Your Email Address and Usenet

Earlier in this chapter, I claimed that your email address could expose you to spying on Usenet. In this section, I will prove it.

Your email address is like any other text string. If it appears on (or within the source of) a Web page, it is reachable by search engines. When a spy has your email address, it's all over but the screaming. In fact, perhaps most disturbing of all, your email address and name (after they are paired) can reveal other accounts that you might have.

To provide you with a practical example, I pondered a possible target. I was looking for someone who changed email addresses frequently and routinely used others as fronts. Fronts are third parties who post information for you. By using a front, you avoid being pinned down because it's the front's email address that appears, not your own.

I decided to do a bit of research on a controversial person, Kirk D. Lyons of the Southern Legal Resource Center (SLRC). This name might not be too familiar to many people right away. Mr. Lyons is an outspoken attorney with a history of defending right-wing and extremist groups. He has also been a prominent voice and an active participant in several newsworthy incidents, especially in the last 10 years. Mr. Lyons has been directly involved with issues relating to the Oklahoma Federal Building bombing and Timothy McVeigh, the Ruby Ridge incident with Randy Weaver, and the Waco stand-off, to name a few.

Note

The following exercise is not an invasion of Mr. Lyons' privacy. All information was obtained from publicly available databases on the Internet. Rather, this exercise is very similar to the results of a June 1997 Time magazine article about Internet privacy. In that article, a Time reporter tracked California Senator Dianne Feinstein. The reporter did an extraordinary job, and even managed to ascertain Senator Feinstein's Social Security number. The article, "My Week as an Internet Gumshoe," is by Noah Robischon.
At the time of this writing, it is available online here: http://www.pathfinder.com/time/magazine/1997/dom/970602/technology.my_wek.html.

The first step in tracking an individual is to capture his or her email addresses. To find Kirk D. Lyons's email address, any garden-variety search engine will do, although http://www.altavista.com and http://www.google.com have the most malleable designs. That's where I started. (Remember that I have never met Mr. Lyons and know very little about him.)

I began my search with AltaVista (http://www.altavista.com). AltaVista is one of the most powerful search engines available on the Internet and is provided as a public service by CMGI, Inc. It accepts various types of queries that can be directed toward WWW pages (HTML), images and video, and other forms of digital media. I followed up using Google (http://www.google.com), a newer but amazingly powerful search engine. Don't let the clean, simple interface fool you. Google quickly grew out of obscurity into one of the best search engines available.

I chose AltaVista for one reason: It performs case-sensitive, exact-match regular expression searches. That means that it will match precisely what you search for. (In other words, there are no "close" matches when you request such a search. This feature enables you to narrow your results to a single page out of millions.) In order to force such a precise search, you must enclose your search string in double-quotation marks. I began by searching the Web for this string:

    "Kirk D. Lyons"

This search returned nearly 200 matches, and I started sorting them, looking for anything interesting. Most of what I found were various articles and publications either about Mr. Lyons or written by him. I was able to discover an older, shared email address used by Mr. Lyons and one of his colleagues, unreconfed@cheta.net. Searching for just this email address yielded very little, so I turned to Usenet postings.
Using http://www.deja.com/usenet/, I was able to search thousands of postings. I came across some by Kirk himself using the email address above. What was interesting here is that the email header information was left intact, which gives quite a bit of information:

    Return-Path: unreconfed@cheta.net
    Received: from lexington.ioa.net (IDENT:root@lexington.ioa.net [208.131.128.7])
        by mail.hal-pc.org (8.9.1/8.9.0) with ESMTP id DAA09388
        for <abnrngrs@hal-pc.org>; Thu, 4 Nov 1999 03:23:08 -0559 (CST)
    Received: from 1861 (ppp227.arden.dialup.ioa.com [205.138.38.236])
        by lexington.ioa.net (8.9.3/8.9.3) with SMTP id EAA29654;
        Thu, 4 Nov 1999 04:19:27 -0500
    Message-ID: <1bed01bf26a5$a5ea0560$cb268acd@1861>
    To: <Undisclosed.Recipients@lexington.ioa.net>
    From: "Kirk D. Lyons or Dr. Neill H. Payne" <unreconfed@cheta.net>
    Subject: HELP

From this, it is possible to determine who is using this address, where they were connecting from, and which service provider they used to send the message. I can also determine that this is a dial-up account, possibly a home user account in Arden, North Carolina. Further investigation helped me discover that this individual is heavily involved in Civil War re-enactment. This led me to discover Mr. Lyons's sideline business, Different Drummer, including the address, phone number, fax number, and email address for this business.

Note

Google acquired Deja's Usenet archive as this book went to press. The Deja URLs redirect to http://groups.google.com/; however, Google has yet to make the entire archive available, as Deja had done. Check the Google site often for the progress of that endeavor.

This may not seem like much information, but, in reality, it is enough that I could easily start pulling up business and tax records, property information, and other public data on Mr. Lyons. There is very little limit on how far this investigation could be taken.
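To see exactly which of the facts above come from the Received chain rather than from the visible From line, here is an added example (not from the book) that walks the Received headers in delivery order and reports what the first relay recorded about the sending machine. The sample reproduces the header lines quoted above with the body omitted; the parsing pattern assumes the Sendmail "from X (rdns [ip]) by Y" layout shown there.

```python
import re
from email import message_from_string

# Constructed sample: the Received lines quoted above, body omitted.
SAMPLE = """\
Return-Path: unreconfed@cheta.net
Received: from lexington.ioa.net (IDENT:root@lexington.ioa.net [208.131.128.7])
 by mail.hal-pc.org (8.9.1/8.9.0) with ESMTP id DAA09388
 for <abnrngrs@hal-pc.org>; Thu, 4 Nov 1999 03:23:08 -0559 (CST)
Received: from 1861 (ppp227.arden.dialup.ioa.com [205.138.38.236])
 by lexington.ioa.net (8.9.3/8.9.3) with SMTP id EAA29654;
 Thu, 4 Nov 1999 04:19:27 -0500

(body omitted)
"""

# Sendmail layout assumed: "from <HELO name> (<reverse DNS> [<IP>]) by <relay>"
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s*(?:\((?P<comment>[^)]*)\))?\s+by\s+(?P<relay>\S+)")
ADDR_RE = re.compile(r"([\w.-]+)\s*\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def trace_hops(raw):
    """Return the Received chain in delivery order (first hop first).

    Every relay prepends its own Received line, so the header order is the
    reverse of the path the message actually travelled.
    """
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = re.sub(r"\s+", " ", value)           # unfold the header
        m = HOP_RE.search(value)
        if not m:
            continue                                  # unparseable line: skip it
        addr = ADDR_RE.search(m.group("comment") or "")
        hops.append({
            "helo": m.group("helo"),                  # name the client announced
            "client_host": addr.group(1) if addr else None,  # relay's reverse lookup
            "client_ip": addr.group(2) if addr else None,    # address the relay saw
            "relay": m.group("relay"),
            "date": value.rsplit(";", 1)[-1].strip(),
        })
    return hops

def origin(raw):
    """What the first relay recorded about the sending machine."""
    first = trace_hops(raw)[0]
    host = first["client_host"] or ""
    return {
        "ip": first["client_ip"],
        "host": host,
        "helo": first["helo"],
        # Provider naming conventions leak the connection type (and here the town).
        "dialup": any(tag in host for tag in ("dialup", "dial", "ppp")),
        "first_relay": first["relay"],
    }

if __name__ == "__main__":
    for hop in trace_hops(SAMPLE):
        print(hop)
    print(origin(SAMPLE))
```

The reverse-DNS name and IP in the innermost Received line are supplied by the relay, not by the sender, which is why they survive even when the From line is a shared or borrowed address.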
In just a few minutes using freely available Internet Web site based searching, I was able to gather a considerable amount of information about Mr. Lyons. That might not initially seem very important. You are probably thinking, "So what?" However, think back to what I wrote at the beginning of this chapter. Twenty years ago, the FBI would have spent thousands of dollars (and secured a dozen wiretaps) to discover the same information.

Usenet is a superb tool for building models of human networks. (These are groups of people that think alike.) If you belong to such a group (and maintain controversial or unpopular views), do not post those views to Usenet. Even though you can prevent your Usenet posts from being archived by making x-no-archive: yes the first line of your post, you cannot prevent others from copying the post and storing it on a Web server. By posting unpopular political views to Usenet (and inviting others of like mind to respond), you are inadvertently revealing your associations to the world.

DejaNews

As previously noted in this chapter, Google bought the Usenet archives from Deja. At press time, the entire archive was not online as it had been with Deja. However, it's quite likely that the archives will be back online eventually. Check in with http://groups.google.com/ for the status. So do not assume that your postings cannot be found one day!

To recap, assume that although your real name does not appear on Usenet postings, it does appear in the /etc/passwd file on the UNIX server that you use as a gateway to the Internet. Here are the steps someone must take to find you:

1. The snooping party sees your post to Usenet. Your email address is in plain view, but your name is not.

2. The snooping party tries to finger your address, but, as it happens, your provider prohibits finger requests.

3. The snooping party telnets to port 25 of your server. There, he issues the expn command and obtains your real name.
Having gotten that information, the snooping party next needs to find the state you live in. For this, he turns to the WHOIS service.

The WHOIS Service

The WHOIS service (centrally located at rs.internic.net) contains domain registration records of all American, non-military Internet sites. This registration database contains detailed information on each Internet site, including domain name, server addresses, technical contacts, telephone number, and address. Here is a WHOIS request result on the provider Netcom, a popular Northern California Internet service provider:

    NETCOM On-Line Communication Services, Inc (NETCOM-DOM)
       3031 Tisch Way, Lobby Level
       San Jose, California 95128
       US

       Domain Name: NETCOM.COM

       Administrative Contact:
          NETCOM Network Management (NETCOM-NM) dns-mgr@NETCOM.COM
          (408) 983-5970
       Technical Contact, Zone Contact:
          NETCOM DNS Administration (NETCOM-DNS) dns-tech@NETCOM.COM
          (408) 983-5970

       Record last updated on 03-Jan-97.
       Record created on 01-Feb-91.

       Domain servers in listed order:

       NETCOMSV.NETCOM.COM          192.100.81.101
       NS.NETCOM.COM                192.100.81.105
       AS3.NETCOM.COM               199.183.9.4

Take a good look at the Netcom WHOIS information. From this, the snooping party discovers that Netcom is in California. (Note the location at the top of the WHOIS return listing, as well as the telephone points of contact for the technical personnel.)

Armed with this information, the snooping party proceeds to http://www.worldpages.com/. WorldPages is a massive database that houses the names, email addresses, and telephone numbers of several million Internet users. At WorldPages, the snooping party uses your real name as a search string, specifying California as your state. Instantly, he is confronted with several matches that provide name, address, and telephone number. Here, he might run into some trouble, depending on how common your name is. If your name is John Smith, the snooping party will have to do further research.
However, assume that your name is not John Smith; your name is common, but not that common. The snooping party uncovers three addresses, each in a different California city: One is in Sacramento, one is in Los Angeles, and one is in San Diego. How does he determine which one is really you?

He proceeds to the host utility. The host utility will list all machines on a given network and their relative locations. With large networks, it is common for a provider to have machines sprinkled at various locations throughout a state. The host command can identify which workstations are located where. In other words, it is generally trivial to obtain a listing of workstations by city. These workstations are sometimes even named for the cities in which they are deposited. Therefore, you might see an entry such as the following:

    chatsworth1.target_provider.com

Chatsworth is a city in southern California. From this entry, we can assume that chatsworth1.target_provider.com is located within the city of Chatsworth.

What remains for the snooper is to reexamine your Usenet post. By examining the source code of your Usenet post, he can view the path the message took. That path will look something like this:

    news2.cais.com!in1.nntp.cais.net!feed1.news.erols.com!howland.erols.net!
    ix.netcom.com!news

By examining this path, the snooping party can now determine which server was used to post the article. This information is then coupled with the value for the NNTP posting host:

    grc-ny4-20.ix.netcom.com

The snooping party extracts the name of the posting server (the first entry along the path). This is almost always expressed as a host name and not as an IP address. For the snooping party to complete the process, the IP address is needed. Therefore, he telnets to the posting host. When the Telnet session is initiated, the numeric IP address is resolved via DNS and printed to STDOUT.
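The Path and NNTP-Posting-Host headers just described are also what you should inspect in your own articles before (or after) posting. Here is an added example (not from the book) that reads a Usenet article, lists the Path sites in the order the article actually travelled, names the server that injected it, checks that the posting host agrees with that server, and tests for the x-no-archive marker both as a header and as the first body line. The article is constructed from the Path and posting host quoted above; the poster's name, address and Message-ID are placeholders.

```python
from email import message_from_string

# Constructed article: Path and posting host from the text above, rest placeholders.
ARTICLE = """\
Path: news2.cais.com!in1.nntp.cais.net!feed1.news.erols.com!howland.erols.net!ix.netcom.com!news
From: someone@example.invalid (Example Poster)
Newsgroups: alt.test
Subject: test
Message-ID: <constructed.example@ix.netcom.com>
NNTP-Posting-Host: grc-ny4-20.ix.netcom.com

x-no-archive: yes
Hello world.
"""

def path_in_transit_order(path_value):
    """Split a Path header into its sites, oldest first.

    Each relaying server prepends its own name, so the rightmost entry is
    where the article entered the network and the leftmost is the server the
    reader fetched it from. The final element is usually a pseudo-entry such
    as "news" or "not-for-mail" rather than a host.
    """
    return list(reversed(path_value.strip().split("!")))

def audit(raw):
    """Report what an article exposes about where it was posted from."""
    msg = message_from_string(raw)
    sites = path_in_transit_order(msg.get("Path", ""))
    # The injecting server is the first real host name (one containing a dot).
    hosts = [s for s in sites if "." in s]
    injector = hosts[0] if hosts else None
    posting_host = msg.get("NNTP-Posting-Host")
    # Deja honoured x-no-archive either as a header or as the first body line.
    body = msg.get_payload() or ""
    first_line = body.lstrip("\n").split("\n", 1)[0].strip().lower()
    no_archive = (msg.get("X-No-Archive", "").strip().lower() == "yes"
                  or first_line == "x-no-archive: yes")
    return {
        "sites": sites,
        "injecting_server": injector,
        "posting_host": posting_host,
        # A posting host inside the injector's domain confirms the provider.
        "host_matches_injector": bool(injector and posting_host
                                      and posting_host.endswith("." + injector)),
        "no_archive_requested": no_archive,
    }

if __name__ == "__main__":
    for key, value in audit(ARTICLE).items():
        print(f"{key}: {value}")
```

Even when no_archive_requested is true, the posting host and injecting server are still in the article as delivered to every reader, which is the point made in the text above.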
The snooping party now has the IP address of the machine that accepted the original posting. This IP address is then run against the outfile obtained by the host query. This operation reveals the city in which the machine resides.

Tip

If this information does not exactly match, the snooping party can employ other methods. One technique is to issue a traceroute request. When tracing the route to a machine that exists in another city, the route must invariably take a path through certain gateways. These are main switching points through which all traffic passes when going in or out of a city. Usually, these are high-level points, operated by telecommunication companies such as MCI, Sprint, and so forth. Most have city names within their addresses. Bloomington and Los Angeles are two well-known points. Thus, even if the reconciliation of the posting machine's name fails against the host outfile, a traceroute will reveal the approximate location of the machine.

Having obtained this information (and having now differentiated you from the other names), the snooping party returns to WorldPages and chooses your name. Within seconds, a graphical map of your neighborhood appears. The exact location of your home is marked on the map by a circle. The snooping party now knows exactly where you live and how to get there. From this point, he can begin to gather more interesting information about you. For example:

- The snooping party can determine your status as a registered voter and your political affiliations. He obtains this information at http://www.wdia.com/lycos/voter-records.htm.

- From federal election records online, he can determine which candidates you support and how much you have contributed. He gets this information from http://www.tray.com/fecinfo/zip.htm.

- He can also get your Social Security number and date of birth. This information is available at http://kadima.com/.

Many people minimize the seriousness of this.
Their prevailing attitude is that all such information is available through other sources anyway. The problem is that the Internet brings these sources of information together. Integration of such information allows this activity to be conducted on a wholesale basis, and that's where the trouble begins.

As a side note, complete anonymity on the Internet is possible, but usually not achievable by legal means. Given enough time, for example, authorities could trace a message posted via anonymous remailer. (Although, if that message were chained through several remailers, the task would be far more complex.) The problem is in the design of the Internet itself. As Ralf Hauser and Gene Tsudik note in their article On Shopping Incognito:

    From the outset the nature of current network protocols and applications runs counter to privacy. The vast majority have one thing in common: they faithfully communicate end-point identification information. "End-point" in this context can denote a user (with a unique ID), a network address or an organization name. For example, electronic mail routinely communicates sender's [sic] address in the header. File transfer (e.g., FTP), remote login (e.g., Telnet), and hypertext browsers (e.g., WWW) expose addresses, host names and IDs of their users.

Then there is the question of whether users are entitled to anonymity. I believe they are. Certainly, there are plenty of legitimate reasons for allowing anonymity on the Internet. The following is excerpted from Anonymity for Fun and Deception: The Other Side of "Community" by Richard Seltzer:

    Some communities require anonymity for them to be effective, because without it members would not participate. This is the case with Alcoholics Anonymous, AIDS support groups, drug addiction support and other mutual help organizations, particularly when there is some risk of social ostracism or even legal consequences should the identity of the members be revealed.
This is a recurring theme in the now-heated battle over Internet anonymity. Even many members of the "establishment" recognize that anonymity is an important element that might preserve free speech on the Internet, not just here but abroad. This issue has received increased attention in legal circles. An excellent paper on the subject was written by A. Michael Froomkin, a lawyer and prominent professor. In Anonymity and Its Enmities, Froomkin writes:

    Persons who wish to criticize a repressive government or foment a revolution against it may find remailers invaluable. Indeed, given the ability to broadcast messages widely using the Internet, anonymous email may become the modern replacement of the anonymous handbill. Other examples include corporate whistle-blowers, people criticizing a religious cult or other movement from which they might fear retaliation, and persons posting requests for information to a public bulletin board about matters too personal to discuss if there were any chance that the message might be traced back to its origin.

Anonymity and Its Enmities by Professor Froomkin is an excellent source for links to legal analysis of Internet anonymity. The paper is an incredible resource, especially for journalists. It can be found on the Web at http://warthog.cc.wm.edu/law/publications/jol/froomkin.html.

However, not everyone feels that anonymity is a good thing. Some people believe that if anonymity is available on the Internet, it amounts to nothing but anarchy. A rather ironic quote, considering the source, is found in Computer Anarchy: A Plea for Internet Laws to Protect the Innocent, by Martha Seigel:

    People need safety and order in cyberspace just as they do in their homes and on the streets. The current state of the Internet makes it abundantly clear that general anarchy isn't working. If recognized governments don't find a way to bring order to the growing and changing Internet, chaos may soon dictate that the party is over.
You might or might not know why this quote is so incredibly ironic. The author, Martha Seigel, is no stranger to "computer anarchy." In her time, she has been placed on the Internet Blacklist of Advertisers for violating network policies against spamming the Usenet news network. The Internet Blacklist of Advertisers is intended to curb inappropriate advertising on Usenet newsgroups and via junk e-mail. It works by describing offenders and their offensive behavior, expecting that people who read it will punish the offenders in one way or another. The following is quoted from the docket listing on that Blacklist in regards to Cantor & Seigel, Ms. Seigel's law firm:

    The famous greencard lawyers. In 1994, they repeatedly sent out a message offering their services in helping to enter the U.S. greencard lottery to almost all Usenet newsgroups. (Note in passing: they charged $100 for their service, while participating in the greencard lottery is free and consists merely of sending a letter with your personal information at the right time to the right place.) When the incoming mail bombs forced their access provider to terminate their account, they threatened to sue him until he finally agreed to forward all responses to them.

The Internet Blacklist can be found on the Web at http://math-www.uni-paderborn.de/~axel/BL/blacklist.html.

However, all this is academic. As we move toward a cashless society, anonymity might be built into the process. In this respect, at least, list brokers (and other unsavory information collectors) had better do all their collecting now. Analysis of consumer-buying habits will likely become a thing of the past, at least with relation to the Internet. The majority of electronic payment services being developed (or already available) on the Internet include anonymity as an inherent part of their design. Several digital electronic payment systems exist today. A lot of research has been done in this area.
Several companies currently developing such systems are:

- eCash Technologies
- Zero-Knowledge Systems
- CyberCash
- Millicent

What I have a hard time understanding is how these systems can provide anonymous transactions. The reason I bring this up is simply that records must be maintained, log files generated, transactions authorized, and people involved to ensure the system works. Therefore, these "anonymous" transactions really aren't, and that brings you to my warning.