| By Declan McCullagh |
| Article pulled from Security-Protocols |
|
Given this paper's Rimmesque, hysterical tone, unsupported
assertions, and
wildly inaccurate conclusions, I'd like to think it's
a joke.
Unfortunately, I think it's for real.
-Declan
// declan@eff.org // I do not represent the EFF // declan@well.com
//
http://www.strassmann.com/pubs/anon-remail.html
Harvard University, Kennedy School of Government
Information Infrastructure Project
Symposium on the Global Information Infrastructure:
Information, Policy & International Infrastructure
Cambridge, MA, January 28-30, 1996
Risk-Free Access Into The
Global Information Infrastructure
Via Anonymous Re-Mailers
by Paul A. Strassmann, US Military Academy, West Point;
and Senior
Advisor, SAIC and William Marlow, Senior Vice President,
Science
Applications International Corporation (SAIC)
Quoted portions are excerpted from Raph Levien's Remailer
List.
----------------------------------------------------------------------------
The Context
By far the greatest threat to the commercial, economic
and political
viability of the Global Information Infrastructure will
come from
information terrorists. Information terrorism has ceased
to be an amateur
effort and has migrated into the hands of well organized,
highly trained
expert professionals. Information terrorist attacks can
be expected to
become a decisive element of any combined threat to the
economic and social
integrity of the international community. Nations whose
life-line becomes
increasingly dependent on information networks should
realize that there is
no sanctuary from information-based assaults. Commercial
organizations,
especially in telecommunications, finance, transportation
and power
generation offer choice targets to massive disruption.
Information terrorism, as a particularly virulent form
of information
warfare, is a unique phenomenon in the history of warfare
and crime. For the
last two hundred years the theory of warfare has been
guided by
"force-exchange" equations in which the
outcome was determined by the rate
of attrition of each opposing force. In information attacks
these equations
do not apply because the attacker remains hidden and cannot
be retaliated
against.
Since biblical times, crimes have been deterred by the
prospects of
punishment. For that, the criminal had to be apprehended.
Yet information
crimes have the unique characteristic that apprehension
is impossible, since
even identification of the criminal is not feasible. Information
crimes can
be committed easily without leaving any telltale evidence
such as
fingerprints, traces of poison or bullets.
Changes Introduced By Anonymous Re-Mailers
The introduction of Anonymous Re-mailers into the Internet
has altered the
capacity to balance attack and counter-attack, or crime
and punishment. The
widespread use and easy access to acquiring the capacity
to launch anonymous
messages and software has so far not received adequate
attention from a
policy and legal standpoint. This topic is sufficiently
technical that it
has been largely avoided by experts who have so far concentrated
on debating
social, legal, political and economic consequences of
the Global Information
Infrastructure. Yet, unless there is a thorough understanding
of the
technologies that make the Anonymous Re-mailers sources
of a pathological
danger, there is little hope that effective preventive
measures and
safeguards can be put in place.
In many respects, the avoidance of technical discussions
about some of the
pathological aspects of the Internet remind me of the
state of medical
diagnosis prior to the recognition that bacteriology,
prophylactics and
inoculation can be only applied following the acceptance
of rigorous,
analytic and experimental disciplines.
Our Agenda
The purpose of this paper is to bring to the attention
of policy-makers some
of the relevant facts about Anonymous Re-mailers. All
of the material quoted
here comes from public sources which are easily accessible
to anyone. The
wide-spread current uses of Anonymous Re-mailers should
be sufficient
warning that this topic cannot be considered any more
as something hidden,
confidential or inappropriate for public discussion.
We find many similarities in the initial denials to the
threats from AIDS by
the medical and public health establishment. We are dismayed
by the
avoidance of a candid assessment by public officials about
the vulnerability
of the Global Information Infrastructure to destructive
information
epidemics. The purpose of this paper is to increase the
awareness of
potentially deadly risks that may inhibit the potential
gains from the
creation of a global information community.
What Is A Re-Mailer?
A re-mailer allows anyone to post messages to newsgroups
or to individuals
while remaining anonymous. The identity of the sender
is hidden from the
recipient and remains practically untraceable.
An anonymous re-mailer is a program that runs on a computer
somewhere on the
Internet. When you send mail to the re-mailer address,
the re-mailer takes
your name and your address off of the mail message and
forwards it to its
next destination. The recipient gets mail that has no
evidence of where it
originally came from, at least not in the headers. You
might give away your
secret identity in the body of the message, but that would
be the sender's
own fault.
Anonymous re-mailers can be "chained" so that a message
is passed on from
one anonymous re-mailer to another, in two or more separate
anonymous "hops"
as a way of making physical tracing or monitoring increasingly
difficult.
One of the most prominent anonymous re-mailers is <anon.penet.fi>
is in
Finland. It is frequently used by the Russian (ex-KGB)
criminal element.
<Anon.penet.fi> assigns a
numeric identification to each address from which
it receives mail. Internet recipients can reply to that
secret number.
<anon.penet.fi> will also assign
to them another anonymous number, and then
forward the reply. This creates a double-blind situation
where two people
could have an ongoing exchange and never know who the
other person was. This
method of communication is favorite for engaging services
of cybercriminals
and for authorizing payment for their acts through a third
party.
<Anon.penet.fi> can be also used
to post a message to Usenet as well. The
message can be read by thousands of people, and anyone
can send an anonymous
reply to the secret Finnish identity. The readers of this
paper can easily
avail themselves of these services without any special
training. Detailed
instructions for the use of a remailer service are usually
included in the
"help" software posted in the remailer's
files. For example:
To get an anonymous
re-mailer address follow the following
instruction.
First, you should send mail to: <help@anon.penet.fi>.
You'll get back a nice help file automatically.
Next, send mail to
<ping@anon.penet.fi>.
This will allocate your number--from now on
you'll be something like <anXXXXXX@anon.penet.fi>,
where XXXXXX is
your number. Once you have received
your anonymous address you can
use it like your
normal e-mail address.
These capabilities are not trivial, but a source of an
exhaustive body of
software and communications know-how which can be learned
best by consulting
one of the many tutorials about this topic, such as<ftp.csua.berkeley.edu:
/pub/cypherpunks/re-mailer/hal's.remailer.gz>:
Cyberpunk re-mailers allow a person to send mail with
no trace of identity.
To use a re-mailer simply do the following:
* Add the header Request-Remailing-To: and sending
to one of the
addresses listed below. These
headers must be typed in exactly. Mail
without
these headers is either rejected or delivered to the re-mailer
administrators.
* If you cannot add
the required headers, place two colons (::) on the
very first line of your message, then on the next
line type
Request-Remailing-To: and the address
you want to send anonymously to.
* Skip a line,
and then begin the message. By using this method you can
send the message through more than one re-mailer
which will certainly
ensure that it will be
anonymous.
* Many re-mailers only allow one recipient
per message. A number of
standard Cyberpunk
Re-mailers are available.
There is a wealth of easily accessible step-by-step instructional
material
available on the Internet how to use re-mailers and how
to evade
countermeasures or possibility of detection from any source.
Re-mailer
operators are in frequent contact with each other and
exhibit many of the
fraternal habits that previously were shared between amateur
radio
operators. Some of the most interesting sources of information
are:
AndrZ Bacard's anonymous re-mailer FAQ is an excellent
nontechnical
introduction.
For a different take on Net anonymity, see L.Detweiler's
home page.
Tools
* Private Idaho is an anonymous re-mailer
utility for Windows, supporting
PGP, the cypherpunks
re-mailers, and Mixmaster, and the <alpha.c2.org>
alias server. It too automatically configures
itself based on this
re-mailer list.
* <ChainMail> is a re-mailer chaining utility for
Mac users, by Jonathan
Rochkind. To use it,
you need Eudora, MacPGP, and applescript, in
addition to a number of applescript scripting additions.
* <Privtool> is a PGP-aware mailer that
also supports Mixmaster.
* The Community ConneXion
has put the Web-premail gateway on its SSL
server.
That means that you can send anonymous email from the
Web
without exposing your message in the clear
on the connection between
your Web browser and
the gateway.
* Sameer Parekh's NEXUS Berkeley
/ Community ConneXion has a web page set
up
for sending anonymous mail from your Web client.
