Recently I noticed an interesting thread on the Usenet newsgroup s.c.r regarding a Web site with a conferencing system, supposedly anonymous. I repost several articles which some folks on cp might find interesting. Path: !howland.erols.net!news2.digex.net!access1.digex.net!arthures From: "Arthur E. Sowers" <arthures@access.digex.net> Newsgroups: sci.research.careers Subject: Review and Warning about the "Biotech Rumor Mill" Date: Mon, 2 Sep 1996 22:16:39 -0400 Organization: Express Access Online Communications, USA Lines: 114 Message-ID: <Pine.SUN.3.94.960902214715.17927F-100000@access1.digex.net> References: <lindasj-2908961456130001@client9.sedona.net> NNTP-Posting-Host: access1.digex.net Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Sender: arthures@access1.digex.net In-Reply-To: <lindasj-2908961456130001@client9.sedona.net> Folks, I decided to visit this web site and tell all of you a few things you ought to keep in mind. First, the review: Yes, the "Rumor Mill" is a sort-of web-site "newsgroup". The majority of posts and responses that I saw (not counting the archives) were by "anonymous" posters. A good many were not particularly "hot" (such as "why is company 'X' stock dropping?" and some inane comments). Some were cryptic (meaning to the average person, they might be essentially meaningless). Most were very short (1-2 sentences). A few posts did have some information that I downloaded for use later. One or two mentioned lawsuits (patent infringement). Second, the warning: The Rumor Mill lets you post anonymously (as far as I could see, but I did not try it) but THAT DOES NOT MEAN THAT SOMEONE WILL NOT KNOW WHO YOU ARE. I don't know how the Rumor Mill is operated, but I do know that websites CAN be configured to capture information about browser users who access that site! They can get a large amount of information about you including your name, email address, all sorts of information about your domain & ISP, etc. Your anonymous post may appear to everyone else as anonymous, but the sysop (webmaster) at that site should be presumed to be capable of determining who you are. I myself have seen website "hit statistics" and believe me, it all shows up. You should look in your Web Browser directory for the <cookies.txt> file and note that some web sites that you visit will put short lines of data into your file. You might try to change the attributes on that file to "read only" and see what happens. Sometimes it will thwart the web site, sometimes it will give you an error message. As a matter of fact, I did click on one button and my netscape security window opened up to warn me that the channel to that site was not secure. What else is related to this? There are a number of anonymous remailers out in cyberspace, but it has been stated by a knowledgeable source that a number of them are being operated by law enforcement agencies (presumably to troll for criminal activity). A website which allows rumors to be posted anonymously, especially involving commercial business details (i.e. proprietary) but carries at least no disclaimer that the sysop or sponsors do not use hit statistics data to correlate it with anonymous posters and thereby determine or attempt to determine thier identity is a website that I would avoid using. In the worlds of politics, leaks, trial-baloons, rumor, inuendo, insinuations, etc. are common and make for entertaining reading for those who enjoy it. But in the world of commerce, the wrong blip in the wrong place can lead to lawsuits, prosecution (by, for example, the Securities and Exhange Commission), and other personal information, identity, etc., to fall into hands that I would hope smart people might think about before they make posts. I have the feeling that a simple post to a newsgroup through a remailer would be safer that an anonymous post to the Rumor Mill. At least, I would get into the configuration dialog boxes on your web browser and leave "your name" and "your email address" blank, or put in a dummy name. But then, you can figure out that this is a way to also send forged mail (there was a "fake mail" website about a year or two ago, but the sysops eventually shut it down). There is in fact a website out there that says it can be used for anonymous web browsing (and I expect at some time in the future that they will start charging for its use [think for a minute why these would exist and it will be obvious]), but where I have that little snit of paper is burried on my desk with mountains of uncolated paperwork (sorry). What dothey say about "buyer beware?" Caveat emptor? Eh? Art Sowers ======= On 29 Aug 1996, Linda St. James wrote:

Do you want to have a little fun and perhaps learn something about the current state of the biotechnology industry?

Have you a particular company you've been interested in that you'd like more information on -- but the "inside scoop" seems better than an official company profile?

IF SO ---

Please take a look at Dr. Martin Leach's BIOTECH RUMOR MILL, one of the most fascinating sites on the WWW for the biotechnologist.

In this site, Martin goes to great lengths to have an "all in one location" center for biotechnology news. Whether it is the daily reports from PR Newswire, or his reader surveys, you are bound to find something of interest. But, to prove that the internet imitates real life, some of the most interesting tidbits are pure rumor.

