Faking hostnames and inconvenient anon IP
joshua geller <joshua@cae.retix.com>:
[on IRC]
Fraid not....it's a trivial matter to fake the username, and if yer a smart cookie, faking the hostname is just as easy.
as far as I know, you have to hack the server to fake hostname.
historically this practice has been frowned upon by the majority of IRC administrators.
Oh, there are other ways of faking hostnames, depending on your level of access to systems (your closest nameserver, for example). My point was that it's not quite as convenient to have anon IRC (or any other IP protocol) as it is to send anon mail through a remailer.

-------------------------------------------------------------------------------
Rishab Aiyer Ghosh    rishab@dxm.ernet.in
Voicemail +91 11 3760335; Vox/Fax/Data 6853410
H-34C Saket New Delhi 110017 INDIA
The National Short-Sleeved Shirt Association says:
Support your right to bare arms!
-------------------------------------------------------------------------------
> Oh, there are other ways of faking hostnames, depending on your level of access to systems (your closest nameserver, for example). My point was that it's not quite as convenient to have anon IRC (or any other IP protocol) as it is to send anon mail through a remailer.

In that case one of us (who owns a machine directly plugged into the net) should set up an anon server that doesn't check for user/host names, or better yet, provide a bouncing off point for anonymous telnet... Say something like you telnet to port 666 on toad.com, and then you're given an anonymous temporary id. At that point, you are prompted with a menu for what to do... telnet to another site, ftp into another site, call an IRC server from somewhere, etc. All the anon server would have to do is bounce packets... I think this idea came up before... an anon packet forwarding service of sorts...

If a user goes through several of these, s/he is granted pretty decent anonymity... Perhaps another play on this would work with encrypted packets? Where each user who dials into one of these packet bouncers talks to it via a PGP like RSA and key-exchange system.

All the IRC server will see is that someone named anon7 logged in from eminar.toad.com... Of course if the sysadmins who run irc's are true assholes, they'll blacklist the anons, but if there are enough anon packet bounces on the network, this will be pretty hard. They'll just have to recognize that the right of privacy is one that outweighs their desire to keep logs.

Granted anon packet bouncers can be used to throw junk mail or messages through irc's, but we could install a time delay in the anon forwarding software so that it can receive quickly, but only send slowly. (Slowly enough for one person to type to an IRC, but not for a script to send thousands of messages.) Granted, there are still other forms of abuse available, but if we could limit one we could still get somewhere and not have the IRC sysadmins bitch too hard....
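The "receive quickly, but only send slowly" throttle proposed in the message above, as an added example that is not part of the original thread or any poster's code. The class name, the 2-second send interval, the 5-line backlog and both sample arrival patterns are assumptions constructed for illustration.

```python
from collections import deque


class SlowSendQueue:
    """Accepts lines at any rate, releases at most one per interval_ms."""

    def __init__(self, interval_ms=2000, max_backlog=5):
        self.interval_ms = interval_ms   # assumed pace: one line every 2 s
        self.max_backlog = max_backlog   # assumed cap on queued lines
        self.pending = deque()
        self.next_send_ms = 0
        self.dropped = 0

    def receive(self, line):
        # Receiving is never delayed, but a full backlog sheds the excess.
        if len(self.pending) >= self.max_backlog:
            self.dropped += 1
            return False
        self.pending.append(line)
        return True

    def due(self, now_ms):
        # Release one line only once the send interval has elapsed.
        if self.pending and now_ms >= self.next_send_ms:
            self.next_send_ms = now_ms + self.interval_ms
            return self.pending.popleft()
        return None


def simulate(arrival_ms, run_ms, tick_ms=100):
    """Feed arrival timestamps through the queue; return (sent, dropped)."""
    queue = SlowSendQueue()
    arrivals = deque(sorted(arrival_ms))
    sent = 0
    for now in range(0, run_ms + 1, tick_ms):
        while arrivals and arrivals[0] <= now:
            queue.receive(f"line@{arrivals.popleft()}")
        if queue.due(now) is not None:
            sent += 1
    return sent, queue.dropped


# Constructed inputs: a person typing one line every 5 s for a minute,
# and a script pushing 1000 lines within the first second.
HUMAN = list(range(0, 60000, 5000))
SCRIPT = list(range(1000))

if __name__ == "__main__":
    print("human :", simulate(HUMAN, 60000))
    print("script:", simulate(SCRIPT, 60000))
```

The person's traffic passes untouched, while the flood is cut to the lines the backlog can hold; as the message says, this limits one form of abuse and leaves the others.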
> In that case one of us (who owns a machine directly plugged into the net) should set up an anon server that doesn't check for user/host names, or better yet, provide a bouncing off point for anonymous telnet... Say something like you telnet to port 666 on toad.com, and then you're given an anonymous temporary id. At that point, you are prompted with a menu for what to do... telnet to another site, ftp into another site, call an IRC server from somewhere, etc. All the anon server would have to do is bounce packets... I think this idea came up before... an anon packet forwarding service of sorts...
>
> If a user goes through several of these, s/he is granted pretty decent anonymity... Perhaps another play on this would work with encrypted packets? Where each user who dials into one of these packet bouncers talks to it via a PGP like RSA and key-exchange system.

There's something similar to this in ftp.germany.eu.net:/pub/networks it's called inet, or something similar. basically you set it up to run on a site, and depending on which port of said site you telnet to, it bounces packets to somewhere else. so, at ports 2000-2010 on toad.com, you have 11 different anon-irc servers, 2011 has something else, and so on. I'm sure that someone could hack up the source code to include anything you damn well want.

* * Mikolaj J. Habryn
dichro@tartarus.uwa.edu.au * "Life begins at '040."
PGP Public key available by finger * "Spaghetti code means job security!"
> In that case one of us (who owns a machine directly plugged into the net) should set up an anon server that doesn't check for user/host names, or better yet, provide a bouncing off point for anonymous telnet... Say something like you telnet to port 666 on toad.com, and then you're given
Well starting sometime this summer I'm going to start selling shell accounts, and I don't plan on spending much time verifying that there is a TrueName associated with any given account. All I will care is that I get my money and that the account isn't used to violate any security. I'll only have a 14.4 analog connection to the net at first but as time goes on I'll get a faster link. (As people pay me..) (If I get a report that the account has been abused, I probably just shut it off with no refund.. I'll develop a more specific policy when the time comes.) It's not exactly what you wanted, but it's privacy.
Sameer writes:
> Well starting sometime this summer I'm going to start selling shell accounts, and I don't plan on spending much time verifying that there is a TrueName associated with any given account.

Most (all?) private PO box places won't give out a box without a "real" US mail address and some form of ID. Is this due to legal requirements (direct or indirect)? If so, can we not look forward to such restrictions being placed on those who supply electronic PO boxes?

--
| GOOD TIME FOR MOVIE - GOING ||| Mike McNally <m5@tivoli.com>       |
| TAKE TWA TO CAIRO.          ||| Tivoli Systems, Austin, TX:        |
| (actual fortune cookie)     ||| "Like A Little Bit of Semi-Heaven" |
On Wed, 27 Apr 1994, Mike McNally wrote:
> Most (all?) private PO box places won't give out a box without a "real" US mail address and some form of ID. Is this due to legal requirements (direct or indirect)? If so, can we not look forward to such restrictions being placed on those who supply electronic PO boxes?

It is not a legal requirement. It is an administrative requirement of the USPS. They threaten to withhold delivery of mail addressed to people at mail receiving services for whom there is no form on file. In practice they don't enforce this requirement and as long as a mail receiving service files "enough" forms, all mail is delivered.

Even without a cooperating mail receiving service, it is trivial to open a box using "employment ID" printed up in Word for Windows. They don't check closely.

DCF

Privacy 101: Since anyone in the land of the free and the home of the brave can start a business or a school without permission, anyone can issue his own "employment ID" or "school ID." Kids - try this at home.
> If so, can we not look forward to such restrictions being placed on those who supply electronic PO boxes?

Evidently this _has_ been discussed. It came out at one of the CFP-94 sessions, that some telecomm and law group had considered this very issue. I'll call it what I did then, during the Q&A. Identity escrow.

Eric
participants (7): Duncan Frissell, hughes@ah.com, m5@vail.tivoli.com, Mikolaj Habryn, rarachel@prism.poly.edu, rishab@dxm.ernet.in, Sameer