* Michael Hobbs has set up Web gateway to premail.
Now you can send
anonymous email directly from
your Web browser. Don't use this for
extremely
sensitive stuff, though, because it isn't quite as secure
as
running premail yourself (in particular,
the connection between your
Web browser and
the gateway is not encrypted).
* A good source
for re-mailer information is the Anonymity, re-mailers,
and your privacy page compiled by "Galactus".
This is also the best
place to look for information
about anon.penet.fi.
* Matt Ghio's re-mailer list
is available by fingering
re-mailer.help.all@chaos.taylored.com.
This file also has all the
public keys for PGP-friendly
re-mailers. Matt also has a pinging
service
similar to this one, available by fingering
re-mailer-list@chaos.taylored.com.
* Chaos is
having problems getting recognized on the Net. Try
re-mailer.help.all@204.95.228.28 and see if that
works any better.
Newer information can be gotten
by sending mail to
mg5n+re-mailers@andrew.cmu.edu.
* Help for the Alpha alias server (also available
in a plain email
version. This is the best way
to create an alias for anonymous replies
to
mail. Not only is it the most cryptographically secure,
but you get
to pick the alias nickname of your
choice. The email addresses are of
the form
<alias@alpha.c2.org>. Highly recommended.
* Usura's home page has a bunch of re-mailer related stuff
on it,
including a help page on chaining re-mailers.
* The Armadillo re-mailer now has its own Web
page.
* Crown re-mailer help and statistics.
* Ecafe re-mailer has its own Web page, including quickie
info about how
to use the re-mailer without
encryption or any other extras.
Other resources
* You want to send secure
mail to someone, but don't know their key.
Where
are you going to get it? Try the keyserver at MIT.
* Vince Cate's Cryptorebel and Cypherpunk page has
pointers to lots of
cypherpunk resources.
* John Perry's jpunix page has info on his MX service
for hidden
re-mailers, as well as cool links
for Mixmaster and other stuff.
* Lance Cottrell's
home page, which has his Chain script, the Mixmaster
re-mailer client (including Sun binaries!) as well
as other cypberpunk
related topics.
* Vince Gambino's re-mailer page has a good collection
of re-mailer help
files.
Where Do You Find Re-Mailers?
Computers that offer remailing capabilities are operated
by individuals or
organizations as a public service, almost always at no
charge because it
costs so little to set one up. They are available globally.
We offer a
partial list of re-mailers:
$remailer{"extropia"}
= "<remail@extropia.wimsey.com> cpunk pgp
special";
$remailer{"portal"} = "<hfinney@shell.portal.com>
cpunk pgp hash";
$remailer{"alumni"} = "<hal@alumni.caltech.edu>
cpunk pgp hash";
$remailer{"bsu-cs"} = "<nowhere@bsu-cs.bsu.edu>
cpunk hash ksub";
$remailer{"c2"} = "<remail@c2.org>
eric pgp hash reord";
$remailer{"penet"} = "<anon@anon.penet.fi>
penet post";
$remailer{"ideath"} = "<remailer@ideath.goldenbear.com>
cpunk hash
ksub reord";
$remailer{"hacktic"}
= "<remailer@utopia.hacktic.nl> cpunk mix pgp
hash latent cut post ek";
$remailer{"flame"}
= "<remailer@flame.alias.net> cpunk mix pgp.
hash latent cut post ek reord";
$remailer{"rahul"}
= "<homer@rahul.net> cpunk pgp hash filter";
$remailer{"mix"} = "<mixmaster@remail.obscura.com>
cpunk mix pgp
hash latent cut ek ksub reord
?";
$remailer{"syrinx"} = "<syrinx@c2.org>
cpunk pgp hash cut reord
mix post";
$remailer{"ford"} = "<remailer@bi-node.zerberus.de>
cpunk pgp hash
ksub";
$remailer{"hroller"}
= "<hroller@c2.org> cpunk pgp hash latent
ek";
$remailer{"vishnu"} = "<mixmaster@vishnu.alias.net>
cpunk mix pgp.
