[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

ANON: revealing penet id



Hm...

this topic seems to come up every few months - just today I was
reading the newest Risks digest and an32153 (or something like that)
was announcing the "risk" of using penet.  I mailed off a submission
describing how to avoid this.  I think people don't know about this
because it isn't published anywhere.  Or is it?

Maybe somebody could help Julf out and offer to write a new help file
that specifically mentions the an/na trick.  Last time I looked at the
penet help file, this wasn't mentioned.

It only takes a bit of work to avoid blowing your id - you just can't
hit 'r' and reply to the addressee; instead you must type in the
address manually (and be sure to type na#### instead of an####).  Last
week I responded to some email from a penet user.  I was careful to
respond to na####, or penet would have allocated me an id for
[email protected] (since I don't have one for this account) and
thus someone would have been able to correlate my penet id and this
account.  As a matter of fact, I think that I revealed the penet id
for an old account of mine ([email protected]) this exact way,
although this was before the an/na functionality.

-- 
Karl L. Barrus: [email protected]         
keyID: 5AD633 hash: D1 59 9D 48 72 E9 19 D5  3D F3 93 7E 81 B5 CC 32 

"One man's mnemonic is another man's cryptography" 
  - my compilers prof discussing file naming in public directories