From: Johan Helsingius <julf@penet.FI>
To: Hal <74076.1041@compuserve.com>
Message Hash: ba9b4a8bb76be799606b347d2613f01dad16565df992ea98c0bc8e0c79bb6899
Message ID: <9302230955.aa20252@penet.penet.FI>
Reply To: <930223074743_74076.1041_DHJ21-1@CompuServe.COM>
UTC Datetime: 1993-02-23 08:52:04 UTC
Raw Date: Tue, 23 Feb 93 00:52:04 PST
Subject: Re: anon.penet.fi hacking
> Well, I think I have deduced the identity of "Deadbeat" from his posting
> style. I don't think Julf should say who he is. This was an important
> demonstration of a weakness in the security of the remailers.

Definitely!

> The Penet remailer seems now to require a password for all messages; at
> least, I wasn't able to send to an5877@anon.penet.fi ("Deadbeat") without
> using my password. So chaining through Cypherpunks remailers to Penet would
> seem not to be possible now.

Unless you include your password in the message! Remember that
anon.penet.fi can pick up the X-Anon-To: and X-Anon-Password: lines from
the start of the message text - they don't have to be header fields.

> Unless Eli's suggestion works - having our remailers put out a random
> "From:" line (perhaps just on mail to Penet?) might cause Penet to issue a
> new pseudonym for that apparent new user. This would be kind of wasteful
> from Penet's perspective - all those pseudonyms are never going to be
> re-used. But it might allow this form of chaining, without compromising the
> pseudonym of the remailer operator.

The social implications are more important.

> Another possibility would be for there to be a command to Penet to allow
> users to send truly anonymous mail, mail which does not have a meaningful
> "From" line (and in particular which does not have the user's Penet
> pseudonym displayed as the "From" address). We could set our remailers to
> use that command for any mail sent to Penet. Mail sent with that command
> would not need a password. This would be an alternative way for users to
> deal with some of the other attacks, such as the one Deadbeat demonstrated.

I repeat: for general postings, we have to come up with a way to provide
anonymity while retaining a return path. Otherwise chaos ensues, just
look at the most blatant misuses of anon postings witnessed recently!

> P.S. - My, the list has sure been lively today. Looks like we beat
> Extropians again on volume!

Yeah... Haven't been able to get away from my machine to have my morning
shower yet (it's 10:30am in Finland).

Julf
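
The body-line pickup described in the reply above, sketched as an added example; it is not part of the original message and is not anon.penet.fi's code. The function name, the rule that a header field wins over a body line, the blank-line handling and the sample messages are assumptions.

```python
from email import message_from_string

DIRECTIVES = ("x-anon-to", "x-anon-password")

def extract_directives(raw):
    """Return (directives, body). Directives are read from the header
    fields and from the lines at the very start of the message text."""
    msg = message_from_string(raw)
    found = {}
    for name in DIRECTIVES:
        if msg[name] is not None:
            found[name] = msg[name].strip()
    payload = msg.get_payload()
    lines = payload.splitlines()
    i = 0
    while i < len(lines) and not lines[i].strip():
        i += 1                      # tolerate blank lines before directives
    start = i
    while i < len(lines):
        name, sep, value = lines[i].partition(":")
        key = name.strip().lower()
        if not sep or key not in DIRECTIVES:
            break                   # first ordinary line ends the directive block
        found.setdefault(key, value.strip())   # assumption: header field wins
        i += 1
    if i == start:
        return found, payload       # nothing consumed: body is left untouched
    if i < len(lines) and not lines[i].strip():
        i += 1                      # drop the blank separator line
    return found, "\n".join(lines[i:])

# Constructed sample: mail as it might leave a chaining remailer that kept
# none of the sender's header fields, so the directives travel in the text.
CHAINED = (
    "From: remailer@example.invalid\n"
    "To: anon@anon.penet.fi\n"
    "Subject: test\n"
    "\n"
    "X-Anon-To: an0000@anon.penet.fi\n"
    "X-Anon-Password: constructed-pw\n"
    "\n"
    "Hello.\n"
    "X-Anon-To: ignored@example.invalid\n"
)

if __name__ == "__main__":
    print(extract_directives(CHAINED))
```
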