[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: anon.penet.fi hacking
> Well, I think I have deduced the identity of "Deadbeat" from his posting
> style. I don't think Julf should say who he is. This was an important
> demonstration of a weakness in the security of the remailers.
Definitely!
> The Penet remailer seems now to require a password for all messages; at
> least, I wasn't able to send to [email protected] ("Deadbeat") without
> using my password. So chaining through Cypherpunks remailers to Penet would
> seem not to be possible now.
Unless you include your password in the message! Remember that
anon.penet.fi can pick up the X-Anon-To: and X-Anon-Password: lines from
the start of the message text - they don't have to be header fields.
> Unless Eli's suggestion works - having our remailers put out a random
> "From:" line (perhaps just on mail to Penet?) might cause Penet to issue a
> new pseudonym for that apparent new user. This would be kind of wasteful
> from Penet's perspective - all those pseudonyms are never going to be
> re-used. But it might allow this form of chaining, without compromising the
> pseudonym of the remailer operator.
The social implications are more important.
> Another possibility would be for there to be a command to Penet to allow
> users to send truly anonymous mail, mail which does not have a meaningful
> "From" line (and in particular which does not have the user's Penet
> pseudonym displayed as the "From" address). We could set our remailers to
> use that command for any mail sent to Penet. Mail sent with that command
> would not need a password. This would be an alternative way for users to
> deal with some of the other attacks, such as the one Deadbeat demonstrated.
I repeat: for general postings, we have to come up with a way to provide
anonymity while retaining a return path. Otherwise chaos ensues, just
look at the most blatant misuses of anon postings witnessed recently!
> P.S. - My, the list has sure been lively today. Looks like we beat
> Extropians again on volume!
Yeah... Haven't ben able to get away from my machine to have my morning
shower yet (it's 10:30am in Finland).
Julf