On Wed, 12 Dec 2001, Faustine wrote:
I don't know, how about traffic analysis?
Yes, but see my previous post.
Exploiting (publicly) undisclosed holes in the remailer software?
Same problem as traffic analysis if you are talking about compromising the remailer. Doesn't work after the fact. (Plus, the risk of detection is certainly non-zero.) If you're talking about exploiting flaws in the remailer message encryption or in the mix-net protocol, that would work, but also would rely upon having remailer traffic be intercepted and collected for later analysis.
Good old-fashioned deception isn't exactly rocket science, either. How about suckering people into routing traffic through an ever-increasing number of corrupt nodes, either by: 1) running them covertly 2) buying off "trusted
Stats manipulation has been discussed before. (LEAs run remailers, and then ensure that their remailers are at the top of the stats pages, either by falsifying stats or causing legitimate remailers to sink lower on the stats than LEA remailers.) Another half-decent attack if planned in advance.
pillars of the crypto community" and trading on their reputation capital? A sobering thought.
I'm not skeptical as to how effective that would be. Look at all the times that Phil Zimmermann has been accused of being in bed with the Government. I'm not sure there are any "trusted pillars of the crypto community".
Or how about this one: enticing people interested in developing cryptography into a closed system based in Canada (international, so using full-blown Echelon technology against it isn't a problem)
Except for the pesky fact that the NSA can't spy on US citizens, even if they're in Canada. (Exceptions can be made, but the hoops become higher and more numerous than a simple FBI investigation.)
offering "secure" messaging, file storage, sharing and transmission etc. while promising them the moon about being a no-compromise information-haven phuck-the-state all-your-eggs-in-one-basket crypto system?
Oh wait, it's called CryptoHeaven. Nevermind.
Yes, well. My thoughts on CryptoHeaven are already on the record on this list.
Not that I'm claiming the first thing about them--it's just that if I were trying to come up with a way to gather information on people interested in developing privacy and cryptography technology, setting up a compromised CryptoHeaven-like system on behalf of the United States Government would be IDEAL. Or at the very least, inserting some bad actors into the system to root up the vulnerabilities couldn't hurt. Not to mention cultivating "trusted insider" informants.
Smells like entrapment, though. -MW-