Subject: RISKS DIGEST 15.25 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Weds 10 November 1993 Volume 15 : Issue 25 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: No change in Ada policy (Robert I. Eachus) Groundhog Day, D-Day, Remembrance Day, and all that (Mark Brader) Not so easy to be anonymous (Robert L Ullmann) Snakes of Medusa and Cyberspace: Internet identity subversion (L. Detweiler) The RISKS Forum is a moderated digest discussing risks; comp.risks is its USENET counterpart. Undigestifiers are available throughout the Internet, but not from RISKS. Contributions should be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to risks@csl.sri.com, with appropriate, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. PLEASE SEND REQUESTS FOR SUBSCRIPTIONS, archive problems, and other information to risks-request@csl.sri.com (not automated). BITNET users may subscribe via your favorite LISTSERV: "SUBSCRIBE RISKS". Vol i issue j, type "FTP CRVAX.SRI.COMlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j" (where i=1 to 15, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". =CarriageReturn; FTPs may differ; UNIX prompts for username, password. There are also alternative repositories, such as bitftp@pucc.Princeton.EDU . If you are interested in receiving RISKS via fax, please send E-mail to risks-fax@vortex.com, phone +1 (818) 225-2800, or fax +1 (818) 225-7203 for information regarding fax delivery. PLEASE DO NOT USE THOSE NUMBERS FOR GENERAL RISKS COMMUNICATIONS; instead, as a last resort you may try phone PGN at +1 (415) 859-2375 if you cannot E-mail risks-request@CSL.SRI.COM . ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: Wed, 10 Nov 1993 11:58:58 -0500 From: "Robert I. Eachus" Subject: No change in Ada policy elf@ee.ryerson.ca (luis fernandes) quotes AvLeak: > The use of Ada as the standard Defense Dept. computer language > should be rethought, the head of the Air Force Electronic System > Center told an audience recently. "The Defence Department lost power > years ago on computer development, but some don't realize it", Lt. > General Gordon E. Fornell told the Society of Experimental Test > Pilots. I don't see a direct connection to computer risks in that posting, other than the speed of propagation of information, whether true or misleading. In any case: The new Ada standard (Ada 9X) is out for ballot, both in ANSI and ISO. The mechanics of the situation insure another ballot next year, but the right time for substantive comments is now. The new Ada standard includes a Safety and Security Annex, Annex L, as well as other changes to reduce risks. Many readers of this group may want to check this out. Emmett Paige, Assistant Secretary of Defense for Command, Control, Communications and Intelligence recently said that his support for Ada was unwaivering. :-) However, the new Ada standard does mean that the DoD policies WILL change to recognize the existence of the new standard. The current plan is that no program using Ada will be forced to transition to Ada 9X. But given the improvements in the language and the high degree of upward compatibility most programs are expected to switch relatively quickly. Finally--and totally unrelated, other than the article as quoted is misleading--Lt. General Fornell retired on October 29th, after five years as head of Electronic Systems Center. Robert I. Eachus ------------------------------ Date: Tue, 9 Nov 1993 22:00:31 -0500 From: msb@sq.com Subject: Groundhog Day, D-Day, Remembrance Day, and all that A few days ago, in alt.folklore.computers, Michael Shapiro (mshapiro@netlink.nix.com) wrote: I do have one debugging rule, learned the day after a test of some date dependent software. "Never test date-dependent software on February 2, March 3, April 4, May 5, June 6, July 7, August 8, September 9, October 10, November 11, or December 12. You may not notice you've interchanged the month and day in your algorithm." (You probably don't need to worry about January 1, since it's a holiday ...) And one day early this month, *I* learned that it's also a good idea to test a program both during and after the first 9 days of the month. Gotta watch those 1- and 2-digit numbers! (And during both of the periods January-September and October-December...) Mark Brader, Toronto utzoo!sq!msb msb@sq.com "If the standard says that [things] depend on the phase of the moon, the programmer should be prepared to look out the window as necessary." Chris Torek ------------------------------ Date: Tue, 9 Nov 1993 22:39:12 -0500 From: ariel@world.std.com (Robert L Ullmann) Subject: not so easy to be anonymous In RISKS-15.19, Steven S. Davis points out that