X-Message-Number: 2450
From: Ralph Merkle <>
Subject: CRYONICS Identity and the internet
Date: Wed, 10 Nov 1993 17:42:50 PST

The following article might be of interest to readers of this list:

Snakes of Medusa and Cyberspace: Internet identity subversion (L. Detweiler)

------------------------------------------------------------------

RISKS-LIST: RISKS-FORUM Digest  Weds 10 November 1993  Volume 15 : Issue 25

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  No change in Ada policy (Robert I. Eachus)
  Groundhog Day, D-Day, Remembrance Day, and all that (Mark Brader)
  Not so easy to be anonymous (Robert L Ullmann)
  Snakes of Medusa and Cyberspace: Internet identity subversion (L. Detweiler)

The RISKS Forum is a moderated digest discussing risks; comp.risks is its USENET counterpart. Contributions should be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.

----------------------------------------------------------------------

...... Several deleted articles .........

Date: Tue, 02 Nov 93 23:52:05 -0700
From: "L. Detweiler" <>
Subject: The Snakes of Medusa and Cyberspace: Internet identity subversion

I have long tracked the Internet debates on identity issues, such as anonymity, with zeal and commitment. Recently I have become very alarmed by the very serious potential RISKS of a practice I've termed `pseudospoofing'.

In short, there are a few basic categories under which identities may fall in Cyberspace. (This is not a comprehensive list.)

`True Name' -- a person sends a message under their legal identity.

`Anonymously' -- features of the message indicate it could be from anyone. One such feature would include origination from an anonymity server, such as the now-famous Finnish server anon.penet.fi, operated for nearly a year by J. Helsingius.

`Pseudonymously' -- features of the message indicate it was issued under a pseudonym other than a True Name. One might build up a reputation under different pseudonyms. In a technical sense, anon.penet.fi aliases are pseudonyms.

The above categories are well recognized, established, and even all largely entrenched on the Internet.
However, another distinct category exists:

`Pseudoanonymously' -- the message identification is of a `fake' identity, a person that does not exist despite the implicit indications of the message (such as a signature with a realistic name, including a phone number, etc.)

Note that pseudoanonymous postings are unequivocally a form of *active* deception that transcends the *passive* concealment of anonymity, and therein lies the danger. If I posted under the name Jim Riverman and set up a unique phone number for the basic purpose of fooling others into thinking that Jim Riverman was a unique person from myself, many very dark machinations of human trust are possible.

A message that is anonymous could be `from anyone', including a known megalomaniac, and people would be cautious in revealing information to that nonentity -- and are encouraged to speculate on it. (I have advocated and championed this form of anonymity on the Internet.) But someone who supposedly `exists' automatically carries more implicit trust -- including a very important kind of trust that they are unique from other individuals.

I think some social parasites increasingly are exploiting the tradition of openness and honesty on the Internet to prey on others via this technique of pseudospoofing, and that newer, more vicious and insidious forms are evolving.

* * *

For example, I could post public messages under the Jim Riverman identity saying that L. Detweiler is the most eminent authority on anonymity issues the Internet has ever seen. I could rip apart others' public arguments that criticize L. Detweiler and get everyone else to argue about irrelevant details -- an ingenious way to `change the subject' by derailing it with dynamite. This would all be highly effective if I built up an independent reputation as Jim Riverman with periodic, highly refined posts on software engineering or some other topic of interest.
And others might become unwitting accomplices to the deception by quoting sentences or articles by Jim Riverman in their own articles appearing in the same place or other more reputable forums, such as RISKS.

These are just some of the alarming uses of pseudospoofing in *public* environments, which I think most reasonable people would agree, depending on the context and medium, are highly damaging to community trust, and furthermore dishonest, immoral, and unethical. At the bare minimum, others should be informed if it is occurring, or they may feel victimized by a bizarre social experiment on unwilling and unsuspecting participants.

However, there are far more disturbing evils possible with use of pseudospoofing in *private* email. I could contact others in email under the identity Jim Riverman and ask them, `What do you think of L. Detweiler, anyway?' I could even become an apologist for L. Detweiler under Jim Riverman. `Dorothy, I really respect your contributions, but you are way out of line on this one. L. Detweiler is a really nice guy. I've met him personally.' (One Cypherpunk member called some of these uses the `intersection' of pseudonymous identities.)

Even further, I could use this technique as a powerful espionage method of a turncoat, agent provocateur, or double agent in eliciting valuable information from anyone trusting and unsuspecting. One method to build up trust (and perhaps the most basic way) is to provide relevant, valuable information, and then ask for some `in return for the favor.' E.g. Jim Riverman says to the Cyberspace Police, `Yes, I heard L. Detweiler is getting some major heat over his pseudospoofing postings. In fact, he started subscribing to the Criminal Techniques mailing list. What are you guys going to do with him, anyway?'

Again, if the message is pseudoanonymous as opposed to anonymous, even with a built-up online reputation, the trap is dangerously plausible.
Note that `digital signatures' alone do not solve this problem of ensuring that identities correspond to real people. A `true' signature, e.g. a written one, has the property that it is unique to a given individual, outside of illicit forgery. But it is quite feasible for a pseudospoofer to maintain multiple digital signatures and juggle them readily among a large arsenal of fake identities. In this sense what many are calling `digital signatures' are really just `identification tags' if they lack corresponding mechanisms to ensure correlations to actual human identity, e.g. relation to birth certificates or any of the other mechanisms our society has evolved over centuries to authenticate real identities.

* * *

Many jaded readers are probably thinking at this point that they have already seen some of these subversive uses of pseudospoofing and are not alarmed by my scenarios so far. But the uses of pseudospoofing that most alarm me, and form the basis for my article here, are the extremely dangerous, insidious, and treacherous refinements of this technique that could lead to far more serious `real world' consequences outside of the loquacious frivolity of, say, most of Usenet. These are related to the potential of waging a systematic campaign of propaganda, disinformation, or brainwashing unleashed on an unsuspecting public by a subversive organization.

Suppose that a criminal group called the CryptoAnarchists wished to take over the Internet and future Cyberspace, and promote their agenda of pseudospoofing as a way of aiding criminal behaviors such as tax evasion, black marketeering, and general destabilization of governments, democracy, laws, and law enforcement, partly with the aid of pseudospoofing techniques. Unfortunately, the technique of pseudospoofing itself, coupled with the Internet's extreme vulnerability to it, could be used as an extremely powerful tool in accomplishing their goal of cyberspatial domination.
The CryptoAnarchists would first seek to consolidate their supporters in a secret society with very strict membership requirements. They could have a secret mailing list that reaches all of those in the group, from which to plot in secret their activities `in the open'. The secret mailing list would be dedicated to insiders describing their activities, such as the new fake identities they have succeeded in acquiring, who is in charge of which identities, coordinating the software and databases used to prevent `crossings', or leaks that reveal a link between pseudospoofed identities, and gauging the extent of seized domains and `new territories' to be invaded.

The CryptoAnarchists require public manipulation to achieve their ends, however. For this purpose they would find a public mailing list extremely useful. They would promote themselves on this mailing list through the techniques of pseudospoofing, perhaps even to the extent of misleading reporters and obtaining favorable media accounts in newspapers or magazines. They would find it useful to disguise their agenda, of course, say under the guise of `privacy for the masses' or `the cryptographic revolution.'

They might post fake status reports of ongoing `real-world' projects and have insiders confirm them to increase the prestige and respectability of the organization. `Eric May' says, `Oh yes! We are very far along on the anonymous digital cash server!' `T.C. Hughes' says, `Oh yes! I saw the server yesterday! A fine piece of machinery!' They might consistently talk about the beautiful consequences of `pure and true anonymity' when really referring to pseudoanonymity and pseudospoofing. In fact, they might develop an entire mythology, philosophy, even *religion* that promotes pseudospoofing as a liberating capability, and refine and espouse it on their public mailing list. This might include, for example, elevating instances of multiple personality disorder to legendary virtuous status.
They would consistently talk about famous science fiction by respected authors that refers to the blurring of identities, even though it would not really specifically address the issue of pseudospoofing, and implying that it did was just another obfuscatory fabrication. The disinformation campaign would be self-reinforcing: even outsiders, `real people', could themselves become independent proselytizers after being sufficiently converted.

In promoting this philosophy, they would use the techniques of brainwashing and an illusion of peer pressure to manipulate unknowing subscribers. If any subscriber expressed any doubt, the CryptoAnarchists could wage a concerted campaign of mental assault on the victim both on the public mailing list and in private email, to the point that real people would feel isolated, alone, and unsupported -- but only because of the perceived consensus of nonexistent identities.

Even more treacherously, they could target individuals who suspect the existence of conspiracies by disparaging, discouraging, and discrediting them publicly and privately as `paranoid ranters' and `conspiracy theorists'. They would say that while pseudospoofing is possible, it is certainly not widespread, no non-Draconian mechanisms could be implemented to prevent it, and besides, people shouldn't be `punished' for the misdeeds of a few, no one really takes the Internet seriously anyway, people aren't really influenced by propaganda and `peer pressure', and pseudospoofing is simply a `fact of life' of cyberspace. The arguments would usually be couched in the terms of moral relativism. `Hal Dinkelacker' says, `is anything *really* inherently evil? everyone *I've* met who thought so was a fascist!'

The CryptoAnarchists might even be able to make a real-world pariah from simulated ire and criticism directed at a single strong opponent, say, L. Detweiler, from many simulated identities in cyberspace, who are mistaken to be other real, reputable people by L. Detweiler's cyberspatial and real-world associates `under the influence' of the mailing list or other infected outlet, who consequently shun him in both realms.

Unfortunately, because the CryptoAnarchist techniques are so readily concealed, evidence for their conspirational [sic] machinations would be extremely difficult to detect and obtain. When one `tentacle', or fake identity, is discovered, they would simply `cut it off' (stop using it, and dissociate themselves) with no fatal loss to the continued growth of the overall body. Before that, however, they might engage in further disinformation attacks to prevent the `exposure'. I might send information as L. Detweiler to Dorothy saying, `Dorothy-- what makes you think Jim Riverman does not exist? I've met him personally. There are others who can attest that he is real. You are doing nothing but inventing elaborate, insane fantasies by believing otherwise.'

Also in this manner of conspirational manipulation, they would find it very useful to subscribe to, or rather infiltrate, very many Internet mailing lists, particularly those that are extremely sensitive and dedicated to developing Internet protocols, and related to identification and email, such as SMTP (Simple Mail Transfer Protocol), PEM (Privacy Enhanced Mail) or DNS (Domain Name Service). They could find others with queries from another tentacle, say `Nick Chandler', in the form, `does anyone know of lists dedicated to identification protocols? please email me.'

Once subscribed, the CryptoAnarchists could use the aforementioned techniques of pseudospoofing to build up the reputations of their tentacles and manipulate others with those tentacles. If someone suggested a robust protocol for identification on one of these mailing lists, they could engage a single or even multiple tentacles into sabotaging the proposal with scathing criticism and derailing discussion into irrelevant areas.
They could bombard the particularly strong supporters of identity mechanisms with a barrage of flames in the victim's private mail box, with many similar messages from seemingly unique identities saying, in slight variations:

`Greg Landry' says, `I respect what you've done so far in so-and-so area, but your ideas on preventing pseudospoofing are just way too impractical, Draconian, undesirable, and unpleasant, and I think you should give up pursuing them. You've really gone off the deep end. The cat is out of the bag on the Internet and there's just no way to go backwards.'

In fact, the CryptoAnarchists might even infiltrate sensitive internal mailing lists like those maintained by CERT (Computer Emergency Response Team). This would be roughly analogous to a criminal gaining access to insides of the telephone system or a police station. They would be informed ahead of time of law enforcement's knowledge of their conspiracies, and may even be able to thwart their investigations and countermeasures with further insidious manipulations.

They might even subvert the existing Internet SMTP and DNS identification databases. In a sense, the overall effect would ultimately be as devastating as AIDS, like a virus invading the protective and defensive machinery itself designed to stop contagious infections. Once a few snakes of Medusa had their fangs into Cyberspace, an antidote to the invisible, spreading, self-reinforcing poison would be virtually impossible to administer -- Medusa would certainly do *anything* to avoid swallowing it!

* * *

I have become aware of these serious abuses possible with pseudoanonymous posting from my long affiliation with the Cypherpunks, an allegiance I have now severed because of my realization of their basic hidden agenda in promoting the practice of pseudospoofing, or using pseudoanonymous identities in the aforementioned ways to manipulate and systematically deceive others in cyberspace.
I urge others involved with the group to reconsider their own affiliation and crystallize their own position on pseudospoofing.

In `exposing' this practice of pseudospoofing I have written much material, including an essay entitled `The Joy of Pseudospoofing' which I will make available to anyone who contacts me in email. Also, results of an informal survey will be available in a few weeks.

For the highly literate and technically savvy RISKS readers I would like to simply point out some of the most treacherous and insidious uses of this practice -- which, in my view, constitutes an extant, active, slow-creeping poison spreading over the Internet. Unfortunately, as evidence in this claim I cannot be more specific than the previous seemingly fictional account, except to offer an assurance that it is based on true events in my own mailbox in particular, and perhaps on the global Internet in general (I fervently hope energetic and ingenious readers with more resources than I can fill in the blanks, and perhaps become effective pseudospoofed ghost exorcists.)

While many will brand me a frothing alarmist, on the other hand there are absolutely no mechanisms anyone can point to on the Internet that discredit my scenario -- quite to the contrary, its decentralized, unregulated, and open-access traditions validate it -- and the rhetorical question `who could possibly be depraved enough to do all this?' is intended to be answered by this article!

Particularly when the Internet is being used for increasingly deathly serious endeavors such as Presidential opinion gathering and commercial activities, I pray that disastrous reliance is never entrusted to the security of phantoms.
In writing this I hope to

- alert others, particularly those with noncasual scientific and professional interests in the Internet, to the existence and evils of pseudospoofing, its potentially deadly flourishing status, and to be alert for personal encounters with it

- help delineate the `rights' and `recourses' of Cyberspatial participants related to pseudospoofing, particularly with the view of the Internet as a model for future cyberspace -- for example, does everyone at least have the `right' to bar pseudospoofed identities from their own mailbox? to form mailing lists that outlaw it?

- help establish at least a strong, universal taboo against pseudospoofing among those in the online community, particularly the occurrence of `intersections', hopefully on the strong level of the current widespread repulsions for censorship

- encourage others to develop procedures, algorithms, and protocols to dampen the treacherous and toxic effects of pseudospoofing where appropriate, particularly sensitive mailing lists relating to serious project or Internet development efforts

- energize a strong resistance against those who criticize these noble aims of making cyberspace more honest and hospitable via identity and authentication mechanisms

- alert others to the possibility of apologists and reactionaries for the `fluidity of identity on the Internet' who may themselves be pseudospoofed phantom tentacles

- alert others to the possibilities, dangers, and perversions of `infiltrations' into mailing lists, particularly of a systematic and widespread campaign

- urge those running mailing lists to condemn pseudospoofing and require promises to refrain from it as part of membership requirements, and urge members to police each other

- urge anyone conducting surveys or polls on the Internet to view results with extreme prejudice or use greater authentication techniques than mere reliance on email addresses and signatures alone, because of the possibility of increasing, concerted, poisonous pseudospoofing

- hear from others more systematic and scientific measurements and analyses on the degree, and ramifications of, and preventive measures for pseudospoofing on the Internet, particularly on the possibilities and vulnerabilities of SMTP and DNS database subversions (maybe a mailing list dedicated to the subject of thwarting pseudospoofing could be started)

- promote the general area of identification and authentication as a scholarly research subject of the utmost importance, in resolving a key, even primary and paramount element of the current `ideal future cyberspatial infrastructure' debate

``That which can never be enforced should not be prohibited. The claim that a person should have only one pseudonym per forum indicates profound misunderstanding. If someone wants to have multiple ... pseudonyms, they will be able to; that is one of the main goals of cypherpunks software. The situations you despise will occur. This is reality. Change your own psychology or change your own software. You will not be able to change the other person.''
  --E.Hughes, cofounder, Cypherpunks

``Better to live with the occasional vagaries of digital pseudonyms than to ban them.''
  --T.C.May, cofounder, Cypherpunks

``In a false quarrel there is no true valour.''
  --Shakespeare

``Propaganda is to democracy what violence is to totalitarianism.''
  --N. Chomsky

``Oh what a tangled web we weave, when first we practice to deceive.''
  --Sir Walter Scott

``I'm not going anywhere. I like it here.''
  --Snake #7

I thank the following eminent Cypherpunks for ideas in this article, although it should not be construed to be representative of their opinions, and neither can I provide any guarantee they represent unique people: G.Broiles, A.Chandler, J.Dinkelacker, H.Finney, E.Hughes, M.Landry, T.C.May, N.Szabo

Notes:

1) human-readable subscription requests to E.Hughes' Cypherpunks mailing list go to

2) a treatise on the history and psychology of anonymity on the Internet (but not specifically pseudoanonymity) can be obtained from rtfm.mit.edu: /pub/usenet/news.answers/net-anonymity. Some other areas related to this article are covered in [...]/net-privacy.

3) The Cypherpunk archives, including their charter and many documents overtly relating to anonymity (covertly to pseudoanonymity), can be obtained from soda.berkeley.edu:/pub/cypherpunks.

------------------------------

End of RISKS-FORUM Digest 15.25
************************
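Detweiler's point that a digital signature is only an `identification tag' unless something binds the key to a real person, shown in an added example that is not part of the RISKS article or the CryoNet message. One operator mints several Ed25519 keys; every signature verifies, so a verifier that counts keys sees several people, while a verifier that consults an out-of-band registry binding keys to True Names counts only the people actually present. The personas, messages and registry are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// SignedPost is what a list server sees: a verifying key, a message, and the
// signature the poster produced. Nothing here names a person.
type SignedPost struct {
	Pub  ed25519.PublicKey
	Body string
	Sig  []byte
}

// signAs mints a fresh keypair and signs body with it. One operator can do
// this as often as they like; nothing in the keys ties them together.
func signAs(body string) SignedPost {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return SignedPost{Pub: pub, Body: body, Sig: ed25519.Sign(priv, []byte(body))}
}

// countDistinctKeys is the naive verifier: each valid signature under a
// previously unseen key is taken as evidence of a separate person.
func countDistinctKeys(posts []SignedPost) int {
	seen := map[string]bool{}
	for _, p := range posts {
		if ed25519.Verify(p.Pub, []byte(p.Body), p.Sig) {
			seen[string(p.Pub)] = true
		}
	}
	return len(seen)
}

// countVettedPeople also requires the key to be in a registry that binds keys
// to True Names out of band. Unregistered keys still verify but are not
// counted as people, and several keys bound to one name count once.
func countVettedPeople(posts []SignedPost, registry map[string]string) int {
	seen := map[string]bool{}
	for _, p := range posts {
		if !ed25519.Verify(p.Pub, []byte(p.Body), p.Sig) {
			continue
		}
		if trueName, ok := registry[string(p.Pub)]; ok {
			seen[trueName] = true
		}
	}
	return len(seen)
}

// Scenario (constructed): one operator posts under three keys but has
// registered only two of them under their own name; a second, genuine
// person posts under one registered key. Returns (signers the naive
// verifier counts, people the vetted verifier counts).
func Scenario() (int, int) {
	registry := map[string]string{}
	posts := []SignedPost{
		signAs("Persona A agrees with the proposal"),
		signAs("Persona B agrees with the proposal"),
		signAs("Persona C agrees with the proposal"),
		signAs("Second Person: I also agree"),
	}
	registry[string(posts[0].Pub)] = "Operator"
	registry[string(posts[1].Pub)] = "Operator" // two registered keys, one person
	registry[string(posts[3].Pub)] = "Second Person"
	return countDistinctKeys(posts), countVettedPeople(posts, registry)
}
```

The registry stands in for whatever out-of-band vetting a list operator chooses; the code only shows that without it, valid signatures say nothing about how many people are talking.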