Subject: RISKS DIGEST 15.27 REPLY-TO: risks@csl.sri.com RISKS-LIST: RISKS-FORUM Digest Tuesday 17 November 1993 Volume 15 : Issue 27 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Re: The Snakes of Medusa and Cyberspace (mathew, Alex Glockner, Perry E. Metzger, Jamie Dinkelacker, Arthur Abraham, Peter Leppik, Brad Hicks, Neil McKellar, Leonard Mignerey, L. Detweiler) The RISKS Forum is a moderated digest discussing risks; comp.risks is its USENET counterpart. Undigestifiers are available throughout the Internet, but not from RISKS. Contributions should be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to risks@csl.sri.com, with appropriate, substantive "Subject:" line. Others may be ignored! Contributions will not be ACKed. The load is too great. **PLEASE** INCLUDE YOUR NAME & INTERNET FROM: ADDRESS, especially .UUCP folks. PLEASE SEND REQUESTS FOR SUBSCRIPTIONS, archive problems, and other information to risks-request@csl.sri.com (not automated). BITNET users may subscribe via your favorite LISTSERV: "SUBSCRIBE RISKS". Vol i issue j, type "FTP CRVAX.SRI.COMlogin anonymousAnyNonNullPW CD RISKS:GET RISKS-i.j" (where i=1 to 15, j always TWO digits). Vol i summaries in j=00; "dir risks-*.*" gives directory; "bye" logs out. The COLON in "CD RISKS:" is essential. "CRVAX.SRI.COM" = "128.18.10.1". =CarriageReturn; FTPs may differ; UNIX prompts for username, password. There are also alternative repositories, such as bitftp@pucc.Princeton.EDU . If you are interested in receiving RISKS via fax, please send E-mail to risks-fax@vortex.com, phone +1 (818) 225-2800, or fax +1 (818) 225-7203 for information regarding fax delivery. PLEASE DO NOT USE THOSE NUMBERS FOR GENERAL RISKS COMMUNICATIONS; instead, as a last resort you may try phone PGN at +1 (415) 859-2375 if you cannot E-mail risks-request@CSL.SRI.COM . ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise. ---------------------------------------------------------------------- Date: 11 Nov 1993 12:13:34 -0000 From: mathew@mantis.co.uk (mathew) Subject: Re: The Snakes of Medusa and Cyberspace (RISKS-15.25) "L. Detweiler" writes at length about the evils of what he calls "pseudoanonymous posting". I shall try to keep this reply brief. I am interested not only in the issue of pseudonymity, but in the structure of Detweiler's allegations. His posting appears to me to be an artfully crafted conspiracy theory. He begins by defining "pseudoanonymously": >`Pseudoanonymously' -- the message identification is of a `fake' identity, a >person that does not exist despite the implicit indications of the message >(such as a signature with a realistic name, including a phone number, etc.) He notes that pseudoanonymous postings are active deception, rather than passive concealment of identity, and points out that he could set up a pseudonymous account for the purpose of fooling people into thinking that the pseudonym was a different person. Pardon me, but what on earth does this have to do with RISKS? The practice of publishing under a pseudonym has been common for centuries; ironically, Detweiler himself quotes "Shakespeare", believed by many to be a pseudonym. He does on to hypothesize that people might be less wary of pseudonymous identities they don't recognize than they are of anonymous ones; he talks of megalomaniacs stalking the net. Well, if I see someone post to the net under a name I don't recognize -- like (say) L. Detweiler -- then I assign that person (whom I don't know) exactly the same probability of being a megalomaniac as I assign an anonymous user I don't know. Perhaps even a higher probability, as what megalomaniac would wish to remain *anonymous*? Detweiler then points out that a user could post messages under a pseudonym, complimenting himself. Again, this is nothing new. Authors have been known to review their own books, written under pseudonyms; or to write letters to newspapers criticizing themselves. Detweiler claims that public use of pseudonyms is often "dishonest, immoral, and unethical"; he demands that "others should be informed if it is occurring". Well, I hereby inform everyone that it is occurring, and has occurred for centuries, and will carry on occurring. It is not a new risk brought in by technology. Perhaps the problem is that people have got used to the Internet being restricted to institutionalized settings, where user accounts are numbered, and verified to be unique by some central authority. As the Internet spreads into the real world, so the real-world practice of pseudonymity will inevitably spread into the Internet. When everyone has a computer, everyone can have a pseudonym; just as anyone with a pen and paper can develop a real-world pseudonym. Detweiler next moves on to consider the use of pseudonyms in private communication. This, again, is nothing new. Look at the "Henry Root" letters (or "The Lazlo Letters"), Victor Lewis-Smith's crank phone calls, or any of thousands of similar examples. He complains