March 10, 2008
—
CSO
—
By Fred Hapgood
In the mid-1990s a device appeared called the anonymizer. As the name suggests, this service allowed you to request files without disclosing your IP address. You would send the request to the anonymizer with the desired To: address tucked away on another field; it would strip out your address from the Reply field, replace it with its own, swap in the address of the destination server and send the request on. When the requested file was received, it would reverse the actions and (in theory) erase all evidence of the transaction, keeping your IP address a secret forever. Arbitrarily high degrees of security could be achieved by daisy-chaining two or more anonymizers.
When anonymizers appeared they were embraced as a pure good—a tool that defended against identity theft scams and allowed citizens suffering under oppressive regimes to use the Internet without fear, advancing human rights and the cause of progress. Among other considerations, in a world where data-retention policies were spreading and prosecutors in jurisdictions around the world seemed increasingly likely to file charges against foreign citizens for violating local ordinances, anonymization seemed only prudent. In time, distribution broke along the usual lines: open-source solutions, led by a program called TOR backed by the Electronic Freedom Foundation, and a proprietary segment of the industry, dominated by Anonymizer.com (which, given its name, prefers the term “non-attribution solutions”).
After a few years, however, a new side to the technology emerged, one that wasn’t quite so pure. “Non-attribution solutions” started to be used to spread worms and spam. People on blacklists for any reason—both good and bad—discovered that they could use the tools to evade detection. And employees found that anonymizers allowed them to surf the Internet freely at work, without their activities being detected or blocked by monitoring and control procedures. Some of these tools do, after all, make sense. According to sextracker.com, most porn traffic occurs during work hours. (To learn more about web monitoring, see CSO’s in-depth story "Keystroke Cops.")
All these more problematic usages have triggered a counter-industry and created something of an arms race between the anonymizers and the anti-anonymizers. One of the first anti-anonymizer ideas was to maintain a blacklist of the proxy sites and block requests from those sites. That worked for a while, but then the “non-attribution” sites just started changing their IP addresses, and their numbers grew out of control. (There might be
Data Center Directions Virtual Conference
Attend this free, 100% online event exploring tools and techniques for making your data center deliver for today and tomorrow.
The Surest Path to Effective and Efficient Compliance
In this webcast, we explore why and how — with best practices, practical tips and solutions that work — to ease your compliance challenge.
Prudential Financial Protects its Brand with Symantec Data Loss Prevention Solutions
FORTUNE 100 insurance leaders rely on Symantec.Information Security: Data Drains and How to Prevent Loss
Do you know where your confidential data is?Data Loss Prevention: Keeping Sensitive Data Out of the Wrong Hands
Learn what the thought-leaders at PricewaterhouseCoopers have to say.7 Requirements of Data Loss Prevention
Incorporate best practices from many companies using DLP solutions.Ponemon Study: How Much Does a Data Breach "Cost"?
35 U.S. organizations that lost confidential information and had a regulatory requirement to publicly notify affected individuals are studied in this report.
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
Data Loss Prevention
-
November 13, 2008The Roosevelt HotelRegister now »
New York, NY 10017
(ISC)2 members can earn up to 6 CPE Credits
Reference priority code ONLINE and attend this program as our guest — that's a $295 savings!