anonymous remailers (at least the one at anon.penet.fi) remove signatures beginning with -- lines. But there is a much more effective signature. On the two occasions that I have been curious enough to investigate the real identity of anonymous posters I have had no difficulty identifying them with a bit of searching about. Both of the people I was looking for had posted signed messages in the same or nearby groups, and were readily identified. How? Consider Steven's text: "In Risks 15.17, an32153@anon.penet.fi remarked upon the dangers of including a signature with anonymous postings. It's not quite as absurd as it seems, if someone uses a mailer that appends the signature automatically ( I can't imagine that anyone who cared about their anonymity, as opposed to those who just are assigned an anonymous id because they reply to somebody who uses one, would deliberately append a revealing signature ). The solution to that, at least on anon.penet.fi, is simple: The server considers anything after a line beginning with two dashes as a signature and cuts it off ( this can be a complication if someone tries to append a document to a message and uses a row of dashes to separate it from the main text ). So if you want to send mail anonymously, either dump your signature or be certain it starts with --." Now, look at the style: 1) he has a unique habit of adding spaces after ( and before ). 2) the paren clauses come at the end of sentences. They are not dependent clauses, and the . comes outside the ) 3) he uses commas before dependent clauses. (cf last sentence) The meter is distinctive. (Read it aloud without paying attention to the words.) Ta-d-d-d-d-d, COMMA, d-d-d-d-d-d-d ( Ta-d-d-d-d-d-d, COMMA, ta-d-d -d-d-d-d-d ). Ta-d-d-d-d-d, COMMA, d-d-d-d-d-d-d ( Ta-d-d-d-d-d-d, COMMA, ta-d-d-d-d-d-d-d ). I'm not picking on Steven; anyone who doesn't write in a formal, carefully corrected prose style will get caught by this. It is real easy. And not so easy to really be anonymous. [PGN adds: By the way, you might have mentioned line lengths. (But I use a standard of 78 for RISKS, so that the people who add "< " do not overflow, and I usually reblock longer or shorter lines.) I also usually neutralize the time zone on authored mailings to RISKS for which the author wishes to remain anonymous. You also did not mention giveaway mispelings. (I try to run every issue through a speling corekter.) As Tom Lehrer once wrote , Don't write naughty words on walls that you can't spell. ] ------------------------------ Date: Tue, 02 Nov 93 23:52:05 -0700 From: "L. Detweiler" Subject: The Snakes of Medusa and Cyberspace: Internet identity subversion I have long tracked the Internet debates on identity issues, such as anonymity, with zeal and commitment. Recently I have become very alarmed by the very serious potential RISKS of a practice I've termed `pseudospoofing'. In short, there are a few basic categories under which identities may fall under in Cyberspace. (This is not a comprehensive list.) `True Name' -- a person sends a message under their legal identity. `Anonymously' -- features of the message indicate it could be from anyone. One such feature would include origination from an anonymity server, such as the now-famous Finnish server anon.penet.fi, operated for nearly a year by J. Helsingius. `Pseudonymously' -- features of the message indicate it was issued under a pseudonym other than a True Name. One might build up a reputation under different pseudonyms. In a technical sense, anon.penet.fi aliases are pseudonyms. The above categories are well recognized, established, and even all largely entrenched on the Internet. However, another distinct category exists: `Pseudoanonymously' -- the message identification is of a `fake' identity, a person that does not exist despite the implicit indications of the message (such as a signature with a realistic name, including a phone number, etc.) Note that pseudoanonymous postings are unequivocally a form of *active* deception that transcends the *passive* concealment of anonymity, and therein lies the danger. If I posted under the name Jim Riverman and set up a unique phone number for the basic purpose of fooling others into thinking that Jim Riverman was a unique person from myself, many very dark machinations of human trust are possible. A message that is anonymous could be `from anyone', including a known megalomaniac, and people would be cautious in revealing information to that nonentity -- and are encouraged to speculate on it. (I have advocated and championed this form of anonymity on the Internet.) But someone who supposedly `exists' automatically carries more implicit trust -- including