that digital signatures do not solve the problem; unfortunately, he seems to be under the mistaken impression that written signatures are better. In fact, it is quite possible for a person to have multiple handwritten signatures. Then, he moves on to what he calls the "dangerous, insideous [sic], and treacherous" uses of pseudonyms. He gives an example of an anarchist organization using pseudonyms to aid the destabilization of governments, democracy, law enforcement, and so on. Every good conspiracy must have a secret enemy trying to destroy the world. He speaks of carefully-guarded mailing lists and secret societies, and explains that the anarchists could send spoof communications to public addresses, magazines, and the like. I hate to sound repetitive, but again, this threat is nothing new. Look at the spoof "LSD tattoo" announcements purporting to come from police officers, or the pranks played against government departments. Consider campaigners who write multiple letters under pseudonyms to send to politicians. Detweiler then goes even further, talking about "pseudospoofers" as using "brainwashing and an illusion of peer pressure to manipulate unknowing subscribers", with campaigns of "mental assault" to attack doubters. Of course, sinister mind-control techniques are a classic part of any conspiracy theory. Next comes the masterstroke. He explains that the secret pseudospoofer cabal would attack people like him by "disparaging, discouraging and discrediting them publicly and privately as 'paranoid ranters' and 'conspiracy theorists'". So now anyone who criticizes his position is instantly One Of Them, a venomous snake who cannot be trusted, and further evidence of the Great Conspiracy. He suggests that they "might even be able to make a real-world pariah from simulated ire and criticism directed at a single strong opponent, say, L. Detweiler, from many simulated identities in cyberspace". Thus, he hopes, everyone who replies to RISKS criticizing his bizarre fears will become another piece of evidence in his favour. He finishes off by suggesting that the evil pseudospoofers might already be infiltrating public mailing lists, discussion lists concerning email and security software, network administrators' mailing lists, CERT, the DNS databases, and so on. He likens pseudospoofing to a virus infecting the Internet. Again, like most conspiracy theories, the picture painted is one of an insidious threat which has already subverted our most cherished institutions! I'm sorry if this seems impolite, but the entire article seems to me to be 10% misconceptions and 90% pure conspiracy theory. (Oh no! Mathew is One Of Them!) I find such things amusing, but I for one would appreciate it if this sort of nonsense was kept out of RISKS in future. mathew ------------------------------ Date: Thu, 11 Nov 93 14:37:22 EST From: Alex Glockner Subject: Re: Pseudospoofing (RISKS-15.25) While I should be grateful to L. Detweiler for reminding us of the possibility of pseudospoofing on the Internet (sidenote: his anonymity FAQ makes for great reading...), we should also remember that this is `just another' case of network problems that have always existed `out there in the real world'. The RTC (the US-sponsored agency that is responsible for selling off assets of failed Savings and Loan institutions) recently sold a beachfront property to the Audubon Society, a large US environmental group, which in cooperation with a developer would create a preserve from the property. Whoops. Turns out it wasn't the environmental group -- officially, the National Audubon Society incorporated in New York State -- but a group, allegedly associated with the original failed developer, that chose to register in another state with the name "Audubon Society". If the allegation is correct, the developer saved a lot of money from the original purchase price this way... (My apologies for the lack of a citation; this appeared in the Washington Post in October 1993) |> ... These are related to the potential of waging a systematic campaign of |> propaganda, disinformation, or brainwashing unleashed on an unsuspecting |> public by a subversive organization. In American politics, we call this `lobbying'. Any number of groups are misleadingly named and directed to achieve an agenda (*which* groups, of course, depend on your own beliefs, so I won't try to name any). The fact is that most (all?) states have rules that you can choose any name (or more to the point, *names*) that you want as long as 1) the state cannot prove that it is in the public interest to deny your name change or 2) you are not intending to defraud anyone or escape legal obligations. Stage names and pen names are also long-established instances of this, also. Pseudospoofing isn't anything new; it's just a new guise of something thousands of years old...what's the first C program everybody writes? "hello, world"? :-) Alexander Glockner, Asst. Professor, Dept. of Computer Science, Bowie State University Bowie MD 20715 (301) 464-6609 glockner@cosc.bsu.umd.edu ------------------------------ Date: Thu, 11 Nov 93 20:36:23 EST From: pmetzger@lehman.com (Perry E. Metzger) Subject: The Perils of Pseudospoofing (Detweiler, RISKS-15.25) I was amused to see that the article contained an elaborate, and amusingly paranoid, scenario, that describes, thinly veiled, the way that Mr. Detweiler apparently thinks that the "Cypherpunks" mailing list operates. "Cypherpunks" is an informal group of privacy and cryptography advocates -- the lists members include such varied individuals as Phil Zimmerman (the author of PGP), Mike Godwin of EFF, John Gilmore, Phil Karn, a gentleman from CPSR who's name I forget, and other fairly illustrious crusaders for privacy and personal data security in the digital age. Some members of the list are radical libertarians such as myself, who often point out (with some glee) that cryptographic techniques, which are essentially unstoppable because even high school students can now implement extremely secure cipher systems, will likely ultimately eliminate the capacity of the government and others to nose in where they do not belong. With this introduction, I will explain what has happened: Mr. Detweiler has apparently decided that many members of the group are in fact the same person (posting under multiple identities) and that the entire mailing list is a monstrous plot to undermine Truth, Justice, and The American Way. The allegation that most of the mailing lists members are identical is bizarre -- anyone is free to check for themselves that people like Tim May, Eric Hughes, and others are real people. However, Mr. Detweiler became convinced that because so many people disliked his rantings on the list that they all had to, in fact, be the same person. I suppose the notion that more than one person might disagree with him did not cross his mind. I am not a qualified psychiatrist and do not pretend to be one, but I do know paranoid delusions when I see them. As an example: >The CryptoAnarchists might even be able to make a real-world pariah from >simulated ire and criticism directed at a single strong opponent, ... I suppose it never occurred to Mr. Detweiler that he could simply look up folks like Eric Hughes (whom I believe lives in Berkeley), Tim May (whom I believe lives in Aptos, CA), and others, and verify that they exist and have differing voices and the like. However, people who are suffering from insane fantasies rarely bother to listen if people tell them that they have insane fantasies. The following paragraph speaks for itself: >In fact, the CryptoAnarchists might even infiltrate sensitive internal mailing >lists like those maintained by CERT (Computer Emergency Response Team). ... Perry Metzger ------------------------------ Date: Thu, 11 Nov 1993 01:45:05 -0800 From: jamie@netcom.com (Jamie Dinkelacker) Subject: Personal Singularity In a recent Cypherpunk post, the venerated individual E.Hughes suggested individuals make themselves known, and mention L.Detweiler's amorphous post to .risks. First, I'm honored to be mentioned along with May, Szabo, Finney, Hughes, ... indeed, fine company these electrons keep! Jamie Dinkelacker is in fact and in blood an independent individual, living in Silicon Valley, who is finding profit from all the attention he's getting. He goes so far as to post his phone number for people who would care to call and offer consulting contracts for marketing management in the Bay Area. More to the point: Jamie Dinkelacker is the only name I've used posting on the net. Does Detweiler truly exist as an individual? Can anyone attest to his existence as separate from S.Boxx, Jim Riverman, David Sternlight? Who'll take a stand on his behalf? Jamie Dinkelacker Palo Alto CA Jamie@netcom.com 415.941.4782 ------------------------------ Date: Thu, 11 Nov 93 15:14:39 -0800 From: a2@ah.com (Arthur Abraham) Subject: "L. Detweiler"'s single personality problem I would like to attest from personal knowledge that the following personalities each emanate from a separate flesh and blood person: G.Broiles, A.Chandler, J.Dinkelacker, H.Finney, E.Hughes, M.Landry, T.C.May, N.Szabo I myself emanate from yet another flesh and blood person. I have communicated with "L. Detweiler" in the past, and have frequently been amazed by his postings. His/her decline in the past month or two has been somewhat disturbing. It seems to illustrate how it is occasionally possible for strongly held positions, that seem to rely on an slightly unbalanced view of the world, to actually originate in unbalanced minds. ------------------------------ Date: 15 Nov 1993 20:27:55 GMT From: leppik@uxa.cso.uiuc.edu (leppik peter) Subject: Re: pseudospoofing (RISKS-15.25) IMHO, I fail to see the real "risk" in pseudospoofing. Keep in mind that such famous people as Mark Twain and Marilyn Monroe never actually existed (they were "pseudospoofed," as it were, by Samuel