<HTML>
<head><TITLE>PRIVACY Forum Archive Document - (priv.08.20) </TITLE></head>
<body bgcolor="#ffffff" text="#000000" link="#0000ff" vlink="#660099" alink="#ff0000">
<table border=0 cellpadding=0 cellspacing=0 width=100%>
<tr>
<td align=center>
<font size=+2><b>PRIVACY Forum Archive Document</b></font><br>
<A href="/privacy"><h3>PRIVACY Forum Home Page</h3></A><p>
<A href="http://www.vortex.com"><h4><i>Vortex Technology Home Page</i></h4></A><p>
<A href="/privmedia"><h4>Radio, Television, and Press Contact Information</h4></A><p>
</td>
</tr>
</table>
<hr>
<pre>
PRIVACY Forum Digest      Sunday, 19 December 1999      Volume 08 : Issue 20

(http://www.vortex.com/privacy/priv.08.20)

Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.
http://www.vortex.com

===== PRIVACY FORUM =====

-------------------------------------------------------------------
The PRIVACY Forum is supported in part by
the ACM (Association for Computing Machinery)
Committee on Computers and Public Policy,
Cable & Wireless USA, Cisco Systems, Inc.,
and Telos Systems.
- - -
These organizations do not operate or control the
PRIVACY Forum in any manner, and their support does not
imply agreement on their part with nor responsibility
for any materials posted on or related to the PRIVACY Forum.
-------------------------------------------------------------------

CONTENTS
    Buying Postage Over the Net--and Your Privacy
       (Lauren Weinstein; PRIVACY Forum Moderator)
    RST discovers defective crypto in Netscape mail password saver
       (Gary McGraw)
    New FTC Panel Will Be Web Privacy Watchdog
       (Monty Solomon)

*** Please include a RELEVANT "Subject:" line on all submissions! ***
***            Submissions without them may be ignored!           ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are via an automatic list server system;
for subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com".

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory.
Use the FTP login "ftp" or "anonymous", and enter your e-mail address as
the password.  The typical "README" and "INDEX" files are available to guide
you through the files available for FTP access.  PRIVACY Forum materials may
also be obtained automatically via e-mail through the list server system.
Please follow the instructions above for getting the list server "help"
information, which includes details regarding the "index" and "get" list
server commands, which are used to access the PRIVACY Forum archive.

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com".  Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "http://www.vortex.com";
full keyword searching of all PRIVACY Forum files is available via
WWW access.
-----------------------------------------------------------------------------

VOLUME 08, ISSUE 20

    Quote for the day:

        "Nobody's perfect!"

            -- Osgood Fielding III (Joe E. Brown)
               "Some Like it Hot" (United Artists; 1959)

----------------------------------------------------------------------

Date:    Sun, 12 Dec 99 09:43 PST
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Buying Postage Over the Net--and Your Privacy

Greetings.  If you watch much television, it's likely that you've seen some
of the ads promoting the new "print postage on your PC" services.  Two
companies are mainly competing in this area at this time: E-Stamp
(http://www.e-stamp.com) and Stamps.com (http://www.stamps.com).  The latter
is currently running a series of humorous commercials featuring Bob Newhart
as a harried business owner, describing his pleasure at finally finding a
way to have more stamps (for his recall notices) than he has defective
products.

Several years ago when I interviewed officials of the United States Postal
Service (USPS) and Postal Inspection Service for PRIVACY Forum Radio
(http://www.vortex.com/privacy/priv.05.20) on "change of address" topics, I
learned that these systems were in test with the USPS--they've now obviously
been fully deployed.

While the services are similar in terms of their final output (postage),
they have differing operational models in some respects.  E-Stamp relies on
a printer port "dongle" that the customer must purchase.  This stores
postage value for offline use.  Stamps.com requires no extra hardware, but
does require that the user be online at the time of postage printing.  The
fee structures also vary between the two services.  Both appear to be
charging a 10% premium for the actual postage, but various minimum fees may
apply monthly and/or per postal purchase.  As per USPS regulations, items
must be mailed within 24 hours of printing the postage, in a manner similar
to that of conventional postage meters.

