Anonymity Warning! ID stored in TAR files

L. Detweiler ld231782 at longs.lance.colostate.edu
Wed Aug 11 23:42:45 PDT 1993


From Risks 14.81 Aug 11 93

===cut=here===

From: olaf at bigred.ka.sub.org (Olaf Titz)
Subject: Surprise! contained in tar file

The RISK of trusting in software to save confidentiality has recently been
exposed in a German newsgroup. In a debate on whether DES is illegal in Germany
(it is not, by the way) someone posted a tarred, compressed, uuencoded archive
of DES code via an anonymizing service.  (No discussion on the topic of
anonymization, please.) Not only did he forget to delete the object code
before tarring (thus giving an indication of which kind of hardware he uses). The
next day someone else posted an explanation why this action was stupid, giving
the anonymous poster's full real name and address. He found it out because the
tar he used leaves user names (not only UIDs, which would suffice to restore
file permission settings) in the tar file. Of course, this fact is not
mentioned explicitly in the man page resp. info file (but the average user
wouldn't expect it in the first place...) where an explicit warning could be
considered appropriate.

Olaf Titz  -  olaf at bigred.ka.sub.org  -  s_titz at ira.uka.de
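
The owner-name field described in the message above, shown as an added example that is not part of the original post: it builds a ustar archive in memory, reads the user name straight out of the header bytes, and rewrites the archive with the owner fields blanked. The member name, the owner "jdoe"/"staff", the numeric ids and the helper function names are constructed for this illustration.

```python
import io
import tarfile

def build_sample_archive():
    """Constructed sample: one member whose header carries a made-up owner."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        data = b"int main(void) { return 0; }\n"
        info = tarfile.TarInfo("des/main.c")
        info.size = len(data)
        info.uid, info.gid = 1042, 100             # constructed values
        info.uname, info.gname = "jdoe", "staff"   # constructed values
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def raw_uname(archive):
    """ustar keeps the owner's login name as text at header bytes 265..296."""
    return archive[265:297].rstrip(b"\0")

def owner_fields(archive):
    """Return (name, uid, uname, gid, gname) for every member."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        return [(m.name, m.uid, m.uname, m.gid, m.gname) for m in tar]

def scrub_owners(archive):
    """Copy the archive, blanking owner names and zeroing the numeric ids."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as src, \
         tarfile.open(fileobj=out, mode="w", format=tarfile.USTAR_FORMAT) as dst:
        for m in src:
            payload = src.extractfile(m) if m.isfile() else None
            m.uid = m.gid = 0
            m.uname = m.gname = ""
            dst.addfile(m, payload)
    return out.getvalue()

if __name__ == "__main__":
    raw = build_sample_archive()
    print("uname bytes in header:", raw_uname(raw))
    print("before:", owner_fields(raw))
    print("after: ", owner_fields(scrub_owners(raw)))
```

GNU tar can apply the same override when the archive is created, with its --owner, --group and --numeric-owner options.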