Re: HELP NEEDED FROM S'ONE WHO DEEPLY UNDERSTANDS EMAIL & WEB SECURITY

From: Dave Korn (no.spam@my.mailbox.invalid)
Date: 02/25/02 

From: "Dave Korn" <no.spam@my.mailbox.invalid>
Date: Mon, 25 Feb 2002 12:02:51 -0000

"John Smith" <silentzzpartner@yahoo.com> wrote in message
news:e3fd4fa6.0202240210.4e5f62eb@posting.google.com...

> 2. Here's my situation. I've been working in this organization for 19
> years. The last couple of years, the top management has been acting
> strangely, firing a lot of senior managers. Some of my colleagues
> suspect that a major purge of veteran (i.e. more expensive) workers is
> on the way. The union is responding very apathetically, and we fear
> may have been bought off.
> 3. What I want to do is put up an anonymous web site to which workers
> & others can contribute information anonymously by e-mail about what's
> happening in various echelons of the company, and provide secure ways
> for people to access it and write to it.
> 4. If any juicy info about top management will be on the site (and I
> believe it will) it is certain that they will put cyber detectives on
> the trail to try and find out who is responsible, and my head may
> roll. They may also try all kinds of ways to punish those they
> discover accessing the site, or to close the site down. The company
> has a central network from which virtually all workers have e-mail
> access.
> 5. Other limitations &#8211; I need the web site besides being secure
> and anonymous &#8211; also to be free and extremely simple to use
> &#8211; my knowledge of HTML etc. is somewhere between non-existent to
> very limited, and I'm highly un-confident of my computing abilities to
> boot!
>
> I'm writing to this group because you guys probably know about this
> stuff more than anyone else.

[ahm added; recent discussions there have touched on the anonymous web
publishing topic; although in that case there was the added requirement of
needing a service that would allow cgi scripts or log access, which is not
the case here.]

Some of the free webhosts provide a friendly web-based frontend for editing
a simple site. I think http://www.xoasis.com/ is one of those; this is
probably what you need if you're only going to be accessing it from
cybercafes and so on where you might not be allowed to bring in files on a
floppy for uploading.

"Lance Delacroix" <lance_delacroix@fastmail.fm> wrote in message
news:v69i7us09bqab6duvps8tfn6ijco9qsnng@4ax.com...
> Advise people to post using fake-name accounts only; Hotmail is great
> for this. Then edit the addresses out of the posted copies.

  No, hotmail is LOUSY for this, since it tracks the originating IP address,
and since it is run by microsoft, and would surely be glad, as one large
company to another, to hand over server logs to any firm waving a lawyer
around.

  For anonymous posting, use the remailer network. There are many good web
interfaces around, for example https://xenophon.r0x.net/ and to be precise,

  https://xenophon.r0x.net/cgi-bin/mixemail-user.cgi/

  Note that the 'https' does mean that someone accessing from work could not
be monitored by the local system admins; however, I would agree with and
emphasise the advice offered here by others, that to do so would almost
certainly be giving your bosses a degree of power and leverage and grounds
for complaint over you that you do not want them to have.

  Secondly, anonymous publishing on the web is pretty difficult: whatever
free webhost you go to will also keep server logs and will know which IP
address logged in to create the account or edit/update the site. Use public
access points such as cybercafes and libraries; otherwise it gets an *awful*
lot harder and technically complicated to attempt any serious degree of
anonymity that will protect you against someone with a court order. You
might even consider saving the updates for a weekend afternoon when you can
travel to one in a town a couple of hundred miles from your home, if you
want to make it really hard to track you down.

         DaveK 

--
moderator of
alt.talk.rec.soc.biz.news.comp.humanities.meow.misc.moderated.meow
Burn your ID card!  http://www.optional-identity.org.uk/
Help support the campaign, copy this into your .sig!
Proud Member of the Exclusive "I have been plonked by Davee because he
thinks I'm interesting" List Member #<insert number here>
Master of Many Meowing Minions
Holder of the exhalted PF Chang's Crab Wonton Award for kook spankage above
and beyond the call of hilarity.
>
> >3. What I want to do is put up an anonymous web site to which workers
> >& others can contribute information anonymously by e-mail about what's
> >happening in various echelons of the company, and provide secure ways
> >for people to access it and write to it.
>
> Hmmmm...  You can get free web space from a lot of hosting companies
> if you can put up with the ads.  Register the space under a fake name.
> Then use protected directories to receive and store messages, and use
> other protected directories to post them.  Somebody will have to
> actively manage this unless you want to allow write permission to
> everybody you trust with the password.
>
>
> You could also start a listserve mailing list.   This would be a *lot*
> easier than a web site.  You can control access to the mailing list by
> subscription and advise people to only use anon accounts or fake-id
> accounts to post.
>
> Don't under any circumstances use company e-mail or web servers for
> any of this kind of stuff.
>
> Understand that whatever you do, there's going to be a leak.  Protect
> yourself by keeping your true identity completely hidden.  Post from
> internet cafes.
>
> >Final request, please respond to the email address because I have
> >trouble tracking responses by thread.
>
> Just this one time.
>
> > I appreciate any assistance and
> >advice.
>
> Ummmm... better upgrade your skills fast.

Relevant Pages