The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 15 Issue 25

Weds 10 November 1993

Contents

o No change in Ada policy
Robert I. Eachus
o Groundhog Day, D-Day, Remembrance Day, and all that
Mark Brader
o Not so easy to be anonymous
Robert L Ullmann
o Snakes of Medusa and Cyberspace: Internet identity subversion
L. Detweiler
o Info on RISKS (comp.risks)

No change in Ada policy

"Robert I. Eachus" <eachus@spectre.mitre.org>
Wed, 10 Nov 1993 11:58:58 -0500
   elf@ee.ryerson.ca (luis fernandes) quotes AvLeak:

   > The use of Ada as the standard Defense Dept. computer language
   > should be rethought, the head of the Air Force Electronic System
   > Center told an audience recently. "The Defence Department lost power
   > years ago on computer development, but some don't realize it", Lt.
   > General Gordon E. Fornell told the Society of Experimental Test
   > Pilots.

   I don't see a direct connection to computer risks in that posting, other
than the speed of propagation of information, whether true or misleading.  In
any case:

   The new Ada standard (Ada 9X) is out for ballot, both in ANSI and ISO.  The
mechanics of the situation insure another ballot next year, but the right time
for substantive comments is now.

   The new Ada standard includes a Safety and Security Annex, Annex L, as well
as other changes to reduce risks.  Many readers of this group may want to
check this out.

   Emmett Paige, Assistant Secretary of Defense for Command, Control,
Communications and Intelligence recently said that his support for Ada was
unwaivering. :-)

   However, the new Ada standard does mean that the DoD policies WILL change
to recognize the existence of the new standard.  The current plan is that no
program using Ada will be forced to transition to Ada 9X.  But given the
improvements in the language and the high degree of upward compatibility most
programs are expected to switch relatively quickly.

   Finally--and totally unrelated, other than the article as quoted is
misleading--Lt. General Fornell retired on October 29th, after five
years as head of Electronic Systems Center.

                    Robert I. Eachus


Groundhog Day, D-Day, Remembrance Day, and all that

<msb@sq.com>
Tue, 9 Nov 1993 22:00:31 -0500
A few days ago, in alt.folklore.computers, Michael Shapiro
(mshapiro@netlink.nix.com) wrote:

  I do have one debugging rule, learned the day after a test of some
  date dependent software.  "Never test date-dependent software on
  February 2, March 3, April 4, May 5, June 6, July 7, August 8,
  September 9, October 10, November 11, or December 12.  You may not
  notice you've interchanged the month and day in your algorithm."

  (You probably don't need to worry about January 1, since it's a holiday ...)

And one day early this month, *I* learned that it's also a good idea
to test a program both during and after the first 9 days of the month.
Gotta watch those 1- and 2-digit numbers!

(And during both of the periods January-September and October-December...)

Mark Brader, Toronto  utzoo!sq!msb msb@sq.com
"If the standard says that [things] depend on the phase of the moon, the
programmer should be prepared to look out the window as necessary." Chris Torek


not so easy to be anonymous

Robert L Ullmann <ariel@world.std.com>
Tue, 9 Nov 1993 22:39:12 -0500
In RISKS-15.19, Steven S. Davis points out that anonymous remailers (at least
the one at anon.penet.fi) remove signatures beginning with -- lines.  But
there is a much more effective signature.

On the two occasions that I have been curious enough to investigate the real
identity of anonymous posters I have had no difficulty identifying them with a
bit of searching about. Both of the people I was looking for had posted signed
messages in the same or nearby groups, and were readily identified. How?
Consider Steven's text:

"In Risks 15.17, an32153@anon.penet.fi remarked upon the dangers of including a
signature with anonymous postings.  It's not quite as absurd as it seems, if
someone uses a mailer that appends the signature automatically ( I can't
imagine that anyone who cared about their anonymity, as opposed to those who
just are assigned an anonymous id because they reply to somebody who uses one,
would deliberately append a revealing signature ).  The solution to that, at
least on anon.penet.fi, is simple: The server considers anything after a line
beginning with two dashes as a signature and cuts it off ( this can be a
complication if someone tries to append a document to a message and uses a row
of dashes to separate it from the main text ).  So if you want to send mail
anonymously, either dump your signature or be certain it starts with --."

