
...
A few rules of thumb result from even cursory examination of the likely environment:
...
5. Ultimately, the only way the remailers will provide what might be described as Pretty Good Security will be when we have software that maintains a regular or random rate of messages to and from the remailer cloud, a stream into which the meaningful messages can be inserted with no visible change in traffic. Until then, the best we can do is try to keep traffic levels up, and to send and receive frequently enough to frustrate end-to-end traffic analysis.
Well, the existing remailer net doesn't make "Pretty Good" anonymity very feasible. I'd think something based on the general idea behind Crowds. (Furthermore, most remailer structures still can't erase some other security concerns -- 1: remailers actually can be hacked or physically compromised 2: clients really can be screwed 3: etc. To help solve the first, you'd want a two-box setup doing remailing, with the security-critical stuff loaded on a box not directly connected to the Net with something 140-1ish to make tampering harder, a secure OS, etc. -- or, of course, you can scrap all that to get really big remailer count. To help solve the second problem, there needs to be a better web-of-trust setup -- that is, one which applies to code as well as keys. Those who wish to verify code get a .sig-verifying program from a trusted source then use a WoT to authenticate various facets of the program necessary for security. A solution to the third problem is expected RSN.)
6. Don't send anything that can have grave consequences.
Remember the consequences to an adversary who uses its secret decoder ring, though: the more plausible it becomes that a certain source is being used for intelligence-gathering, the more likely it is that that source will promptly begin to run dry as the spied-upon realize that Something Got Broke. My advice, however, agrees with that of the other Anonymous. That is, unless you've really thought things out, think of a remailed message as merely .sigless, not anonymous.
7. Take names. Always take names. Some day...
FUDBusterMonger
It Ain't FUD til I SAY it's FUD!
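
The constant-rate stream described in rule 5, as an added sketch that is not part of the original posts: a sender emits one fixed-size packet per time slot and substitutes a queued real message for the dummy when one is ready. The slot length, packet size, header layout and all function names are assumptions made for illustration, and encryption of each packet to the remailer is assumed but not implemented here.

```python
import os
from collections import deque

SLOT_SECONDS = 600   # assumed: one packet every 10 minutes
PACKET_SIZE = 1024   # assumed: every packet on the wire has this size
HEADER = 3           # 1 flag byte + 2 length bytes (hidden by encryption in practice)

def make_packet(payload):
    """Build a fixed-size packet; payload=None yields a dummy of the same size."""
    body = payload or b""
    if len(body) > PACKET_SIZE - HEADER:
        # An oversized message would need splitting across slots; sending it
        # as-is would change the packet size and make it stand out.
        raise ValueError("payload exceeds one slot; split it first")
    flag = b"\x01" if payload is not None else b"\x00"
    header = flag + len(body).to_bytes(2, "big")
    padding = os.urandom(PACKET_SIZE - HEADER - len(body))
    return header + body + padding

def schedule(real_messages, slots):
    """real_messages: list of (ready_time_seconds, payload).
    Returns [(send_time, packet, is_real)] with exactly one packet per slot."""
    queue = deque(sorted(real_messages))
    sent = []
    for i in range(slots):
        t = i * SLOT_SECONDS
        if queue and queue[0][0] <= t:
            _, payload = queue.popleft()
            sent.append((t, make_packet(payload), True))
        else:
            sent.append((t, make_packet(None), False))
    return sent

def wire_view(sent):
    """What a passive observer of the link sees: timing and size only."""
    return [(t, len(pkt)) for t, pkt, _ in sent]

if __name__ == "__main__":
    # Constructed sample input: two short messages that become ready mid-stream.
    msgs = [(650, b"meet at noon"), (700, b"second note")]
    idle = schedule([], 6)
    busy = schedule(msgs, 6)
    print("observer sees identical traffic:", wire_view(idle) == wire_view(busy))
    print("real messages left at:", [t for t, _, real in busy if real])
```

The cost is latency: a real message waits for the next free slot, so the slot interval trades delay against bandwidth spent on dummies.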