ú Subject: Privacy & Anonymity on the Internet FAQ Archive-name: net-privacy Last-modified: 1993/2/3 Version: 1.0 IDENTITY, PRIVACY, AND ANONYMITY on the INTERNET ================================================ (c) 1993 L. Detweiler. Not for commercial use except by permission from author, otherwise may be freely copied. Not to be altered. Please credit if quoted. SUMMARY ======= Information on email and account privacy, anonymous mailing and posting, file encryption, and other privacy issues associated with use of the Internet and global networks in general. QUESTIONS ========= (Search for <#.#>.) IDENTITY -------- <1.1> What is `identity' on the internet? <1.2> Why is identity (un)important on the internet? <1.3> How does my email address identify me and my background? <1.4> How can I find out more about somebody from their email address? <1.5> Why is identification unstable on the internet? <1.6> What is the future of identification on the internet? PRIVACY ------- <2.1> What is `privacy' on the internet? <2.2> Why is privacy (un)important on the internet? <2.3> How private/secure is my account? <2.4> How private/secure is my email? <2.5> How do I provide more/less information to others on my identity? <2.6> Who is my sysadmin? What does s/he know about me? <2.7> Why is privacy unstable and nonexistent on the internet? <2.8> What is the future of privacy on the internet? ANONYMITY --------- <3.1> What is `anonymity' on the internet? <3.2> Why is `anonymity' (un)important on the internet? <3.3> How can anonymity be protected on the internet? <3.4> How do I send anonymous mail? <3.5> How do I post anonymously? <3.6> Why is anonymity unstable and nonexistent on the internet? <3.7> What is the future of anonymity on the internet? MISCELLANEOUS ------------- <4.1> What is ``digital cash''? <4.2> What is a ``hacker'' or ``cracker''? <4.3> What is a ``cypherpunk''? <4.4> What new standards are needed to guard electronic privacy? RESOURCES --------- <5.1> How can I run an anonymous remailer? <5.2> What is the cypherpunks mailing list? <5.3> What are some privacy-related newsgroups? FAQs? <5.4> What is the MIT ``CROSSLINK'' anonymous message TV program? <5.5> What are the standards for internet Privacy Enhanced Mail (PEM)? <5.6> What UNIX utilities are related to privacy? <5.7> How cam I learn about or use cryptography? FOOTNOTES --------- <6.1> Most Wanted list <6.2> Change history * * * IDENTITY ======== _____ <1.1> What is `identity' on the internet? Generally, today people's `identity' on the internet is primarily determined by their email address in the sense that this is their most unchanging 'face' in the electronic realm. This is your login name qualified by the complete address domain information, for example ``ld231782@longs.lance.colostate.edu''. People see this address when receiving mail or reading USENET posts from you and in other situations where programs record usage. Some obsolete forms of addresses (such as BITNET) still persist. In email messages, additional information on the path that a message takes is prepended to the message received by the recipient. This information identifies the chain of hosts involved in the transmission and is a very accurate trace of its origination. This type of identify-and-forward protocol is also used in the USENET protocol to a lesser extent. Forging these fields requires corrupted mailing software at sites involved in the forwarding and is very uncommon. Not so uncommon is forging the chain at the origination point, so that all initial sites in the list are faked at the time the message is created. Tracing these messages can be difficult or impossible when the initial faked fields are names of real machines and represent real transfer routes. _____ <1.2> Why is identity (un)important on the internet? The concept of identity is closely intertwined with communication, privacy, and security, which in turn are all critical aspects of computer networks. For example, the convenience of communication afforded by email would be impossible without conventions for identification. But there are many potential abuses of identity possible that can have very severe consequences, with massive computer networks at the forefront of the issue, which can potentially either exacerbate or solve these problems. Verifying that an identity is correct is called `authentication', and one classic example of the problems associated with it is H.G.Well's ``War of the Worlds'' radio broadcast that fooled segments of the population into thinking that an alien invasion was in progress. Hoaxes of this order are not uncommon on Usenet and forged identities makes them more insideous. People and their reputations can be assaulted by forgery. However, the fluidity of identity on the internet is for some one of its most attractive features. Identity is just as useful as it is harmful. A professor might carefully explain a topic until he finds he his talking to an undergraduate. A person of a particular occupation may be able to converse with others who might normally shun him. Some prejudices are erased, but, on the other hand, many prejudices are useful! A scientist might argue he can better evaluate the findings of a paper if he knows more about the authors. Likewise, he may be more likely to reject it based on unfair or irrelevant criteria. Identity is especially crucial in establishing and regulating `credit' (not necessarily financial) and `ownership' and `usage'. Many functions in society demand reliable and accurate techniques for identification. Heavy reliance will be placed on digital authentication as global economies become increasingly electronic. Many government functions and services are based on identification, and law enforcement frequently hinges on it. Hence, employees of many government organizations push toward stronger identification structures. But when does identification invade privacy? The growth of the internet is provoking social forces of massive proportions. Decisions made now on issues of identity will affect many future users, especially as the network becomes increasingly global, universal, widespread, and entrenched; and the positive or adverse affects of these actions, intended and inadvertent, will literally be magnified exponentially. _____ <1.3> How does my email address identify me and my background? Your email address may contain information that influences people's perceptions of your background. The address may `identify' you