1993-02-23 - dispatches from the front lines of anonymity

Header Data

From: “L. Detweiler” <ld231782@longs.lance.colostate.edu>
Message Hash: 52034e4885da881c0b09f943564409b8d613f8145f255cb3653ec4a442eac5c0
Message ID: <9302232001.AA01786@longs.lance.colostate.edu>
Reply To: <930223022107_74076.1041_DHJ66-1@CompuServe.COM>
UTC Datetime: 1993-02-23 20:03:18 UTC
Raw Date: Tue, 23 Feb 93 12:03:18 PST

Raw message

From: "L. Detweiler" <ld231782@longs.lance.colostate.edu>
Date: Tue, 23 Feb 93 12:03:18 PST
Subject: dispatches from the front lines of anonymity
In-Reply-To: <930223022107_74076.1041_DHJ66-1@CompuServe.COM>
Message-ID: <9302232001.AA01786@longs.lance.colostate.edu>
MIME-Version: 1.0
Content-Type: text/plain

A few notes on the progress in anonymity:

Eric Hughes suggests an alt.whistleblower with localized anonymizing. I
like this, but I don't see how NNTP provides it. Wouldn't every server
have to be modified or upgraded to support anonymizing? It would be
trivial but I think we will find that the people in charge of NNTP are
looking for ways to increase authentication and validation mechanisms,
and would be hostile to the idea, although that's definitely the place
for it.  As I hinted in an earlier message, the possibility of a
centralized moderator stripping addresses, while already currently
supported in the software mechanisms, is problematic because it is a
single location with all the traffic--hence the need to go through
independent anonymous servers first. But I think the localized
header-stripping is totally superior to all this. Having a message
bounce around a net a bit with *real* information is very vulnerable,
when the ID could be stripped off at the source.

Regarding the alt.whistleblower group, someone has proposed starting a
.gov hierarchy on news.admin.policy very recently, and I sent along the
proposal to him. Watch for new RFCs and vote with your email.  For now
I think the route to go is to get a group and let independent servers
take care of anonymizing the traffic. Maybe the moderating address
could pick a random remailer from a list of active ones--?

I'd like to say a few things about what's going on in news.admin.policy
right now. The thing has turned into quite a conflagration. But most
notable is that Julf@penet has broken his silence on the really
voracious drubbing he's getting, and come forward to say that he has
taken actions against abusive posters, and is under severe amounts of
stress--he said he spends 5 hrs some days answering email
(administrative queries?) on the server. In one case an abusive poster
crashed his system by mailbombing (filling it up with junk). K.
Kleinpaste, who wrote original scripts that julf is using, IMHO is at
best a hypocrite and at worst a traitor to the cause. He has attacked
julf repeatedly on news.answers (most recently calling him a `bastard')
for not implementing the `fire extinguisher' (killing abusive posters)
or restricting group access, or using his own software for any of these
purposes, despite originally providing it.  In private email to him I
find him very authoritarian and narrow-minded on issues of anonymity and
am frankly quite stunned he ever partook in the project.  I think
history will show very clearly that the great and tremendous popularity
of the penet server (10,000 users in a few months) is due *precisely*
to julf's decision to allow postings to all groups.

Anyway, if ever there was a call for other server operators (not just
account remailers)--this is it. We need people with as much control
over their own site as possible. Stuff that is running without the
knowledge of sysadmins at the site is great for experiments but it's
just not going to cut it for some very serious future uses that are
approaching at the speed of light.  Also, if anyone from EFF is
listening, I think this could turn out to be one of the most important
net.issues over the coming years.  How about an EFF sponsored server?

I suspect, if anybody did a fairly impartial study, instead of all the
ranting and prejudice that is going on right now in news.admin.policy,
that anonymous abuse is not extremely problematic or unmanageable
compared to regular phantom/untraceable postings on Usenet. People are
so vocal about `abuses' right now, but only because they tend to be
highly visible. The anonymity is a red herring here. If julf@penet has
10,000 anonymous users, do we now have 10,000 times the problems on
Usenet in general?  Or *any* measurable fraction more than previously?

I think this anonymous use is getting very high use right now. We are
right in the midst of a major trend toward greater anonymized traffic.
Stats on news.lists show that a lot of traffic is starting to get
anonymized, traffic that was once (previously, probably) simply forged.
There'll be plenty of people complaining from the upset status quo. Tell
them to take some virtual Alka-Seltzer.

- - -

I apologize for not bringing this to the attention of the list earlier,
as it sort of seems to be a recent epiphany on the list, but julf@penet
told me he added the password protection precisely for the forgery
questions that are popping up. Also, something to note on forgery is
that the forger may not necessarily *know* a person has an anonymous
mail address on a given server, and the forgery may result in
allocating a new anonymous ID for the forged address. The forger can
tell the difference if the message simply goes through or he gets back
a `you have been allocated xxx ID..'

Also, note the simple scheme of serially allocating anonymous IDs
could be a problem. If the infiltrator knows the rough date that
someone was allocated a new ID, he could narrow down the range of IDs.
For this reason randomly allocated IDs are a better idea.  The
infiltrator could even go around to new accounts all the time (or forge
them) to get an idea where the server is in the allocation cycle. It
seems to me that there are probably a lot of IDs that are not being
used on these servers and the issue of when to get rid of old IDs is a
big problem.

Regarding some notes from Mr. Finney:

>You have these security threats which involve people being tricked into
>sending messages through the remailer in such a way that the recipient
>knows the true email address from where the messages are coming.

These are completely analogous to users being tricked into supplying
passwords in regular login situations. Not a new problem. And anybody
who hasn't figured out that you should *never* put any identifying
information in the message itself is probably a little too clueless to
be using the service in the first place. However, the idea of giving a
warning in the use introduction is ok: ``under NO CIRCUMSTANCES EVER DO
THIS'' type thing.

>Another problem that people have complained about is when they respond
>to an anonymous posting, they get a message from Penet saying that they
>now have an anonymous ID assigned.  This confuses and bothers some people.

Tell them to try not to be so sensitive that a breeze causes them
to panic.  It's a new scheme but they need to get used to it. They can
throw off the anonymity voluntarily any time they want by just
including their ID in their message. But they shouldn't do this if they
ever want to use the server in the future.  Really, all this comes down
to is that they get one extra reply in their mailbox other than
usual--the one from the server saying `you now have this ID'.  I think
most people are recognizing that people complaining about this are just
trying to be troublesome. The argument was called `pedantic' on
news.admin.answers.

>there is positive harm that can occur by automatically anonymizing
>all messages which pass through a remailer.

The problem is that the anonymity is implicitly requested by a message
to the server. Hence replies are getting this anonymity. One
possibility is an override switch in the header that leaves it entirely
intact and the server just acts like another hub forwarder. But what is
this `harm'? We have to recognize these complaints as completely
frivolous and without merit.  Please, don't find a problem where there
is none, you will only complicate simplicity.

One thing I'd like to see that no one has done is an `unlink' feature
for servers that carry address alias tables, so the user can erase all
trace of any previous transactions through the server (other than the
mail).  But maybe this is too close to the hit-and-run abuse out there.
Maybe there is a compromise somewhere, like a waiting period before
unlinking, during which complaints can be registered and possibly
prohibit future use.
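The point above about serial versus random ID allocation, as an added example that is not part of the original post or of any real remailer: a toy alias table with both policies, plus the bracketing infiltrator the post describes (probe accounts registered just before and after the target joins), counting how many IDs could be the target's under each policy. The addresses, the ID-space size and the number of unrelated signups are constructed.

```python
import secrets

# Added example (not the post's or any real server's code): a toy alias table
# in the style of the penet server with the two allocation policies the post
# contrasts. Addresses and the ID-space size below are constructed values.
ID_SPACE = 10**8  # size of the random ID space (constructed)


class AliasServer:
    """Maps real addresses to anonymous IDs; allocates one on first contact."""

    def __init__(self, policy, rng=None):
        self.policy = policy          # "serial" or "random"
        self.table = {}               # real address -> anonymous ID
        self.next_serial = 1          # counter used by the serial policy
        self.rng = rng or secrets.SystemRandom()

    def alias_for(self, address):
        """Return the ID for address, allocating a fresh one if none exists."""
        if address in self.table:
            return self.table[address]
        if self.policy == "serial":
            anon = self.next_serial
            self.next_serial += 1
        else:
            used = set(self.table.values())
            anon = self.rng.randrange(ID_SPACE)
            while anon in used:       # retry on the rare collision
                anon = self.rng.randrange(ID_SPACE)
        self.table[address] = anon
        return anon


def bracket_candidates(server, target, other_users=5, probes=3):
    """Model the infiltrator from the post: register probe accounts shortly
    before and after the target joins, then count the IDs that could be the
    target's. Returns (target_id, number_of_candidate_ids)."""
    before = [server.alias_for(f"probe-before-{i}@example.test") for i in range(probes)]
    for i in range(other_users // 2):             # unrelated signups
        server.alias_for(f"other-{i}@example.test")
    target_id = server.alias_for(target)
    for i in range(other_users // 2, other_users):
        server.alias_for(f"other-{i}@example.test")
    after = [server.alias_for(f"probe-after-{i}@example.test") for i in range(probes)]
    if server.policy == "serial":
        # A counter orders every signup: the target lies between the probe runs.
        lo, hi = max(before), min(after)
        return target_id, hi - lo - 1
    # Random IDs carry no order; only the infiltrator's own IDs are ruled out.
    return target_id, ID_SPACE - len(before) - len(after)
```

With the serial policy the candidate set collapses to the handful of unrelated signups between the probe runs; with random IDs it stays essentially the whole ID space.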