Such systems do exist. I have info on one handy, but I know at least one other based on the same software exists in finland. This one seems to be still using pgp2.0, I don't know when they will upgrade to pgp2.1. These remailers assign you a pseudony like anon.19, and anyone can send mail to anon.19@pax.tpa.com.au and the mail will be forwarded to you. Here's the file you can get by sending an empty message to anon.info@pax.tpa.com.au. PAX - Public Access Unix (Adelaide,South Australia) - Anonymous Posting Host ============================================================================ Last modified: Fri Nov 20 18:55:52 CST 1992 Information about Anonymous & Privacy-Enhanced Posting. ======================================================= PAX is conducting research into the viability of anonymous privacy- enhanced mail as a means of providing practical, secure and confidential electronic mail and news. An experimental server has been setup and you are encouraged to use it. There are many anonymous posting services in existence which provide anonymous electronic mail and posting to specific newsgroups where posting is sometimes harmful to one's health or reputation ! Such services allow you to: - post anonymously to those news groups - reply anonymously to posts by email - converse anonymously with another anonymous user, neither of you knowing your real identities Privacy-enhanced electronic mail refers to the concept of encrypting one's mail prior to sending it off into the ether, presumably to someone at the other end capable of decrypting it. If one uses a so-called "public key" method of encryption, then one can make one's "public" key widely known so that anyone can encrypt mail to you, but only you can decrypt it using your "secret" key. There is much development going on in this area, but one quite popular public-domain implementation is Philip Zimmermann's "Pretty Good Privacy 2.0" which makes use of a number of cryptographic methods including the RSA algorithm in places (See Legal Issues later on). PGP allows you to: - exchange public keys with another individual - encode messages to them that only they can read - receive messages from them that only you can read These tools are all very well for the specific purposes for which they were designed, but unfortunately your anonymous message or post is not actually anonymous until it gets to the machine that host's the service. Anyone in between, including your own administrators, can in theory read your post, even though they won't know to whom it is directed. What is more they can also read replies addressed back to you. This can be highly embarrassing at best, and result in dismissal or disconnection at worst if your thoughts, beliefs or activities are disapproved of by the powers that be, even if they are perfectly legal. PAX's privacy-enhanced anonymous services were conceived in the belief that free speech and privacy are fundamental rights and that it is high time the networks to which we are connected provided such services on a routine basis. Seeing as they don't we have to make a start somewhere. This service provides: - conventional anonymous mailing and posting services via a "normal" alias assigned in the usual fashion - the ability to post to ANY newsgroup that is carried out of PAX (which includes most non-regional groups) - PGP 2.0 based privacy-enhanced mail & posting, including: - ability to register your "public" key with PAX, so that PAX can send encrypted messages to you - local generation of a unique public key which is sent to you, so that you can send encrypted messages to PAX - any encoded messages from you mailed to a user or newsgroup are decrypted at PAX before being passed on in anonymous form - any anonymous replies to your "pgp" alias are encrypted before being mailed to you For example, once you have obtained your PGP 2.0 software (as described later) and got it going, and once you have generated and registered your public key and received PAX's key in response, you will be able to post to any newsgroup without anyone beyond your machine having access to the plaintext of your post. Furthermore, if another user has registered in the same manner, and you know their anonymous alias or are responding to one of their anonymous posts, even though you don't know who they are and haven't exchanged keys to communicate directly, the PAX service will automatically decrypt any encrypted messages from you and re-encrypt them before passing them on to the other person ! How to use it. ============== All transactions are handled by email, and commands are selected by the name of the alias to which you mail, not by the subject or body of the message (which are ignored unless sending or posting a message). The separator between the "anon" and the command is a dot (period,'.') and nothing else will work ! Not '-', not '_', not ":", only a dot. The site to address mail is "pax.tpa.com.au". If this fails for some reason, you may need to address it to the specific host (at present) ie. "flash.pax.tpa.com.au". "Normal" (unencrypted) commands: - To get information (this message): mail anon.info@pax.tpa.com.au - To see what your "normal" alias is, or get one: mail anon.ping@pax.tpa.com.au - To send a reply to another anonymous user: mail anon.###@pax.tpa.com.au NB: - eg. mail anon.36@pax.tpa.com.au - don't be creative ... anon.036 won't work - an attempt is made to strip off signature lines by discarding everything after a line starting with "--" or "__" - To send a post to a newsgroup: mail anon.post.groupname@pax.tpa.com.au NB: - eg. "mail anon.post.talk.abortion" will send a post to "talk.abortion" - only the Subject field from your post is used, the rest of the header is discarded - the newsgroup is selected by the alias; Newsgroup header fields are discarded; hence cross-posting isn't feasible - signatures are stripped as above "PGP" (encryption) commands: - To register your public key with PAX: (ABSOLUTELY NECESSARY) mail anon.key@pax.tpa.com.au NB: - first you have to make install pgp and make a key then send it in a "anon.key" command - the body of the message MUST contain an ascii encoded public key generated by PGP V2.0. You may use your regular public key that you give to other people if you wish. The user ID name must be unlikely to conflict with one PAX already has, so use your full name, or include your email address or something. If you want you can use a unique key just for PAX - it makes no difference. If PAX already has a key of the same user-id it will reject yours. Note that this means that you need different key user-id's on different machines (or mail