as from a department at a particular university, an employee at a company, or a government worker. It may contain your last name, initials, or cryptic identification codes independent of both. In the US some are based on parts of social security numbers. Others are in the form 'u2338' where the number is incremented in the order that new users are added to the system. Standard internet addresses also can contain information on your broad geographical location or nationhood. However, none of this information is guaranteed to be correct or be there at all. The fields in the domain qualification of the username are based on rather arbitrary organization, such as (mostly invisible) network cabling distributions. The only point to make is that early fields in the address are more specific (such as specific computer names or local networks) and the later ones the most general (such as continental domains). Typically the first field is the name of the computer receiving mail. Gleaning information from the email address alone is sometimes an inspired art or an inconsistent and futile exercise. (For more information, see the FAQs on email addresses and known geographical distributions below.) However, UNIX utilities exist to aid in the quest (see the question on this). Examples -------- jamison@csd4.csd.uwm.edu User named 'jamison' with university identified by `uwm', probably in the computer science department. fred@inode.com User named 'fred' at the commercial company identified as 'inode'. microman@black.ox.ac.uk An alias 'microman' for someone in the United Kingdom, possibly Oxford. _____ <1.4> How can I find out more about somebody with a given email address? One simple way is to send email to that address, asking. Another way is to send mail to the postmaster at that address (i.e. postmaster@address), although the postmaster's job is more to help find user ID's of particular people given their real name and solve mail routing problems. The sysadmin (i.e. `root@address') may also be able to supply information. Users with related email address may have information. However, all of these methods rely on the time and patience of others so use them minimally. One of the most basic tools for determining identity over the internet is the UNIX utility 'finger'. The basic syntax is: finger user@here.there.everywhere This utility uses communication protocols to query the computer named in the address for information on the user named. The response is generated completely by the receiving computer and may be in any format. Possible responses are as follows. - A message `unknown host' meaning some aspect of the address is incorrect, two lines with no information and '???' - A message 'In real life: ???' in which case the receiving computer could not find any kind of a match on the username. The finger utility may return this response in other situations. - A listing of information associated with multiple users. Some computers will search only for matching user IDs, others will attempt to find the username you specified as a substring of all actual full names of users kept in a local database. - At some sites 'finger' can be used to get a list of all users on the system with a `finger @address'. In general this is often considered weak security, however, because `attackers' know valid user ID's to `crack' passwords. More information on the fields returned by `finger' is given below. More information on `finger' and locating people's email addresses is given in the email FAQ. Just as you can use these means to find out about others, they can use them to find out about you. You can `finger' yourself to find out what is publicly reported by your UNIX system about you. Be careful; generally anyone with internet access worldwide can query this information. _____ <1.5> Why is identification unstable on the internet? Generally, identity is an amorphous and almost nonexistent concept on the Internet for a variety of reasons. One is the inherent fluidity of `cyberspace' where people emerge and submerge frequently, and absences are not readily noted in the `community'. Most people remember faces and voices, the primary means of casual identification in the 'real world'. The arbitary and cryptic sequences of letters and digits comprising most email addresses are not particularly noticeable or memorable and far from a unique identification of an individual, who may use multiple accounts on multiple machines anywhere in the world. Currently internet users do not really have any great assurances that the messages in email and USENET are from who they appear to be. A person's mailing address is far from an identification of an individual. First, anyone with access to the account, e.g. they know the password, either legitimately or otherwise, can send mail with that address in the From: line. Secondly, as part of current mailing protocol standards, forging the From: line is a fairly trivial operation for many hackers. Much less forgable is the status and path information prepended to messages by intermediate hosts. However, in general, while possible, forgeries are fairly rare on most newsgroups and in email. Besides these pathological cases there are simple problems with today's internet protocols affecting identification on the internet. Internet mail standards, described in RFC (?), are still evolving rapidly and not entirely orderly. For example, standards for mail address `munging' or `parsing' tend to vary slightly between sites and frequently mean the difference between finding addresses and bouncing mail (in other words, between identifying and contacting someone and not). Also, domain names and computer names are changed at sites. Addresses cannot be resolved when certain critical computers crash, such as the receiving computer or computers involved in resolving names into addresses. A whole slew of problems is associated with the `nameservers' in the latter category; if they are not updated they will not find name addresses, and even the operation of what constitutes `updating' has different interpretations at different sites. The current internet mailing and addressing protocols are slightly anachronistic in that they were created when the network was somewhat obscure and not widespread, with only a fraction of the traffic it now sees. Today a large proportion of internet traffic is email, comprising millions of messages. _____ <1.6> What is the future of identification on the internet? Some