Re: author identifiability

From: James Wetterau (jwjr@panix.com)
Date: Mon Aug 21 2000 - 10:30:04 MDT


ABlainey@aol.com wrote:
...
> I have already given Max the info. The Loz-feliz library has a policy
> that anyone using their public workstations must provide ID (library card or
> driver's licence). Their personal details are logged. Users can only have 30
> minute sessions and the time is recorded against the user. So jamiro is as
> good as found. That is if the library has been following policy. ...

Not necessarily. If the machine is hackable, someone else sitting at
home anywhere in the world could have possibly hacked a connection to
the computer in the public library and caused it to initiate the
outbound SMTP connection which sent the message. Additionally,
someone could have spoofed the IP address of the computer in the
library. IP spoofing is not that hard. While none of these are
likely contingencies, they cannot be ruled out.

The bottom line is, as this list's users ought to know from our
discussions of cryptography for security and authentication, if you
want true authentication you must *use digital signatures* with a
well-known signed key. If a message arrives without a digital
signature you can have absolutely no assurance that it comes whence it
appears to come.

Everything else is like an unsigned typed postcard -- there's no
privacy and no authentication. Meanwhile I do hope the malefactor is
found and forced to pay the penalty for libel. But I agree with Spike
that we can expect more and more garbage on mailing lists and
websites; perhaps we may even see counter-intelligence type posts in
which people with a grudge post calumnies while masquerading as
well-known members of the list. It is feasible that this could be
done with software to aid in mimicking the vocabulary and
Markov-chains of word sequences that characterize that poster's style,
not to mention using IP spoofing, hacked accounts, etc.

To be sure that mail *really* comes from whom it claims, a digital
signature guarded by a strong passphrase is required. Fortunately, I
believe this list's readers to be intelligent enough to discriminate
among information sources and learn to expect and adopt authentication
for important communications.

All the best,
James Wetterau



This archive was generated by hypermail 2b29 : Mon Oct 02 2000 - 17:36:23 MDT