From: "L. Detweiler" <ld231782@longs.lance.colostate.edu>
Date: Wed, 11 Aug 93 23:42:45 PDT
To: cypherpunks@toad.com
Subject: Anonymity Warning! ID stored in TAR files
Message-ID: <9308120640.AA05507@longs.lance.colostate.edu>
MIME-Version: 1.0
Content-Type: text/plain


From Risks 14.81 Aug 11 93

===cut=here===

From: olaf@bigred.ka.sub.org (Olaf Titz)
Subject: Surprise! contained in tar file

The RISK of trusting in software to save confidentiality has recently been
exposed in a German newsgroup. On a debate whether DES is illegal in Germany
(it is not, by the way) someone posted a tarred, compressed, uuencoded archive
of DES code via an anonymizing service.  (No discussion on the topic of
anonymization, please.) Not only that he forgot to delete the object code
before tarring (thus giving an indication which kind of hardware he uses). The
next day someone else posted an explanation why this action was stupid, giving
the anonymous poster's full real name and address. He found it out because the
tar he used leaves user names (not only UIDs, which would suffice to restore
file permission settings) in the tar file. Of course, this fact is not
mentioned explicitly in the man page rsp. info file (but the average user
wouldn't expect it in the first place...) where an explicit warning could be
considered appropriate.

Olaf Titz  -  olaf@bigred.ka.sub.org  -  s_titz@ira.uka.de