1993-02-23 - Re: Beware of anon.penet.fi message!

Header Data

From: Johan Helsingius <julf@penet.FI>
To: deadbeat <an5877@anon>
Message Hash: d4e6f25da43318fe2fbea86289873f58a8e3a4ca67145ac0aafadc09ad4a6b39
Message ID: <9302230851.aa19921@penet.penet.FI>
Reply To: <9302230604.AA04535@anon.penet.fi>
UTC Datetime: 1993-02-23 08:04:20 UTC
Raw Date: Tue, 23 Feb 93 00:04:20 PST

Raw message

From: Johan Helsingius <julf@penet.FI>
Date: Tue, 23 Feb 93 00:04:20 PST
To: deadbeat <an5877@anon>
Subject: Re: Beware of anon.penet.fi message!
In-Reply-To: <9302230604.AA04535@anon.penet.fi>
Message-ID: <9302230851.aa19921@penet.penet.FI>
MIME-Version: 1.0
Content-Type: text/plain

> I meant only slight malice here:  I had intended to "expose" a few
> email/anon associations to highlight the problem.  The problem became
> apparent to me when I sent pseudonymous mail to a prominent person on
> this list; his reply exposed his pseudonymous id at anon.penet.fi,
> surely without his knowledge.

I think this would be fixed by the "X-Anon-Anonymize: no" (or whatever)
hack. But for reasons I have outlined in the earlier round of
discussions, it can't be the default. Comments? 

> > an5877's message appears to be a trick, designed to collect
> > anonymous/real address pairs.  Johan Helsingius should take
> > action against this trickster.  Since he is learning other
> > people's real addresses, perhaps it would be appropriate for his
> > own real address to be revealed.
> Now that would be a _very_ serious "bug" in the anon.penet.fi remailer
> (or, more accurately, in its administration); I am confident Johan
> Helsingius will reject this suggestion.

Definitely. I might block someone from using the server, but never (ok,
"never say never") expose somebody.

> > But, this does point out that these systems which automatically
> > assign anonymous addrsses have several security flaws.  Johan
> > has already had to introduce a "password" feature to make it
> > more difficult to send fakemail that appears to be from a
> > particular email address through the server, thus revealing the
> > corresponding anonymous address when it is delivered.
> I think that merely masks the real problem.

It fixes *one* problem. I really appreciate suggestions for other

> > These are serious problems.  We need some discussion of how to
> > avoid these simple tricks for defeating the anonymity while
> > still having an easy-to-use system.
> Any ideas?  For starters, I think the default behavior of anon.penet.fi
> is badly broken.

There has been a lot of discussion about this, and I'm afraid it's too
late to change the *default* behavior now...

> But a more serious problem with anon.penet.fi and the
> other remailers I am aware of is the necessity that we pseudonymous
> clients have to rely on the integrity of their administrators to keep
> our pseudonyms private.  In the face of social pressure, such as
> Xavier's, that may be asking a lot.

True. And that's why PGP-based stuff & remailer chains is the way to go
for "hard" anonymity. But for posting to general newsgroups, we also
need a system with working return paths. This doesn't seem possible with
current remailer chain systems.

	Julf (admin@anon.penet.fi)

P.S. In case I forgot to announce it, as you could see from the message
I'm replying to, PGP stuff doesn't get stripped at anon.penet.fi