Now, look at the style:

1) he has a unique habit of adding spaces after ( and before ).

2) the paren clauses come at the end of sentences. They are not dependent
   clauses, and the . comes outside the )

3) he uses commas before dependent clauses. (cf last sentence)

The meter is distinctive. (Read it aloud without paying attention to the
words.) Ta-d-d-d-d-d, COMMA, d-d-d-d-d-d-d ( Ta-d-d-d-d-d-d, COMMA, ta-d-d
-d-d-d-d-d ). Ta-d-d-d-d-d, COMMA, d-d-d-d-d-d-d ( Ta-d-d-d-d-d-d, COMMA,
ta-d-d-d-d-d-d-d ).

I'm not picking on Steven; anyone who doesn't write in a formal, carefully
corrected prose style will get caught by this.

It is real easy. And not so easy to really be anonymous.

  [PGN adds: By the way, you might have mentioned line lengths.  (But I use
  a standard of 78 for RISKS, so that the people who add "< " do not overflow,
  and I usually reblock longer or shorter lines.)  I also usually neutralize
  the time zone on authored mailings to RISKS for which the author wishes to
  remain anonymous.  You also did not mention giveaway mispelings.  (I try
  to run every issue through a speling corekter.)  As Tom Lehrer once wrote
  RISKS-11.48>,

      Don't write naughty words on walls that you can't spell.  ]


The Snakes of Medusa and Cyberspace: Internet identity subversion

"L. Detweiler" <ld231782@longs.lance.colostate.edu>
Tue, 02 Nov 93 23:52:05 -0700
I have long tracked the Internet debates on identity issues, such as
anonymity, with zeal and commitment. Recently I have become very alarmed by
the very serious potential RISKS of a practice I've termed `pseudospoofing'.

In short, there are a few basic categories under which identities may fall
under in Cyberspace. (This is not a comprehensive list.)

`True Name' -- a person sends a message under their legal identity.

`Anonymously' -- features of the message indicate it could be from anyone. One
such feature would include origination from an anonymity server, such as the
now-famous Finnish server anon.penet.fi, operated for nearly a year by J.
Helsingius.

`Pseudonymously' -- features of the message indicate it was issued under a
pseudonym other than a True Name. One might build up a reputation under
different pseudonyms. In a technical sense, anon.penet.fi aliases are
pseudonyms.

The above categories are well recognized, established, and even all largely
entrenched on the Internet. However, another distinct category exists:

`Pseudoanonymously' -- the message identification is of a `fake' identity, a
person that does not exist despite the implicit indications of the message
(such as a signature with a realistic name, including a phone number, etc.)

Note that pseudoanonymous postings are unequivocally a form of *active*
deception that transcends the *passive* concealment of anonymity, and therein
lies the danger. If I posted under the name Jim Riverman and set up a unique
phone number for the basic purpose of fooling others into thinking that Jim
Riverman was a unique person from myself, many very dark machinations of human
trust are possible.

A message that is anonymous could be `from anyone', including a known
megalomaniac, and people would be cautious in revealing information to that
nonentity -- and are encouraged to speculate on it. (I have advocated and
championed this form of anonymity on the Internet.) But someone who supposedly
`exists' automatically carries more implicit trust -- including a very
important kind of trust that they are unique from other individuals. I think
some social parasites increasingly are exploiting the tradition of openness
and honesty on the Internet to prey on others via this technique of
pseudospoofing, and that newer, more vicious and insidious forms are evolving.