new technologies and standards are introducing facial images and voice messages into mail and these will improve the sense of community that comes from the familiarity of identification. However, they are not currently widespread, require large amounts of data transfer, standardized software, and make some compromises in privacy. Promising new cryptographic techniques may make 'digital signatures' and 'digital authentication' common (see below). Also, the trend in USENET standards is toward greater authentication of posted information. On the other hand, advances in ensuring anonymity (such as remailers) are forthcoming. See below. PRIVACY ======= _____ <2.1> What is `privacy' on the internet? Generally, while `privacy' has multiple connotations in society and perhaps even more on the internet, in cyberspace most take it to mean that you have exclusive use and access to your account and the data stored on and and directed to it (such as email), and you do not encounter arbitrary restrictions or searches. In other words, others may obtain data associated with your account, but not without your permission. These ideas are probably both fairly limiting and liberal in their scope in what most internet users consider their private domains. Some users don't expect or want any privacy, some expect and demand it. _____ <2.2> Why is privacy (un)important on the internet? This is a somewhat debatable and inflammatory topic, arousing passionate opinions. On the internet, some take privacy for granted and are rudely surprised to find it tenuous or nonexistent. Most governments have rules that protect privacy (such as the illegal search and seizure clause of the U.S. constitution, adopted by others) but have many that are antithetical to it (such as laws prohibiting secret communications or allowing wiretapping). These rules generally carry over to the internet with few specific rules governing it. However, the legal repercussions of the global internet are still largely unknown and untested (i.e. no strong legal precedents and court cases). The fact that internet traffic passes past international boundaries frequently complicates and discourages its regulation. _____ <2.3> How private/secure is my account? By default, not very. There are a multitude of factors that may reinforce or compromise aspects of your privacy on the internet. First, your account must be secure from other users. The universal system is to use a password, but if it is `weak' (i.e. easy to guess) this security is significantly diminished. Somewhat surprisingly and frighteningly to some, certain users of the system, particularly the administrator, generally have unlimited access regardless of passwords, and may grant that access to others. This means that they may read any file in your account. Furthermore, not universally known, UNIX systems keep fairly extensive accounting records of when and where you logged in, what commands you execute, and when they are executed (in fact, login information is public). Potentially, every keystroke you type could be intercepted by someone else. System administrators make extensive backups that are completely invisible to users which may record the states of an account over many weeks. Erased files can, under many operating systems, be undeleted. Some software exacerbates these problems. For example, the widespread Xwindow system is extremely insecure; anyone with an account on server machine can disrupt the display or read it electronically. There are no protections from this type of access (even the ``access control'' xhost command can be evaded by regular users). Generally, you should expect little privacy on your account. Be aware of the rights associated with your files and directories in UNIX. If the `x' (`execute') right on your parent directory is off for users, groups, and other, these users cannot gain information on anything in your directories. Anything less may allow others to read, change, or even delete files in your home directory. By default most accounts are accessable only to the owner, but the initial configuration varies between sites based on administrator preference. The default file mode specifies the initial rights associated with newly created files, and can be set in the shell. The details of rights implementations tend to vary between versions of UNIX. Consult man pages on `chmod' and `ls'. Examples -------- traver.lance % ls -ld ~ drwx------ 15 ld231782 1536 Jan 31 21:22 /users/ld231782/ Here is a listing of the rights associated with a user's home directory, denoted by `~'. The columns at the left identify what rights are available. The first column identifies the entry as a directory, and the next three columns mean that read, write, and execute rights, respectively, are permitted for that user. For directories, the `x' right means that contents (file and subdirectory names) within that directory can be listed. The subsequent columns indicate that no other users have any rights to anything in the directory tree originating at that point. They can't even `see' any lower files or subdirectories; the hierarchy is completely invisible to them. traver.lance % ls -l msg -rw-r--r-- 1 ld231782 35661 Jan 29 23:13 msg traver.lance % chmod u=rw,g=,o= msg traver.lance % ls -l msg -rw------- 1 ld231782 35661 Jan 29 23:13 msg Here the modes on the file `msg' were changed to take away rights from `group' and `other'. Indepedent of malevolent administrators are fellow users, a much more commonly harmful threat. There are multiple ways to help ensure that your account will not be accessed by others, and compromises can often be traced to failures in these guidelines: - Choose a secure password. Change it periodically. - Make sure to logout always. - Do not leave a machine unattended for long. - Make sure no one watches you when you type your password. - Avoid password references in email. - Be conservative in the use of the .rhost file. - Use utilities like `xlock' to protect a station, but be considerate. Be wary of situations where you think you should supply your password. There are only several basic situations where UNIX prompts you for a password: when you are logging in to a system or changing your password. Situations can arise in which prompts for passwords are forged by other users, especially in cases where you are talking to them (such as Internet Relay Chat). Also, be aware that forged login screens are one method to illegitimately obtain passwords. _____ <2.4> How private/secure is my email? By default, not very. The characters that you are reading are almost certainly encoded in ASCII, the American Standard Code for Information Interchange that maps alphabetic and symbolic characters onto numeric codes and vice versa. Virtually every computer system uses this code, and if not, has ways of converting to and from it. When you write a mail message, by default it is being sent in ASCII, and since the standard is virtually universal, there is no intrinsic privacy. `Theoretically' people at any site in the chain of sites with access to hardware and network media that forwards a given mail message over the Internet (globally about a half-dozen (?) on average, depending on the distances) could potentially compromise the privacy of that message and read it. Technologies exist to `tap' magnetic fields given off by electrical wires without detection. In reality these breaches are generally unlikely and rare, with disturbing but isolated incidents known. Something more common is instances of immature or unscrupulous system operators reading private mail in the `spool files' at a local site (i.e. the ultimate source or destination of the message), such as a university. System administrators may also release files to law enforcement agencies, but protocols for warrants have not been established and tested. Note that bounced messages go to postmasters at a given site in their entirety. This means that if you address mail with an incorrect address it has a good chance of being seen by a human other than the recipient. Typically new user accounts are always set up such that the local mail directory is private, but this is not guaranteed and can be overridden. Finally, be aware that some mailing lists (email addresses of everyone on a list) are actually publicly accessable via mail routing software mechanisms. This `feature' can be disabled. Most potential compromises in email privacy can be avoided with the use of strong cryptography, which has its own set of caveats (for example, unscrupulous administrators may still be a threat if the encryption site is shared or nonlocal). _____ <2.5> How do I provide more/less information to others on my identity? The public information of your identity and account is mostly available though the UNIX utility `finger' described above. You have control over most of this information with the utility `chfn', the amount varying between sites. You can provide unlimited information in the .plan file which is copied directly to the destination during the fingering. Your signature is determined by the environment variable SIGNATURE, and USENET signatures are usually kept in the .signature file in your home directory. Many people put disclaimers in these signatures that don't protect their identity but dissociate it from parent organizations as a precaution. Providing less information is more difficult and involved. One approach is to ask your system adminstrator to change or delete information about you (such as your full name). You may be able to obtain access on a public account or one from someone unrelated to you personally. You may be able to remotely login (via modem or otherwise) to computers that you are not physically near. There are tactics for hiding or masking your online activities but nothing is foolproof. Consult man pages on the 'chmod' command and the default file mode. Generally, files on a shared system have good safeguards within the user pool but very little protection is possible from corrupt system administrators. To mask your identity in email or on USENET you can use different accounts. More untraceable are new `anonymous posting' and remailing services that are very recently being established. See below. _____ <2.6> Who is my sysadmin? What does s/he know about me? The requirements and screening for getting a system administration job (and access to all information on a system) vary widely between sites and are sometimes frighteningly lax, especially at universities. Many UNIX systems at universities are largely managed by undergraduates with a background in computing and often `hacking'. In general, commercial and industrial sites are more strict on qualifications and background, and government sites are extremely strict. The system adminstrator (root user) knows what commands you used and at what times. S/he may have a record of files on your account over a few weeks. S/he can monitor when you send email or post USENET messages, and potentially read either. S/he may have access to records indicating what hosts you are using, both locally and elsewhere. As punishment or whatever, your system can revoke certain `privileges' such as emailing, USENET posting or reading certain groups, file transferring, remote communications, or generally any subset of capabilities available from your account. This all is completely at the discretion of the local administrator and under the local procedures followed at the site (which are generally rather arbitrary). _____ <2.7> Why is privacy unstable and nonexistent on the internet? For the numerous reasons listed above, privacy should not be an expectation with current use of the internet. Furthermore, large parts of the internet are funded by the U.S. NSF (National Science Foundation) which places certain restrictions on its use (such as prohibiting commercial use). Some high-level officials in this and other government agencies may be opposed to emerging techniques to guarantee privacy (such as encryption and anonymous services). However, traffic is generally completely unimpeded on the internet and only the most egregious offenders are pursued. Currently significant portions of USENET traffic, and less so internet traffic, are comprised of digitized images from copyrighted material, including amounts labelled `pornographic' by many. In some cases `abusive' posters to USENET are given admonitions from their system administrators as urged by others on the `net'. However, some argue that this is also used as a questionable means of attacking or silencing `harmless crackpots'. Currently there are virtually no guidelines for restricting use to any internet services and local administrators are free to make arbitrary decisions. Perhaps the most common example of this are the widespread occurrences of university administrators refusing to carry some portion of USENET newsgroups labelled as `pornographic'. The `alternative' hierarchy in the USENET system, which