The dark side of anonymous remailers

Anonymity needs to be preserved in some situations, but in the case of some security threats, total anonymity is dangerous. Michael Kassner looks at the problem of remailers.

My neighbor -- a native of Pittsburgh -- was really upset last night. "I'd like to get my hands on the scum." Not a pleasant thought considering few standard-sized cars fit around him.

Staying out of harm's way, I asked what was wrong. "They're messing with my granddaughter," he said. "You know the one that goes to 'Pitt'." Who in their right mind would do that, I wondered. My neighbor's wife handed me a copy of this letter from the Dean of Students:

"First and foremost, I want to reiterate that your safety is our primary concern, and that no explosive devices have been found in any of our buildings after thorough evacuations and searches. We will continue to increase the police presence and security on campus and work with the FBI, the U.S. Attorney's office, and local authorities to bring an end to these threats."

The Story

You may remember that the University of Pittsburgh had a shooting incident in March. If that's not enough, the university has now received several bomb threats -- the reason my neighbor is so upset. According to this Pittsburgh Post-Gazette article, the threats began as bathroom graffiti, graduating to emails sent to local newspapers.

One quote in the article immediately grabbed my attention:

"It would be very difficult if not impossible to trace this," Ms. Cranor said.

You may recognize the name Cranor. Dr. Lorrie Faith Cranor provided insight on numerous articles of mine. Lorrie oversees Carnegie Mellon University's CyLab Usable Privacy and Security Lab -- only a few blocks from the Pitt campus.

The article also mentioned that remailer technology was used to send the threat emails. I knew very little about remailers, and less yet as to why it's hard to determine the sender. I did know that needed to change.

Remailers

Remailers are Internet-connected servers designed to forward email without revealing any information about the sender. Remailer technology is divided into two major categories -- "traceable" and "anonymous."

Services like Craigslist or Match.com use the traceable (pseudo-anonymous) version, in which the service provider replaces the sender's email address with a pseudonym before the email is sent to the recipient. This way, neither the sender nor the recipient knows the other's address.

But the provider does, and that could be a problem for the sender wanting to remain anonymous. Law-enforcement agencies could obtain a court order to release the information.

Anonymous remailers are different:

"By not keeping any list of users and corresponding anonymizing labels for them, a remailer can ensure that any message that has been forwarded leaves no internal information behind that can later be used to break identity confidentiality."

Routing information is not stored, so there is nothing to turn over. That is why anonymous remailers are preferred by those wanting complete anonymity.

My first thought was: why even use traceable remailers? Then I found out why. Anonymous remailers are not user-friendly and are difficult to set up. That fact was not lost on the investigators when they determined that Mixmaster -- an anonymous remailer -- was the weapon of choice for sending threats to the University of Pittsburgh.

Mixmaster

Per Wikipedia:

"Mixmaster is an anonymous remailer which sends messages in fixed-size packets and reorders them, preventing anyone watching the messages go in and out of remailers from tracing them."

It seems that Mixmaster is up to the task of anonymizing:

  • No retention of routing data
  • No way to check the remailing servers

I'm afraid there's more. It's possible to employ several Mixmaster servers in a chain; each stripping information from the previous server before forwarding the email. The email eventually gets to the recipient, but all traces of the original sender are gone. Finally, if the sender is super-serious, the intermediary remailing servers could be located in different countries -- to leverage the lack of cooperation across borders.

Now I understand why Lorrie said it's almost impossible to determine the email's origin if remailers are used.
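
As an added illustration (not code from the article or from the Mixmaster project), the toy model below shows what the fixed-size packets and reordering described above take away from a passive observer, compared with a relay that forwards messages unchanged. The packet size, the sample senders and all function names are assumptions made for the model; it looks only at size and order, not at the per-hop encryption a real remailer also applies.

```python
import random

PACKET_SIZE = 2048  # assumed for this model; not Mixmaster's actual packet length

# Constructed sample traffic: (sender, message body). Lengths differ on purpose.
SAMPLE = [
    ("alice", b"a" * 312),
    ("bob",   b"b" * 1780),
    ("carol", b"c" * 95),
    ("dave",  b"d" * 640),
]

def to_packet(body):
    """Pad a message to the fixed packet size, as the sending client would."""
    if len(body) > PACKET_SIZE:
        raise ValueError("longer messages need several packets; not modelled here")
    return body + bytes(PACKET_SIZE - len(body))

def plain_forwarder(traffic):
    """Relay messages unchanged and in arrival order."""
    seen_in = [(sender, len(body)) for sender, body in traffic]
    seen_out = [(len(body), sender) for sender, body in traffic]
    return seen_in, seen_out

def mix_node(traffic, rng):
    """Relay fixed-size packets, releasing the collected batch in random order."""
    packets = [(sender, to_packet(body)) for sender, body in traffic]
    seen_in = [(sender, len(pkt)) for sender, pkt in packets]
    seen_out = [(len(pkt), sender) for sender, pkt in packets]
    rng.shuffle(seen_out)
    return seen_in, seen_out

def candidate_senders(seen_in, seen_out):
    """Passive observer: link each outbound item to inbound senders by size.

    The true sender kept in seen_out is ground truth for scoring only and
    is never read here.
    """
    return [{s for s, size in seen_in if size == out_size}
            for out_size, _truth in seen_out]

def summarize(seen_in, seen_out):
    """Count outbound items pinned to exactly one sender, and the smallest candidate set."""
    sets = candidate_senders(seen_in, seen_out)
    exact = sum(1 for c, (_, truth) in zip(sets, seen_out) if c == {truth})
    return {"uniquely_linked": exact,
            "smallest_anonymity_set": min(len(c) for c in sets)}

if __name__ == "__main__":
    print("plain:", summarize(*plain_forwarder(SAMPLE)))
    print("mix:  ", summarize(*mix_node(SAMPLE, random.Random(7))))
```

With the plain relay every outbound message maps to one sender; through the mix each outbound packet is consistent with every sender in the batch, so the batch size is the observer's whole uncertainty.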

Final thoughts

I'm not sure how I would feel if my son received a letter like the one sent to my neighbor's granddaughter. How about you?

About

Information is my field...Writing is my passion...Coupling the two is my mission.

68 comments
dayen

My Kids the Hunt would be on, this is one where it depends on who you know and what you know, someone's going to have a real bad day

j2will

In an ideal world, we would probably not need such things but this is the real world . . . With the government getting more and more big brotherly, less and less becomes the privacy of the individual citizen. Thus the need for anonymous remailers. Also, with the availability of anonymous remailers, the bad guy may not use some poor naive worker's email account to send hate mail or threats from the PC they left unsecure while going on break.

valduboisvert

There are many other ways to hide your identity online. If there were no options to hide your identity online do you think these people would not do what they are already doing? Does anybody think they won't find other means of sending threats outside of internet? Blaming remailers sounds like an excuse for a serious police investigation and I can see the reasoning behind that as well but I won't go into details defending the police work here.

Zzyzyx

How did anonymity get tied to freedom of speech? As I recall the founding fathers didn't send an anonymous letter to the King of England. I think it was a Declaration of Independence that 56 people signed with their true name. That doesn't sound anonymous to me. I don't think anonymity has anything to do with freedom of speech. As I see it there is an inherent distrust of others and the potential abuse of power by the government. Both of these are of great concern and a reason why anonymity is desired. On the first point, there are people who will without regard to the consequences to themselves or others cause harm to another. I think Zwort described such an incident. This is why internet aliases may provide some degree of protection against the actions of another individual. On the second point, there are many with power including governments that abuse their power for their own ends and find ways of justifying its use such as in restricting the freedom of speech. This is what I believe the founding fathers were addressing. I don't think they were advocating that people hide in the shadows, but that people should be able to speak their ideas without fear of another using power to stop them or harm them. Of course, that is an ideal world...

Thumper1

Better, more streamlined technology does not come without either a price or drawbacks. There will always be scum-of-the-earth bottom feeders to either cash in or persecute someone for their own sick purposes.

LokiTM

I wrote Mixmaster back in the early 1990's. I would be happy to answer questions about it. My thinking about anonymity has always been that there are lots of ways for bad people, especially if they are not worried about breaking the law, to be anonymous. There are lots of reasons for good people without technical skills to want to be strongly anonymous. This suggests that tools such as Mixmaster, in general, will do more good than harm.

sysop-dr

There are a lot of other ways to be anonymous than the use of remailers. Things that are truly anonymous, but we won't go into them here. So will making remailers go away make it easier to find people? No, and getting rid of them will not be easy anyway as they are so spread out and there are so many of them. Most likely the way these people will be caught is because they will mess up, either they are known to the university and have a grudge or/and they will let it slip to someone that they are the one.

jhoward

I am not denying these are terrible things but it is a slippery slope to begin tracking and marking internet traffic. This may be perfectly fine for China to implement but where does it stop? Is it even feasible to believe we could do anything? More to the point, the internet is global and connects people in new ways that would have been thought inconceivable until the late 20th century. Can we always trace back snail mail to the original sender? Had this been a handwritten letter originating from some Middle Eastern country would we be shouting to require proper identification to send a letter? Let's be realistic. Again, I am not saying what happened wasn't horrible, but how many civil liberties must we all give up because of the few misguided? How much freedom are you willing to give up to feel safe? Once that snowball starts rolling it becomes harder and harder to stop.

Al_nyc

This is no different than someone dumping a letter in a mail box. It's anonymous with little information to trace back to the origin. This looks like it will be another excuse to invade someone's computer privacy.

Zwort

Ah yes. As you may remember me saying a year or two back, I was stalked and my stalker learned how to use first cypherpunk then mixmaster mailers. I taught myself even to 'roll my own' in pursuit of learning what was happening. In short this individual used remailers in pursuit of a private agenda, driven by his distorted view of what the world owed him, and tried to destroy many careers. He used one of the standard ploys on me, accusing me of paedophilia, thereby also demonstrating his ignorance of dotted IP numbers, DHCP and so on. One professional, now very well known for his useful and money earning website, even found himself facing legal threats from this anonymous creep. At the end of it all I have to thank the hacking community (and I do mean hackers, not script kiddies) for the novel and amusing ways in which they dealt with him. I learned a thing or two. I also found myself laughing with tears streaming down my face at the things they did to my stalker. I believe that he will remember the nightmares they gave him. True anonymity is almost impossible to find, though Jack B Nymble, mixmaster remailers and older versions of windows make it impossible to all but the most powerful, who may be able to attack using man in the middle techniques. I haven't paid any attention to this for probably 10 years, so I can't remember the theoretical line of attack that was articulated by a prominent member of that part of the online community, in the days when there were not very many of us. I've forgotten how to configure it, and I don't know if there are any newer packages, but it's possible to be a very busy nuisance with very little risk at all. Is it wrong for such a powerful degree of anonymity to be so easily available? In spite of my experiences I do not think so. I have used my ability to make anonymous contact for the purpose of whistle blowing. 
I do not know what I would have done without it, and I know of other cases where more needy people than I have been grateful for it.

tsnow

What about DKIM and SPF (especially in combination)? Both of these technologies exist today and would ensure email could not use remailers, wouldn't they? The only way email could then be delivered would be if the sending server could be verified. You could blacklist remailer servers when located. If they are as hard to set up as you say, then re-configuring or creating new ones would discourage would-be admins. This would also seriously combat spam.

Matt Nawrocki

I happen to have witnessed the aftermath of the tragic shootings back in March, and I can only say that this bomb threat business is a disturbing side-effect, probably generated from someone with way too much time on their hands wanting to instill further fear. I do hope someone will find out who is behind these baseless, anonymous threats. It's a darn shame services like Mixmaster are abused in this way. What a travesty...

Kenogami

In contacts list add a letter or number in front of all your contacts. This prevents anyone from using the contacts list to re-mail. It goes to postmaster and comes back as undeliverable. I know it's an inconvenience because you have to edit contacts to remove the letter or number but it works. Randy

Michael Kassner

Universities are such magical places. So when problems like this creep in, it touches all of us.

Michael Kassner

It's not an ideal world. And your comment about an individual's email account being utilized for slander is big-time scary.

Michael Kassner

I wasn't trying to blame anything specific. I wanted to shed light on a technique used for seemingly wrongful purposes. I was hoping for some insight in possible solutions for those in similar situations.

LokiTM

The Federalist Papers? I would think that China, Iran, Egypt, Libya, Myanmar, etc. would make a strong case for why anonymity often equals free speech. I completely agree that people SHOULD be able to speak without fear, but the world does not seem to actually work that way. Even in America voicing political opinions can be a career limiting move depending on your employer.

andrew232006

Can anyone speak without fear? Today almost everything we say or do is tracked and can be used against you. A politician you criticize could be a favorite of a prospective employer. Speak out against certain groups and you may be harassed and slandered relentlessly or in the case of certain popular criminal organizations, killed. People can speak freely without being anonymous, but if they go against popular opinion, they're going to be punished for it in some way. And most people will think twice before they do it again. I imagine the founding fathers were not so public when they were a group of 2 or 3 planning treason against the crown.

Michael Kassner

I for one appreciate you pointing out the difference: Hiding in the shadows versus speaking without fear. That struck me as an important point.

Michael Kassner

That is very true, all one has to do is look at the history of weapons.

NickNielsen

The problem is not the tool, but the way the tool is used.

Michael Kassner

I sincerely appreciate your taking the time and offering to answer questions. I did not realize Mixmaster was started in the 90s. I think you are finding that most of the members are in agreement with you.

Zwort

I think the long term potential may outweigh the damage. Thanks for writing it. I've used it, enjoyed it, and like all the little bells and whistles that can be used. Something like chaff among other things, ISTR. Truly beautiful stuff.

Michael Kassner

You brought up several good points. I'm thinking it's the age-old story, just with fancier tools.

JCitizen

just good detective work. Even Kaczynski could have been caught earlier this way.

Michael Kassner

But, as I've been asking other members what would you suggest be done. What would you say to the students and professors at Pitt?

Zwort

A good summary of my concern, and thank you. To repeat, I was harassed by someone using these techniques. The extent to which he felt empowered and able to pursue me can be summed up thus: I used to think I'd worked out what he'd do next, but he started to surprise even me. He must have sat there for hours, working out how to use his armamentarium of anonymous tools but he could. He had no job and no life. That is a part of the clue.

Michael Kassner

I was hoping for a discussion on what we could possibly do. What would you say to the students at Pitt?

JCitizen

Very interesting as well! I think many in law enforcement forget that just good ol' smart gumshoe work can reveal who the suspects are, even in cases like Pitt.

JCitizen

campus security would never know a nut had bad designs on the University. Maybe if the email were redirected to a security concern, or law enforcement; then I could advocate that kind of plan.

Michael Kassner

You and the people of Pittsburgh are in our thoughts. Hopefully this will end without anyone getting hurt.

ultimitloozer

What you are referring to is pretty much one of the first defenses against code running in Outlook back in the late 90s that when opened even in the preview pane would email itself to everyone in your contact list. These remailers are not the same thing. They are on the server side of email delivery, not the client endpoints.

Michael Kassner

The person wanting to remain anonymous does not have to use a bogus email address. That real address gets stripped along the way.

valduboisvert

My apologies, I didn't mean to imply your article is attacking this technology, but just to express my opinion that we are looking in the wrong place. Not all problems can be solved with a computer. I believe a classic investigation would be a much better start, not to mention that this will eliminate a LOT of potential suspects by not considering any internet user who has the possibility of sending anonymized emails. I would expect the person/s who does this are there. What are the motives? The police are very good at this type of investigation, but they need a "case" to start something like this. There are other options besides police though, like private detectives for example.

Michael Kassner

I appreciate your voicing a different way of looking at the situation. It's not a perfect system, is it?

Michael Kassner

As always, simple and to the point. You have a way of cutting out the chaff.

jhoward

That is a good question. What action do you take against anonymous threats to which the merit cannot be determined? You try your best to find the culprit and do your best to be on alert but after that it is life as usual with some idiot being an idiot. In theory you go after the root cause but what is the root cause here? Political unrest? An angry student hiding behind the guise of a political agenda? No one knows really except the perpetrator(s). So what do you go after? How do you fight terrorism? It is an idea - not a person or even a real tangible thing. Reminds me of "the war on terror" - what does that even mean? What are the tangible goals you can achieve? So to answer your original question the answer is I don't know - but the answer is also not giving up my civil liberties that countless others have died securing and protecting before me.

Zwort

It's possible to register with some remailers and have anonymous stuff barred (obviously this is more useful in Usenet, where intelligently used kill filters can work a treat) . Also filters in email systems work well, filtering on the IP # and so on. The problem is that, if a remailer is filtered out and a genuine warning comes through the whole thing seems to have been a wasted effort; what if someone dies or is seriously hurt because a Mixmaster message does not make it through? Perhaps some offenders will be caught if filtering is not adopted (and as I said I can defeat pattern matching software), and some will get through. There was a case in the UK a few years back, in which an elderly lady had been dropping poison pen letters through the letter boxes of her fellow villagers. It was a nightmare and, although her anonymity was in the end broken, she managed to cause mental illness in a few of her targets. This is not greatly different to Mixmaster remailing IMNSVHO, and let's remember that Mixmaster/Cypherpunk remailers have been around for a long time. A few cases like the 'Territickle' case demonstrate the power of marrying intelligent nastiness to IT. Ban Mixmaster remailers as much as we want, there are many ways to be a nuisance. Tho' I've forgotten the specifics, I knew how to telnet into an appropriate server and send messages to Usenet that did not betray my IP#; add to that the increasing presence of free Wi-Fi in public places and useable free proxies that can be chained up, and you can see that the Mixmaster controversy misses the point, namely that there are too many useable facilities that can be used in different combinations for the purposes of harassment. Pattern matching is one of the few hopes that are left, but as I say I can defeat it. Such harassment is usually carried out by individuals whose profile can be with a reasonable degree of certainty predicted. 
This is only the start though; the point would be to profile vulnerable kids in schools and determine how such disorders (and they are disorders) can be prevented in the first place. This would be to the benefit of offenders and victims. As an example a Scottish forensic psychologist in the UK has been working on a very difficult category of childhood disorders which is implicated in very serious crimes in the mature individual. There have been signs of success in staving these things off. Thus it may be of more help to obviate the problem using educational, psychological and psychiatric methods and, better still, trying to find an optimal size and way of running communities. I have my pet examples, for example the age-cohort systems run in tribal African societies (which admittedly have their own drawbacks, such as 'witchcraft' trials which end in death and no evidence of witchcraft). Groups tend to be self policing, self healing and detect it more quickly and easily when one of their own 'goes wrong'. Sorry for the length of the answer, which is more psychological than IT, precisely because the problem lies, not with the technology, but with the person using it.

Zwort

Thanks for that. I caught him out by using hand cranked pattern matching and a grep tool. Subsequently I've developed a significant interest in pattern matching software, and intend to take this to its logical academic extreme. There are ways to avoid even pattern matching software though. As to gumshoe work, have a laugh at what one of my friends did. She nailed the IP# of another, very well known stalker down, rigged up her system to text her each time the poster was at it; with a friend she discreetly positioned herself in the student computing hall where the deeds were done, snaffled the Netscrape Hx files to confirm the target's identity, and maintained obs on her until enough dirt came together. The target was arrested and all because of some good old fashioned detective and hacking work. 'I have detailed files', some of which I posted through a mixmaster chain as a warning which the target ignored. I hadn't thought about this for years now. Happy days.

tsnow

Of course but if it was a required component of the mail infrastructure, remailers would stop being used. Then the crazies would have to find another avenue of communication (hopefully leaving a trail).

Michael Kassner

In the bio at the end of the article is a contact button. Thanks.

Zwort

I've never used the system to contact a Tech Rep member and don't know how to do it, even though I've temporarily allowed all scripts. Would you mind initiating contact so that I can respond? Ta.

Zwort

Heh. I'm so used to not divulging data that I won't reveal specifics in public. If you could assure the data would be handled sensitively I can put them your way. A lot took place in public.

Zwort

All our text and speech contains idiosyncrasies that identify us, give us away. I've done pattern analysis 'by hand' as it were, but now see there is plenty of good pattern matching software that works online. It can be used in plagiarism ( http://plagiarism.bloomfieldmedia.com/z-wordpress/ see also http://www.claremontmckenna.edu/writing/Examining%20Anti.htm ) and it can be used to track offenders. The interface between offenders and the net has grown into a major interest of mine, as I've hinted before, and I'm hoping to set up a full time academic research project this year. You will be one of the first to know Michael if my labours are not fruitless! The hand cranked pattern matching using a grep tool would essentially be boolean searches of saved material for standard phrases, misspellings and so on. I don't want to give any more away if you don't mind.
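
An added example, not part of the comment above and not the commenter's own tooling: a small sketch of the kind of boolean search over saved material that the comment describes, looking for stock phrases and misspellings. The saved posts, the marker list and the function names are all constructed for illustration.

```python
import re

# Constructed sample material: saved posts, each with a label for its source.
SAVED = [
    ("anon-1",  "I definately know who moved the files. Mark my words, I dont forget."),
    ("anon-2",  "You will recieve another note soon. Mark my words."),
    ("known-A", "I definately posted that. I dont care who reads it, mark my words."),
    ("known-B", "I definitely did not receive the notes. Please don't shout."),
]

# Hypothetical markers an analyst might note while reading: misspellings and stock phrases.
MARKERS = {
    "definately":    re.compile(r"\bdefinately\b", re.I),
    "recieve":       re.compile(r"\brecieve[sd]?\b", re.I),
    "dont":          re.compile(r"\bdont\b", re.I),
    "mark my words": re.compile(r"\bmark my words\b", re.I),
}

def markers_in(text):
    """Names of all markers that occur in one post."""
    return {name for name, rx in MARKERS.items() if rx.search(text)}

def boolean_search(saved, all_of=(), none_of=()):
    """grep-style AND / NOT query over saved posts; returns matching labels."""
    hits = []
    for label, text in saved:
        found = markers_in(text)
        if set(all_of) <= found and not (set(none_of) & found):
            hits.append(label)
    return hits

def overlap(saved, target_prefix, candidate):
    """Jaccard overlap between markers in the target posts and one candidate's posts.

    A high score is a lead for further checking, not an identification:
    common misspellings are shared by many writers.
    """
    def profile(pred):
        found = set()
        for label, text in saved:
            if pred(label):
                found |= markers_in(text)
        return found
    target = profile(lambda l: l.startswith(target_prefix))
    cand = profile(lambda l: l == candidate)
    union = target | cand
    return len(target & cand) / len(union) if union else 0.0

if __name__ == "__main__":
    print(boolean_search(SAVED, all_of=["definately", "mark my words"]))
    for who in ("known-A", "known-B"):
        print(who, overlap(SAVED, "anon-", who))
```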

Michael Kassner

You have me interested. Could you explain what you are referring to, please?