CDR: Response to false statements about Zero-Knowledge

Declan, I would like to respond to some of the discussion and false statements being made about Zero-Knowledge. Please see my comments below and FWD: to Politech. Thank you. Regards, Austin

-----Original Message----- From: Declan McCullagh [mailto:declan@well.com] Sent: Wednesday, November 08, 2000 7:15 PM To: politech@politechbot.com Cc: shamrock@cypherpunks.to Subject: FC: Response to article on Zero Knowledge, marketing, and promises

********* A response to: http://www.politechbot.com/p-01464.html *********

Date: Wed, 01 Nov 2000 18:49:32 -0800 From: Lucky Green Subject: RE: Zero Knowledge, after poor software sales, tries new gambit To: declan@well.com

Declan,

I don't believe the conclusion that Internet users are unwilling to pay for enhanced privacy is warranted given the information currently available. If anything, ZKS' poor sales show that Internet users are unwilling to pay for software that claims to protect the user's privacy but doesn't. This is a very important distinction to make. Freedom (TM) as shipping does not adequately protect the users' privacy. ZKS' marketing machine and early promises notwithstanding, in the end the market was not fooled into buying product that doesn't deliver.

First to set the record straight, Declan's claim that our software sales have been poor is completely baseless. He has reported this as fact when during my interview with him I clearly stated that we are pleased with our results for Freedom and are seeing substantial growth, so much that we are still hiring more engineers (adding to the already 100 we have working on it) and adding more features and improvements to our consumer privacy product. Because we as a private company refuse to provide Declan with actual sales & revenue numbers he has persisted in reporting that this is because of poor software sales, based on what he described as anecdotal evidence that he has observed in the cypherpunk community. Declan fails to mention that Freedom was never targeted toward Cypherpunks; our goal was to incorporate Cypherpunk-level cryptography and philosophies into a privacy tool that would empower the average Internet user to manage their privacy online. Cypherpunks can build privacy tools for themselves; our target market for Freedom is consumers who are concerned with their privacy. Declan and his editor at Wired have received a complaint regarding what we feel was irresponsible reporting, that includes a transcript of the relevant parts of the interview. As of now, they have not made any correction or retraction. Declan, I invite you to FWD: our letter to you and your Wired editor, to Politech readers so they can make up their own minds regarding the current state of our software sales and your editorial on the launch of our additional corporate privacy services. For now Declan and I have agreed to disagree about the accuracy and quality of his article. Now leaving that issue aside, Lucky Green makes the claim that we have failed to deliver what we promise. I believe this is completely baseless and false. Our promised privacy protection is detailed extensively at a very technical level in our whitepapers, http://www.freedom.net/info/freedompapers/Freedom-Architecture-Protocols.pdf http://www.freedom.net/info/freedompapers/Freedom-NymCreation.pdf http://www.freedom.net/info/freedompapers/Freedom-Security.pdf In these papers we describe every attack we protect against and more importantly every attack that we don't protect against. These whitepapers include protocols, design goals and actual results of security audits against the architecture and the code. Unfortunately, Lucky hasn't done any analysis to add to the list. To further improve our security and privacy commitment and to ensure users do not have to rely on or trust Zero-Knowledge's claims, we have also published the source code for the system, which is available at, http://opensource.zeroknowledge.com We are the only privacy company that has published whitepapers on the full protocol, security attacks against the system, and the source code. We believe that this is responsible privacy, and that it is the only way to verify and support our claims to our users. If there is _ANY_ attack, weaknesses, flaw or security bug we have invited people to review our work and inform us, and we then update our documents to reflect our continued understanding of how to design and implement the best privacy infrastructure available. Based on this, we believe we are the strongest privacy solution on the market. (In fact most other privacy companies claim that we are 'killing a fly with a bazooka' by going overboard with strong crypto and multi-hop routing).

I think it is unfortunate that ZKS' failure to deliver on their promises will now be taken as an indication that there is no market for a product that ZKS never built.

The risk that the such a, in my view erroneous, conclusion would be drawn was of course the big risk to Internet privacy worldwide that followed from ZKS' foolish gamble to ship a product