* * *

For example, I could post public messages under the Jim Riverman identity
saying that L. Detweiler is the most eminent authority on anonymity issues the
Internet has ever seen. I could rip apart other's public arguments that
criticize L. Detweiler and get everyone else to argue about irrelevant details
-- an ingenious way to `change the subject' by derailing it with dynamite.
This would all be highly effective if I built up an independent reputation as
Jim Riverman with periodic, highly refined posts on software engineering or
some other topic of interest. And others might become unwitting accomplices to
the deception by quoting sentences or articles by Jim Riverman in their own
articles appearing in the same place or other more reputable forums, such as
RISKS.

These are just some of the alarming uses of pseudospoofing in *public*
environments, which I think most reasonable people would agree, depending on
the context and medium, are highly damaging to community trust, and
furthermore dishonest, immoral, and unethical. At the bare minimum, others
should be informed if it is occurring, or they may feel victimized by a
bizarre social experiment on unwilling and unsuspecting participants.

However, there are far more disturbing evils possible with use of
pseudospoofing in *private* email. I could contact others in email under the
identity Jim Riverman and ask them, `What do you think of L. Detweiler,
anyway?' I could even become an apologist for L. Detweiler under Jim Riverman.
`Dorothy, I really respect your contributions, but you are way out of line on
this one. L. Detweiler is a really nice guy. I've met him personally.' (One
Cypherpunk member called some of these uses the `intersection' of pseudonymous
identities.)

Even further, I could use this technique as a powerful espionage method of a
turncoat, agent provocateur, or double agent in eliciting valuable information
from anyone trusting and unsuspecting. One method to build up trust (and
perhaps the most basic way) is to provide relevant, valuable information, and
then ask for some `in return for the favor.' E.g. Jim Riverman says to the
Cyberspace Police, `Yes, I heard L. Detweiler is getting some major heat over
his pseudospoofing postings. In fact, he started subscribing to the Criminal
Techniques mailing list. What are you guys going to do with him, anyway?'
Again, if the message is pseudoanonymous as opposed to anonymous, even with a
built-up online reputation, the trap is dangerously plausible.

Note that `digital signatures' alone do not solve this problem of ensuring
that identities correspond to real people. A `true' signature, e.g. a written
one, has the property that it is unique to a given individual, outside of
illicit forgery. But it is quite feasible for a pseudospoofer to maintain
multiple digital signatures and juggle them readily among a large arsenal of
fake identities. In this sense what many are calling `digital signatures' are
really just `identification tags' if they lack corresponding mechanisms to
ensure correlations to actual human identity, e.g. relation to birth
certificates or any of the other mechanisms our society has evolved over
centuries to authenticate real identities.

* * *

Many jaded readers are probably thinking at this point that they have already
seen some of these subversive uses of pseudospoofing and are not alarmed by my
scenarios so far. But the uses of pseudospoofing that most alarm me, and form
the basis for my article here, are the extremely dangerous, insideous, and
treacherous refinements of this technique that could lead to far more serious
`real world' consequences outside of the loquacious frivolity of, say, most of
Usenet. These are related to the potential of waging a systematic campaign of
propaganda, disinformation, or brainwashing unleashed on an unsuspecting
public by a subversive organization.

Suppose that a criminal group called the CryptoAnarchists wished to take over
the Internet and future Cyberspace, and promote their agenda of pseudospoofing
as a way of aiding criminal behaviors such as tax evasion, black marketeering,
and general destabilization of governments, democracy, laws, and law
enforcement, partly with the aid of pseudospoofing techniques. Unfortunately,
the technique of pseudospoofing itself, coupled with the Internet's extreme
vulnerability to it, could be used as an extremely powerful tool in
accomplishing their goal of cyberspatial domination.