Clemens, and Norma Jean, respectively). The only possible risk that exists is if people lose their perspective, and forget the distinction between the network and the real world. Beyond that, the use of realistic-sounding nom-de-plumes for various reasons is a long and time-honored tradition. I see no reason why it should stop merely because the medium has become modulated electric fields, rather than ink and paper. (Did William Shakespeare really exist? Some people with nothing better to do still argue about this question....) Peter Leppik-- p-leppi@uiuc.edu If people have a hard time understanding General Relativity, what makes us think computers will do any better? ------------------------------ Date: 15 Nov 93 21:11:08 GMT From: mc/G=Brad/S=Hicks/OU1=0205925@mhs.attmail.com Subject: Re: Snakes of Medusa and Cyberspace (RISKS-15.25) "If your best friend jumped off of a cliff, would you? Did your mother ask you this? Every four years, lemmings jump off of cliffs. There are no five-year-old lemmings ... unless they've learned to think for themselves." - recent TV ad for radio KPNT 105.7 FM, St. Genevieve/St. Louis, MO OK, by now everybody knows that the lemmings story is a fake, but it's still a potent metaphor, and a relevant one to any discussion of what Mr. L. Deitweiler has termed "pseudospoofing." (Does Mr. Deitweiler exist? In my experience, most real people have first names.) For those of you who've just subscribed, "pseudospoofing" is the use of "spoofed" SMTP mail connections, multiple anonymous mail servers, or other techniques to enable one person to send e-mail messages appearing to be from multiple people. And if you missed Mr. Deitweiler's previous jeremiads, you might not know that this idea scares the water out of him. For example, consider this paragraph from the introduction to his latest lengthy posting on the subject, this one on RISKS Forum Digest, volume 15 issue 25, 10 Nov 1993: > ... These are related to the potential of waging a systematic campaign > of propaganda, disinformation, or brainwashing unleashed on an > unsuspecting public by a subversive organization. Propaganda? I'll answer to that charge myself; I write propaganda for a small not-for-profit educational organization ... if you'll allow me to define propaganda as anything intended to influence people's opinions. (When I do it, it's a forceful essay. When you do it, it's called spin doctoring. When somebody we both think is "evil" does it, it's called propaganda.) But the warnings of disinformation and brainwashing are something else altogether. Not for nothing did David Brin in his novel _Earth_ refer to a UseNet-like system as "the Net of a million lies." All manner of lies have appeared on the Net, from the US government's facile attempt to persuade us that Clipper is a harmless alternative to existing systems and won't be mandatory, to a recent (wonderfully funny) hoax having to do with modem taxes, that fooled even net veterans like Pat Townson of Telecom Digest. But does pseudospoofing make it easier to lie successfully via the Net? If I post a message here that says that I've met J. R. "Bob" Dobbs, and he really exists, will you believe me? Of course not; you know that I don't live in Dallas. (weak grin) You also know, by now, that J. R. "Bob" Dobbs is a myth built around a piece of 1950s clip art, and exists only in the same mystical realm as Santa Claus, Lazarus Long, the Easter Bunny, the World-Wide Satanic Conspiracy, John Galt, the Risen Lord Jesus Christ, the Tooth Fairy, and Wise and Benevolent Government. And you're not going to change your mind on the existence or non-existence of any of these things just because I, or anybody on the Net, told you otherwise. Would you change your mind if ten people on the Net told you so? A hundred? A thousand? Mr. Deitweiler has written that if I were to create (let us say) a hundred and twenty three alternate (fake) net.identities, and each of them sent him mail telling him that black was really white, that he would be in imminent danger of dying at the next zebra crossing. He calls this process "brainwashing." To compare pseudospoofed argumentation to brainwashing is to show that you are far, far too susceptible to peer pressure, and also to irresponsibly diminish the seriousness of brainwashing. As Wilson documented in Leary's _Neuropolitics_, there is a technology for breaking down a person's resistance to ideas and lifestyles that are foreign to them, and "re-imprinting" them with the ideas and values of a new group. But among other things, it requires control of a person's physical environment, food, movement, social environment, and all punishments and rewards. Not for nothing do cult leaders take their converts to remote retreats, "deprogrammers" tie their captives to chairs in remote hotel rooms, fundamentalist preachers preach "separation from the world," and the military isolate recruits from all outside contact, control their every waking