One aspect that both of these services share, however, is a number of
privacy-relevant issues that are new to this technology.  Both make the
typical pronouncements regarding their use of personal data, individual vs.
aggregate data use/release, and so on.  At least one of them requires the
use of browser cookies.  But what might be the most surprising to many
potential users of these systems is the degree to which your mail might
become potentially trackable via these technologies.

Is this a big issue?  Should you care?  For most people, probably not.  For
others, perhaps.  But in either case, it's always wise to understand what's
going on.

Postage meters have always been tightly controlled by the USPS--for obvious
reasons.  All postage meters print a meter ID on every piece of mail.
However, the print quality was typically so poor that reliable machine
reading would have been problematic.
Recently, many postage meter users have been forced to migrate to newer
"electronic" meters.  These receive their postage via integral modem dialup,
eliminating the need to take meters to the post office for refilling.  Some
of these new meters also have some very unfortunate negative attributes,
such as using extremely expensive, proprietary ink cartridges, which rapidly
deplete regardless of how infrequently you use the meter.  On the other
hand, in most situations, postage meters are a lot more convenient to use
than a PC printer, especially when dealing directly with envelopes.

These new "postage on your PC" services add a new element, as required by
the USPS.  They encode ID information and destination extended ZIP+4 data in
a machine-readable code block on the mail.  They also save ZIP+4 information
(Stamps.com specifically says only in "aggregate" form) to meet USPS
auditing requirements.

In the case of E-Stamp, address lookups to determine the ZIP+4 codes are
performed locally via a CD-ROM, with reports to E-Stamp presumably made at
your next online connect to buy more postage.  With Stamps.com, your full
address information is sent to them for lookup remotely, so reporting would
likely be immediate.  Stamps.com takes pains to point out that they do not
"store" your address information on their servers--only the ZIP+4.

But of course, ZIP+4 conveys a lot of information, even in its current form
(I've heard reports of plans for further extensions to the code, but nothing
specifically as of late).  In many cases, the existing ZIP+4 is enough to
locate a specific, individual address (especially with P.O. boxes, but
sometimes in other cases as well).

A potential issue is to what extent such information, possibly under court
order (even in a civil action) could be collected and analyzed to reveal
significant information about mailing lists or other communications
patterns.  There are two potential avenues for this.  First is the service
providers themselves.
Could they be ordered to cease deleting any individually-identifiable
information in some cases?  After all, to create aggregate data, you start
with individual data.  The second is the mail stream itself.  Obviously, the
whole point of encoding all that information onto the mail is so that it can
be machine processed in the course of mailing and delivery.

Again, most people might not care about any of these possibilities.  But
since this is a significant change in the amount of information being
provided to third parties in the course of mailing--certainly way beyond
that even of standard postage meters, it's certainly worthy of note.

One final, somewhat ironic note.  Both services have privacy policies on
their web sites--Stamps.com seems to have by far the more extensive of the
two.  Both sites also have links that are purported to take you to a page
that would describe the USPS privacy policies regarding these services and
collected data.  Neither link works at the time of this writing.  Attempts
to access the links (which require javascript be enabled) take you to a
blocking login/password authentication page!  Oops!

Oh well, nobody *really* wanted to bother reading all of that stuff anyway,
right?

--Lauren--
lauren@vortex.com
Lauren Weinstein
Moderator, PRIVACY Forum - http://www.vortex.com
Co-Founder, PFIR: People for Internet Responsibility - http://www.pfir.org
Member, ACM Committee on Computers and Public Policy

------------------------------

Date:    Mon, 13 Dec 1999 17:18:18 -0500
From:    Gary McGraw <gem@rstcorp.com>
Subject: RST discovers defective crypto in Netscape mail password saver

   [ From RISKS-FORUM Digest, Volume 20, Issue 68
                -- PRIVACY Forum Moderator ]

Because remembering your passwords is a pain (you do have more than one,
don't you?), many programs are set up to remember them for you.  Exactly how
they do this is a risky business.  Netscape didn't do it right.
Beyond simply stealing e-mail passwords, our discovery provides a gateway to
other accounts and systems since people generally use the same password
everywhere.  Netscape has been notified of the flaw.

