PRIVACY Forum Archive Document


PRIVACY Forum Digest     Friday, 24 December 1999     Volume 08 : Issue 22

                (http://www.vortex.com/privacy/priv.08.22)  

            Moderated by Lauren Weinstein (lauren@vortex.com)         
              Vortex Technology, Woodland Hills, CA, U.S.A.
                         http://www.vortex.com 
        
                       ===== PRIVACY FORUM =====              

    -------------------------------------------------------------------
                 The PRIVACY Forum is supported in part by
               the ACM (Association for Computing Machinery)     
                 Committee on Computers and Public Policy,      
                 Cable & Wireless USA, Cisco Systems, Inc., 
                           and Telos Systems.
                                 - - -
             These organizations do not operate or control the     
          PRIVACY Forum in any manner, and their support does not
           imply agreement on their part with nor responsibility   
        for any materials posted on or related to the PRIVACY Forum.
    -------------------------------------------------------------------


CONTENTS 
         Web Tracking and Data Matching Hit the Campaign Trail
            (Lauren Weinstein; PRIVACY Forum Moderator)
         Who owns your mailing list?  Topica.com may have bought it.
            (Allyn Weaks)
         Re: Defective crypto in Netscape mail password saver [V08 #20]
            (Ethan Benson)


 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond.  The
moderator will choose submissions for inclusion based on their relevance and
content.  Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored.  Excessive "signatures" on submissions are
subject to editing.  Subscriptions are via an automatic list server system;
for subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com".  Mailing list problems should be reported to
"list-maint@vortex.com". 

All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations. 

The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp ftp.vortex.com",
in the "/privacy" directory.  Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password.  The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access.  PRIVACY Forum materials may also be obtained automatically via
e-mail through the list server system.  Please follow the instructions above
for getting the list server  "help" information, which includes details
regarding the "index" and "get" list server commands, which are used to access
the PRIVACY Forum archive.  

All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com/".  Access to PRIVACY Forum
materials is also available through the Internet World Wide Web (WWW) via
the Vortex Technology WWW server at the URL: "http://www.vortex.com";
full keyword searching of all PRIVACY Forum files is available via
WWW access.
-----------------------------------------------------------------------------

VOLUME 08, ISSUE 22

     Quote for the day:

        "As long as they can think, we'll have our problems..."

              -- Eros (Dudley Manlove)
                 "Plan 9 From Outer Space" (Reynolds Pictures; 1959)
      
----------------------------------------------------------------------

Date:    Thu, 23 Dec 99 20:40 PST
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Web Tracking and Data Matching Hit the Campaign Trail

Greetings.  In yet another example of the "if it's legal, someone will do it"
school of data matching and web tracking, it has been revealed that the two
leading Republican presidential candidates, Sen. John McCain and Texas Gov.
George W. Bush, have contracted with Aristotle Publishing
(http://www.aristotle.org) to target web users by matching web browsing
habits and web site signup data with actual voter registration records.
Apparently these are the only two presidential candidates currently making
use of this service, as announced by an Aristotle spokesman.

Aristotle, which describes itself as a "thriving, growing, profitable firm,"
provides "tools" to political campaigns to "influence public opinion" and
"win votes."  Their web site apparently can only be viewed if you have
javascript enabled--without it you could simply see a blank page.

You may have already been justifiably concerned about DoubleClick, Inc.'s
tracking of your behavior over the web, but Aristotle takes consolidation of
personal data to a whole new level, by actually combining the information
that has been provided by web users (e.g. for various "freebie" web
giveaways), with specific and detailed political data such as voter location
and party affiliation information, obtained from voter registration rolls.
Maybe you wondered why you seemed to be getting something for nothing at
those web sites, and what would really happen to that information you
provided to them?  Well, now you know.  Welcome to the big time.

Once you've been targeted by this system, you'll be presented with the
designated candidates' political banner ads on at least 1500 web sites,
including some major portal and news sites.  Some of these ads, once
clicked, entice the user to enter various additional personal information
(some of which Aristotle says they don't record).

Of course, to the average web user, there's no clue that they've been the
subject of this sort of intensive data matching and rifling through their
voter registrations.  Most users would probably just assume that the ads
popped up at random.  Random?  Surely you jest!  

And golly gee whiz Mr. Wizard, you guessed it, this is all entirely legal.
Proponents claim that there've been no significant complaints about the
privacy aspects of the operation (perhaps that will change?), and they also
suggest that they're no more privacy-invasive than direct mail (wow, now
there's a "high" ethical bar to be shooting for if ever I've seen one...)
And in fact, Aristotle is obviously proud of the service, since they've
posted at least one outside press account on their own web site.  (Will this
issue of the PRIVACY Forum Digest show up on there?  They hereby have my
permission...)

Keep in mind that this is just the barest shadow of the sorts of "services"
likely to evolve in the near future, given the "wild west" attitude which
still prevails regarding personal information.  It was bad enough when this
only involved search engines and ads for offshore gambling or mailorder
sales pitches.  But the introduction of the political element directly into
the mix should give everyone cause for some serious concern.  I dare say
that this calls into sharp focus the abysmal lack of regulations to control
the handling and abuse of personal information, regardless of its various
sources.

The power of web data collection, tracking, ad presentation, and similar
technologies, combined with other traditionally public record data sources
(and voter registration rolls are just the tip of the iceberg) creates a
scenario that might cause Darth Vader to be jealous.

But of course, it's also possible to hold opposing points of view.  Maybe
none of this actually matters?  Perhaps some persons reading this might feel
that there really are no significant privacy problems with these sorts of
data collection and matching activities.  Perhaps you're not all that
concerned about who gets your data or how it's used?  Regardless of where
you stand on this issue, I'd be interested in hearing your views (please
remember to send submissions for possible inclusion in the Digest to
privacy@vortex.com).

It does seem bizarre, however, that it appears to be impossible to register
to vote in this country without subjecting yourself to these sorts of
information manipulations, with apparently no real opt-out available.

Given these developments, perhaps it's no wonder that whenever I see the
glowing descriptions of plans for voting over the Internet (already a
reality for one state's primary and high on the wish list for
many states) I get a cold chill down the back of my spine...

Until next time, all the best for the holidays!

--Lauren--
lauren@vortex.com
Lauren Weinstein
Moderator, PRIVACY Forum - http://www.vortex.com
Co-Founder, PFIR: People For Internet Responsibility - http://www.pfir.org
Member, ACM Committee on Computers and Public Policy

------------------------------

Date:    Wed, 22 Dec 1999 01:18:21 -0800
From:    Allyn Weaks <allyn@teleport.com>
Subject: Who owns your mailing list?  Topica.com may have bought it.

Who owns your mailing list?

This may be old hat to some, but it was a shock to me.  I own a non-free
majordomo mailing list at esosoft.com.  List owners generally pay for lists
in order to have full control over content and the usual majordomo (or
other list server) features.  Two weeks ago, we started getting an odd
message back when we tried to send admin commands to majordomo.  I didn't
think to save one, but it was to the effect that majordomo commands were
turned off pending an upgrade.  On Wednesday (15 Dec), just before midnight
PST, we all received an email proclaiming "Your Esosoft Mailing Lists now
Free!".  Inside was a hyped up description of how all of our lists were
going to be moved to topica.com in one week, and that this is such a
wonderful thing because we can get royalties from the advertising that can
be added to each message if we request it. (By default, so far, each
message 'only' advertises topica.)  Meanwhile, during much of this week,
admin commands to esosoft's majordomo were disabled, making it impossible
to get our subscriber lists or list settings, or maintain the lists,
without going through esosoft support (who did a good job--she was as
shocked as the rest of us and did her best to help us cope).

One of the long time esosoft mailing list owners has estimated that about
1600 lists were affected.  If we assume that there are an average of 300
subscribers per list, that's nearly a half million addresses.  How much is
that worth to topica?  Well, if there are 1600 lists, esosoft is going to
have to shell out about $40,000 in refunds to us owners, and they're almost
certainly getting a hefty profit out of the deal as well as getting rid of
the lists (they apparently want to use those ten servers for higher
profit-margin virtual servers.)

Meanwhile, there are at least a hundred of us who are irate that our
subscriber lists have been sold to the very worst of the 'free' list sites
without our permission (probably many more than a hundred, but some owners
probably don't know how to find us, and we don't know how to find them).
If we had wanted to do business with an Ads-R-Us site, we could have gone
with onelist or similar in the first place.  But being serious list admins,
we were willing to pay out real money to have full control over content (no
ads!) and to protect our subscribers.  All gone for naught.  Worse, even
though many of us frantically told esosoft and topica to cancel the
transfer before subscriber lists were moved, and were assured that this was
done, we found out this afternoon that the 'deleted' lists on topica have
been recreated and the subscriber lists as of Dec 17th handed over anyway.
(Note that between the time we received notice and the time the lists were
copied for transfer, majordomo was disabled and there was nothing we could
do about protecting our subscriber lists, even assuming that esosoft
wouldn't just rip them out of a backup set.)  As far as I can tell, esosoft
is covered legally, because the buyout is called a 'partner arrangement'
and esosoft can assign who actually handles the lists we've paid for, even
though the services are not even remotely comparable.

Now that it's happened, we've been trying to find other mailing list
suppliers, only to find that topica has been approaching and trying to buy
many of them out.  A few are proud to have refused and are using that as a
(very good!) selling point.  Some have already sold out just as esosoft
did.  Some won't say whether they've talked to topica.  We've also found
lists on topica that have never had any known association with them, or
with any provider who has had association with them.  Some of the lists
that show up at topica have been run from their start from private virtual
servers, but topica lists them in their directory anyway.  We don't know
yet if they're active in any way but are working on it.

Topica does have a copyright/privacy statement.  But according to an
ex-esosoft list owner who's stuck with topica until she can make other
arrangements, a topica account rep said in the topica listowners mailing
list that the statement published on the web isn't the current policy!  It
_should_ read:

 "Topica does not claim ownership of the Content you transmit through
 Topica's Service. By transmitting Content through Topica for
 distribution to your Topica List, you grant Topica a world-wide,
 royalty-free, and non-exclusive license to reproduce, modify, adapt and
 publish the Content solely for the purpose of providing Topica's
 hosting, archiving, subscription, and promotion services. This license
 exists only for as long as your List continues to be a archived at
 Topica and shall be terminated at the time your Topica account is
 terminated."

Note the bit about 'promotion services'.  So they don't claim 'ownership'
of everyone's work, just the right to use it however they darned well
please.  None of us in the former-esosoft-listowners group would ever have
knowingly agreed to such a thing.

So, if any of you run mailing lists, make sure that your contract says that
none of the list information will be transferred to any other party under
any circumstances, _including_ partner arrangements.  Better yet, invest in
a virtual server and run the list server from scratch, with clear and
strong warnings to any potential hijackers.

Side note: topica.com is the most annoying site I've ever been forced to
try to use.  You can't get anywhere to speak of without images .and.
cookies .and. javascript all turned on.  Ads with associated cookies from a
wide variety of servers pop up every few seconds.  Horrible bugs, too:
people who subscribe to one list find themselves subscribed to multiple
lists, and the same for unsubscribe.  Truly a nightmare.  The most
disturbing thing of all is that some people don't mind it!

If any readers are ex-esosoft list owners in search of the support group,
let me know and I'll point you in the right direction.

--
Allyn Weaks    allyn@tardigrade.org
Seattle, WA  Sunset zone 5
Pacific NW Native Wildlife Gardening: http://www.tardigrade.org/natives/

                [ Letting any outside entity have access to one's complete
                  mailing lists is an extremely risky business.  The safest
                  route (and the one I've always followed) is to maintain
                  100% control over the maintenance of my lists and related
                  distributions.  Unfortunately, this option is not practical
                  for many persons, resulting in the sorts of surprises
                  described above.
                 
                        -- PRIVACY Forum Moderator ]

------------------------------

Date:    Sun, 19 Dec 1999 17:40:48 -0900
From:    Ethan Benson <erbenson@alaska.net>
Subject: Re: defective crypto in Netscape mail password saver [V08 #20]

On 19/12/99 Gary McGraw <gem@rstcorp.com> wrote:
> defective crypto in Netscape mail password saver...

Hello,

I would like to comment on this issue.  While the problems you raised 
regarding the ability to snag the preferences data remotely via 
Javascript exploits are indeed a serious problem, the issue of 
Netscape using weak encryption to protect the saved mail passwords is 
not.  In fact I believe it would be better to simply save them in 
plain text.  Why?  Because it is absolutely impossible to save mail 
passwords securely for use in the manner, and saving them in 
plaintext offers no false sense of security.

The reason people save the mail password as you say is to avoid the 
need to type it (and thus remember it) every time they wish to check 
their mail.  In order for any encryption algorithm to grant any 
security a secret is needed, this is in the form of the secret key 
used to encrypt the data (in the symmetric sense) this key MUST be 
protected.  Otherwise all the security the algorithm provides is 
moot.  Since the user is obviously unwilling to provide the secret to 
the mail client (otherwise they would just enter the POP3/IMAP 
password every time) the mail program must use the SAME HARD CODED 
KEY to encrypt the user's mail password with.  This approach is 
fundamentally flawed, Netscape could use 128 bit CAST5, Blowfish, 
Twofish, 3DES, whatever and it would be no more secure than just 
saving the password in plain text. This is so since all it would take 
to `crack' the encryption is to run Netscape through a debugger (or 
any other form of reverse engineering) until the hard coded secret is 
discovered, then one can simply decrypt any saved password with the 
same ease as it can be done now with a XORed or plaintext password.

The security of the saved password must be kept by the Operating 
System NOT the individual mail/ftp/whatever utility. There is NO WAY 
for this data to be securely encrypted without asking the user to 
keep and provide the secret needed to encrypt and decrypt the 
password, therefore the program itself has no means to protect this 
data.

The Operating System has two primary means it can protect this data:

File permissions: the various Free Un*x variants (GNU/Linux, OpenBSD, 
FreeBSD etc) all provide this and will keep these files much more 
secure than the completely open MacOS/Windows environments.  (This 
does not protect against remote access bugs such as the Javascript 
bug, and has limited defense if someone gains physical access. 
though it at least requires rebooting and/or tampering with the BIOS 
or a boot floppy in cases where physical security is kept in mind)

A strongly encrypted OS level database:  this would be a database 
that is encrypted using the user's login password used to 
authenticate to the OS, this allows the user to only need to remember 
and type a single password instead of many.  This approach could 
possibly have exploitable attacks through a hostile program 
surreptitiously accessing and downloading all saved passwords once 
the user has unlocked the database.  It also creates a single point 
of failure where one password being compromised leads to all saved 
passwords being compromised along with it.  This, however, is already a 
problem since, as you say many people already use the same password 
for everything (foolish IMNSHO).  Such a program would also suffer 
problems being restricted by the US's encryption export regulations.

A final aside, any such utility for saving a large number of 
passwords in a secure manner should never EVER be trusted unless its 
complete source code is open and available for peer review at a 
minimum, and preferably is Free Software (www.gnu.org) that may be 
repaired and enhanced by the people themselves.   Any closed source 
proprietary solution (*) to this problem should be viewed with the 
utmost scrutiny, and IMO should not be used at all.  (I would prefer 
to just save passwords  (of medium to low importance) into a GNUPG or 
PGP encrypted file in case I forget and simply memorize my passwords, 
rather than to trust some huge organization more interested in money 
than my security or privacy)

(*) such as Apple's `Keychain' and Microsoft's various APIs for saving 
passwords in .PWL files and such.

If you are interested in a more technical and detailed discussion of 
this issue I believe it has been discussed significantly on the 
BugTraq mailing list, consult its archives.  www.securityfocus.com

-- 
Ethan Benson
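
The contrast drawn in the message above, as an added Python example (not part of the original post and not Netscape's code): a saved password protected by a key that ships inside the program can be recovered by anyone holding the program, while one sealed under a key derived from a user-supplied passphrase cannot be opened without it.  The key value, function names and record layout are assumptions made for illustration, and the HMAC-based keystream is a standard-library stand-in for a vetted authenticated cipher.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a key compiled into a mail client (not a real value).
HARDCODED_KEY = b"constructed-demo-key"


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def save_with_hardcoded_key(password):
    """All a client can do when the user supplies no secret of their own."""
    pt = password.encode()
    reps = len(pt) // len(HARDCODED_KEY) + 1
    return _xor(pt, HARDCODED_KEY * reps)


def recover_with_hardcoded_key(blob):
    """Needs nothing the program itself does not already contain."""
    reps = len(blob) // len(HARDCODED_KEY) + 1
    return _xor(blob, HARDCODED_KEY * reps).decode()


def _keys(passphrase, salt):
    # The key material exists only while the user has typed the passphrase.
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)
    enc = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: a standard-library stand-in for a real
    # authenticated cipher, used so the example runs without extra packages.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(passphrase, password):
    salt, nonce = os.urandom(16), os.urandom(16)
    enc, mac = _keys(passphrase, salt)
    pt = password.encode()
    ct = _xor(pt, _keystream(enc, nonce, len(pt)))
    tag = hmac.new(mac, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def unseal(passphrase, blob):
    if len(blob) < 64:
        raise ValueError("truncated record")
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc, mac = _keys(passphrase, salt)
    expected = hmac.new(mac, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or modified record")
    return _xor(ct, _keystream(enc, nonce, len(ct))).decode()
```

The second scheme still has the weakness the message names: once the passphrase has been entered, any program running as that user can ask for the same secrets.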

------------------------------

End of PRIVACY Forum Digest 08.22
************************


Copyright © 2005 Vortex Technology. All Rights Reserved.