PGP: sequencing messages

John Drabik pmmail@rpglink.com
Sun, 30 Apr 2000 21:53:25 +0000


On Sun, 30 Apr 2000 13:20:22 -0700, Chris Adams wrote:

>>Simple sequencing won't do....
>
>There's no way to get what you want without sending each message 

Yes, I've come to the same conclusion.   The idea that several people
have given, a unique identifier, has gotten me thinking, and at the
very least, I think there may be a way to examine an outbound message,
see if it is going to the group, and then apply a filter.  It does
involve stepping into the middle of the transmission process, but I
think PMMail / REXX scripts might be able to do the trick.  The
approach I'm working on now is not completely secure, however.  But
it *is* easy for me to detect, and would be difficult for someone
else to notice, I think.

> If you did start including some unique identifier ("To: 
>leak@isp.net"?) in the part of the message which is signed and write a script 
>to sign each message separately, a message would either reveal the recipient 
>or fail the integrity checks. Of course, if they balk at providing digital 
>copies that might be time to point out how trivial it is to forge email and 
>how the only way to prove that you did in fact say something would be to 
>verify the digital signature.

This, I think, is at the heart of a more robust solution - if the
signature is missing, refuse to acknowledge the message because it is
an obvious forgery or tampered message, and state so to the Court. 
Then, indicate to the court whether (or perhaps not, if too heavily
modified), the TRUE content of the message could be ascertained by
demanding the full and unmodified text.  Then, the Plaintiff has to
reveal the source of the message.  Of course, that doesn't stop the
wasted time and money that are characteristics of SLAPP suits.  A
SLAPP isn't designed to uncover truth - it is meant to punish people
for speaking out on matters of public interest.  There are few down
sides for SLAPP Plaintiffs - all they have to do is intimidate and
delay for a few years, and they've "won" by default, because in the
meantime, they can ram-rod whatever they want through the regulatory
process, with little or no opposition (or, by threatening more suits
against anybody else who opposes them).

>If you can't get digital copy, the only thing left is slightly altering the 
>contents of each message for each recipient. This has the best survivability 
>rate but is also by far the most work.

Couldn't scripts do this though?  The recipients list is (rather)
short, so it should be possible to build in some kind of identifiable
signature, and then encrypt the message, and insert a signed message
with BOTH parts (the version of the text modified from the original,
encrypted and "inserted" into the key area, for example (where it
would be difficult to notice - unless you know what to look for), and
the name of the recipient or an index (perhaps in hex, and again,
inserted somewhere into a fixed, identifiable part of the message.) 
I don't know for sure yet - just an idea at this point.

> One approach would be a modified 
>mailing list program that you would send some specially formatted message to 
>containing multiple variants for various bits of text; the list software 
>would assemble a message for each recipient and store a list of which 
>combinations went to which people. This would require you to generate 
>alternate versions for enough blocks of text to produce unique combinations 
>for everyone on the list.

Yes, this is an excellent idea, and in keeping with the scripting
change I've been thinking of.  Kind of a "PP Wizard for E-mail" kind
of approach - but with the #include changing depending on the
recipient, and each recipient broken out of the list.  I could put
the "trigger" in my signature line, so that it invokes the script
properly just by signing the message with the Signature function.

>In theory you could produce some sort of script which could do this sort of 
>thing for you but I'm doubtful it would be good enough to produce real 
>sounding English consistently.

Who says it has to be English?   ;-)

>As a side question, have you contacted the newsmedia and groups like the 
>ACLU? I don't think there's even the slightest chance of getting out of this 
>without a lengthy court battle and it sounds like it'd be well worth getting 
>other people to help fund it.

The local newsmedia has contacted me, and several radio and TV
stations, newspapers, and a magazine have indicated interest in the
case.  So has the ACLU, and a few other "interesting" groups.  The
difficulty is only that one must tread carefully, since you don't
want to compound matters, or step on the judge's toes, for example.

Thanks for the ideas everyone.  I'll keep you posted if I come up
with a usable solution - some of you may need it too, especially if
you're the type who ever, say, speaks to your elected officials, or
otherwise "gets involved".  In the meantime, a suggestion: be VERY
careful who you send e-mail to - you never know how they might be
using it, all the while claiming to be your friend.

John
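
The per-recipient variant scheme discussed in this thread (alternate wordings for blocks of text, one unique combination per recipient, and a stored list of who got which), sketched as an added example that is not part of the original message or of any list software mentioned in it. The template, wordings, addresses and function names are all constructed for illustration.

```python
import itertools
import math

# Constructed sample data: a template with three slots and interchangeable wordings.
TEMPLATE = "{0} Tuesday at the county office. {1} the survey maps. {2}"
VARIANTS = [
    ["The hearing is scheduled for", "The hearing has been set for",
     "They have scheduled the hearing for"],
    ["Please bring", "Remember to bring"],
    ["Call me if anything changes.", "Let me know if anything changes."],
]
RECIPIENTS = ["alice@example.org", "bob@example.org", "carol@example.org",
              "dave@example.org", "erin@example.org"]

def assign_variants(recipients, variants):
    """Build the ledger: each recipient gets a unique tuple of variant indices."""
    if len(set(recipients)) != len(recipients):
        raise ValueError("duplicate recipient")
    if len(recipients) > math.prod(len(v) for v in variants):
        raise ValueError("not enough variant combinations for this list")
    combos = itertools.product(*(range(len(v)) for v in variants))
    return dict(zip(recipients, combos))

def render(template, variants, combo):
    """Assemble one recipient's copy from their combination."""
    return template.format(*(variants[i][c] for i, c in enumerate(combo)))

def normalize(text):
    # Leaked copies are often re-wrapped or retyped; ignore case and whitespace.
    return " ".join(text.lower().split())

def observed_slots(leaked, variants):
    """Per slot, the index of the one variant found in the text, else None."""
    text = normalize(leaked)
    seen = []
    for options in variants:
        hits = [i for i, opt in enumerate(options) if normalize(opt) in text]
        seen.append(hits[0] if len(hits) == 1 else None)
    return seen

def identify(leaked, variants, ledger):
    """Recipients whose combination agrees with every slot seen in the leak."""
    seen = observed_slots(leaked, variants)
    return [r for r, combo in ledger.items()
            if all(s is None or s == c for s, c in zip(seen, combo))]
```

When a leaked excerpt omits a slot, `identify` returns every recipient consistent with the remaining slots rather than a single name.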