Date: Fri, 30 Apr 93 12:59:41 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@PICA.ARMY.MIL Subject: Computer Privacy Digest V2#039 Computer Privacy Digest Fri, 30 Apr 93 Volume 2 : Issue: 039 Today's Topics: Moderator: Dennis G. Rears Wiretaps without warrants Encryption SSNs and College Applications * Report on privacy-protecting off-line cash available * No FTP? You can still have PGP! Re: SSN I won one! The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@pica.army.mil and administrative requests to comp-privacy-request@pica.army.mil. Back issues are available via anonymous ftp on ftp.pica.army.mil [129.139.160.133]. ---------------------------------------------------------------------- From: David Brierley Subject: Wiretaps without warrants Organization: Division of Academic Computing, Northeastern University, Boston, MA. 02115 USA Date: Wed, 28 Apr 1993 01:54:13 GMT Sorry to get this out so late, but better late than never. It is from the Boston Sunday Globe of April 11, 1993, page 16. ------------------------- New England Votes in Congress Roll Call Report Syndicate WASHINGTON - This is how New England members of Congress were recorded on major roll-call votes last week. ... TO EXPAND FBI PHONE ACCESS: By a vote of 367-6, the House sent the Senate a bill expanding the FBI's power to obtain, without court warrants, telephone records and conversations in investigations of international terrorism and espionage. The bill grants the FBI access in such investigations to information on unlisted numbers that phone companies cannot now divulge. It also enables FBI counterintelligence agents to obtain a broader range of telephone conversations involving suspected terrorists and spies. A yes vote was to pass the bill. Connecticut: Voting yes: Kennelly, Gejdenson, Shays, Franks, Johnson. Not voting: DeLauro. Maine: Voting yes: Andrews, Snowe. Massachusetts: Voting yes: Neal, Blute, Frank, Meehan, Torkildsen, Markey, Kennedy, Moakley, Studds. Not voting: Olver. New Hampshire: Voting yes: Swett. Not voting: Zeliff. Rhode Island: Voting yes: Machtley, Reed. Vermont: Not voting: Sanders. ... ------------------------------ From: thomas ciccateri Subject: Encryption Date: Wed, 28 Apr 93 0:32:50 MDT The proposed Clipper Chip scheme seems to rely on a degree of public trust in the government to maintain the confidentiality of encryption keys unless a court order allows access. A recent story in the Albuquerque Journal (April 25) shows that such trust may be misplaced. A worker at a government facility (Sandia Labs) alledges that he was discharged for not engaging in illegal acts for his employer and his employer's customer (NSA). The worker resisted direct orders to copy comercial embedded software, reverse engineer electronic locks, and develop computerized lockpicks for industrial espionage. The worker said he was told on the one hand that he would lose his clearance if he engaged in any illegal activities and on the other he would lose his clearance if he refused to accept any work assignment. Guess what, he lost his clearance. The Department of Energy has sealed all court records for National Security Reasons. Does this sound like the kind of government which deserves our trust regarding privacy ? ------------------------------ Date: Wed, 28 Apr 1993 7:36:26 -0400 (EDT) From: "Dave Niebuhr, BNL CCD, 516-282-3093" Subject: SSNs and College Applications I've filled out quite a few college loan applications for my kids and in each case the SSN was required since the Privacy Act statement is given. Each of them (Pell, NYHESC (NY Higher Education Service something), NY Tuition Assistance Program, Parent Plus) contained this and all are tied to some federal law (I forget which) required that they do this. My feeling is that if I want their money, they have a right to know as much financially about me as possible. Dave Dave Niebuhr Internet: niebuhr@bnl.gov / Bitnet: niebuhr@bnl Brookhaven National Laboratory Upton, LI, NY 11973 (516)-282-3093 Senior Technical Specialist: Scientific Computer Facility ------------------------------ From: Stefan Brands Subject: * Report on privacy-protecting off-line cash available * Date: 28 Apr 93 09:45:27 GMT Followup-To: sci.crypt Organization: CWI, Amsterdam PRIVACY-PROTECTING OFF-LINE ELECTRONIC CASH SYSTEMS ___________________________________________________ I recently published a new privacy-protecting (!) off-line electronic cash system as a technical report at