8°L2¡†CÉŠ)pJJJJ	À…I ÿ„H(È±HÐ:°© æ=¥IH©[H`…@…H c±H™”	ÈÀëÐö¢¼	½$	™ò	½+	
Êî©	…I©†  Éù°/…H„`„J„L„N„GÈ„BÈ„F©…a…K 	°hæaæaæF¥FÉï­ Ðm©Ð¥Jm#¨æK¥KJ°É
ðU „J­	)¨±JÙ	ÐÛˆö)ðÉ Ð; ±JÉÿÐ3È±J…FÈ±J…G© …J „K„aÈ„M 	°æaæa¤NæN±J…F±L…GJÐçL  L	
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         ÿÿÿÿÿ                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           üINTERNET.15A     …¿3  „¿&  ã'  -READ.ME.FIRST    5 …¿2 ã  …¿2 ÝINET.PRIVACY1      „¿'# ã  „¿* FINDER.DATA    Éí  X  …¿3p¾ç  …¿3                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 ?	&PRODOS         ¥`…D¥a…ElH $?EGvô×Ñ¶K´¬¦+`L¼	©ŸH©ÿH©¢ Lyô Xü ¹P	™®ˆ÷LM	ªªª ÕÎÁÂÌÅ ÔÏ ÌÏÁÄ ÐÒÏÄÏÓ ªªª¥S)*+ª½€À©,¢ÊÐýéÐ÷¦+`¥F)É)
(*…=¥GJ¥FjJJ…A
…Q¥E…'¦+½‰À ¼	æ'æ=æ=° ¼	¼ˆÀ`¥@
…S© …T¥S…P8åQð°æSÆS8 m	¥P o	Ðã „R(8ÆRðÎˆðõ½ŒÀû                                                                                                                                                                                                                                                                         APPLE II FAMLY INTERNET STARTER'S KIT Compiled by: David Ottalini             WAP /// SIG Co-Chairman             September/October 1995Welcome to the WAP Apple Family Internet Starter Kit!We've attempted to compile literally a ton of information ion. Search for '_' (underline) fornext section.)PART 1====== (this file)Identity--------<1.1> What is `identity' on the internet?<1.2> Why is identity (un)important on the internet?<1.3> How does my email address (not) identify me and my backgr                                                                                                                                                                                                                                                                 !"#$%&'()*+,-./012                                                                                                                                                                                                                           edit if quoted.SUMMARY=======Information on email and account privacy, anonymous mailing andposting, encryption, and other privacy and rights issues associatedwith use of the Internet and global networks in general.(Search for <#.#> for exact sectIDENTITY, PRIVACY, and ANONYMITY on the INTERNET================================================(c) Copyright 1993 L. Detweiler.  Not for commercial use except by  permission from author, otherwise may be freely copied. Not to be  altered.  Please cr                                                                                                                                                                                                                                                                    íINET.PRIVACY1  u# Ã'  „¿'# Ã'  '&PART.1          & ÔI „¿'# ã  U¿5 &PART.2         4 8 „l „¿'# ã  U¿4 &PART.3         l  Ï6 „¿'# ã  U¿3 &PART.4         ‰ 5 }f „¿'# ã  U¿ &PART.5         ¾ 0 f] „¿'# ã  U¿2                   : Yet another Internet Guide for your consideration.                                                                                                                                                                                                           on the Internet        PART.4          : Privacy and Rights Issues        PART.5          : The Clipper Chip (encryption)SIDE TWOINET.PRIVACY2 (Directory)        PART.6          : Resources; Miscellaneous                  HHIKERS.GUIDE           privacy and rights issues associatedwith use of the Internet and global networks in general.        PART.1          : Identity and Why Its Important on the Internet        PART.2          : Privacy on the Inerternet        PART.3          : Anonymity e entire Apple II family!INTERNET.15                SIDE ONERead.Me.First           : A compilation of the files on this disk.INET.PRIVACY1 (Directory)Information on email and account privacy, anonymous mailing andposting, encryption, and other eed.These disks are a work in progress - please let us know how we can improve them for you. IF you would like to contribute more to them, ormake some adjustements here and there, please let us know. We wantthese disks to be a wonderful resource to ths the Macs and PCs can do these days with their WebSurfers, etc. BUT computers were accessing the Internet for years beforethese latest software goodies ever showed up. And besides - you don'tneed the memory or special software that the newer machines nfor you about the Internet and how you can use it with your Appe II or /// computer.That's right - literally ALL Apple IIs - from the Plus on up to the GS andany version of the /// - can and do have the ability to surf the Internet.It's not as pretty aound?<1.4> How can I find out more about somebody from their email address?<1.5> How do I provide more/less information to others on my identity?<1.6> Why is identification (un)stable on the internet?<1.7> What is the future of identification on the internet?Privacy-------<2.1> What is `privacy' on the internet?<2.2> Why is privacy (un)important on the internet?<2.3> How (in)secure are internet networks?<2.4> How (in)secure is my account?<2.5> How (in)secure are my files and directories?<2.6> Hogin name qualified by the complete address domain information,  for example ``ld231782@longs.lance.colostate.edu''. People see  this address when receiving mail or reading USENET posts from you  and in other situations where programs record usage.  Som=_____<1.1> What is `identity' on the internet?  Generally, today people's `identity' on the internet is primarily  determined by their email address in the sense that this is their  most unchanging 'face' in the electronic realm.   This is your  l What standards are needed to guard electronic privacy?Footnotes---------<8.1> What is the background behind the Internet?<8.2> How is Internet `anarchy' like the English language?<8.3> Most Wanted list<8.4> Change history* * *IDENTITY=======------------<7.1> What is ``digital cash''?<7.2> What is a ``hacker'' or ``cracker''?<7.3> What is a ``cypherpunk''?<7.4> What is `steganography' and anonymous pools?<7.5> What is `security through obscurity'?<7.6> What are `identity daemons'?<7.7>hanced Mail (PEM)?<6.6> What are other Request For Comments (RFCs) related to privacy?<6.7> How can I run an anonymous remailer?<6.8> What are references on privacy in email?<6.9> What are some email, Usenet, and internet use policies?Miscellaneous-le)Resources---------<6.1> What UNIX programs are related to privacy?<6.2> How can I learn about or use cryptography?<6.3> What is the cypherpunks mailing list?<6.4> What are some privacy-related newsgroups?  FAQs?<6.5> What is internet Privacy Eniticisms of the Clipper chip?<5.8> What are compliments/criticisms of the Clipper Initiative?<5.9> What are compliments/criticisms of the Clipper announcement?<5.10> Where does Clipper fit in U.S. cryptographic technology policy?PART 3====== (last finical details of the Clipper chip being kept secret?<5.4> Who was consulted in the development of the Clipper chip?<5.5> How is commerical use/export of Clipper chips regulated?<5.6> What are references on the Clipper Chip?<5.7> What are compliments/cr1> What is the Conference on Freedom and Privacy (CFP)?<4.12> What is the NIST computer security bulletin board?Clipper-------<5.1> What is the Clipper Chip Initiative?<5.2> How does Clipper blunt `cryptography's dual-edge sword'?<5.3> Why are techny Act?<4.7> What is U.S. policy on freedom/restriction of strong encryption?<4.8> What other U.S. legislation is related to privacy?<4.9> What are references on rights in cyberspace?<4.10> What is the Computers and Academic Freedom (CAF) archive?<4.1bility (CPSR)?<4.3> What was `Operation Sundevil' and the Steve Jackson Game case?<4.4> What is Integrated Services Digital Network (ISDN)?<4.5> What is the National Research and Education Network (NREN)?<4.6> What is the FBI's proposed Digital Telephoting'?<3.6> Why is anonymity (un)stable on the internet?<3.7> What is the future of anonymity on the internet?PART 2======Issues------<4.1> What is the Electronic Frontier Foundation (EFF)?<4.2> Who are Computer Professionals for Social Responsivacy on the internet?Anonymity---------<3.1> What is `anonymity' on the internet?<3.2> Why is `anonymity' (un)important on the internet?<3.3> How can anonymity be protected on the internet?<3.4> What is `anonymous mail'?<3.5> What is `anonymous posow (in)secure is X Windows?<2.7> How (in)secure is my email?<2.8> How am I (not) liable for my email and postings?<2.9> Who is my sysadmin?  What does s/he know about me?<2.10> Why is privacy (un)stable on the internet?<2.11> What is the future of prie obsolete  forms of addresses (such as BITNET) still persist.  In email messages, additional information on the path that a message  takes is prepended to the message received by the recipient.  This  information identifies the chain of hosts involved in the  transmission and is a very accurate trace of its origination.  This  type of identify-and-forward protocol is also used in the USENET  protocol to a lesser extent.  Forging these fields requires  corrupted mailing software at sites involved iur background.  The address may `identify' you as  from a department at a particular university, an employee at a  company, or a government worker.  It may contain your last name,  initials, or cryptic identification codes independent of both.  In  the of these actions, intended and inadvertent, will  literally be magnified exponentially._____<1.3> How does my email address (not) identify me and my background?  Your email address may contain information that influences people's  perceptions of yorovoking social forces of massive  proportions. Decisions made now on issues of identity will affect  many future users, especially as the network becomes increasingly  global, universal, widespread, and entrenched; and the positive or  adverse affects based on identification,  and law enforcement frequently hinges on it.  Hence, employees of  many government organizations push toward stronger identification  structures.  But when does identification invade privacy?  The growth of the internet is pnd `usage'.  Many functions in society demand reliable and accurate techniques  for identification. Heavy reliance will be placed on digital  authentication as global economies become increasingly electronic.  Many government functions and services areria.  On the other side of the  connection, the author may find identities of reviewers useful in  exerting pressure for acceptance.  Identity is especially crucial in establishing and regulating  `credit' (not necessarily financial) and `ownership' a the other hand, many  prejudices are useful!  A scientist might argue he can better  evaluate the findings of a paper as a reviewer if he knows more  about the authors.  Likewise, he may be more likely to reject it  based on unfair or irrelevant criteit is  harmful.  A professor might carefully explain a topic until he  finds he is talking to an undergraduate.  A person of a particular  occupation may be able to converse with others who might normally  shun him.  Some prejudices are erased, but, onon Usenet and forged identities makes them  more insidious.  People and their reputations can be assaulted by  forgery.  However, the fluidity of identity on the internet is for some one of  its most attractive features. Identity is just as useful as problems associated with it is  H.G. Well's ``War of the Worlds'' science fiction story adapted to  a radio broadcast that fooled segments of the population into  thinking that an alien invasion was in progress.  Hoaxes of this  order are not uncommon y severe consequences, with massive  computer networks at the forefront of the issue, which can  potentially either exacerbate or solve these problems.  Verifying that an identity is correct is called `authentication',  and one classic example of the n are all critical aspects of  computer networks. For example, the convenience of communication  afforded by email would be impossible without conventions for  identification.  But there are many potential abuses of identity  possible that can have verhe initial faked fields are names of  real machines and represent real transfer routes._____<1.2> Why is identity (un)important on the internet?  The concept of identity is closely intertwined with communication,  privacy, and security, which in turn the forwarding and  is very uncommon.  Not so uncommon is forging the chain at the  origination point, so that all initial sites in the list are faked  at the time the message is created.  Tracing these messages can be  difficult or impossible when t US some are based on parts of social security numbers. Others  are in the form 'u2338' where the number is incremented in the  order that new users are added to the system.  Standard internet addresses also can contain information on your  broad geographical location or nationhood.  However, none of this  information is guaranteed to be correct or be there at all.  The  fields in the domain qualification of the username are based on  rather arbitrary organization, such as (mostly invisible) networkncovered the  identity of R. Morris, author of the Internet Worm, through the  use of `finger' after an anonymous caller slipped by revealing his  initials which were also his login ID.  See the book Cyberpunk by  K. Hafner and J. Markoff._____<1.5>lf to find out  what is publicly reported by your UNIX system about you. Be  careful when modifying `finger' data; virtually anyone with  internet access worldwide can query this information.  In one  famous case, the New York Times writer J. Markoff ue information on `finger' and locating people's email addresses  is given in the email FAQ (such as the WHOIS lookup utility).  Just  as you can use these means to find out about others, they can use  them to find out about you.  You can `finger' yourseall users on the  system with a `finger @address'.  In general this is often  considered weak security, however, because `attackers' know valid  user ID's to `crack' passwords.  More information on the fields returned by `finger' is given below.  Morrs. Some    computers will search only for matching user IDs, others will    attempt to find the username you specified as a substring of all    actual full names of users kept in a local database.  