a very important kind of trust that they are unique from other individuals. I think some social parasites increasingly are exploiting the tradition of openness and honesty on the Internet to prey on others via this technique of pseudospoofing, and that newer, more vicious and insidious forms are evolving. * * * For example, I could post public messages under the Jim Riverman identity saying that L. Detweiler is the most eminent authority on anonymity issues the Internet has ever seen. I could rip apart other's public arguments that criticize L. Detweiler and get everyone else to argue about irrelevant details -- an ingenious way to `change the subject' by derailing it with dynamite. This would all be highly effective if I built up an independent reputation as Jim Riverman with periodic, highly refined posts on software engineering or some other topic of interest. And others might become unwitting accomplices to the deception by quoting sentences or articles by Jim Riverman in their own articles appearing in the same place or other more reputable forums, such as RISKS. These are just some of the alarming uses of pseudospoofing in *public* environments, which I think most reasonable people would agree, depending on the context and medium, are highly damaging to community trust, and furthermore dishonest, immoral, and unethical. At the bare minimum, others should be informed if it is occurring, or they may feel victimized by a bizarre social experiment on unwilling and unsuspecting participants. However, there are far more disturbing evils possible with use of pseudospoofing in *private* email. I could contact others in email under the identity Jim Riverman and ask them, `What do you think of L. Detweiler, anyway?' I could even become an apologist for L. Detweiler under Jim Riverman. `Dorothy, I really respect your contributions, but you are way out of line on this one. L. Detweiler is a really nice guy. I've met him personally.' (One Cypherpunk member called some of these uses the `intersection' of pseudonymous identities.) Even further, I could use this technique as a powerful espionage method of a turncoat, agent provocateur, or double agent in eliciting valuable information from anyone trusting and unsuspecting. One method to build up trust (and perhaps the most basic way) is to provide relevant, valuable information, and then ask for some `in return for the favor.' E.g. Jim Riverman says to the Cyberspace Police, `Yes, I heard L. Detweiler is getting some major heat over his pseudospoofing postings. In fact, he started subscribing to the Criminal Techniques mailing list. What are you guys going to do with him, anyway?' Again, if the message is pseudoanonymous as opposed to anonymous, even with a built-up online reputation, the trap is dangerously plausible. Note that `digital signatures' alone do not solve this problem of ensuring that identities correspond to real people. A `true' signature, e.g. a written one, has the property that it is unique to a given individual, outside of illicit forgery. But it is quite feasible for a pseudospoofer to maintain multiple digital signatures and juggle them readily among a large arsenal of fake identities. In this sense what many are calling `digital signatures' are really just `identification tags' if they lack corresponding mechanisms to ensure correlations to actual human identity, e.g. relation to birth certificates or any of the other mechanisms our society has evolved over centuries to authenticate real identities. * * * Many jaded readers are probably thinking at this point that they have already seen some of these subversive uses of pseudospoofing and are not alarmed by my scenarios so far. But the uses of pseudospoofing that most alarm me, and form the basis for my article here, are the extremely dangerous, insideous, and treacherous refinements of this technique that could lead to far more serious `real world' consequences outside of the loquacious frivolity of, say, most of Usenet. These are related to the potential of waging a systematic campaign of propaganda, disinformation, or brainwashing unleashed on an unsuspecting public by a subversive organization. Suppose that a criminal group called the CryptoAnarchists wished to take over the Internet and future Cyberspace, and promote their agenda of pseudospoofing as a way of aiding criminal behaviors such as tax evasion, black marketeering, and general destabilization of governments, democracy, laws, and law enforcement, partly with the aid of pseudospoofing techniques. Unfortunately, the technique of pseudospoofing itself, coupled with the Internet's extreme vulnerability to it, could be used as an