CWI. Being a PhD-student at David Chaum's cryptography-group, our group has a long history in research in the field of privacy-protecting cash systems. The electronic version of the report is called CS-R9323.ps.Z, contains 77 pages, and can be retrieved from ftp.cwi.nl (192.16.184.180) from the directory pub/CWIreports/AA. The postscript-file is suitable for 300dpi laserprinters. ==================================================================== TITLE : An Efficient Off-line Electronic Cash System Based On The Representation Problem ABSTRACT: (from coverpage): We present a new off-line electronic cash system based on a problem, called the representation problem, of which little use has been made in literature thus far. Our system is the first to be based entirely on discrete logarithms; the security is unrelated to RSA. Using the representation problem as a basic concept, some techniques are introduced that enable the construction of protocols for withdrawal and payment that do not use the cut and choose methodology of earlier systems. As a consequence, our cash system is much more efficient in both computation and communication complexity than any privacy-protecting off-line cash system proposed before. An important aspect of our system concerns its provability. Contrary to previously proposed systems, its correctness can be mathematically proven to a very great extent. Specifically, if we make one plausible assumption concerning a single hash-function, the ability to break the system seems to imply that one can break the Diffie-Hellman problem. Honest users of the system are guaranteed to be information-theoretically untraceable, i.e., they remain completely anonymous in the sense that not even a cooperation of the bank(s) with all shops can find out which user paid in what shop. Our system offers a number of extensions that are hard to achieve in previously known systems. All these extensions can be achieved very efficiently. Perhaps the most interesting of these is that the entire off-line cash system (including all the extensions) can be incorporated in a setting based on so-called wallets with observers (a user-module with embedded within it a tamperresistant module), which has the important advantage that double-spending can be prevented (!), rather than detecting the identity of a double-spender after the fact. In particular, it can be incorporated even under the most stringent requirements conceivable about the privacy of the user, which seems to be impossible to do with previously proposed systems. Another benefit of our system is that framing attempts by a bank have negligible probability of success (independent of computing power) by a simple mechanism from within the system, which is something that previous solutions lack entirely. Furthermore, the basic cash system can be extended to checks, multi-show cash and divisibility, while retaining its computational efficiency. ==================================================================== Cryptographers are challenged to try to break this system! I made a particular effort to keep the report as self-contained as possible. Nevertheless, if you have any questions, please e-mail to me and I will try to reply as good as I can. Any comments are also welcome! Stefan Brands, -------------------------------------------------------- CWI, Kruislaan 413, 1098 SJ Amsterdam, The Netherlands Tel: +31 20 5924103, e-mail: brands@cwi.nl ------------------------------ From: Stanton McCandlish Subject: No FTP? You can still have PGP! Date: 28 Apr 1993 19:16:01 -0500 Organization: UTexas Mail-to-News Gateway ************************************************************************* DEFEAT THE BIG BROTHER PROPOSAL! JUST SAY F!CK NO TO THE PRIVACY CLIPPER! ************************************************************************* ************************************************************ The security of PGP encryption for those without FTP access! ************************************************************ This is not an ad, but a public service announcement. NitV-BBS is FREE. This info (and my system!) has been updated to make it easier for you to obtain Pretty Good Privacy (PGP): Secure RSA pubkey encrytion for all! Due to the overwhelming response, I have sought out as many ports as possible. After a week of exhaustive FPT/Archie searches it appears to me that NitV-BBS is the world's singlemost comprehensive PGP site, with executables and/or source code for