hash latent cut ek ksub reord";
$remailer{"robo"} = "<robo@c2.org> cpunk
hash mix";
$remailer{"replay"} = "<remailer@replay.com>
cpunk mix pgp hash
latent cut post ek";
$remailer{"spook"} = "<remailer@valhalla.phoenix.net>
cpunk mix
pgp hash latent cut ek reord";
$remailer{"rmadillo"} = "<remailer@armadillo.com>
mix cpunk pgp
hash latent cut";
$remailer{"ecafe"}
= "<cpunk@remail.ecafe.org> cpunk mix";
$remailer{"wmono"} = "<wmono@valhalla.phoenix.net>
cpunk mix pgp.
hash latent cut ek";
$remailer{"shinobi"} = "<remailer@shinobi.alias.net>
cpunk mix
hash latent cut ek reorder";
$remailer{"amnesia"} = "<amnesia@chardos.connix.com>
cpunk mix pgp
hash latent cut ek ksub";
$remailer{"gondolin"} = "<mix@remail.gondolin.org>
cpunk mix pgp
hash latent cut ek reord";
$remailer{'alpha'} = '<alias@alpha.c2.org>
alpha pgp';
$remailer{'gondonym'} = '<alias@nym.gondolin.org>
alpha pgp';
Much of the knowledge about the
characteristics of these
re-mailers is available
from <remailer-list@kiwi.cs.berkeley.edu>
Role Of Encryption
For added protection, users of Anonymous Re-mailers tend
to encrypt their
messages just in case one of the remailing links are compromised.
PGP
(Pretty Good Privacy) encryption is favored because it
is freely available
and easy to use. A typical digital signature would look
like this:
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMPDy4WV5hLjHqWbdAQEqYwQAm+o313Cm2ebAsMiPIwmd1WwnkPXEaYe9
pGR5ja8BKSZQi4TAEQOQwQJaghI8QqZFdcctVYLm569I1/8ah0qyJ+4fOfUiAMda
Sa2nvJR7pnr6EXrUFe1QoSauCASP/QRYcKgB5vaaOOuxyXnQfdK39AqaKy8lPYbw
MfUiYaMREu4=
=9CJW
-----END
PGP SIGNATURE-----
For responses the sender will choose a passphrase. This
phrase will be used
to encrypt messages sent back to you. The encryption will
be single-key
encryption, not PGP's normal public-private key encryption.
The reason for
this is that public key encryption is usually not necessary
in such cases.
Single-key encryption does not require a database (such
as in the widely
used <anon.penet.fi> database for mapping aliases
onto addresses), thus
increasing the security of communications among anonymous
users.
When a recipient responds to the e-mail, his response
will be encrypted with
the sender's pass-phrase. The sender can read the response
by saving it to a
file and using PGP on it. PGP will ask for the passphrase,
enter the
sender's reply, which will make it possible for the recipient
to see the
response to the e-mail. This feature allows both parties
to be securely
encrypted, protecting privacy and anonymity in both directions.
How Reliable Are The Re-Mailers?
The knowledge about the characteristics, reliability and
trustworthiness of
re-mailers is widely distributed through various bulletin
boards. These are
consulted by persons deeply immersed in Internet-related
developments. There
is an agile and very active global community that keeps
track of the average
latency time, uptime of frequently used re-mailers. They
post their
findings, which in many cases is superior to what a commercial
customer is
likely to find out about their own data center performance,
or about the
service quality offered by Compuserve, America-On-Line
of Prodigy. Here is
an excerpt from such a bulletin:
hacktic remailer@utopia.hacktic.nl **** *******
7:10 99.85%
c2 remail@c2.org -.-++ ++-.-+
2:10:42 99.83%
rmadillo remailer@armadillo.com +++++ ++++++
37:03 99.69%
flame remailer@flame.alias.net ** * *******
14:55 99.64%
mix mixmaster@remail.obscura.com _ _-__...-++
17:40:48 99.21%
amnesia amnesia@chardos.connix.com -+ +--+---
2:04:43 99.20%
ecafe cpunk@remail.ecafe.org ## ##-## #--
1:26:54 99.06%
extropia remail@extropia.wimsey.com .- -.----_.