extremely powerful tool in accomplishing their goal of cyberspatial domination. The CryptoAnarchists would first seek to consolidate their supporters in a secret society with very strict membership requirements. They could have a secret mailing list that reaches all of those in the group, from which to plot in secret their activities `in the open'. The secret mailing list would be dedicated to insiders describing their activities, such as the new fake identities they have succeeded in acquiring, who is in charge of which identities, coordinating the software and databases used to prevent `crossings', or leaks that reveal a link between pseudospoofed identities, and gauging the extent of seized domains and `new territories' to be invaded. The CryptoAnarchists require public manipulation to achieve their ends, however. For this purpose they would find a public mailing list extremely useful. They would promote themselves on this mailing list through the techniques of pseudospoofing, perhaps even to the extent of misleading reporters and obtaining favorable media accounts in newspapers or magazines. They would find it useful to disguise their agenda, of course, say under the guise of `privacy for the masses' or `the cryptographic revolution.' They might post fake status reports of ongoing `real-world' projects and have insiders confirm them to increase the prestige and respectability of the organization. `Eric May' says, `Oh yes! We are very far along on the anonymous digital cash server!' `T.C. Hughes' says, `Oh yes! I saw the server yesterday! A fine piece of machinery!' They might consistently talk about the beautiful consequences of `pure and true anonymity' when really referring to pseudoanonymity and pseudospoofing. In fact, they might develop an entire mythology, philosophy, even *religion* that promotes pseudospoofing as a liberating capability, and refine and espouse it on their public mailing list. This might include, for example, elevating instances of multiple personality disorder to legendary virtuous status. They would consistently talk about famous science fiction by respected authors that refers to the blurring of identities, even though it would not really specifically address the issue of pseudospoofing, and implying that it did was just another obfuscatory fabrication. The disinformation campaign would be self-reinforcing: even outsiders, `real people', could themselves become independent proselytizers after being sufficiently converted. In promoting this philosophy, they would use the techniques of brainwashing and an illusion of peer pressure to manipulate unknowing subscribers. If any subscriber expressed any doubt, the CryptoAnarchists could wage a concerted campaign of mental assault on the victim both on the public mailing list and in private email, to the point that real people would feel isolated, alone, and unsupported -- but only because of the perceived consensus of nonexistent identities. Even more treacherously, they could target individuals who suspect the existence of conspiracies by disparaging, discouraging, and discrediting them publicly and privately as `paranoid ranters' and `conspiracy theorists'. They would say that while pseudospoofing is possible, it is certainly not widespread, no non-Draconian mechanisms could be implemented to prevent it, and besides, people shouldn't be `punished' for the misdeeds of a few, no one really takes the Internet seriously anyway, people aren't really influenced by propaganda and `peer pressure', and pseudospoofing is simply a `fact of life' of cyberspace. The arguments would usually be couched in the terms of moral relativism. `Hal Dinkelacker' says, `is anything *really* inherently evil? everyone *I've* met who thought so was a fascist!' The CryptoAnarchists might even be able to make a real-world pariah from simulated ire and criticism directed at a single strong opponent, say, L. Detweiler, from many simulated identities in cyberspace, who are mistaken to be other real, reputable people by L. Detweiler's cyberspatial and real-world associates `under the influence' of the mailing list or other infected outlet, who consequently shun him in both realms. Unfortunately, because the CryptoAnarchist techniques are so readily concealed, evidence for their conspirational [sic] machinations would be extremely difficult to detect and obtain. When one `tentacle', or fake identity, is discovered, they would simply `cut it off' (stop using it, and dissociate themselves) with no fatal loss to the continued growth of the overall body. Before that, however, they might engage in further disinformation attacks to prevent the `exposure'. I might send information as L. Detweiler to Dorothy saying, `Dorothy-- what makes you think Jim Riverman does not exist? I've met him personally. There are others who can attest that he is real. You are doing nothing but inventing elaborate, insane fantasies by believing otherwise.' Also in this manner of conspirational manipulation, they would find it very useful to subscribe to, or rather infiltrate, very many Internet mailing lists, particularly those that are extremely sensitive and dedicated to developing Internet protocols, and related to identification and email, such as SMTP (Simple Mail Transfer Protocol), PEM (Privacy Enhanced Mail) or DNS (Domain Name Service). They could find others with queries from another tentacle, say `Nick Chandler', in the form, `does anyone know of lists dedicated to identification protocols? please email me.' Once subscribed, the CryptoAnarchists could use the aforementioned techniques of pseudospoofing to build up the reputations of their tentacles and manipulate others with those tentacles. If someone suggested a robust protocol for identification on one of these mailing lists, they could engage a single or even multiple tentacles into sabotaging the proposal with scathing criticism and derailing discussion into irrelevant areas. They could bombard the particularly strong supporters of identity mechanisms with a barrage of flames in the victim's private mail box, with many similar messages from seemingly unique identities saying, in slight variations. `Greg Landry' says, `I respect what you've done so far in so-and-so area, but your ideas on preventing pseudospoofing are just way too impractical, Draconian, undesirable, and unpleasant, and I think you should give up pursuing them. You've really gone off the deep end. The cat is out of the bag on the Internet and there's just no way to go backwards.' In fact, the CryptoAnarchists might even infiltrate sensitive internal mailing lists like those maintained by CERT (Computer Emergency Response Team). This would be roughly analogous to a criminal gaining access to insides of the telephone system or a police station. They would be informed ahead of time of law enforcement's knowledge of their conspiracies, and may even be able to thwart their investigations and countermeasures with further insidious manipulations. They might even subvert the existing Internet SMTP and DNS identification databases. In a sense, the overall effect would ultimately be as devastating as AIDS, like a virus invading the protective and defensive machinery itself designed to stop contagious infections. Once a few snakes of Medusa had their fangs into Cyberspace, an antidote to the invisible, spreading, self-reinforcing poison would be virtually impossible to administer -- Medusa would certainly do *anything* to avoid swallowing it! * * * I have become aware of these serious abuses possible with pseudoanonymous posting from my long affiliation with the Cypherpunks, an allegiance I have now severed because of my realization of their basic hidden agenda in promoting the practice of pseudospoofing, or using pseudoanonymous identities in the aforementioned ways to manipulate and systematically deceive others in cyberspace. I urge others involved with the group to reconsider their own affiliation and crystallize their own position on pseudospoofing. In `exposing' this practice of pseudospoofing I have written much material, including an essay entitled `The Joy of Pseudospoofing' which I will make available to anyone who contacts me in email. Also, results of an informal survey will be available in a few weeks. For the highly literate and technically savvy RISKS readers I would like to simply point out some of the most treacherous and insidious uses of this practice -- which, in my view, constitutes an extant, active, slow-creeping poison spreading over the Internet. Unfortunately, as evidence in this claim I cannot be more specific than the previous seemingly fictional account, except to offer an assurance that it is based on true events in my own mailbox in particular, and perhaps on the global Internet in general (I fervently hope energetic and ingenious readers with more resources than I can fill in the blanks, and perhaps become effective pseudospoofed ghost exorcists.) While many will brand me a frothing alarmist, on the other hand there are absolutlely no mechanisms anyone can point to on the Internet that discredit my scenario -- quite to the contrary, its decentralized, unregulated, and open-access traditions validate it -- and the rhetorical question `who could possibly be depraved enough to do all this?' is intended to be answered by this article! Particularly when