[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Need to Declare Policies on Remailer Record-Keeping
Tim said:
> It would be nice if the operators of the current remailers made clear
> their archiving/record-keeping policies on remailer traffic.
Here's the policy paragraph from my remailer blurb:
--------------------
Policy, security, and legal cruft:
The remailer has the capability to log source and destination
addresses, as well as full message text. This is presently turned
off. If I need to debug some weirdness, though, I'll turn it on
again. I cannot guarantee, for both technical and political
reasons, that anonymous mail will be secure. In particular, I
explicitly disclaim the security of messages which are in themselves
harmful and illegal, such as extortion and libel. I will block mail
from my remailer to any particular address upon request of its
owner. I may request some form of verification, to thwart
denial-of-service attacks based on this mail blocking.
By sending a message through my remailer, you are trusting me,
like it or not. I could be a sting operation, or a blackmailer
gathering information -- it *will* happen eventually. If you do not
trust me, ask someone you do trust to do the remailing.
Please remember that anti-social behavior or truly excessive
traffic through the remailer will probably cause my sysadmins to
ask me to remove it. Thank you for being polite. Please ask me
if you have any questions.
------------------------------
Addenda to the above: I do keep usage logs ("date >>log"), which
perhaps I should mention. jarthur is not my machine (fortunately!),
so it keeps mail logs and I can't do anything about it (unless we
make the remailers avoid getting logged in the first place...). I'd
like to run a personal linux box, but I really can't unless somebody
would like to give me a second machine.
The muttering about "disclaiming the security" of extortion
threats is pretty much moot, because I can't do do any outing unless
somebody says "I'm going to extort an upstanding citizen through
your server; please turn logging on."
Mail logs are a problem, because lots of machines keep them and most
remops (uh, that coinage is a lose) can't fix this. I think that
the user-mode orientation of the remailer package should extend to
letting J. User install it and *have it be secure*, too. Really,
anonymity with mail logs is security only through obscurity.
I presume you can do socket coding in perl. It should be possible
to have the remailer interpret mailings to "<keyword>@<machine>" to
mean "open a socket to the remailer on <machine> and dump the message
to it." The remailers do their own mail handling; all the transport
system does is dump it in their laps. To fix logging on the final
transmission to the recipient would require batching, which if most
people get sufficient traffic (I don't) might be preferable to this
whole mess.
Eli [email protected]