Just Some Guy's Journal: Authenticated anonymity on Slashdot

Want to post anonymously but verifiably? That is, do you want to be able to say things that you don't want traceable back to yourself, but you do want interested parties to be able to verify that multiple posts originate from the same person?

Right now, Anonymous Coward (AC) posts are stored without any identifying information. This means that while you may divulge some important information, another person can reply to your post, claiming to be you, and contradict your statements. Example:

You: I have proof that my company is making toxic waste.

Reply from twit: And no matter what you hear, I was not fired from my last job for making false accusations!

With common software, preventing this is almost trivially easy. The idea is to post as an AC but always sign your messages with the same GPG ID. The advantage is that you can still be an AC when it's important, but interested observers can verify whether a given set of posts comes from you.

If you want to do this, here's how:

  1. Generate a GPG key.
  2. Submit your key to a public keyserver.
  3. Write your Slashdot text in an external editor.
  4. Sign the post with your "anonymous" key.
  5. Use <ecode> tags to encapsulate your signed message.
  6. For added obscurity, add "no-version" to your gpg.conf file so that your signatures don't carry GPG's version string. If you're using GPG on Linux, that string may not narrow the field of candidates too much. If you hand-compiled it on your TI-85 calculator, and you've explained to your boss in great detail how cool it is to run crypto on your calculator, then it may reveal more information than you want.
  7. Be sure to click the "Post Anonymously" checkbox!

Now people interested in such things can verify that all of your posts originate from the same person, even though they can't determine who that person is.
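
The steps above as shell functions, together with the reader-side check, as an added example that is not part of the original journal entry. The function names, the pseudonym argument and the keyserver URL are hypothetical, and it assumes GnuPG 2.1 or later, where the option that omits the version header is named `no-emit-version`.

```bash
#!/usr/bin/env bash
# Added example. Function names, the pseudonym and the keyserver URL are hypothetical.

# Steps 1 and 6: create the pseudonymous key in a throwaway keyring, kept apart
# from your real keys so the wrong identity cannot sign by accident.
ac_init() {    # $1 = pseudonym (put nothing identifying in it)
  GNUPGHOME=$(mktemp -d) || return 1
  export GNUPGHOME
  chmod 700 "$GNUPGHOME"
  # GnuPG 2.x name for the option that drops the "Version:" armor header.
  echo 'no-emit-version' > "$GNUPGHOME/gpg.conf"
  gpg --batch --quiet --passphrase '' --quick-generate-key "$1" default default never
}

# Fingerprint of the pseudonymous key; this is what readers compare across posts.
ac_fingerprint() {    # $1 = pseudonym
  gpg --batch --with-colons --list-keys "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Step 2: publish the public key (needs network access).
ac_publish() {    # $1 = fingerprint, $2 = keyserver URL such as hkps://keyserver.example
  gpg --batch --keyserver "$2" --send-keys "$1"
}

# Steps 4 and 5: clearsign a post file and wrap it in <ecode> for pasting.
ac_sign() {    # $1 = pseudonym, $2 = file holding the post text
  printf '<ecode>\n%s\n</ecode>\n' "$(gpg --batch --local-user "$1" --clearsign --output - "$2")"
}

# Reader side: strip the <ecode> wrapper and print the fingerprint of the key that
# made a valid signature; prints nothing if the text was altered or is unsigned.
# A real reader would first import the public key from the keyserver.
ac_signer() {    # $1 = file holding the pasted post
  sed -e '/^<\/*ecode>$/d' "$1" |
    gpg --batch --status-fd 1 --verify 2>/dev/null |
    awk '$2 == "VALIDSIG" { print $3 }'
}
```

Two posts belong to the same pseudonym when `ac_signer` prints the same fingerprint for both; an empty result means the post proves nothing about its author.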

This isn't exactly a brilliant invention on my part; all of the pieces already existed in usable form. However, I've never seen anyone actually do this, and I thought it might be a useful idea for someone.

Caveats:

  • Assume that your IP is logged by Slashdot and the public keyserver and available to whomever you're trying to hide from by posting as an Anonymous Coward.
  • Be darn sure that you remember to check the "Post Anonymously" box or your cover is definitely blown in a big way; the people you're hiding from can now trace a whole batch of incriminating posts back to you. For example, when I first tested the idea, I made that mistake and forever ruined a key with a clever name (IMHO).
  • This method can't prove that a post did not come from you. In the example above where an anonymous twit is trying to negate your statements, your best course of action is to post a signed reply to him stating that the reply post was not from you.

A Note To Slashdot Editors

I'm not writing this to be a pain in the butt, honest - this seems like a legitimate need that I think needed to be addressed. This specific implementation relies on the idea of <ecode> tags keeping the contents in pristine condition. If people start using this, please don't change ecode's functionality so that old signed posts are broken.

A giant extra helping of karma to the authors if you add code to detect signed messages, keep a list of key IDs that've been used, assign a serial number to each one, and print that serial number in the message header of each signed message. Then, casual visitors could see that a string of messages were all signed by "Slashdot authed AC #243", although responsibility for actual verification would still lie with interested end-users.

Comments:
  • This method can't prove that a post did not come from you. In the example above where an anonymous twit is trying to negate your statements, your best course of action is to post a signed reply to him stating that the reply post was not from you.

    With this method shouldn't unsigned messages be assumed not to come from the claimant?
    • With this method shouldn't unsigned messages be assumed not to come from the claimant?

      Yes, they should - but unless the idea becomes very widely used and visitors grow accustomed to seeing signed posts, a lot of visitors may not make that logical leap. That's why I'd suggest explicitly denying all falsely attributed posts:

      <sig>

      You: I have proof that my company is making toxic waste.</sig>

      Reply from twit: And no matter what you hear, I was not fired from my last job for making false accu
