The Secret Macintosh - Part 2
(As continued from HackAddict 10 and will be finished in HackAddict 12)

Disappearing Cryptography

Steganography or covert writing, also known as disappearing cryptography or information hiding, was invented by a Benedictine monk, Johannes Trithemius, in the 13th century.

Stego for Macintosh PICT and sound files:
http://www.stego.com
http://www.fqa.com/romana
http://www.best.com.80/~fqa/romana/
e-mail:
machado@fqa.com
machado@glamazon.com
machado@newton.apple.com

Java

Newer still is Romana Machado’s Java-based (rather than platform-based) application, EZStego, available from the URLs above. NB. You will need to be running System 7.6 or Mac OS 8 with Macintosh Runtime for Java (MRJ) to use EZStego:
http://applejava.apple.com/

EZStego is still in the beta testing stage and cannot be downloaded; however, it can be used from the Stego Home Page--not too bad a remailing system.

Hide and Seek

Of course, you can also simply make files invisible on your Mac using ResEdit, MacTools and other applications, but this provides an extremely low level of protection from anyone who knows a few tricks. I suppose it depends on who you have to hide from.

Only slightly more secure than this are the many commercial, shareware and freeware encryption applications available. Most are simple solutions for the blindly naive. I won’t dignify the bad ones by naming them. You can determine this yourself after reading The Snakeoil FAQ listed in the reading list. There may well also be good ones. Not being a professional cryptographer, I personally wouldn’t trust my will to one.

Anonymous Remailers

“I am not a name! I’m a number!” [or a prisoner...]

WHEN FIRST USING ANY REMAIL SERVER, SEND A TEST MESSAGE TO YOURSELF FIRST TO MAKE SURE YOU UNDERSTAND HOW TO USE THE REMAILER AND THAT THE RESULTS MEET YOUR SECURITY REQUIREMENTS. PRACTICE MAKES PERFECT!

REMEMBER: REMAILERS ONLY STRIP OFF YOUR ADDRESS.
IF ANYONE IS MONITORING YOUR MAILBOX YOUR MAIL CAN STILL BE READ IF UNENCRYPTED!

“I would to God thou and I knew where a commodity of good names were to be bought.”
Shakespeare (Henry IV, Part 1)

To avoid electronic links to your e-correspondents, consider using other people’s computers to send your e-mail. In fact, many remailers require that you use an outside computer for your first contact with them. Realise, however, that a PGP-encrypted message tells your recipient in whose name the public key was created. You must first generate a public key using a pseudonym to transact your anonymous business.

Internet cafes, cyberpubs, office services, hotel business centres, all offer e-mail services and charge either by kilobyte or minutes of use; often you can do this for free from offices or computer shops you visit. You can save money by bringing your own diskette of messages, then copying and pasting into e-mail format. This, of course, only works if your external computer uses the same platform, e.g., Mac or PC (see Translation Options below). Direct use may prove to be too expensive or time-consuming, particularly for attachments.

Another simple alternative to remailers is to use one of the free e-mail services on the Web which pay for themselves by advertising.

Yahoo!Mail: http://www.yahoo.com
Rocketmail: http://www.rocketmail.com
HotMail: http://www.hotmail.com
MailCity: http://www.mailcity.com
Netforward: http://www.netforward.com
Net@ddress: http://www.netaddress.com
MailExcite: http://www.mailexcite.com
LycosEmail: http://www.lycos.com
Bigfoot: http://www.bigfoot.com
Mailmasher: http://www.mailmasher.com

All can be totally pseudonymous but let the buyer beware! All have subtle differences to prevent total anonymity such as using your full pseudonym and/or Internet Provider location on outbound mail, not being able to login without setting a cookie or caching your IP locations, dates and times of each login [see Cookies, below].
Be cautious and check first! After creating your new personal details, signing up and logging on at remote locations using Anonymizer below, this approach is quite bulletproof, especially if your communications are encrypted with PGP. Another consideration is longevity; although all these services claim free lifetime e-mail addresses, this is dependent upon the lifetime of the service--check first for number of clients.

Free homepages are even available for your alter-ego:

Geocities: http://www.geocities.com
TownSquare 2000: http://townsquare.usr.com
Tripod: http://www.tripod.com
Angelfire Communications: http://www.angelfire.com
Webspawner: http://www.webspawner.com

All these free e-mail services are located in the USA. While it would be difficult to impossible for any government to perform traffic analysis on these because of sheer numbers, nevertheless, I would be more comfortable with a service outside the US--do readers know of any?

Translation options--Mac Rulez! PC Sux!

At your favourite cyber-pub across town, you've just downloaded your encrypted e-mail onto diskette. But when you plug it in at home, a dialogue box screams, "This disk is unreadable by this Macintosh. Do you want to initialize it?" and offers two option buttons--"Eject" and "Initialize". Initializing, or formatting, a disk simply erases it: your information is gone. The reason for this message, of course, is that you've downloaded from a PC onto a PC diskette. (Oh, no, Mr. Bill!) But salvation is at hand because you're a Mac user. So try this at home:

All PC files are recognizable by their boring, generic icons and names that end in a DOS (Dumb Operating System) suffix, e.g., “.TXT” for text documents and “.DOC” for Microsoft Word documents. Make sure to save your document as text (which translates to the Mac as SimpleText) from your remote PC or save your file as the type you commonly use for text, such as Word 5.1 for Macintosh, and that the DOS suffix is included for each document.
PC Exchange, in Control Panels, and MacLink Plus are translation options installed with the MacOS. These make a PC diskette readable by your Mac and translate a file bearing a DOS suffix to an equivalent Macintosh word processing application. Once your PGP-encrypted PC file becomes legible on your Mac, proceed to decrypt as usual. Can’t do that on a PC! Aren’t you glad we don’t all live in a drab, grey PC world? [And give that file a groovy icon, too!]

Remailer list

Anonymous remailers come and go frequently. Most are free services run by volunteers; even the “commercial” remailers that charge for the service are basically non-profit. You simply cannot set up a system and expect to depend on it. Remailers are a challenge; they work, in part, because of frequent changes, which is beneficial to your security. Although I have compiled the following extensive list of remailers, some or all of them may be gone by the time you read this.

To use remailers most effectively, first download remailer lists from the following:

http://www.publius.net/rlist.html
http://www.cs.berkeley.edu/~raph/remailer-list.html
http://electron.rutgers.edu/~gambino/anon_servers/anonserv.html
http://anon.efga.org/anon/rlist
http://www.stack.nl/~galactus/remailers/index-anon.html
http://kiwi.cs.berkeley.edu/mixmaster-list.html
http://www.stack.nl/~galactus/remailers/index-mix

A few remailers are Web-based; most are accessed through e-mail.

The second step is to download help files for the remailers from the list above that seem most dependable. Some are commercial (that does not necessarily mean more dependable); they usually charge a small amount for an account. Make sure you send them the money in an anonymous fashion--little point in using your own credit card, is there?
Then try your first choice out by sending mail back to your own pseudonymous address, then trying an encrypted message, then an encrypted message with the entire mail headers and message encrypted using the remailer’s public key from their help file.

The third step is to add remailers to the chain (see Remailer Chaining below), trying the above steps one at a time. An excellent descriptive document is Chaining Remailers Help from The MacCryptography FTPSite:
ftp://ftp.erg.ucd.ie/public/macintosh/cryptography/

PUBLIC KEYS FOR REMAILERS ARE AVAILABLE AT
http://kiwi.cs.berkeley.edu/pgpkeys

DOUBLE-BLIND REMAILERS (also called Type 0 remailers or nymservers) provide you a pseudonym, allowing others to reply to your anonymity. These must be configured for your alias first and often require a paid account. Because there is a log kept (encrypted) of pseudonyms and e-mail addresses, nymservers are the easiest to use but possibly the easiest to compromise.

Nymserver remailer help:
http://electron.rutgers.edu/~gambino/anon_servers/Nymservers.txt

Nymserver List:

nymserver config@anon.nymserver.com
Info: http://www.nymserver.com
E-mail: request@anon.nymserver.com

nym config@nym.alias.net
Info: http://www.publius.net/n.a.n.html
http://www.stack.nl/~galactus/remailers/nym.html
E-mail: help@nym.alias.net

weasel config@weasel.owl.de

redneck config@anon.efga.org

AS-Node
Info: http://www.iks-jena.de/mitarb/lutz/anon/as-node.en.html
E-mail: anon@as-node.jena.thur.de Subject: help

mailanon
Info: http://www.mailanon.com

CYPHERPUNK REMAILERS (also called Type-1 remailers) send your mail anonymously but cannot receive and forward incoming mail and replies back to you. Some accept only plaintext headers, others plaintext or encrypted headers, others only encrypted headers and encrypted messages and a few support encrypted reply blocks. Finding out what each remailer requires is largely a process of trial-and-error.

a.
In plaintext (i.e., unencrypted):
-The first non-blank line in the message must start with two colons (::).
-The next line must contain the user-defined header: Request-Remailing-To: [Most will also accept Anon-To: ]
-This must be followed by a blank line.
-Next append your message:

::
Request-Remailing-To:

[body of message]

[Remember: there is no return address for you to receive replies!]

b. Encrypted:
-First, encrypt your message in the public key of the person ultimately receiving the message.
-Then add the remailing header and encrypt it again using the public key for the remailer.

::
Encrypted: PGP

-----BEGIN PGP MESSAGE-----
Version 2.x

[body of PGP message]
-----END PGP MESSAGE-----

Cypherpunk Remailer List:

mix mixmaster@remail.obscura.com
replay remailer@replay.com
Info: http://www.replay.com/remailer/replay.html
jam remailer@cypherpunks.ca
winsock winsock@rigel.cyberpass.net nsock@rigel.cyberpas
[Cypherpunk remailer for, yecchh, Windows; requires software download.]
squirrel mix@squirrel.owl.de
reno middleman@cyberpass.net
cracker remailer@anon.efga.org
bureau42 remailer@bureau42.ml.org
neva remailer@neva.org
valdeez valdeez@juno.com
arrid arrid@juno.com
hera goddesshera@juno.com
htuttle h_tuttle@rigel.cyberpass.net
tea tea@notatla.demon.co.uk
privacy remailer@privacynb.ml.org
htp mixer@htp.org
charm charmquark@juno.com
palnu palnu@juno.com
anonmail anonymailer@juno.com
grit grit_remailer@juno.com

ALPHA REMAILERS

Accept PGP header encryption.

Alpha Remailer List:

cyber alias@alias.cyberpass.net

MIXMASTER REMAILERS

Mixmaster (or Type-2) remailers use Mixmaster 2.03 client software, utilising rsaref cryptography. Mix has not yet been ported to Macintosh, but purports to be more secure than Cypherpunk remailer technology. Until Mixmaster can be used on your Mac, this system will be useful at your remote PC.
Mixmaster remailer list:
http://kiwi.cs.berkeley.edu/mixmaster-list.html
http://www.stack.nl/~galactus/remailers/index-mix

“mix” 28) mixmaster@remail.obscura.com
“replay” 29) remailer@replay.com
Info: http://www.replay.com/remailer/replay.html
“jam” 30) remailer@cypherpunks.ca
“squirrel” 31) mix@squirrel.owl.de
“reno” 32) middleman@cyberpas.net
“cracker” 33) remailer@anon.efga.org
“bureau42” 34) remailer@bureau42.ml.org
“magus” 35) mix@magusnet.com
“lcs” 36) mix@anon.lcs.mit.edu
“medusa” 37) medusa@weasel.owl.de
“mccain” 38) mccain@notatla.demon.co.uk
“tea” 39) tea@notatla.demon.co.uk
“privacy” 40) remailer@privacynb.ml.org
“htp” 39) mixer@htp.org
“xenu” 41) hendersn@zeta.org.au

Remailer Chaining

To minimise any discovery of your real whereabouts, you might want to run anonymous mail through a chain of several remailers:

::
Request-Remailing-To:

[body of message]
[always end with a period.]

::
Request-Remailing-To:

[body of message]
[always end with a period.]

::
Request-Remailing-To: , etc.

The same process can also be accomplished in the PGP-encrypted format above following the same steps. Each remailer has slightly different protocols so a little experimentation may be necessary. Of course, e-mail yourself a test message before using.

Anonymous remailers are voluntary organisations and so they do come and go, sysops have to move, equipment must be serviced, modems get hung, etc. Try a simple system, keep a record of what you did and send a test message into the aether. Accept that it will take a little time to learn this and become comfortable with it. As you achieve successful results, increase your levels of security using the same process.

The renowned and long-lived privacy guardian anon.penet.fi, the first Type 0 remailer, was the most simple to use and the easiest to compromise; double-blind remailers using a somewhat more sophisticated technology are better.
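The chaining layout above, as an added example that is not part of the original article: Python code that nests plaintext Type-1 headers and then peels them one layer at a time, the way each remailer in the chain would. The addresses are constructed placeholders and the nesting of each layer inside the previous payload is an assumption; nothing is encrypted here, so the trace shows that in a plaintext chain the first remailer can read the final recipient, which is the reason for encrypting each layer to its remailer's key in the PGP form.

```python
# Added example, not from the original article. Addresses are constructed
# placeholders; the nesting of layers is an assumption about the template.
HEADERS = ("request-remailing-to", "anon-to")

def wrap(next_hop, payload):
    """One Type-1 layer: '::', the remailing header, a blank line, payload."""
    return f"::\nRequest-Remailing-To: {next_hop}\n\n{payload}"

def build_chain(hops, recipient, body):
    """Nest one layer per remailer; returns (first remailer, message for it)."""
    if not hops:
        raise ValueError("need at least one remailer")
    message = body
    # Innermost layer names the recipient; each outer layer names the next hop.
    for target in reversed(list(hops[1:]) + [recipient]):
        message = wrap(target, message)
    return hops[0], message

def peel(message):
    """What one remailer does: parse its layer, return (forward_to, payload)."""
    lines = message.lstrip("\n").split("\n")
    if len(lines) < 3 or lines[0].strip() != "::":
        raise ValueError("first non-blank line must be '::'")
    name, _, value = lines[1].partition(":")
    if name.strip().lower() not in HEADERS or not value.strip():
        raise ValueError("missing Request-Remailing-To / Anon-To address")
    if lines[2].strip():
        raise ValueError("header must be followed by a blank line")
    return value.strip(), "\n".join(lines[3:])

def trace(first_hop, message):
    """Follow the chain; record (holder, forwards_to, text the holder reads)."""
    holder, seen = first_hop, []
    while message.lstrip("\n").startswith("::"):
        forward_to, payload = peel(message)
        seen.append((holder, forward_to, message))
        holder, message = forward_to, payload
    return seen, holder, message

if __name__ == "__main__":
    chain = ["remailer-a@example.invalid", "remailer-b@example.invalid"]
    first, msg = build_chain(chain, "friend@example.invalid", "Test message.\n")
    seen, final, body = trace(first, msg)
    for holder, forward_to, text in seen:
        leak = "friend@example.invalid" in text
        print(f"{holder} -> {forward_to}; recipient visible: {leak}")
    print(f"delivered to {final}: {body!r}")
```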
Certainly foreign remailers are safer than those based in the USA because of the volatile state of Amerikan politics and laws. Cypherpunks remailers are somewhat more secure but you mostly cannot receive replies through them. These remailers are also subject to a timing attack; i.e., your system can be monitored by the times you log on and then the forwarding times and even the file sizes can be correlated even if your headers and messages are encrypted. Alpha remailers are the fewest and they’re more complicated to learn; nevertheless they offer the security of batching messages for forwarding and padding them with random garbage. Mixmaster is the cutting edge of remailer technology and it may even be the most secure. Don’t get too frustrated: make trying all these systems an enjoyable learning experience.

The addresses you send to from your mailbox can, of course, still be monitored, so it’s important for your secret friends to have their own anonymous addresses.

A remailer chain is only as secure as its weakest link so it is always safest to run e-mail through several remailers. Chainmail is a Mac application that may make all this easier for you:
http://nately.ucsd.edu/~loki/Chain.html
http://www.oberlin.edu/~brchkind/home/

An extremely useful document about remailers in general and chaining remailers specifically is Chaining Remailers Help from The MacCryptography FTPSite:
ftp://ftp.erg.ucd.ie/public/macintosh/cryptography/

The latest development on the remailer front lines encrypts using Java:
http://www.ozemail.com.au/~geoffk/anon/anon.html

and the most promising, called an Eternity Server, functions like spies placing classified ads. Instead the messages are posted to Usenet where they only make sense to your intended recipient!
Check out:
http://www.replay.com/aba/eternity/

REMAILER INFORMATION VIA E-MAIL

Use “remailer-help”, “info” or “help” in subject line and/or in message body:

help@nym.alias.net
remailer@cypherpunks.ca
help@weasel.owl.de
remailer@remailer.nl.com
anon@as-node.jena.thur.de
privacy@interlink-bbs.com

INTERNET ADDRESSES FOR REMAILER INFORMATION

The Cypherpunks Remailer Page:
ftp://ftp.csua.berkeley.edu/pub/cypherpunksHome.html
http://www.stack.urc.tue.nl/~galactus/remailers/index-cpunk.html

Send anonymous mail from your Web client:
http://www.mailanon.com

Remailer list:
http://www.publius.net/rlist.html
http://www.cs.berkeley.edu/~raph/remailer-list.html
http://anon.efga.org/anon/rlist
http://www.stack.nl/~galactus/remailers/index-anon.html
http://kiwi.cs.berkeley.edu/mixmaster-list.html
http://www.stack.nl/~galactus/remailers/index-mix

PGP Keys for anonymous remailers:
http://kiwi.cs.berkeley.edu/pgpkeys

Usenet: alt.privacy.anon-server
http://www.sabotage.org/~don/mail2news.html

REMAILER HELP

http://electron.rutgers.edu/~gambino/anon_servers/anon.html

Nymserver remailer help:
http://electron.rutgers.edu/~gambino/anon_servers/Nymservers.txt

Vox remailer help:
http://electron.rutgers.edu/~gambino/anon_servers/vox.html
http://www.cs.berkeley.edu/~raph/vox.html

Usura remailer help:
http://www.replay.com/people/usura/
http://www.xs4all.nl/~usura/
http://www.cs.berkeley.edu/~raph/usura.html

Soda remailer help:
http://electron.rutgers.edu/~gambino/anon_servers/soda_rem.html
http://www.cs.berkeley.edu/~raph/soda-remailer.html
E-mail: remailer@soda.csua.berkeley.edu Subject: remailer-info

Kaiwan remailer help:
http://www.cs.berkeley.edu/~raph/kaiwan.html

Shinobi remailer help:
http://www.ee.siue.edu/~avankla/mix.help.html
E-mail: remailer@shinobi.alias.net

Part 2 of 3 - CJ

If you wish to contact CJ, all e-mail may be routed to: weasel@yatho.com