Will these be located in the U.S.? Will their locations be publicized? Will any offshore (non-U.S.) locations be publicized?
Any file system which can be identified as to *location in some legal jurisdiction*, especially in the U.S. but also probably in any OECD/Interpol-compliant non-U.S. locations, will be subject to COMPLETE SEIZURE under many circumstances:
* if any "child porn" is found by zealous prosecutors to be on the system(s)
I think child porn is pretty much the canonical example -- the spooks / feds have a history of posting their own child porn if none is available to seize. (eg The Amateur Action BBS case which Tim cites is the classic case -- the Thomases had not had any dealings with child porn, but a US postal inspector mailed some to them, and busted them for it before they had even opened the package. They are still in jail now.)
An article which got forwarded to cypherpunks a while back was a URL for some people who had created a for-pay web service which consisted solely of hypertext links to child porn articles in usenet. I never did investigate (the worry is always that it is a sting in itself, and I was interested in the techniques not the material), but it is interesting that these people considered this action safe enough for the monetary rewards to compensate. (Anyone save this post / URL, or know if these people are still in business, or what technique they used to be able to generally link to USENET articles... is it possible to link to news:alt.anonymous.messages/message-id in a way which is independent of news spool?)
I agree with Tim that actually building distributed file systems where data can be traced back to the server serving it will cause problems for the operators. I think even if there are many operators, and even if the data is secret split, the operators would likely be held liable. Ross's paper describes some techniques for building a distributed database which makes it difficult for a server to discover what it is serving. (Necessary because an attacker will become a server operator if this helps him).
The threat of seizure is the reason that I focussed on using USENET as a distributed distribution mechanism. All sorts of yucky stuff gets posted to USENET every day, and USENET seems to weather it just fine.
The idea of using new protocols, and new services as Ross's paper describes is difficult to achieve a) because the protocols are more complex and need to be realised, and b) because you then face deployment problems with an unpopular service and supporting protocols whose only function is to facilitate publishing of unpopular materials.
So I focussed on USENET, but the weakness of using USENET for building a distributed database where data is intended to persist for protracted periods of time is that USENET articles expire, existing in news spools often for only 3 days or so. The problem is really that USENET is essentially a distributed _distribution_ mechanism, and not a distributed database.
Archiving USENET as a separable enterprise which charges for access (altavista for example charges via advertisements) seems less problematic than directly trying to build a database of controversial materials. Archiving it all partly reduces your liability I think, because you are not being selective, you just happen to have a business which archives USENET. However there are two problems with this: a) volume -- USENET daily volume is huge; b) the censors will ask you to remove articles they object to from the archive.
The solution I am using is to keep reposting articles via remailers. Have agents which you pay to repost. This presents the illusion of persistence, because the eternity server will fetch the most recent version currently available in the news spool. This avoids centralised servers which would become subject to attack, all that is left is a local proxy version of an eternity server which reads news from an ordinary news spool.
My current implementation is a CGI binary which is currently running as a remote eternity server. You can run it as a local eternity server if you have a local UNIX box, running say linux. Better would be a more general local proxy for other platforms. I am working on this local proxy version at present.
This is the state of play for me. The reposter will be either the publisher of the article, or a reposting agent. In either case remailers can be used. Remailer resistance to attack has improved a lot since some of the remailers started using disposable hotmail etc accounts as exit nodes -- the remailer is no longer traceable without much higher resources being spent by the attacker. Using a chain of mixmaster remailers, and a remailer using hotmail for delivery provides good anonymity.
I would have thought that a much more robust (against the attacks above) system would involve:
- nodes scattered amongst many countries, a la remailers
Better to have no nodes at all, as with the USENET-only solution. The reposting agent (which may be the publisher, or interested reader if they are fulfilling the role of reposting agent) is a node of sorts, however this node can be replicated, can move frequently, and only ever need communicate via remailers.
- no known publicized nexus (less bait for lawyers, prosecutors, etc.)
This one is crucial.
- changeable nodes, again, a la remailers
- smaller and cheaper nodes, rather than expensive workstation-class nodes
- CD-ROMS made of Eternity files and then sold or distributed widely
This is an interesting suggestion, but surely would open the distributor up for liability, especially if copyright software were amongst the documents. Were you thinking of
- purely cyberspatial locations, with no known nexus
(I point to my own "BlackNet" experiment as one approach.)
This is the best option. Make it entirely distributed, so there is no nexus, period. cyberspatial -> meatspace mappings are often easier to trace than we would wish, especially where there is continued usage (for example there are various active attacks which can make progress even against mixmaster remailers). This is the weak point of my reposting agent, be that human, or automated.
However anonymous interchangeable reposting agents is an interesting concept. One way to view the reposting function would be to view it as a new function for remailers; that they would post a message a specified number of times at specified intervals. However it is probably better to separate the function into a separate agent because remailers are known, and few in number.
A reposting agent need never advertise an address. Instructions to the agent would be via USENET (it would read news for instructions and eternity documents bundled with ecash payment for its services, and repost these according to those instructions). The reposting agents would be motivated by profit, have reasonable chances at obscuring their identity through the use of remailers, and so would be willing to take the risks.
A smart operator could further reduce risks by using resources intermittently and unpredictably, and by using multiple, automated entry nodes into the remailer net. Potentially agents could be left operating in cracked accounts, siphoning payments off to their owners, at fairly low risk to the owner. Agents could be rated for reliability in delivering services paid for, or payment could be enabled for each repost by an arbitration agent upon seeing the post.
It is also likely in the extreme that a working Eternity service will quickly be hit with attackers of various sorts who want to test the limits of the service, or who want such services shut down.
I agree with this prediction. Remailers have seen this pattern, with `baiting' of operators, and apparently people posting controversial materials and reporting the materials to the SPA or others themselves, etc.
As you might guess, parts of the above are unimplemented. The local proxy is my current task. Reposting agents are unimplemented, as is integration of payment.
Another comment is that reader anonymity is a separable aim which should be cleanly separated from the design. Services like anonymizer, crowds, pipenets, SSL encrypted news server access (supported by netscape 4), and local news feed can ensure anonymous access to eternity document space at varying cost trade-offs.