From: Karl Lui Barrus <klbarrus@owlnet.rice.edu>
Date: Fri, 22 Oct 93 15:43:00 PDT
To: cypherpunks@toad.com
Subject: ANON: revealing penet id
Message-ID: <9310222238.AA15930@flammulated.owlnet.rice.edu>
MIME-Version: 1.0
Content-Type: text/plain


Hm...

this topic seems to come up every few months - just today I was
reading the newest Risks digest and an32153 (or something like that)
was announcing the "risk" of using penet.  I mailed off a submission
describing how to avoid this.  I think people don't know about this
because it isn't published anywhere.  Or is it?

Maybe somebody could help Julf out and offer to write a new help file
that specifically mentions the an/na trick.  Last time I looked at the
penet help file, this wasn't mentioned.

It only takes a bit of work to avoid blowing your id - you just can't
hit 'r' and reply to the addressee; instead you must type in the
address manually (and be sure to type na#### instead of an####).  Last
week I responded to some email from a penet user.  I was careful to
respond to na####, or penet would have allocated me an id for
klbarrus@owlnet.rice.edu (since I don't have one for this account) and
thus someone would have been able to correlate my penet id and this
account.  As a matter of fact, I think that I revealed the penet id
for an old account of mine (elee9sf@menudo.uh.edu) this exact way,
although this was before the an/na functionality.

-- 
Karl L. Barrus: klbarrus@owlnet.rice.edu         
keyID: 5AD633 hash: D1 59 9D 48 72 E9 19 D5  3D F3 93 7E 81 B5 CC 32 

"One man's mnemonic is another man's cryptography" 
  - my compilers prof discussing file naming in public directories