A few notes on the progress in anonymity: Eric Hughes suggests an alt.whistleblower with localized anonymizing. I like this, but I don't see how NNTP provides it. Wouldn't every server have to be modified or upgraded to support anonymizing? It would be trivial but I think we will find that the people in charge of NNTP are looking for ways to increase authentication and validation mechanisms, and would be hostile to the idea, althought that's definitely the place for it. As I hinted in an earlier message, the possibility of a centralized moderator stripping addresses, while already currently supported in the software mechanisms, is problematic because it is a single location with all the traffic--hence the need to go through independent anonymous servers first. But I think the localized header-stripping is totally superior to all this. Having a message bounce around a net a bit with *real* information is very vulnerable, when the ID could be stripped off at the source. Regarding the alt.whistleblower group, someone has proposed starting a .gov hierarchy on news.admin.policy very recently, and I sent along the proposal to him. Watch for new RFCs and vote with your email. For now I think the route to go is to get a group and let independent servers take care of anonymizing the traffic. Maybe the moderating address could pick a random remailer from a list of active ones--? I'd like to say a few things about what's going on in news.admin.policy right now. The thing has turned into quite a conflagation. But most notable is that Julf@penet has broken his silence on the really voracious drubbing he's getting, and come forward to say that he has taken actions against abusive posters, and is under severe amounts of stress--he said he spends 5 hrs some days answering email (administrative queries?) on the server. In one case an abusive poster crashed his system by mailbombing (filling it up with junk). K. Kleinpaste, who wrote original scripts that julf is using, IMHO is at best a hypocrite and at worst a traitor to the cause. He has attacked julf repeatedly on news.answers (most recently calling him a `bastard') for not implementing the `fire extinguisher' (killing abusive posters) or restricting group access, or using his own software for any of these purposes, despite originally providing it. In private email to him I find him very authoritarian and narrowminded on issues of anonymity and am frankly quite stunned he ever partook in the project. I think history will show very clearly that the great and tremendous popularity of the penet server (10,000 users in a few months) is due *precisely* to julf's decision to allow postings to all groups. Anyway, if ever there was a call for other server operators (not just account remailers)--this is it. We need people with as much control over their own site as possible. Stuff that is running without the knowledge of sysadmins at the site is great for experiments but its just not going to cut it for some very serious future uses that are approaching at the speed of light. Also, if anyone from EFF is listening, I think this could turn out to be one of the most important net.issues over the coming years. How about an EFF sponsored server? I suspect, if anybody did a fairly impartial study, instead of all the ranting and prejudice that is going on right now in news.admin.policy, that anonymous abuse is not extremely problematic or unmanagable compared to regular phantom/untraceable postings on Usenet. People are so vocal about `abuses' right now, but only because they tend to be highly visible. The anonymity is a red herring here. If julf@penet has 10,000 anonymous users, do we now have 10,000 times the problems on Usenet in general? Or *any* measurable fraction more than previously? I think this anonymous use is getting very high use right now. We are right in the midst of a major trend toward greater anonymized traffic. Stats on news.lists show that a lot of traffic is starting to get anonymized, traffic that was once (previously, probably) simply forged. They'll be plenty of people complaining from upset status quo. Tell them to take some virtual alkaseltzer. - - - I apologize for not bringing this to the attention of the list earlier, as it sort of seems to be a recent epiphany on the list, but julf@penet told me he added the password protection precisely for the forgery questions that are popping up. Also, something to note on forgery is that the forger may not necessarily *know* a person has an anonymous mail address on a given server, and the forgery may result in allocating a new anonymous ID for the forged address. The forger can tell the difference if the message simply goes through or he gets back a `you have been allocated xxx ID..' Also, note the simple scheme of serially allocating anonymous ID's could be a problem. If the infiltrator knows the rough date that someone was allocated a new ID, he could narrow down the range of IDs. For this reason randomly allocated IDs is a better idea. The infiltrator could even go around to new accounts all the time (or forge them) to get an idea where the server is in the allocation cycle. It seems to me that there are probably a lot of ID's that are not being used on these servers and the issue of when to get rid of old ID's is a big problem. Regarding some notes from Mr. Finney:
You have these security threats which involve people being tricked into sending messages through the remailer in such a way that the recipient knows the true email address from where the messages are coming.
These are completely analogous to users being tricked into supplying passwords in regular login situations. Not a new problem. And anybody who hasn't figured out that you should *never* put any identifying information in the message itself is probably a little too clueless to be using the service in the first place. However, the idea of giving a warning in the use introduction is ok: ``under NO CIRCUMSTANCES EVER DO THIS'' type thing.
Another problem that people have complained about is when they respond to an anonymous posting, they get a message from Penet saying that they now have an anonymous ID assigned. This confuses and bothers some people.
Tell them to try not to be so sensitive that a breeze causes themselves to panic. Its a new scheme but they need to get used to it. They can throw off the anonymity voluntarily any time they want by just including their ID in their message. But they shouldn't do this if they ever want to use the server in the future. Really, all this comes down to is that they get one extra reply in their mailbox other than usual--the one from the server saying `you now have this ID'. I think most people are recognizing that people complaining about this are just trying to be troublesome. The argument was called `pedantic' on news.admin.answers.
Evidentally there is positive harm that can occur by automatically anonymizing all messages which pass through a remailer.
The problem is that the anonymity is implicitly requested by a message to the server. Hence replies are getting this anonymity. One possibility is an override switch in the header that leaves it entirely intact and the server just acts like another hub forwarder. But what is this `harm'? We have to recognize these complaints as completely frivolous and without merit. Please, don't find a problem where there is none, you will only complicate simplicity. One thing I'd like to see that no one has done is an `unlink' feature for servers that carry address alias tables, so the user can erase all trace of any previous transactions through the server (other than the mail). But maybe this is too close to the hit-and-run abuse out there. Maybe there is a compromise somewhere, like a waiting period before unlinking, during which complaints can be registered and possibly prohibit future use.