The CryptoAnarchists would first seek to consolidate their supporters in a
secret society with very strict membership requirements. They could have a
secret mailing list that reaches all of those in the group, from which to plot
in secret their activities `in the open'. The secret mailing list would be
dedicated to insiders describing their activities, such as the new fake
identities they have succeeded in acquiring, who is in charge of which
identities, coordinating the software and databases used to prevent
`crossings', or leaks that reveal a link between pseudospoofed identities, and
gauging the extent of seized domains and `new territories' to be invaded.

The CryptoAnarchists require public manipulation to achieve their ends,
however. For this purpose they would find a public mailing list extremely
useful. They would promote themselves on this mailing list through the
techniques of pseudospoofing, perhaps even to the extent of misleading
reporters and obtaining favorable media accounts in newspapers or magazines.
They would find it useful to disguise their agenda, of course, say under the
guise of `privacy for the masses' or `the cryptographic revolution.' They
might post fake status reports of ongoing `real-world' projects and have
insiders confirm them to increase the prestige and respectability of the
organization. `Eric May' says, `Oh yes! We are very far along on the anonymous
digital cash server!' `T.C. Hughes' says, `Oh yes! I saw the server yesterday!
A fine piece of machinery!' They might consistently talk about the beautiful
consequences of `pure and true anonymity' when really referring to
pseudoanonymity and pseudospoofing.

In fact, they might develop an entire mythology, philosophy, even *religion*
that promotes pseudospoofing as a liberating capability, and refine and
espouse it on their public mailing list. This might include, for example,
elevating instances of multiple personality disorder to legendary virtuous
status. They would consistently talk about famous science fiction by respected
authors that refers to the blurring of identities, even though it would not
really specifically address the issue of pseudospoofing, and implying that it
did was just another obfuscatory fabrication. The disinformation campaign
would be self-reinforcing: even outsiders, `real people', could themselves
become independent proselytizers after being sufficiently converted.

In promoting this philosophy, they would use the techniques of brainwashing
and an illusion of peer pressure to manipulate unknowing subscribers. If any
subscriber expressed any doubt, the CryptoAnarchists could wage a concerted
campaign of mental assault on the victim both on the public mailing list and
in private email, to the point that real people would feel isolated, alone,
and unsupported -- but only because of the perceived consensus of nonexistent
identities.

Even more treacherously, they could target individuals who suspect the
existence of conspiracies by disparaging, discouraging, and discrediting them
publicly and privately as `paranoid ranters' and `conspiracy theorists'. They
would say that while pseudospoofing is possible, it is certainly not
widespread, no non-Draconian mechanisms could be implemented to prevent it,
and besides, people shouldn't be `punished' for the misdeeds of a few, no one
really takes the Internet seriously anyway, people aren't really influenced by
propaganda and `peer pressure', and pseudospoofing is simply a `fact of life'
of cyberspace. The arguments would usually be couched in the terms of moral
relativism. `Hal Dinkelacker' says, `is anything *really* inherently evil?
everyone *I've* met who thought so was a fascist!'

The CryptoAnarchists might even be able to make a real-world pariah from
simulated ire and criticism directed at a single strong opponent, say, L.
Detweiler, from many simulated identities in cyberspace, who are mistaken to
be other real, reputable people by L. Detweiler's cyberspatial and real-world
associates `under the influence' of the mailing list or other infected outlet,
who consequently shun him in both realms.

Unfortunately, because the CryptoAnarchist techniques are so readily
concealed, evidence for their conspirational [sic] machinations would be
extremely difficult to detect and obtain. When one `tentacle', or fake
identity, is discovered, they would simply `cut it off' (stop using it, and
dissociate themselves) with no fatal loss to the continued growth of the
overall body.  Before that, however, they might engage in further
disinformation attacks to prevent the `exposure'. I might send information as
L. Detweiler to Dorothy saying, `Dorothy-- what makes you think Jim Riverman
does not exist? I've met him personally. There are others who can attest that
he is real. You are doing nothing but inventing elaborate, insane fantasies by
believing otherwise.'

