This issue's highlights are from cypherpunks, dcsb, risks, tbtf, privacy, and CRYPTO-GRAM.
Microsoft uses DCE UUIDs to uniquely identify OLE objects. What could be wrong with an engineering decision like that? It has turned into a major privacy problem. GUIDs (which is what they're now called by Microsoft) include the machine's Ethernet address. They're put into Office97 documents, and also reported by the registration wizard that collects the user's name and other demographic information. So, in theory, any document created with Microsoft tools can be traced to its creator. Microsoft's group product manager for Windows said the registration program shouldn't be sending that information without the user's consent (why would a user think to not let it send a GUID?), and that Microsoft technicians would look through the company's databases and expunge information that had already been collected. Phar Lap Software Inc. initially reported the problem.
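To make the GUID concern concrete, the following added example (not code from Microsoft or from any of the lists quoted here) decodes what a time-based DCE UUID discloses. It assumes the GUID uses the time-based layout later standardised as version 1 in RFC 4122; the sample values, including the documentation-range Ethernet address, are constructed.

```python
import uuid
from datetime import datetime, timedelta, timezone

# Time-based UUID timestamps count 100 ns ticks from the Gregorian reform date.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)

def inspect_guid(text):
    """Report what a GUID string reveals about the machine that generated it."""
    u = uuid.UUID(text)  # accepts the {braced} form used in Windows tooling
    info = {"version": u.version, "leaks_mac": False, "mac": None, "created": None}
    if u.variant != uuid.RFC_4122 or u.version != 1:
        return info  # e.g. version 4 (random) has no node or time field
    # 60-bit timestamp -> creation time of the identifier
    info["created"] = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)
    # Low 48 bits are the node. If the multicast bit of the first octet is set,
    # the generator substituted a random value for the Ethernet address.
    if (u.node >> 40) & 0x01 == 0:
        info["leaks_mac"] = True
        info["mac"] = ":".join(f"{(u.node >> s) & 0xff:02x}" for s in range(40, -8, -8))
    return info

def sample_v1(node, when):
    """Build a constructed time-based GUID for the demo (hypothetical helper)."""
    t = (when - GREGORIAN_EPOCH) // timedelta(microseconds=1) * 10
    fields = (t & 0xFFFFFFFF,                   # time_low
              (t >> 32) & 0xFFFF,               # time_mid
              ((t >> 48) & 0x0FFF) | 0x1000,    # time_hi with version 1
              0x92, 0x34,                       # clock sequence, RFC 4122 variant
              node)
    return str(uuid.UUID(fields=fields))

if __name__ == "__main__":
    when = datetime(1999, 3, 1, tzinfo=timezone.utc)
    # 00:00:5e:00:53:01 is from the address range reserved for documentation.
    for guid in (sample_v1(0x00005E005301, when),
                 sample_v1(0x015E00530001, when),   # multicast bit set: random node
                 "f47ac10b-58cc-4372-a567-0e02b2c3d479"):  # constructed version 4
        print(guid, inspect_guid(guid))
```

Even when the node field is random, the creation timestamp is still recoverable; only identifiers with no node or time field at all carry neither.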
Intel's Pentium III includes a unique serial number that can identify the processor (and perhaps indirectly the user). The stated purpose is to help corporations track and manage their PC inventory, and to provide another level of security for online banking and e-commerce applications. Conversation on this feature keeps going on, and on, in part because it neither seems extraordinarily effective for its stated purpose, nor seems to be something that can be securely turned off to keep it from doing any ancillary damage. Schneier points out that because of the untrusted software that runs on the box, "the only positive usage for processor IDs is the one usage that Intel said they would not do: stolen processor tracking." Discussion on cypherpunks pointed out that Ethernet cards and Sun Unix boxes also have serial numbers that are accessible. There was also a bit of debate about how much privacy is already lost and how innocuous this feature is. You can expect to see conversations like this last one for some time to come, in part inspired by Scott McNealy's (Sun CEO) quote: "You have zero privacy anyway. Get over it." In another priceless quote, David Aucsmith, security architect for chip maker Intel, said "This is a new focus for the security community...The actual user of the PC -- someone who can do anything they want -- is the enemy." The Intel Developers Forum he spoke at spawned the rumor that the ID is really there for copy protection. Intel has announced several changes since some threatened boycotts, including moving the default to disabling the ID. Major PC vendors say they will disable the ID in the basic input/output system (BIOS) software. A quotable quote from Gateway's VP of product management & planning: "We know that the BIOS mechanism is completely secure." A cypherpunk pointed out that a trojan could flip the appropriate bit in CMOS, then cause the PC to reboot to enable it.
Zero Knowledge Systems published an ActiveX program that bypasses Intel's Pentium Serial Number (PSN) Control Utility. It puts the serial number in a cookie file even when the Intel utility indicates the ID number is turned off.
An article on patent problems states that U.S. Patent 5848161 covers the practice of using encryption functions to hide credit card account numbers on the Internet.
The White House has a new privacy czar (first chief counselor for privacy), Peter Swire. He says he's going to review federal, private-sector and international privacy issues created by new information technologies.
A British government report has given the IT community 3 weeks to come up with an alternative to key escrow. The Department of Trade and Industry's policy had proposed licensing of encryption providers that would require them to hold copies of users' encryption keys for law-enforcement access to electronic communications. Interested parties have indicated the time is too short for meaningful dialog.
In more excitement from the UK, news reports had said that hackers had seized control of one of Britain's Defense Ministry's military communications satellites and issued blackmail threats. After a few days of speculation on the veracity of the report, the Ministry dismissed the story as "not true". In a humorous aside, someone tried to anonymously send email to cypherpunks indicating that they had done this sort of thing before. Unfortunately, they cc'ed the list directly, so it came with full headers. Anonymity isn't easy.
A sudden (small) spate of announcements came for "infomediaries" who want to provide privacy by managing customers' personal profiles (I'm sure it's only my choice of phrasing that makes this sound like "War is Peace" :-). PersonaXpress by PrivaSeek will provide a free service to maintain, update, and control the type and amount of personal information that marketers and advertisers draw from their customers as they browse the Web. Their profiles will be encrypted and stored in Persona Vault. Companies accessing the information will be "screened" then asked to sign a contract "stating that they will adhere to a set of privacy practices". Another venture, Lumeria, will release an open-source version of their system so that other infomediaries can support it. This will also help to build trust, a big issue in this market-to-be.
On the same theme as infomediaries, "drkoop.com, a leading consumer healthcare network led by Dr. C. Everett Koop, former U.S. Surgeon General, announced [2/19] it is developing a Web-based personal medical record for consumers. The drkoop.com Personal Medical Record (PMR) will be introduced in the second quarter of 1999 and will be free to all Americans. It will enable consumers to create a lifelong record of their health that is secure and private."
Continuing with medical information, somehow private patient information found its way to the search area of the University of Michigan Health System. This was reported anonymously to Lauren Weinstein, PRIVACY Forum Moderator. The data was primarily names, addresses, phone numbers, and patient IDs (which in this case, and contrary to the norm, were *not* equivalent to Social Security Numbers). The problem was fixed rapidly after Lauren reported it. Although the URLs were publicly accessible, U Mich believes that only an insider could have found them.
From Peter G. Neumann and risks: "Sean Trifero was sentenced to one year in prison by a U.S. District Judge for intentionally damaging computer systems (Harvard, Amherst, a Florida ISP, and Alliant Technologies, including planting sniffers and denial-of-service attacks) and unauthorizedly accessing others (Arctic Slope Regional Corp. and Barrows Cable, Alaska), three years subsequent probation, 150 hours of community service, and $31,650 restitution. [Source: PRNewswire, 23 Feb 1999]"
Discussion of the UPS signature pads that trap your signature while you write it brought out a story from someone who said that UPS had claimed a suspect delivery had been made and signed for. When they pushed UPS and asked for a copy of the signature, they got it. It was the recipient's name, but it clearly was not in their hand. The theory was the delivery person had signed for it.
And now listwatch quotes TBTF reporting on CRYPTO-GRAM (with the URLs to go straight to the source :-):
..The long reach of the NSA
US spy agency has been reading other nations' cable traffic as if it were the morning paper