has virtually no restrictions on propagation and new group creation, is frequently targeted (although this material may appear anywhere). _____ <2.8> What is the future of privacy on the internet? Some argue that the internet currently has an adequate or appropriate level of privacy. Others will argue that as a prototype for future global networks it has woefully inadequate safeguards. The internet is growing to become a completely global, international superhighway for data, and this traffic will inevitably entail data such as voice messages, postal mail, and many other items of extremely personal nature. Computer items that many people consider completely private (such as their local hard drives) will literally be inches from global network connections. Also, sensitive industrial and business information is exchanged over networks currently and this volume may conceivably merge with the internet. Most would agree that, for these basic but sensitive uses of the internet, no significant mechanisms are currently in place to ensure much privacy. New standards are calling for uniform introduction of `privacy enhanced mail' (PEM) which uses encryption technologies to ensure privacy, so that privacy protection is automatic, and may significantly improve safeguards. The same technology that can be extremely destructive to privacy (such as with surreptitious surveilance) can be overwhelmingly effective in protecting it (e.g. with encryption). Some government agencies are opposed to unlimited privacy in general, and believe that it should lawfully be forfeited in cases of criminal conduct (e.g. court-authorized wiretapping). However, powerful new technologies to protect privacy on computers are becoming increasingly popular, provoking some to say that ``the cat is out of the bag'' and the ``genie can't be put back in the bottle''. In less idiomatic terms, they believe that the spread of strong cryptography is already underway will be socially and technically unstoppable. To date, no feasible system that guarantees both secure communication and government oversight has been proposed (the two goals are largely incompatible). Proposals for ``registration'' of secret keys (by D. Denning on sci.crypt, for example) have been met with hot controversy at best and ridicule and derision at worst, mainly because of concerns for the right to privacy and objections of inherent feasibility. Electronic privacy issues, and particularly the proper roles of networks and the internet, will foreseeably become highly visible and explosive over the next few years. ANONYMITY ========= _____ <3.1> What is `anonymity' on the internet? Simply stated, anonymity is the absence of identity, the ultimate in privacy. However, there are several variations on this simple theme. A person may wish to be consistently identified by a certain pseudonym and establish a reputation under it in some area, providing pseudo-anonymity. A person may wish to be completely untraceable for a single one-way message (a sort of `hit-and-run'). Or, a person may wish to be openly anonymous but carry on a conversation with others (with either known or anonymous identities) via an `anonymous return address'. A user may wish to appear as a `regular user' but actually be untraceable. Sometimes a user wishes to hide who he is sending mail to (in addition to the message itself). The anonymous item may directed at individuals or groups. All of these uses are feasible on the internet but are currently tricky to carry out in practice, because of all the tracking mechanisms inherent to operating systems and network protocols. Officials of the NSF and other government agencies may be opposed to any of these uses because of the potential for abuse. Nevertheless, the inherent facelessness of large networks will always guarantee a certain element of anonymity. _____ <3.2> Why is `anonymity' (un)important on the internet? Anonymity is another powerful tool that can be beneficial or problematic depending on its use. Arguably absence of identification is important as the presence of it. It may be the case that many strong benefits from electronic anonymity will be discovered that were unforeseen and unpredicted, because true anonymity has been historically very difficult to establish. One can use anonymity to make personal statements to a colleague that would sabotage a relationship if stated openly (such as employer/employee scenarios). One can use it to pass information and evade any threat of direct retribution. For example, `whistleblowers' reporting on government abuses (economic, social, or political) can bring issues to light without fear of stigma or retaliation. Sensitive, personal, potentially damaging information is often posted to some USENET groups, a risky situation where anonymity allows conversations to be carried on completely independent of the identities of the participants. Some police departments run phone services that allow anonymous reporting of crimes; such uses would be straightforward on the network. Unfortunately, extortion and harassment become more insideous with assurances of anonymity. _____ <3.3> How can anonymity be protected on the internet? The chief means, as alluded to above, are masking identities in email and posting. However, anonymous accounts (public accounts as accessable and anonymous as e.g. public telephones) may be effective as well, but this use is generally not officially supported and even discouraged by some system adminstrators and NSF guidelines. The nonuniformity in the requirements of obtaining accounts at different sites and institutions makes anonymous accounts generally difficult to obtain to the public at large. Many communications protocols are inherently detrimental to anonymity. Virtually every protocol in existence currently contains information on both sender and receiver in every packet. New communications protocols will likely develop that guarantee much higher degrees of secure anonymous communication. _____ <3.4> How do I send anonymous mail? One approach has been to set up an `anonymous server' that, when activated by email to its address, responds by allocating and supplying an `anonymous ID' that is unique to the person requesting it (based on his email address). This will vary for the same person for different machine address email originations. To send anonymous mail, the user sends email directed to the server containing the final destination. The server `anonymizes' the message by stripping of identification information and forwards the message, which appears to originate from the anonymous server only from the corresponding anonymous user id. This is the `interactive' use of anonymity or pseudonymity mentioned above. Another more `fringe' approach is to run a `cypherpunk' remailer from a regular user account (no root system privileges are required). These are currently being pioneered by Eric Hughes and Hal Finney How do I post anonymously? For this use anonymous servers have been established as well with all the associated caveats above (monitored traffic, capricious or risky local circumstances, logging). anon.penet.fi operated by @DATAPHONE@ julf@penet.fi can be used here too; mail to help@penet.fi for information. Make sure to test the system at least once by e.g. anonymous posting to misc.test. Make sure no signature data slips through. Another direct route involves using NNTP protocols to submit a message directly to a newserver with arbitrary field information. This practice, not uncommon to hackers, is also generally viewed with hostility by most system administrators, and similar consequences can ensue. _____ <3.5> What are some known anonymous remailing and posting sites? Following are some anonymous remailing and posting sites. Make sure to test the system at least once by e.g. sending anonymized mail to yourself. Make sure no signature data slips through. Be courteous to the system operator, who may be personally risking his account for your convenience. Do not send abusive, harrassing or threatening messages, or anything else that may endanger the operator of the site. anon.penet.fi ------------- Anonymized mail, posting, and return addresses (no encryption). Send mail to help@penet.fi for information. elee7h5@rosebud.ee.uh.edu ------------------------- Experimental anonymous remailer run Karl Barrus . Send to the site name a message with the following text: :: command: help user@host where `user@host' is the return address. hal@alumni.caltech.edu ---------------------- Experimental remailer with encryption and return addresses. Request information from above address. nowhere@bsu-cs.bsu.edu ---------------------- Experimental remailer allowing chaining. Run by Chael Hall. Request information from above address. phantom@mead.u.washington.edu ----------------------------- Experimental remailer with encryption. `finger' site address for information. Notes: Currently the most stable of anonymous remailing sites is probably anon.penet.fi operated by julf@penet.fi for several months, who has system adminstrator privileges. So far, all encryption is based on public-key cryptography and PGP software (see the question on cryptography). Encryption aspects (message text, destination address, replies) vary between sites. _____ <3.6> Why is anonymity unstable and nonexistent on the internet? As noted, many factors compromise the anonymity currently available to the general internet community, and these services should be used with great caution. To summarize, the technology is in its infancy and current approaches are unrefined, unreliable, and not completely trustworthy. No standards have been established and troubling situations of loss of anonymity and bugs in the software are prevalent. (For example, one anonymous remailer reallocated already allocated anonymous return addresses. Others passed signature information embedded in messages unaltered. Address resolution problems resulting in anonymized mail bounced to a remailer are common.) Source code is being distributed, tested, and refined for these systems, but standards are progressing slowly and weakly. The field is not likely to improve without official endorsement and action by network agencies. The whole idea is still viewed with suspicion and distrust by many on the internet and seen as illegitimate or favorable to criminality. A very sophisticated anonymous posting system was recently set up by dclunie@pax.tpa.com.au that used cryptography in both directions (to/from) the server for the highest degree of confidentiality seen so far. However, it was running on a public access account, and he had to shut it down after receiving requests and conditions apparently ultimately originating from NSF representatives. _____ <3.7> What is the future of anonymity on the internet? New anonymous protocols effectively serve to significantly increase safeguards of anonymity. For example, the same mechanism that routes email over multiple hosts, thereby threatening its privacy, can also be used to guarantee it. In a scheme called `chaining' an anonymous message is passed through multiple anonymous servers before reaching a destination. In this way generally multiple links of the chain have to be `broken' for security to be compromised. Re-encryption at each link makes this scenario even more unlikely. Even more significantly the anonymous remailers could be spread over the internet globally so that local weaknesses (such as corrupt governments or legal wiretapping within a nation) would be more unlikely to sacrifice overall security by message tracing. However, remailers run by corrupt operators are possible. The future of anonymous services on the internet is, at this time, highly uncertain and fraught with peril. Nevertheless, its widespread introduction and use may be inevitable and its implementation could carry significant and unforeseen social repercussions. However, if its use is continued to be generally regarded as subversive it may be confined to the underground. MISCELLANEOUS ============= _____ <4.1> What is ``digital cash''? With digital encryption and authentication technologies, the possibility of a widespread digital cash system may someday be realized. A system utilizing codes sent between users and banks (similar to today's checking except entirely digital) may be one approach. The issues of cryptography, privacy, and anonymity are closely associated with transfer of cash in an economy. See the article in Scientific American by David Chaum. An experimental digital bank is run by Karl Barrus based on suggestions by Hal Finney on the cypherpunks mailing list. To use the server send mail to elee7h5@rosebud.ee.uh.edu message with the following text: :: command: help user@host where `user@host' is your email address. _____ <4.2> What is a ``hacker'' or ``cracker''? These terms arouse strong feelings by many on their meaning, especially on the internet. In the general news media in