In this site, you and your colleagues have an opportunity to post information in a completely anonymous fashion. Some of the biggest news in the biotechnology business comes out of the "Rumor Mill" before it hits the trade journals, or even the Wall Street Journal! Of course, you have to remember that in any forum where anyone can post anonymously, there is a certain amount of frivolity as well. But what fun!

Search Masters International, an industry-leading search firm specializing in Biotechnology, Pharmaceuticals, and Medical Device industries, is now a sponsor of this site along with Research Diagnostics.

Take a look at your earliest convenience:

The Biotech Rumor Mill is at: http://www.tradesmart.com/rumor

The Search Masters International home page is at: http://smi.bio.com/

Best regards,

Linda St. James, Office Manager Search Masters International Five Hundred Foothills South, Suite #2 Sedona, AZ 86336 (520) 282-3553 Phone or (520) 282-5881 Fax email to lindasj@sedona.net

Path: !howland.erols.net!news2.digex.net!access5.digex.net!arthures From: "Arthur E. Sowers" <arthures@access.digex.net> Newsgroups: sci.research.careers Subject: Re: Review and Warning about the "Biotech Rumor Mill" Date: Tue, 3 Sep 1996 13:59:21 -0400 Organization: Express Access Online Communications, USA Lines: 89 Message-ID: <Pine.SUN.3.94.960903133225.2947A-100000@access5.digex.net> References: <lindasj-2908961456130001@client9.sedona.net> <Pine.SUN.3.94.960902214715.17927F-100000@access1.digex.net> <davej-0309960723220001@client12.sedona.net> NNTP-Posting-Host: access5.digex.net Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Sender: arthures@access5.digex.net In-Reply-To: <davej-0309960723220001@client12.sedona.net> On 3 Sep 1996, Dave Jensen wrote:

In article <Pine.SUN.3.94.960902214715.17927F-100000@access1.digex.net>, "Arthur E. Sowers" <arthures@access.digex.net> wrote:

"Nice" of you to delete ALL of my post instead of dealing with the specific issues, or CONSIDERING that I might have some valid points.

Art you have gone off the deep end.

Yes, let's now add web site reviews and critiques to your mix of strange posts. Personally, I think you miss the whole point of Martin's rumor mill site, and it is obvious that you didn't read the webmaster's introduction of how he handles anonymity.

I returned to that website a few minutes ago to look over "how he handles anonymity" and nothing in what he said negates the possibility that he (and, by extension, can share "inteligence" information about the source of the rumor and maybe even the identity of the poster). You can have him look at his web hit statistics and he will find my "visit" listed (or at least he should be able to find it, as I did not go to the site "cloaked"). As a matter of fact, the wording of the disclaimers (at .../rumor/post.html) is that "All correspondees identities will be kept confidential." which says to me that he (and you?) may "keep" them confidential (i.e. you may know them, even though you may not broadcast them all over the net, and that may give you some valuable insight into who says what and when). He says at another point "..., an email is sent directly to me and a message is appended to the Rumor Mill." As far as I am concerned, if you go over to the anonymous newsgroups and read about privacy (and get the help file from Julf Helsigius' anon remailer) ANY sysop can read any mail that comes through a sysop's site. And, if I were in a private business, I would see the temptation to "use" that information being just as strong as governments all over the world justify having their own CIAs, NSAs, KGBs, etc., and just as strong as many corporations have their own "intelligence" activities, reverse engineering departments, and private security and investigation units. If you go to any good sized public library and look up under industrial espionage and spying, you will get many books on this. You can try to pull the wool over most of the eyes around here, but it ain't gonna work with me. You would also be advised to work with Martin to rephrase some of his language. He says at another point in a page that "This site is for entertainment purposes only." Hell, thats crap. If I go looking for such gossip and rumors, its because it deals with something that impacts on my life, my job, my career and it better be good poop! Besides, on the esthetics, virtually every (EVERY) post that I clicked on had this overly obvious "Proudly Sponsored by -- SMI" box plastered right on the top. Then right under it is the RDI box. Man, can't you guys show a little "class" and just have this showing just once on the home page and cut out all the repetition? It turns me off. And, you should have thanked me for NOT mentioning all the posts that are now archived that reported problems hitting your SMI site (I didn't read more than one or two of them).

Stick to what you know, Art, which appears to me to be academic career tracks. No one has ever disputed your commentary in that area. But, like the restaurant reviewer who thinks he now knows enough about entertainment to review opera, you have gone over the edge and into territory better left for those who, like Dr. Martin Leach, really know how to provide value on the WWW.

