From: jonathon <grafolog@netcom.com>
Date: Fri, 21 Jun 1996 06:21:49 +0800
To: cypherpunks@toad.com
Subject: Access Via Anonymous Re-Mailers (fwd)
Message-ID: <Pine.SUN.3.94.960620132244.17963B-100000@netcom17>
MIME-Version: 1.0
Content-Type: text/plain



---------- Forwarded message ----------
Date: Wed, 19 Jun 1996 13:38:29 -0400
From: Matthew Gaylor <freematt@coil.com>
To: Matthew Gaylor <freematt@coil.com>
Subject: Access Via Anonymous Re-Mailers

Harvard University, Kennedy School of Government Information Infrastructure
Project

Symposium on the Global Information Infrastructure: Information, Policy &
International Infrastructure Cambridge, MA, January 28-30, 1996

Risk-Free Access Into The Global Information Infrastructure Via Anonymous
Re-Mailers

by Paul A. Strassmann, US Military Academy, West Point; and Senior Advisor,
SAIC  and William Marlow, Senior Vice President, Science Applications
International Corporation (SAIC)

Quoted portions are excerpted from Raph Levien's Remailer List.

The Context

By far the greatest threat to the commercial, economic and political
viability of the Global Information Infrastructure will come from
information terrorists. Information terrorism has ceased to be an amateur
effort and has migrated into the hands of well organized, highly trained
expert professionals. Information terrorist attacks can be expected to
become a decisive element of any combined threat to the economic and social
integrity of the international community. Nations whose life-line becomes
increasingly dependent on information networks should realize that there is
no sanctuary from information-based assaults. Commercial organizations,
especially in telecommunications, finance, transportation and power
generation offer choice targets to massive disruption.

Information terrorism, as a particularly virulent form of information
warfare, is a unique phenomenon in the history of warfare and crime. For
the last two hundred years the theory of warfare has been guided by
"force-exchange" equations in which the outcome was determined by the rate
of attrition of each opposing force. In information attacks these equations
do not apply because the attacker remains hidden and cannot be retaliated
against.

Since biblical times, crimes have been deterred by the prospects of
punishment. For that, the criminal had to be apprehended. Yet information
crimes have the unique characteristic that apprehension is impossible,
since even identification of the criminal is not feasible. Information
crimes can be committed easily without leaving any telltale evidence such
as fingerprints, traces of poison or bullets.

Changes Introduced By Anonymous Re-Mailers

The introduction of Anonymous Re-mailers into the Internet has altered the
capacity to balance attack and counter-attack, or crime and punishment. The
widespread use and easy access to acquiring the capacity to launch
anonymous messages and software has so far not received adequate attention
from a policy and legal standpoint. This topic is sufficiently technical
that it has been largely avoided by experts who have so far concentrated on
debating social, legal, political and economic consequences of the Global
Information Infrastructure. Yet, unless there is a thorough understanding
of the technologies that make the Anonymous Re-mailers sources of a
pathological danger, there is little hope that effective preventive
measures and safeguards can be put in place.

In many respects, the avoidance of technical discussions about some of the
pathological aspects of the Internet remind me of the state of medical
diagnosis prior to the recognition that bacteriology, prophylactics and
inoculation can be only applied following the acceptance of rigorous,
analytic and experimental disciplines.

Our Agenda

The purpose of this paper is to bring to the attention of policy-makers
some of the relevant facts about Anonymous Re-mailers. All of the material
quoted here comes from public sources which are easily accessible to
anyone. The wide-spread current uses of Anonymous Re-mailers should be
sufficient warning that this topic cannot be considered any more as
something hidden, confidential or inappropriate for public discussion.

We find many similarities in the initial denials to the threats from AIDS
by the medical and public health establishment. We are dismayed by the
avoidance of a candid assessment by public officials about the
vulnerability of the Global Information Infrastructure to destructive
information epidemics. The purpose of this paper is to increase the
awareness of potentially deadly risks that may inhibit the potential gains
from the creation of a global information community.

What Is A Re-Mailer?

A re-mailer allows anyone to post messages to newsgroups or to individuals
while remaining anonymous. The identity of the sender is hidden from the
recipient and remains practically untraceable.

An anonymous re-mailer is a program that runs on a computer somewhere on
the Internet. When you send mail to the re-mailer address, the re-mailer
takes your name and your address off of the mail message and forwards it to
its next destination. The recipient gets mail that has no evidence of where
it originally came from, at least not in the headers. You might give away
your secret identity in the body of the message, but that would be the
sender's own fault.

Anonymous re-mailers can be "chained" so that a message is passed on from
one anonymous re-mailer to another, in two or more separate anonymous
"hops" as a way of making physical tracing or monitoring increasingly
difficult.

One of the most prominent anonymous re-mailers is <anon.penet.fi> is in
Finland. It is frequently used by the Russian (ex-KGB) criminal element.
<Anon.penet.fi> assigns a numeric identification to each address from which
it receives mail. Internet recipients can reply to that secret number.
<anon.penet.fi> will also assign to them another anonymous number, and then
forward the reply. This creates a double-blind situation where two people
could have an ongoing exchange and never know who the other person was.
This method of communication is favorite for engaging services of
cybercriminals and for authorizing payment for their acts through a third
party.

<Anon.penet.fi> can be also used to post a message to Usenet as well. The
message can be read by thousands of people, and anyone can send an
anonymous reply to the secret Finnish identity. The readers of this paper
can easily avail themselves of these services without any special training.
Detailed instructions for the use of a remailer service are usually
included in the "help" software posted in the remailer's files. For
example:

To get an anonymous re-mailer address follow the following instruction.
First, you should send mail to: <help@anon.penet.fi>. You'll get back a
nice help file automatically. Next, send mail to <ping@anon.penet.fi>. This
will allocate your number--from now on you'll be something like
<anXXXXXX@anon.penet.fi>, where XXXXXX is your number. Once you have
received your anonymous address you can use it like your normal e-mail
address.

These capabilities are not trivial, but a source of an exhaustive body of
software and communications know-how which can be learned best by
consulting one of the many tutorials about this topic, such
as<ftp.csua.berkeley.edu: /pub/cypherpunks/re-mailer/hal's.remailer.gz>:

Cyberpunk re-mailers allow a person to send mail with no trace of identity.
To use a re-mailer simply do the following:

Add the header Request-Remailing-To: and sending to one of the addresses
listed below. These headers must be typed in exactly. Mail without these
headers is either rejected or delivered to the re-mailer administrators.If
you cannot add the required headers, place two colons (::) on the very
first line of your message, then on the next line type
Request-Remailing-To: and the address you want to send anonymously to. Skip
a line, and then begin the message. By using this method you can send the
message through more than one re-mailer which will certainly ensure that it
will be anonymous. Many re-mailers only allow one recipient per message. A
number of standard Cyberpunk Re-mailers are        available.

There is a wealth of easily accessible step-by-step instructional material
available on the Internet how to use re-mailers and how to evade
countermeasures or possibility of detection from any source. Re-mailer
operators are in frequent contact with each other and exhibit many of the
fraternal habits that previously were shared between amateur radio
operators. Some of the most interesting sources of information are:

André Bacard's anonymous re-mailer FAQ is an excellent nontechnical
introduction.

For a different take on Net anonymity, see L.Detweiler's home page.

Tools

Private Idaho is an anonymous re-mailer utility for Windows, supporting
PGP, the cypherpunks re-mailers,and Mixmaster, and the <alpha.c2.org> alias
server. It too automatically configures itself based on this re-mailer
list.        <ChainMail> is a re-mailer chaining utility for Mac users, by
Jonathan Rochkind. To use it, you need Eudora, MacPGP, and applescript, in
addition to a number of applescript scripting additions. <Privtool> is a
PGP-aware mailer that also supports Mixmaster. The Community ConneXion has
put the Web-premail gateway on its SSL server. That means that you can send
anonymous email from the Web without exposing your message in the clear on
the connection between your Web browser and the gateway. Sameer Parekh's
NEXUS Berkeley / Community ConneXion has a web page set up for sending
anonymous mail from your Web client.        Michael Hobbs has set up Web
gateway to premail. Now you can send anonymous email directly from your Web
browser. Don't use this for extremely sensitive stuff, though, because it
isn't quite as secure as running premail yourself (in particular, the
connection between your Web browser and the gateway is not
encrypted). A good source for re-mailer information is the Anonymity,
re-mailers, and your privacy page compiled by  "Galactus". This is also the
best place to look for information about anon.penet.fi.

Matt Ghio's re-mailer list is available by finger
ingremailer.help.all@chaos.taylored.com. This file also has all the public
keys for PGP-friendly re-mailers. Matt also has a pinging service similar
to this one, available by fingering re-mailer-list@chaos.taylored.com.
Chaos is having problems getting recognized on the Net. Try
re-mailer.help.all@204.95.228.28 and see if that works any better. Newer
information can be gotten by sending mail to
mg5n+re-mailers@andrew.cmu.edu. Help for the Alpha alias server (also
available in a plain email version. This is the best way to create an alias
for anonymous replies to mail. Not only is it the most cryptographically
secure, but you get to pick the alias nickname of your choice. The email
addresses are of the form <alias@alpha.c2.org>. Highly recommended. Usura's
home page has a bunch of re-mailer related stuff on it, including a help
page on chaining re-mailers.       The Armadillo re-mailer now has its own
Web page. Crown re-mailer help and statistics. Ecafe re-mailer has its own
Web page, including quickie info about how to use the re-mailer without
encryption or any other extras.

Other resources

You want to send secure mail to someone, but don't know their key. Where
are you going to get it? Try the keyserver at MIT. Vince Cate's Cryptorebel
and Cypherpunk page has pointers to lots of cypherpunk resources. John
Perry's jpunix page has info on his MX service for hidden re-mailers, as
well as cool links for Mixmaster and other stuff. Lance Cottrell's home
page, which has his Chain script, the Mixmaster re-mailer client (including
Sun        binaries!) as well as other cypberpunk related topics. Vince
Gambino's re-mailer page has a good collection of re-mailer help files.

Where Do You Find Re-Mailers?

Computers that offer remailing capabilities are operated by individuals or
organizations as a public service, almost always at no charge because it
costs so little to set one up. They are available globally. We offer a
partial list of re-mailers:

$remailer{"extropia"} = "<remail@extropia.wimsey.com> cpunk pgp special";
$remailer{"portal"} = "<hfinney@shell.portal.com> cpunk pgp hash";
$remailer{"alumni"} = "<hal@alumni.caltech.edu> cpunk pgp hash";
$remailer{"bsu-cs"} = "<nowhere@bsu-cs.bsu.edu> cpunk hash ksub";
$remailer{"c2"} = "<remail@c2.org> eric pgp hash reord";
$remailer{"penet"} = "<anon@anon.penet.fi> penet post";
$remailer{"ideath"} = "<remailer@ideath.goldenbear.com> cpunk hash ksub
reord";        $remailer{"hacktic"} = "<remailer@utopia.hacktic.nl> cpunk
mix pgp hash latent cut post ek";        $remailer{"flame"} =
"<remailer@flame.alias.net> cpunk mix pgp. hash latent cut post ek reord";
$remailer{"rahul"} = "<homer@rahul.net> cpunk pgp hash filter";
$remailer{"mix"} = "<mixmaster@remail.obscura.com> cpunk mix pgp hash
latent cut ek ksub        reord ?";        $remailer{"syrinx"} =
"<syrinx@c2.org> cpunk pgp hash cut reord mix post";
$remailer{"ford"} = "<remailer@bi-node.zerberus.de> cpunk pgp hash ksub";
$remailer{"hroller"} = "<hroller@c2.org> cpunk pgp hash latent ek";
$remailer{"vishnu"} = "<mixmaster@vishnu.alias.net> cpunk mix pgp. hash
latent cut ek ksub        reord";        $remailer{"robo"} = "<robo@c2.org>
cpunk hash mix";        $remailer{"replay"} = "<remailer@replay.com> cpunk
mix pgp hash latent cut post ek";        $remailer{"spook"} =
"<remailer@valhalla.phoenix.net> cpunk mix pgp hash latent cut ek reord";
$remailer{"rmadillo"} = "<remailer@armadillo.com> mix cpunk pgp hash
latent cut";        $remailer{"ecafe"} = "<cpunk@remail.ecafe.org> cpunk
mix";        $remailer{"wmono"} = "<wmono@valhalla.phoenix.net> cpunk mix
pgp. hash latent cut ek";        $remailer{"shinobi"} =
"<remailer@shinobi.alias.net> cpunk mix hash latent cut ek reorder";
$remailer{"amnesia"} = "<amnesia@chardos.connix.com> cpunk mix pgp hash
latent cut ek        ksub";        $remailer{"gondolin"} =
"<mix@remail.gondolin.org> cpunk mix pgp hash latent cut ek reord";
$remailer{'alpha'} = '<alias@alpha.c2.org> alpha pgp';
$remailer{'gondonym'} = '<alias@nym.gondolin.org> alpha pgp';        Much
of the knowledge about the characteristics of these re-mailers is available
from        <remailer-list@kiwi.cs.berkeley.edu>

Role Of Encryption

For added protection, users of Anonymous Re-mailers tend to encrypt their
messages just in case one of the remailing links are compromised. PGP
(Pretty Good Privacy) encryption is favored because it is freely available
and easy to use. A typical digital signature would look like this:

-----BEGIN PGP SIGNATURE-----     Version: 2.6.2

iQCVAwUBMPDy4WV5hLjHqWbdAQEqYwQAm+o313Cm2ebAsMiPIwmd1WwnkPXEaYe9
pGR5ja8BKSZQi4TAEQOQwQJaghI8QqZFdcctVYLm569I1/8ah0qyJ+4fOfUiAMda
Sa2nvJR7pnr6EXrUFe1QoSauCASP/QRYcKgB5vaaOOuxyXnQfdK39AqaKy8lPYbw
MfUiYaMREu4=     =9CJW     -----END PGP SIGNATURE-----

For responses the sender will choose a passphrase. This phrase will be used
to encrypt messages sent back to you. The encryption will be single-key
encryption, not PGP's normal public-private key encryption. The reason for
this is that public key encryption is usually not necessary in such cases.
Single-key encryption does not require a database (such as in the widely
used <anon.penet.fi> database for mapping aliases onto addresses), thus
increasing the security of communications among anonymous users.

When a recipient responds to the e-mail, his response will be encrypted
with the sender's pass-phrase. The sender can read the response by saving
it to a file and using PGP on it. PGP will ask for the passphrase, enter
the sender's reply, which will make it possible for the recipient to see
the response to the e-mail. This feature allows both parties to be securely
encrypted, protecting privacy and anonymity in both directions.

How Reliable Are The Re-Mailers?

The knowledge about the characteristics, reliability and trustworthiness of
re-mailers is widely distributed through various bulletin boards. These are
consulted by persons deeply immersed in Internet-related developments.
There is an agile and very active global community that keeps track of the
average latency time, uptime of frequently used re-mailers. They post their
findings, which in many cases is superior to what a commercial customer is
likely to find out about their own data center performance, or about the
service quality offered by Compuserve, America-On-Line of Prodigy. Here is
an excerpt from such a bulletin:

hacktic  remailer@utopia.hacktic.nl       **** *******     7:10  99.85% c2
remail@c2.org                    -.-++ ++-.-+  2:10:42  99.83%
rmadillo remailer@armadillo.com           +++++ ++++++    37:03  99.69%
flame    remailer@flame.alias.net         ** * *******    14:55  99.64% mix
mixmaster@remail.obscura.com     _ _-__...-++ 17:40:48  99.21% amnesia
amnesia@chardos.connix.com        -+ +--+---   2:04:43  99.20% ecafe
cpunk@remail.ecafe.org           ## ##-## #--  1:26:54  99.06% extropia
remail@extropia.wimsey.com       .- -.----_. 13:48:11  99.04% replay
remailer@replay.com               + +** *****     5:36  98.84% shinobi
remailer@shinobi.alias.net       -- -- - - +     54:43  98.78% spook
remailer@valhalla.phoenix.net    *  ***** - *    35:07  98.36% vishnu
mixmaster@vishnu.alias.net       **      #-*#     7:44  98.20% bsu-cs
nowhere@bsu-cs.bsu.edu              #  # ##.#    28:07  97.78% gondolin
mix@remail.gondolin.org           - --_.----   9:45:55  97.62% wmono
wmono@valhalla.phoenix.net          **  *   *    12:23  97.57% hroller
hroller@c2.org                   #*+### -.. #  1:37:24  96.71% ford
remailer@bi-node.zerberus.de     ._...--._.  21:21:22  95.83% portal
hfinney@shell.portal.com         ########*#      27:36  95.55% alumni
hal@alumni.caltech.edu           #     # *  +    25:47  95.29% penet
anon@anon.penet.fi                  . -- --   13:55:20  87.78% rahul
homer@rahul.net                  +* *+**+*  #     4:34  93.71% robo
robo@c2.org                       #-##            5:59  27.86% History key
# response in less than 5 minutes.   * response in less than 1 hour.   +
response in less than 4 hours.   - response in less than 24 hours.   .
response in less than 2 days.

Specialization Of Services

The operators of various re-mailers are specialized in that they cater to
select communities of Internet dwellers. They offer unique services to
customers who are seeking different degrees of anonymity. Cognoscenti in
the field can readily identify remailers who offer meets diffferent tastes
and preferences. Here is an example of remailer characterizations:

<cpunk> A major class of remailers. Supports Request-Remailing-To: field.
<eric> A variant of the cpunk style. Uses Anon-Send-To: instead. <penet>
The third class of remailers (at least for right now). Uses X-Anon-To: in
the header. <pgp> Remailer supports encryption with PGP. A period after the
keyword means that the short name, rather than the full email address,
should be used as the encryption key ID. <hash> Supports ## pasting, so
anything can be put into the headers of outgoing messages. <ksub> Re-mailer
always kills subject header, even in non-pgp mode. <nsub> Re-mailer always
preserves subject header, even in pgp mode. <latent> Supports Matt Ghio's
Latent-Time: option. <cut> Supports Matt Ghio's Cutmarks: option. <post>
Post to Usenet using Post-To: or Anon-Post-To: header. <ek> Encrypt
responses in reply blocks using Encrypt-Key: header. <special> Accepts only
pgp encrypted messages. <mix> Can accept messages in Mixmaster format.
<reord> Claims to foil traffic analysis by reordering messages. <mon>
Re-mailer has been known to monitor contents of private email. <filter>
Re-mailer has been known to filter messages based on content. If not listed
in conjunction with <mon>, then only messages destined for public <alpha>
Supports nyms according to the protocol used by alpha.c2.org. This list
will be featuring reliability and latency measurements soon for these
nymservers.

A fascinating example of specialization is a re-mailer service advertising
the capacity to defeat "traffic analysis" used by intelligence agencies.
All mail to each destination is first sent through <remail@sitename> which
is a standard "cypherpunk" re-mailer with PGP with a few added features.
The outgoing mail is not forwarded immediately upon receipt. Outgoing
messages are stored in a pool until five minutes after each hour, when all
messages in the pool are re-transmitted in a random order, ignoring the
order in which they came in. Each message from the re-mailer is sent
through a random path of other re-mailers in the re-mailernet. This usually
involves between five to 20 "hops" from one re-mailer to another. In each
case care is taken for at least one of the "hops" to be in a country with
especially relaxed laws concerning electronic messages. Such measures would
greatly complicate any tracing that may be contemplated by a
law-enforcement agency.

Why Re-Mailers?

E-mail is as fast and casual as a voice phone call, but can be stored and
retrieved with infinitely greater efficiency than paper letters or taped
conversations. An e-mail message can be re-broadcast the world over, by
anyone who comes across a copy of the transmission. Parts of any message
can be extracted, edited and easily modified. Meanwhile, the e-mail address
of the originator remains a label of its origin. If the storage of that
message is not protected - and it rarely is - it can be accessed by anyone
who takes the trouble to rummage through any of the many archived computer
records that may have received such message. A casual e-mail exchange, with
an identifying address, can be then used to compromise the originator. As
e-mail traffic takes over an ever increasing share of personal
communications, inspection of e-mail traffic can yield more comprehensive
evidence than just about any wire-tapping efforts. E-mail-tapping is less
expensive, more thorough and less forgiving than any other means for
monitoring personal communications. Without protection of privacy, browsing
through e-mail archives would become the preferred way for gathering
evidence in law enforcement cases. It would also be used as the favorite
means for collecting incriminating statements by lawyers engaged in civil
litigation.

In casual e-mail exchanges it is easy to make an error. When the message is
archived it could be used to haunt a person for decades afterwards. A
message intended for a particular individual may be passed on to hundreds
or even thousands of others. Unless its origin is anonymous, all e-mail can
be traced through identifying addresses that preserve the name of the
originator - as well as the names of those who forwarded it - wherever the
message traversed. Unless a message is handled anonymously, a trace is left
about everyone who received it or passed it on. It would be like a letter
that not only identifies the name and address of its author, but also
fingerprints of anyone who ever touched it.

It is one of the fundamental strengths of the Internet that it offers an
almost universal capacity for free expression of ideas. A person's opinions
can be sent anywhere in the world in a matter of minutes, with the
originator's name displayed at the top. Is it consistent with the rights to
individual privacy and freedom of expression to have one's name clearly
associated with a message than may be easily disseminated to unintended
recipients?

The issues here are the rights to the freedom of speech and to the rights
to personal privacy. Having the right to free speech may work well in the
case of verbal expression, but it may cease to have its intended purpose in
face of retaliation that may take place decades later. In a system that
theoretically can have infinitely large memory and indefinitely long
remembrance, the freedom of expression and become abused and perverted by a
government that does not respect individual rights.

With the widespread acceptance of Internet-mediated communications it was
recognized that the simplest way of securing privacy is through anonymity.
That's how anonymous re-mailers came into being. Given the technical
characteristics of Internet, there is nothing to prevent anyone to set up a
private (or public) anonymous remailing service. Any attempt to prohibit or
regulate the use of anonymous re-mailers is technically unfeasible. In a
democratic society it becomes politically unacceptable to suppress
remailers as potential sources of criminal acts. Such absolute prohibitions
would never pass through a legislative process in a free society.

Conclusion

Anonymous re-mailers are here to stay. Like in the case of many virulent
diseases, there is very little a free society can do to prohibit travel or
exposure to sources of infection. The best one can do is to start treating
the pathologies inherent in the Internet in the same way as we have learned
to deal with infectious epidemics. That calls for constructing new
institutions and processes that are analogues to inoculation, immunization,
prophylactics, clean water supply, sewers, hygiene, early detection of
outbreaks of diseases, quarantine, the offices of health examiners, the
Center of Disease Control and the World Health Organization.

The introduction of most of these restrictive means, imposed mostly by
government, were often opposed by those who saw in public health
injunctions infringement of individual rights. In due course an informed
electorate found it expedient to accept most of the sanitary measures for
disease control a bargain that was well worth it.

The history of public health teaches us that suppression of any disease
must be preceded by a thorough understanding of its behavior, its method of
transmission and how it creates its own ecology. As in the case of
smallpox, yellow fever, flu epidemics, AIDS or malaria, it will take
disasters before the public may accept that some forms of restrictions on
the electronic freedom of speech and privacy may be worthwhile.

It was the purpose of this paper to explain the characteristics of
anonymous remailers as one of the potential sources of infectious threats
to the well-being of our information-based civilization. We trust that this
will be seen as a useful contribution to an already raging debate of how to
find a balance between the desirable and the dangerous.

Paul@Strassmann.com and William_Marlow@cpqm.saic.com will be pleased to
respond to identifiable commentators on the points of view expressed
herein.



****************************************************************************
Subscribe to Freematt's Alerts: Pro-Individual Rights Issues
Send a blank message to: freematt@coil.com with the words subscribe FA
on the subject line. List is private and moderated (7-30 messages per week)
Matthew Gaylor,1933 E. Dublin-Granville Rd.,#176, Columbus, OH  43229
****************************************************************************