On Sat, Dec 22, 2001 at 01:12:02PM -0800, Tim May wrote: | On Saturday, December 22, 2001, at 11:29 AM, Adam Shostack wrote: | | > On Fri, Dec 21, 2001 at 01:21:27PM -0800, Len Sassaman wrote: | > | | > | In conclusion, I leave you with a question: if remailer users are | > reduced | > | to a small number of high-paying remailer customers for whom | > anonymity is | > | not a game, but a matter of life or death, could a mix-net be made to | > | provide any sufficient degree of security? "No" is the easy answer. | > Say | > | yes, and prove it. | > | > No. If your anonymity set is small, then using the system calls | > attention to you, and your adversary can simply attack all the users | > with physical layer attacks (bugged keyboards, video cameras in | > ceilings, tempest, etc.). Further, if the user set is small you're | > probably more concerned with unobservability than with unlinkability | > or untracability. | | | Likewise, if only a small number of people are using Swiss banks, or Yap | stone wheels, or nearly any other particular financial instrument then | the anonymity set is too small. It's not too hard to know who is | spending that Yap stone wheel. Yes, but I found it suprising to realize that the number of people who need to use a Swiss bank for it to be private is much smaller than the number who use a remailer. (In addition, Swiss banks have natural cover traffic provided by the ever-efficient local Swiss.) Survielling a bank is more expensive than a remailer, and a bank will not tend to have an 'upstream ISP' where all patrons of the bank, wearing tags, can be identified. | I say "nearly" because gold, say, has some nice physical properties | which things like currency notes, bank accounts, diamonds, etc. don't | have: gold can be melted and all traces of origin lost, save for some | expensive tinkering with isotopic ratios, maybe. Note that I am not | advocating gold, and especially not E-Gold, just noting facts.) | | A lot of the complaints we see about cryptographic implementations of | things are also echoed in the real world. It's unreasonable to expect | crypto to solve all problems. To emphasize this point: When we hear | about limitations on the privacy of remailers or digital cash | implementations, we should think about comparable situations with | ordinary mail, ordinary currency, etc. A lot of systems seemingly fail! | The fact that we continue to use them, because they are embedded in a | larger system (of reputations, ontological speed bumps, etc.) tells us | that crypto is only a part of the overall picture. Too many crypto folks | find flaws and declare the whole approach dead. This is absolutely correct, and Ryan's points about latency mattering a great deal to users are also bang-on. | On Len's earlier point, DC Nets are the answer. The 1992 design for | "envelopes within envelopes remailers" is just the 1981 Chaumian | untraceable e-mail. He knew even then that it was subject to the types | of attacks described above. Hence the DC Net. A huge amount of stuff is | available on DC Nets, on the Web, in the CP archives, in the literature | (Crypto and Eurocrypt Proceedings, esp. by Chaum, Pfitzmann, etc.). | | Even with DC Nets, the concern is immediately one of "collusion sets" | (or "compromised sets," if the FBI/FinCEN/NSA have instrumented nodes). | | By the way, the attack that Adam describes, of the attacker placing | video cameras and monitoring devices, is not inexpensive. For example, I | doubt that Swiss banks in Geneva and Zurich have been compromised in | this way...though I expect that wire transfers into and out of such | banks are observed and recorded. Probably; but if the end points are both expensive to trace, watching those transfers may not buy you a lot. | I think the continued existence of private banking systems for high net | worth individuals shows that even relatively small sets of interacting | parties can achieve privacy. This may not be doable with remailers which | are operated by, for example, 22-year-old grad students who have spent a | couple of hours setting up a remailer on their 600 MHz Celeron box, or | even by computer professionals like Len willing to spend more time and | effort, but it looks doable. | | Paid remailers are just as necessary for the longterm health of the | remailer business as paid banks were and are for the banking business. | "Swiss bank in a box" may look like a neat little bit of code to play | with in the latest Debian code release, but it ain't really a Swiss bank. As Dan Geer pointed out, banks are in the risk management business. If you put your risk management algorithm in a box and expect me not to game it, its because you have too little money to pay for the analysis. LTCM had this problem; their banks decided it was more profitable to squueze them than to let them live, and they had no escape plan. (Its too bad the banks didn't know what their liabilities were, but thats another rant.) Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume