1993-02-23 - Re: Beware of anon.penet.fi message!

Header Data

From: an5877@anon.penet.fi (deadbeat)
To: cypherpunks@toad.com
Message Hash: 00974a148e2970de12b90b73061dc6d8390c1e6ac02688599c328c1a12eb3820
Message ID: <9302230608.AA04870@anon.penet.fi>
Reply To: N/A
UTC Datetime: 1993-02-23 07:12:55 UTC
Raw Date: Mon, 22 Feb 93 23:12:55 PST

Raw message

From: an5877@anon.penet.fi (deadbeat)
Date: Mon, 22 Feb 93 23:12:55 PST
To: cypherpunks@toad.com
Subject: Re: Beware of anon.penet.fi message!
Message-ID: <9302230608.AA04870@anon.penet.fi>
MIME-Version: 1.0
Content-Type: text/plain



> As was said, the doubleblind system is a great idea, but incomplete
> if you want to correspond to someone without revealing your anon id.

Well, I don't agree that doubleblind is a great idea.

For example, if at any time, Alice sends pseudonymously to Bob, Bob can
not reply directly: this would expose his identity at anon.penet.fi.
Bob must reply through a remailer.

Note the irony -- Bob must take special steps to protect his pseudonym
because anon.penet.fi is acting affirmatively to conceal his actual
identity.  If Bob slips up and simply replies, he is exposed.


> (It's interesting that he also sent his message via one of the Cypherpunks
> remailers.  Maybe he thought they worked like the Penet remailer and
> he could break anonymity on those as well.)

Actually, I don't know why my message went through a Cypherpunks
remailer -- I didn't ask it to.  I don't know of any weaknesses in
the Cypherpunks remailers (other than extreme vulnerability to social

> Evidentally there is positive harm that can occur by automatically
> anonymizing all messages which pass through a remailer.  ... For
> anonymous posting and for mail to a non-anonymous address, it's more
> reasonable to assume that anonymization is desired.  ... But when
> sending a message to an anonymous address, it's not known whether the
> sender wants to be anonymized or not.

I think it's imperative that the sender use X-Anon-To to be
pseudonymous.  This is consistent with the principle of least

> It might seem that people should just be careful about what they
> send through Penet, but there are some problems with this.  What do
> you do if you get a message from an5877@anon.penet.fi asking for
> advice on cryptography mailing lists?  If you reply, your questioner
> can figure out who the reply is coming from, and sees your Penet
> alias.  There is no way to prevent this from happening currently.

A Cypherpunks remailer can be used to conceal the correspondent's
pseudonymous identity.

> Also, I have seen proposals that anonymous ID's should be made less
> recognizable, so that instead of an5877@anon.penet.fi we would have
> joe@serv.uba.edu.  In such a situation it might be tedious to
> scrutinize every email address we send to (via replies, for example)
> to make sure it isn't a remailer where you have an anonymous ID.

It would be a real boon to make pseudonyms less prominent -- this
seems to have kicked over a hornet's nest on USENET (even though
pseudonyms have been quietly in use for years).  But were this the
case, scrutiny would be an understatement.

> All in all, I think some changes need to be made in how anonymous
> addresses are used and implemented in order to provide reasonable
> amounts of security.

I agree that more discussion is in order.  I'm especially concerned 
about the broader issues regarding anonymity through remailers.


Version: 2.1

To find out more about the anon service, send mail to help@anon.penet.fi.
Due to the double-blind system, any replies to this message will be anonymized,
and an anonymous id will be allocated automatically. You have been warned.
Please report any problems, inappropriate use etc. to admin@anon.penet.fi.
*IMPORTANT server security update*, mail to update@anon.penet.fi for details.