moment, and bully them mercilessly during the early weeks of boot camp. But you cannot exert that kind of control over anyone's life or body or mind via the Net. All you can do is create fake peer pressure. And if you're that susceptible to peer pressure, Gods' pity on you. You need to learn to judge arguments by their quality, not by the number of people who say that they agree with them. Does pseudospoofing have dire implications for democracy? Well, no, because in the political context, pseudospoofing isn't that different from what interest groups do now. Do you really think that, for example, everybody who joins the AARP to get the club discounts agrees with everything that organization's lobbyists tell Congress? I doubt it, and any Congressman with any sense doubts it, too. What's more, with the rise of 800-number generated automatic telegrams, clipped coupons, and so forth, a new term has entered American political discourse, the term "astroturf campaign" -- that is, a fake grass roots campaign. Sure, pseudospoofing provides another way to create a fake grass roots campaign. But will anybody be fooled? No. Congressional staff already look for close similarities between supporting messages and inform their bosses of them. Somebody with enough determination could hand-write a thousand letters to Congress trying to influence a piece of legislation, carefully varying each one so that they look like they came from separate constituents. Without pseudospoofing, they would put them in separate envelopes and drop them in mailboxes all over the city over a course of days. With pseudospoofing, they could write a program to batch them out to anon mail servers or spoof them into SMTP mailers over the course of many days. But either way, the =real= work would not be in the mailing process, but in the laborious task of hand-writing a thousand entries while keeping them all different. Who is capable of such an effort? Now, after thinking about the arguments above, if you are still terrified of the possibilities of pseudospoofing, take this challenge: try to design a system that allows anonymous email and anonymous transactions that =doesn't= permit pseudospoofing. Such a system, it seems to me, will have to have =some= entity that knows which aliases go with which real.people, and such a system is by definition not anonymous. After a hundred-plus lines, I am not going to go into the arguments about whether or not anonymity is itself a good or a bad thing. Suffice it to say that there are people, not involved in plotting the overthrow of society or any of Mr. Deitweiler's other paranoid fancies, who believe that anonymity is valuable. All that I hope that I hope to accomplish with this message is to persuade you of is that there is little basis for fear that "the treacherous and toxic effects of pseudospoofing" will lead to "brainwashing" or "general destabilization of governments, democracy, laws, and law enforcement." J. Brad Hicks Internet: mc!Brad_Hicks@mhs.attmail.com X.400: c=US admd=ATTMail prmd=MasterCard sn=Hicks gn=Brad ------------------------------ Date: Mon, 15 Nov 1993 15:22:51 -0700 From: Neil McKellar Subject: Conspiracy 101? (Detweiler, RISKS-15.27) In his article, " The Snakes of Medusa and Cyberspace: Internet identity subversion", L. Detweiler outlines a variety of methods by which 'pseudospoofing' can be used to influence public opinion and research (at least on the Internet). Having read a fair share of spy fiction in my time, none of these methods comes as a surprise to me. :-) And all these methods can be used AGAINST the conspirators in his scenario. Perhaps it's time to pull out my copy of "Schroedinger's Cat" by Robert Anton Wilson, and bone up on conspiracy theory. :-) Neil McKellar (mckellar@cs.ualberta.ca) "Just because you aren't paranoid, doesn't mean they aren't out to get you." ------------------------------ Date: Thu, 11 Nov 1993 14:39:20 -0500 (EST) From: Leonard Mignerey Subject: Re: Snakes of Medusa and Cyberspace... I fail to see the difference between electronic pseudospoofing and print media pen names. It to me that all of Mr. Detweilers arguments hold for that scenario as well. The problem is not in pseudospoofing as much as in an individual relying on a single medium as a source of information. Certainly in the "War of the Worlds" incident, Orsen Wells pseudospoofed a number of people into believing that the Martians and actually landed. This unhappy group of individuals relied solely on their radios (and a single channel at that) for their information. If we are to dive so deeply into cyberspace that it becomes the total extent of our research on important issues, then I think the problem is not in the pseudospoofers but in the pseudospoofed. Leonard J. Mignerey, The Catholic University of America, Washington, DC 20064 Director, Management Information Systems INTERNET: mignerey@cua.edu ------------------------------ Date: Sun, 14 Nov 93 19:57:16 -0700 From: "L. Detweiler" Subject: Pseudospoofing (ld, RISKS-15.25) Many people have emailed me to say that they are skeptical of my scenario about the Internet CryptoAnarchist pseudospoofing conspiracy published in RISKS-15.25. The scenario was built painstakingly from hundreds of messages I have reviewed on the subject over many weeks. I would like to present some of the more interesting pieces of `evidence' (but withhold the more substantial pieces) that there is at least, in one quarter of the Internet, a very strong, systematic, and dedicated attempt to pseudospoof, and a very concerted effort, possibly, to cover it up and viciously attack those who seek to expose it. My informal poll of pseudospoofing posted to the cypherpunks mailing list and talk.politics.crypto was unanswered by top Cypherpunk leadership, and many poll responses were very evasive, and several in the form `yeah, I have done it' with little additional information. The Cypherpunk mailing list and my private mail were my greatest source of inspirations for `Medusa's Snakes in Cyberspace'. For example, three prominent cypherpunks have suggested to me that there is a secret mailing list for `project development' free of `paranoid ranters'. I asked a cyperpunk leader about the existence of the list, and he said that `your question does not allow anything other than an incriminating answer.' * * * Here is a paragraph from a posting on the Cypherpunks list on Oct. 18 1993: ``In my limited experience creating Internet pseudonyms, I've been quite distracted by the continual need to avoid leaving pointers to my True Name lying around -- excess mail to/from my True Name, shared files, common peculiarities (e.g. misspellings in written text), traceable logins, etc. The penet.fi site explicitly maintains a list of pointers to the original address. All kinds of security controls -- crypto, access, information, inference -- have to be continually on my mind when using pseudonymous accounts. The hazards are everywhere. With our current tools it's practically impossible to maintain an active pseudonym for a long period of time against a sufficiently determined opponent, and quite a hassle to maintain even a modicum of decent security. Pointers to info and/or tools to enable the establishment and maintenance of a net.nym, beyond the standard cypherpunks PGP/remailer fare with which I'm now familiar, greatly appreciated. Especially nice would be a list of commercial net providers that allow pseudonymous accounts''. This paragraph contains an astounding amount of data on the possibility of a highly refined, intense, extended, insidious, global, and systematic pseudospoofing effort. Some of the details it suggests, in particular: 1) Based on the context that surrounded this excerpt and the message, the author is intentionally conflating `pseudonymity' (identification of the message implicitly indicates, `this is a pseudonym', such as origination from anon.penet.fi) with `pseudoanonymity' (the deception that `I am a real person'). This is a classic cypherpunk tactic. I have hundreds of subtle variations of this obfuscation in my collection. 2) The author starts with `in my limited experience in creating'... but clearly the author has *extensive* experience with meticulous practice and knowledge that rivals that of the most literate RISKS postings on the subject (for example, the anon.penet.fi site, the possibility of style analysis for identification, etc.) 3) The author clearly has an obsession to completely dissociating all traceability to his actual identity and a virtually fanatical aversion to `pointers to my True Name lying around'. This includes extensive considerations for deleting mail, detecting shared files on a filesystem, and `common peculiarities' like consistent misspellings. 4) The author refers to his efforts at deception as `security controls' and categorizes them in general categories of `crypto, access, information, inference' -- clearly he has dedicated an extreme amount of systematic thinking and effort to the `project' of pseudospoofing. He laments, sounding somewhat like an NSA administrator, that it's `quite a hassle to maintain even a modicum of decent security'. 5) There is an identifiable tone of paranoia in the message that most rational humans would not associate with casual anonymity. `The hazards are everywhere'. The author laments, `It's practically impossible to maintain an active pseudonym for a long period of time against a sufficiently determined opponent'. 6) The objective characterization of a `sufficiently determined opponent' indicates the author considers attempts to trace the pseudoanonymity by what I have been calling `demon exorcists' is an inevitable inconvenience that must be addressed. The author clearly considers it a routine hazard and has encountered and evaded it before. He considers his routine deceptions something like a game strategy. 