From: Ken Williams <jkwilli2@unity.ncsu.edu>
Date: Fri, 27 Feb 1998 02:57:55 -0800 (PST)
To: cypherpunks@toad.com
Subject: (crosspost)  [IWAR] ANONYMITY HTML risk (fwd)
Message-ID: <Pine.SOL.3.96.980227055541.17123A-100000@c00954-100lez.eos.ncsu.edu>
MIME-Version: 1.0
Content-Type: text/plain



---------- Forwarded message ----------
>>From:  <jericho@dimensional.com>
---------- Forwarded message ----------
>From: 7Pillars Partners <partners@sirius.infonex.com>
To: g2i list <g2i@xmission.com>, IWAR list <iwar@sirius.infonex.com>
Date: Thu, 26 Feb 1998 09:30:06 -0800 (PST)
Reply-To: iwar@sirius.infonex.com
Subject: [IWAR] ANONYMITY HTML risk

Two points: military personal should be particularly aware of this problem, and
users with needs for anonymity should be certain to check out the options
provided by the Anonymizer. --MW

Is Web-Based Mail Bad for Your Anonymity?
 by Steve Silberman 

 5:03am 26.Feb.98.PST
 It's the kind of scare story, posted from an
 anonymous address, that makes the rounds of
 computer security mailing lists and newsgroups.
 This time, however, the scenario was so simple as
 to be highly plausible. 

 The post - made last week to the Cypherpunks
 mailing list - began ominously: "I just had my
 online pseudonym outed to my company's VP of
 marketing, with potentially serious internecine
 political consequences." 

 The author explained that, like many people, he
 maintains two separate email addresses: a work
 account, and an alternate account on a remote
 server at the local college. For the latter, the
 author employs a pseudonym. This, he says,
 allows him to speak his mind about political views,
 as well as his disdain for his employer's use of
 unsolicited bulk emailings - spam - without fear of
 reprisal. 

 The author's cover was blown, he said, the day he
 used Netscape Mail on his workstation to fetch a
 message mailed by his company to his account
 on the college server. 

 So where was the leak? 

 Like more and more email programs, Netscape
 Messenger - along with Outlook Express, Eudora
 4.0 and many free Web-based mail services such
 as Hotmail - offers users the ability to send and
 receive not only text messages, but fully-rendered
 Web pages, in all their graphical glory. If a user
 has both Eudora 4.0 and Internet Explorer, for
 instance, Eudora will borrow IE's HMTL-rendering
 capabilities to display Web pages sent in mail
 messages. 

 The mail targeted by the company to the author's
 pseudonymous address was written in HTML, and
 contained a standard image tag. When Netscape
 opened the mail and rendered the page, the tag
 sent a call to the company's Web server to fetch
 the image, which left a tell-tale footprint - the IP
 address of the author's machine - on his
 employer's logs. Busted! 

 As software designers aim for a seamlessly
 integrated desktop - with multiple email accounts,
 the Web, and local file access all a click away -
 the tools you select for everyday tasks are more
 important than ever. 

 "This isn't really a mail security issue," observes
 Eric S. Raymond, author of a remote mail-retrieval
 utility called fetchmail. "Email security is
 nonexistent anyway unless you use a strong
 end-to-end encryption method like PGP, but that
 wouldn't have helped here. The issue was an
 unintended side effect of having an intelligent
 agent read your mail and go off to the Web to get
 a piece of information. If he'd been using a [text
 mail] program like Elm or Pine or Mutt, he wouldn't
 have gotten bitten." 

 Cryptography consultant Bruce Schneier, author of
 E-Mail Security: How to Keep Your Electronic
 Messages Private, points out that exchanging
 text-only messages and exchanging HTML entail
 different levels of information exchange between
 sender and recipient. 

 "HTML is a robust protocol designed to make
 things run smoothly, therefore it passes a lot of
 information behind the scenes. That's why it's
 useful," he says. 

 Reading Web pages with an HTML-enabled mail
 program doesn't leave any more of a trail behind
 you than surfing through a site - but it doesn't
 leave any less of one, either. 

 You may not even know when you're on the Web
 when you read your mail with a Web-enabled
 program. Several online publications - including
 Wired News - are available in email form, via
 options such as Netscape In-Box Direct. The text
 portion of the publication is sent to your in-box,
 but images may be siphoned from a remote server
 when you open the message. Clicking on links
 may take you out on the Web while you still think
 you're reading mail on your own hard drive. 

 For Simson Garfinkel, author of Web Security and
 Commerce, the lessons to be gleaned from this
 incident are not about text vs. HTML mail
 software, but about workplace rights. 

 "This individual was using his computer at work,
 and he thought that because he was reading
 personal mail on another ISP, his computer was
 not subject to his employer's scrutiny. Employees
 have no rights to privacy in this country," Garfinkel
 says. "If you want to maintain a digital
 pseudonym, don't read your personal mail at
 work." 


Ken Williams

/--------------------------[   TATTOOMAN   ]--------------------------\
| ORG: NC State Computer Science Dept    VP of The  E. H. A. P. Corp. |
| EML: jkwilli2@adm.csc.ncsu.edu         ehap@hackers.com             |
| EML: jkwilli2@unity.ncsu.edu           ehap-secure@hackers.com      |
| WWW: http://www4.ncsu.edu/~jkwilli2/   http://www.hackers.com/ehap/ |
| FTP: ftp://152.7.11.38/pub/personal/tattooman/                      |
| W3B: http://152.7.11.38/~tattooman/w3board/                         |
| PGP: finger tattooman@152.7.11.38                                   |
\----------------[   http://152.7.11.38/~tattooman/  ]----------------/