Re: RESULT: comp.org.cauce passes 548:122




Jari Aalto -- AT poboxes.com <[email protected]> wrote:

> | Anon.penet.fi was *NOT* an anonymous remailer, though.  It was a "pseudonym
> | server".  The fact that it maintained a database by which posts could be
> | "traced back to a real address" is the main reason why it's no longer in
> | operation.
>    
> You give the wrong impression about PENET, which was, after all, the first
> anonymous service. There are levels of anonymity. For the penet story,
> refer to this:
> 
> http://www2.thecia.net/users/rnewman/scientology/anon/penet.html

I'm not knocking the anon.penet.fi experiment.  We've all learned a lot from
it.  Let's not forget those lessons.

The same attack has been tried on two different remailers.  In 1996, the
anon.penet.fi remailer was the subject of an attack by the Co$.  As part of
that attack, the remailer's database which linked the "anonymous" accounts
to their actual holders. The operator valiantly defended the integrity of
that database, and it was not compromised.  But the potential was certainly
there.

This year, Jeff Burchell's "Huge Cajones Remailer" came under attack.
Alleging "abuse" involving that remailer, Gary Burnore and Belinda Bryan of 
DataBasix demanded that Jeff turn over ALL his logs to them.  Fortunately, 
Jeff wisely kept no such logs.  Even though the remailer was eventually 
harassed out of existence, the privacy of its users was preserved because the 
information the attackers demanded simply wasn't there to demand.  That's a 
wise idea for the same reason that retail merchants remove the cash from 
their cash registers when they're closed, leaving the cash drawers unlocked.  
There's less temptation to stage an attack if you know in advance that you 
won't get what you're seeking (the identity of someone you'd like to 
silence, for example) by staging such an attack.  Any operator that keeps 
identifying information is inviting litigation, or worse.  If you're an ISP 
and are making money, then perhaps that risk is justified.  But you can't 
expect a volunteer operator of a free remailer to take such a risk for 
nothing.

You're right.  For those who only need a superficial level of "anonymity"
and don't really care if their identity is eventually revealed publicly,
some of the alternatives such as Hotmail would perhaps suffice.  But that's
a decision best left to the user, and not to be mandated by others with a
lesser stake in the consequences.

--