Also in this manner of conspirational manipulation, they would find it very
useful to subscribe to, or rather infiltrate, very many Internet mailing
lists, particularly those that are extremely sensitive and dedicated to
developing Internet protocols, and related to identification and email, such
as SMTP (Simple Mail Transfer Protocol), PEM (Privacy Enhanced Mail) or DNS
(Domain Name Service). They could find others with queries from another
tentacle, say `Nick Chandler', in the form, `does anyone know of lists
dedicated to identification protocols? please email me.'

Once subscribed, the CryptoAnarchists could use the aforementioned techniques
of pseudospoofing to build up the reputations of their tentacles and
manipulate others with those tentacles. If someone suggested a robust protocol
for identification on one of these mailing lists, they could engage a single
or even multiple tentacles into sabotaging the proposal with scathing
criticism and derailing discussion into irrelevant areas. They could bombard
the particularly strong supporters of identity mechanisms with a barrage of
flames in the victim's private mail box, with many similar messages from
seemingly unique identities saying, in slight variations. `Greg Landry' says,
`I respect what you've done so far in so-and-so area, but your ideas on
preventing pseudospoofing are just way too impractical, Draconian,
undesirable, and unpleasant, and I think you should give up pursuing them.
You've really gone off the deep end. The cat is out of the bag on the Internet
and there's just no way to go backwards.'

In fact, the CryptoAnarchists might even infiltrate sensitive internal mailing
lists like those maintained by CERT (Computer Emergency Response Team). This
would be roughly analogous to a criminal gaining access to insides of the
telephone system or a police station. They would be informed ahead of time of
law enforcement's knowledge of their conspiracies, and may even be able to
thwart their investigations and countermeasures with further insidious
manipulations. They might even subvert the existing Internet SMTP and DNS
identification databases. In a sense, the overall effect would ultimately be
as devastating as AIDS, like a virus invading the protective and defensive
machinery itself designed to stop contagious infections. Once a few snakes of
Medusa had their fangs into Cyberspace, an antidote to the invisible,
spreading, self-reinforcing poison would be virtually impossible to administer
-- Medusa would certainly do *anything* to avoid swallowing it!

* * *

I have become aware of these serious abuses possible with pseudoanonymous
posting from my long affiliation with the Cypherpunks, an allegiance I have
now severed because of my realization of their basic hidden agenda in
promoting the practice of pseudospoofing, or using pseudoanonymous identities
in the aforementioned ways to manipulate and systematically deceive others in
cyberspace. I urge others involved with the group to reconsider their own
affiliation and crystallize their own position on pseudospoofing.

In `exposing' this practice of pseudospoofing I have written much material,
including an essay entitled `The Joy of Pseudospoofing' which I will make
available to anyone who contacts me in email. Also, results of an informal
survey will be available in a few weeks. For the highly literate and
technically savvy RISKS readers I would like to simply point out some of the
most treacherous and insidious uses of this practice -- which, in my view,
constitutes an extant, active, slow-creeping poison spreading over the
Internet. Unfortunately, as evidence in this claim I cannot be more specific
than the previous seemingly fictional account, except to offer an assurance
that it is based on true events in my own mailbox in particular, and perhaps
on the global Internet in general (I fervently hope energetic and ingenious
readers with more resources than I can fill in the blanks, and perhaps become
effective pseudospoofed ghost exorcists.)

While many will brand me a frothing alarmist, on the other hand there are
absolutlely no mechanisms anyone can point to on the Internet that discredit
my scenario -- quite to the contrary, its decentralized, unregulated, and
open-access traditions validate it -- and the rhetorical question `who could
possibly be depraved enough to do all this?' is intended to be answered by
this article! Particularly when the Internet is being used for increasingly
deathly serious endeavors such as Presidential opinion gathering and
commercial activities, I pray that disastrous reliance is never entrusted to
the security of phantoms.

In writing this I hope to

- alert others, particularly those with noncasual scientific and professional
interests in the Internet, to the existence and evils of pseudospoofing, its
potentially deadly flourishing status, and to be alert for personal encounters
with it

- help delineate the `rights' and `recourses' of Cyberspatial participants
related to pseudospoofing, particularly with the view of the Internet as a
model for future cyberspace -- for example, does everyone at least have the
`right' to bar pseudospoofed identities from their own mailbox? to form
mailing lists that outlaw it?

- help establish at least a strong, universal taboo against pseudospoofing
among those in the online community, particularly the occurrence of
`intersections', hopefully on the strong level of the current widespread
repulsions for censorship

- encourage others to develop procedures, algorithms, and protocols to dampen
the treacherous and toxic effects of pseudospoofing where appropriate,
particularly sensitive mailing lists relating to serious project or Internet
development efforts

- energize a strong resistance against those who criticize these noble aims of
making cyberspace more honest and hospitable via identity and authentication
mechanisms

- alert others to the possibility of apologists and reactionaries for the
`fluidity of identity on the Internet' who may themselves be pseudospoofed
phantom tentacles

- alert others to the possibilities, dangers, and perversions of
`infiltrations' into mailing lists, particularly of a systematic and
widespread campaign

- urge those running mailing lists to condemn pseudospoofing and require
promises to refrain from it as part of membership requirements, and urge
members to police each other

- urge anyone conducting surveys or polls on the Internet to view results with
extreme prejudice or use greater authentication techniques than mere reliance
on email addresses and signatures alone, because of the possibility of
increasing, concerted, poisonous pseudospoofing

- hear from others more systematic and scientific measurements and analyses on
the degree, and ramifications of, and preventive measures for pseudospoofing
on the Internet, particularly on the possibilities and vulnerabilities of SMTP
and DNS database subversions (maybe a mailing list dedicated to the subject of
thwarting pseudospoofing could be started)

- promote the general area of identification and authentication as a scholarly
research subject of the utmost importance, in resolving a key, even primary
and paramount element of the current `ideal future cyberspatial
infrastructure' debate

``That which can never be enforced should not be prohibited. The claim that a
person should have only one pseudonym per forum indicates profound
misunderstanding.  If someone wants to have multiple ... pseudonyms, they will
be able to; that is one of the main goals of cypherpunks software.  The
situations you despise will occur.  This is reality.  Change your own
psychology or change your own software.  You will not be able to change the
other person.''  --E.Hughes, cofounder, Cypherpunks

``Better to live with the occasional vagaries of digital pseudonyms than to
ban them.''  --T.C.May, cofounder, Cypherpunks

``In a false quarrel there is no true valour.''  --Shakespeare

``Propaganda is to democracy what violence is to totalitarianism.''  --N.
Chomsky

``Oh what a tangled web we weave, when first we practice to deceive.''  --Sir
Walter Scott

``I'm not going anywhere. I like it here.''  --Snake #7

I thank the following eminent Cypherpunks for ideas in this article, although
it should not be construed to be representative of their opinions, and neither
can I provide any guarantee they represent unique people:

G.Broiles, A.Chandler, J.Dinkelacker, H.Finney, E.Hughes, M.Landry, T.C.May,
N.Szabo

Notes:

1) human-readable subscription requests to E.Hughes' Cypherpunks mailing list
go to cypherpunks-request@toad.com.

2) a treatise on the history and psychology of anonymity on the Internet (but
not specifically pseudoanonymity) can be obtained from rtfm.mit.edu:
/pub/usenet/news.answers/net-anonymity. Some other areas related to this
article are covered in [...]/net-privacy.

3) The Cypherpunk archives, including their charter and many documents overtly
relating to anonymity (covertly to pseudoanonymity), can be obtained from
soda.berkeley.edu:/pub/cypherpunks.

Please report problems with the web pages to the maintainer

Top