The POP3 and IMAP protocols are often used to read e-mail on a home or
office PC from a central mail server.  As a convenience to the user, many
programs offer to remember the user's password.  When Netscape offers to
save your e-mail password, it is encrypted before being stored in the
registry or preferences file on your computer.

Unfortunately, the encryption algorithm used by Netscape to scramble
passwords is exceptionally weak.  Tim Hollebeek, an RST Research Associate,
and John Viega, a member of the RST Software Security Group, were able to
deduce the algorithm after only eight hours of work.  No reverse engineering
of the software was involved.  Instead, a few hundred carefully chosen
passwords were analyzed using pencil and paper.  The algorithm turns out to
be a simple combination of XOR with a constant key and a substitution cipher
weaker than those found in puzzle magazines.  For more details, see
http://www.rstcorp.com/news/bad-crypto.html

Once the cipher is known, recovering a POP3 or IMAP password stored on a
machine is trivial.  Any attacker with physical access to the victim's
machine or the ability to run code on it can use our exploit.  Additionally,
passwords can be stolen from some versions of Netscape remotely using
Javascript.  RST has created a working password snagging attack in the lab.

A successful attack allows the bad guy to download and read a victim's
e-mail from a remote machine.  Since careful use of the hack would not leave
too many obvious clues, a victim's e-mail could be snooped indefinitely.
The only workaround is to turn off the ``remember password'' feature.

Though stealing mail alone is a very serious security/privacy problem, more
dangerous scenarios exist.
The largest risk is that people use the same password for POP3 and other
logins to remote machines (and maybe even their PGP passphrase).  In
particular, many people use IMAP or POP3 to access work related e-mail from
home, and their mail password is also the login password they use at work.
In fact, the login account and the mail account are often the same.

Home computers are notoriously insecure and easy to penetrate.  A malicious
attacker can read the POP3 password stored on an insecure home computer
(often over the net) and use it to log in to a more secure machine run by
the victim's employer.  The attacker can then take control of an account,
read sensitive information, attack more privileged accounts, and set up
remote monitoring systems inside a corporate network.  Our exploit code
could also be used as a payload in a much more insidious version of Melissa.

Quote of the day: ``We didn't do this with just a pencil and some paper.
Lots of our notes are in pen.  We didn't need to erase much.''
   Tim Hollebeek & John Viega

Other quote: ``This is another illustration of how bad closed, proprietary,
cryptography is.  What makes this vulnerability particularly nasty is that
people tend to use the same passwords over and over again.  If you can
attack someone's mail server password, you're likely to also have their
login password, PGP password, etc.
Software security is important.''
   Bruce Schneier

Gary McGraw, Ph.D., Vice President, Corporate Technology
Reliable Software Technologies  http://www.rstcorp.com

------------------------------

Date:    Sat, 18 Dec 1999 00:33:08 -0500
From:    Monty Solomon <monty@roscom.com>
Subject: New FTC Panel Will Be Web Privacy Watchdog

New FTC Panel Will Be Web Privacy Watchdog
Uncle Sam, Advocates No Longer Buying Industry's Self-Regulation Vows
by Keith Perine

WASHINGTON - In what could be the first step toward broad regulation
of online privacy, the Federal Trade Commission has announced the
formation of an advisory committee to study the handling of private
data by commercial firms over the Internet.

http://www.thestandard.com/article/display/0,1151,8262,00.html

------------------------------

End of PRIVACY Forum Digest 08.20
************************
</pre>
<hr>
<p>
<font size=-2>Copyright © 2000 Vortex Technology. All Rights Reserved.</font>
</body>
</HTML>