
Re: anon.penet.fi hacking




> Well, I think I have deduced the identity of "Deadbeat" from his posting
> style.  I don't think Julf should say who he is.  This was an important
> demonstration of a weakness in the security of the remailers.

Definitely!

> The Penet remailer seems now to require a password for all messages; at
> least, I wasn't able to send to [email protected] ("Deadbeat") without
> using my password.  So chaining through Cypherpunks remailers to Penet would
> seem not to be possible now.

Unless you include your password in the message! Remember that
anon.penet.fi can pick up the X-Anon-To: and X-Anon-Password: lines from
the start of the message text - they don't have to be header fields.

> Unless Eli's suggestion works - having our remailers put out a random
> "From:" line (perhaps just on mail to Penet?) might cause Penet to issue a
> new pseudonym for that apparent new user.  This would be kind of wasteful
> from Penet's perspective - all those pseudonyms are never going to be
> re-used.  But it might allow this form of chaining, without compromising the
> pseudonym of the remailer operator.

The social implications are more important.

> Another possibility would be for there to be a command to Penet to allow
> users to send truly anonymous mail, mail which does not have a meaningful
> "From" line (and in particular which does not have the user's Penet
> pseudonym displayed as the "From" address).  We could set our remailers to
> use that command for any mail sent to Penet.  Mail sent with that command
> would not need a password.  This would be an alternative way for users to
> deal with some of the other attacks, such as the one Deadbeat demonstrated.

I repeat: for general postings, we have to come up with a way to provide
anonymity while retaining a return path. Otherwise chaos ensues, just
look at the most blatant misuses of anon postings witnessed recently!

> P.S. - My, the list has sure been lively today.  Looks like we beat
> Extropians again on volume!

Yeah... Haven't been able to get away from my machine to have my morning
shower yet (it's 10:30am in Finland).

	Julf