the past a person who uses computers and networks to malicious ends (such as breaking into systems) has been referred to as a hacker, but most internet users prefer the term ``cracker'' for this. Instead, a ``hacker'' is perceived as a benign but ambitious and intensely curious computer user who explores obscure areas of a system, for example---something of an electronic pioneer and patriot. This is the sense intended in this document. See also the ``Hacker's Dictionary'' and the alt.security FAQ. _____ <4.3> What is a ``cypherpunk''? From the charter of the cypherpunk mailing list: > Cypherpunks assume privacy is a good thing and wish there were > more of it. Cypherpunks acknowledge that those who want privacy > must create it for themselves and not expect governments, > corporations, or other large, faceless organizations to grant > them privacy out of beneficence. Cypherpunks know that people > have been creating their own privacy for centuries with whispers, > envelopes, closed doors, and couriers. Cypherpunks do not seek > to prevent other people from speaking about their experiences or > their opinions. See information on the cypherpunk mailing list below. _____ <4.4> What new standards are needed to guard electronic privacy? General ------- - Recognition of anonymity, cryptography, and related privacy shields as legitimate, useful, desirable, and crucial by the general public and their governments. - Widespread use and implementation of these technologies in hardware, software, and standards, implemented `securely,' `seamlessly,' and `transparently'. - General shift of use, dependence, and reliance to means other than wiretapping and electronic surveillance by law enforcement agencies. - Publicity, retraction, and dissolution of laws and government agencies opposed to privacy, replaced by structures dedicated to strengthening and protecting it. Remailing/Posting ----------------- - Stable, secure, protected, officially sanctioned and permitted, publicly and privately operated anonymous servers and hubs. - Official standards for encryption and anonymity in mail and USENET postings. - Truly anonymous protocols with source and destination information obscured or absent and hidden routing mechanisms (chaining, encrypted addresses, etc.) - Standards for anonymous email addressing, embedding files, and remailer site chaining. RESOURCES ========= _____ <5.1> How can I run an anonymous remailer? Cypherpunk remailer source is at soda.berkeley.edu in the /pub/cypherpunks directory. It's written in PERL, and is relatively easy to install (no administrative rights are required). Karl Barrus has more information and modifications. Also, most remailer operators mentioned above are amenable to discussing features, problems, and helping new sites become operational. _____ <5.2> What is the cypherpunks mailing list? Eric Hughes runs the `cypherpunk' mailing list dedicated to ``discussion about technological defenses for privacy in the digital domain.'' Send email to cypherpunks-request@toad.com to be added or subtracted from the list. From the charter: > The most important means to the defense of privacy is encryption. > To encrypt is to indicate the desire for privacy. But to encrypt > with weak cryptography is to indicate not too much desire for > privacy. Cypherpunks hope that all people desiring privacy will > learn how best to defend it. _____ <5.3> What are some privacy-related newsgroups? FAQs? Newsgroups ========== alt.cyberpunks -------------- Virtual reality, (science) fiction by William Gibson and Bruce Sterling, cyberpunk in the mainstream. alt.hackers ----------- USENET Network News Transfer Protocol (NNTP) posting mechanisms, Simple Mail Transfer Protocol (SMTP), `obligatory hack' reports. alt.security.pgp ---------------- Dedicated to discussing PGP, or ``Pretty Good Privacy'' Software developed by Phil Zimmerman for public key encryption. sci.crypt --------- Considers scientific and social issues of cryptography. Examples: legitimate use of PGP, public-key patents, DES, cryptographic security, cypher breaking, etc. alt.privacy ----------- General privacy issues involving taxpaying, licensing, social security numbers, etc. comp.society.privacy -------------------- Privacy issues associated with computer technologies. Examples: caller identification, social security numbers, credit applications, mailing lists, etc. Moderated. comp.eff.news comp.eff.talk ------------- Moderated and unmoderated groups associated with the Electronic Frontier Foundation started by Mitch Kapor for protecting civil and constitutional rights in the electronic realm. alt.comp.acad-freedom.news alt.comp.acad-freedom.talk -------------------------- Moderated and unmoderated issues related to academic freedom and privacy at universities. Documented examples of violated privacy in e.g. email. Documented examples of `censhorship' as in e.g. limiting USENET groups local availability. alt.security comp.security.misc ------------------ Computer related security issues. FAQ in news.answers below. FAQs ==== FAQs or ``Frequently-Asked Questions'' are available in the newsgroup news.answers or via anonymous FTP to pit-manager.mit.edu [18.172.1.27] from the directory /pub/usenet/news.answers. network-info/part1 ------------------ Sources of information about the Internet and how to connect to it, through the NSF or commercial vendors. alt-security-faq ---------------- Computer related security issues arising in alt.security and comp.security.misc, mostly UNIX related. ssn-privacy ----------- Privacy issues associated with the use of the U.S. Social Security number (SSN). pdial ----- Public dialup internet accounts list. college-email/part1 ------------------- How to find email addresses for undergraduate and graduate students, faculty and staff at various colleges and universities. ripem/faq --------- Information on RIPEM, a program for public key mail encryption officially sanctioned by Public Key Partners Inc., the company that owns patents on public key cryptography. unix-faq/faq/part1 ------------------ Frequently-asked questions about UNIX, including information on `finger' and terminal spying. distributions/* --------------- Known geographic, university, and network distributions. _____ <5.4> What is the MIT ``CROSSLINK'' anonymous message TV program? > CROSSLINK is an anonymous message system run on MIT Student > Cable TV-36. It provides an anonymous medium through which MIT > students can say those