TUCoPS :: Privacy :: priv0820.txt

Privacy Digest 8.20 12/19/99

<head><TITLE>PRIVACY Forum Archive Document - (priv.08.20) </TITLE></head>
<body bgcolor="#ffffff" text="#000000" link="#0000ff" vlink="#660099" alink="#ff0000">

<table border=0 cellpadding=0 cellspacing=0 width=100%>

<td bgcolor="#ffffcc" width=30%>

<table border=0 cellpadding=4 cellspacing=0 width=100%>

<a href="/reality.html"><img src="/spkr1.gif" border=0 align=middle></a>
<font size=-1 face="Arial, Helvetica, sans-serif"><b>RealAudio</b></font><br>
A Moment of Sanity & Fun!<br>

<font size=-1 face="Arial, Helvetica, sans-serif">
<font color="#ff0000"><b>& UNREALITY TRIVIA QUIZ!</b></font>

<table border=0 cellpadding=0 cellspacing=0 width=100%>

<table border=0 cellpadding=4 cellspacing=0>

<a href="/reality.html"><i>LISTEN</i> or <i>INFO!</i></a></td>







<td align=center>

<font size=+2><b>PRIVACY Forum Archive Document</b></font><br>

<A href="/privacy"><h3>PRIVACY Forum Home Page</h3></A><p>
<A href="http://www.vortex.com"><h4><i>Vortex Technology Home Page</i></h4></A><p>
<A href="/privmedia"><h4>Radio, Television, and Press Contact Information</h4></A><p>



PRIVACY Forum Digest     Sunday, 19 December 1999     Volume 08 : Issue 20


            Moderated by Lauren Weinstein (lauren@vortex.com)         
              Vortex Technology, Woodland Hills, CA, U.S.A.
                       ===== PRIVACY FORUM =====              

                 The PRIVACY Forum is supported in part by
               the ACM (Association for Computing Machinery)     
	         Committee on Computers and Public Policy,      
		 Cable &amp; Wireless USA, Cisco Systems, Inc., 
                           and Telos Systems.
                                 - - -
             These organizations do not operate or control the     
          PRIVACY Forum in any manner, and their support does not
           imply agreement on their part with nor responsibility   
        for any materials posted on or related to the PRIVACY Forum.

	Buying Postage Over the Net--and Your Privacy
	   (Lauren Weinstein; PRIVACY Forum Moderator)
	RST discovers defective crypto in Netscape mail password saver
           (Gary McGraw)
	New FTC Panel Will Be Web Privacy Watchdog (Monty Solomon)

 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are via an automatic list server system;
for subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the list server system.  Please follow the instructions above
for getting the list server  "help" information, which includes details
regarding the "index" and "get" list server commands, which are used to access
the PRIVACY Forum archive.  

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com".  Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "http://www.vortex.com";
full keyword searching of all PRIVACY Forum files is available via
WWW access.


     Quote for the day:

	"Nobody's perfect!"

	    -- Osgood Fielding III (Joe E. Brown)
	       "Some Like it Hot" (United Artists; 1959)


Date:    Sun, 12 Dec 99 09:43 PST
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Buying Postage Over the Net--and Your Privacy

Greetings.  If you watch much television, it's likely that you've seen some
of the ads promoting the new "print postage on your PC" services.  Two
companies are mainly competing in this area at this time: E-Stamp
(http://www.e-stamp.com) and Stamps.com (http://www.stamps.com).  The latter
is currently running a series of humorous commercials featuring Bob Newhart
as a harried business owner, describing his pleasure at finally finding a way
to have more stamps (for his recall notices) than he has defective products.

Several years ago when I interviewed officials of the United States Postal
Service (USPS) and Postal Inspection Service for PRIVACY Forum Radio
(http://www.vortex.com/privacy/priv.05.20) on "change of address" topics, I
learned that these systems were in test with the USPS--they've now obviously
been fully deployed.

