Anonymity needs to be preserved in some situations, but in the case of some security threats, total anonymity is dangerous. Michael Kassner looks at the problem of remailers.
My neighbor — a native of Pittsburgh — was really upset last night. "I'd like to get my hands on the scum." Not a pleasant thought considering few standard-sized cars fit around him.
Staying out of harm's way, I asked what was wrong. "They're messing with my granddaughter," he said. "You know the one that goes to 'Pitt'." Who in their right mind would do that, I wondered. My neighbor's wife handed me a copy of this letter from the Dean of Students:
"First and foremost, I want to reiterate that your safety is our primary concern, and that no explosive devices have been found in any of our buildings after thorough evacuations and searches. We will continue to increase the police presence and security on campus and work with the FBI, the U.S. Attorney's office, and local authorities to bring an end to these threats."
You may remember that the University of Pittsburgh had a shooting incident in March. If that's not enough, the university has now received several bomb threats — the reason my neighbor is so upset. According to this Pittsburgh Post-Gazette article, the threats began as bathroom graffiti, graduating to emails sent to local newspapers.
One quote in the article immediately grabbed my attention:
"It would be very difficult if not impossible to trace this," Ms. Cranor said.
You may recognize the name Cranor. Dr. Lorrie Faith Cranor provided insight on numerous articles of mine. Lorrie oversees Carnegie Mellon University's CyLab Usable Privacy and Security Lab — only a few blocks from the Pitt campus.
The article also mentioned that remailer technology was used to send the threat emails. I knew very little about remailers, and less yet as to why it's hard to determine the sender. I did know that needed to change.
Remailers are Internet-connected servers designed to forward email without revealing any information about the sender. Remailer technology is divided into two major categories — "traceable" and "anonymous."
Services like Craigslist or Match.com use the traceable (pseudo-anonymous) version. Here the service provider replaces the sender's email address with a pseudonym before the email is sent to the recipient. This way, neither the sender nor the recipient knows the other's address.
But the provider does, and that could be a problem for the sender wanting to remain anonymous. Law-enforcement agencies could obtain a court order to release the information.
Anonymous remailers are different:
"By not keeping any list of users and corresponding anonymizing labels for them, a remailer can ensure that any message that has been forwarded leaves no internal information behind that can later be used to break identity confidentiality."
Routing information is not stored, so there is nothing to turn over. That is why anonymous remailers are preferred by those wanting complete anonymity.
My first thought was: why even use traceable remailers? Then I found out why. Anonymous remailers are not user-friendly and are difficult to set up. That fact was not lost on the investigators when they determined that Mixmaster — an anonymous remailer — was the weapon of choice for sending threats to the University of Pittsburgh.
"Mixmaster is an anonymous remailer which sends messages in fixed-size packets and reorders them, preventing anyone watching the messages go in and out of remailers from tracing them."
It seems that Mixmaster is up to the task of anonymizing:
- No retention of routing data
- No way to check the remailing servers
I'm afraid there's more. It's possible to employ several Mixmaster servers in a chain, each stripping information from the previous server before forwarding the email. The email eventually gets to the recipient, but all traces of the original sender are gone. Finally, if the sender is super-serious, the intermediary remailing servers could be located in different countries — to leverage the lack of cooperation across borders.
Now I understand why Lorrie said it's almost impossible to determine the email's origin if remailers are used.
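An added illustration, not code from the article or from Mixmaster: a toy model of the passive observer that the Mixmaster description above refers to, showing why fixed-size packets and reordering remove the two cues (message size and arrival order) that link what enters a relay to what leaves it. The packet size, sample traffic and function names are constructed for this sketch, and payloads are assumed to be encrypted so that only sizes and ordering are visible.

```python
import random

PACKET_SIZE = 128  # constructed value for this sketch, not Mixmaster's real packet size

# Constructed sample traffic: (sender label, body). The labels are ground truth
# used only for scoring; the observer sees sizes and ordering, never labels.
TRAFFIC = [("alice", b"hi"), ("bob", b"meeting at noon"), ("carol", b"x" * 40),
           ("dave", b"see attached notes, thanks"), ("erin", b"y" * 90)]

def plain_relay(traffic):
    """Forward each message unchanged and in arrival order."""
    return list(traffic)

def pad(traffic):
    """Sender side: pad every body to one fixed packet size."""
    return [(who, body.ljust(PACKET_SIZE, b"\0")) for who, body in traffic]

def mix_relay(packets, rng):
    """Collect a batch of packets and emit it in random order."""
    batch = list(packets)
    rng.shuffle(batch)
    return batch

def anonymity_sets(seen_in, seen_out):
    """Per input, how many outputs a size-matching observer cannot rule out."""
    out_sizes = [len(body) for _, body in seen_out]
    return [out_sizes.count(len(body)) for _, body in seen_in]

def order_guess_accuracy(seen_in, seen_out):
    """Fraction of inputs linked correctly by guessing 'i-th in is i-th out'."""
    hits = sum(a[0] == b[0] for a, b in zip(seen_in, seen_out))
    return hits / len(seen_in)

def average_mix_accuracy(trials=2000, seed=1):
    """Mean order-guess accuracy against the mix over many shuffled batches."""
    rng = random.Random(seed)
    packets = pad(TRAFFIC)
    scores = [order_guess_accuracy(packets, mix_relay(packets, rng)) for _ in range(trials)]
    return sum(scores) / trials

if __name__ == "__main__":
    print("plain relay:", anonymity_sets(TRAFFIC, plain_relay(TRAFFIC)),
          order_guess_accuracy(TRAFFIC, plain_relay(TRAFFIC)))
    packets = pad(TRAFFIC)
    print("mix relay:  ", anonymity_sets(packets, mix_relay(packets, random.Random(7))),
          round(average_mix_accuracy(), 2))
```

With the plain relay every message has an anonymity set of one; with padding and shuffling each of the five packets is indistinguishable from the other four, and the order guess does no better than chance.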
I'm not sure how I would feel if my son received a letter like the one sent to my neighbor's granddaughter. How about you?