addresses anyway). # makes new keys & adds to your "keyring" pgp -kg Enter a user ID for your public key: First M. Last of somefirm # extract key in ascii form suitable for a message body pgp -kxa "First M. Last of somefirm" savedfile pubring # send it to PAX mail anon.key@pax.tpa.com.au <savedfile.asc - PAX will respond by sending you a new alias number and a public key to add to your keyring to use to encrypt messages to PAX. It will have a user ID name of "paxanon.publickey" and you should add it to your public key ring by saving the message in a file and presenting it as follows: pgp -ka savedfile Your life will be easier in future if you reply yes to the certify question. - Note that now you may have two aliases, that sent in response to the anon.key command and that sent in response to the anon.ping command or previous unencrypted replies or posts. Any sunsequent replies or posts that you encrypt before sending will be seen to others as having come from the new alias, and replies will be encrypted before being passed on to you. Any plaintext messages you send will appear to have come from the original alias and responses will also come back in plaintext. - Sending encrypted posts and replies. There are no other commands. If you encrypt a message and send it using the "anon.reply" and "anon.post" groups, the software will detect that they are encrypted, select the appropriate alias as a return address, decrypt the message, and mail or post it. You should use PGP 2.0 to encrypt messages sent to PAX, using the public key that PAX sent to you. DON'T FORGET TO SIGN your message using the secret key corresponding to the public key that you sent to PAX !!! Unsigned messages will be rejected to ensure that the message is really from you and not someone pretending to be you using your account or mailpath. Eg.: # sign and encrypt message for mailing to pax. pgp -east message "paxanon.publickey" -u "First M. Last of somefirm" mail -s "A test post" anon.post.alt.test <message.asc Note the -a (armor) and -t (text) options. Note also the subject flag to mail - PAX will whinge if you post something without a subject. Similarly, all messages to you will be signed using PAX's secret key corresponding to the public key PAX sent to you, hence you will know if the message really came from PAX and not someone else using your public key. ***** NB. The ENTIRE encrypted segment will be passed on after it has been decrypted. There is no processing of any contained header (though it won't work as a header), nor any removal of signature information within the encrypted text. Take great care to ensure that there is no identifying information within the encrypted text. ***** Any plain text accompanying the encrypted text will be discarded. The Subject header field is still passed on during postings as with "normal" unencrypted posts. More work may be done on these "features" if there is sufficient demand for it :). Miscellaneous administrative commands: - To see the current status of the system (message of the day): mail anon.status@pax.tpa.com.au - To send mail to a human administrator: mail anon.admin@pax.tpa.com.au Mailing List ============ To send mail to/join/unjoin a mailing list about this service, and anonymous services in general: mail anon.list@pax.tpa.com.au mail anon.subscribe@pax.tpa.com.au mail anon.unsubscribe@pax.tpa.com.au How secure is it ? ================== Not bad. Clearly it depends on the security of the underlying PGP 2.0 software which is discussed at length in its documentation. The keys are stored, and the messages encrypted and decrypted on a server which also hosts a Public Access Unix system. These files are protected by the usual Unix security mechanisms, but in the event of a security breach could conceivably become visible. The keys would hence be compromised and any messages passing through could be decrypted. The PAX administration could theoretically access the keys and files at will of course. It is hard to conceive of an alternative implementation which links anonymity with privacy enhancement however. This is no substitute for a direct person to person link with certified keys and this service should not be used as a substitute for such if security is a primary concern. Legal Issues. ============= PGP 2.0's use of the RSA algorithm is a problem in the US where a patent is now held on the algorithm, despite its widespread promulgation before the patent was obtained. The PGP documentation discusses this issue at length. Sufficeth to say, this service is provided by a site in Australia and hence should not be subject to the constraints imposed by the US patent. The service is offered to anyone who can reach this site by mail, in addition to PAX's own users, and there is no intention of obtaining any commercial gain by providing the privacy-enhanced anonymous service. Whether individuals in the US can legally use the PGP software to use the service provided by PAX for their own personal use, without first obtaining a license to use the RSA algorithm is an untested issue. Certainly the software is widely available even though it is now maintained outside the US. No such concerns should apply anywhere other than the US. This project is an experiment to see if the concept is feasible and if there is any demand for it. The software is crude, but functional, but it is quite possible that it will fail in unforeseen circumstances. It is designed to loose or fail to pass on a message rather than post or return plaintext (which would be very undesirable) but there can be no guarantees. It is conceivable that plaintext might get sent where it was not intended, and PAX assumes no responsibility for the consequences. At least this would be no worse than the situation that prevails with current anonymous services. THIS IS EXPERIMENTAL SOFTWARE IN A STATE OF FLUX - YOU HAVE BEEN WARNED. END OF FILE -- ** Anonymity & Privacy by PAX - Public Access Unix (Adelaide,South Australia) ** anon.admin@pax.tpa.com.au (a human) anon.info@pax.tpa.com.au (for help) anon.ping@pax.tpa.com.au (get alias) anon.key@pax.tpa.com.au (register key) anon.###@pax.tpa.com.au (reply) anon.post.g@pax.tpa.com.au (post to g) anon.list@pax.tpa.com.au (to mailing list) anon.subscribe@pax.tpa.com.au anon.unsubscribe@pax.tpa.com.au For dialup Unix access phone +61-8-235-9010 - online registration. -- Yanek Martinson mthvax.cs.miami.edu!safe0!yanek uunet!medexam!yanek this address preferred -->> yanek@novavax.nova.edu <<-- this address preferred Phone (305) 765-6300 daytime FAX: (305) 765-6708 1321 N 65 Way/Hollywood (305) 963-1931 evenings (305) 981-9812 Florida, 33024-5819