-----BEGIN PGP SIGNED MESSAGE----- In article <199406300128.SAA25746@jobe.shell.portal.com> you write:
standpoint. Hitting a remailer at a slack time when, let's say, only one message arrives over a period of several hours would seem most unwise.
This is what junk messages are for. A good remailer should mail out random packets at random times 24 hrs a day, only some of which would contain valid messages. Making the sender of the message try to time its delivery to a "busy" time would be silly.
Can someone familiar with remailer software answer something? When a message is encrypted, using the "Encrypted: PGP" header, will everything after the end of the encrypted message itself be ignored? I ask, because this seems like a good place to introduce "padding" into the message length to thwart detection of identical messages, assuming that such extraneous material wouldn't screw something up.
Another thing that a good remailer should do, randomly pad messages that it sends out. I don't know if any of the current crop actually do this though.
What's the best strategy for utilizing a given group of remailers in a chain? Which ones would be most advantageous as the FIRST link in the chain, since this is the one link that has direct address to the originator's address.
I can't really think of any criteria. It doesn't matter if the first remailer knows your address or even if they decide to tell the NSA you're using their remailer - as long as the other remailers ( or most of them anyways ) aren't compromised, it should still be very hard to trace any given message.
Let's say that a message traveled down the chain A -> B -> C. Couldn't someone with enough clout ask "C" where a certain message (based on header data) originated, find out it was relayed by "B", ask "B" for the source, etc. and trace it all the way back to the source? What, if anything, would prevent that?
Absolutely nothing. If a message passes through x number of people, and everyone of those people are working for the government/intimitdated by the government - nothing on this earth will keep your identity secret. Think about it. This is another reason we should have *lots* of remailers - not only does the difficulty in traffic analysis increase, but if one or more remailers is compromised (read: bribed/threatened etc), you should still be ok.
military secrets. IOW, a scenario where powerful agencies are motivated enough to invest considerable resources in tracking the culprit down.
There is a possibility they are still sunk - we don't know what they know, so they might know something we don't know - you know? But... if most (I don't know how many or what percentage) of the remailers were secure (not compromised/working for the gov't) when the messages were sent and they kept *no* logs, even going so far as to wipe from memory and disk any trace of incoming and outgoing messages, then the problem the gov't agencies face is not a problem of "clout" - it is a problem of cryptanalysis. The only way, at this point, to find the sender is to start decrypting messages send to/from remailers (the gov't would have had to capture them previously or they would be gone now) and track what messages went where. This brings up another point, even if the remailers aren't/weren't compromised, they *do* have the secret keys that the message was encrypted with along each hop, so theoretically, unless every remailer operator wiped his secret key immediately after such an event, the government could tap/bribe/intimidate/rubber-hose its way to the remailer's secret key and track the sender (with its previously tapped messages to and from every remailer) long after the event. Perhaps remailers should get in the habit of changing keys often or automatically. If you wanted, you could "subscribe" to a remailer to use it, and it would send you a new key say, every 24 hours. Perhaps there could be another key for casual users who can't be bothered.
While we might agree that in those two cases, the persons deserve to be caught, what's to prevent a President or other highly placed federal bureaucrat from MISusing those same resources on something less critical, such as tracking down and persecuting someone who anonymously posts "Clinton is a prick" or "Clipper sucks"?
Nothing at all.. unless you can code PGE - Pretty Good Ethics and get the Gov't to use it. - -- Baba baby mama shaggy papa baba bro baba rock a shaggy baba sister shag saggy hey doc baba baby shaggy hey baba can you dig it baba baba E7 E3 90 7E 16 2E F3 45 * 28 24 2E C6 03 02 37 5C Stuart Smith <stu@nemesis.wimsey.com> -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAgUBLhLdu6i5iP4JtEWBAQEoDwP9GneWXsrTVWAanvOYY/NahfDeq9vLBzMw pwdxzm7rBvFNCq25YX6bsxo5i7h6BMyQT8SRJ4hcuOQ3kXxU9DCrm8aKfMcyjNme 4hMBsnQL3Gt9sAQomZcyHSAqitI+H8PcTQ/GbY2q2wZWfBHIzIM0sPmkru6/KFAX PtNH+B2G47g= =lI+K -----END PGP SIGNATURE-----