At some sites `finger' can be used to get a list of   - A message `In real life: ???' in which case the receiving computer    could not find any kind of a match on the username. The finger    utility may return this response in other situations.  - A listing of information associated with multiple useed. The  response is generated completely by the receiving computer and may  be in any format.  Possible responses are as follows:  - A message `unknown host' meaning some aspect of the address is    incorrect, two lines with no information and '???'.or determining identity over the  internet is the UNIX utility 'finger'.  The basic syntax is:    finger user@here.there.everywhere  This utility uses communication protocols to query the computer  named in the address for information on the user namadmin (i.e. `root@address') may also  be able to supply information.  Users with related email address  may have information.  However, all of these methods rely on the  time and patience of others so use them minimally.  One of the most basic tools fress, asking. Another  way is to send mail to the postmaster at that address (i.e.  postmaster@address), although the postmaster's job is more to help  find user ID's of particular people given their real name and solve  mail routing problems.  The sysollege  .com   commercial organization  .org   'other' (e.g. nonprofit organization)  .gov   government  .mil   military site_____<1.4> How can I find out more about somebody with a given email address?  One simple way is to send email to that addtributions.)  However, UNIX utilities exist to aid  in the quest (see the question on this).  Common Suffixes  ---------------  .us    United States  .uk    United Kingdom  .ca    Canada  .fi    Finland  .au    Australia  .edu   university or cis the name of the  computer receiving mail.  Gleaning information from the email address alone is sometimes an  inspired art or an inconsistent and futile exercise.  (For more  information, see the FAQs on email addresses and known  geographical dis  cabling distributions.  The only point to make is that early fields  in the address are more specific (such as specific computer names  or local networks) and the later ones the most general (such as  continental domains).  Typically the first field  How do I provide more/less information to others on my identity?  The public information of your identity and account is mostly  available though the UNIX utility `finger' described above.  - You have control over most of this information with the utility    `chfn', the specifics vary between sites (on some systems use    `passwd -f').  - You can provide unlimited information in the .plan file which is    copied directly to the destination during the fingering.  - A technique that works at some on the internet:  - Internet mail standards, described in RFC-822, are still evolving    rapidly and not entirely orderly.  For example, standards for    mail address `munging' or `parsing' tend to vary slightly between    sites, particularly with gaate hosts is generally unforgeable. In general, while  possible, forgeries are fairly rare on most newsgroups and in  email.  Besides these pathological cases abve there are many basic  problems with today's internet protocols affecting identification ke moves inside their organizations.  - As part of current mailing protocol standards, forging the From:    line in mail messages is a fairly trivial operation for many    hackers.  The status and path information prepended to messages by  intermedi  - Anyone with access to the account, e.g. they know the password,    either legitimately or otherwise, can send mail with that address    in the From: line.  - Email addresses for an individual tend to change frequently as    they switch jobs or maiple machines anywhere in the world.  Currently internet users do not really have any great assurances  that the messages in email and USENET are from who they appear to  be. A person's mailing address is far from an identification of an  individual.in the 'real world'.  The arbitary and cryptic  sequences of letters and digits comprising most email addresses are  not particularly noticeable or memorable and far from a unique  identification of an individual, who may use multiple accounts on  multvariety of reasons.  One is the inherent  fluidity of `cyberspace' where people emerge and submerge  frequently, and absences are not readily noted in the `community'.  Most people remember faces and voices, the primary means of casual  identification with UNIX finger; log incoing fingers, etc.  Thanks to dzr@world.std.com for contributions here._____<1.6> Why is identification (un)stable on the internet?  Generally, identity is an amorphous and almost nonexistent concept  on the Internet for a stall programs that vary the .plan  file based on `who is calling' or even determine the ID of the  `caller' in some configurations. See the files on  quartz.rutgers.edu:    backfinger.tar.gz, fing-plan.c.gz, planinit*.gz: Programs to do      tricks o mask your identity in email or on USENET you can use different  accounts. More untraceable are new `anonymous posting' and  remailing services that are very recently being established.  See  the sections on that topic.  Experienced UNIX users can in nothing is foolproof.  Consult man pages on  the `chmod' command and the default file mode.  Generally, files on  a shared system have good safeguards within the user pool but very  little protection is possible from corrupt system administrators.  Tcess on a public account or one from  someone unrelated to you personally.  You may be able to remotely  login (via modem or otherwise) to computers that you are not  physically near.  These are tactics for hiding or masking your  online activities butur home directory.  Providing less information on your online identity is more difficult  and involved.  One approach is to ask your system adminstrator to  change or delete information about you (such as your full name).  You may be able to obtain ac sites allows you to find out who is    'finger'ing you and even to vary the .plan file sent to them.  - Your signature is determined by the environment variable SIGNATURE  - USENET signatures are conventionally stored in the .signature file    in yoteways and embedded addresses, and    frequently mean the difference between finding addresses and    bouncing mail.  - Domain names and computer names are frequently changed at sites,    and there are delays in the propagation of this data.  - Addresses cannot be resolved when certain critical computers    crash, such as the receiving computer or other computers involved    in resolving names into addresses called `nameservers'.  - A whole slew of problems is associated with `nameservers'; if  t traffic  frequently passes past international boundaries, and is not  centrally managed, significantly complicates and strongly  discourages its overall regulation._____<2.3> How (in)secure are internet networks?  - `Theoretically' people at any rules generally carry over to the internet with few specific rules  governing it.  However, the legal repercussions of the global  internet are still largely unknown and untested (i.e. no strong  legal precedents and court cases).  The fact that interne have rules that protect privacy (such as the  illegal search and seizure clause of the U.S. Constitution, adopted  by others) but have many that are antithetical to it (such as laws  prohibiting secret communications or allowing wiretapping).  These   privacy (un)important on the internet?  This is a somewhat debatable and inflammatory topic, arousing  passionate opinions.  On the internet, some take privacy for  granted and are rudely surprised to find it tenuous or nonexistent.  Most governmentsithout your permission.  These ideas are probably both fairly  limiting and liberal in their scope in what most internet users  consider their private domains.  Some users don't expect or want  any privacy, some expect and demand it._____<2.2> Why is                                                                                                                                                                                                                                                                356789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghij                                                                                                                                                                                                         ave exclusive use and access to your account and the  data stored on and and directed to it (such as email), and you do  not encounter arbitrary restrictions or searches.  In other words,  others may obtain data associated with your account, but not  wPRIVACY ON THE INTERNET - PART 2PRIVACY=======_____<2.1> What is `privacy' on the internet?  Generally, while `privacy' has multiple connotations in society and  perhaps even more on the internet, in cyberspace most take it to  mean that you hrend in USENET  standards is toward greater authentication of posted information.  On the other hand, advances in ensuring anonymity (such as  remailers) are forthcoming. (See the sections on these topics.)                                            e not currently widespread, require large amounts  of data transfer, standardized software, and make some compromises  in privacy.  Promising new cryptographic techniques may make `digital signatures'  and `digital authentication' common.  Also, the ture of identification on the internet?  Some new technologies and standards are introducing facial images  and voice messages into mail and these will improve the sense of  community that comes from the familiarity of identification.  However, they arin that they were created when the network was  somewhat obscure and not widespread, with only a fraction of the  traffic it now sees.  Today a large proportion of internet traffic  is email, comprising millions of messages._____<1.7> What is the fut  they are not updated they will not find name addresses, and even    the operation of what constitutes `updating' has different    interpretations at different sites.  The current internet mailing and addressing protocols are slightly  anachronistic site in the chain of sites with    access to hardware and network media that transmits data over the    Internet could potentially monitor or archive it. However, the    sheer volume and general 'noise' inherent to this data makes    these scenarios highly improbable, even by government agencies    with supposedly vast funding and resources, although a    sophisticated science dedicated to filtering data can be    exploited for this role.  - Internet communications is extremely vulnerable to `traff or weaken it to satisfy performance or privacy aims.  This information is frequently consulted for troubleshooting  purposes and may otherwise be ignored.  This data tracks  unsuccessful login attempts and other `suspicious' activities on  the system.hey are executed (in fact, login  information is usually public). Most features of this `auditing' or   `process accounting' information are enabled by default after the  initial installation and the system administrator may customize it  to strengthenthers.  This means that they may read any file in your account  without detection.  Furthermore, not universally known, most UNIX systems keep fairly  extensive accounting records of when and where you logged in, what  commands you execute, and when t guess) this security is significantly diminished. Somewhat  surprisingly and frighteningly to some, certain users of the  system, particularly the administrator, generally have unlimited  access regardless of passwords, and may grant that access to  o not very.  There are a multitude of factors that may  reinforce or compromise aspects of your privacy on the internet.  First, your account must be secure from other users. The universal  system is to use a password, but if it is `weak' (i.e. easy to ity into permitting normally  > disallowed network connections.  For more information on the CSL Laboratory see the  Thanks to P. Ferguson <fergp@sytex.com> for contributions to this  section._____<2.4> How (in)secure is my account?  By default,ll-known Internet sites  > for the purpose of gaining information that would allow them to  > crack security or to steal valuable information.  This  > information sometimes permits intruders to spoof legitimate  > connections, i.e., trick system securrity of Internet  > traffic is unencrypted and therefore easily readable. As a  > result, e-mail, passwords, and file transfers can be monitored  > and captured using readily available software. Intruders have  > been known to monitor connections to wetory (CSL) Bulletin for July 1993, entitled, "Connecting to  the Internet: Security Considerations." Ironically, one paragraph  specifically states the admitted security concerns for unencrypted  traffic:  > Ease of Spying and Spoofing:  The vast majory rare. The greatest risks  tend to emerge locally.  Note that all these approaches are almost  completely defused with the use of cryptography.  (See the section  on that subject.)  The following text was excerpted from the Computer Systems  Labora' and read packets by arbitrary criteria for    troubleshooting purposes, but the cost of this type of device is    prohibitive for casual use.  Known instances of the above types of security breaches at a major  scale (such as at network hubs) are veequires knowledge and access to    very low-level hardware (the network card) to pursue, if even    possible.  - A company Network General Inc. is one of many that manufactures    and markets sophisticated network monitoring tools that can    `filteroses their    interests.  - Technologies exist to `tap' magnetic fields given off by    electrical wires without detection.  Less obscurely, any machine    with a network connection is a potential station for traffic    detection, but this scenario ric    analysis,' a technique where the content of messages is not    uncovered but information on the source and destination addresses    can effectively suggest its meaning.  For example, knowing that    certain people are on certain mailing lists exp A traditional part of the UNIX system that tracks user  commands is easily circumvented by the user with the use of  symbolic links (described in `man ln').  UNIX implementations vary widely particularly in tracking features  and new sophisticated mechanisms are introduced by companies  regularly. Typically system adminstrators augment the basic UNIX  functionality with public-domain programs and locally-developed  tools for monitoring, and use them only to isolate `suspicious'  activity as it ari---- 15 ld231782     1536 Jan 31 21:22 /users/ld231782/  Here is a listing of the rights associated with a user's home  directory, denoted by `~'.  The columns at the left identify what  rights are available. The first column identifies the entry as ated with newly created files, and can be set in the shell  with `umask'.  The details of rights implementations tend to vary  between versions of UNIX.  Consult man pages on `chmod' and `ls'.  Examples  --------    traver.lance % ls -ld ~    drwx--irectory, however, requires the `r' right.  By default most accounts are accessable only to the owner, but the  initial configuration varies between sites based on administrator  preference.  The default file mode specifies the initial rights  associa. The rights on a directory supersede  the rights associated with files in that directory. For a  directory, `x' means that access to the files (or subdirectories)  in the directory is possible -- if you know their names. To list  the contents of the dthe `x' (`execute') right on  your parent directory is off for users, groups, and other, these  users cannot gain information on anything in your directories.  Anything less may allow others to read, change, or even delete  files in your home directorydirectories?  The most important privacy considerations are related to file  rights, and many lapses can be traced to their misunderstood nature  or haphazard maintenance. Be aware of the rights associated with  your files and directories in UNIX. If o them (such as Internet Relay Chat).  Also, be aware  that forged login screens are one method to illegitimately obtain  passwords.  (Thanks to Jim Mattson <mattson@cs.ucsd.edu> for contributions  here.)_____<2.5> How (in)secure are my files and veral basic situations where UNIX  prompts you for a password: when you are logging in to a system or  changing your password.  Situations can arise in which prompts for  passwords are forged by other users, especially in cases where you  are talking toid password references in email.  - Be conservative in the use of the .rhost file.  - Use utilities like `xlock' to protect a station, but be    considerate.  Be wary of situations where you think you should supply your  password.  There are only sean often be traced to failures in these guidelines:  - Choose a secure password.  Change it periodically.  - Make sure to logout always.  - Do not leave a machine unattended for long.  - Make sure no one watches you when you type your password.  - Avhe section on    ``X Windows (in)security''.  Indepedent of malevolent administrators are fellow users, a much  more commonly harmful threat. There are multiple ways to help  ensure that your account will not be accessed by others, and  compromises cst automated services keep logs of use for troubleshooting or    otherwise; for example FTP sites usually log the commands and    record the domain originations of users, including anonymous    ones.  - Some software exacerbates these problems.  See tpted by    someone else.  - System administrators make extensive backups that are completely    invisible to users which may record the states of an account over    many weeks.  - Erased files can, under many operating systems, be undeleted.  - Moses (e.g. remote accesses to the `passwd' file,  incorrect login attempts, remote connection attempts, etc.).  Generally, you should expect little privacy on your account for  various reasons:  - Potentially, every keystroke you type could be interce  directory, and the next three columns mean that read, write, and  execute rights, respectively, are permitted for that user. For  directories, the `x' right means that contents (file and  subdirectory names) within that directory can be listed. The  subsequent columns indicate that no other users have any rights to  anything in the directory tree originating at that point. They  can't even `see' any lower files or subdirectories; the hierarchy  is completely invisible to them.    traver.lance % lm does not  > work well when multiple people can log in to a single machine and  > mutual trust does not exist.  With the access control list, the `xhost' command may prevent some  naive attempts (i.e. those other than the direct-access unix:0.0  evany client on a host in the host access control list is allowed  > access to the X server. This system can work reasonably well in  > an environment where everyone trusts everyone, or when only a  > single person can log into a given machine...This systeype of access  in these versions.  The problem arises because the security is  completely based on machine addresses rather than users, such that  any user at a `trusted' machine is himself trusted. Quoting from X  documentation (man Xsecurity):  > A  overcome existing vulnerabiliies in the Unix system). Anyone with  an account on the server machine can disrupt that display or read  it electronically based on access to the device unix:0.0 by any  regular user.  There are no protections from this tn of data such as screen updates and keystrokes in X  Windows.  Due to either intentional design decisions or unintentional design  flaws, early versions of the X Window system are extremely  insecure (the decision may have been made not to attempt to primary security and privacy issue  associated with X Windows is that much more sensitive data may be  sent over a network, and over wider regions, than in the case where  the human is situated near the host computer.  Currently there is  no encryptioomplete dissociation  of the client and server so that windows may be `broadcast' to a  server at a remote location from the  client. Unfortunately this  dynamic power also introduces many deep, intricate, and complicated  security considerations.  Theraphical  resources (such as windows or a mouse) and the `server' is the  machine that provides them.  In many situations the client is an  application program running on the same machine as the server.  The great utility of X Windows comes from its cer of networks in enhancing computational tasks, particularly the  human-computer interface.  The software implements a client-server  interface to a computer via graphical windows. In this case the  `client' is the application requesting or utilizing gibutions here.)_____<2.6> How (in)secure is X Windows?  X Windows is the primary software developed by the MIT Athena  project (1983-1991) which was funded by commercial grants  primarily from DEC and IBM to develop applications to harness the  pow possible if it is known beforehand that `foo' contains an 'r'  readable file named `file':    ls -l foo/file    cat foo/file    cd foo  The following commands fail:    ls foo    ls -l foo  (Thanks to Uwe Waldmann <uwe@mpi-sb.mpg.de> for contrfoo' has rights dr--r--r--, the following  is possible:    ls foo  These commands would fail independent of file rights:    ls -l foo    ls -l foo/file    cat foo/file    cd foo  If the directory `foo' has rights d--x--x--x, the following are m `group' and `other'.  Note that `ls -l <file>' requires both the 'r' right to get the list  of files and subdirectories, and the 'x' right to access the files  and subdirectories in order to get their size, etc. For example,  suppose the directory `s -l msg    -rw-r--r--  1 ld231782   35661 Jan 29 23:13 msg    traver.lance % chmod u=rw,g=,o= msg    traver.lance % ls -l msg    -rw-------  1 ld231782   35661 Jan 29 23:13 msg  Here the modes on the file `msg' were changed to take away rights  frosion); the syntax as typed on the host machine is ``xhost  +[name]'' where [name] is the domain name or internet address of an  authorized client machine. By default clients running nonlocal to  the host are disabled.  Public domain programs to disrupt a display  momentarily (such as 'flip' or slowly mirror the screen image, or  cause pixels to 'melt' down to the bottom) have been circulating on  the internet among hackers for several years and played as pranks  on unsuspecting or inexperienced userst of caveats (for example, unscrupulous administrators  may still be a threat if the encryption site is shared or  nonlocal).  See the sections on ``email privacy'' and ``email  policies.''_____<2.8> How am I (not) liable for my email and postings?t) are actually publicly accessable via mail    routing software mechanisms.  This `feature' can be disabled.  Most potential compromises in email privacy can be thoroughly  avoided with the use of strong end-to-end cryptography, which has  its own se recipient.  - Typically new user accounts are always set up such that the local    mail directory is private, but this is not guaranteed and can be    overridden.  - Finally, be aware that some mailing lists (email addresses of    everyone on a lisestablished and    tested legally.  - Note that bounced messages go to postmasters at a given site in    their entirety.  This means that if you address mail with an    incorrect address it has a good chance of being seen by a human    other than thethe source or destination of the message),    such as a university.  - System administrators may also release files to law enforcement    agencies, but conventions and protocols for warrants involving    computer searches have still not been strongly teria in computer and network design.  Some  potential pitfalls in privacy are as follows:  - The most serious threats are instances of immature or unscrupulous    system operators reading private mail in the `spool files' at a    local site (i.e. at e standard is virtually  universal, there is no intrinsic privacy.  Despite milleniums worth  of accumulated cryptographic knowledge, cryptographic technologies  are only recently being established that afford high priority to  privacy as a primary criabetic and symbolic  characters onto numeric codes and vice versa.  Virtually every  computer system uses this code, and if not, has ways of converting  to and from it.  When you write a mail message, by default it is  being sent in ASCII, and since thcs.iastate.edu> for contributions here.)_____<2.7> How (in)secure is my email?  By default, not very.  The characters that you are reading are  almost certainly encoded in ASCII, the American Standard Code for  Information Interchange that maps alph X Windows since ~1990, local  sites often update this software infrequently because installation  is extremely complex.  (Thanks to Marc Vanheyningen <mvanheyn@whale.cs.indiana.edu>,  Jim Mattson <mattson@cs.ucsd.edu>, and Bill Marshall  <marshall@ because no encryption of  keys occurs in transmission.  X11R5 also includes other  sophisticated encryption mechanisms.  Try `man Xsecurity' to find  out what is supported at your site.  Even though improved security  mechanisms have been available in that matches the code  allowed by the server.  Many older programs and even new  vendor-supplied code does not support or is incompatible with  `magic cookies'. The basic magic cookie mechanism is vulnerable to  monitoring techniques described earlierle.'').  New versions of the X Window system (X11R5 and higher) by default  make server access as secure as the file system using a .Xauthority  file and 'magic cookies'.  Remote machines must have a code in the  .Xauthority file in the home directory.  Much more serious security  breaches are conceivable from similar mechanisms exploiting this  inherent weaknesses.  (The minimal, easily-bypassed `trusted'  security mode of `xhost' has been jokingly referred to as ``X  Hanging Open, Security Terrib  As punishment or whatever, your system administrator can revoke  certain `privileges' such as emailing, USENET posting or reading  certain groups, file transferring, remote communications, or  generally any subset of capabilities available from your account.  This all is completely at the discretion of the local administrator  and under the procedures followed at a particular site, which in  many cases are haphazard and crisis-oriented.  Currently there are  virtually no widespread, uniform guideli ftp.eff.org:  /pub/academic/banned.1991  /pub/academic/banned.1992  ---    Computer material that was banned/challenged in academia in 1991    and 1992 including USENET hierarchies.  /pub/academic/cases  ---    This is an on-line collection of i  Famous Usenet contributor Carl Kadie and associates maintain an  archive tracking user liability as part of the Computers and  Academic Freedom project (see also the section on ``internet use  policies''). The following references are available from ble, avoid use of your company email address for private    communication.  - Use a disclaimer.  - Keep a low profile (avoid `flamewars' or simply don't post).  - Avoid posting information that could be  construed to be    proprietary or `internal'.ion. A recent visible political case  involves the privacy of electronic mail  written by White House  staff members of the Bush administration.  Following are some  guidelines:  - Acquaint yourself with your company or university policy.  - If possis and their activities on the  internet can be construed as representative of their parent  organizations. Many people put disclaimers in their `signatures' in  an attempt dissociate their identity and activities from parent  organizations as a precautups    `mail-bombing': inundating mail boxes with numerous or massive    files  Major problems originate from lack of distinctions in private and  official email or postings.  Most users have internet access via  accounts at businesses or universitie copyrighted material  - `ad hominem' attacks, i.e. insulting the reputation of the    poster instead of citing the content of the message  - intentional or extreme vulgarity and offensiveness  - inappropriate postings, esp. binary files in regular grod, either to individual users or  entire groups (such as a university campus).  Restrictions are most  commonly associated with the following `abuses':  - harassing or threatening notes, `email terrorism'  - illegal uses, e.g. piracy or propagation ofctionary, the sound a  jerk makes at the end of a fall to the bottom of a kill file).  In cases where punitive actions are applied, generally system  administrators are least likely to restrict email.  