From Risks 14.81 Aug 11 93

===cut=here=== From: olaf@bigred.ka.sub.org (Olaf Titz) Subject: Surprise! contained in tar file The RISK of trusting in software to save confidentiality has recently been exposed in a German newsgroup. On a debate whether DES is illegal in Germany (it is not, by the way) someone posted a tarred, compressed, uuencoded archive of DES code via an anonymizing service. (No discussion on the topic of anonymization, please.) Not only that he forgot to delete the object code before tarring (thus giving an indication which kind of hardware he uses). The next day someone else posted an explanation why this action was stupid, giving the anonymous poster's full real name and address. He found it out because the tar he used leaves user names (not only UIDs, which would suffice to restore file permission settings) in the tar file. Of course, this fact is not mentioned explicitly in the man page rsp. info file (but the average user wouldn't expect it in the first place...) where an explicit warning could be considered appropriate. Olaf Titz - olaf@bigred.ka.sub.org - s_titz@ira.uka.de