13:48:11 99.04%
replay remailer@replay.com + +** *****
5:36 98.84%
shinobi remailer@shinobi.alias.net -- -- - - +
54:43 98.78%
spook remailer@valhalla.phoenix.net * ***** - *
35:07 98.36%
vishnu mixmaster@vishnu.alias.net ** #-*#
7:44 98.20%
bsu-cs nowhere@bsu-cs.bsu.edu # # ##.#
28:07 97.78%
gondolin mix@remail.gondolin.org - --_.----
9:45:55 97.62%
wmono wmono@valhalla.phoenix.net ** * *
12:23 97.57%
hroller hroller@c2.org #*+### -.. #
1:37:24 96.71%
ford remailer@bi-node.zerberus.de ._...--._.
21:21:22 95.83%
portal hfinney@shell.portal.com ########*#
27:36 95.55%
alumni hal@alumni.caltech.edu # # * +
25:47 95.29%
penet anon@anon.penet.fi . -- --
13:55:20 87.78%
rahul homer@rahul.net +* *+**+* #
4:34 93.71%
robo robo@c2.org #-##
5:59 27.86%
History key
# response in less than 5 minutes.
* response in less than 1 hour.
+ response
in less than 4 hours.
- response in less than 24
hours.
. response in less than 2 days.
Specialization Of Services
The operators of various re-mailers are specialized in
that they cater to
select communities of Internet dwellers. They offer unique
services to
customers who are seeking different degrees of anonymity.
Cognoscenti in the
field can readily identify remailers who offer meets diffferent
tastes and
preferences. Here is an example of remailer characterizations:
<cpunk> A major class of remailers.
Supports Request-Remailing-To:
field.
<eric> A variant of the cpunk style. Uses Anon-Send-To:
instead.
<penet> The third class of remailers
(at least for right now).
Uses X-Anon-To: in
the header.
<pgp> Remailer supports encryption
with PGP. A period after the
keyword means that
the short name, rather than the full email
address,
should be used as the encryption key ID.
<hash>
Supports ## pasting, so anything can be put into the
headers of outgoing messages.
<ksub>
Re-mailer always kills subject header, even in non-pgp
mode.
<nsub> Re-mailer always
preserves subject header, even in pgp
mode.
<latent> Supports Matt Ghio's Latent-Time:
option.
<cut> Supports Matt Ghio's Cutmarks:
option.
<post> Post to Usenet using Post-To:
or Anon-Post-To: header.
<ek> Encrypt
responses in reply blocks using Encrypt-Key: header.
<special> Accepts only pgp encrypted messages.
<mix> Can accept messages in Mixmaster
format.
<reord> Claims to foil traffic
analysis by reordering messages.
<mon>
Re-mailer has been known to monitor contents of private
email.
<filter> Re-mailer has
been known to filter messages based on
content.
If not listed in conjunction with <mon>, then only
messages destined for public
<alpha>
Supports nyms according to the protocol used by
alpha.c2.org. This list will be featuring reliability
and latency
measurements soon for these nymservers.
A fascinating example of specialization is a re-mailer
service advertising
the capacity to defeat "traffic analysis" used by intelligence
agencies. All
mail to each destination is first sent through <remail@sitename>
which is a
standard "cypherpunk" re-mailer with PGP with a few added
features. The
outgoing mail is not forwarded immediately upon receipt.
Outgoing messages
are stored in a pool until five minutes after each hour,
when all messages
in the pool are re-transmitted in a random order, ignoring
the order in
which they came in. Each message from the re-mailer is
sent through a random
path of other re-mailers in the re-mailernet. This usually
involves between
five to 20 "hops" from one re-mailer to another. In each
case care is taken
for at least one of the "hops" to be in a country with
especially relaxed
laws concerning electronic messages. Such measures would
greatly complicate
any tracing that may be contemplated by a law-enforcement
agency.
Why Re-Mailers?
E-mail is as fast and casual as a voice phone call, but
can be stored and
retrieved with infinitely greater efficiency than paper
letters or taped
conversations. An e-mail message can be re-broadcast the
world over, by
anyone who comes across a copy of the transmission. Parts
of any message can
be extracted, edited and easily modified. Meanwhile, the
e-mail address of
the originator remains a label of its origin. If the storage
of that message
is not protected - and it rarely is - it can be accessed
by anyone who takes
the trouble to rummage through any of the many archived
computer records
that may have received such message. A casual e-mail exchange,
with an
identifying address, can be then used to compromise the
originator. As
e-mail traffic takes over an ever increasing share of
personal
communications, inspection of e-mail traffic can yield
more comprehensive
evidence than just about any wire-tapping efforts. E-mail-tapping
is less
expensive, more thorough and less forgiving than any other
means for
monitoring personal communications. Without protection
of privacy, browsing
through e-mail archives would become the preferred way
for gathering
evidence in law enforcement cases. It would also be used
as the favorite
means for collecting incriminating statements by lawyers
engaged in civil
litigation.
In casual e-mail exchanges it is easy to make an error.
When the message is
archived it could be used to haunt a person for decades
afterwards. A
message intended for a particular individual may be passed
on to hundreds or
even thousands of others. Unless its origin is anonymous,
all e-mail can be
traced through identifying addresses that preserve the
name of the
originator - as well as the names of those who forwarded
it - wherever the
message traversed. Unless a message is handled anonymously,
a trace is left
about everyone who received it or passed it on. It would
be like a letter
that not only identifies the name and address of its author,
but also
fingerprints of anyone who ever touched it.
It is one of the fundamental strengths of the Internet
that it offers an
almost universal capacity for free expression of ideas.
A person's opinions
can be sent anywhere in the world in a matter of minutes,
with the
originator's name displayed at the top. Is it consistent
with the rights to
individual privacy and freedom of expression to have one's
name clearly
associated with a message than may be easily disseminated
to unintended
recipients?
The issues here are the rights to the freedom of speech
and to the rights to
personal privacy. Having the right to free speech may
work well in the case
of verbal expression, but it may cease to have its intended
purpose in face
of retaliation that may take place decades later. In a
system that
theoretically can have infinitely large memory and indefinitely
long
remembrance, the freedom of expression and become abused
and perverted by a
government that does not respect individual rights.
With the widespread acceptance of Internet-mediated communications
it was
recognized that the simplest way of securing privacy is
through anonymity.
That's how anonymous re-mailers came into being. Given
the technical
characteristics of Internet, there is nothing to prevent
anyone to set up a
private (or public) anonymous remailing service. Any attempt
to prohibit or
regulate the use of anonymous re-mailers is technically
unfeasible. In a
democratic society it becomes politically unacceptable
to suppress remailers
as potential sources of criminal acts. Such absolute prohibitions
would
never pass through a legislative process in a free society.
Conclusion
Anonymous re-mailers are here to stay. Like in the case
of many virulent
diseases, there is very little a free society can do to
prohibit travel or
exposure to sources of infection. The best one can do
is to start treating
the pathologies inherent in the Internet in the same way
as we have learned
to deal with infectious epidemics. That calls for constructing
new
institutions and processes that are analogues to inoculation,
immunization,
prophylactics, clean water supply, sewers, hygiene, early
detection of
outbreaks of diseases, quarantine, the offices of health
examiners, the
Center of Disease Control and the World Health Organization.
The introduction of most of these restrictive means, imposed
mostly by
government, were often opposed by those who saw in public
health injunctions
infringement of individual rights. In due course an informed
electorate
found it expedient to accept most of the sanitary measures
for disease
control a bargain that was well worth it.
The history of public health teaches us that suppression
of any disease must
be preceded by a thorough understanding of its behavior,
its method of
transmission and how it creates its own ecology. As in
the case of smallpox,
yellow fever, flu epidemics, AIDS or malaria, it will
take disasters before
the public may accept that some forms of restrictions
on the electronic
freedom of speech and privacy may be worthwhile.
It was the purpose of this paper to explain the characteristics
of anonymous
remailers as one of the potential sources of infectious
threats to the
well-being of our information-based civilization. We trust
that this will be
seen as a useful contribution to an already raging debate
of how to find a
balance between the desirable and the dangerous.
Paul@Strassmann.com and William_Marlow@cpqm.saic.com will
be pleased to
respond to identifiable commentators on the points of
view expressed herein
|
|
