1993-11-29 - RISKS DIGEST 15.27 (fwd)

Header Data

From: Anonymous <nowhere@bsu-cs.bsu.edu>
To: cypherpunks@toad.com
Message Hash: 10d7977a0028df800fef3a6ba4c44950132f739d424a11828561ac6f790df2c0
Message ID: <9311290054.AA15691@bsu-cs.bsu.edu>
Reply To: N/A
UTC Datetime: 1993-11-29 00:54:39 UTC
Raw Date: Sun, 28 Nov 93 16:54:39 PST

Raw message

From: Anonymous <nowhere@bsu-cs.bsu.edu>
Date: Sun, 28 Nov 93 16:54:39 PST
To: cypherpunks@toad.com
Subject: RISKS DIGEST 15.27 (fwd)
Message-ID: <9311290054.AA15691@bsu-cs.bsu.edu>
MIME-Version: 1.0
Content-Type: text/plain



Let's review:


Newsgroups: comp.risks
Subject: RISKS DIGEST 15.27
Date: 16 Nov 93 17:19:19 GMT
Reply-To: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Tuesday 17 November 1993  Volume 15 : Issue 27

         FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS 
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

  Contents:
Re: The Snakes of Medusa and Cyberspace (mathew, Alex Glockner, 
    Perry E. Metzger, Jamie Dinkelacker, Arthur Abraham, Peter Leppik,
    Brad Hicks, Neil McKellar, Leonard Mignerey, L. Detweiler)

 The RISKS Forum is a moderated digest discussing risks; comp.risks is its 
 USENET counterpart.  Undigestifiers are available throughout the Internet,
 but not from RISKS.  Contributions should be relevant, sound, in good taste,
 objective, cogent, coherent, concise, and nonrepetitious.  Diversity is
 welcome.  CONTRIBUTIONS to risks@csl.sri.com, with appropriate, substantive 
 "Subject:" line.  Others may be ignored!  Contributions will not be ACKed.  
 The load is too great.  **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS,
 especially .UUCP folks.  PLEASE SEND REQUESTS FOR SUBSCRIPTIONS, archive 
 problems, and other information to risks-request@csl.sri.com (not automated).
 BITNET users may subscribe via your favorite LISTSERV: "SUBSCRIBE RISKS".
 
 Vol i issue j, type "FTP CRVAX.SRI.COM<CR>login anonymous<CR>AnyNonNullPW<CR>
 CD RISKS:<CR>GET RISKS-i.j<CR>" (where i=1 to 15, j always TWO digits).  Vol i
 summaries in j=00; "dir risks-*.*<CR>" gives directory; "bye<CR>" logs out.
 The COLON in "CD RISKS:" is essential.  "CRVAX.SRI.COM" = "128.18.10.1".
 <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password.
 There are also alternative repositories, such as bitftp@pucc.Princeton.EDU .
 
  If you are interested in receiving RISKS via fax, please send E-mail to
  risks-fax@vortex.com, phone +1 (818) 225-2800, or fax +1 (818) 225-7203 for
  information regarding fax delivery.  PLEASE DO NOT USE THOSE NUMBERS FOR
  GENERAL RISKS COMMUNICATIONS; instead, as a last resort you may try phone
  PGN at +1 (415) 859-2375 if you cannot E-mail risks-request@CSL.SRI.COM .
 
 ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
 Relevant contributions may appear in the RISKS section of regular issues
 of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

----------------------------------------------------------------------

Date: 11 Nov 1993 12:13:34 -0000
From: mathew@mantis.co.uk (mathew)
Subject: Re: The Snakes of Medusa and Cyberspace (RISKS-15.25)

"L. Detweiler" <ld231782@longs.lance.colostate.edu> writes at length about the
evils of what he calls "pseudoanonymous posting".  I shall try to keep this
reply brief.  I am interested not only in the issue of pseudonymity, but in
the structure of Detweiler's allegations.  His posting appears to me to be an
artfully crafted conspiracy theory.

He begins by defining "pseudoanonymously":

>`Pseudoanonymously' -- the message identification is of a `fake' identity, a
>person that does not exist despite the implicit indications of the message
>(such as a signature with a realistic name, including a phone number, etc.)

He notes that pseudoanonymous postings are active deception, rather than
passive concealment of identity, and points out that he could set up a
pseudonymous account for the purpose of fooling people into thinking that the
pseudonym was a different person.  Pardon me, but what on earth does this have
to do with RISKS?  The practice of publishing under a pseudonym has been
common for centuries; ironically, Detweiler himself quotes "Shakespeare",
believed by many to be a pseudonym.

