: Easier
government fraud.

For example, consider my experience.

Last year I was assessed ~$2,000 for back taxes. Taxes which had
been deducted from my wages, but weren't paid to the IRS by my
employer. The IRS, unable to get the money from my previous employer
simply assessed me again for it. I contested it and had it sent to
"Tax court". That court determined that I really didn't owe anything.

That was fine until the IRS seized my bank account. When I demanded
why, they produced a document stating that I agreed to the assessment
of ~$2,000 with my signature. Except it really wasn't my signature.
It was sort of like my signature, but the letters were wrong. Whoever
signed it for me had actually misspelled my name.

For those of you who want to know what I did about it, I did
nothing. I contacted several lawyers, one of whom put it to me
bluntly. It would cost me a lot more than $2,000 to take it to court.
The IRS has no one who can be held accountable, so a criminal
complaint is futile. Pay the $2k and consider it the price of living
in the US.

So you see, a digital signature would help remove the human-error in
document forgery, and lessen the potential chagrin of those agents of
government tasked with ensuring you comply through whatever means
necessary. Documents can be printed with your signature already on
them for your convenience.

------------------------------

From: Steve Johnson <[email protected]>
Subject: Re: Digital Licenses in NY State
Organization: TRW Systems Division, Fairfax VA
Date: Tue, 8 Dec 1992 23:20:05 GMT

Mike McNally <[email protected]> writes:

[...]
>>Today's (12/3/92) New York Times carried a small article in the Metro
>>section describing NY's new licenses. In a nutshell, drivers will
>>have *both* their pictures and signatures digitally stored on the
>>state's computers. This makes me nervous.
>[...]
>It seems to me that elementary logic has either been ignored or swept
>under the carpet. The very interesting thing about this post is that
>while I'm sure the author earnestly believes this is a privacy issue,
>his privacy is not in any significantly greater jeopardy because the
>storage media employed by the NY state DMV has changed. The real issue
>is paranoia towards digital technology and its applications. Unless
>the author earnestly believes that photocopies and facsimiles of his
>motor vehicle permit cannot now be easily transmitted to "the Federal
>Government, other States and various agencies within [his] own state,"
>I fail to see how digital storage of information that is already kept
>throws his personal privacy into serious danger.
> -mcnally.

A colleague of mine recently went home to find the county sheriff waiting
to talk to him about some recent burglaries. Seems they had a tire iron
with his fingerprints all over it at the scene of one of the crimes. Lucky
for him he had a nice airtight alibi. This is a guy whose only crime to
date has been an occasional speeding ticket. Oh yes, how did they know they
were his prints? He's got one of those nice jobs in the defence industry
where they interview everyone you've ever known, do credit and police
checks on you from everywhere imaginable, strap you to a polygraph (i.e.,
a "lie detector" for the uninitiated), and fingerprint you. And imagine
how nice it will be when the FBI has all those fingerprint cards digitized
and accessible to even the most remote law enforcement agency (right from
the squad car with live scanning technology) in seconds. Sound far fetched?
Naw, it's from the specifications from the National Crime Information Center
(NCIC) 2000 RFP and the Integrated Automated Fingerprint Identification
System (IAFIS) RFP. The moral of this story: if you are ever robbed of
any possession (like the tire iron he had) or ever touch anything be sure to
tell the police or have a good alibi. It gets just a little scary to think
how things could have turned out if he hadn't been at home with his wife and
kids that night and hadn't reported the break-in of his truck earlier. Now
even good guys need to worry.

------- Any views expressed are those of myself and not my employer. --------
Steven C. Johnson, WB3IRU / VK2GDS |
TRW | [email protected]
FP1 / 3133 | [129.193.172.90]
1 Federal Systems Park Drive | Phone: +1 (703) 968.1000
Fairfax, Virginia 22033-4412 U.S.A. | Fax: +1 (703) 803.5189
--

------------------------------

Subject: Re: Digital Licenses in NY State
From: "Roy M. Silvernail" <[email protected]>
Date: Wed, 09 Dec 92 20:09:36 CST
Organization: Villa CyberSpace, Minneapolis, MN

nicmad!madnix!zaphod%[email protected] (Ron Bean) writes:

> As long as you're not trying to defraud anyone, it's still a
> valid signature. Since other organizations (such as UPS) are
> digitising signatures, a better strategy might be to get in the
> habit of *dating* everything you sign (although the date could
> still be cut off or altered).

When UPS started that, everybody in my office refused to sign it except
the boss. He didn't really understand our reservations, but was
temporarily willing to sign all packages in. Eventually, practicality
and business sense won out over principle, and we all do something to
the pad. I elected to print my name.

What really bothered me was UPS's attitude when they first introduced
this marvelous new gadget. They couldn't believe anyone had _any_
reason to be concerned. None of the PR droids I spoke with had the
first idea about technological privacy risks, and one chose to interpret
my concern as an accusation. Unfortunately, the only way to make some
people understand a risk is to present an exaggerated example... it
really upset this guy.

At the same time, they also got really upset with our suggestions;
signing a different name, a nickname, or printing manuscript characters.
None of these, they claimed, was a signature.

As you might expect, UPS has conveniently forgotten that they demanded
I _sign_ the pad. I print, he accepts it and we go on about our work.
So far, nobody's clipboard has been hijacked and I haven't seen my
purloined siggie attached to any incriminating faxes. Perhaps the risks
were overstated in the beginning.

But UPS hasn't started dumping the clipboards' contents by radio, yet.
Wonder if they're familiar with the terms 'encryption' and 'scanner'?
--
Roy M. Silvernail -- roy%[email protected] - OR- [email protected]
"I like Santa Claus as well as the next guy, but do you really want a
hard drive that's spent 6000 miles at the bottom of a canvas sack in a
wooden sleigh powered by airborne reindeer?" -- me

------------------------------

End of Computer Privacy Digest V1 #111
******************************