On Saturday, December 22, 2001, at 11:29 AM, Adam Shostack wrote:
On Fri, Dec 21, 2001 at 01:21:27PM -0800, Len Sassaman wrote: | | In conclusion, I leave you with a question: if remailer users are reduced | to a small number of high-paying remailer customers for whom anonymity is | not a game, but a matter of life or death, could a mix-net be made to | provide any sufficient degree of security? "No" is the easy answer. Say | yes, and prove it.
No. If your anonymity set is small, then using the system calls attention to you, and your adversary can simply attack all the users with physical layer attacks (bugged keyboards, video cameras in ceilings, tempest, etc.). Further, if the user set is small you're probably more concerned with unobservability than with unlinkability or untracability.
Likewise, if only a small number of people are using Swiss banks, or Yap stone wheels, or nearly any other particular financial instrument then the anonymity set is too small. It's not too hard to know who is spending that Yap stone wheel. I say "nearly" because gold, say, has some nice physical properties which things like currency notes, bank accounts, diamonds, etc. don't have: gold can be melted and all traces of origin lost, save for some expensive tinkering with isotopic ratios, maybe. Note that I am not advocating gold, and especially not E-Gold, just noting facts.) A lot of the complaints we see about cryptographic implementations of things are also echoed in the real world. It's unreasonable to expect crypto to solve all problems. To emphasize this point: When we hear about limitations on the privacy of remailers or digital cash implementations, we should think about comparable situations with ordinary mail, ordinary currency, etc. A lot of systems seemingly fail! The fact that we continue to use them, because they are embedded in a larger system (of reputations, ontological speed bumps, etc.) tells us that crypto is only a part of the overall picture. Too many crypto folks find flaws and declare the whole approach dead. On Len's earlier point, DC Nets are the answer. The 1992 design for "envelopes within envelopes remailers" is just the 1981 Chaumian untraceable e-mail. He knew even then that it was subject to the types of attacks described above. Hence the DC Net. A huge amount of stuff is available on DC Nets, on the Web, in the CP archives, in the literature (Crypto and Eurocrypt Proceedings, esp. by Chaum, Pfitzmann, etc.). Even with DC Nets, the concern is immediately one of "collusion sets" (or "compromised sets," if the FBI/FinCEN/NSA have instrumented nodes). By the way, the attack that Adam describes, of the attacker placing video cameras and monitoring devices, is not inexpensive. For example, I doubt that Swiss banks in Geneva and Zurich have been compromised in this way...though I expect that wire transfers into and out of such banks are observed and recorded. (One of the early remailers was located in a vault formerly used for an accelerator near Amsterdam. Pretty hard for FinCEN or NSA to get cameras in there. Ditto for some of the vaults in the U.K. being used for colo. Ditto for HavenCo (though I am not necessarily endorsing the use of platforms in the North Sea),) I think the continued existence of private banking systems for high net worth individuals shows that even relatively small sets of interacting parties can achieve privacy. This may not be doable with remailers which are operated by, for example, 22-year-old grad students who have spent a couple of hours setting up a remailer on their 600 MHz Celeron box, or even by computer professionals like Len willing to spend more time and effort, but it looks doable. Paid remailers are just as necessary for the longterm health of the remailer business as paid banks were and are for the banking business. "Swiss bank in a box" may look like a neat little bit of code to play with in the latest Debian code release, but it ain't really a Swiss bank. And folks saying Swiss banks can't provide privacy because "Swiss bank in a box" doesn't really work very well.... --Tim May "Stupidity is not a sin, the victim can't help being stupid. But stupidity is the only universal crime; the sentence is death, there is no appeal, and execution is carried out automatically and without pity." --Robert A. Heinlein