the following platforms: Platform exec source patch extras MS-DOS (PC-DOS, etc.) X X X Macintosh X X Archimedes X ? OS/2 X X Amiga X X Unix X X NeXT X In one case I do not have the means to open the archive to see if it comes with the source code, thus "?". WARNING: My DallasFax 14.4k v32bis modem does not always cooperate too well with USR/Miracom Dual Standards. BY MODEM TO BBS: Call NitV-BBS (see .sig at end of message for details) Here you will find: File area file name description LOGIN PGP22.ZIP DOS version of PGP LOGIN PGPSHEL1.ZIP menu/shell for PGP (DOS only) NONIBM PGP22B-A.LHA PGP for Amiga (w/source) NONIBM ARCPGP22 PGP for Archimedes (format unknown; w/src??) NONIBM MACPGP22.CPT PGP for Mac (.cpt archive) NONIBM PGP22.TAZ PGP for Unix (compressed .tar; w/source) WIN PGP22OS2.ZIP PGP for OS/2 (w/source patch) LOGIN PGP22SRC.ZIP PGP source code & utils for DOS NONIBM MPGP22SC.S_H PGP source code for Mac (BinHex .hqx encode of a .sea self-extracting archive) MONIBM MPGP22SC.SIG PGP signature for validation of Mac source NONIBM NXTPGP22.ASC PGP source code diff (patch) for NeXT. ASCII A quick ext search for "pgp" will yield the files for flagging quickly. Note: original name of Mac version is: MacPGP_2.2.cpt original name of Unix version is: pgp22.tar.Z original name of Mac source is: MacPGP2.2src.sea.hqx original name of Mac signature is: MacPGP2.2src.SIGNATURE NeXT patch is a concatenation of: PGP.random.c.diff and PGP.random.c.diff.README These names were changed because of the 12 char limit of MesSDOS filenames. All files are direct from these FTP sites: nic.funet.fi, sony.com, garbo.uwasa.fi, and ftp.uni-erlangen.de. They are NOT uploaded by BBS users, nor gotten from other BBSs. You can rest assured that they are "clean" (the superparanoid^H^H^H^H^H^H^H^Hcautious may wish to obtain additional copies and compare them for further validation.) You may login anonymously as ANONYMOUS, password GUEST. If you want the whole lot you won't have time, as that acct. is limited. In that case, login normally, but if you never intend to call again, please be courteous, and leave a omment to sysop to delete your account. Disk space is limited! All user accounts are free. There is no charge (other than your phone expenses of course) for obtaining PGP from NitV-BBS. BY FIDO-PROTOCOL FREQ Anyone in FidoNet or any other FTN/FTSC network (such as RBBSNet, etc.), or anyone with a working Fido-type mailer, can get PGP from the same source, via File REQuest, as long as they can send mail to Fido address 1:301/2 (you will need a Fido nodelist to pull that off). You do not have to be nodelisted to do this. You can even be a point system. Just send a DIRECT not routed netmail To: Sysop, NitV (1:301/2) From: Re: ,, St: Crash, Direct, FilReq, can be a full file name, or a "magic name". Status is not that important, as long as the message is set for at least these 2: Direct and FilReq. You can use the following magic names (which will still hold for future releases of PGP): Magic Name files description PGPDOS PGP22.ZIP, PGPSHEL1.ZIP DOS PGP and menu/shell PGPAMI PGP22B-A.LHA Amiga PGP & source PGPARC ARCPGP22 Archimedes PGP PGPMAC MACPGP22.C_H Mac PGP PGPNXT NXTPGP22.ASC NeXT PGP source code diff (requires a full src package) PGPOS2 PGP22O2.ZIP OS/2 PGP & patch PGPUNX PGP22TAR.Z Unix PGP & source PGPSDOS PGP22SRC.ZIP PGP source & utils (DOS fmt.) PGPSMAC MPGP22SC.S_H, MPGP22SC.SIG PGP source & sig (Mac fmt.) --------------------------------------------------------------------------- Please upload, file-attach via netmail, uuencode and email, or just tell me where to find, any interesting utils, FAQs, etc for PGP that you come across, so that I can make them available to the needy but FTPless hordes. Please do NOT further distribute this copy of PGP, especially to BBSs. Part of the Good Thing about getting it from NitV is that you know it came right from one of the original FTP sites for it, not from some cheezy BBS via the hands of 27 other people and systems, any of which might harbour a baddie. This is not to say that BBSs are bad (hell, I run one!) but rather that too much is left to chance (and ill-will!) in it's distribution methods. PGP is a security program, and needs to be guaranteed to be secure. Thank you. This offer, due to IDIOTIC export restrictions, must of course be limited to the USA. Authors are stongly encouraged to upload, mail, etc. their ports of PGP, their PGP utilities, etc. directly to me or