Your opinion, as usual. But for the rest of you out there, think twice about posting an "anonymous" message to a web site. I've been on the other end of them, and I know that people sit around trying to figure out as much as possible about who its from if they don't get an email identity. Or... how, Dave, would you like it if I tried to go in and put a warning to visitors to that site? Would you and or Martin "censor" my post? After all, at another place on the website is the statement that "I am not responsible for the accuracy of this information although I try to confirm where possible." I know that many "service providers" openly state that they reserve the right to decline or terminate service to any subscriber for any reason at any time. Martin could be in a little "free speech" trouble and you and he might get together (since you are sponsoring, too, and therefore "calling the tune") and talk about this. I should send you a bill for consulting time on this, actually.

Dave

Art Sowers Path: !howland.erols.net!news2.digex.net!access2.digex.net!arthures From: "Arthur E. Sowers" <arthures@access.digex.net> Newsgroups: sci.research.careers Subject: Re: Review and Warning about the "Biotech Rumor Mill" Date: Wed, 4 Sep 1996 22:03:34 -0400 Organization: Express Access Online Communications, USA Lines: 118 Message-ID: <Pine.SUN.3.94.960904214345.20399A-100000@access2.digex.net> References: <lindasj-2908961456130001@client9.sedona.net> <Pine.SUN.3.94.960902214715.17927F-100000@access1.digex.net> <50i2rr$t6i@news.bu.edu> <Pine.PMDF.3.91.960904173108.88691A-100000@BIOMED.MED.YALE.EDU> NNTP-Posting-Host: access2.digex.net Mime-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Sender: arthures@access2.digex.net In-Reply-To: <Pine.PMDF.3.91.960904173108.88691A-100000@BIOMED.MED.YALE.EDU> On Wed, 4 Sep 1996 mmartin@BIOMED.MED.YALE.EDU wrote:

About the Biotech Rumor Mill - I think it is a very cool idea. Really, I do. I have some doubts about the duplicity of the statement *for entertainment purposes only* but I can live with it. (It just sounds a bit too much like those ads on late-night TV for psychics; most of the ad is full of testamonials about how the service accurately predicted things and how it helps people by predicting events but if you look closely there is a small disclaimer that says *for entertainment purposes only*. Yeah, right. But Martin Leach isn't charging for access, so I can live with it.)

On 3 Sep 1996, Martin Leach wrote:

...

Hi Arthur,

I read your initial comments to Dr. Jensen and feel that are being a little paranoid.

To each his own. <insert tongue in cheek> Just because you are paranoid doesn't mean they aren't out to get you (or so the saying goes). ha, ha.

...

Information can be readily collected by any adept webmaster that wishes to.....so your comments are applicable to EVERY web site.

Can't argue with that. But, of course, that isn't the point. The point is that your site (unlike the vast majority of sites) claims to protect anonymity. If you claim to protect anonymity, then your site should be held to different standards.

...

Just because somebody clicks 'submit' on a form e.g. posting form on my site it does not send any extra information that cannot be gathered any other nefarious way.

I don't think Art was suggesting anything of the sort (Art, feel free to correct me if I'm wrong). I think he was just pointing out that it is possible to gather a lot of information about a poster - information that the poster may not be aware that he/she is giving. People (even scientists!) are generally unaware about how insecure electronic transmissions are and I think Art was just trying to raise the level of awareness.

Yep, that is what I had in mind. The anonymous posts may be anonymous to everyone else, but the "masters" at that site have it in their power to know where the post came from and who authored it and that could give them some interesting information to be privy to. Julf Helsingius who used to run the anon.penet remailer was a lot more honest about security and was very upfront about this in his "help" responder. But his site is off the air now. I could make lots of speculations but I won't. But everyone should beware of anything which is offered for "free" by business entities. Sometimes its a PR thing. Sometimes its genuine altruism. And sometimes its a pure scame. I won't openly estimate here how I would partition the fractions between those three possibilities. However, if I were running the "Rumor Mill" I would have a lot more extensive of a disclaimer and explanation (not only for PR but for legal purposes...I would not want to be a party in a lawsuit to "leaked" proprietary information... there is a fair bit of case law on this now).

The reason your site has become a lightning rod for security/privacy issues is that you claim to protect anonymity. This discussion could be about any website, but it only seems relevant when a website claims to protect anonymity. I don't think it was meant to suggest that you (or anyone who has priveleged access to the site) would actually abuse the contract of anonymity, but of course you can't warn people about potential abuse without it looking like you think it is likely that people will abuse priveleges. (hope that convoluted sentence makes sense)

I know what you mean, and if those guys are smart, they will think about this a little.