He does on to hypothesize that people might be less wary of pseudonymous
identities they don't recognize than they are of anonymous ones; he talks of
megalomaniacs stalking the net.  Well, if I see someone post to the net under
a name I don't recognize -- like (say) L.  Detweiler -- then I assign that
person (whom I don't know) exactly the same probability of being a
megalomaniac as I assign an anonymous user I don't know.  Perhaps even a
higher probability, as what megalomaniac would wish to remain *anonymous*?

Detweiler then points out that a user could post messages under a pseudonym,
complimenting himself.  Again, this is nothing new.  Authors have been known
to review their own books, written under pseudonyms; or to write letters to
newspapers criticizing themselves.

Detweiler claims that public use of pseudonyms is often "dishonest, immoral,
and unethical"; he demands that "others should be informed if it is
occurring".  Well, I hereby inform everyone that it is occurring, and has
occurred for centuries, and will carry on occurring.  It is not a new risk
brought in by technology.

Perhaps the problem is that people have got used to the Internet being
restricted to institutionalized settings, where user accounts are numbered,
and verified to be unique by some central authority.  As the Internet spreads
into the real world, so the real-world practice of pseudonymity will
inevitably spread into the Internet.  When everyone has a computer, everyone
can have a pseudonym; just as anyone with a pen and paper can develop a
real-world pseudonym.

Detweiler next moves on to consider the use of pseudonyms in private
communication.  This, again, is nothing new.  Look at the "Henry Root" letters
(or "The Lazlo Letters"), Victor Lewis-Smith's crank phone calls, or any of
thousands of similar examples.  He complains that digital signatures do not
solve the problem; unfortunately, he seems to be under the mistaken impression
that written signatures are better.  In fact, it is quite possible for a
person to have multiple handwritten signatures.

Then, he moves on to what he calls the "dangerous, insideous [sic], and
treacherous" uses of pseudonyms.  He gives an example of an anarchist
organization using pseudonyms to aid the destabilization of governments,
democracy, law enforcement, and so on.  Every good conspiracy must have a
secret enemy trying to destroy the world.  He speaks of carefully-guarded
mailing lists and secret societies, and explains that the anarchists could
send spoof communications to public addresses, magazines, and the like.

I hate to sound repetitive, but again, this threat is nothing new.  Look at
the spoof "LSD tattoo" announcements purporting to come from police officers,
or the pranks played against government departments.  Consider campaigners who
write multiple letters under pseudonyms to send to politicians.

Detweiler then goes even further, talking about "pseudospoofers" as using
"brainwashing and an illusion of peer pressure to manipulate unknowing
subscribers", with campaigns of "mental assault" to attack doubters.  Of
course, sinister mind-control techniques are a classic part of any conspiracy
theory.

Next comes the masterstroke.  He explains that the secret pseudospoofer cabal
would attack people like him by "disparaging, discouraging and discrediting
them publicly and privately as 'paranoid ranters' and 'conspiracy theorists'".
So now anyone who criticizes his position is instantly One Of Them, a venomous
snake who cannot be trusted, and further evidence of the Great Conspiracy.  He
suggests that they "might even be able to make a real-world pariah from
simulated ire and criticism directed at a single strong opponent, say, L.
Detweiler, from many simulated identities in cyberspace".  Thus, he hopes,
everyone who replies to RISKS criticizing his bizarre fears will become
another piece of evidence in his favour.

He finishes off by suggesting that the evil pseudospoofers might already be
infiltrating public mailing lists, discussion lists concerning email and
security software, network administrators' mailing lists, CERT, the DNS
databases, and so on.  He likens pseudospoofing to a virus infecting the
Internet.  Again, like most conspiracy theories, the picture painted is one of
an insidious threat which has already subverted our most cherished
institutions!

I'm sorry if this seems impolite, but the entire article seems to me to be 10%
misconceptions and 90% pure conspiracy theory.  (Oh no!  Mathew is One Of
Them!)  I find such things amusing, but I for one would appreciate it if this
sort of nonsense was kept out of RISKS in future.

mathew

------------------------------

Date: Thu, 11 Nov 93 14:37:22 EST
From: Alex Glockner <glockner@cosc.bsu.umd.edu>
Subject: Re: Pseudospoofing (RISKS-15.25)

While I should be grateful to L. Detweiler for reminding us of the possibility
of pseudospoofing on the Internet (sidenote: his anonymity FAQ makes for great
reading...), we should also remember that this is `just another' case of
network problems that have always existed `out there in the real world'.

The RTC (the US-sponsored agency that is responsible for selling off assets of
failed Savings and Loan institutions) recently sold a beachfront property to
the Audubon Society, a large US environmental group, which in cooperation with
a developer would create a preserve from the property.

Whoops.  Turns out it wasn't the environmental group -- officially, the
National Audubon Society incorporated in New York State -- but a group,
allegedly associated with the original failed developer, that chose to
register in another state with the name "Audubon Society".

If the allegation is correct, the developer saved a lot of money from the
original purchase price this way...

(My apologies for the lack of a citation; this appeared in the Washington Post
in October 1993) 

|> ...  These are related to the potential of waging a systematic campaign of
|> propaganda, disinformation, or brainwashing unleashed on an unsuspecting
|> public by a subversive organization.

In American politics, we call this `lobbying'.  Any number of groups are
misleadingly named and directed to achieve an agenda (*which* groups, of
course, depend on your own beliefs, so I won't try to name any).

The fact is that most (all?) states have rules that you can choose any name
(or more to the point, *names*) that you want as long as 1) the state cannot
prove that it is in the public interest to deny your name change or 2) you are
not intending to defraud anyone or escape legal obligations.  Stage names and
pen names are also long-established instances of this, also.

Pseudospoofing isn't anything new; it's just a new guise of something
thousands of years old...what's the first C program everybody writes?  "hello,
world"?  :-)

Alexander Glockner, Asst. Professor, Dept. of Computer Science, Bowie State 
University  Bowie MD 20715  (301) 464-6609   glockner@cosc.bsu.umd.edu

------------------------------

Date: Thu, 11 Nov 93 20:36:23 EST
From: pmetzger@lehman.com (Perry E. Metzger)
Subject: The Perils of Pseudospoofing (Detweiler, RISKS-15.25)

I was amused to see that the article contained an elaborate, and amusingly
paranoid, scenario, that describes, thinly veiled, the way that Mr. Detweiler
apparently thinks that the "Cypherpunks" mailing list operates.

"Cypherpunks" is an informal group of privacy and cryptography advocates --
the lists members include such varied individuals as Phil Zimmerman (the
author of PGP), Mike Godwin of EFF, John Gilmore, Phil Karn, a gentleman from
CPSR who's name I forget, and other fairly illustrious crusaders for privacy
and personal data security in the digital age.

Some members of the list are radical libertarians such as myself, who often
point out (with some glee) that cryptographic techniques, which are
essentially unstoppable because even high school students can now implement
extremely secure cipher systems, will likely ultimately eliminate the capacity
of the government and others to nose in where they do not belong.

With this introduction, I will explain what has happened: Mr. Detweiler has
apparently decided that many members of the group are in fact the same person
(posting under multiple identities) and that the entire mailing list is a
monstrous plot to undermine Truth, Justice, and The American Way.

The allegation that most of the mailing lists members are identical is bizarre
-- anyone is free to check for themselves that people like Tim May, Eric
Hughes, and others are real people. However, Mr. Detweiler became convinced
that because so many people disliked his rantings on the list that they all
had to, in fact, be the same person. I suppose the notion that more than one
person might disagree with him did not cross his mind. I am not a qualified
psychiatrist and do not pretend to be one, but I do know paranoid delusions
when I see them.

As an example:

>The CryptoAnarchists might even be able to make a real-world pariah from
>simulated ire and criticism directed at a single strong opponent, ...

I suppose it never occurred to Mr. Detweiler that he could simply look up
folks like Eric Hughes (whom I believe lives in Berkeley), Tim May (whom I
believe lives in Aptos, CA), and others, and verify that they exist and have
differing voices and the like.

However, people who are suffering from insane fantasies rarely bother
to listen if people tell them that they have insane fantasies.

The following paragraph speaks for itself:
>In fact, the CryptoAnarchists might even infiltrate sensitive internal mailing
>lists like those maintained by CERT (Computer Emergency Response Team). ...

Perry Metzger

------------------------------

Date: Thu, 11 Nov 1993 01:45:05 -0800
From: jamie@netcom.com (Jamie Dinkelacker)
Subject: Personal Singularity

In a recent Cypherpunk post, the venerated individual E.Hughes suggested
individuals make themselves known, and mention L.Detweiler's amorphous post to
.risks.  First, I'm honored to be mentioned along with May, Szabo, Finney,
Hughes, ... indeed, fine company these electrons keep!

Jamie Dinkelacker is in fact and in blood an independent individual, living in
Silicon Valley, who is finding profit from all the attention he's getting. He
goes so far as to post his phone number for people who would care to call and
offer consulting contracts for marketing management in the Bay Area.

More to the point: Jamie Dinkelacker is the only name I've used posting on the
net.

Does Detweiler truly exist as an individual? Can anyone attest to his
existence as separate from S.Boxx, Jim Riverman, David Sternlight? Who'll take
a stand on his behalf?

Jamie Dinkelacker   Palo Alto CA   Jamie@netcom.com    415.941.4782 

------------------------------

Date: Thu, 11 Nov 93 15:14:39 -0800
From: a2@ah.com (Arthur Abraham)
Subject: "L. Detweiler"'s single personality problem 

I would like to attest from personal knowledge that the following 
personalities each emanate from a separate flesh and blood person:

  G.Broiles, A.Chandler, J.Dinkelacker, H.Finney, E.Hughes, M.Landry,
  T.C.May, N.Szabo

I myself emanate from yet another flesh and blood person.

I have communicated with "L. Detweiler" in the past, and have frequently been
amazed by his postings.  His/her decline in the past month or two has been
somewhat disturbing.  It seems to illustrate how it is occasionally possible
for strongly held positions, that seem to rely on an slightly unbalanced view
of the world, to actually originate in unbalanced minds.

------------------------------

Date: 15 Nov 1993 20:27:55 GMT
From: leppik@uxa.cso.uiuc.edu (leppik peter)
Subject: Re: pseudospoofing (RISKS-15.25)

IMHO, I fail to see the real "risk" in pseudospoofing.  Keep in mind that such
famous people as Mark Twain and Marilyn Monroe never actually existed (they
were "pseudospoofed," as it were, by Samuel Clemens, and Norma Jean,
respectively).

The only possible risk that exists is if people lose their perspective, and
forget the distinction between the network and the real world.  Beyond that,
the use of realistic-sounding nom-de-plumes for various reasons is a long and
time-honored tradition.  I see no reason why it should stop merely because the
medium has become modulated electric fields, rather than ink and paper.

(Did William Shakespeare really exist?  Some people with nothing better
to do still argue about this question....)

	 Peter Leppik--  p-leppi@uiuc.edu

If people have a hard time understanding General Relativity, what makes us
think computers will do any better?

------------------------------

Date: 15 Nov 93 21:11:08 GMT
From: mc/G=Brad/S=Hicks/OU1=0205925@mhs.attmail.com
Subject: Re: Snakes of Medusa and Cyberspace (RISKS-15.25)
 
"If your best friend jumped off of a cliff, would you?
 Did your mother ask you this?
 Every four years, lemmings jump off of cliffs.
 There are no five-year-old lemmings ... unless they've
   learned to think for themselves."
     - recent TV ad for radio KPNT 105.7 FM, St. Genevieve/St. Louis, MO
 
OK, by now everybody knows that the lemmings story is a fake, but it's still a
potent metaphor, and a relevant one to any discussion of what Mr.  L.
Deitweiler has termed "pseudospoofing."  (Does Mr. Deitweiler exist? In my
experience, most real people have first names.)
 
For those of you who've just subscribed, "pseudospoofing" is the use of
"spoofed" SMTP mail connections, multiple anonymous mail servers, or other
techniques to enable one person to send e-mail messages appearing to be from
multiple people.
 
And if you missed Mr. Deitweiler's previous jeremiads, you might not know that
this idea scares the water out of him.  For example, consider this paragraph
from the introduction to his latest lengthy posting on the subject, this one
on RISKS Forum Digest, volume 15 issue 25, 10 Nov 1993:
 
 > ... These are related to the potential of waging a systematic campaign
 > of propaganda, disinformation, or brainwashing unleashed on an 
 > unsuspecting public by a subversive organization.
 
Propaganda?  I'll answer to that charge myself; I write propaganda for a small
not-for-profit educational organization ... if you'll allow me to define
propaganda as anything intended to influence people's opinions.  (When I do
it, it's a forceful essay.  When you do it, it's called spin doctoring.  When
somebody we both think is "evil" does it, it's called propaganda.)
 
But the warnings of disinformation and brainwashing are something else
altogether.  Not for nothing did David Brin in his novel _Earth_ refer to a
UseNet-like system as "the Net of a million lies."  All manner of lies have
appeared on the Net, from the US government's facile attempt to persuade us
that Clipper is a harmless alternative to existing systems and won't be
mandatory, to a recent (wonderfully funny) hoax having to do with modem taxes,
that fooled even net veterans like Pat Townson of Telecom Digest.
 
But does pseudospoofing make it easier to lie successfully via the Net?
 
If I post a message here that says that I've met J. R. "Bob" Dobbs, and he
really exists, will you believe me?  Of course not; you know that I don't live
in Dallas.  (weak grin) You also know, by now, that J. R. "Bob" Dobbs is a
myth built around a piece of 1950s clip art, and exists only in the same
mystical realm as Santa Claus, Lazarus Long, the Easter Bunny, the World-Wide
Satanic Conspiracy, John Galt, the Risen Lord Jesus Christ, the Tooth Fairy,
and Wise and Benevolent Government.  And you're not going to change your mind
on the existence or non-existence of any of these things just because I, or
anybody on the Net, told you otherwise.
 
Would you change your mind if ten people on the Net told you so?  A hundred?
A thousand?
 
Mr. Deitweiler has written that if I were to create (let us say) a hundred and
twenty three alternate (fake) net.identities, and each of them sent him mail
telling him that black was really white, that he would be in imminent danger
of dying at the next zebra crossing.  He calls this process "brainwashing."
 
To compare pseudospoofed argumentation to brainwashing is to show that you are
far, far too susceptible to peer pressure, and also to irresponsibly diminish
the seriousness of brainwashing.
 
As Wilson documented in Leary's _Neuropolitics_, there is a technology for
breaking down a person's resistance to ideas and lifestyles that are foreign
to them, and "re-imprinting" them with the ideas and values of a new group.
But among other things, it requires control of a person's physical
environment, food, movement, social environment, and all punishments and
rewards.  Not for nothing do cult leaders take their converts to remote
retreats, "deprogrammers" tie their captives to chairs in remote hotel rooms,
fundamentalist preachers preach "separation from the world," and the military
isolate recruits from all outside contact, control their every waking moment,
and bully them mercilessly during the early weeks of boot camp.
 
But you cannot exert that kind of control over anyone's life or body or mind
via the Net.  All you can do is create fake peer pressure.  And if you're that
susceptible to peer pressure, Gods' pity on you.  You need to learn to judge
arguments by their quality, not by the number of people who say that they
agree with them.
 
Does pseudospoofing have dire implications for democracy?
 
Well, no, because in the political context, pseudospoofing isn't that
different from what interest groups do now.  Do you really think that, for
example, everybody who joins the AARP to get the club discounts agrees with
everything that organization's lobbyists tell Congress?  I doubt it, and any
Congressman with any sense doubts it, too.  What's more, with the rise of
800-number generated automatic telegrams, clipped coupons, and so forth, a new
term has entered American political discourse, the term "astroturf campaign"
-- that is, a fake grass roots campaign.
 
Sure, pseudospoofing provides another way to create a fake grass roots
campaign.  But will anybody be fooled?  No.  Congressional staff already look
for close similarities between supporting messages and inform their bosses of
them.
 
Somebody with enough determination could hand-write a thousand letters to
Congress trying to influence a piece of legislation, carefully varying each
one so that they look like they came from separate constituents.  Without
pseudospoofing, they would put them in separate envelopes and drop them in
mailboxes all over the city over a course of days.  With pseudospoofing, they
could write a program to batch them out to anon mail servers or spoof them
into SMTP mailers over the course of many days.  But either way, the =real=
work would not be in the mailing process, but in the laborious task of
hand-writing a thousand entries while keeping them all different.  Who is
capable of such an effort?
 
Now, after thinking about the arguments above, if you are still terrified of
the possibilities of pseudospoofing, take this challenge: try to design a
system that allows anonymous email and anonymous transactions that =doesn't=
permit pseudospoofing.  Such a system, it seems to me, will have to have
=some= entity that knows which aliases go with which real.people, and such a
system is by definition not anonymous.
 
After a hundred-plus lines, I am not going to go into the arguments about
whether or not anonymity is itself a good or a bad thing.  Suffice it to
say that there are people, not involved in plotting the overthrow of
society or any of Mr. Deitweiler's other paranoid fancies, who believe
that anonymity is valuable.
 
All that I hope that I hope to accomplish with this message is to persuade you
of is that there is little basis for fear that "the treacherous and toxic
effects of pseudospoofing" will lead to "brainwashing" or "general
destabilization of governments, democracy, laws, and law enforcement."
 
 J. Brad Hicks     Internet: mc!Brad_Hicks@mhs.attmail.com
 X.400: c=US admd=ATTMail prmd=MasterCard sn=Hicks gn=Brad

------------------------------

Date: 	Mon, 15 Nov 1993 15:22:51 -0700
From: Neil McKellar <mckellar@cs.ualberta.ca>
Subject: Conspiracy 101? (Detweiler, RISKS-15.27)

In his article, " The Snakes of Medusa and Cyberspace: Internet identity
subversion", L. Detweiler outlines a variety of methods by which
'pseudospoofing' can be used to influence public opinion and research (at
least on the Internet).  Having read a fair share of spy fiction in my time,
none of these methods comes as a surprise to me.  :-) And all these methods
can be used AGAINST the conspirators in his scenario.

Perhaps it's time to pull out my copy of "Schroedinger's Cat" by
Robert Anton Wilson, and bone up on conspiracy theory.  :-)

Neil McKellar (mckellar@cs.ualberta.ca)

"Just because you aren't paranoid, doesn't mean they aren't out to get you."

------------------------------

Date: Thu, 11 Nov 1993 14:39:20 -0500 (EST)
From: Leonard Mignerey <MIGNEREY@cua.edu>
Subject: Re: Snakes of Medusa and Cyberspace...

    I fail to see the difference between electronic pseudospoofing and print 
media pen names. It to me that all of Mr. Detweilers arguments
hold for that scenario as well.  The problem is not in pseudospoofing as much
as in an individual relying on a single medium as a source of information.
Certainly in the "War of the Worlds" incident, Orsen Wells pseudospoofed a
number of people into believing that the Martians and actually landed.  This
unhappy group of individuals relied solely on their radios (and a single
channel at that) for their information.  
    If we are to dive so deeply into cyberspace that it becomes the total
extent of our research on important issues, then I think the problem is not in
the pseudospoofers but in the pseudospoofed.

Leonard J. Mignerey, The Catholic University of America, Washington, DC 20064
Director, Management Information Systems           INTERNET: mignerey@cua.edu

------------------------------

Date: Sun, 14 Nov 93 19:57:16 -0700
From: "L. Detweiler" <ld231782@longs.lance.colostate.edu>
Subject: Pseudospoofing (ld, RISKS-15.25)

Many people have emailed me to say that they are skeptical of my scenario
about the Internet CryptoAnarchist pseudospoofing conspiracy published in
RISKS-15.25. The scenario was built painstakingly from hundreds of messages I
have reviewed on the subject over many weeks. I would like to present some of
the more interesting pieces of `evidence' (but withhold the more substantial
pieces) that there is at least, in one quarter of the Internet, a very strong,
systematic, and dedicated attempt to pseudospoof, and a very concerted effort,
possibly, to cover it up and viciously attack those who seek to expose it.

My informal poll of pseudospoofing posted to the cypherpunks mailing list and
talk.politics.crypto was unanswered by top Cypherpunk leadership, and many
poll responses were very evasive, and several in the form `yeah, I have done
it' with little additional information. The Cypherpunk mailing list and my
private mail were my greatest source of inspirations for `Medusa's Snakes in
Cyberspace'. For example, three prominent cypherpunks have suggested to me
that there is a secret mailing list for `project development' free of
`paranoid ranters'. I asked a cyperpunk leader about the existence of the
list, and he said that `your question does not allow anything other than an
incriminating answer.'

* * *

Here is a paragraph from a posting on the Cypherpunks list on Oct. 18 1993:

``In my limited experience creating Internet pseudonyms, I've been quite
distracted by the continual need to avoid leaving pointers to my True Name
lying around -- excess mail to/from my True Name, shared files, common
peculiarities (e.g. misspellings in written text), traceable logins, etc.  The
penet.fi site explicitly maintains a list of pointers to the original address.
All kinds of security controls -- crypto, access, information, inference --
have to be continually on my mind when using pseudonymous accounts. The
hazards are everywhere. With our current tools it's practically impossible to
maintain an active pseudonym for a long period of time against a sufficiently
determined opponent, and quite a hassle to maintain even a modicum of decent
security. Pointers to info and/or tools to enable the establishment and
maintenance of a net.nym, beyond the standard cypherpunks PGP/remailer fare
with which I'm now familiar, greatly appreciated. Especially nice would be a
list of commercial net providers that allow pseudonymous accounts''.

This paragraph contains an astounding amount of data on the possibility of a
highly refined, intense, extended, insidious, global, and systematic
pseudospoofing effort. Some of the details it suggests, in particular:

1) Based on the context that surrounded this excerpt and the message, the
author is intentionally conflating `pseudonymity' (identification of the
message implicitly indicates, `this is a pseudonym', such as origination from
anon.penet.fi) with `pseudoanonymity' (the deception that `I am a real
person'). This is a classic cypherpunk tactic. I have hundreds of subtle
variations of this obfuscation in my collection.

2) The author starts with `in my limited experience in creating'... but
clearly the author has *extensive* experience with meticulous practice and
knowledge that rivals that of the most literate RISKS postings on the subject
(for example, the anon.penet.fi site, the possibility of style analysis for
identification, etc.)

3) The author clearly has an obsession to completely dissociating all
traceability to his actual identity and a virtually fanatical aversion to
`pointers to my True Name lying around'.  This includes extensive
considerations for deleting mail, detecting shared files on a filesystem, and
`common peculiarities' like consistent misspellings.

4) The author refers to his efforts at deception as `security controls' and
categorizes them in general categories of `crypto, access, information,
inference' -- clearly he has dedicated an extreme amount of systematic
thinking and effort to the `project' of pseudospoofing.  He laments, sounding
somewhat like an NSA administrator, that it's `quite a hassle to maintain even
a modicum of decent security'.

5) There is an identifiable tone of paranoia in the message that most rational
humans would not associate with casual anonymity. `The hazards are
everywhere'. The author laments, `It's practically impossible to maintain an
active pseudonym for a long period of time against a sufficiently determined
opponent'.

6) The objective characterization of a `sufficiently determined opponent'
indicates the author considers attempts to trace the pseudoanonymity by what I
have been calling `demon exorcists' is an inevitable inconvenience that must
be addressed. The author clearly considers it a routine hazard and has
encountered and evaded it before.  He considers his routine deceptions
something like a game strategy.

7) Despite already obviously being an unsurpassed expert, the author requests
`pointers to info and/or tools to enable the establishment and maintenance of
a [`pseudoanonym'], beyond the standard cypherpunks PGP/remailer far with
which I'm now familiar, greatly appreciated.'  This may also disguise an
attempt to appear to be unsophisticated or determine what extent other
`octopuses' are existent in Cyberspace.

8) The author asks for a `list of commercial net providers that allow
[pseudoanonymous] accounts' without regard to *geography* whatsoever,
suggesting that it is no constraint. That is, the author may have no problem
with accounts spread very wide geographically. This is in stark contrast to
the standard request, `does anyone know a site in [x] area?' to avoid long
distance charges.

Clearly, the author has an *obsession* with maintaining *multiple*
`pseudoanonyms', possibly over a very *widespread* geographical area, has a
paranoia over exposure of one of his `tentacles' but also has conceived and
probably practiced countermeasures, and spends a great deal of time polishing
his techniques and arsenal. The author is not interested in casual anonymity
as a hobby. He is interested in systematic pseudospoofing, virtually as a
*profession*. He may even be spreading *disinformation* about his own
practices and the extent of his own knowledge. The author continues:

``Another big problem I see with [pseudoanonymous] reputations is entry. If
most people are blocking posts from new pseudonyms, how does one get a new
reputation established? I've had several years to establish a net.reputation
for [...], and it might take a long time for any of my [pseudoanonyms] to
catch up. Altruistic sponsorship requires trusted friends knowing the True
Name, but that public sponsorship itself provides important clues to that
Name.''

This paragraph further promotes pseudospoofing, now suggesting its use in
reputable forums:

1) Again, the author alludes to his arsenal of multiple pseudoanonyms, and
expresses regret that it will take *a long time* of concerted pseudospoofing
for before his other pseudoanonyms may `catch up'.

2) The author appears to be attempting to subvert mechanisms that bar
pseudoanonymous identities, trampling on their right to do so in his obsessive
promotion of the `reputation' associated with his various name tags.

3) From the context of the message, and the references to `sponsorship by a
true name', the author appears to actually be alluding to *identity databases*
and ways of infiltrating them with pseudoanonyms.  He laments that this
`public sponsorship itself provides important clues pointing to that name.'
This could be interpreted as a deliberate attempt at deception and corruption
of a `True Name' database by conspiracy, and the `clues' that would `point' to
a perpetrator of the crime.

Actually, because of the blurring of identities and misinformation this author
promotes, I think that this paragraph may potentially be another
disinformation stab -- the apparent owner of the message may be *itself* a
pseudoanonymous identity, *itself* built up over `several years'! (The author
posts from the site netcom.com, a site that is notorious for requiring
essentially no proof of identity to receive an Internet account.)

The author continues with classic cypherpunk dogma that blurs pseudonymous and
anonymous identities with pseudoanonymity (`pure anonymity'), and vilifies
those who feel `threatened' by the latter:

``I hope that we stick to experimenting with pure anonymity in many venues. I
suggest we'll find out that purely anonymous vposts are not so bad, overall.
[...] Pure anonymity is a strange, threatening, fascinating beast in our
panoptic social-welfare world. Even those of us at the forefront of
harnessing this monster shrink back in fear when it whinnies. [...]''

Now, superimpose the `Medusa's Snake's and Cyberspace' essay in your mind as
you read the following:

``Pure anonymity provides a voice for a wide variety of new kinds of
expression that up until now have been suppressed. [...] I hope we continue
experimenting with pure anonymity for a while longer [...].  Some of what
comes out might look very strange, something like tapping into previously
concealed areas of our social psyche. I suspect the result will be a more
honest dialog, a more productive conversation freed from posturing and,
ironically, from the concealment of threatening truth. I hope we will observe
with Zen patience and allow this quite interesting experiment to continue.''

* * *

Since the above posting was to a public list, I will reveal the author of the
message I have been dissecting. He is the same person who took my short
comment at the end of the `Medusa's Snakes & Cyberspace' essay as an
*accusation* that some pseudanonyms may be listed. He writes in RISKS-15.26:

>I'd like to assure the readers of RISKS that I am in fact a unique person,
>distinct from the other names L. Detweiler listed.  Of the people on his list
>I know from personal contact, all are distinct people in Real Life(tm).  Well
>before his post to RISKS, L. Detweiler was provided means of personally
>verifying that many of the names he listed are distinct True Names (eg phone
>numbers he can call), but it doesn't seem to help.

Let's dissect these statements with an eye to rigor. `I am in fact a unique
person [...]'  means nothing in the question of pseudanonymity -- Medusa may
have one of her Snakes claim that `I am a unique person' without lying.

Next, `Of the people on his list I know from personal contact, all are
distinct people in Real Life(tm)'. But this can be taken to mean only that
more than one person is represented by a list of pseudoanonyms.  Note the
author is careful not to mention *which* people he knows from personal
contact. That, after all, might reveal `important clues pointing to that
Name'!

Also, there is a problem that members of a `cult of pseudospoofers', who
subscribe to the `pseudoreligion of pseudoanonymity', as this person
apparently does, may twist language to the point of actually maintaining that
different pseudoanonymous identities *are* different `people', even when typed
in at a keyboard by the same individual! This would not be unlike a fanatic
religious sect maintaining that acts of `terrorism' are actually `holy
liberation' when commited in the name of God!

The author says he is `distinct from the other names L. Detweiler listed.' But
again, this is not a guarantee of uniqueness of flesh! The use of the word
`name' instead of `people' is quite suspicious in our context! The whole
*issue* is that beyond the uniqueness of mere ASCII `names'!

The person goes on to state that `Well before his post to RISKS, L.  Detweiler
was provided means of personally verifying that many of the names he listed
are distinct True Names (eg phone numbers he can call) but it doesn't seem to
help.'

The people I listed are separated by vast geography in their posting sites,
with a concentration in California. Furthermore, I have been in private
correspondence with all of them over many weeks, and I am unsure of what
specifically Mr. Szabo is referring to as my opportunity to verify that `many
of the names' are `distinct True Names'. I have never before posted a list of
this set of names before! The lack of specific information is highly
suspicious in our context! Furthermore, in our context, the issue would not be
whether `some' real people are represented in the list, but whether *all*
names listed correspond to the legal identities of *unique* human beings! (A
complex and widespread pseudospoofing effort actively being orchestrated by
some, which very possibly spans many states, may not even be thwarted by the
necessity of establishing interstate telephone numbers!)

* * *

Finally, I have very strong tangential cues that the `Medusa's Snakes in
Cyberspace' essay is far more true than hypothetical. Over many weeks I have
encountered strong stonewalling, evasion, and counterattacks from some of the
most prominent cypherpunks in response to my specific allegations in email.
This included a mailbombing, a mailbombing threat, four letters to my site
postmaster, two from cypherpunk leaders, one referring to `your latest
paranoid descent into fantasy in RISKS', my `violent threats', without quoting
any of my statements in particular (I find the thought of a physical threat
abhorrent), and suggested `I have a strong feeling you are going to have a
very hard time getting a job in the computer industry' in part from the essay.
Another called my efforts against pseudospoofing a `a nonsensical, paranoid,
one-man jihad against cypherpunks'. Apparently because the lamentations and
supplications to my postmaster have largely been ignored, one cypherpunk
suggested that `I intend to go beyond your postmaster on the next try, to
various former classmates and old friends of mine who are computation center
employees, faculty, and administration members at CSU now.'

Incidentally, there is a strong overlap between the people perpetrating the
above activities and those I credited at the end of my essay.  Elsewhere, one
cypherpunk suggested that `I better start looking over my shoulder'. Another,
in what might be termed `psychopunk humor,' wrote `I'm going to come kill your
family with a rusty razor blade' (the latter broadcast on the entire mailing
list) and suggested it demonstrated my personal problems in being upset by
such a message.

These tactics are all quite shocking to me, and I am not sure how to respond
to these letters except to perceive them as outrageous and desperate attempts
to intimidate and censor me indirectly where other approaches have failed. I
warn others of the searing hostility they may encounter on the cypherpunks
list -- with philosophies promoted there that are increasingly blurred with
raw criminality -- and against any attempts to find an antidote to poisonous
pseudospoofing.

L. Detweiler

------------------------------

End of RISKS-FORUM Digest 15.27
************************






Thread