the Internet is being used for increasingly deathly serious endeavors such as Presidential opinion gathering and commercial activities, I pray that disastrous reliance is never entrusted to the security of phantoms. In writing this I hope to - alert others, particularly those with noncasual scientific and professional interests in the Internet, to the existence and evils of pseudospoofing, its potentially deadly flourishing status, and to be alert for personal encounters with it - help delineate the `rights' and `recourses' of Cyberspatial participants related to pseudospoofing, particularly with the view of the Internet as a model for future cyberspace -- for example, does everyone at least have the `right' to bar pseudospoofed identities from their own mailbox? to form mailing lists that outlaw it? - help establish at least a strong, universal taboo against pseudospoofing among those in the online community, particularly the occurrence of `intersections', hopefully on the strong level of the current widespread repulsions for censorship - encourage others to develop procedures, algorithms, and protocols to dampen the treacherous and toxic effects of pseudospoofing where appropriate, particularly sensitive mailing lists relating to serious project or Internet development efforts - energize a strong resistance against those who criticize these noble aims of making cyberspace more honest and hospitable via identity and authentication mechanisms - alert others to the possibility of apologists and reactionaries for the `fluidity of identity on the Internet' who may themselves be pseudospoofed phantom tentacles - alert others to the possibilities, dangers, and perversions of `infiltrations' into mailing lists, particularly of a systematic and widespread campaign - urge those running mailing lists to condemn pseudospoofing and require promises to refrain from it as part of membership requirements, and urge members to police each other - urge anyone conducting surveys or polls on the Internet to view results with extreme prejudice or use greater authentication techniques than mere reliance on email addresses and signatures alone, because of the possibility of increasing, concerted, poisonous pseudospoofing - hear from others more systematic and scientific measurements and analyses on the degree, and ramifications of, and preventive measures for pseudospoofing on the Internet, particularly on the possibilities and vulnerabilities of SMTP and DNS database subversions (maybe a mailing list dedicated to the subject of thwarting pseudospoofing could be started) - promote the general area of identification and authentication as a scholarly research subject of the utmost importance, in resolving a key, even primary and paramount element of the current `ideal future cyberspatial infrastructure' debate ``That which can never be enforced should not be prohibited. The claim that a person should have only one pseudonym per forum indicates profound misunderstanding. If someone wants to have multiple ... pseudonyms, they will be able to; that is one of the main goals of cypherpunks software. The situations you despise will occur. This is reality. Change your own psychology or change your own software. You will not be able to change the other person.'' --E.Hughes, cofounder, Cypherpunks ``Better to live with the occasional vagaries of digital pseudonyms than to ban them.'' --T.C.May, cofounder, Cypherpunks ``In a false quarrel there is no true valour.'' --Shakespeare ``Propaganda is to democracy what violence is to totalitarianism.'' --N. Chomsky ``Oh what a tangled web we weave, when first we practice to deceive.'' --Sir Walter Scott ``I'm not going anywhere. I like it here.'' --Snake #7 I thank the following eminent Cypherpunks for ideas in this article, although it should not be construed to be representative of their opinions, and neither can I provide any guarantee they represent unique people: G.Broiles, A.Chandler, J.Dinkelacker, H.Finney, E.Hughes, M.Landry, T.C.May, N.Szabo Notes: 1) human-readable subscription requests to E.Hughes' Cypherpunks mailing list go to cypherpunks-request@toad.com. 2) a treatise on the history and psychology of anonymity on the Internet (but not specifically pseudoanonymity) can be obtained from rtfm.mit.edu: /pub/usenet/news.answers/net-anonymity. Some other areas related to this article are covered in [...]/net-privacy. 3) The Cypherpunk archives, including their charter and many documents overtly relating to anonymity (covertly to pseudoanonymity), can be obtained from soda.berkeley.edu:/pub/cypherpunks. ------------------------------ End of RISKS-FORUM Digest 15.25 ************************