Anyway, if I had something that could get me fired, sued, or blackballed, I sure wouldn't want to trust someone's claim of anonymity - especially since that claim is probably not legally enforcable (i.e., I couldn't sue the webmaster for damages if s/he made my identity known).

Well, the anon.penet service got the local Finnish authorities (i.e. the heat) on their rear ends and that caused the whole service to terminate. The FBI, here, has been known to just go in and confiscate the hardware and software if they want to shut someone down for good cause. Suppose you were a company that didn't like something. Money and lawyers can lead to actions to stop something. I recall a year or two ago that one of the tobbacco companies didn't like the results of a researcher which got published and came out as anti-tobbacco. What did the company do? They used legal manuvering to force the researcher to turn over all of his notes, data, notebooks, manuscript drafts to the tobbacco company. How do you like them apples? By the way, this was reported in an issue of _Science_ back maybe 2 (?) years ago.

This is even more important if that someone is intimately tied to the industry about which I have information! I'd be much more likely to send it through an anonymous remailer (even though those are no longer secure).

I'd go for plain paper, handled with gloves that had not been touched on the outside by any of my pinkies, in an envelope, addressed and stamped (without licking), to the Wash Post, NY Times, and FBI, if I had something to blow the whistle about. You know, like in the spy novels written by ex-spooks.

Call me paranoid, if you will. But I sure as heck won't go walking in downtown at night with $20 bills taped all over me - I'd just be asking to get robbed, wouldn't I? I don't see that this is any different (except in degree, perhaps).

Right-on!