the system listed below so that non-FTP-using PGP afficionados can be certain that they are getting a "pris- tine" copy. Thanks! ---------------------------------------------------------------------------- Distribute ENTIRE contents of this message freely. ---------------------------------------------------------------------------- -- Testes saxi solidi! ********************** Podex opacus gravedinosus est! Stanton McCandlish, SysOp: Noise in the Void Data Center BBS IndraNet: 369:1/1 FidoNet: 1:301/2 Internet: anton@hydra.unm.edu Snail: 8020 Central SE #405, Albuquerque, New Mexico 87108 USA Data phone: +1-505-246-8515 (24hr, 1200-14400 v32bis, N-8-1) Vox phone: +1-505-247-3402 (bps rate varies, depends on if you woke me up...:) ------------------------------ From: Charles Mattair Subject: Re: SSN Organization: Synercom Technology, Inc., Houston, TX Date: Wed, 28 Apr 1993 20:32:11 GMT In article Mitch Collinsworth writes: > >Implementation of juror solicitations is, I assume, left up to the >various courts. In my county, they use drivers licenses, voter >registrations, and one other database, which I can't recall at the >moment. > Texas has just started using DLs instead of voter registration rolls (there was a perception many people were not registering to avoid jury duty :-( ). The result has been, shall we say, a very mixed success. On the positive side, the pool of potential jurors is definitely up. Other positives include - actually, the courts and the DA say that's it. Negatives are: much higher rate of no-shows; lower average level of educational attainment; lower socio-economic status (that is, much higher percentage of un/under employeed); much higher percentage of undocumented workers and non-English speakers; jurors who serve but really don't participate in the process; in general, a lower quality juror pool. There probably are areas where a system like this could work. The courts here have been underwhelmed by the result. -- Charles Mattair (work) mattair@synercom.hounix.org (home) cgm@elmat.synercom.hounix.org In a mature society, "civil servant" is semantically equivalent to "civil master." - Robert Heinlein, _The Notebooks of Lazarus Long_ ------------------------------ Date: Thu, 29 Apr 93 00:08:23 GMT From: Bear Giles Subject: I won one! I just opened a new checking and savings account (since my former bank forgot who hired whom) and several interesting things happened: The bad news: 1. The _very_ first thing the rep did was call a telephone number to "verify" my SSN. Said verification was nothing more than verifying that SSN had actually been assigned to a person (I don't recall if she read my name or not), but a completely bogus SSN will _not_ work. (I hadn't been paying attention because I thought she was verifying my driver's license). 2. I asked about this and she said the bank _requires_ SSNs for any account. If I went in with $1000 in cash and tried to open a savings account, agreeing that 33% of all interest will be paid to the IRS (and 5% to Colorado) to cover any possible income tax, _they would refuse my business_. The good news: 3. After providing my legal name, I asked if the records could be marked a/k/a for my use-name. After a bit of hemming and hawing (since I don't have court documents to force them to do this) they agreed to accept both names _and_ to print my use-name on the checks. My previous bank insisted on court papers, but it was an existing account when I inquired. 4. When I handed over my standard "a condition of me doing business with you is _no_ _mailing_ _lists_" letter she said that the Bank did not release the names of its customers, but she would accept it in case the policy changed in the future. I had also been told (when investigating banks) that I would be asked for a 4-digit identifying number -- they don't use readily available information like SSNs for checkcodes. I wasn't asked today, but this may be because this rep had recently started. In many ways, the bank's willingness to accept something other than my legal name for the account (both signature and check) is more important than the hassles over the SSN. I can see how the _bank_ will want information to find me if I do fraudulent misdeeds (e.g., writing lots of bad checks), but they shouldn't care if I arrange it so I can use the name "John Doe" on my checks. -- Bear Giles bear@fsl.noaa.gov ------------------------------ End of Computer Privacy Digest V2 #039 ******************************