I actually believe that Lucky's false statements and accusations stem from Zero-Knowledge shipping a solution that does not include the solution to one of the original design goals, which was a traffic-analysis-resistant network. During our first attempt to build the FREEDOM infrastructure and an AnonymousIP protocol we also tried to build it to be resistant to traffic analysis and large statistical attacks. (This remains a design goal, but we think there are open research issues to be solved before we (or anyone) can ship a system that meets this design goal). The techniques we attempted to use to facilitate this were: -Constant packet sizing -Link padding -Traffic shaping (introducing extra bogus traffic or limiting traffic to disguise the actual amount of traffic being sent through the network) During our tests of the first alpha versions of FREEDOM, we found a number of problems with this including: 1. Speed & performance degradation that made the system unusable 2. Huge costs increases in operating the backbone infrastructure (Packets were being sent with a huge increase in 'stuffed' payloads and there had to be constant traffic on the network) 3. Incomplete understanding of the effect in the security and resistances to these attacks (we found there was not enough research in the area of traffic analysis to determine if the extra delays and huge costs increased gained us anything in the protection from traffic analysis. In fact, upon review we found that since the costs of doing the bare minimum padding (full link padding from the client node to the first server node) could not be supported by what we felt users were willing to pay for privacy, we reviewed our threat model and lowered the bar on the what we were trying to accomplish. We consider traffic analysis to be an area in need of basic research. We have some information-theoretical and computationally secure proposals but minimal work on secure systems with work-factors less than computationally secure. Simple things like how to define and discuss the work-factor of these systems are missing. We do not have equivalents of basic constructs like Feistel-networks, s-boxes, or chaining modes. We have easy attacks which seem very powerful, but can't judge if those attacks are the equivalent of statistical attacks on ceaser ciphers or something more powerful. We do not have powerful techniques such as differential or linear cryptanalysis, the impossible variants, or any sort of trade-off attacks. There's not a great deal of discussion of the case where flood the pipe is not an option, or where we want to limit delays. We think the situation is analogous to the state of our understanding of block cipher analysis in 1970. We had an information-theoretically secure system. But we had little or no knowledge of the Enigma breaks (Bletchly Park is not mentioned in the index of the 1967 ed. of the Codebreakers). When the NBS proposed the DES, many were at a loss as to how to critique it beyond asking for the design criteria to be published. Compare and contrast this situation with the AES competition. Our Director of Technology, Adam Shostack raised this issue in a rump session talk at the 'Design Issues in Anonymity and Unobservability' workshop, and we're looking for other ways to bring the problem to the attention of the academic community. Our users are primarily Win 95/98 users who are worried about their privacy (i.e. email address; cookies; profiling by ad networks; pseudonyms for chat rooms and Usenet). They are not worried about the NSA doing traffic analysis on their communications. We were way too ambitious with that design goal and we decided it was not a 'must have' that would prevent us from shipping our current solution. More than that, we did so publicly (see our whitepapers) and we are also working on increasing academic research in this area (we have a few scientists working on it) so that if we decide to attack this problem in the future there will be more information available to us to review. Lucky claims that there is large market demand (in terms of $$ and/or people) for traffic-analysis-resistant, completely anonymous networking. I disagree, but would invite him to take our source code and go out and build a business based on this. The published source code is the result of 3 years of engineering by more than 100 developers and we would invite him to take this start and improve on it. We would be interested in his results both technically (how to achieve traffic analysis resistant networking) and on the business side (how do you build a business to support fully traffic analysis resistant networking). We have 250+ people working very hard on privacy systems, and have taken huge steps in making sure we are accurate in our claims, transparent in our systems and are delivering privacy services that we can be very proud of. Lucky, by claiming that we are misleading our users or not protecting their privacy because of the lack of resistance to traffic analysis is irresponsible and is allowing the best to be the enemy of the good.* * For those who don't follow security debates, this refers to idealists who want to build great systems with really neat provable properties and other useful underpinnings. Unfortunately, none of those systems have ever shipped, and in the real world, we get by with good. Freedom is the strongest privacy system that's shipping. Is it as good as we would like it to be in an ideal world? Of course not. But there is a braintrust at Zero-Knowledge of really smart people who want to make it even better, so while we've decided to ship a strong and working system that offers consumers the best privacy available today, we also have 100 engineers working to continually make it better. Regards, -Austin that didn't meet market demand. A risk

that I on more than one occasion impressed upon the principals was to great to take.

--Lucky Green

"Anytime you decrypt... its against the law". Jack Valenti, President, Motion Picture Association of America in a sworn deposition, 2000-06-06

_________________________________________________________________________ Austin Hill Zero-Knowledge Systems Inc. President Montreal, Quebec Phone: 514.286.2636 Fax: 514.286.2755 mailto:a_hill@zeroknowledge.com http://www.zeroknowledge.com Are you fast enough? Are you smart enough? We are hiring those who are! http://www.zeroknowledge.com/jobs/ PGP Fingerprints RSA = 7BDB A72C 1130 BC09 CD5A 2712 F51D 72AC DH/DSS = F783 7187 E174 0C5C DD4C B1FA 0392 C7DC AF5A 1FAB _________________________________________________________________________ -- Resistance is futile! http://jobs.zeroknowledge.com