Attempted Compromise of anon.penet.fi Server?
-----BEGIN PGP SIGNED MESSAGE-----

A number of postings to the alt.test Usenet newsgroup from pseudonymous accounts at anon.penet.fi have recently been reported. Correspondingly, a number of people have received email from that server indicating that an unsolicited pseudonymous account and ID have been established for them at that server. Assuming no actual compromise of the anon.penet.fi database itself, this attack could serve a number of purposes.

Let's assume that an attacker had obtained the Cypherpunks mailing list, perhaps merged with a listing of all posters to sci.crypt, alt.security.pgp, alt.politics.org.nsa, etc. and, forging a message from each member, attempted to create a new pseudonymous account at the anon.penet.fi server for each one. Likely motives for, and outcomes from, this attack are:

SCENARIO #1: Attempting to assign a new anon account to a person by posting to alt.test. Each failure would indicate that the address owner already possessed a password-protected anon ID there. This information could prove potentially "useful", I suppose. For example, a list of names of anon forwarder users could be collected for "special treatment" later, possibly a "sting" operation of some sort; it would also net a few people whose only use of anon.penet.fi was merely REPLYING to another's pseudonymous address, which also results in the allocation of a new ID. See Scenario #4 for further speculation.

SCENARIO #2: Attempting to create such an account and SUCCEEDING would now match up the user ID with the new account number. Any future posts via this account could then be easily cross-referenced back to the source. Any account thus created, as evidenced by a "welcome" message from anon.penet.fi, should probably NOT be used, at least where anonymity was needed.

SCENARIO #3: If the new accounts were password-protected by the forger, and the passwords NOT revealed to the putative "owners", the result would be a "denial of service". Has anyone received a message that an unsolicited new account has also been password "protected"? (Scenarios #2 and #3 are mutually exclusive, BTW.)

SCENARIO #4: The most serious of all is the possibility of a "barium attack". A special "coded", but seemingly innocuous, message could be sent to each email address identified in Scenario #1. If the person replies, he/she has just blown his/her anonymous cover, and any previous (or future) postings/correspondence using that ID are then traceable back to the source. Needless to say, anyone who has a pseudonymous ID at anon.penet.fi that he/she would like to keep secret should be EXTREMELY careful in responding to any messages coming through that server.

The most likely means of accomplishing this attack is through the Subject: header, since many people reply to messages and keep the original subject, prefixing it with "RE: ". If I send messages to Alice, Bob, and Charlie via anon.penet.fi, using a slightly different Subject: line for each, then a reply containing that Subject: line will link the pseudonymous return address on the reply with the recipient of the original message.

The source of this attack could be either a TLA (three-letter agency, such as NSA, FBI, CIA, etc.), some hacker, or even the infamous Larry Detweiler. I cite the "TLA" option since a number of messages have been posted to various newsgroups via anon.penet.fi that seemingly violate Federal law. At first glance the attack would seem to have been executed in a somewhat clumsy fashion, particularly the posting of public messages with the text "I am John Doe", or whatever. OTOH, given the inevitable "welcome" message from anon.penet.fi to the "holders" of the newly assigned IDs, such "clumsiness" could also be designed to make a sophisticated attack look amateurish to disguise the motives and capabilities of the attacker(s).

Or, this whole thing could be an attempt to achieve "Death to Blacknet" by undermining user confidence in the anon servers by spreading "fear, uncertainty, and doubt".

QUESTION: Has anyone with a previously existing, password-protected identity at anon.penet.fi received an "invalid password" message recently, even though no attempts to send mail through the server had been made? If not, then that's a bad sign because it might indicate that password protection has somehow been circumvented by the attacker.

-- Diogenes - a registered pseudonym. PGP key (ID# D1150D49) available through PGP Public Key Servers
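The Subject:-line correlation the post describes in Scenario #4 is defeated on the replying side by never echoing the original's headers. The following is an added example, not code from the post or from anon.penet.fi: a reply builder that replaces the Subject with a generic one, and a check that flags a draft reply whose Subject still matches the original (modulo "RE:" prefixes). The sample message, the an123456 pseudonym and the recipient address are constructed for the example.

```python
"""Reply sanitiser for mail arriving through a pseudonymous remailer (added example)."""
import re
from email import message_from_string
from email.message import EmailMessage

# A neutral Subject carries no per-recipient tag back to the original sender.
GENERIC_SUBJECT = "(no subject)"

def _normalise_subject(subject: str) -> str:
    """Strip any run of leading 'Re:'/'RE:' prefixes and case so tagged subjects compare equal."""
    return re.sub(r"^(\s*re:\s*)+", "", subject, flags=re.IGNORECASE).strip().lower()

def sanitized_reply(original_text: str, body: str) -> EmailMessage:
    """Build a reply that addresses the sender but copies none of the original's headers.
    The body is the replier's own text only; the original is deliberately not quoted,
    since quoted text would leak the same per-recipient marker as the Subject."""
    original = message_from_string(original_text)
    reply = EmailMessage()
    reply["To"] = original.get("Reply-To") or original["From"]
    reply["Subject"] = GENERIC_SUBJECT
    reply.set_content(body)
    return reply

def subject_leaks(reply: EmailMessage, original_text: str) -> bool:
    """True if the reply's Subject would echo the original's, i.e. the 'RE: ' pattern
    the post warns about; used to vet a hand-written draft before it goes out."""
    original_subject = message_from_string(original_text).get("Subject", "")
    norm_original = _normalise_subject(original_subject)
    if not norm_original:
        return False
    return _normalise_subject(reply.get("Subject", "")) == norm_original

# Constructed sample: a seemingly innocuous message whose Subject carries a tag "(b7)".
SAMPLE_MESSAGE = """From: an123456@anon.penet.fi
To: alice@example.org
Subject: Quick question about key servers (b7)

Could you re-send your public key?
"""

if __name__ == "__main__":
    safe = sanitized_reply(SAMPLE_MESSAGE, "Sure, here it is.")
    print(safe["Subject"], subject_leaks(safe, SAMPLE_MESSAGE))  # (no subject) False
    naive = EmailMessage()
    naive["Subject"] = "RE: Quick question about key servers (b7)"
    print(subject_leaks(naive, SAMPLE_MESSAGE))  # True
```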
participants (1)
-
nobody@kaiwan.com