While the services are similar in terms of their final output (postage), they
have differing operational models in some respects.  E-Stamp relies on a
printer port "dongle" that the customer must purchase.  This stores postage
value for offline use.  Stamps.com requires no extra hardware, but does
require that the user be online at the time of postage printing.  The fee
structures also vary between the two services.  Both appear to be charging a
10% premium for the actual postage, but various minimum fees may apply
monthly and/or per postal purchase.  As per USPS regulations, items must be
mailed within 24 hours of printing the postage, in a manner similar to that
of conventional postage meters.

One aspect that both of these services share, however, is a number of
privacy-relevant issues that are new to this technology.  Both make the
typical pronouncements regarding their use of personal data, individual vs.
aggregate data use/release, and so on.  At least one of them requires the
use of browser cookies.  But what might be the most surprising to many
potential users of these systems is the degree to which your mail might
become potentially trackable via these technologies.  Is this a big issue?
Should you care?  For most people, probably not.  For others, perhaps.  But
in either case, it's always wise to understand what's going on.

Postage meters have always been tightly controlled by the USPS--for obvious
reasons.  All postage meters print a meter ID on every piece of mail.
However, the print quality was typically so poor that reliable machine
reading would have been problematic.  Recently, many postage meter users have
been forced to migrate to newer "electronic" meters.  These receive their
postage via integral modem dialup, eliminating the need to take meters to
the post office for refilling.  Some of these new meters also have some very
unfortunate negative attributes, such as using extremely expensive,
proprietary ink cartridges, which rapidly deplete regardless of how
infrequently you use the meter.  On the other hand, in most situations,
postage meters are a lot more convenient to use than a PC printer, especially
when dealing directly with envelopes.

These new "postage on your PC" services add a new element, as required by the
USPS.  They encode ID information and destination extended ZIP+4 data in a
machine-readable code block on the mail.  They also save ZIP+4 information
(Stamps.com specifically says only in "aggregate" form) to meet USPS
auditing requirements.

In the case of E-Stamp, address lookups to determine the ZIP+4 codes are
performed locally via a CD-ROM, with reports to E-Stamp presumably made at
your next online connect to buy more postage.  With Stamps.com, your full
address information is sent to them for lookup remotely, so reporting would
likely be immediate.  Stamp.com takes pains to point out that they do not
"store" your address information on their servers--only the ZIP+4.  

But of course, ZIP+4 conveys a lot of information, even in its current form
(I've heard reports of plans for further extensions to the code, but nothing
specifically as of late).  In many cases, the existing ZIP+4 is enough to
locate a specific, individual address (especially with P.O. boxes, but
sometimes in other cases as well).  A potential issue is to what extent such
information, possibly under court order (even in a civil action) could be
collected and analyzed to reveal significant information about mailing lists
or other communications patterns.  There are two potential avenues for
this.  First is the service providers themselves.  Could they be ordered to
cease deleting any individually-identifiable information in some cases?
After all, to create aggregate data, you start with individual data.  The
second is the mail stream itself.  Obviously, the whole point of encoding
all that information onto the mail is so that it can be machine processed in
the course of mailing and delivery.

Again, most people might not care about any of these possibilities.  But
since this is a significant change in the amount of information being
provided to third parties in the course of mailing--certainly way beyond
that even of standard postage meters, it's certainly worthy of note.

One final, somewhat ironic note.  Both services have privacy policies on
their web sites--Stamps.com seems to have by far the more extensive of the
two.  Both sites also have links that are purported to take you to a page
that would describe the USPS privacy policies regarding these services and
collected data.  Neither link works at the time of this writing.  Attempts
to access the links (which require javascript be enabled) take you to a
blocking login/password authentication page!  Oops!  Oh well, nobody
*really* wanted to bother reading all of that stuff anyway, right?

Lauren Weinstein
Moderator, PRIVACY Forum - http://www.vortex.com
Co-Founder, PFIR: People for Internet Responsibility - http://www.pfir.org
Member, ACM Committee on Computers and Public Policy


Date: Mon, 13 Dec 1999 17:18:18 -0500
From: Gary McGraw &lt;gem@rstcorp.com&gt;
Subject: RST discovers defective crypto in Netscape mail password saver

   [ From RISKS-FORUM Digest, Volume 20, Issue 68 
	                 -- PRIVACY Forum Moderator ]

Because remembering your passwords is a pain (you do have more than one,
don't you?), many programs are set up to remember them for you.  Exactly how
they do this is a risky business.  Netscape didn't do it right.  Beyond simply
stealing e-mail passwords, our discovery provides a gateway to other accounts
and systems since people generally use the same password
everywhere. Netscape has been notified of the flaw.

