From: ld231782@longs.lance.colostate.edu
Date: Mon, 25 Jan 93 13:20:00 PST
To: cypherpunks@toad.com
Subject: anonymous server compilation?
Message-ID: <9301252119.AA27366@longs.lance.colostate.edu>
MIME-Version: 1.0
Content-Type: text/plain


Hello. To my knowledge no public listing of known anonymous servers has
been compiled.  I'd like to start one.  This could possibly turn into a
FAQ if response is good.  I will put in this newbie-type introductory
information at the end of this document for review.  Please help me
improve this by sending constructive/informative feedback, esp.
sections flagged with (?).  This all is very weak right now but with
your help it could become very thorough and valuable.

pax.tpa.com.au
--------------
The most sophisticated anonymous posting system to my knowledge.  Uses
public key encryption for traffic in both ways (to/from) the server. 
No anonymous remailing capabilities yet but dclunie@pax.tpa.com.au, the
administrator, says he's considering it.  Had a serious bug recently
fixed that caused a reassignment of previously allocated anonymous
addresses.  Located in Australia.

anon.post.g@pax.tpa.com.au   for anonymous USENET posting where `g' is the group
anon.info@pax.tpa.com.au   for information
anon.subscribe@pax.tpa.com.au   to subscribe to the mailing list


acs@n7kbt.rain.com
------------------
no info (?). given to me by dclunie@pax.tpa.com.au


godiva.nectar.cs.cmu.ed
-----------------------
operated by Karl_Kleinpaste@cs.cmu.edu.  Mentioned by julf@penet.fi in
an introductory information.  This person has posted code to
alt.sources that implements anonymous server capabilities. (?)

anon.penet.fi
-------------
operated by julf@penet.fi.  Both anonymous posting and remailing capabilities. (?)


hh@pmantis.berkeley.edu
-----------------------
no info (?).  given to me by tcmay@netcom.com



Anonymity and Identity on the Internet
======================================

Generally, identity is amorphous and almost nonexistent on the Internet
for a variety of reasons.  One is the inherent fluidity of "cyberspace"
where people emerge and submerge frequently, and absences are not
readily noted in the "community".  You currently do not really have any
great assurance that the messages you get in mail and the messages you
see on USENET are from the people they appear to be from, nor do others
have of you.  Be careful not to be led astray; gullibility is perhaps
the greatest crime here, and skepticism the most useful virtue. 
Neither are there currently good assurances of privacy in your personal
email, and cases where it has been compromised are not uncommon.  New
encryption technologies are slowly gaining acceptance and penetration
into systems that make possible digital encryption and authentication
that will make the systems more trustworthy.  These can also protect
your identity and privacy by offering anonymous posting and mailing capabilities.

USENET

USENET is a worldwide decentralized news distribution system, adhering
to Internet standards described in RFC977 (?).

MAIL

The characters that you are reading are almost certainly encoded in
ASCII, the American Standard Code for Information Interchange that maps
alphabetic and symbolic characters onto numeric codes and vice versa. 
Virtually every computer system uses this code, and if not, has ways of
converting to and from it.  When you write a mail message, it is being
sent in ASCII, and since the standard is virtually universal, there is
no intrinsic privacy.  Anyone with access to hardware involved in
forwarding the message can theoretically read it.

Internet mail standards, described in RFC (?), are still evolving
rapidly and not entirely orderly.  For example, standards for mail
address `munging' or `parsing' tend to vary slightly between sites and
frequently mean the difference between finding addresses and bouncing
mail.  New standards are calling for uniform introduction of "privacy
enhanced mail" (PEM) which uses encryption technologies to ensure
privacy.  The current internet mailing protocol is slightly
anachronistic in that it was created when the system was somewhat
obscure and not widespread, with only a fraction of the traffic it now
sees.  Today about (?) of internet traffic is mail, comprising about
(?) messages.  (Source: (?))

A person's mailing address is far from an identification of an
individual.  First, anyone with access to the account, e.g. they know
the password, either legitimately or otherwise, can send mail with that
address in the From: line.  Secondly, as part of current mailing
protocol standards, forging the From: line is a fairly trivial
operation for many hackers.  Much less forgable is the status and path
information prepended to messages by intermediate hosts.

Note that bounced messages go to postmasters at a given site in their
entirety.  This means that if you address mail with an incorrect
address it has a good chance of being seen by a human other than the recipient.

Theoretically people at any site in the chain of sites that forwards a
given mail message over the Internet (about a half-dozen (?) on
average, depending on the distances) could potentially compromise the
privacy of that message and read it.  In practice, this appears to be
rare or unheard of.  Something more common is instances of immature and
unscrupulous system operators reading private mail at a local site,
such as a university.  The requirements and screening for getting a
system administration job (and access to *all* information on a system)
vary widely between sites and are sometimes frighteningly lax.

ANONYMOUS MAILING
-----------------

Some people find it useful to send anonymous mail to others.  Examples
of this include (?).  Here the distinction should be made between sort
of "hit and run" mail, where the sender does not want to carry on any
further communication, and anonymized mail, where the recipient can
respond but has no idea of the sender or origination of a message.  The
servers listed above allow for the latter type of communication.  The
former type is now largely confined to hackers who find it convenient
for scurrilous threats or whatever, but probably has legitimate uses as
well (?).  Another category is people who want to appear to have
regular but not traceable appearances, i.e. the userid and site
origination do not obviously flag their mail as anonymous.

Unfortunately, no set of standards is in place to handle the procedures
for anonymous posting.  Typically the approach is to set up an
"anonymous server" that, when activated by email to its address,
responds by allocating and supplying an "anonymous ID" that is unique
to the person requesting it (based on his email address).  This will
vary for the same person for different machine address email
originations.  To send anonymous mail, the user sends email directed to
the server containing the final destination. The server "anonymizes"
the message by stripping of identification information and forwards the
message, which appears to originate from the anonymous server only from
the corresponding anonymous user id.