Re: HELP NEEDED FROM S'ONE WHO DEEPLY UNDERSTANDS EMAIL & WEB SECURITY
From: ThePsyko (thepsyko@itookmyprozac.com) Date: 02/26/02
- In reply to: Dave Korn: "Re: HELP NEEDED FROM S'ONE WHO DEEPLY UNDERSTANDS EMAIL & WEB SECURITY"
From: ThePsyko <thepsyko@itookmyprozac.com> Date: Tue, 26 Feb 2002 09:51:29 GMT
On 25 Feb 2002 in that fucked up hellhole known as
alt.hackers.malicious, an identity claiming to be Dave Korn spewed forth
news:Nzqe8.2747$5o.1729267@newsr2.u-net.net:
> "John Smith" <silentzzpartner@yahoo.com> wrote in message
> news:e3fd4fa6.0202240210.4e5f62eb@posting.google.com...
>
>> 2. Here's my situation. I've been working in this organization for 19
>> years. The last couple of years, the top management has been acting
>> strangely, firing a lot of senior managers. Some of my colleagues
>> suspect that a major purge of veteran (i.e. more expensive) workers
>> is on the way. The union is responding very apathetically, and we
>> fear may have been bought off.
>> 3. What I want to do is put up an anonymous web site to which workers
>> & others can contribute information anonymously by e-mail about
>> what's happening in various echelons of the company, and provide
>> secure ways for people to access it and write to it.
>> 4. If any juicy info about top management will be on the site (and I
>> believe it will) it is certain that they will put cyber detectives on
>> the trail to try and find out who is responsible, and my head may
>> roll. They may also try all kinds of ways to punish those they
>> discover accessing the site, or to close the site down. The company
>> has a central network from which virtually all workers have e-mail
>> access.
>> 5. Other limitations – I need the web site besides being secure
>> and anonymous – also to be free and extremely simple to use
>> – my knowledge of HTML etc. is somewhere between non-existent
>> to very limited, and I'm highly un-confident of my computing
>> abilities to boot!
>>
>> I'm writing to this group because you guys probably know about this
>> stuff more than anyone else.
>
> [ahm added; recent discussions there have touched on the anonymous web
> publishing topic; although in that case there was the added
> requirement of needing a service that would allow cgi scripts or log
> access, which is not the case here.]
>
> Some of the free webhosts provide a friendly web-based frontend for
> editing a simple site. I think http://www.xoasis.com/ is one of
> those; this is probably what you need if you're only going to be
> accessing it from cybercafes and so on where you might not be allowed
> to bring in files on a floppy for uploading.
>
> "Lance Delacroix" <lance_delacroix@fastmail.fm> wrote in message
> news:v69i7us09bqab6duvps8tfn6ijco9qsnng@4ax.com...
>> Advise people to post using fake-name accounts only; Hotmail is great
>> for this. Then edit the addresses out of the posted copies.
>
> No, hotmail is LOUSY for this, since it tracks the originating IP
> address, and since it is run by microsoft, and would surely be glad,
> as one large company to another, to hand over server logs to any firm
> waving a lawyer around.
>
> For anonymous posting, use the remailer network. There are many good
> web interfaces around, for example https://xenophon.r0x.net/ and to be
> precise,
>
> https://xenophon.r0x.net/cgi-bin/mixemail-user.cgi/
>
> Note that the 'https' does mean that someone accessing from work could
> not be monitored by the local system admins; however, I would agree
> with and emphasise the advice offered here by others, that to do so
> would almost certainly be giving your bosses a degree of power and
> leverage and grounds for complaint over you that you do not want them
> to have.
>
> Secondly, anonymous publishing on the web is pretty difficult:
> whatever free webhost you go to will also keep server logs and will
> know which IP address logged in to create the account or edit/update
> the site.
> Use public access points such as cybercafes and libraries; otherwise
> it gets an *awful* lot harder and technically complicated to attempt
> any serious degree of anonymity that will protect you against someone
> with a court order. You might even consider saving the updates for a
> weekend afternoon when you can travel to one in a town a couple of
> hundred miles from your home, if you want to make it really hard to
> track you down.
>
> DaveK

If it were me, I would find a host that will allow prepayment of 6-12
months, cash. Then for the initial setup of the site, bounce through
proxies in as many unfriendly countries as possible... since you don't
want the unsuspecting coworker to visit the site and leave his/her
footprints all over it, you can force visitors to use an anonymizing
service via PHP (i.e. if they connect from an IP not known to belong to an
anonymizing service, the script bounces them over to the anonymizer,
using javascript (since it's run clientside) to utilize a popup window
which gives instructions on submissions)... in addition, since that
visitor already had his/her GET request logged by the server itself, the
script would then create a flurry of GET requests from random hosts... to
make it truly effective, it would have to do this at random intervals
even when there was no visitor activity... participants could submit via
the anon gateway to the account mailbox, which (ok, so I'm assuming php
is going to be compiled correctly here :) a separate script would
periodically check the mail, parse the content and then add it to the
appropriate part of the site...

And if you think about it, what is there saying that the site host even
has to be in this country? I'm sure there are plenty of far away
countries that don't give a rat's ass about our political system and would
just LOVE to get their hands on some good ol' American cash...
-- ThePsyko Public Enemy #7 "God told me to skin you alive"
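
An added illustration, not part of ThePsyko's post or any code from the thread: a Python model of the anonymizer gate the post describes, showing that the host's access log still holds the address of a visitor who connects directly, even though the script redirects them. The address ranges, the `anonymizer.example` URL and all function names are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample data (documentation address ranges) standing in for
# "IPs known to belong to an anonymizing service".
ANONYMIZER_NETS = [ipaddress.ip_network(n)
                   for n in ("192.0.2.0/24", "2001:db8:a::/48")]
ANONYMIZER_URL = "https://anonymizer.example/"  # hypothetical placeholder

LogEntry = Tuple[str, str, int]  # (remote address, path, status)


@dataclass
class Response:
    status: int
    location: Optional[str] = None


def via_anonymizer(remote_addr: str) -> bool:
    """True if the connecting address is inside a listed anonymizer range."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # unparsable address: treat as a direct visitor
    return any(addr.version == net.version and addr in net
               for net in ANONYMIZER_NETS)


def handle(remote_addr: str, path: str, access_log: List[LogEntry]) -> Response:
    """Gate one request. The log line is written whatever the gate decides,
    as a web server does for every request it answers."""
    allowed = via_anonymizer(remote_addr)
    access_log.append((remote_addr, path, 200 if allowed else 302))
    return Response(200) if allowed else Response(302, ANONYMIZER_URL)


def direct_visitors(access_log: List[LogEntry]) -> List[str]:
    """Addresses the host's log still holds for visitors who were redirected."""
    return sorted({ip for ip, _path, status in access_log if status == 302})


if __name__ == "__main__":
    log: List[LogEntry] = []
    for ip in ("192.0.2.44", "203.0.113.9", "2001:db8:a::1"):  # constructed
        print(ip, handle(ip, "/", log))
    print("still identifiable from the log:", direct_visitors(log))
```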