The POP3 and IMAP protocols are often used to read e-mail on a home or
office PC from a central mail server.  As a convenience to the user, many
programs offer to remember the user's password.  When Netscape offers to
save your e-mail password, it is encrypted before being stored in the
registry or preferences file on your computer.

Unfortunately, the encryption algorithm used by Netscape to scramble
passwords is exceptionally weak.  Tim Hollebeek, an RST Research Associate,
and John Viega, a member of the RST Software Security Group, were able to
deduce the algorithm after only eight hours of work.  No reverse engineering
of the software was involved.  Instead, a few hundred carefully chosen
passwords were analyzed using pencil and paper.  The algorithm turns out to
be a simple combination of XOR with a constant key and a substitution cipher
weaker than those found in puzzle magazines. For more details, see

Once the cipher is known, recovering a POP3 or IMAP password stored on a
machine is trivial.  Any attacker with physical access to the victim's
machine or the ability to run code on it can use our exploit.  Additionally,
passwords can be stolen from some versions of Netscape remotely using

RST has created a working password snagging attack in the lab.  A successful
attack allows the bad guy to download and read a victim's e-mail from a
remote machine. Since careful use of the hack would not leave too many
obvious clues, a victim's e-mail could be snooped indefinitely.  The only
workaround is to turn off the ``remember password'' feature.

Though stealing mail alone is a very serious security/privacy problem, more
dangerous scenarios exist. The largest risk is that people use the same
password for POP3 and other logins to remote machines (and maybe even their
PGP passphrase).  In particular, many people use IMAP or POP3 to access work
related e-mail from home, and their mail password is also the login password
they use at work.  In fact, the login account and the mail account are often
the same.  Home computers are notoriously insecure and easy to penetrate.  A
malicious attacker can read the POP3 password stored on an insecure home
computer (often over the net) and use it to log in to a more secure machine
run by the victim's employer.  The attacker can then take control of an
account, read sensitive information, attack more privileged accounts, and
set up remote monitoring systems inside a corporate network.  Our exploit
code could also be used as a payload in a much more insidious version of

  Quote of the day: ``We didn't do this with just a pencil and some paper.
Lots of our notes are in pen.  We didn't need to erase much.'' Tim Hollebeek
&amp; John Viega

  Other quote: ``This is another illustration of how bad closed,
proprietary, cryptography is.  What makes this vulnerability particularly
nasty is that people tend to use the same passwords over and over again.  If
you can attack someone's mail server password, you're likely to also have
their login password, PGP password, etc.  Software security is important.''
Bruce Schneier

Gary McGraw, Ph.D., Vice President, Corporate Technology
Reliable Software Technologies  http://www.rstcorp.com


Date:    Sat, 18 Dec 1999 00:33:08 -0500
From:    Monty Solomon &lt;monty@roscom.com&gt;
Subject: New FTC Panel Will Be Web Privacy Watchdog

New FTC Panel Will Be Web Privacy Watchdog 
Uncle Sam, Advocates No Longer Buying Industry's Self-Regulation Vows 
by Keith Perine 

WASHINGTON - In what could be the first step toward broad regulation of 
online privacy, the Federal Trade Commission has announced the formation 
of an advisory committee to study the handling of private data by 
commercial firms over the Internet.



End of PRIVACY Forum Digest 08.20
<A href="/privacy"><h3>PRIVACY Forum Home Page</h3></A><p>
<A href="http://www.vortex.com"><h4><i>Vortex Technology Home Page</i></h4></A><p>
<A href="/privmedia"><h4>Radio, Television, and Press Contact Information</h4></A><p>

<font size=-2>Copyright &copy; 2000 Vortex
Technology.  All Rights Reserved.</font> 

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH