1993-02-24 - Front lines of anon.

Header Data

From: Hal <74076.1041@CompuServe.COM>
Message Hash: ed8ecb7bef68cd2fea900968b0e1d42db5be692399d52735a8bbab1ce220b173
Message ID: <93022407170374076.1041_DHJ29-1@CompuServe.COM>
Reply To: _N/A

UTC Datetime: 1993-02-24 07:23:25 UTC
Raw Date: Tue, 23 Feb 93 23:23:25 PST

Raw message

From: Hal <74076.1041@CompuServe.COM>
Date: Tue, 23 Feb 93 23:23:25 PST
Subject: Front lines of anon.
Message-ID: <930224071703_74076.1041_DHJ29-1@CompuServe.COM>
MIME-Version: 1.0
Content-Type: text/plain

Lance Detweiler writes:

> >You have these security threats which involve people being tricked into
> >sending messages through the remailer in such a way that the recipient
> >knows the true email address from where the messages are coming.
> These are completely analogous to users being tricked into supplying
> passwords in regular login situations. Not a new problem. And anybody
> who hasn't figured out that you should *never* put any identifying
> information in the message itself is probably a little too clueless to
> be using the service in the first place. However, the idea of giving a
> warning in the use introduction is ok: ``under NO CIRCUMSTANCES EVER DO
> THIS'' type thing.

It's not that simple.  "Deadbeat" reported that he discovered this problem
when he sent mail via Penet to a list member asking a question.  When that
person replied, it exposed his anonymous ID.  There was no need to put
identifying information in the message itself.  The mere fact that a
particular message is being replied to gives away the true email address
of the sender (because that is the address to which the question was

This means that if you receive mail asking an innocent question, like,
"what is the address to subscribe to cypherpunks?", you need to be aware
of whether that question came from the Penet remailer or one like it.  If
so, you need to take extra care when you respond so that your anonymous
ID is not revealed.

> The problem is that the anonymity is implicitly requested by a message
> to the server. Hence replies are getting this anonymity. One
> possibility is an override switch in the header that leaves it entirely
> intact and the server just acts like another hub forwarder. But what is
> this `harm'? We have to recognize these complaints as completely
> frivolous and without merit.

I don't think so.  It seems to me that the current system makes it easy
to accidentally expose your anonymous ID.  If more people start operating
pseudonym-based remailers it will be that much more difficult to keep
track of whether you want to be anonymized or not.

I think technical solutions are needed along the lines suggested by Eric
Hughes and Deadbeat.


P.S. How about Deadbeat posting a public key?  He keeps signing his
messages but I can't check them.