Title: | ARCHIVE-- Topics of Interest to Women, Volume 1 --ARCHIVE |
Notice: | V1 is closed. TURRIS::WOMANNOTES-V5 is open. |
Moderator: | REGENT::BROOMHEAD |
|
Created: | Thu Jan 30 1986 |
Last Modified: | Fri Jun 30 1995 |
Last Successful Update: | Fri Jun 06 1997 |
Number of topics: | 873 |
Total number of notes: | 22329 |
563.0. "Building an anonymous notes facility" by MAY20::MINOW (Je suis marxiste, tendance Groucho) Mon Nov 30 1987 12:51
This is a spinoff from the "member's only" conference discussion in 561.
As the person who first stated that you should assume that anything you
note is stapled to your résumé, I've wanted an anonymous noting facility
for some time.
It would be based on the Boston Globe's hundred year-old (!) "Confidential
Chat" section and (I think) would be relatively immune to misuse.
1. Registration: you run a program that asks for your pseudonym, and a
password. It would then one-way encrypt both (using a published procedure
such as the VMS password algorithm) and mail them to a central database.
If the encrypted pseudonym is not already registered, it would be
registered to you. Note that no record is kept of your real name or node.
2. The moderator of a notesfile must register the file as "accepting
anonymous entries." or "accepting entries after approval."
3. Posting notes: you would compose the note offline, then run a program
that asks for your pseudonym and password. The composition program would
then send them (one-way encrypted) to the registry program. If they are
present, the registry sends a two-way encryption session key, and the
composition program sends the pseudonym, one-way encrypted password,
notesfile, "action" (new note, reply, deletion request), and the message
text all encrypted using the one-time key. The unencrypted password
is never sent from your machine.
If everything checks out, a central notes-agent would post the note from
its account. If the notesfile accepts entries only after approval, the
note would be set hidden.
Note that the owner of the "anonymous notes" agent could still spoof the
system, but no-one could accurately associate a note with an author without
privileged access to the author's system (or traffic analysis, of course).
Also, you would have to trust the registry program and central notes agent
to not archive the system/user from this particular session.
The Globe's system does maintain a registry of "real" and "Chat" names,
but has never released this information. This could be added to the above
proposal, but then the "who should we trust" question arises. The only
program that runs on the user's system could be written in DCL, and, except
when posting a note, transmits no private information -- the notes agent
doesn't have to know your system or login name.
The various programs and databases could be "published" in both source
and executable form, so the suspicious user could verify that the
actual program was not hiding anything. Again, this could be spoofed by
the owner of the notes agent, but a committee could probably keep things
honest.
I suspect some of the Security people could poke big holes in this, but
it might get something started.
Martin.
PS: some definitions for the non-technical:
One-way encryption: a way of "hashing" some text that VMS uses to store
your password. Even if you can read the encrypted text, you can't figure
out the original password. Even knowing the program used to one-way
encrypt text doesn't let you get at the information. By one-way encrypting
the pseudonym and password, the registry can determine that only the
registered person is posting this note.
Two-way encryption: makes the text unreadable if you don't have the
decryption key. The notes mechanism uses this to send the actual notes
text so it's more difficult for someone watching the network to see who
posted something.
Traffic analysis: a way of accessing secret information by watching what
happens. For example, if I've tapped into your network and see a block of
1234 bytes of encrypted data go to the user agent from MAY20::MINOW, then see
a 1234 byte note in womannotes posted 2 minutes later from "What, me worry,"
I have a pretty good idea of who that pseudonym really belongs to.
Spoofing: masquerading as someone else. If your machine is down (because
I pulled the fuse), and I have a machine on the same Ethernet, I can change
my machine's node name to yours and bring it online to the network. Then I
can create an account in your name and do something that other people think
was done by you.
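The registration and posting exchange proposed in note 563.0, sketched in Python as an added example that is not part of the original note or of any DEC program. PBKDF2 stands in for the VMS password algorithm, a toy XOR keystream stands in for the two-way encryption, looking up the session by hashed pseudonym is an assumption, and all class, function and field names are hypothetical.

```python
import hashlib, hmac, json, secrets

def one_way(text):
    # Stand-in for the "published procedure"; PBKDF2 with a public salt is an assumption.
    return hashlib.pbkdf2_hmac("sha256", text.encode(), b"anon-notes", 20_000).hex()

def two_way(key, data):
    # Toy SHA-256 counter keystream XOR (same call encrypts and decrypts); not a real cipher.
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class Registry:
    def __init__(self):
        self.personae = {}    # hashed pseudonym -> hashed password; no real name or node
        self.notesfiles = {}  # step 2: notesfile -> "anonymous" or "approval"
        self.sessions = {}    # hashed pseudonym -> one-time session key
        self.posted = []      # (notesfile, pseudonym, text, hidden)

    def register(self, h_pseud, h_pass):       # step 1: first claim wins
        if h_pseud in self.personae:
            return False
        self.personae[h_pseud] = h_pass
        return True

    def open_session(self, h_pseud, h_pass):   # step 3: hashes in, session key out
        stored = self.personae.get(h_pseud)
        if stored is None or not hmac.compare_digest(stored, h_pass):
            return None
        self.sessions[h_pseud] = secrets.token_bytes(32)
        return self.sessions[h_pseud]

    def post(self, h_pseud, blob):             # step 3: encrypted request
        key = self.sessions.pop(h_pseud, None)  # the key is usable exactly once
        if key is None:
            return "rejected"
        req = json.loads(two_way(key, blob))
        mode = self.notesfiles.get(req["notesfile"])
        if mode is None or not hmac.compare_digest(req["password"], self.personae[h_pseud]):
            return "rejected"
        self.posted.append((req["notesfile"], req["pseudonym"], req["text"], mode == "approval"))
        return "hidden" if mode == "approval" else "posted"

def compose(reg, pseudonym, password, notesfile, text):
    # Runs on the user's machine: the clear-text password never leaves this function.
    hp, hw = one_way(pseudonym), one_way(password)
    key = reg.open_session(hp, hw)
    if key is None:
        return "rejected"
    req = {"pseudonym": pseudonym, "password": hw, "notesfile": notesfile, "action": "new note", "text": text}
    return reg.post(hp, two_way(key, json.dumps(req).encode()))
```

Because the registry compares only the hashed password, that hash is itself the credential on the wire, which is why the first message of step 3 needs the same protection as the second.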
T.R | Title | User | Personal Name | Date | Lines |
---|
563.1 | Get it canned... | ASD::LOW | Merge with Authority | Mon Nov 30 1987 13:07 | 18 |
| Re: .0
Yeah, that's it. And we'll have a 'laser umbrella' of star
wars defense satellites to protect us, too...
;-) ;-)
In all seriousness, that will take some time/effort. I would suggest
that anonymous notes facility from SINGLES be borrowed/stolen.
I think the moderator of SINGLES is a contributor to this file as
well. It seems as though it would work well "off the shelf".
It hides the identity of the writer, but allows response via
MAIL and NOTES to the "real" author. This allows the moderators
to know who "really" wrote a note, but they seem trustworthy ;-)
Dave
|
563.2 | Yes, but... Reality in the workplace. | VAXRT::CANNOY | There are no fnords in the ads. | Mon Nov 30 1987 13:14 | 23 |
| That sounds neat, Martin, except I firmly believe that the moderators
of the conference *must* know who the anonymous noters are. We have
run up against problems (in Human_Relations) that show that the
moderators are responsible for the conference and must be able to
find/get ahold of/phone any noter very quickly. I don't think that
the upper levels of management, which sometimes get involved in
problem-solving in conferences, would allow that type of anonymous
facility.
What happens if someone just creates a persona for 1 note/reply and
then deletes the info about that persona? How can you make that
type of person responsible?
I strongly feel that if you can't trust at least one of the moderators
(a good argument for multiple moderators), with your identity, then
you may not wish to have 20,000 people reading your note.
I like the idea of having this information available to the moderators,
but perhaps not automatically. They could go look it up, but not
have a facility which tells them automatically who the anonymous
noters are.
Tamzen
|
563.3 | This is a *bad* idea | VCQUAL::THOMPSON | Noter at large | Mon Nov 30 1987 13:26 | 6 |
| I agree with Tamzen that a totally anonymous notes facility is
a very dangerous thing. The ability for abuse is very high.
Likewise if you can't trust at least one person with the identity
of a posting then you should think twice about entering it.
Alfred
|
563.4 | | QUARK::LIONEL | We all live in a yellow subroutine | Mon Nov 30 1987 13:34 | 15 |
| I have spoken with Rich Whalen about the mechanism he uses for
SINGLES. What reply 1 seems to have missed is that the posting of
anonymous notes in SINGLES is almost entirely manual. It is the
mechanism for sending mail to an author of an anonymous note that is
automated.
However, the program that Rich uses for this purpose, DELIVER, can
be easily modified to provide an anonymous posting method. While I
like the added security of Martin's suggestion, I feel that this
level of technology is a bit above what the average noter is willing
to use, but I'd love to see someone write such a thing.
I also believe that the moderators must be able to know the identity
of the author of each note.
Steve
|
563.5 | real names and other responsibility issues | MAY20::MINOW | Je suis marxiste, tendance Groucho | Mon Nov 30 1987 14:54 | 36 |
| re: .2 (and similarly voiced concerns in other responses):
... the moderators
of the conference *must* know who the anonymous noters are.
What happens if someone just creates a persona for 1 note/reply and
then deletes the info about that persona?
The information doesn't exist -- there is no "real" username associated
with a pseudonym. The only human-readable information about a persona
is the pseudonym, and it appears in the database only in its one-way
encrypted form. I would regard multiple personae as a feature, rather
than a bug, by the way.
The problem of trashnote postings would be handled by the moderator either by
-- not registering the notesfile with the anonymous notes database (a potential
posting would be rejected), or
-- registering it as "set new contributions hidden" and deleting without
further discussion anything deemed inappropriate. Note that this inverts
the normal etiquette where notes aren't deleted without discussion and
appeal. By choosing to post under a pseudonym, the individual trades
the normal standards of protection for anonymity.
One problem I don't know how to handle is that of anonymously posted
accusations. I.e., if I post -- through a pseudonym -- the claim that
so-and-so was stealing pencils, and that person objected; an interesting
problem of liability appears. Since anyone with privileged access to a
machine has the potential for anonymous postings now, I can't see that a
publicly available system entails any extra risk. When this problem came
up in a Swedish conference system, the government eventually ruled that
the citizen's right to free speech outweighed the prohibition against
registering "information harmful to personal integrity."
Martin.
|