penet hack

Richard Johnson Richard.Johnson at Colorado.EDU
Sun Jul 31 11:02:23 PDT 1994


| I got a message from anon.penet.fi this morning:
| 
| > You have sent a message using the anonymous contact service.
...
| I have never sent any messages using the remailer.  So whoever
| is fiddling with the remailer is still doing it.  Is it a coincidence
| that I posted to this list for the first time a few days ago?

No coincidence.  For those that haven't figured it out yet, some less
than clueful individual has subscribed a penet pseudonymous id to
cypherpunks.  Again.  Then again, maybe it _was_ an intentional try
at 'out'ing posters to cypherpunks.  The perp will receive each post
twice, once with the 'real' header via their normal subscription, and
once with the 'anonymized' header via their penet subscription.

When a message from a mailing list arrives at penet, addressed to
a 'nym, penet anonymizes it and assigns a new 'nym for the address
in the From: line.  To me, this is obviously stupid when mailing
lists are involved, causing automatic 'out'ing of folks who didn't
know they were sending to a pseudonymous account.

Might it be better for penet to fix the problem by more intelligent
parsing on their end (using the Sender: line too?), rather than
forcing the rest of the world to patch around their little security
bug?

Such patches include not attaching signatures and real names to any
mailing list posts, making sure all your accounts have penet ids
protected by passwords, not signing posts using PGP or RIPEM, and
sending to lists only via anonymous remailers.  A whole lot of bother
for little gain...

Basically, this penet problem makes Julf's service less than useless
to anyone who wants their pseudonymous address to remain private.






More information about the cypherpunks-legacy mailing list