-----BEGIN PGP SIGNED MESSAGE----- Jon Boone expressed what seems to be a consensus, " I won't hack into mail.netcom.com to demonstrate that it is possible to figure out who used your remailer. But, if one of the admins from netcom wants to send me their syslogs, I'll do my best to put together a correlation." Netcom logs mail. The mail queue is viewable by most anyone willing to set up a mail queue logging routine. If someone wants to see the mail logs after it is no longer in the mail queue they have to be root on Netcom or illegally hack in. If the FDA wants your illegal smart drugs, they might get Netcom to hand over mail logs. If a hacker or the NSA taps into root, they don't need mail logs; they'll just "wiretap" the qwerty account, including its secret key and pass phrase. Is there any OTHER serious but unrelated problems with a Netcom remailer? Now I know what warnings and hints to put in qwerty's .plan: "Since Netcom keeps mail logs, people should only have contact with qwerty via other remailers or send mail out from qwerty only to public sites like Usenet or a mailing list, so the real addresses of the users never shows up on Netcom's logs or in the mail queue. It is also best to use encryption in case someone is reading the contents instead of just the logs." Routing through qwerty will add another layer of difficulty to someone trying to track down a message sender, since if forces them to get Netcom's sendmail logs after the fact or to make their own logs every day of the year from an account on Netcom. Is this legal for say the FDA to do? How about my new idea for a company called "Netlog!" in which I log the mail queue on Netcom and offer to sell CD ROMs containing a year's mail logs from Netcom? These tricks could be made more difficult with traffic analysis countermeasures. However, the issue seems more touchy than this rationalization for the existance of Netcom remailers. Not assuming qwerty remains in its current state, will adding qwerty to a mailing chain, say between extropia to hfinney@shell, using encryption, add to or decrease security? The question needs to be answered, with the assumption that someone IS collecting mail queue logs. How would you have me alter qwerty so that this link ADDED to the security of a chain? More than an hour delay must be avoided by making the scheme more sophisticated, in my view. If I add a 0-30 min. random delay, with added dummy traffic going out from qwerty in a circle through other remailers and back to qwerty's bit bucket, every few minutes, would this make it useful also to SERIOUS remailer users? Before I start throwing out ideas that I'm sure aren't new to readers here, I have a simple question that perhaps I should post to comp.unix.questions or comp.lang.perl, but.... Can I, and how would I, get a perl script to kick in and send out mail every few minutes when I am NOT logged in. Is this possible on Netcom? The question is pretty general, and involves any public access or personal account machine. So send me a remailer or tell me how to patch Hal's. -Nik (Xenon) -----BEGIN PGP SIGNATURE----- Version: 2.3 iQCVAgUBLVGOgQSzG6zrQn1RAQFGLAP+N31dNMjnArEOklm4AeruT7pu6LgfNdUM OawRDPY8CYgxYi5kJ4yByh7+uD+Asr7FCMaKacln8YwO6oOz3FlceNupC1czWFI5 NWuS9b4r5ZPKpLClv9K3oY1QvRePc1r0Ypl4SYCtZux/7U787BoyT/VUHmkfwple I6X6+irFXns= =6Klu -----END PGP SIGNATURE-----