things they might otherwise find > difficult, inconvenient or impossible to say in person. It's > also a way to send fun or totally random messages to your > friends over the air. It is similar to the anonymous message > pages found in many college newspapers, except that it's > electronic in nature and it's free. Messages can be posted to the service via email. For more information send email to crosslink@athena.mit.edu. _____ <5.5> What are the standards for internet PEM (Privacy Enhanced Mail)? Internet drafts on Privacy Enhanced Mail (PEM), a standard under revision for six years delineating the official protocols for email encryption. - ``Privacy Enhancement for Internet Electronic Mail: Part I: - ``Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management'' - ``Privacy Enhancement for Internet Electronic Mail: Part III: Algorithms, Modes, and Identifiers'' - ``Privacy Enhancement for Internet Electronic Mail: Part IV: Key Certification and Related Services'' _____ <5.6> What UNIX utilities are related to privacy? For more information, type `man [cmd]' or `apropos [keyword]' at the UNIX shell prompt. finger - obtain information about a remote user chfn - change information about yourself obtainable by remote users chmod - change the rights associated with a file or directory umask - (shell) change the default (on creation) file access rights ls - list the rights associated with files and directories xhost - allow or disable access control of particular users to an Xwindow server last - list the latest user logins on the system and their originations who - list other users, login/idle times, originations w - list other users and what they are running .signature - file in the home directory appended to USENET posts $SIGNATURE - used as name in email and USENET postings _____ <5.7> How can I learn about or use cryptography? A general introduction to mostly theoretical cryptographic issues, especially those frequently discussed in sci.crypt, is available in FAQ form: > Compiled by: > cme@ellisun.sw.stratus.com (Carl Ellison) > Gwyn@BRL.MIL (Doug Gwyn) > smb@ulysses.att.com (Steven Bellovin) NIST (U.S. National Institute for Standards and Technology) publishes an introductory paper on cryptography, special publication 800-2 ``Public-Key Cryptograhy'' by James Nechvatal (April 1991). Available via anonymous FTP from csrc.ncsl.nist.gov (129.6.54.11), file pub/nistpubs/800-2.txt. Also via available anonymous FTP from wimsey.bc.ca as crypt.txt.Z in the crypto directory. Covers technical mathematical aspects of encryption such as number theory. More general information can be found in a FAQ by Paul Fahn of RSA Labortories via anonymous FTP from rsa.com in /pub/faq.ps.Z. See the `readme' file for information on the `tex' version. Also available as hardcopy for $20 from RSA Laboratories, 100 Marine Parkway, Redwood City, CA 94065. Send questions to faq-editor@rsa.com. Phil Zimmerman's PGP (Pretty Good Privacy) public-domain package for public key encryption is available at numerous sites, and is in widespread use over the internet for general UNIX-based file encryption (including email). Consult the archie FTP database. Also see the newsgroup alt.security.pgp. Mailing list requests to info-pgp-request@lucpul.it.luc.edu. From the RIPEM FAQ by Marc VanHeyningen on news.answers: > RIPEM is a program which performs Privacy Enhanced Mail (PEM) > using the cryptographic techniques of RSA and DES. It allows > your electronic mail to have the properties of authentication > (i.e. who sent it can be confirmed) and privacy (i.e. nobody can > read it except the intended recipient.) > > RIPEM was written primarily by Mark Riordan > . Most of the code is in the public domain, > except for the RSA routines, which are a library called RSAREF > licensed from RSA Data Security Inc. > > RIPEM is available via anonymous FTP to citizens and permanent > residents in the U.S. from rsa.com; cd to rsaref/ and read the > README file for info. > > RIPEM, as well as some other crypt stuff, has its `home site' on > rpub.cl.msu.edu, which is open to non-anonymous FTP for users in > the U.S. and Canada who are citizens or permanent residents. To > find out how to obtain access, ftp there, cd to pub/crypt/, and > read the file GETTING_ACCESS. Note: cryptography is generally not well integrated into email yet and some system proficiency is required by users to utilize it. FOOTNOTES ========= _____ <6.1> Most Wanted list Hopefully you have benefitted from this creation, compilation, and condensation of information from various sources regarding privacy, identity, and anonymity on the internet. The author is committed to keeping this up-to-date and strengthening it, but this can only be effective with your feedback. In particular, the following information would be useful: - How large is internet traffic? How much is email? How much USENET? What are the costs involved? - What are NSF standards and regulations on the use and privacy associated with the internet? - What laws have been passed and are under consideration regarding privacy on networks? - What are references on privacy? - What are some famous or obscure examples of compromised privacy on the internet? (Esp. pointers to info on the Steve Jackson Games incident.) - What RFCs are available on privacy-related subjects? What are FTP sites? - What are the exact details of Xwindow security? Particularly MIT-MAGIC-COOKIE-1, described in `man Xsecurity' at some sites. - Where is the code (FTP site) to turn the .plan file into a named pipe for sensing/reacting to remote `finger's? email feedback to ld231782@longs.lance.colostate.edu. Please note where you saw this (which newsgroup, etc.). _____ <6.2> Change history 2/3/93 v1.0 (current) More newsgroups & FAQs added. More `Most Wanted'. Posted to news.answers. Future monthly posting to sci.crypt, alt.privacy. 2/1/93 v0.3 Formatted to 72 columns for quoting etc. `miscellaneous,' `resources' sections added with cypherpunk servers and use warnings. More UNIX examples (`ls' and `chmod'). Posted to alt.privacy, comp.society.privacy. 1/29/93 v0.2 `Identity' and `Privacy' sections added. `Anonymity' expanded. Remailer addresses removed due to lack of information and instability. Posted to sci.crypt. 1/25/93 v0.1 Originally posted to the cypherpunks mailing list on 1/25/93 as a call to organize a list of anonymous servers. email ld231782@longs.lance.colostate.edu for earlier versions. -- ld231782@longs.LANCE.ColoState.EDU