Remailers Pose Risk
Computerworld, February 12, 1996, Front page:

Stealth E-mail poses corporate security risk

By Gary H. Anthes

Anonymous remailers on the Internet are emerging as a threat to national and corporate security, some experts warn. These remailers are Internet sites that strip the names and addresses from electronic-mail messages before passing them along anonymously to people or newsgroups.

For corporate information systems managers, stealth E-mail is especially troubling because it allows hackers to attack systems, steal trade secrets and broadcast them worldwide without leaving an audit trail for authorities to follow.

"Anonymous remailers have a lot of nasty potential," said Stephen T. Kent, chief scientist for security technology at BBN Corp. in Cambridge, Mass. "They have the broadcast potential of the news media but without the possibility of recourse if something is unsubstantiated or defaming is published."

Critics are calling for strict limits or an outright ban on remailer sites, but others insist they are a safeguard against electronic snooping by abusive governments and should be considered a political freedom.

Anonymous remailers have been used in a variety of criminal acts, including distributing pornography and computer viruses, violating copyright laws and harassing people with nasty messages.

One snowy day last month, for example, about 25% of the workforce at a defense contractor in Rockville, Md., went home after they received a bogus E-mail message dismissing them for the day. The message originated from an anonymous remailer that allowed the user to impersonate a senior company official.

But there are more scary, less publicized uses of remailers, said Paul Strassmann, former director of defense information at the Pentagon. Stealth E-mail also is used extensively by Russian criminals, often former KGB agents.

"This method of communication is a favorite for engaging the services of cyber-criminals and for authorizing payment for their acts through a third party," Strassmann said.

Its Reputation Precedes It

Perhaps the best-known remailer site is in Finland at anon.penet.fi. The Finnish server was used last year to publish confidential and copyrighted scriptures from the Church of Scientology. It also was used to reveal the secret source code used by RSA Data Security, Inc. in some of its encryption products.

Last year, police raided the Finnish site and seized records and computer gear as part of an investigation of alleged copyright infringement.

The administrator of anon.penet.fi offers this warning to new users: "I believe very firmly that it's not for me to dictate how other people ought to behave. But remember, anonymous postings are a privilege, and use them accordingly. Remember, this is a service that some people who use newsgroups such as alt.sexual.abuse.recovery need. Please don't do anything stupid that would force me to close down the service."

One remailer advertises itself as a way to thwart attempts by intelligence agencies to trace illegal traffic, Strassmann said. It holds all incoming messages until five minutes after the hour, then remails them in random order. The messages are sent through five to 20 other remailers, with a stop in at least one of the several countries noted for lax law enforcement, he said.

Yet other experts say the threat from remailers is greatly exaggerated.

"We've had remailers around for a while, and society hasn't fallen," said Mike Godwin, staff counsel at the Electronic Frontier Foundation in San Francisco. "We've had anonymous communication in the U.S. for years, you can use a public telephone, send a letter without a return address or engage in a cash transaction."

Last year, the U.S. Supreme Court struck down an Ohio law that required the authors of political posters and pamphlets to identify themselves.

"In the case of political speech, you can't make people tell you who they are," said Patrick Sullivan, executive director of the Computer Ethics Institute in Washington.

But Sullivan said the police raid on the Finnish remailer was prompted by the Church of Scientology's legitimate complaint about violations of copyright law.

"I haven't heard many uses of remailers that haven't involved, at the very least, being disrespective and, at the most, trying to cause harm of some sort," he said.

_________________________________________________________

Battle against remailers an unfair fight

Think of anonymous remailers as enemies you can't fight face to face, says Paul Strassmann, former director of defense information at the Pentagon and now a lecturer at the U.S. Military Academy at West Point.

"Anonymous remailers are here to stay," he said. "That means the old military paradigm of retaliation falls apart. The whole theory of warfare has been if someone attacks you, you can attack them. But when you are anonymous, there is no one to shoot at."

Strassmann said society must look for defenses in the health sciences, not among electronic technologies.

"The history of public health teaches us that suppression of any disease must be preceded by a thorough understanding of its behavior, its method of transmission and how it creates its own ecology," he said. "As in the case of smallpox, yellow fever, flu epidemics, AIDS or malaria, it will take disasters before the public may accept that some forms of restrictions on the electronic freedom of speech and that privacy may be worthwhile."

- Gary H. Anthes

_________________________________________________________

Do's and don'ts

Unethical or illegal uses of anonymous remailers:

- To spread viruses or other malicious software
- To harass or commit libel
- To violate copyright laws
- To encourage others to commit unethical or illegal behavior

Legitimate uses of anonymous remailers:

- For "whistle blowing"
- For political speech
- For encouraging frank but constructive exchanges of opinions

_________________________________________________________

Article also contained chart on how to use anon.penet.fi, not included here.

[Thanks to BC for transcribing]