USENET postings  are much more commonly restricteps describe  their alternatives when this patience is sapped: the options  wielded by the individual user are to simply advance to the next  message (referred to as ``hitting the `n' key''), or to `plonk'  annoying posters (according to the Hacker's Di  System administrators at remote sites regularly cooperate to  'squelch' severe cases of abuse.  In general, however, by tradition  Usenet readers are remarkably tolerant of diverse views and uses of  the system, but a colorful vocabularly of slang helrom their system administrators as  urged by others on the `net'. (The debate persists endlessly on  many newsgroups whether this is also used  as a questionable means  of attacking or silencing `harmless crackpots' or censoring  unpopular opinions.)h a system adminstrator  regarding abuses by a user, usually but not necessarily preceded by  complaints to the user in email, regarding that person's  objectionable email or postings.  `abusive' posters to USENET are  usually first given admonitions fnes or procedures for  restricting use to any internet services, and local administrators  are free to make arbitrary decisions on access.  Today punitive measures are regularly applied in various situations.  In the typical scenario complaint(s) reacnformation about specific    computers and academic freedom cases. File README is a detailed    description of the items in the directory.  /pub/academic/faq/netnews.liability  ---    Notes on university liability for Usenet.______<2.9> Who is my sysadmin?  What does s/he know about me?  The requirements and screening for getting a system administration  job (and thereby access to all information on a system) vary widely  between sites and are sometimes frighteningly lax, especially at  univemechanisms are currently in place to  ensure much privacy. New standards are calling for uniform  introduction of `privacy enhanced mail' (PEM) which uses encryption  technologies to ensure privacy, so that privacy protection is  automatic, and may sigections.  Also, sensitive industrial and business information is exchanged  over networks currently and this volume may conceivably merge with  the internet.  Most would agree that, for these basic but sensitive uses of the  internet, no significant itably entail data such as voice messages, postal mail, and  many other items of extremely personal nature. Computer items that  many people consider completely private (such as their local hard  drives) will literally be inches from global network connriate level of privacy.  Others will argue that as a  prototype for future global networks it has woefully inadequate  safeguards.  The internet is growing to become a completely global,  international superhighway for data, and this traffic will  inevalmost  entirely originating from copyrighted material (newsgroups such as  `alt.sex' regularly have the highest traffic).______<2.11> What is the future of privacy on the internet?  Some argue that the internet currently has an adequate or  appropUSENET with regularity without major consequences (some email  complaints may ensue).  More astonishing to some is that currently  significant portions of USENET traffic, and less so internet  traffic, is comprised of sexually-explicit digitized images  global point of view traffic is generally completely  unimpeded on the internet and only the most egregious offenders  are pursued.  For example, verbatim transcriptions of copyrighted  material (such as newspaper or magazine articles) are posted to  SENET newsgroups labelled as `pornographic'. The  `alternative' hierarchy in the USENET system, which has virtually  no restrictions on propagation and new group creation, is  frequently targeted (although this material may appear anywhere).  From the encryption and anonymous services).  Historically the major threats to privacy on the internet have been  local. Perhaps the most common example of this are the widespread  occurrences of university administrators refusing to carry some  portion of USF (National Science  Foundation) which places certain restrictions on its use (such as  prohibiting commercial use).  Some high-level officials in this and  other government agencies may be opposed to emerging techniques to  guarantee privacy (such aslly be misused.______<2.10> Why is privacy (un)stable on the internet?  For the numerous reasons listed above, privacy should not be an  expectation with current use of the internet. Furthermore, large  parts of the internet are funded by the U.S. Nages, and potentially read either.  S/he  may have access to records indicating what hosts you are using,  both locally and elsewhere.  Administrators sometimes employ  specialized programs to  track `strange' or `unusual' activity,  which can potentiaare  extremely strict.  The system adminstrator (root user) can monitor what commands you  used and at what times.  S/he may have a record (backups) of files  on your account over a few weeks. S/he can monitor when you send  email or post USENET messrsities.  Many UNIX systems at universities are largely  managed by undergraduates with a background in computing and often  `hacking'.  In general, commercial and industrial sites are more  strict on qualifications and background, and government sites nificantly improve safeguards.  The same technology that can be extremely destructive to privacy  (such as with surreptitious surveilance) can be overwhelmingly  effective in protecting  it (e.g. with encryption). Some government  agencies are opposed to unlimited privacy in general, and believe  that it should lawfully be forfeited in cases of criminal conduct  (e.g. court-authorized wiretapping).  However, powerful new  technologies to protect privacy on computers are becoming  increasingly populs another powerful tool that can be beneficial or  problematic depending on its use.  Arguably absence of  identification is important as the presence of it.  It may be the  case that many strong benefits from electronic anonymity will be  discovered tsed to  any of these uses because of the potential for abuse. Nevertheless,  the inherent facelessness of large networks will always guarantee a  certain element of anonymity._____<3.2> Why is `anonymity' (un)important on the internet?  Anonymity il of these uses are feasible on the internet but are currently  tricky to carry out in practice, because of all the tracking  mechanisms inherent to operating systems and network protocols.  Officials of the NSF and other government agencies may be oppo  Sometimes a user wishes  to hide who he is sending mail to (in addition to the message itself).  The anonymous item itself may be directed at individuals or groups.  A user may wish to access some service and hide all signs of the  association.  Ald-run').  Or, a person may wish to be openly anonymous but carry on a  conversation with others (with either known or anonymous identities)  via an `anonymous return address'.  A user may wish to appear as a  `regular user' but actually be untraceable.                                                                                                                                                                                                                                                                kmnopqrstuvwxyz{|}~€‚ƒ„…†‡                                                                                                                                                                                                                                    on may wish to be consistently identified by a certain pseudonym  or `handle' and establish a reputation under it in some area,  providing pseudo-anonymity.  A person may wish to be completely  untraceable for a single one-way message (a sort of `hit-anPRIVACY ON THE INTERNET - PART 3ANONYMITY=========_____<3.1> What is `anonymity' on the internet?  Simply stated, anonymity is the absence of identity, the ultimate in  privacy. However, there are several variations on this simple theme.  A pers                                                                                                                                                                                                                                                                 the proper roles of networks and the  internet, will foreseeably become highly visible and explosive over  the next few years.                                                                                                                            ipper chip proposal,  for example) have been met with hot controversy at best and ridicule  and derision at worst, mainly because of concerns for the right to  privacy and objections of inherent feasibility. Electronic privacy  issues, and particularlyppable.  To date, no feasible system that guarantees both secure  communication and government oversight has been proposed (the two  goals are largely incompatible). Proposals for ``registration'' of  secret keys (by D. Denning on sci.crypt and the Clar, provoking some to say that ``the cat is out  of the bag'' and the ``genie can't be put back in the bottle''.  In  less idiomatic terms, they believe that the spread of strong  cryptography is already underway will be socially and technically  unstohat were unforeseen and unpredicted, because true  anonymity has been historically very difficult to establish.  One can use anonymity to make personal statements to a colleague  that would sabotage a relationship if stated openly (such as  employer/employee scenarios).  One can use it to pass information  and evade any threat of direct retribution.  For example,  `whistleblowers' reporting on government abuses (economic, social,  or political) can bring issues to light without fear of stigma or  rages and weaknesses:  - The anonymous server approach requires maintaining a mapping of    anonymous ID's to real addresses that must be maintained    indefinitely.  One alternative is to allow `deallocation' of    aliases at the request of the user, essed is received by the operator.  Generally the user of the remailer has to disavow any  responsibility for the messages forwarded through his system,  although actually may be held liable regardless.  These approaches have several serious disadvantthese are in existence  currently but sites and software currently somewhat unstable; they  may be in operation outside of system administrator knowledge.  The remailers don't generally support anonymous return addresses.  Mail that is incorrectly addr runs a process on  a machine that anonymizes mail sent to him with certain  characteristics that distinguish it from his regular incoming mail  (typically fields in the header).  One has been implemented as a  PERL script running on UNIX.  Several of bove.  Another more `fringe' approach is to run a `cypherpunk' remailer  from a regular user account (no root system privileges are  required).  These are currently being pioneered by Eric Hughes and  Hal Finney <hal@alumni.caltech.edu>.  The operator message by stripping of identification information  and forwards the message, which appears to originate from the  anonymous server only from the corresponding anonymous user id.  This is the `interactive' use of anonymity or pseudonymity  mentioned ait (based on his email address).  This will vary  for the same person for different machine address email  originations. To send anonymous mail, the user sends email directed  to the server containing the final destination. The server  `anonymizes' the.4> What is `anonymous mail'?  One approach to `anonymizing' mail has been to set up an `anonymous  server' that, when activated by email to its address, responds by  allocating and supplying an `anonymous ID' that is unique to the  person requesting ymity.  Virtually every protocol in existence currently  contains information on both sender and receiver in every packet.  New communications protocols will likely develop that guarantee  much higher degrees of secure anonymous communication._____<3lines.  The nonuniformity in the requirements of obtaining  accounts at different sites and institutions makes anonymous  accounts generally difficult to obtain to the public at large.  Many communications protocols are inherently detrimental to  anonosting. However, anonymous accounts (public accounts as  accessable and anonymous as e.g. public telephones) may be  effective as well, but this use is generally not officially  supported and even discouraged by some system adminstrators and NSF  guidepeutic  newsgroups. Unfortunately, extortion and harassment become more  insidious with assurances of anonymity._____<3.3> How can anonymity be protected on the internet?  The chief means, as alluded to above, are masking identities in  email and pe  departments run phone services that allow anonymous reporting of  crimes; such uses would be straightforward on the network.  Anonymity can be extremely important and potentially lifesaving  diagnoses and discussions carried out on medical or theuraetaliation. Sensitive, personal, potentially damaging information  is often posted to some USENET groups, a risky situation where  anonymity allows conversations to be carried on completely  independent of the identities of the participants.  Some policbut this has not been    implemented yet.  - Although an unlikely scenario, traffic to any of these sites could    conceivably be monitored from the `outside', necessitating the    use of cryptography for basic protection,.  - Local administrators can shut them down either out of caprice or    under pressure from local, network, or government agencies.  - Unscrupulous providers of the services can monitor the traffic    that goes through them.  - Some remailers keep logs that may be inspected.erver itself are a problem, possibly    allowing unauthorized users to potentially glean anon ID - email    address  mappings in the alias file.  This can be remedied with    the use of passwords.  - Infinite mail loops are possible with chaining remailready allocated anonymous    return addresses.  - Others passed signature information embedded in messages    unaltered.  - Address resolution problems resulting in anonymized mail bounced    to a remailer are common.  - Forgeries to the anonymous sliable, and not  completely trustworthy.  No standards have been established and  troubling situations of loss of anonymity and bugs in the software  are prevalent.  