Category Archives: Security

Mail Return Addresses, Not Required

One of the toughest problems in Internet security is attribution. The distributed and decentralized system allows traffic to come from virtually anywhere, and it is impossible to know a packet’s true origin. Every so often I hear a suggestion that users of the Internet should have to register themselves in order to send traffic.

The Yemen package bomb brought this into focus for me again, but in terms of physical security. Maybe the physical world will give perspective on the problem. Does a Post Office require a return address on mail and does this provide any real security? I found conflicting answers online and no official policy.

Take the statement in “A Customer’s Guide to Mailing” dmm100.pdf, available on USPS.gov, for example:

Return Address: A return address is required on most mail.

I find that unclear. In other words, some mail is allowed without a return address.

I want to know what mail is allowed to be sent anonymously and what will be turned down (not to mention the question of why).

Set aside the risk of a lost or destroyed package. I know it is higher (a receiver may not exist, or some receivers have a policy to destroy anything without a return address) but will the US Post Office still attempt to deliver some mail to an address without any return address?

I decided to test the policy in person to find out more; I walked into my local Post Office with a package to mail.

It turns out postal workers are trained to check for a return address and demand one, despite the point above. The woman behind the counter carefully checked a package I handed to her and then told me it was a requirement to put on my return address.

“I read your ‘Customer Guide to Mailing’ and it did not say it is required,” I protested, trying to conjure up a voice of innocent inquiry.

“Required,” she fired back with an impatient tone and blank stare.

“Is not.” I thought maybe she preferred brief conversation.

“Put your address on or I will not accept the package,” she said as she inhaled and exhaled a deep breath, like making a sigh while speaking. I could see I was not getting anywhere.

“Will not or can not? I am as certain as all the junk mail you deliver every week to my mailbox without return addresses that you can accept it. Can you show me a policy in writing that says you can not accept it?”

She disappeared from the counter almost immediately. Thirty minutes later, no exaggeration, after the entire neighborhood had come and gone through the “wait here” line, she came back with a piece of paper in her hand. The paper had a big blue marker circle in the middle and a star on the side to emphasize a paragraph next to number 1.2.

Domestic Mail Manual – Updated 10-4-10
Retail Mail: Priority Mail Preparation
125.1.2
125 Mail Preparation
1.2 Required Use
The sender’s domestic return address must appear legibly on Priority Mail.

The words Priority Mail were underlined several times by the same blue marker.

“I see,” I said, feeling a bit deflated, “but I do not want to send my package Priority Mail.”

“You are using a Priority Mail package,” she pointed out with a smirk. “You can buy a different box or put it inside an envelope. If you put it inside an envelope it will cost $4.95 to mail. Anything over five ounces also requires a return address.”

At this point I was tempted to shift the inquiry and put my Post Office address as the return address to make a point about authenticity (it is where I was mailing from), but instead I decided to repeat the test.

I now know that Priority Mail may force you to give a return address, but you can ship regular mail without one. I went a block away, almost next door, to a private mail store and started over. They offered UPS, FedEx and USPS. I handed the box to the man behind the counter and said I wanted to mail it for $4.95 or less.

“No problem!” he said enthusiastically. “Fill out this ‘To’ sticker. I’ll wrap it in paper and then send it regular mail. That will be $3.60 for USPS.” He then wrapped it in plain paper, placed the address sticker on and stamped it in front of me.

Done. No hassle, no return address. It was delivered only a couple days later, same as Priority Mail.

Regular mail does not require a return address. We thus pay for “Priority Mail” in more ways than one. I find it interesting that the option to upgrade service has led the Post Office to require attribution. I have also seen this recently in wireless networks where you can get faster service only if you agree to pay an extra fee and provide identity information. The parallels are probably not a coincidence. Neither system seems to require proof that the information is real, just that you have more information for them to record.

Frugal Car Race: Bristol to London

The BBC covers an amusing competition of automobile efficiency:

Around midday the cars arrive at the Royal Automobile Club in London’s Pall Mall to have their energy consumption measured.

Many of the drivers are stunned to learn how little energy they have consumed.

Exact data that compares the participants’ performance will only be released by the organisers towards the end of this week, but it seems clear that few, if any, of the cars taking part have used more than a gallon of diesel, or equivalent amounts of electricity.

The fuel bill for the winner of the conventional combustion energy category, for instance – a BMW 320D – comes in at £3.66 – which seems good value given that it has carried four adults and TV equipment much of the way.

“An event like this is much more like the real world than the official tests the car manufacturers use,” says David Ward, director general of the FIA Foundation and BBC News’ fellow driver of the car, which consumed just three litres (about two-thirds of a gallon) of diesel to cover the distance.

That sounds to me like they used two-thirds of a gallon of diesel for four adults and equipment traveling about 100 miles…in a BMW.

W00t! Meanwhile in America…

Cadillac postpones using efficient diesel engines (even though it would be an easy conversion) while their gas-guzzling antiques (10 mpg!) somehow manage to find buyers:

Cadillac continued to gain strength in the U.S. luxury auto market, posting a total of 12,620 sales in September. This is an 11 percent increase from a year ago, and the eighth consecutive month of year-over-year sales gains for the brand. For the third quarter of 2010, total sales were up 65 percent over 2009.

As a result, Cadillac continues to be the fastest-growing luxury brand in the U.S. Calendar year to date, Cadillac sales are up 44 percent and the brand has gained more than 2 percentage points of market share in the luxury segment.

Congrats to Cadillac on recovery and strong sales but is it really that much to ask for an engine with same or better performance but three times more efficiency and none of the pollution? Other companies can do it. What’s the hold-up?

NIST announces Koala project

The NIST Information Technology Laboratory complex information systems group has started to discuss a new cloud computing model simulation meant to discover and characterize infrastructure “resource allocation algorithms”.

They call it the “Koala project” in a recent presentation and will publish “initial project findings” early next year. They also soon will provide draft use cases as part of their Standards Acceleration to Jumpstart Adoption of Cloud Computing (SAJACC).

Updated to add: I found the use cases online here:

5. Cloud Security Use Cases
5.1 Identity Management – User Account Provisioning
5.2 Identity Management – User Authentication in the Cloud
5.3 Identity Management – Data Access Authorization Policy Management in the Cloud
5.4 Identity Management – User Credential Synchronization Between Enterprises and the Cloud
5.5 eDiscovery
5.6 Security Monitoring
5.7 Sharing of Access to Data in a Cloud

Police Hand Out Cannabis Scratch-n-Sniff

The Dutch authorities have started a campaign with sniff cards to help find cannabis plantations:

When scratched the card reveals its scent as well as a police number people can call if they suspect that a neighbour grows marijuana on a large scale.

The card also lists other indicators of urban cannabis cultivation, such as the buzzing sound of ventilators, suspicious connections to electricity supply points and curtains that are kept closed.

Citizens are told to fear the physical risks of cannabis farming and turn them in for purposes of public safety.

Dutch authorities say that the plantations are a hazard, claiming they can cause fires or accidents because of the cables and lamps needed to maintain a cultivation temperature of 27C [80F].

Authorities believe that there are 40,000 illegal cannabis plantations in the Netherlands hidden away in attics, apartments and warehouses.

Wow. 40,000 plantations? If they are going to call this a risky business, prone to fires or accidents, shouldn’t they also release the percentage of failures from bad plantations? I do not see any examples. Given 40,000 plantations running at a risk level of X, the police could also compare it to other agriculture with a risk level of Y…but something tells me they just want the stated harm to be taken for granted and not debated.

The temperature of 80F, for example, is a point of data that can be verified easily.

A quick search finds that growers recommend 68F to 78F during the day and 53F to 63F at night. Still warm, but far from any risk of fire. Those temperatures are close to residential norms.

It occurs to me that police are perhaps admitting they are not able to detect plantations. Drawn curtains are foiling their best high-tech helicopters and elite troops. Maybe a neighbor reporting a risk gives special legal authority to enter a home? They just have to convince the public of a problem worth solving.

Perhaps instead the police could lead a campaign on proper electrical wiring and lighting to prevent fire or accidents. That would not only reduce the risk for cannabis plantations (wrong problem solved?) but help out every other industry and home as well. They could even subsidize low-risk heating solutions like solar and radiant flooring. It might not be as amusing and creative as the sniff tests, but it would probably produce better overall results in terms of public safety.