From: fc@all.net (Dr. Frederick B. Cohen)
To: cypherpunks@toad.com
Message Hash: 7e4ba10c448c53816a6aa3ca6012b9e613f4ae331601913f1b323b162aba26bb
Message ID: <9511021110.AA01070@all.net>
Reply To: <199511020504.AAA19291@thor.cs.umass.edu>
UTC Datetime: 1995-11-02 11:41:54 UTC
Raw Date: Thu, 2 Nov 1995 19:41:54 +0800
Subject: Re: [FRED] Anonymity and Integrity
> Dr. Frederick B. Cohen writes:
> > I have been convinced for some time that you can't have both integrity and
> > anonymity.
> [and in a followup]
> > I might be misinterpreted as having meant that it is impossible to have
> > both integrity and anonymity. That is not what I meant, [...]
>
> Er, thanks for the clarification....

A typical quotation taken out of context. You missed the part after "I
meant" where I explained that I meant you couldn't assure ... - That
is, you could have both or not have both, but you couldn't be certain
that you had both.

> > Integrity:= 1) Steadfast adherence to a strict moral and ethical code.
> > 2) A state of being unimpaired; soundness.
> > 3) The quality or condition of being whole or undivided; soundness
> > Also) soundness, completeness,
> > Alternatively:
> > 1) Strict personal honesty and independence...
> > 2) Completeness; unity...
> > 3) The state of being unimpaired; soundness...''
> >
> > In this context, I might be misinterpreted as having meant that it is
> > impossible to have both integrity and anonymity. That is not what I
> > meant, although it is probably also true in a very strict sense.
>
> All right, what makes you think that ? Lest we wave our hands too much and
> totally misunderstand each other, let me lay down a more concrete scenario.
> If you have a substantially different scenario in mind, let me know.
>
> Suppose that I send an anonymous message to a public forum such as this. I
> and the message seem to "have anonymity" by any standard I can presently
> imagine. Now, in what ways might I or the message lack integrity in this
> situation ?

If the message was not of any particular import to anyone, integrity
would not be a very big issue, but suppose you took quotes out of
context and cleverly tried to construct a picture of the other person
as not being reputable. People who read the message might believe that
what you said was true, or at least had a grain of truth to it. That
sort of message lacks integrity, and the reason it lacks integrity is
because it has anonymity, not just because it's false and misleading.

To clarify even further, I seem to recall a posting some months ago from
an anonymous source declaring a new on-line for-sale forum called the
Internet Security Newsletter (or some such thing). The anonymity of the
poster in the context of asking for money and the fact that one of the
people who was claimed to be on the board of editors was not, in fact, a
participant, led to the question of who the person was. It turned out
that this person had a substantial history of putting forth falsehoods
as well as other related things that might have been very helpful in
evaluating the credence of his statements. It turned out that the
newsletter was, at least in some sense and without making value
judgements, legitimate; but the anonymity of the person making the posts
made it harder to assure the integrity of the statements made, which
exacerbated the assurance issue.

> I haven't broken my personal ethical codes, although perhaps
> I've violated someone else's. I have been honest, at least as much as I am
> generally honest in anything I write. I am not lying by donning the cloak of
> anonymity; I have not misrepresented my identity, merely refused to reveal
> it. The content of the message can be considered sound as much as anything
> else can. The message is incomplete in the sense that it does not include
> the true identity of the author -- is this what you would claim as a
> failure of integrity ? All messages are incomplete in the sense that
> various important facts are absent from them.

I don't know you, which also means that I don't know your motives. This
brings up the problem that, even though your postings may be true and
your motives honorable, they may not be, and there is no way to look
into your background and evaluate your history in order to assess your
statements. In many cases, I believe statements because of their source
and my experience with that source.

I understand that over time, reputations can be built up for pseudonyms
(which are not necessarily anonyms) but then, with a pseudonym we might
reasonably ask what the motive is for hiding the real identity. Is it
for fun? Because it's there? In solidarity for those who have legitimate
reasons for remaining anonymous? Or is it a means to influence others
for personal or national gain? Is it a way of spreading disinformation?
Is it a way to escape liability for slanderous statements? Is it a way
to keep people from finding out that there is a personal grudge being
played out? Without knowing the motive, how can we assess the
statements? In fact, how can we know that the original pseudonym still
applies? Someone could kill you and take over your pseudonym, and even
though we might hear of your death, the pseudonym might continue based
on your reputation but with another actual source.

It's an interesting concept that each statement should/could be taken on
its own and evaluated independently of the rest of a person's life
context, but in my experience, that has serious problems.

> > To clarify, I don't think you can assure integrity when you have anonymity.
> >
> > This follows from my earlier writings (circa 1984-89), which are fairly
> > extensive, and in which I made the only marginally supported claim that
> > you can't have (i.e., assure) both integrity and secrecy in a system
> > with sharing. This came originally from the result that integrity +
> > secrecy = no sharing (ala the combination of Biba and Bell-LaPadula)
> > which was extended into a POset which characterizes the extent to which
> > integrity and secrecy can be maintained based on transitive information
> > flow.
> >
> > The less mathematical reasoning is that in order to be able to verify
> > integrity, you have to be able to examine the information that is
> > secret, while having secrecy requires that you not be able to have
> > independent verification. Thus the two limit each other.
> >
> > Anonymity, in this context, can be thought of as secrecy.
>
> I understand the nature of the information flow argument, but I don't see
> that it's applicable. You appear to contend that the assurance of the
> integrity of an anonymous message depends upon the examination of
> information that is "secret", that is, _not part of the message_. But no
> message is complete -- all messages have many such associated "secrets" not
> available as part of the messages. So the claim seems to be vacuous: we
> can assure the integrity of neither anonymous nor verinymous messages.

An important point. The more we know, the more certain we can be. With
computer-based anonymity as it is practiced today, and ignoring the
examples of the pseudonyms that were broken by legal warrant, we have
very little knowledge about the originator of a message, and thus we
have very little assurance of the integrity of their messages. The
history built up over time for a given pseudonym certainly increases the
assurance associated with it, but there are other problems with this.

Example: I have two (N) pseudonyms that put forth different points of
view specifically directed to create different kinds of credence to
different audiences. If the audiences knew that both (several) of the
pseudonyms were in fact the same person, they would have very different
beliefs about the individual given the combined picture than they might
get from any one of the pictures.

> Perhaps the rejoinder will be that anonymous messages have a
> _characteristic_ piece of missing "secret" information, namely the senders'
> True Names. But you have yet to offer any argument that only certain special
> "secrets" must be examined in order to verify integrity.

It's not only the True Name that's at issue. It's the association of a
set of messages and historical information with a source. For example,
if we knew you were a KGB agent working in the disinformation and
economic espionage branches, we might evaluate your postings differently
than if we knew you were a high-school student from Duluth whose father
taught her a lot about cryptography when she was young.

--
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
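
Added example, not part of the original message: the "integrity + secrecy = no sharing" result quoted above from the combination of Biba and Bell-LaPadula, computed for a small constructed system. It assumes one ordered level per subject, used for both secrecy and integrity; the subject names and levels are invented for illustration.

```python
from itertools import product

# Constructed sample system: subject name -> level on a single ordered scale
# (assumption: higher = more secret under Bell-LaPadula, more trusted under Biba).
LEVELS = {"guest": 0, "staff": 1, "admin": 2, "audit": 2}

def blp_flow(src, dst):
    """Bell-LaPadula (secrecy): information may only flow upward or sideways."""
    return LEVELS[src] <= LEVELS[dst]

def biba_flow(src, dst):
    """Biba (integrity): information may only flow downward or sideways."""
    return LEVELS[src] >= LEVELS[dst]

def both_flow(src, dst):
    """Both policies enforced at once on the same levels."""
    return blp_flow(src, dst) and biba_flow(src, dst)

def flows(policy):
    """Direct flows between distinct subjects that the policy permits."""
    return {(a, b) for a, b in product(LEVELS, repeat=2)
            if a != b and policy(a, b)}

def transitive_closure(edges):
    """Everything reachable through chains of permitted flows."""
    closure = set(edges)
    while True:
        extra = {(a, d) for (a, b), (c, d) in product(closure, repeat=2)
                 if b == c and a != d} - closure
        if not extra:
            return closure
        closure |= extra

def sharing_across_levels(policy):
    """Flows (direct or transitive) that cross a level boundary."""
    return {(a, b) for a, b in transitive_closure(flows(policy))
            if LEVELS[a] != LEVELS[b]}

if __name__ == "__main__":
    for name, policy in [("BLP", blp_flow), ("Biba", biba_flow), ("both", both_flow)]:
        print(name, sorted(sharing_across_levels(policy)))
```

Either policy alone still lets information cross levels in one direction; enforcing both leaves only flows between subjects at the same level.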