7) Despite already obviously being an unsurpassed expert, the author requests `pointers to info and/or tools to enable the establishment and maintenance of a [`pseudoanonym'], beyond the standard cypherpunks PGP/remailer far with which I'm now familiar, greatly appreciated.' This may also disguise an attempt to appear to be unsophisticated or determine what extent other `octopuses' are existent in Cyberspace. 8) The author asks for a `list of commercial net providers that allow [pseudoanonymous] accounts' without regard to *geography* whatsoever, suggesting that it is no constraint. That is, the author may have no problem with accounts spread very wide geographically. This is in stark contrast to the standard request, `does anyone know a site in [x] area?' to avoid long distance charges. Clearly, the author has an *obsession* with maintaining *multiple* `pseudoanonyms', possibly over a very *widespread* geographical area, has a paranoia over exposure of one of his `tentacles' but also has conceived and probably practiced countermeasures, and spends a great deal of time polishing his techniques and arsenal. The author is not interested in casual anonymity as a hobby. He is interested in systematic pseudospoofing, virtually as a *profession*. He may even be spreading *disinformation* about his own practices and the extent of his own knowledge. The author continues: ``Another big problem I see with [pseudoanonymous] reputations is entry. If most people are blocking posts from new pseudonyms, how does one get a new reputation established? I've had several years to establish a net.reputation for [...], and it might take a long time for any of my [pseudoanonyms] to catch up. Altruistic sponsorship requires trusted friends knowing the True Name, but that public sponsorship itself provides important clues to that Name.'' This paragraph further promotes pseudospoofing, now suggesting its use in reputable forums: 1) Again, the author alludes to his arsenal of multiple pseudoanonyms, and expresses regret that it will take *a long time* of concerted pseudospoofing for before his other pseudoanonyms may `catch up'. 2) The author appears to be attempting to subvert mechanisms that bar pseudoanonymous identities, trampling on their right to do so in his obsessive promotion of the `reputation' associated with his various name tags. 3) From the context of the message, and the references to `sponsorship by a true name', the author appears to actually be alluding to *identity databases* and ways of infiltrating them with pseudoanonyms. He laments that this `public sponsorship itself provides important clues pointing to that name.' This could be interpreted as a deliberate attempt at deception and corruption of a `True Name' database by conspiracy, and the `clues' that would `point' to a perpetrator of the crime. Actually, because of the blurring of identities and misinformation this author promotes, I think that this paragraph may potentially be another disinformation stab -- the apparent owner of the message may be *itself* a pseudoanonymous identity, *itself* built up over `several years'! (The author posts from the site netcom.com, a site that is notorious for requiring essentially no proof of identity to receive an Internet account.) The author continues with classic cypherpunk dogma that blurs pseudonymous and anonymous identities with pseudoanonymity (`pure anonymity'), and vilifies those who feel `threatened' by the latter: ``I hope that we stick to experimenting with pure anonymity in many venues. I suggest we'll find out that purely anonymous vposts are not so bad, overall. [...] Pure anonymity is a strange, threatening, fascinating beast in our panoptic social-welfare world. Even those of us at the forefront of harnessing this monster shrink back in fear when it whinnies. [...]'' Now, superimpose the `Medusa's Snake's and Cyberspace' essay in your mind as you read the following: ``Pure anonymity provides a voice for a wide variety of new kinds of expression that up until now have been suppressed. [...] I hope we continue experimenting with pure anonymity for a while longer [...]. Some of what comes out might look very strange, something like tapping into previously concealed areas of our social psyche. I suspect the result will be a more honest dialog, a more productive conversation freed from posturing and, ironically, from the concealment of threatening truth. I hope we will observe with Zen patience and allow this quite interesting experiment to continue.'' * * * Since the above posting was to a public list, I will reveal the author of the message I have been dissecting. He is the same person who took my short comment at the end of the `Medusa's Snakes & Cyberspace' essay as an *accusation* that some pseudanonyms may be listed. He writes in RISKS-15.26: >I'd like to assure the readers of RISKS that I am in fact a unique person, >distinct from the other names L. Detweiler listed. Of the people on his list >I know from personal contact, all are distinct people