It seems like there are several problems that arise from this "automatic" anonymization of messages sent through the Penet remailer.

You have these security threats which involve people being tricked into sending messages through the remailer in such a way that the recipient knows the true email address from where the messages are coming. (I think that is what happened here with "deadbeat", because otherwise why would he have asked people to send their email addresses? He wouldn't need email addresses since he could reply to people without knowing them, by just using a "reply" command in his mailer.) (It's interesting that he also sent his message via one of the Cypherpunks remailers. Maybe he thought they worked like the Penet remailer and he could break anonymity on those as well.)

Another problem that people have complained about is when they respond to an anonymous posting, they get a message from Penet saying that they now have an anonymous ID assigned. This confuses and bothers some people. We had some debate about this issue here several months ago (before Penet was operating, I think). One question is, if I send mail to anonymous person A, does that mean or imply that I should be made anonymous to A? This is to some extent a matter of expectations. Some people argued that there should be no expectation of anonymity in this case; A is the one who wants to be anonymous, not the people who are sending to him/her. Others replied that since some anonymous remailers already worked this way, there would be an expectation of anonymity, and so the safest assumption was to anonymize all messages since people can always override the anonymity by revealing their true addresses. I think these attacks on Penet re-open these questions. Evidently there is positive harm that can occur by automatically anonymizing all messages which pass through a remailer.

(BTW, I certainly don't mean here to be presuming to tell Julf what he should or should not do with Penet. I'm just taking that as an example. We have discussed adding similar functionality to our Cypherpunks remailers.)

The main problem occurs when sending a message to an anonymous Penet address. For the other uses of the Penet remailer, for anonymous posting and for mail to a non-anonymous address, it's more reasonable to assume that anonymization is desired. (Otherwise, why would they be using the service?) But when sending a message to an anonymous address, it's not known whether the sender wants to be anonymized or not. One possibility (which might not be that easy technically) would be to assign a new anonymous ID for each such message through the Penet server. This means that you would get a _different_ anonymous ID for each of these messages, preventing an attacker from pairing up your "usual" posting ID with your email address. (Perhaps this anonymous ID creation could be suppressed with another X- command, as proposed earlier, but this could be the default behavior.) It might be hard to keep track of that many anonymous ID's, but perhaps they could be kept active for only a limited period of time (several weeks or months) and retired after that.

It might seem that people should just be careful about what they send through Penet, but there are some problems with this. What do you do if you get a message from an5877@anon.penet.fi asking for advice on cryptography mailing lists? If you reply, your questioner can figure out who the reply is coming from, and sees your Penet alias. There is no way to prevent this from happening currently. Also, I have seen proposals that anonymous ID's should be made less recognizable, so that instead of an5877@anon.penet.fi we would have joe@serv.uba.edu. In such a situation it might be tedious to scrutinize every email address we send to (via replies, for example) to make sure it isn't a remailer where you have an anonymous ID.

All in all, I think some changes need to be made in how anonymous addresses are used and implemented in order to provide reasonable amounts of security.

Hal Finney
One possibility (which might not be that easy technically) would be to assign a new anonymous ID for each such message through the Penet server.
I was thinking of installing a trivial hack in my remailer, such that upon demand it adds some random (essentially unrepeatable) cruft to the From: line, placing it as a name field so as to have no addressing significance. I believe penet assigns IDs based on this line, so chaining this to a penet-style remailer would provide "hit-and-run" anonymity -- even if the remailer wants nothing of the sort. The social desirability of this could be questioned, but it certainly seems more secure to build pseudonyms on top of something like this (using PGP sigs to provide a solid identity) than through the presently-popular approach. Comments? (Julf?)
Hal Finney
PGP 2 key by finger or e-mail Eli ebrandt@jarthur.claremont.edu
I was thinking of installing a trivial hack in my remailer, such that upon demand it adds some random (essentially unrepeatable) cruft to the From: line, placing it as a name field so as to have no addressing significance. I believe penet assigns IDs based on this line, so chaining this to a penet-style remailer would provide "hit-and-run" anonymity -- even if the remailer wants nothing of the sort. The social desirability of this could be questioned, but it certainly seems more secure to build pseudonyms on top of something like this (using PGP sigs to provide a solid identity) than through the presently-popular approach. Comments? (Julf?)
I think we should come up with a more socially acceptable solution. Widespread use of hit-and-run abuse on the net would certainly lead to actions against sites such as anon.penet.fi. Some method that preserves a return path is needed for a *general* posting facility (alt.whistleblowers etc. would be special cases). And... Please remember anon.penet.fi has something like 13000 existing users. And most of them have been using other anonymous posting hosts with the same limitations/defaults as anon.penet.fi. So we can't change everything overnight... Julf
A few notes on the progress in anonymity:

Eric Hughes suggests an alt.whistleblower with localized anonymizing. I like this, but I don't see how NNTP provides it. Wouldn't every server have to be modified or upgraded to support anonymizing? It would be trivial but I think we will find that the people in charge of NNTP are looking for ways to increase authentication and validation mechanisms, and would be hostile to the idea, although that's definitely the place for it. As I hinted in an earlier message, the possibility of a centralized moderator stripping addresses, while already currently supported in the software mechanisms, is problematic because it is a single location with all the traffic--hence the need to go through independent anonymous servers first. But I think the localized header-stripping is totally superior to all this. Having a message bounce around a net a bit with *real* information is very vulnerable, when the ID could be stripped off at the source.

Regarding the alt.whistleblower group, someone has proposed starting a .gov hierarchy on news.admin.policy very recently, and I sent along the proposal to him. Watch for new RFCs and vote with your email. For now I think the route to go is to get a group and let independent servers take care of anonymizing the traffic. Maybe the moderating address could pick a random remailer from a list of active ones--?

I'd like to say a few things about what's going on in news.admin.policy right now. The thing has turned into quite a conflagration. But most notable is that Julf@penet has broken his silence on the really voracious drubbing he's getting, and come forward to say that he has taken actions against abusive posters, and is under severe amounts of stress--he said he spends 5 hrs some days answering email (administrative queries?) on the server. In one case an abusive poster crashed his system by mailbombing (filling it up with junk).

K. Kleinpaste, who wrote original scripts that julf is using, IMHO is at best a hypocrite and at worst a traitor to the cause. He has attacked julf repeatedly on news.answers (most recently calling him a `bastard') for not implementing the `fire extinguisher' (killing abusive posters) or restricting group access, or using his own software for any of these purposes, despite originally providing it. In private email to him I find him very authoritarian and narrow-minded on issues of anonymity and am frankly quite stunned he ever partook in the project. I think history will show very clearly that the great and tremendous popularity of the penet server (10,000 users in a few months) is due *precisely* to julf's decision to allow postings to all groups.

Anyway, if ever there was a call for other server operators (not just account remailers)--this is it. We need people with as much control over their own site as possible. Stuff that is running without the knowledge of sysadmins at the site is great for experiments but it's just not going to cut it for some very serious future uses that are approaching at the speed of light. Also, if anyone from EFF is listening, I think this could turn out to be one of the most important net.issues over the coming years. How about an EFF sponsored server?

I suspect, if anybody did a fairly impartial study, instead of all the ranting and prejudice that is going on right now in news.admin.policy, that anonymous abuse is not extremely problematic or unmanageable compared to regular phantom/untraceable postings on Usenet. People are so vocal about `abuses' right now, but only because they tend to be highly visible. The anonymity is a red herring here. If julf@penet has 10,000 anonymous users, do we now have 10,000 times the problems on Usenet in general? Or *any* measurable fraction more than previously? I think this anonymous use is getting very high use right now. We are right in the midst of a major trend toward greater anonymized traffic. Stats on news.lists show that a lot of traffic is starting to get anonymized, traffic that was once (previously, probably) simply forged. There'll be plenty of people complaining from upset status quo. Tell them to take some virtual Alka-Seltzer.

- - -

I apologize for not bringing this to the attention of the list earlier, as it sort of seems to be a recent epiphany on the list, but julf@penet told me he added the password protection precisely for the forgery questions that are popping up.

Also, something to note on forgery is that the forger may not necessarily *know* a person has an anonymous mail address on a given server, and the forgery may result in allocating a new anonymous ID for the forged address. The forger can tell the difference if the message simply goes through or he gets back a `you have been allocated xxx ID..'

Also, note the simple scheme of serially allocating anonymous ID's could be a problem. If the infiltrator knows the rough date that someone was allocated a new ID, he could narrow down the range of IDs. For this reason randomly allocated IDs is a better idea. The infiltrator could even go around to new accounts all the time (or forge them) to get an idea where the server is in the allocation cycle. It seems to me that there are probably a lot of ID's that are not being used on these servers and the issue of when to get rid of old ID's is a big problem.

Regarding some notes from Mr. Finney:
You have these security threats which involve people being tricked into sending messages through the remailer in such a way that the recipient knows the true email address from where the messages are coming.
These are completely analogous to users being tricked into supplying passwords in regular login situations. Not a new problem. And anybody who hasn't figured out that you should *never* put any identifying information in the message itself is probably a little too clueless to be using the service in the first place. However, the idea of giving a warning in the use introduction is ok: ``under NO CIRCUMSTANCES EVER DO THIS'' type thing.
Another problem that people have complained about is when they respond to an anonymous posting, they get a message from Penet saying that they now have an anonymous ID assigned. This confuses and bothers some people.
Tell them to try not to be so sensitive that a breeze causes them to panic. It's a new scheme but they need to get used to it. They can throw off the anonymity voluntarily any time they want by just including their ID in their message. But they shouldn't do this if they ever want to use the server in the future. Really, all this comes down to is that they get one extra reply in their mailbox other than usual--the one from the server saying `you now have this ID'. I think most people are recognizing that people complaining about this are just trying to be troublesome. The argument was called `pedantic' on news.admin.answers.
Evidently there is positive harm that can occur by automatically anonymizing all messages which pass through a remailer.
The problem is that the anonymity is implicitly requested by a message to the server. Hence replies are getting this anonymity. One possibility is an override switch in the header that leaves it entirely intact and the server just acts like another hub forwarder. But what is this `harm'? We have to recognize these complaints as completely frivolous and without merit. Please, don't find a problem where there is none, you will only complicate simplicity. One thing I'd like to see that no one has done is an `unlink' feature for servers that carry address alias tables, so the user can erase all trace of any previous transactions through the server (other than the mail). But maybe this is too close to the hit-and-run abuse out there. Maybe there is a compromise somewhere, like a waiting period before unlinking, during which complaints can be registered and possibly prohibit future use.
Also, note the simple scheme of serially allocating anonymous ID's could be a problem. If the infiltrator knows the rough date that someone was allocated a new ID, he could narrow down the range of IDs. For this reason randomly allocated IDs is a better idea. The infiltrator could even go around to new accounts all the time (or forge them) to get an idea where the server is in the allocation cycle. It seems to me that there are probably a lot of ID's that are not being used on these servers and the issue of when to get rid of old ID's is a big problem.
Here's an idea.... What if I added anonymous ID's to my remailer such that the following would occur: Messages with "Command: Create ID" header field will result in a random ID being allocated to that user's account (if one does not already exist) and mailed to the account. Messages with "X-Allow-Reply: yes" header field (for example) will result in the user's anonymous ID being sent to the recipient in a header field (not From: because I do not have alias capabilities on this system). Messages with "X-Anon-To: <an anon ID>" will get forwarded to the anon ID's actual address. This is a sort of on-demand reply mechanism.

I could make flags on the anon ID's so that I can disable a user's ID, set send/reply privileges, etc. If a user wants to change his ID, he could send "Command: Change ID" or "Command: Delete ID" to the remailer. Then, I could either set up a waiting period, make it require manual attention, or make it automatically do as requested. Since the program is written in C, about half of this is trivial. Making it secure is the most difficult part.

By default, of course, messages would have no reply ability. Any user who replies will send mail to me. They would have to specifically place the X-Anon-To header line with the person's anon ID into the message.

On the other hand, I could institute a serial number scheme where each message receives a serial number. Replies to that message for the period of a week or a month or whatever I choose will be forwarded to the sender. Each one has a different serial number no matter who it came from. Of course, this would require both a self-maintaining cross-reference list and an extra header field and/or work on the part of the person who replies.

I was wondering, what is the opinion on this list (just reply to me, so we won't clog up cypherpunks any more than we (my remailer) already have) as to whether or not I should append a footer to remailed messages saying "Remailed by: nowhere@bsu-cs.bsu.edu" or some such nonsense that will let the recipient know that I did not write the message. My software already supports footer files, but I haven't been using them.
One thing I'd like to see that no one has done is an `unlink' feature for servers that carry address alias tables, so the user can erase all trace of any previous transactions through the server (other than the mail). But maybe this is too close to the hit-and-run abuse out there. Maybe there is a compromise somewhere, like a waiting period before unlinking, during which complaints can be registered and possibly prohibit future use.
I tried to incorporate this unlink idea of yours into my above proposal. The above is the way I understand your idea. Is this correct? Chael Hall -- Chael Hall nowhere@bsu-cs.bsu.edu, 00CCHALL@BSUVC.BSU.EDU, CHALL@CLSV.Charon.BSU.Edu (317) 285-3648 after 5 pm EST
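As an added example (not Chael Hall's remailer, whose source is not on the page, and not Penet's), here is a Python sketch of the header-command scheme from the post above: ids are allocated at random as Detweiler argues for, the alias table is keyed on the parsed address rather than the raw From: line, and "Delete ID" gets the waiting period discussed before the unlink happens. The id format, the seven-day window and the "Request-Remailing-To:" forwarding header are assumptions.

```python
# Constructed sketch of the header-command alias scheme proposed above (not Chael Hall's code).
import email
import email.utils
import secrets

ID_DIGITS = 6                        # ids look like an123456 (assumed format)
UNLINK_DELAY = 7 * 86400             # seconds before a "Delete ID" takes effect (assumed)
REMAILER = "nowhere@bsu-cs.bsu.edu"  # the remailer's own address, from the post


class AliasTable:
    """Two-way alias table with per-id flags and deferred (unlink) deletion."""

    def __init__(self):
        self.by_addr = {}     # real addr-spec -> anon id
        self.by_id = {}       # anon id -> real addr-spec
        self.flags = {}       # anon id -> {"reply": bool, "disabled": bool}
        self.unlink_at = {}   # anon id -> timestamp at which the unlink happens

    def get_or_create(self, addr):
        if addr in self.by_addr:
            return self.by_addr[addr]
        # Random rather than serial allocation: knowing roughly when an id was
        # issued must not narrow down which id it is.
        while True:
            anon = "an%0*d" % (ID_DIGITS, secrets.randbelow(10 ** ID_DIGITS))
            if anon not in self.by_id:
                break
        self.by_addr[addr], self.by_id[anon] = anon, addr
        self.flags[anon] = {"reply": True, "disabled": False}
        return anon

    def expire(self, now):
        """Carry out unlinks whose complaint window has elapsed."""
        for anon, when in list(self.unlink_at.items()):
            if when <= now:
                self.by_addr.pop(self.by_id.pop(anon), None)
                self.flags.pop(anon, None)
                del self.unlink_at[anon]


def process(table, raw, now):
    """Handle one inbound message; return (action, headers of the outgoing mail)."""
    table.expire(now)
    msg = email.message_from_string(raw)
    # Key the table on the parsed addr-spec, not the raw From: line, so random
    # display-name cruft cannot mint a fresh id for every message.
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    if not sender:
        return "reject", {}
    command = (msg.get("Command") or "").strip().lower()
    if command == "create id":
        return "notify", {"To": sender, "X-Anon-ID": table.get_or_create(sender)}
    if command == "delete id":
        anon = table.by_addr.get(sender)
        if anon is not None:
            table.unlink_at[anon] = now + UNLINK_DELAY  # complaints first, unlink later
        return "ack", {"To": sender}
    anon = table.by_addr.get(sender)
    if anon is not None and table.flags[anon]["disabled"]:
        return "bounce", {"To": sender}
    # Only the headers built here reach the recipient; From:, Received:,
    # Message-ID: and the rest of the original are dropped by construction.
    out = {"From": REMAILER, "Subject": msg.get("Subject", "")}
    target = (msg.get("X-Anon-To") or "").strip()
    if target:
        real = table.by_id.get(target)
        if real is None or not table.flags[target]["reply"]:
            return "bounce", {"To": sender}  # unknown, unlinked or reply-disabled id
        out["To"] = real
    else:
        # "Request-Remailing-To:" is assumed here as the plain forwarding header.
        out["To"] = (msg.get("Request-Remailing-To") or "").strip()
        if not out["To"]:
            return "reject", {}
    if (msg.get("X-Allow-Reply") or "").strip().lower() == "yes":
        out["X-Anon-From"] = table.get_or_create(sender)  # answerable via X-Anon-To:
    return "forward", out
```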
Eric Hughes suggests an alt.whistleblower with localized anonymizing. I like this, but I don't see how NNTP provides it. Wouldn't every server have to be modified or upgraded to support anonymizing?
In an already supported sense, yes. As I understand it, when a moderated group is created, an email address for the moderator is propagated with it. So every time a moderated group is created, every server already is "modified". But the anonymity does not take place in NNTP. The news server mails every posting to the moderator's address. The header filtering takes place on that machine, unbeknownst to the original NNTP server. I hear that this mechanism didn't used to work reliably, but that it now basically does. Comments? In addition, the direct mail address should be advertised independently, so that those without easy access to Usenet news can still use the system.
[...] I think we will find that the people in charge of NNTP are looking for ways to increase authentication and validation mechanisms,
The way to forge a posting to alt.whistleblower would be to post with your real address in it! That's not exactly a positive feedback loop for the outlaw.
[...] a centralized moderator stripping addresses, [...] is problematic because it is a single location with all the traffic
Granted. Thus the need for a periodic posting stating exactly what the security level of the system is.
But I think the localized header-stripping is totally superior to all this.
Agreed. That's why you publish the newsgroup entry point. Then a more sophisticated whistleblower could use a remailer chain to get to the access point. Eric
Date: Tue, 23 Feb 93 18:46:17 -0800 From: Eric Hughes <hughes@soda.berkeley.edu>
Eric Hughes suggests an alt.whistleblower with localized anonymizing. I like this, but I don't see how NNTP provides it. Wouldn't every server have to be modified or upgraded to support anonymizing?
In an already supported sense, yes. As I understand it, when a moderated group is created, an email address for the moderator is propagated with it. So every time a moderated group is created, every server already is "modified".

That's how it *should* work, not how it *does* work. In real life, moderator addresses are distributed "out of band" to a relatively small number of "backbone" sites; all the rest of the sites merely forward the mail to a "backbone" site. Making a newsgroup moderated in the absence of a moderation address is an easy way to make it "read-only"; I think the folks who run the fj.* groups do this instead of sending rmgroups (which are generally ignored).

- Bill
Re: alt.whistleblower moderation I wrote:
So every time a moderated group is created, every server already is "modified".
Bill writes:
That's how it *should* work, not how it *does* work. In real life, moderator addresses are distributed "out of band" to a relatively small number of "backbone" sites; all the rest of the sites merely forward the mail to a "backbone" site.
Well, we can weekly publish the submission address. It would take slightly more intelligence on the part of the would-be poster. What are exactly the politics of propagating this moderator's address, anyway? Is it particularly difficult? Is it automated? Please advise. alt.whistleblower, in addition to being a public good, is a great way to raise hell. Eric
Please advise. alt.whistleblower, in addition to being a public good, is a great way to raise hell.
True. Actually, I want to ask for some help/advice. I am about to implement alt.whistleblower on anon.penet.fi. But one thing I think I would like some input on is the description text of the newsgroup for the newsgroups file. A more important matter is the way the group should be implemented. Moderated or unmoderated doesn't matter, as the server already knows how to send messages to moderated groups to the moderator. But how should it differ from other groups on anon.penet.fi? All groups will be able to accept PGP-encrypted messages, but I was thinking of making a.w a special case where id's aren't allocated at all, and every message would just come from "an000000" or something. Is this a good idea? Pros are that it would make it very hard to track down the real poster, cons that it would be impossible to tell the different posters from each other, thus not enabling informers to earn good or bad reputations, unless they include key signatures or something. Comments? Julf
A more important matter is the way the group should be implemented. Moderated or unmoderated doesn't matter, as the server already knows how to send messages to moderated groups to the moderator.
Actually, I was thinking that whistleblower@anon.penet.fi would _be_ the moderator. Then you just post directly. All the messages would come from that address, and no id's would be assigned. Since all messages are from "whistleblower", replies to a poster go right back out to the list, also anonymized. It's actually a much simpler system than is currently implemented, since id's aren't involved at all.
Pros are that it would make it very hard to track down the real poster, cons that it would be impossible to tell the different posters from each other, thus not enabling informers to earn good or bad reputations, unless they include key signatures or something.
PGP 2.1 contains the cleartext-signature feature, and the periodic posting to the list should mention this. This allows a real pseudonym to develop, just like we want. Eric
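An added example (not code from anon.penet.fi, Julf or Eric) of the moderator described in the two messages above: every submission is re-posted from whistleblower@anon.penet.fi with its headers rebuilt from an allow-list rather than by deleting known bad ones, and the body is checked for the two things the thread cares about, a self-identifying address and a PGP cleartext signature. The allow-list contents and the flag names are assumptions.

```python
# Constructed example of the whistleblower@anon.penet.fi moderator idea above
# (not Julf's or Eric's code; the header policy is an assumption).
import email
import email.utils

MODERATOR = "whistleblower@anon.penet.fi"   # address from the thread
GROUP = "alt.whistleblower"
# Allow-list: a header survives only if it is named here. A deny-list would
# miss whatever identifying header (Path:, NNTP-Posting-Host:, X-Mailer:, ...)
# some other news or mail software adds.
KEEP = ("Subject", "Content-Type", "Content-Transfer-Encoding")
PGP_CLEARSIG = "-----BEGIN PGP SIGNED MESSAGE-----"


def moderate(raw):
    """Rewrite one submission for posting as the moderator.

    Returns (headers, body, info): the headers and body to post, plus flags
    the moderator (or an automatic bounce) can act on before posting.
    """
    msg = email.message_from_string(raw)
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    headers = {name: msg[name] for name in KEEP if msg[name] is not None}
    headers["From"] = MODERATOR        # every post looks the same; no ids assigned
    headers["Newsgroups"] = GROUP      # any cross-post list is replaced as well
    body = msg.get_payload()
    info = {
        # Identifying information inside the body is the one thing header
        # stripping cannot fix, so flag it for a bounce instead of posting.
        "body_names_sender": bool(sender) and sender in body.lower(),
        # A PGP cleartext signature lets a pseudonym earn a reputation even
        # though every post carries the moderator's From: line.
        "clearsigned": body.lstrip().startswith(PGP_CLEARSIG),
    }
    return headers, body, info
```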
accept PGP-encrypted messages, but I was thinking of making a.w a special case where id's aren't allocated at all, and every message would just come from "an000000" or something. Is this a good idea? Pros are that it would make it very hard to track down the real poster, cons that it would be impossible to tell the different posters from each other, thus not enabling informers to earn good or bad reputations, unless they include key signatures or something.
I like the idea, but would this make it impossible to respond anonymously and/or privately to a whistleblower? I couldn't write back privately to compare evidence if I didn't want to go public with my information yet (assuming that I had a similar interest, of course). Of course, if they have included a public key I could post an encrypted message to them, but is the idea to create a newsgroup where much of the traffic could conceivably be encrypted E-mail? But, on yet another hand (I feel like I'm in _A Mote in God's Eye_), if a regular informational posting in a.w discussed these issues, a whistleblower would be warned to post a public key, a nom de guerre, and (maybe) a regular anon ID, if they wished, or to join an anon pool. To repeat: I do like the an00000 idea. But I think people may want E-mail response. Seth <seth.morris@launchpad.unc.edu> (Yay, I finally figured out +clearsig=on ! Now I need an option to add a public-key block to a message before signing automatically!)
Actually, I was thinking that whistleblower@anon.penet.fi would _be_ the moderator. Then you just post directly. All the messages would come from that address, and no id's would be assigned. Since all messages are from "whistleblower", replies to a poster go right back out to the list, also anonymized.
Well, this was my original idea as well, but the ensuing discussion confused me.
It's actually a much simpler system than is currently implemented, since id's aren't involved at all.
Exactly. And it's already implemented. I just have to enable it. But it doesn't support PGP/MIME yet.
PGP 2.1 contains the cleartext-signature feature, and the periodic posting to the list should mention this. This allows a real pseudonym to develop, just like we want.
Agree. But this requires us to really actively distribute PGP 2.1. Julf
participants (8)
- Bill Sommerfeld
- Eli Brandt
- Eric Hughes
- Hal
- Johan Helsingius
- L. Detweiler
- nowhere@bsu-cs.bsu.edu
- Seth Morris