Margaret A. Martin

Yale University mmartin@biomed.med.yale.edu

Art Sowers Path: !magnus.acs.ohio-state.edu!lerc.nasa.gov!purdue!news.bu.edu!darwin!leach From: leach@darwin (Martin Leach) Newsgroups: sci.research.careers Subject: Re: Review and Warning about the "Biotech Rumor Mill" Date: 3 Sep 1996 20:02:03 GMT Organization: Boston University Lines: 163 Message-ID: <50i2rr$t6i@news.bu.edu> References: <lindasj-2908961456130001@client9.sedona.net> <Pine.SUN.3.94.960902214715.17927F-100000@access1.digex.net> NNTP-Posting-Host: darwin.bu.edu X-Newsreader: TIN [version 1.2 PL2] Hi Arthur, I read your initial comments to Dr. Jensen and feel that are being a little paranoid. Information can be readily collected by any adept webmaster that wishes to.....so your comments are applicable to EVERY web site. Just because somebody clicks 'submit' on a form e.g. posting form on my site it does not send any extra information that cannot be gathered any other nefarious way. The only additional information they send is whatever they fill in the dialog boxes. an example of info-gathering that can be acheived by any webmaster can be found at: http://www.uiuc.edu/cgi-bin/info together with the web browser + privacy issue. The only information that I have the need to collect is the I.P. (internet protocol) address of the postee. The purpose of this being that I can prevent them posting to my site if they repeatedly post off-topic or abusive posts. In the past I have used this to prevent stock touting on my website and have banned whole sub-domains. (since the i.p. address may be general to the sw region of ATT or AOL). This is all mentioned on the top of the post page (http://www.tradesmart.com/rumor/post.html) that people have to scroll through to get to the posting section. Other information that is automatically collected (by the web server) is the domain name/I.P. address of the people visiting the web site. This allows me to see who (in a very general sense) access my web site. This information is freely available to anyone visiting my website...and I frequently advertise this fact. You can obtain your own copy of the traffic report at this web site by going to: http://www.tradesmart.com/cgi-bin/surfreport.html just fill in your email address and wait. The results will be emailed to you. You do not need to wait for the reply..since the stats processing takes time. good luck on your endeavours and feel free to post something on the Rumor Mill. Whether anonymous or pubicly. Martin Leach Webmaster of the Biotech Rumor Mill. Arthur E. Sowers (arthures@access.digex.net) wrote: : Folks, I decided to visit this web site and tell all of you a few things : you ought to keep in mind. : First, the review: Yes, the "Rumor Mill" is a sort-of web-site : "newsgroup". The majority of posts and responses that I saw (not counting : the archives) were by "anonymous" posters. A good many were not : particularly "hot" (such as "why is company 'X' stock dropping?" and some : inane comments). Some were cryptic (meaning to the average person, they : might be essentially meaningless). Most were very short (1-2 sentences). A : few posts did have some information that I downloaded for use later. One : or two mentioned lawsuits (patent infringement). : Second, the warning: The Rumor Mill lets you post anonymously (as far as I : could see, but I did not try it) but THAT DOES NOT MEAN THAT SOMEONE WILL : NOT KNOW WHO YOU ARE. I don't know how the Rumor Mill is operated, but I : do know that websites CAN be configured to capture information about : browser users who access that site! They can get a large amount of : information about you including your name, email address, all sorts of : information about your domain & ISP, etc. Your anonymous post may appear : to everyone else as anonymous, but the sysop (webmaster) at that site : should be presumed to be capable of determining who you are. I myself have : seen website "hit statistics" and believe me, it all shows up. You should : look in your Web Browser directory for the <cookies.txt> file and note : that some web sites that you visit will put short lines of data into your : file. You might try to change the attributes on that file to "read only" : and see what happens. Sometimes it will thwart the web site, sometimes it : will give you an error message. As a matter of fact, I did click on one : button and my netscape security window opened up to warn me that the : channel to that site was not secure. What else is related to this? There : are a number of anonymous remailers out in cyberspace, but it has been : stated by a knowledgeable source that a number of them are being operated : by law enforcement agencies (presumably to troll for criminal activity). A : website which allows rumors to be posted anonymously, especially involving : commercial business details (i.e. proprietary) but carries at least : no disclaimer that the sysop or sponsors do not use hit statistics data : to correlate it with anonymous posters and thereby determine or attempt to : determine thier identity is a website that I would avoid using. In the : worlds of politics, leaks, trial-baloons, rumor, inuendo, insinuations, : etc. are common and make for entertaining reading for those who enjoy it. : But in the world of commerce, the wrong blip in the wrong place can lead : to lawsuits, prosecution (by, for example, the Securities and Exhange : Commission), and other personal information, identity, etc., to fall into : hands that I would hope smart people might think about before they make : posts. I have the feeling that a simple post to a newsgroup through a : remailer would be safer that an anonymous post to the Rumor Mill. At : least, I would get into the configuration dialog boxes on your web browser : and leave "your name" and "your email address" blank, or put in a dummy : name. But then, you can figure out that this is a way to also send forged : mail (there was a "fake mail" website about a year or two ago, but the : sysops eventually shut it down). There is in fact a website out there that : says it can be used for anonymous web browsing (and I expect at some time : in the future that they will start charging for its use [think for a : minute why these would exist and it will be obvious]), but where I have : that little snit of paper is burried on my desk with mountains of : uncolated paperwork (sorry). : What dothey say about "buyer beware?" Caveat emptor? : Eh? : Art Sowers : ======= : On 29 Aug 1996, Linda St. James wrote: : > Do you want to have a little fun and perhaps learn something about the : > current state of the biotechnology industry? : > : > Have you a particular company you've been interested in that you'd like : > more information on -- but the "inside scoop" seems better than an : > official company profile? : > : > IF SO --- : > : > : > Please take a look at Dr. Martin Leach's BIOTECH RUMOR MILL, one of the : > most fascinating sites on the WWW for the biotechnologist. : > : > In this site, Martin goes to great lengths to have an "all in one : > location" center for biotechnology news. Whether it is the daily reports : > from PR Newswire, or his reader surveys, you are bound to find something : > of interest. But, to prove that the internet imitates real life, some of : > the most interesting tidbits are pure rumor. : > : > In this site, you and your colleagues have an opportunity to post : > information in a completely anonymous fashion. Some of the biggest news in : > the biotechnology business comes out of the "Rumor Mill" before it hits : > the trade journals, or even the Wall Street Journal! Of course, you have : > to remember that in any forum where anyone can post anonymously, there is : > a certain amount of frivolity as well. But what fun! : > : > Search Masters International, an industry-leading search firm specializing : > in Biotechnology, Pharmaceuticals, and Medical Device industries, is now a : > sponsor of this site along with Research Diagnostics. : > : > Take a look at your earliest convenience: : > : > The Biotech Rumor Mill is at: http://www.tradesmart.com/rumor : > : > The Search Masters International home page is at: http://smi.bio.com/ : > : > Best regards, : > : > Linda St. James, Office Manager : > Search Masters International : > Five Hundred Foothills South, Suite #2 : > Sedona, AZ 86336 : > (520) 282-3553 Phone or (520) 282-5881 Fax : > email to lindasj@sedona.net : > : > --- Dr.Dimitri Vulis KOTM Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps