Major Variola (ret) wrote:

> At 02:20 PM 4/25/03 -0400, someone claiming to be Patrick Chkoreff wrote:

(-: The sig is valid for the key at http://fexl.com/keys/patrick.txt)

> > I was mistakenly thinking that because my sacred code did not
> > in fact record any IP-based transmission logs, users were safe as far as
> > anonymity and privacy were concerned. What I missed was that if someone
> > put a gun to my head
>
> Generally in security analysis you want to list threat models and how you
> resist (or not) them. From this you can derive a spec. ... This leads to
> the conclusion that security is economics + physics. The goal is to make
> attacks more expensive to your adversary, at "reasonable" cost to you.
>
> Subpoenas are cheap to some.

True. From the thrashing I took yesterday, I conclude that subpoenas and other forceful means of system compromise are very cheap indeed. That assumes the system is big enough to matter to the bad guys, which is definitely false at initial rollout but from the looks of this crowd is likely to remain false forever if the system cannot guarantee protection against that threat.

Everybody here wants an improvement over book-entry systems, but nobody will settle for anything less than fully blinded digital notes. The question of whether digital notes can circulate in the wild without server contact but with the ability to identify double-spenders later is up for grabs. Hettinga likes that feature for intrinsic reasons having nothing to do with network reliability or ubiquity. I find it a bit appealing myself because it can help support small social nets of accountability. I have not reviewed the math in detail, but am I to understand that under this protocol ONLY double-spenders can be identified? That is, if you do not double-spend can you be guaranteed anonymity from other recipients down the spend chain?

Obviously those in the know share a common threat model that demands blinding. Certainly that has serious implications for the server. In a non-blinded system you can just store a small number of unspent coins and the server can do tricks like include an lseek number in the coin data to make lookup extremely fast. But nobody wants a non-blinded system. Consequently, the server must store a large number of spent coins and because coin identifiers are created randomly out in the wild there is no convenient embedded lseek number. But yes, it is extremely cool that you can get the bank's signature on X without actually revealing X to the bank.

Certainly there are more detailed threats than forced compromise to consider. Some precautions you take just because you can -- lock and randomize memory for example. But whether you turn on internal churning mechanisms to prevent timing attacks, put ceramic caps on memory components, put boxes in Faraday cages, etc. is another story altogether.

--
Patrick
http://fexl.com
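As an added illustration of the two points above (the bank signing X without seeing it, and the server having to keep a table of every spent serial because the coin carries no bank-assigned index), here is a toy Chaum-style RSA blind signature in Python. This is example code written for this page, not Patrick's code or any deployed system; the primes, the hash-to-integer mapping and the serial format are constructed toy choices.

```python
import hashlib
import math
import secrets
# Toy RSA parameters, constructed for this demonstration only: far too small
# to protect real money, but enough to show the arithmetic.
P, Q = 104729, 104723              # two primes (toy values)
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # bank's private exponent (Python >= 3.8)

def coin_digest(serial: bytes) -> int:
    """X in the thread's terms: hash of the customer's random serial, mod N."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N

def blind(x: int) -> tuple[int, int]:
    """Customer: multiply X by r^e so the bank sees only a random-looking value."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (x * pow(r, E, N)) % N, r

def bank_sign(blinded: int) -> int:
    """Bank: signs whatever it is handed; it learns nothing about X itself."""
    return pow(blinded, D, N)

def unblind(blinded_sig: int, r: int) -> int:
    """Customer: divide out r to recover the bank's signature X^d mod N."""
    return (blinded_sig * pow(r, -1, N)) % N

def verify(serial: bytes, sig: int) -> bool:
    """Anyone with the public key checks a coin without contacting the bank."""
    return pow(sig, E, N) == coin_digest(serial)

class Bank:
    """Spent-coin table: serials are chosen in the wild, so there is no embedded
    lookup index and the bank must remember every serial it has ever redeemed."""
    def __init__(self) -> None:
        self.spent: set[bytes] = set()
    def redeem(self, serial: bytes, sig: int) -> bool:
        if not verify(serial, sig) or serial in self.spent:
            return False               # forged coin or second spend of a serial
        self.spent.add(serial)
        return True

def mint_coin() -> tuple[bytes, int]:
    """Withdrawal: customer picks a serial, bank signs it blind, customer unblinds."""
    serial = secrets.token_bytes(16)
    blinded, r = blind(coin_digest(serial))
    return serial, unblind(bank_sign(blinded), r)
```

The blinded value the bank signs is independent of the serial it later sees at redemption, which is why the spent table can only catch a repeated serial, not link a coin to its withdrawal.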