Here are some encountered and potential bugs:  - One anonymous remailer reallocated a  As noted, many factors compromise the anonymity currently available  to the general internet community, and these services should be  used with great caution.  To summarize, the technology is in its  infancy and current approaches are unrefined, unrectronic Messages Sets    Off a Furor'', D. L. Wilson, Chronicle of Higher Education,    May 12, 1993 p. A25.  - Information Week, May 31 1993 pg. 84 summarizes the Wall St.    Journal article._____<3.6> Why is anonymity (un)stable on the internet?o:  - Anonymity on the Internet FAQ, rtfm.mit.edu:    /pub/usenet/news.answers/net-anonymity.  - ``Censorship Fights Heat Up on Academic Networks'', W. M.    Bulkeley, Wall St. Journal, May 24 1993 p. B1.  - ``A Computer Program That Can Censor EleTP protocols to submit a  message directly to a newserver with arbitrary field information.  This practice, not uncommon to hackers, is also generally viewed  with hostility by most system administrators, and similar  consequences can ensue.  See alsnymous posting to  misc.test (however some operators don't recommend this because many  sites `autorespond' to test messages, possibly causing the  anonymous server to allocate anonymous IDs for those machines).  Another direct route involves using NNing'?  Anonymous servers have been established as well for anonymous Usenet  posting with all the associated caveats above (monitored traffic,  capricious or risky local circumstances, logging).  Make sure to  test the system at least once by e.g. anok will contact local administrators to  request a message be tracked and its writer admonished or punished  more severely (such as revoking the account), all of this actually  happening occasionally but infrequently._____<3.5> What is `anonymous postrmation in the header routing data  and logs of network port connection information may be retained  that can be used to track the originating site.  In practice, this  is generally infeasible and rarely carried out.  Some  administrators on the networves using SMTP  protocols to submit a message directly to a server with arbitrary  field information.  This practice, not uncommon to hackers, and the  approach used by remailers, is generally viewed with hostility by  most system administrators.  Info   to the philosophy of anonymity when the operation is discovered,    regarding it as illicit use.  - In all cases, a high degree of trust is placed in the anonymous    server operator by the user.  Currently the most direct route to anonymity invol  - The cypherpunk approach tends to be highly unstable because these    operators are basically network users who do not own the    equipment and are accountable  to their own system    administrators, who may be unaware of the use and unsympathetic lers.  Source code is being distributed, tested, and refined for these  systems, but standards are progressing slowly and weakly. The  field is not likely to improve considerably without official  endorsement and action by network agencies.  The whole idea is  essentially still in its infancy and viewed with suspicion and  distrust by many on the internet, seen as illegitimate or favorable  to criminality.  The major objection to anonymity over regular  internet use is the perceived lack of `accounting, encryption, and other privacy and rights issues associatedwith use of the Internet and global networks in general.(Search for <#.#> for exact section. Search for '_' (underline) fornext section.)                                                 c) Copyright 1993 L. Detweiler.  Not for commercial use except by  permission from author, otherwise may be freely copied. Not to be  altered.  Please credit if quoted.SUMMARY=======Information on email and account privacy, anonymous mailing andposr portion of existing traffic is anonymized. Conceivably the  services could play a role in influencing future mainstream social  acceptance of Usenet.IDENTITY, PRIVACY, and ANONYMITY on the INTERNET================================================( to the underground.  The ramifications of the  widespread introduction of anonymity to Usenet are still largely  unknown.  It is unclear whether it will provoke signficant amounts  of new traffic or, instead of expansion, cause a shift where a  greateffic statistics, anonymous services are  in huge demand. Pervasive and readily available anonymity could  carry significant and unforeseen social consequences. However, if  its use is continued to be generally regarded as subversive it may  be confinedd and `alt' groups have had  in the past. For example, as part of new group creation, the  charter may specify whether `anonymous' posting is (un)welcome.  Nevertheless, the widespread introduction and use of anonymity may  be inevitable. Based on tramous posting is a  disruptive and dangerous idea and detracts from discussions in  `serious' groups.   The introduction of unlimited group anonymity  may have fundamental repercussions on Usenet conventions and  distribution mechanisms such as moderate  The future of anonymous services on the internet is, at this time,  highly uncertain and fraught with peril. While specific groups seem  to benefit significantly from anonymous posting capabilities, many  feel that unlimited newsgroup scope for anonyver the internet globally so that local weaknesses  (such as corrupt governments or legal wiretapping within a nation)  would be more unlikely to sacrifice overall security by message  tracing.  However, remailers run by corrupt operators are possible.estination.  In this way generally multiple  links of the chain have to be `broken' for security to be  compromised. Re-encryption at each link makes this scenario even  more unlikely.  Even more significantly the anonymous remailers  could be spread oample, the same mechanism that  routes email over multiple hosts, thereby threatening its privacy,  can also be used to guarantee it.  In a scheme called `chaining' an  anonymous message is passed through multiple anonymous servers  before reaching a d anonymous mail however they prefer,  e.g. ignoring it or filtering it with kill files._____<3.7> What is the future of anonymity on the internet?  New anonymous protocols effectively serve to significantly increase  safeguards of anonymity.  For extribution flows.  This may only  have the effect of encouraging server operators to create less  characteristically detectable headers.  Probably the least  problematic approach, and the most traditional to Usenet, is for  individual users to deal withtability' to system  operators, i.e. invulnerability to account restrictions resulting  from outside complaints.  System adminstrators at some sites have  threatened to filter anonymous news postings generated by the  prominent servers from their redis                                                                                                                                                                                                                                                                PRIVACY ON THE INTERNET - PART 4ISSUES======_____<4.1> What is the Electronic Frontier Foundation (EFF)?  From ftp.eff.org:/pub/EFF/mission_statement:  > A new world is arising in the vast web of digital, electronic  > media which connect us.  f the  > future....I ask your help in gaining input from the computer  > industry so that the Subcommittee can shape policies that will  > bring this spirit of innovation and entrepreneurship to the  > information services industry.  ftp.eff.org  ==ch  > competition is open and innovation rewarded.  I also want to  > learn what lessons from the computer industry over the past ten  > to fifteen years should apply to the current debate on  > structuring the information and communications networks o a consumer-oriented, public information network. Please let me or  > my staff know what policies you and others in the computer  > industry believe would best serve the public interest in creating  > a reasonably priced, widely available network in whiatly  by myself and the Members of the Subcommittee'' (complete text in  ftp.eff.com:/pub/pub-infra/1991-12):  > ...we need to pursue policies that encourage the Bell companies to  > work with other sectors of the communications industry to create  >rimary jurisdiction over telecommunications policy dated  November 5, 1991, Representative Edward J. Markey complemented  Mitchell Kapor on his ``insights on the development of a national  public information infrastructure'' which ``were appreciated grempanying civil suit (see section on ``Steve  Jackson Games'').  The foundation publishes EFF News (EFFector  Online) electronically, send requests to effnews-request@eff.org.  In a letter to Mitchell Kapor from the Chairman of the Subcommittee  with pmultimillionaire Mitchell Kapor, founder of  Lotus software, and John Barlow, lyricist for the Grateful Dead  rock band.  A highly publicized endeavor of the organization  involved the legal defense of Steve Jackson Games after an FBI  raid and an accoy useful and  > beneficial not just to a technical elite, but to everyone; and to  > do this in a way which is in keeping with our society's highest  > traditions of the free and open flow of information and  > communication.  EFF was started by the r and communications technologies,  > even as they struggle to master or simply cope with them in the  > workplace and the home.  >  > The Electronic Frontier Foundation has been established to help  > civilize the electronic frontier; to make it trulorks.  Conflicts come about as  > the law struggles to define its application in a context where  > fundamental notions of speech, property, and place take  > profoundly new forms. People sense both the promise and the  > threat inherent in new computeonic frontier.  >  > While well-established legal principles and cultural norms give  > structure and coherence to uses of conventional media like  > newspapers, books, and telephones, the new digital media do not  > so easily fit into existing framew                                                                                                                                                                                                                                                                ˆŠ‹ŒŽ‘’“”•–—˜™š›œžŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼                                                                                                                                                                                                            Computer-based communication media like  > electronic mail and computer conferencing are becoming the basis  > of new forms of community.  These communities without a single,  > fixed geographical location comprise the first settlements on an  > electr=========  /pub/EFF/about-eff  ---    A file of basic information about EFF including goals, mission,    achievements, and current projects. Contains a membership form.  /pub/EFF/historical/founding-announcement  ---    EFF founding press release.  /pub/EFF/historical/eff-history  ---    John Perry Barlow's ``Not Terribly Brief History of the EFF'' (July    10, 1990).  How EFF was conceived and founded, major legal cases,    and the organizational directions.  /pub/EFF/historical/legal-caseight be' a document  > compromising the security of the 911 telephone system.  (A detailed and vivid account of the seizure is documented in the  book ``The Hacker Crackdown'' by Bruce Sterling.)  FBI agents  involved in the seizure were named in a cihe SJG Computer Bulletin  > Board System.  Yet Jackson and his business were not only  > innocent of any crime, but never suspects in the first place.  > The raid had been staged on the unfounded suspicion that  > somewhere in Jackson's office there `monal  > warrant, agents of the Secret Service conducted a search of the  > SJG office.  When they left they took a manuscript being prepared  > for publication, private electronic mail, and several computers,  > including the hardware and software of tng the Steve Jackson Games company of  Austin Texas on March 1, 1990.  From the column GURPS' LABOUR LOST  by Bruce Sterling <bruces@well.sf.ca.us> in Fantasy and Science  Fiction Magazine:  > In an early morning raid with an unlawful and unconstitutiues in dozens of  > jurisdictions.  Massive `show-trials' never materialized, although isolated  instances of prosecution were pursued.  The movement reached a  crescendo in Texas with the highly publicized case of illegal  search and seizure involvi  > their criminal instruments.  It also saddled analysts with some  > 24,000 floppy disks, and confronted harried Justice Department  > prosecutors with the daunting challenge of a gigantic nationwide  > hacker show-trial involving highly technical iss,1990, concentrated on telephone code-fraud and credit-card  > abuse, and followed this seizure plan with some success.  > [Bulletin Board Systems] went down all over America, terrifying  > the underground and swiftly depriving them of at least some ofall thievery. (Descriptions of real  `hacking' exploits can be found in the book Cyberpunk by J. Markoff  and K. Hafner.)  See ftp.eff.org:/pub/SJG/General_Information/EFFector1.04:  > `Operation Sundevil,' the Phoenix-inspired crackdown of May  > 8eve Jackson Game case?  In the early 1990's a fear spread among U.S. law enforcement  agencies on the illicit activities of `hackers' and `phreakers'  involved in such activities as computer tampering via modem, credit  card fraud, and long-distance cest collection of privacy documents on the internet.  For  more information, anonymous FTP to cpsr.org:/cpsr/cpsr_info.  (Thanks to Dave Banisar <banisar@washofc.cpsr.org> for contributions  here.)_____<4.3> What was `Operation Sundevil' and the Stity commissions to  testify on privacy, information policy, computer security, and  caller identification.  CPSR has created an extensive Internet Privacy library available  via FTP, Gopher, WAIS, and email at cpsr.org, currently comprising  the largmentation  on issues such as Operation Sundevil, the FBI wiretap proposal,  NSA's interference in crypography, the breakup of the 2600 raid in  Arlington, Va in Nov 1992. Members speak frequently in front on  Congress, state legislators and public util since ~1982.  The group has three offices (Palo Alto, Cambridge,  Washington, DC) and 20 chapters. It is involved in litigation  against the FBI, The NSA, NIST, the Secret Service and other other  U.S. government agencies to declassify and provide docu-summary  ---    EFF legal case summary._____<4.2> Who are Computer Professionals for Social Responsibility (CPSR)?  The Computer Professionals for Social Responsibility have been  working to protect and promote electronic civil liberties issues vil suit filed on behalf  of Steve Jackson Games by The Electronic Frontier Foundation.  See  information on EFF below.  From an article by Joe Abernathy in the  Houston Chronicle ~Feb 1, 1993:  > AUSTIN -- An electronic civil rights case against the Secret  > Service closed Thursday with a clear statement by federal  > District Judge Sam Sparks that the Service failed to conduct a  > proper investigation in a notorious computer crime crackdown,  > and went too far in retaining  custody of seized eout to be  > irrevocably altered.  But will that network be the open,  > accessible, affordable network that the American public needs?  > You can help decide this question.  >  > The Electronic Frontier Foundation recently presented a plan to  > Con. V. der Leun in the file  ftp.eff.org: /pub/pub-infra/1991-11:  > Telecommunications in the United States is at a crossroads.  With  > the Regional Bell Operating Companies now free to provide  > content, the shape of the information networking is abndard that utilizes  existing copper telephone lines, and is a possible inexpensive and  intermediate alternative to laying fiber optic cable for phone  networks.  The speeds involved may be sufficient for audio and  video transmission applications.  Grything you wanted to know but    could never find.  /pub/cud/papers/sj-resp  ---    Steve Jackson's response to the charges against him._____<4.4> What is Integrated Services Digital Network (ISDN)?  ISDN is a high-speed data communications staSee the Wall Street Journal, 3/18/93, p. B1,  ``Ruling Gives Privacy a High-Tech Edge''  ftp.eff.org  ===========  /pub/cud/papers/sundevil  ---    A collection of information on Operation SunDevil by the Epic    nonprofit publishing project. Eveed as a legal precedent explicitly  guaranteeing protection of electronically stored information under  the Privacy Protection Act, and safeguarding bulletin boards and  electronic mail by federal wiretap laws limiting government  surveillance powers.  spent by the Electronic Frontier  > Foundation in bringing the case to trial. The EFF was founded by  > Mitchell Kapor amid a civil liberties movement sparked in large  > part by the Secret Service computer crime crackdown.  The trial is now recogniz harm Steve Jackson economically?"  >  > Foley replied, "No, sir," but the judge offered his own answer.  >  > "You actually did, you just had no idea anybody would actually go  > out and hire a lawyer and sue you."  >  > More than $200,000 has beenou read the article in Business Week magazine where it had  > a picture of Steve Jackson -- a law-abiding, tax-paying citizen  > -- saying he was a computer crime suspect?  >  > "Did it ever occur to you, Mr. Foley, that seizing this material  > could. Foley, to find out what  > Steve Jackson Games did, what it was?" asked Sparks. "An hour?  >  > "Was there any reason why, on March 2, you could not return to  > Steve Jackson Games a copy, in floppy disk form, of everything  > taken?  >  > "Did yoyee, or to determine  > that the company was a publisher. Indeed, agents testified that  > they were not even trained in the Privacy Protection Act at the  > special Secret Service school on computer crime.  >  > "How long would it have taken you, Mrhe Austin  > science fiction magazine and game book publisher was never  > suspected of a crime, and that agents did not do even marginal  > research to establish a criminal connection between the firm and  > the suspected illegal activities of an emplation and abusive computer  > seizure policies.  While the Service has seized dozens of  > computers since the crackdown began in 1990, this is the first  > case to challenge the practice.  >  > Sparks grew visibly angry when it was established that tquipment.  >  > Secret Service Special Agent Timothy Foley of Chicago, who was in  > charge of three Austin computer search-and-seizures on March 1,  > 1990, that led to the lawsuit, stoically endured Spark's rebuke  > over the Service's poor investiggress calling for the immediate deployment of a national  > network based on existing ISDN technology, accessible to anyone  > with a telephone connection, and priced like local voice service.  >  We believe deployment of such a platform will spur the  > development of innovative new information services, and maximize  > freedom, competitiveness, and civil liberties throughout the  > nation.  >  > The EFF is testifying before Congress and the FCC; making  > presentations to public utility commision for natiowide computer data    `superhighway.'  IBM-MCI venture as monopoly destructive to fair    competition and  innovation?  National Science Foundation NSFnet.    complete text in  /pub/pub-infra/1991-12.  Commentary  ==========  /pub/academideral program to accelerate development and    deployment of an advanced information infrastructure.  U.S. SAID TO PLAY FAVORITES IN PROMOTING NATIONWIDE COMPUTER NETWORK  By John Markoff, N.Y. Times (~18 Dec 91).  ---    President Bush's legislationInformation Infrastructure and Technology    Act of 1992 introduced by Senator Gore to expand Federal efforts    to develop technologies for applications of high-performance    computing and high-speed networking, and to provide for a    coordinated Fe  ftp.eff.org  ===========  /pub/internet-info/gore.bill  ---    102nd congress 1st Session. Text of high performance computing    bill cosponsored by Sen. A. Gore.  /pub/EFF/legislation/gore-infrastructure-bill  ---    The text of S.2937, the te high-speed data  network infrastructure augmenting the internet with up to 50 times  faster transmission rates.  The bill passed the House on November  20, 1991, the Senate on November 22, 1991, and was signed by the  President on December 9, 1991.es and news articles.  Letter from Rep.    E. J. Markey to M. Kapor._____<4.5> What is the National Research and Education Network (NREN)?  The Nation Research and Education Network was introduced in  legislation cosponsored by Sen. A. Gore to promo Bell Operating Companies or    `Baby Bells', e.g. NET, New England Telephone). Influencing    development of future networks (e.g. ISDN and NREN, National    Research and Education  Network), encouraging competition (cable    TV systems). Press releas Services Digital Network.    Uses of ISDN (phone video, audio, etc.)  Japanese model.    Alternatives to ISDN (HDSL, ADSL, fiber optics). Technical    specifications of ISDN, implementation details, cost issues,    political obstacles, (RBOC, Regionalin ftp.eff.org:/pub/pub-infra/1992-01.  ftp.eff.org:/pub/pub-infra/  ---    Files 1991-11 through 1992-05 containing email from the EFF public    infrastructure group organized by month.  Opinions and facts on    the pros and cons of ISDN, Integratedses, written in popular science    style.   John Perry Barlow (cofounder EFF). Regional telephone    companies (Ohio Bell).  ISDN as ``Technological Rorschach Test.''     Anecdotes about McDonald's,  Barbara Bush teleconferencing. See    complete text ---    56Kbps vs. ISDN services and products. See comments by J. Powers    in ftp.eff.org:pub/pub-infra/1992-02.  ``Telephone Service That Rings of the Future.'' By Joshua Quittner.  Newsday, Tue, Jan 7 1992.  ---    Implications of ISDN for the mas documents open-platform-overview  or send mail to eff@eff.org.  See also the Introduction to the EFF  Open Platform Proposal in ftp.eff.org:/pub/pub-infra/1991-02.  References  ==========  ``Digital Data On Demand.'' MacWorld, 2/82 (page 224).  ernet, as pioneers on  > the electronic frontier, need to have their voices heard at this  > critical moment.  To automatically receive a description of the platform and details,  send mail to archive-server@eff.org, with the following line:    sends from Massachusetts to  > California; and meeting with representatives from telephone  > companies, publishers, consumer advocates, and other stakeholders  > in the telecommunications policy debate.  >  > The EFF believes that participants on the Intc/statements/nren.privacy.cpsr  ---    ``Proposed Privacy Guidelines for the NREN'' -- Statement of Marc    Rotenberg, Washington Director Computer Professionals for Social    Responsibility (CPSR).  /pub/internet-info/cisler.nren  ---    The National Research and Education Network: Two meetings Steve    Cisler, Senior Scientist Apple Computer Library December 17, 1990    Summary of meetings exploring educational issues of NREN by    diverse members of academia and industry.  /pub/internet-infoe in future wiretapping and    cryptographic regulation roles, by J. Barlow, cofounder of the    EFF (May 1992).  /pub/EFF/legal-issues/eff-fbi-analysis  ---    The EFF-sponsored analysis of the FBI's Digital Telephony proposal._____<4.7> What is ntent of wire and electronic communications when authorized by    law and for other purposes. Version 2 of the bill after FBI    changes in response to public response.  /pub/EFF/papers/decrypting-puzzle-palace  ---    Analysis of the NSA and FBI rolnes in January.  See also the section on the Clipper chip.  ftp.eff.org  ===========  /pub/EFF/legislation/fbi-wiretap-bill  /pub/EFF/legislation/new-fbi-wiretap-bill  ---    A bill to ensure the continuing access of law enforcement to the    coto get Congress to take up the bill before  > Congress adjourned, but the bill never ... found a Congressional  > sponsor (and was therefore never officially introduced). The FBI  > [may] reintroduce "Digital Telephony" when the 103rd Congress  > conveion. A white paper produced  > by the EFF and ratified by the coalition, entitled, `An Analysis  > of the FBI Digital Telephony Proposal,' was widely distributed  > throughout the Congress.  ... The Justice Department lobbied hard  > in the final days elf ...  >  > The Electronic Frontier Foundation organized a broad coalition of  > public interest and industry groups, from Computer Professionals  > for Social Responsibilty (CPSR) and the ACLU to AT&T and Sun  > Microsystems, to oppose the legislatthey will be  > unlikely to add any features that may result in a DOJ rejection  > of their entire product. ... the FBI proposal suggests that the  > cost of this wiretapping 'service' to the Bureau would have to be  > borne by the service provider its> communications products off the market if it determines that  > these products do not meet the DOJ's own ... guidelines. This  > [could] result in increased costs and reduced competitiveness for  > service providers and equipment manufacturers, since in progress, exclusive of any communications  > between other parties, regardless of the mobility of the target  > of the FBI's investigation, and without degradation of service.  >  > ... under the proposal, the Department of Justice (DOJ) can keep  anufacturers to make their  > systems 'tappable' by providing 'back doors' through which law  > enforcement officers could intercept communications. Furthermore,  > this capability would have been provided undetectably, while the  > communications was islation to amend the  > Communications Act of 1934 to make it easier for the Bureau to  > perform electronic wiretapping. The proposed legislation,  > entitled 'Digital Telephony,' would have required communications  > service providers and hardware my law...''  From `BBS Legislative Watch: FBIs Wiretapping Proposal Thwarted' by  S. Steele in Boardwatch Magazine, Feb. 1993, p. 19-22:  > In a move that worried privacy experts, software manufacturers and  > telephone companies, the FBI proposed leglephony Act?  ``Providers of electronic communication services and private branch  exchange operators shall provide within the United States  capability and capacity for the government to intercept wire and  electronic communications when authorized b/privatized.nren  ---    Feb. 14 1991 essay by M. Kapor advocating advantages of a private    National Public  Network, and specific recommendations for open    NREN policies encouraging  competition._____<4.6> What is the FBI's proposed Digital TeU.S. policy on freedom/restriction of strong encryption?  The Clipper announcement says ``we [the Clinton Administration]  understand the importance of encryption technology in  telecommunications and computing'' and specifically addresses the  question,  ``would the Administration be willing to use legal  remedies to restrict access to more powerful encryption devices?''  It states that ``The U.S. [is not] saying that  `every American, as  a matter of right, is entitled to an unbreakable commercia is a bibliography.  /pub/academic/faq/archive  ---    List of files available on the Computers and Academic Freedom    archive.  /pub/academic/news  ---    Directory of all issues of the Computers and Academic Freedom    News. A full list of absic freedom.  Covers free expression, due    process, privacy, and user participation.  /pub/academic/books  ---    Directory of book references related to Computers and Academic    Freedom or mentioned in the CAF discussion. The file books/README   eenfield (greeny@eff.org).  ftp.eff.org  ===========  /pub/academic/statements/caf-statement  ---    Codifies the application of academic freedom to academic    computers, reflecting seven months of on-line discussion about    computers and academso available via email. For  > information on email access send email to archive-server@eff.org.  > In the body of your note include the lines `help' and `index'.  >  > For more information, to make contributions, or to report typos  > contact J.S. Gronic Frontier Foundation FTP site.  > If you have gopher, the archive is browsable with the command:  >   gopher -p academic gopher.eff.org  >  > It is available via anonymous ftp to ftp.eff.org (192.88.144.4) in  > directory `pub/academic'. It is alrspace by R. E. Baird_____<4.10> What is the Computers and Academic Freedom (CAF) archive?  The CAF Archive is an electronic library of information about  computers and academic freedom. run by the Computers and Academic  Freedom group on the Electrackers Who Break into Computer Systems'' by Dorothy E Denning.  /pub/cud/papers/privacy  ---    ``Computer Privacy vs First and Fourth Amendment Rights'' by    Michael S. Borella  /pub/cud/papers/rights-of-expr  ---    Rights of Expression in Cybein.cyberspace  ---    Laurence Tribe's keynote address at the first Conference on    Computers, Freedom, & Privacy. `The Constitution in Cyberspace'  /pub/cud/papers/denning  ---    Paper presented to 13th Nat'l Comp Security Conf ``Concerning    Hes of electronic monitoring in the    workplace.  /pub/cud/law/us.e-privacy  ---    Title 18, relating to computer crime & email privacy._____<4.9> What are references on rights in cyberspace?  ftp.eff.org  ===========  /pub/cud/papers/const.ted States (federal    code), Canada, Ghana, and Great Britain.  /pub/cud/law/bill.s.618  ---    Senate bill 618, addressing registration of encryption keys with    the government.  /pub/cud/law/monitoring  ---    Senate bill 516; concerning abus    AL, AK, AZ, CA, CO, CT, DE, FL, GA,                                  HI, IA, ID, IL, IN, MD, MN, NC, NJ,                                  NM, NY, OR, TX, VT, VA, WA, WI, WV.  /pub/cud/law/<country>  ---    Current computer crime laws for: The Uniues would be  unconstitutional under guarantees of freedom of speech._____<4.8> What other U.S. legislation is related to privacy?  ftp.eff.org  ===========  /pub/cud/law/<state>  ---    State computer crime laws:                               currently no  U.S. laws regulate domestic cryptography use, although the U.S.  International Traffic in Arms Regulations classify cryptographic  devices as `munitions' and regulate export.  Some argue that  regulation of domestic cryptographic techniql  encryption product' '' although currently ``the Administration is  not saying, `since [strong] encryption threatens the public safety  and effective law enforcement, we will prohibit it outright' as  some countries have effectively done.''  However,tracts is available in file `abstracts'.    The special best-of-the-month issues are named with their month,    for example, `June'._____<4.11> What is the Conference on Freedom and Privacy (CFP)?  CFP is a yearly conference covering issues such as data security,  hacking, viruses, law enforcment, etc.  The written proceedings  and the electronic written proceedings of the Second Conference on  Computers, Freedom, and Privacy, sponsored by the Association for  Computing Machinery and held March 1ephones and other network devices, and the government commitment  to installing it in future select  government telephones with  potentially much more widespread penetration (e.g. NREN, commercial  telephones, computers, etc.). The voluntary program see                                                                                                                                                                                                                                                                ½¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëì                                                                                                                                                                                                                 wsgroups by NIST) that introduced the technology and  `proposal' that had been developed in strict secrecy prior to that  date.  The `initiative' introduced the Clipper Chip, a high-speed  and `high-security' encryption device with applications in  telPRIVACY ON THE INTERNET - PART 5CLIPPER=======_____<5.1> What is the Clipper Chip Initiative?  On April 16, 1993 the Clinton Administration announced the Clipper  Chip Directive in a saturated publicity effort (including postings  to Usenet ne                                                                                                                                                                                                                                                                 where filename is the name of the file you wish  > to retrieve.  send index will return an index of available  > files.                                                                                                                                   he  > password, and locate files in directory pub; an index of all  > files is available for download.  >  > For users with Internet-accessible e-mail capability, send  > e-mail to docserver@csrc.nist.gov with the following message:  > send filename,et users with telnet or ftp capability may telnet to the  > BBS at cs-bbs.nist.gov (129.6.54.30).  To download files, users  > need to use ftp as follows:  ftp to csrc.nist.gov (129.6.54.11),  > log into account anonymous, use your Internet address as tter with communications  > capability and a modem.  For modems at 2400 bits per second (BPS)  > or less, dial (301) 948-5717.  For 9600 BPS, dial (301) 948-5140.  > Modem settings for all speeds are 8 data bits, no parity, 1 stop  > bit.  >  > Internurces provide  > information on computer security publications, CSL Bulletins,  > alert notices, information about viruses and anti-virus tools, a  > security events calendar, and sources for more information.  >  > To access the BBS, you need a compu  here._____<4.12> What is the NIST computer security bulletin board?  > NIST maintains a computer security bulletin board system (BBS)  > and Internet-accessible site for computer security information  > open to the public at all times.  These resoings, make an ftp connnection  to ftp.gwu.edu and login as "anonymous".  Get file CFP2S00, which  has a table of contents describing the other files CFP2S01,  CFP2S02, ..., CFP2S11.  Thanks to Lance J. Hoffman <hoffman@seas.gwu.edu> for contributions8-20, 1992 in Washington, D. C.  are available.  To obtain the written proceedings, contact the ACM Order Department,  P. O. Box 64145, Baltimore MD 21264, 1-800-342-6626 or  1-410-528-4261 (MD, AK, and outside US).  To obtain the electronic proceedks to unite  the federal government and private industry ``to improve the  security and privacy of telephone communications while meeting the  legitimate needs of law enforcement'' by use of the chip. Critical  aspects of the directive:  - ``A state-of-the-art microcircuit called the `Clipper Chip' has    been developed by government engineers'', for use in phones with    more power than many commercial encryption devices currently    available. ``The key escrow mechanism will provide Americans wit  security of the key escrow system.''  - ``Respected experts from outside the government will be offered    access to the confidential details of the algorithm to assess its    capabilities and publicly report their findings.''  - ``We are willing to reasoned, balanced approach such as is proposed with the "Clipper  Chip" and similar encryption techniques.''_____<5.3> Why are technical details of the Clipper chip being kept secret?  - The algorithm will ``remain classified'' to ``protect the  ng privacy via encryption vs. wiretapping, the Clipper  announces: ``There is a false `tension' created in the assessment  that this issue is an "either-or" proposition.  Rather, both  concerns can be, and in fact are, harmoniously balanced through a  r criminals.'' and declares  that ``We need the "Clipper Chip" and other approaches that can  both provide law-abiding citizens with access to the encryption  they need and prevent criminals from using it to hide their illegal  activities.''  Regardi the law.''  The statement notes that sophisticated encryption technology is  increasingly being used by Americans to ``protect business secrets  and the unauthorized release of personal information'' but also  ``by terrorists,  drug dealers, and othehelps to protect the privacy of  individuals and industry, but it also can shield criminals and  terrorists.''  ``The Administration is committed to policies that  protect all Americans' right to privacy while also protecting them  from those who breakf protecting Americans'  and `previous policies [that] have pitted government against  industry and the rights of privacy against law enforcement.' The  Clipper Initiative attempts to find a compromise in encryption's  ``dual-edge sword'' wherein it ``e President, the Vice President, and    appropriate Cabinet officials.''_____<5.2> How does Clipper blunt `cryptography's dual-edge sword'?  The Clipper wiretapping initiative refers to `tension between  economic vitality and the real challenges oate conversations of    Americans''.  - The Clipper decision was developed and sanctioned by The National    Security Council, the Justice Department, the Commerce    Department, and ``other key agencies''.  ``This approach has    been endorsed by thy General will soon purchase several thousand of the    new devices.'' to ``demonstrate the effectiveness of this new    technology.''  - `Clipper Chip' technology provides law enforcement with ``no new    authorities to access the content of the priv.''  - ``The two key-escrow data banks will be run by two independent    entities.  At this point, the Department of Justice and the    Administration have yet to determine which agencies will oversee    the key-escrow data banks.''  - ``The Attornerow" system will be established to ensure that the    "Clipper Chip" is used to protect the privacy of law-abiding    Americans.''  Keys are released from the escrow agencies to    ``government officials with legal authorization to conduct a    wiretapations    and prevent unauthorized release of data transmitted    electronically'' while preserving ``the ability of federal, state    and local law enforcement agencies to intercept lawfully the    phone conversations of criminals''.  - ``A "key-esch    an encryption product that is more secure, more convenient, and    less expensive than others readily available today.''  - The technology seeks to ``help companies protect proprietary    information, protect the privacy of personal phone conversinvite an independent panel of cryptography    experts to evaluate the algorithm to assure all potential users    that there are no unrecognized vulnerabilities.''_____<5.4> Who was consulted in the development of the Clipper chip?  - ``The President has directed early  and frequent consultations    with affected industries, the Congress and groups that advocate    the privacy rights of individuals.''  - ``We have briefed members of Congress and industry leaders on the    decisions related to telectronic communications, from cellular telephone calls to    > computer data.    >    > "I don't want to sound too stridently opposed to this," said Ken    > Wasch, executive director of the Software Publishers    > Association (SPA) in Washington. ght-Ridder/Tribune Business News, ~Apr. 17 1993.    > SAN JOSE, Calif.--Apr. 17--Civil libertarians and a major    > computer industry group raised concerns Friday about how much    > protection a Clinton administration plan would afford private    > ance between banning private    > encryption and declaring a public right to unbreakably coded    > conversations.  - ``Computer Group, Libertarians Question Clinton Phone Privacy    Stance.'' By Rory J. O'Connor, San Jose Mercury News, Calif.    Knimanufacture    > likens to the choice of VHS over Beta for videotape machines.    >    > An administration official said the consideration will be given    > to banning more sophisticated systems investigators cannot    > crack, thereby creating a balrdable chip to scramble phone calls.'' By    Frank J. Murray. The Washington Times, April 17, 1993 Saturday,    Final Edition.    > President Clinton gave a major boost yesterday to one telephone-    > scrambler technology in a decision its delighted t    > licenses for the NSA-proof products.  Even that may not appease    > the spymasters.  ``No one rules out a mandatory encryption    > standard,'' says NIST spokesman Mats Heyman.  That's industry's    > greatest fear.  - ``Government picks affock.'' S. Begley, M. Liu, J. C. Ramo.  Newsweek, June 7    1993.    > For now, no one is forced to use the NSA chip.  But    > manufacturers who put a rival chip into, say, their modems    > would likely be denied government contracts, as well as exporr to spy invisibly on these contacts, we take    > a giant step toward a world in which privacy belongs only to the    > wealthy, the powerful, and perhaps, the criminals.''  - ``The Code of the Future: Uncle Sam wants you to use ciphers it    can cra daily interaction with intimates we    > can only rarely afford to visit in person,'' said Whitfield    > Diffie, a computer researcher at Sun Mycrosystems and one of    > the nation's leading cryptographers.  ``By codifying the    > Government's powe_____<5.6> What are references on the Clipper Chip?  - ``Wrestling over the Key to the Codes.'' J. Markoff. The New    York Times, Sunday May 9, 1993.    > ``Electronic communication will be the fabric of tomorrow's    > society, and we will haveor each export is required to ensure    appropriate use of these devices'' fitting in with the existing    program for review of ``other encryption devices.'' ``We expect    export licenses will be granted on a case-by-case basis for U.S.    companies.ces them.''  - The chip's (unspecified) `programming function' ``could be    licensed to other vendors in the future.'' Also, ``We plan to    review the possibility of permitting wider exportability of these    products.''  - ``Case-by-case review fating the "Clipper    Chip" into their devices.''  - ``The government designed and developed the key access encryption    microcircuits, but ... product manufacturers ... [buy] the    microcircuits from the chip manufacturer [Mykotronx] that    produhis initiative'' and ``expect those    discussions to intensify''._____<5.5> How is commerical use/export of Clipper chips regulated?  - ``Q. How do I buy one of these encryption devices?  A. We expect    several manufacturers to consider incorpor"But...we feel blindsided."    >    > American Telephone & Telegraph Co. announced Friday it would    > adapt the $1,200 product, called the Telephone Security Device,    > to use the Clipper Chip by the end of this fiscal quarter. AT&T    > makes a related device, which encrypts voice and computer data    > transmissions, that could be converted to the Clipper    > technology, said spokesman Bill Jones.    >    > VLSI, which invented a manufacturing method the company said    > makes it difficultrcement agency's to retain wiretapping    ability without serious or impossible obstacles.  - May enable broad new traffic analysis by law enforcement agencies.  Criticisms  ----------  - Algorithm designed exclusively by the NSA with biased interesd superior algorithm endorsed by the    NSA.  - May establish a new standard whereby  companies may be able to    come up with competing pin-compatible chips.  - Potential for encrypting `on top' of the Clipper algorithm.  - May allow diverse law enfotion on Mycotronx,  the Clipper chip maker._____<5.7> What are compliments/criticisms of the Clipper chip?  Compliments  ----------  - Chip may protect the law abiding citizen's privacy from the casual    snooper.  - Potentially sophisticated ane rest of the world.  For additional details, call Mat Heyman, National Institute of  Standards and Technology, (301) 975-2758.  See also soda.berkeley.edu:/pub/cypherpunks/clipper/ for an excellent  collection of data and articles, including informa> encryption products available on the market that are, in    > theory, unbreakable codes.    >    > "A criminal probably wouldn't use it," said Mike Agee, marketing    > manager for secure products at AT&T, adding that the Clipper    > Chip is for thBut government officials had a difficult time last week    > rebutting the question why any criminal would use a Clipper    > Chip-based product when the person knows the government could    > listen in, particularly since there are a host of other     > government standard for encryption devices.  - ``Clinton security plan hints of Big Brother: Clipper Chip would    let governemnt eavesdrop on encrypted voice and data    communications.'' By Ellen Messmer. Network World, April 19,    1993.    >  communications over telephones, fax machines, and    > computers while ensuring the government's ability to eavesdrop.    >    > The official White House announcement yesterday was the    > endorsement of the Clipper Chip, developed by NSA, as the   US reveals computer chip for scrambling telephones.'' By John    Mintz. Washington Post, April, 17 1993.    > WASHINGTON -- The White House yesterday announced its new plan    > to prevent criminals, terrorists, and industrial spies from    > decodingth experts in the industry" whose investments    > could be wiped out.    >    > To spur the venture, the Justice Department will soon purchase    > several thousand of the devices. Military and spy agencies also    > are expected to use them.  - ``> Bryen, a former Pentagon official who runs a company developing    > a rival encryption system.    >    > Bryen said it was "very disturbing" that the government has gone    > so far with the previously classified project "without    > consulting wideral government has designed a    > powerful device that would protect the privacy of electronic    > communications by encoding them but still allow police to    > eavesdrop.    >    > "`A.k.a. Big Brother,' that's what I call it," said Stephen    o Protect Privacy, But Allow Police    Monitoring.'' By Christopher Drew, Chicago Tribune.    Knight-Ridder/Tribune Business News, ~Apr. 19, 1993.    > WASHINGTON--Apr. 19--As a step toward the development of vast    > new data "superhighways," the fe to "reverse engineer" the chip or discern    > the encryption scheme,  expects to make $50 million in the next    > three years selling the device, said Jeff Hendy, director of    > new product marketing for the company.  - ``New Scrambler Designed tts.  - Possibly unsophisticated, inferior, or more costly in comparison    with current or emerging technology.  - Compromised keys retroactively weaken all communication ever sent    over the device.  - Key generation techniques are `baroque activities in a vault':    suspicious and unrealistic-sounding.  - Impossible to ensure secrecy of a chip in the face of today's    technology and inevitable intense independent inquiry and    scrutiny,  and dependence on it weakens security.  - No specific agencies are.  - Appears to assume that Americans wish to preserve wiretapping    capabilities by law enforcement agencies in the face of new    unbreakable encryption technologies.  - Specifically does not commit to freedom of encryption and hints     better than many encryption technologies    available today but does not indicate that many are recognized to    be weak and new and more powerful technologies are already under    development.  - Vague on critical aspects such as who the key escrow aion  commitment to developing national    policies on  `information infrastructure' and the intrinsic role    of encryption  technology.  - Masterpiece of propaganda for study by future generations.  Criticisms  ----------  - States that Clipper ists.  - Publicizes previously secret development and processes regarding    Clipper in particular and cryptography in general.  - Well publicized within some circles. Usenet press release    unprecedented and sophisticated.  - Shows Clinton administratay require new vast and superfluous government bureacracies._____<5.9> What are compliments/criticisms of the Clipper announcement?  Compliments  -----------  - Shows unequivocal commitment to wiretapping drug dealers,    criminals, and terroris sales    not addressed.  - Secrecy of the chip design prevents inquiries into its precise    security.  - ``government engineers'' in competition with private industries,    with special favoritism in policies of the Clinton    administration.  - M on aspects of    chip operation staying confidential and undiscovered.  - Government appears to be colluding with private companies and    using leverage to intentionally create a monopoly.  - Possibility of taxpayer funds effectively subsidizing chipaw-abiding citizens will be inconvenienced    and/or sacrifice rights.  - Does not protect the individual from corrupt government officials.  - Secrecy of the algorithm may amount to `security through    obscurity,' i.e. the algorithm security may relyyer money with no meaningful public oversight and    scrutiny.  - Represents a fundamental switch in the government's role in    wiretapping from passive to active.  - Potentially criminals won't use the technology and will easily    evade it, while lwork of paramount constitutional guarantees    on freedom of speech and freedom from unreasonable search and    seizure wholly unaddressed.  - Unilaterally imposed, i.e. no involvement from the parties it    purports to represent.  - Funded with taxpaveness.  Criticisms  ----------  - Evasion of critical aspects (such as key agencies) and    preoccupation with others (references to criminals) ``begs the    question'' of inherent public desireability and support of plan.  - Legality within frame    to manage cryptographic technology.  - Potential new option for individuals and companies interested in    protecting privacy.  - Suggests Clinton administration has strong interest in technology,    reaching compromises, and encouraging competiti  Compliments  -----------  - Brings privacy and encryption issues into the limelight.  - Sharpens the public debate on the role, extent, and legitimacy of    wiretapping practices.  - Exposes previously concealed high-level agenda in U.S. governmentssurance that key generation is impartial and safe.  - Secrecy of the algorithm prevents serious inquiry and sabotages    trust in the algorithm. No guarantee against `back door'._____<5.8> What are compliments/criticisms of the Clipper Initiative?that failure of Clipper-style approaches may lead to restrictions    on strong cryptography.  - Gives the impression that Congress and private industry was    involved when their participation is minimal to nonexistent.  - Authoritarian, dictatorial, and Orwellian undertones.  - Evades mention of the NSA's specific involvement.  - Refers to the chip as `state of the art' without evidence.  - Refers to ``drug dealers, criminals, and terrorists'' with terms    such as `alleged,' `suspected,' `reputed,6.3> What is the cypherpunks mailing list?<6.4> What are some privacy-related newsgroups?  FAQs?<6.5> What is internet Privacy Enhanced Mail (PEM)?<6.6> What are other Request For Comments (RFCs) related to privacy?<6.7> How can I run an anonymous remas `anonymous posting'?<3.6> Why is anonymity (un)stable on the internet?<3.7> What is the future of anonymity on the internet?Part 3------ (next file)<6.1> What UNIX programs are related to privacy?<6.2> How can I learn about or use cryptography?<et?<2.11> What is the future of privacy on the internet?<3.1> What is `anonymity' on the internet?<3.2> Why is `anonymity' (un)important on the internet?<3.3> How can anonymity be protected on the internet?<3.4> What is `anonymous mail'?<3.5> What ire my files and directories?<2.6> How (in)secure is X Windows?<2.7> How (in)secure is my email?<2.8> How am I (not) liable for my email and postings?<2.9> Who is my sysadmin?  What does s/he know about me?<2.10> Why is privacy (un)stable on the intern<1.7> What is the future of identification on the internet?<2.1> What is `privacy' on the internet?<2.2> Why is privacy (un)important on the internet?<2.3> How (in)secure are internet networks?<2.4> How (in)secure is my account?<2.5> How (in)secure aoes my email address (not) identify me and my background?<1.4> How can I find out more about somebody from their email address?<1.5> How do I provide more/less information to others on my identity?<1.6> Why is identification (un)stable on the internet?ns with    Congress and industry on encryption issues'' are expected to    ``intensify.''* * *SEE ALSO========Part 1------ (previous file)<1.1> What is `identity' on the internet?<1.2> Why is identity (un)important on the internet?<1.3> How dmanufacture and export high    technology products.''  - ``The Federal Government must act quickly to develop consistent,    comprehensive policies regarding its use'' and ``as we carry out    our review of encryption policy'' the ``on-going discussioinistration is developing.''  - The `broad policy review' will also address the role of    cryptography in ``the development of a  National Information    Infrastructure or `information superhighways''' and consider    ``the need of U.S. companies to ed government agencies to develop a    comprehensive policy on encryption'' and ``explore new approaches     like the key-escrow system'' which ``is just one piece of what    must be the comprehensive approach to encryption technology,    which the Admstry and public-interest groups to    find innovative ways to protect Americans' privacy, help    businesses to compete, and ensure that law enforcement agencies    have the tools they need to fight crime and terrorism.''  - ``The President has directommunications networks and wireless  communications links'' utilizing the chip.  - ``we [of the Clinton Administration] understand the importance of    encryption technology in telecommunications and computing and are    committed to working with indus primary._____<5.10> Where does Clipper fit in U.S. cryptographic technology policy?  The Clipper chip is part of a large-scale plan that involves ``the  creation of new products to accelerate the development and use of  advanced and secure telec' and `accused'    conspicuously absent.  - Does not specifically commit to unrestrained public policy review    and appears to evade it.  - Evades mention of the history of the plan and erroneously implies    that Clinton administration involvement iiler?<6.8> What are references on privacy in email?<6.9> What are some email, Usenet, and internet use policies?<7.1> What is ``digital cash''?<7.2> What is a ``hacker'' or ``cracker''?<7.3> What is a ``cypherpunk''?<7.4> What is `steganography' and anonymous pools?<7.5> What is `security through obscurity'?<7.6> What are `identity daemons'?<7.7> What standards are needed to guard electronic privacy?<8.1> What is the background behind the Internet?<8.2> How is Internet `anarchy' like the Englis                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 &  f v     $  º þ          .   *  ð B READ.ME.FIRSTf à ¬ INET.PRIVACY15                                                                                                                                                                        orks in general.(Search for <#.#> for exact section. Search for '_' (underline) fornext section.)                                                                                                                                                          ly copied. Not to be  altered.  Please credit if quoted.SUMMARY=======Email and account privacy, anonymity, file encryption, relevantlegislation and references, and other privacy and rights issuesassociated with use of the Internet and global netw3Last-modified: 1993/10/11Version: 3.2IDENTITY, PRIVACY, and ANONYMITY on the INTERNET================================================(c) Copyright 1993 L. Detweiler.  Not for commercial use except by  permission from author, otherwise may be freeet and global networks in  general.X-Last-Updated: 1993/10/12Xref: senator-bedfellow.mit.edu sci.crypt:20646 comp.society.privacy:1643 alt.privacy:9093 sci.answers:559 comp.answers:2401 alt.answers:1104 news.answers:13891Archive-name: net-privacy/parteply-To: ld231782@longs.lance.colostate.eduNNTP-Posting-Host: pad-thai.aktis.comSummary: Email and account privacy, anonymity, file encryption,  relevant legislation and references, and other privacy and rights  issues associated with use of the Intern2 -0400Organization: TMP EnterprisesLines: 1082Sender: faqserv@security.ov.comApproved: news-answers-request@MIT.EduExpires: 29 Nov 1993 04:00:09 GMTMessage-ID: <net-privacy/part3_751521609@GZA.COM>References: <net-privacy/part1_751521609@GZA.COM>Rsgroups: sci.crypt,comp.society.privacy,alt.privacy,sci.answers,comp. answers,alt.answers,news.answersSubject: Privacy & Anonymity on the Internet FAQ (3 of 3)Supersedes: <net-privacy/part3_749707213@GZA.COM>Followup-To: posterDate: 25 Oct 1993 00:00:31 days.Written by L. Detweiler <ld231782@longs.lance.colostate.edu>.All rights reserved.Path: senator-bedfellow.mit.edu!bloom-beacon.mit.edu!pad-thai.akti s.com!pad-thai.aktis.com!not-for-mailFrom: ld231782@longs.lance.colostate.edu (L. Detweiler)Newh language?<8.3> Most Wanted list<8.4> Change history* * *This is Part 2 of the Privacy & Anonymity FAQ, obtained via anonymous  FTP to rtfm.mit.edu:/pub/usenet/news.answers/net-privacy/ or  newsgroups news.answers, sci.answers, alt.answers every 2                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                