in Real Life(tm). Well >before his post to RISKS, L. Detweiler was provided means of personally >verifying that many of the names he listed are distinct True Names (eg phone >numbers he can call), but it doesn't seem to help. Let's dissect these statements with an eye to rigor. `I am in fact a unique person [...]' means nothing in the question of pseudanonymity -- Medusa may have one of her Snakes claim that `I am a unique person' without lying. Next, `Of the people on his list I know from personal contact, all are distinct people in Real Life(tm)'. But this can be taken to mean only that more than one person is represented by a list of pseudoanonyms. Note the author is careful not to mention *which* people he knows from personal contact. That, after all, might reveal `important clues pointing to that Name'! Also, there is a problem that members of a `cult of pseudospoofers', who subscribe to the `pseudoreligion of pseudoanonymity', as this person apparently does, may twist language to the point of actually maintaining that different pseudoanonymous identities *are* different `people', even when typed in at a keyboard by the same individual! This would not be unlike a fanatic religious sect maintaining that acts of `terrorism' are actually `holy liberation' when commited in the name of God! The author says he is `distinct from the other names L. Detweiler listed.' But again, this is not a guarantee of uniqueness of flesh! The use of the word `name' instead of `people' is quite suspicious in our context! The whole *issue* is that beyond the uniqueness of mere ASCII `names'! The person goes on to state that `Well before his post to RISKS, L. Detweiler was provided means of personally verifying that many of the names he listed are distinct True Names (eg phone numbers he can call) but it doesn't seem to help.' The people I listed are separated by vast geography in their posting sites, with a concentration in California. Furthermore, I have been in private correspondence with all of them over many weeks, and I am unsure of what specifically Mr. Szabo is referring to as my opportunity to verify that `many of the names' are `distinct True Names'. I have never before posted a list of this set of names before! The lack of specific information is highly suspicious in our context! Furthermore, in our context, the issue would not be whether `some' real people are represented in the list, but whether *all* names listed correspond to the legal identities of *unique* human beings! (A complex and widespread pseudospoofing effort actively being orchestrated by some, which very possibly spans many states, may not even be thwarted by the necessity of establishing interstate telephone numbers!) * * * Finally, I have very strong tangential cues that the `Medusa's Snakes in Cyberspace' essay is far more true than hypothetical. Over many weeks I have encountered strong stonewalling, evasion, and counterattacks from some of the most prominent cypherpunks in response to my specific allegations in email. This included a mailbombing, a mailbombing threat, four letters to my site postmaster, two from cypherpunk leaders, one referring to `your latest paranoid descent into fantasy in RISKS', my `violent threats', without quoting any of my statements in particular (I find the thought of a physical threat abhorrent), and suggested `I have a strong feeling you are going to have a very hard time getting a job in the computer industry' in part from the essay. Another called my efforts against pseudospoofing a `a nonsensical, paranoid, one-man jihad against cypherpunks'. Apparently because the lamentations and supplications to my postmaster have largely been ignored, one cypherpunk suggested that `I intend to go beyond your postmaster on the next try, to various former classmates and old friends of mine who are computation center employees, faculty, and administration members at CSU now.' Incidentally, there is a strong overlap between the people perpetrating the above activities and those I credited at the end of my essay. Elsewhere, one cypherpunk suggested that `I better start looking over my shoulder'. Another, in what might be termed `psychopunk humor,' wrote `I'm going to come kill your family with a rusty razor blade' (the latter broadcast on the entire mailing list) and suggested it demonstrated my personal problems in being upset by such a message. These tactics are all quite shocking to me, and I am not sure how to respond to these letters except to perceive them as outrageous and desperate attempts to intimidate and censor me indirectly where other approaches have failed. I warn others of the searing hostility they may encounter on the cypherpunks list -- with philosophies promoted there that are increasingly blurred with raw criminality -- and against any attempts to find an antidote to poisonous pseudospoofing. L. Detweiler ------------------------------ End of RISKS-FORUM Digest 15.27 ************************