Jeff's Side of the Story.

There's been an ongoing discussion of the Huge Cojones remailer situation on the related newsgroups. This has a lot of relevance to our issues, and this is one of the more illuminating articles. --Tim
From: toxic@hotwired.com (Jeff Burchell)
Newsgroups: alt.privacy.anon-server,alt.fan.steve-winter,alt.religion.scientology,alt.anonymous,misc.misc,alt.censorship,news.admin.censorship,alt.cypherpunks,comp.org.eff.talk,news.admin.net-abuse.misc
Subject: Jeff's Side of the Story.
Followup-To: alt.privacy.anon-server,alt.fan.steve-winter,alt.religion.scientology,alt.anonymous,misc.misc,alt.censorship,news.admin.censorship,comp.org.eff.talk,news.admin.net-abuse.misc
Date: 1 Jul 1997 20:02:22 GMT
Organization: Content, Inc
...
Anonymous (nobody@REPLAY.COM) wrote:
: > Only Jeff knows the whole story.
Actually, not even I know the whole story. If I truly knew who it was that was orchestrating this attack, it would have stopped, one way or another. The problem is, I don't know all the players (I have some suspicions, which I'll elaborate on further in a little bit) but I don't _really_ know who did it, and I really don't know why (other than a "I don't like remailers, I think I'll shut one down"). And I really don't know the background or what precipitated this.
: > But I have to ask. Could this
: > just be an" I'm sick of this shit, f**k it, I quit, who needs this
: > aggravation, I'll just pull the plug and go have a beer" reaction
: > to what really seems like a fairly small problem.
It is not a small problem anymore when you're getting >200 complaint messages a day, plus 5-10 phone calls to your employer (and your employer's legal department). Fortunately, Wired is a very progressive company, and supported my efforts to provide anonymity, but our lawyers aren't paid to answer phone calls on my behalf. Running a remailer is one thing... getting harassed at work is an entirely different matter, and getting a THIRD PARTY harassed at work is yet another one.
But yes, The ultimate "take this thing down" decision was one made because I was sick of this bullshit. But you know what? I volunteer my time, my computer equipment, and bandwidth that is given to me as part of my salary. I do (well did) all of this because I believe that anonymity is a right, and because I have the capabilities of helping to provide anonymity to the masses. When the remailer was self-sufficient (before the attacks started), it took maybe 10 minutes of my time a day, and minimal resources on my machine. Afterwards, even after I put in the auto-blocking feature (send a blank message to a particular address and get your address blocked) and the autoresponder on the remailer-admin account, I was still getting >100 messages a day reporting abuse... almost all of it spam-bait related. I receive no benefit from running the remailer (I don't even use it myself), and when it becomes a fairly major hassle without any rewards, the decision is not a hard one to make.
And frankly, I already have enough to do, and get enough mail on a daily basis (at last check it was hovering around 600 messages/day). As soon as the remailer started taking up a lot of my time, it became time to rethink why I was running it. The moment that the spam-baiter started alerting people who had been baited, and telling them to contact me, it became personal. And I don't have time to get into personal pissing-contests. Yes, I took the easy way out, but that was my choice to make.
Anyone who doesn't run a remailer has very little right questioning my choice, because you have no idea what precipitated it. Most people reading this group have the capabilities of running a remailer (it only takes a POP account and a Windows machine to run the Winsock remailer), but very few of us actually do. Why is that? I've been running huge.cajones for just under 2 years, and it averaged just over 3000 messages a day, so my remailer was responsible for about 2 million anonymous messages in its lifetime. I think I've done my part (at least for now), it's time for someone else to do theirs. If we had 15 disposable remailers that operated for 2-3 months each before moving/going away, we'd have paths for millions more anonymous messages. And isn't that what we're really trying to provide?
: The first was doing questionable things, like installing content-based
: filtering in an attempt to placate the attacker. Giving in to the demands
When I first put the filters in, I was entirely unaware of exactly what the hell was going on. It seemed that someone had a bone to pick with databasix, and was using the remailer to get databasix harassed by third parties. So, Burnore's complaint seemed reasonable at the time, and I tried to come up with a way to block spam-bait abuse, without blocking anything else (like a reply to burnore in Usenet).
See, if someone was doing to me what they appeared to be doing to Burnore, I would be pissed. I figured placating him would be the best thing to do. In hindsight, I was wrong, but at the time, it seemed like the correct decision. (Also at the same time, the SPA threatened Wired with a lawsuit because of The MailMasher, so things were a little tense between me and the legal department already, I didn't need to make them any worse.)
The final content-based-filter (there was an interim one) looked for the following things:
1. Any address at databasix (Yes, at the request of Burnore)
2. Any address from my destination block list
3. More than 5 addresses in a row, one line each, without other content in-between.
4. Patterns of particular Usenet groups.
5. Particular subject lines.
If any THREE of these items were spotted, the message got thrown into a reject bin. I periodically examined the reject bin, and can personally attest that it didn't block ANYTHING that it wasn't intended to. (The test posts reeked of spam-bait to me, and I believe were correctly blocked)
FWIW, the filters were removed about a week ago.
Because the filters were looking for a specific form of ABUSE, and not just doing basic pattern matches, I don't consider them to be "content filters". I would think that just about anyone would agree that posting lists of email addresses to mlm newsgroups would qualify as abuse, and _should_ be blocked. Blocking of this nature does NOT restrict free speech (or at least that is not the intentions of it), and it would keep the remailer out of lawsuit territory.
See, the big problem with lawsuits is not the fact that _I_ don't want to be sued. The problem is that anyone with half a brain can determine that Wired is somehow related to any remailer that I am running on their bandwidth. Wired has deeper pockets than Mr. Burchell, so they are a much better group to sue... and they are a lot more willing to give in to a threat than I am.
: What I *MIGHT* have done was to respond as follows:
:
: Your legal demands are unacceptable. I'd rather close the remailer than
: compromise its integrity to suit your whims. But understand this -- unless
: you withdraw your demands, I will not only close the remailer but also make
: damn sure all of its users know exactly who forced me to take this action!
I did respond in a fashion much like this, about a week before the attacks started coming. Mr. Burnore requested a copy of my (non-existent) logs. I told him to get me something in writing, signed by his lawyer that stipulated that the logs were confidential, and not to be revealed to anyone outside of the lawyer's office.
I received a letter from Belinda Bryan. She is not registered with the State Bar of California, and is thus, not a California lawyer. I then ignored the request, and forwarded the correspondence to the State Attorney General's office (as impersonating a lawyer in CA is defined as fraud with extenuating circumstances). They have been working with me and the San Francisco DA's office. Look out DataBasix... I'm not done with you yet.
: The second mistake I perceive is not fully disclosing the circumstances that
: brought down Huge Cajones, and *NAMING NAMES*. That way, even if the remailer
: shuts down, other remailer operators will learn about the tactics employed
: against it, know *WHO* made the demands, etc. IOW, when you get an innocent
: sounding, polite complaint from xxxx@yyy.com alleging "abuse", here's the
: scenario that's likely to follow ... (It's not too late to make that
: disclosure, Jeff.)
In fact, now is the time to. Making a disclosure like this while I was still running the remailer would have probably been a bad move. Now that the remailer is closed, I'll name the names that I've got.
Beware... all of this is speculation, because huge.cajones was an anonymous service, not even I can say with any authority that any of the people named below had anything to do with the shutdown of huge.cajones (or The MailMasher). However, there are a number of coincidences of timing.
I still don't know what the hell is going on with DataBasix, Wells Fargo and Gary Burnore, but I suspect that someone used huge.cajones to say something extremely unflattering about Burnore (from what I can tell, he had it coming). Burnore then decided that he would make things difficult for me. First, he wanted the user who had posted something "inflammatory" about him revealed. When I told him that I couldn't do that, he carried on about mail logs and identifying the host that a message came from (the usual). I didn't explain to him that my machine keeps logs, but not anything involving a *@cajones.com address. He then requested the logs, which I denied (and told him to get his lawyer to send a request...)
I'll admit, after my second or third contact with Mr. Burnore, I no longer was particularly civil with the guy. He's a kook, and really didn't deserve my courtesy.
Between the time he first contacted me, and the time I received the letter from Belinda Bryan, is when the baiting of databasix addresses began (slowly, with just a few posts). After a while, I received requests from the other members of DataBasix (including William McLatchie (sp) (aka wotan) who actually seems to be a remailer supporter (?)).
It was at this point that I realized something was completely amiss. I asked McLatchie to please tell me the story of DataBasix, and he said that he was going to, but never did. Anyone who can tell me the story is invited to do so.
As a side note (and just because I am naming names). Peter Hartly (hartley@hartley.on.ca) yesterday spam-baited me. Fortunately, I've got good filters in place.
As another side note, I've seen nothing to make me believe that Belinda Bryan is even a real person. Anyone?
: > Given the importance of what Jeff was doing, I hope that he
: > did all that he could, before declaring defeat. If that is the case,
: > I commend him for a job well done. If not, why?
I can't claim to have done _everything_ that I could have done, but I did certainly make an effort. I'm not willing to go to court to defend a practice like spam-baiting (and given the current public-opinion situation and impending anti-UCE legislation, this would be a terrible test-case).
I am not new to threats of lawsuit, even ones that come from legitimate lawyers. About 8 months previous, I was threatened repeatedly by the legal wing of the "Church" of Scientology. I answered with a letter from my lawyer that explained the policies of the remailer, and threatened a harassment lawsuit if the "Church" contacted me again asking for information (that they now knew I didn't have) about a remailer user. They complied, and went away (and haven't been too difficult with other remailer operators lately).
: Agreed. Otherwise, these "asshole(s)" are simply going to do it all over
: again against another remailer, eventually taking them all down one at a time.
Except that right now, new remailers are springing up. If we could get three more online for every one shut down, it wouldn't much matter, would it? I may very well end up running a mailer again in the future, but if I do, it will probably be either a throwaway exit-man or a truly anonymous middleman (i.e. nobody will actually know who is running it). It also will probably be hosted outside of the United States (Floating in international waters with a sat feed would be nice).
: It's time for them to stand up and say "Next time you come for one of us
: he's not going quietly as the others have. You'll have to face ALL of us at once,
: instead."
Aah, you imagine much more solidarity among remailer operators than actually exists. It doesn't work that way. It would be nice if it did, but many of us are running remailers on borrowed bandwidth (or have other "situations" to be concerned about). Being the squeaky wheel is not always a good idea for many of the operators (most of whom try to keep a low profile).
The reality is, for all the good they do, remailers are tools that can very easily be abused. And, as the internet gets more and more commonplace, the average Joe and Josephine, who don't have the strict Cyber-Libertarian viewpoints that are shared by most of us old-timers, will start to wonder just why anyone would want to run a service that allows anyone to speak their mind without fear of reprisal. When you get people with more extreme viewpoints (the ones who have a really legitimate need for anonymity) posting all kinds of stuff to all kinds of places, it will get the attention of Middle-America, which will then bring it to the attention of legislators. Any time a legislator can say "This is a blow to Child Pornographers and others who hide behind anonymity to commit crimes without fear of reprisal" you can guarantee that the bill will pass.
When that happens, we're in trouble. America is scared of computers, and remailers are thought to be havens for the big 3 (Terrorists, Organized Crime and Child Pornographers). Now that the spammers are involved (spammers possibly being hated more than the big 3), most users are exposed to anonymous remailers in negative ways (Imagine what you would think if the first time you heard about the existence of remailers, it was because someone had spam-baited you, and then told you about it).
The right to anonymity in the US will be legislated away within 18 months, partially because of spam. I do hope there's a _good_ test case waiting, and someone willing to fight it to the end, but I have my doubts. Ultimately the remailer network will be forced to move offshore, the way Crypto development currently has.
Don't like the News? Go out and make some of your own.
-Jeff
|o|                                                     |o|
|o| Jeff Burchell                       toxic@wired.com |o|
|o|- - - - - - - - - - - - - - - - - - - - - - - - - - -|o|
|o|       I am not speaking for anyone but myself.      |o|
|o|                                                     |o|
--
There's something wrong when I'm a felon under an increasing number of laws.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^1398269     | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
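
The three-of-five rule Jeff describes for his final filter, as an added Python example (not the remailer's actual filter code, which the post does not show). The watched domain, block-list entry, newsgroup and subject patterns and all sample messages are constructed placeholders; treating blank lines as not breaking an address run is an assumption.

```python
import re
from email import message_from_string

THRESHOLD = 3        # "If any THREE of these items were spotted"
MAX_ADDRESS_RUN = 5  # rule 3 fires on MORE than 5 addresses in a row

# Constructed placeholders: the post does not give the real values.
WATCHED_DOMAIN = "databasix.example"
DESTINATION_BLOCKLIST = {"optout@example.net"}
NEWSGROUP_PATTERNS = [re.compile(r"(^|\.)mlm(\.|$)")]
SUBJECT_PATTERNS = [re.compile(r"send me (info|more information)", re.I)]

ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def longest_address_run(body):
    """Longest run of consecutive lines that hold nothing but one address."""
    longest = run = 0
    for line in body.splitlines():
        text = line.strip()
        if not text:
            continue  # assumption: a blank line is not "other content"
        run = run + 1 if ADDR_RE.fullmatch(text) else 0
        longest = max(longest, run)
    return longest


def signals(raw):
    """Return the names of the five rules that fire on a raw message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    addresses = {a.lower() for a in ADDR_RE.findall(raw)}
    groups = [g.strip() for g in msg.get("Newsgroups", "").split(",") if g.strip()]
    subject = msg.get("Subject", "")

    hits = set()
    if any(a.endswith("@" + WATCHED_DOMAIN) for a in addresses):
        hits.add("watched-domain")               # rule 1
    if addresses & DESTINATION_BLOCKLIST:
        hits.add("blocklisted-destination")      # rule 2
    if longest_address_run(body) > MAX_ADDRESS_RUN:
        hits.add("address-list")                 # rule 3
    if any(p.search(g) for g in groups for p in NEWSGROUP_PATTERNS):
        hits.add("newsgroup-pattern")            # rule 4
    if any(p.search(subject) for p in SUBJECT_PATTERNS):
        hits.add("subject-pattern")              # rule 5
    return hits


def is_rejected(raw):
    """A message goes to the reject bin only when three or more rules fire."""
    return len(signals(raw)) >= THRESHOLD


# --- Constructed sample messages -------------------------------------------
ADDRESS_LIST = [f"user{i}@databasix.example" for i in range(1, 7)]

# Bare address list posted to an MLM group: four rules fire, so it is rejected.
SPAM_BAIT = "\n".join(
    ["Newsgroups: example.business.mlm", "Subject: Please send me info", ""]
    + ADDRESS_LIST + [""])

# Same list, ordinary group and subject: only two rules fire, so it passes.
TWO_SIGNALS = "\n".join(
    ["Newsgroups: example.misc.test", "Subject: test", ""]
    + ADDRESS_LIST + [""])

# An ordinary Usenet reply that mentions one watched address: one rule fires.
USENET_REPLY = "\n".join([
    "Newsgroups: example.privacy.discuss",
    "Subject: Re: remailer policy",
    "",
    "someone@databasix.example wrote:",
    "> Remailers should keep logs.",
    "I disagree, and here is why.",
    ""])

if __name__ == "__main__":
    for name, raw in [("spam-bait", SPAM_BAIT), ("two signals", TWO_SIGNALS),
                      ("usenet reply", USENET_REPLY)]:
        print(f"{name:13} rejected={is_rejected(raw)} rules={sorted(signals(raw))}")
```

Requiring three independent signals is what lets a reply that merely mentions a watched address through while the bare address list in an MLM group is rejected.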

On Tue, Jul 01, 1997 at 08:46:53PM -0700, Tim May wrote:
> There's been an ongoing discussion of the Huge Cojones remailer situation on the related newsgroups.
> This has a lot of relevance to our issues, and this is one of the more illuminating articles.
> --Tim
This probably has been suggested 20 years ago, but wouldn't Jeff's problem have been solved if the following slight modification were made to the algorithm:
If you are the last remailer in a chain, then with probability p you pick another randomly chosen remailer to send through. If p is 1 end user mail would never come from you; if p is 0.5 then half the time you send the mail on one more step. The end user, then, can never be sure of which remailer will ultimately deliver the message.
If all remailers used this algorithm it has the disadvantage that mail could float for a very long, non-deterministic time in the network -- if p were globally 1/2, for example, then with probability 1/1024, a message would float on for 10 more hops. But it has the advantage that the end user cannot pick which remailer will ultimately deliver the message, thus making it much more difficult to pick on a single remailer.
It makes anonymous mailing a less attractive service, since you introduce significant delays, and an increased probability of loss. But maybe making anon remailing less attractive would be a good thing.
The non-deterministic retention time in the network could probably be solved, but at the expense of some significant complexity. I have not been able to think of a secure way to do it, however. [If the remailers know and trust each other, the problem is easy.]
--
Kent Crispin                            "No reason to get excited",
kent@songbird.com                       the thief he kindly spoke...
PGP fingerprint: B1 8B 72 ED 55 21 5E 44 61 F4 58 0F 72 10 65 55
http://songbird.com/kent/pgp_key.html
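
An added simulation of the last-hop forwarding rule proposed in the message above (not code from the thread or from any remailer software). The pool of 8 constructed remailer names, uniform re-routing and the optional `max_extra_hops` cap are assumptions; the cap only makes sense when remailers trust the hop count handed to them, which is the "easy" case the message sets aside.

```python
import random
from collections import Counter

# Constructed pool; names and size are assumptions for this example.
REMAILERS = [f"remailer{i}" for i in range(8)]


def prob_at_least(k, p):
    """Probability of at least k extra hops when every remailer forwards
    with probability p (geometric tail: p**k)."""
    return p ** k


def expected_extra_hops(p):
    """Mean number of extra hops, p / (1 - p); it diverges as p -> 1."""
    if p >= 1:
        raise ValueError("p = 1 at every remailer means mail is never delivered")
    return p / (1 - p)


def exit_share(n, p):
    """Closed form: fraction of mail aimed at one chosen exit that this exit
    still delivers itself, with n remailers re-routing uniformly at random."""
    return 1 / n + (1 - 1 / n) * (1 - p) / (1 + p / (n - 1))


def deliver(chosen_exit, p, rng, max_extra_hops=None):
    """Route one message. Returns (delivering_remailer, extra_hops)."""
    if p >= 1 and max_extra_hops is None:
        raise ValueError("unbounded forwarding with p = 1 never terminates")
    current, hops = chosen_exit, 0
    # Whoever holds the message flips the same coin: forward or deliver.
    while (max_extra_hops is None or hops < max_extra_hops) and rng.random() < p:
        current = rng.choice([r for r in REMAILERS if r != current])
        hops += 1
    return current, hops


def simulate(chosen_exit, p, trials, seed, max_extra_hops=None):
    """Send `trials` messages that all name the same exit remailer."""
    rng = random.Random(seed)
    deliverers, hop_counts = Counter(), Counter()
    for _ in range(trials):
        who, hops = deliver(chosen_exit, p, rng, max_extra_hops)
        deliverers[who] += 1
        hop_counts[hops] += 1
    return deliverers, hop_counts


if __name__ == "__main__":
    trials = 20000
    deliverers, hop_counts = simulate("remailer0", 0.5, trials, seed=1)
    mean_hops = sum(h * c for h, c in hop_counts.items()) / trials
    print("P(at least 10 extra hops), p=1/2:", prob_at_least(10, 0.5))
    print("mean extra hops, simulated vs formula:",
          round(mean_hops, 3), expected_extra_hops(0.5))
    print("share still delivered by the named exit, simulated vs formula:",
          round(deliverers["remailer0"] / trials, 3),
          round(exit_share(len(REMAILERS), 0.5), 3))
    # Capped variant: the named exit always forwards exactly once.
    capped, _ = simulate("remailer0", 1.0, trials, seed=1, max_extra_hops=1)
    print("capped, p=1: named exit delivered", capped["remailer0"], "messages")
```

With p = 1/2 and 8 remailers the named exit still delivers a little over half of the mail aimed at it; only values of p near 1 spread delivery evenly, which is where the unbounded delay becomes the cost.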

On Wed, 2 Jul 1997, Kent Crispin wrote:
> The non-deterministic retention time in the network could probably be solved, but at the expense of some significant complexity. I have not been able to think of a secure way to do it, however. [If the remailers know and trust each other, the problem is easy.]
Remailers using this could be configured to not modify the "date" header until final delivery. Then you can base the probability of final delivery upon some function of date/time or another header "X-Remailer-Max-Delay-Time:"
If you're worried about traffic analysis, it is possible to randomly modify the date/time header by small amounts at each hop. (This however only helps and somewhat loaded systems..)
-----------------------------------------------------------------------
Ryan Anderson - <Pug Majere>     "Who knows, even the horse might sing"
Wayne State University - CULMA   "May you live in interesting times.."
randerso@ece.eng.wayne.edu                        Ohio = VYI of the USA
PGP Fingerprint - 7E 8E C6 54 96 AC D9 57 E4 F8 AE 9C 10 7E 78 C9
-----------------------------------------------------------------------

On Wed, Jul 02, 1997 at 11:53:56AM -0400, Ryan Anderson wrote:
> On Wed, 2 Jul 1997, Kent Crispin wrote:
> > The non-deterministic retention time in the network could probably be solved, but at the expense of some significant complexity. I have not been able to think of a secure way to do it, however. [If the remailers know and trust each other, the problem is easy.]
> Remailers using this could be configured to not modify the "date" header until final delivery. Then you can base the probability of final delivery upon some function of date/time or another header "X-Remailer-Max-Delay-Time:" If you're worried about traffic analysis, it is possible to randomly modify the date/time header by small amounts at each hop. (This however only helps and somewhat loaded systems..)
The Evil One can always masquerade as the next to the last remailer, with suitably altered date fields or whatever. I wasn't thinking in terms of traffic analysis -- I was thinking in terms of guaranteeing that the last remailer in the chain, the one that actually delivers the message, cannot be predicted in advance.
The current remailer algorithm allows an evil user to cause a particular remailer to be the source of Bad Stuff, which makes that remailer a target of those who don't like the Bad Stuff. The basic problem is that the end user is able to specify the remailer chain. [Digital postage can't do much to solve this problem, BTW. The offensiveness of a message is not measured by the postage.]
On the face of it, this seems like a relatively simple problem. The current algorithm allows the end user to specify the final remailer -- change it so that the final remailer is not under the end user's control. The problem is, how does the final remailer know whether it was chosen by the end user, or by another remailer who *used* to be the final.
Incidentally, another useful modification of having the final remailer forward one more time is this:
    if( destination address is in my legal jurisdiction )then
        with higher probability forward to another randomly chosen remailer
    else
        with lower probability forward to another remailer
    endif
--
Kent Crispin                            "No reason to get excited",
kent@songbird.com                       the thief he kindly spoke...
PGP fingerprint: B1 8B 72 ED 55 21 5E 44 61 F4 58 0F 72 10 65 55
http://songbird.com/kent/pgp_key.html

On Wed, 2 Jul 1997, Kent Crispin wrote:
> The Evil One can always masquerade as the next to the last remailer, with suitably altered date fields or whatever. I wasn't thinking in terms of traffic analysis -- I was thinking in terms of guaranteeing that the last remailer in the chain, the one that actually delivers the message, cannot be predicted in advance.
Well, to make the remailers more intelligent, have them count incoming mail from the list of remailers participating in the system. (either that or a rate) when one remailer seems to be sending much more mail than the others (which shouldn't happen if all remailers are randomly distributing the mail to each other) you automatically do the random forward to another remailer.
There still exists a problem if a coordinated attack on the whole system occurs, with large amounts of mail seeking to discredit a group of remailers at once...
-----------------------------------------------------------------------
Ryan Anderson - <Pug Majere>     "Who knows, even the horse might sing"
Wayne State University - CULMA   "May you live in interesting times.."
randerso@ece.eng.wayne.edu                        Ohio = VYI of the USA
PGP Fingerprint - 7E 8E C6 54 96 AC D9 57 E4 F8 AE 9C 10 7E 78 C9
-----------------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----
At 03:32 PM 7/2/97 -0400, Ryan Anderson wrote:
> Well, to make the remailers more intelligent, have them count incoming mail from the list of remailers participating in the system. (either that or a rate) when one remailer seems to be sending much more mail than the others (which shouldn't happen if all remailers are randomly distributing the mail to each other) you automatically do the random forward to another remailer.
That's a way to guarantee that the remailers that aren't working get more of the traffic..... :-)
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv
iQBVAwUBM7r1xfthU5e7emAFAQHsCwH/eB0TRsFrGQZEmbeVmjENFRdFgPjAVJ3+
g5gwuraubYuU4XRtv7n6H/RDpfJLeljfknP4CYGQa5PTUqxTqk8FVw==
=a3Fs
-----END PGP SIGNATURE-----
# Thanks; Bill
# Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
# (If this is a mailing list or news, please Cc: me on replies. Thanks.)

On Wed, 2 Jul 1997, Bill Stewart wrote:
> > Well, to make the remailers more intelligent, have them count incoming mail from the list of remailers participating in the system. (either that or a rate) when one remailer seems to be sending much more mail than the others (which shouldn't happen if all remailers are randomly distributing the mail to each other) you automatically do the random forward to another remailer.
> That's a way to guarantee that the remailers that aren't working get more of the traffic.....
So there's a few problems still, sheeeeeeshk. Actually, if you haven't heard anything from a remailer for a while, you'd probably drop it from your calculations. I'd also assume that the mailers participating in this random forwarding system were at least somewhat stable.. :-)
-----------------------------------------------------------------------
Ryan Anderson - <Pug Majere>     "Who knows, even the horse might sing"
Wayne State University - CULMA   "May you live in interesting times.."
randerso@ece.eng.wayne.edu                        Ohio = VYI of the USA
PGP Fingerprint - 7E 8E C6 54 96 AC D9 57 E4 F8 AE 9C 10 7E 78 C9
-----------------------------------------------------------------------

At 7:40 AM -0700 7/2/97, Kent Crispin wrote:
> This probably has been suggested 20 years ago, but wouldn't Jeff's problem have been solved if the following slight modification were made to the algorithm: If you are the last remailer in a chain, then with probability p you pick another randomly chosen remailer to send through. If p is 1 end user mail would never come from you; if p is 0.5 then half the time you send the mail on one more step. The end user, then, can never be sure of which remailer will ultimately deliver the message. ...
This general sort of thing has been discussed...though not 20 years ago! :-0
I don't know about this particular mathematical algorithm, but things generally like it.
Long before a remailer shuts down, he should certainly adopt a strategy like this. Sending "his" traffic through randomly selected other remailers is certainly an option. (Any remailer can at any point insert additional hops, or even chains of hops, merely by addressing them correctly. Of course, the "original" (which may not be the real original, of course, as other remailers may have done the same thing) needs to "get back on track," else the decryptions won't work. But this is all a simple problem.
I don't know what gets discussed on the "remailer operators list," not being on it, but it sure seems to me that remailers have stagnated, and that some of the robust methods of reducing attacks on any particular remailer are not being used.
--Tim May
There's something wrong when I'm a felon under an increasing number of laws.
Only one response to the key grabbers is warranted: "Death to Tyrants!"
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^1398269     | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

I agree that there has been a certain stagnation, but I think things are going up again -- despite the recent attack.
There are three reliable nym servers in operation (nym.alias.net, weasel.owl.de, and redneck), and I understand that people are working on an improved system. There are at least three mail2news gateways, and Mixmaster remailers in at least four different countries (6 in the US, two in Germany, one each in the Netherlands, Canada and the UK, and two at unknown locations). Four of these have started operation last month -- hopefully others will follow. Not to forget Geoff Keating's remailer applet, and a new web page with remailer statistics and reliability information that will be announced soon.
Mixmaster 2.0.4, which is in beta test at four remailers, has the option to forward messages to a randomly selected remailer if used as the last hop (as Kent describes it, but it is known in advance whether a remailer will deliver a message directly, to avoid mail being bounced around infinitely.) Version 2.0.4 will be released soon; see http://www.thur.de/ulf/mix/ for information about the current beta.
Cypherpunk remailers have been in operation for five years now. The remailer network has survived attacks by the Church of Scientology and by others. The recent incidents are annoying, but there is no reason for despair because of a bunch of bozos. As our friend Paul Strassman put it:
"Conclusion: Anonymous re-mailers are here to stay. Like in the case of many virulent diseases, there is very little a free society can do to prohibit travel or exposure to sources of infection."
Tim May wrote:
> At 7:40 AM -0700 7/2/97, Kent Crispin wrote:
> > This probably has been suggested 20 years ago, but wouldn't Jeff's problem have been solved if the following slight modification were made to the algorithm: If you are the last remailer in a chain, then with probability p you pick another randomly chosen remailer to send through. If p is 1 end user mail would never come from you; if p is 0.5 then half the time you send the mail on one more step. The end user, then, can never be sure of which remailer will ultimately deliver the message. ...
> This general sort of thing has been discussed...though not 20 years ago! :-0
> I don't know about this particular mathematical algorithm, but things generally like it.
> Long before a remailer shuts down, he should certainly adopt a strategy like this. Sending "his" traffic through randomly selected other remailers is certainly an option. (Any remailer can at any point insert additional hops, or even chains of hops, merely by addressing them correctly. Of course, the "original" (which may not be the real original, of course, as other remailers may have done the same thing) needs to "get back on track," else the decryptions won't work. But this is all a simple problem.
> I don't know what gets discussed on the "remailer operators list," not being on it, but it sure seems to me that remailers have stagnated, and that some of the robust methods of reducing attacks on any particular remailer are not being used.
> --Tim May
> There's something wrong when I'm a felon under an increasing number of laws.
> Only one response to the key grabbers is warranted: "Death to Tyrants!"
> ---------:---------:---------:---------:---------:---------:---------:----
> Timothy C. May              | Crypto Anarchy: encryption, digital money,
> tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
> W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
> Higher Power: 2^1398269     | black markets, collapse of governments.
> "National borders aren't even speed bumps on the information superhighway."

On Wed, Jul 02, 1997 at 09:00:04AM -0700, Tim May wrote:
> At 7:40 AM -0700 7/2/97, Kent Crispin wrote:
> > This probably has been suggested 20 years ago, but wouldn't Jeff's problem have been solved if the following slight modification were made to the algorithm: If you are the last remailer in a chain, then with probability p you pick another randomly chosen remailer to send through. If p is 1 end user mail would never come from you; if p is 0.5 then half the time you send the mail on one more step. The end user, then, can never be sure of which remailer will ultimately deliver the message. ...
> This general sort of thing has been discussed...though not 20 years ago! :-0
Just teasing.
> I don't know about this particular mathematical algorithm, but things generally like it.
> Long before a remailer shuts down, he should certainly adopt a strategy like this. Sending "his" traffic through randomly selected other remailers is certainly an option. (Any remailer can at any point insert additional hops, or even chains of hops, merely by addressing them correctly. Of course, the "original" (which may not be the real original, of course, as other remailers may have done the same thing) needs to "get back on track," else the decryptions won't work. But this is all a simple problem.
I don't think it is so simple. It is, as you say, easy to add interior hops, but they don't do the remailers any good -- they add cover for the end user only. It is the "exterior edge" remailers that are at risk, and such a remailer has no easy way of knowing if it was selected at random, or was chosen as a specific target. At least, I can't think of an easy way. A particular remailer may have cohorts it trusts to be sources of random selection, but remailer trust is a flimsy foundation.
> I don't know what gets discussed on the "remailer operators list," not being on it, but it sure seems to me that remailers have stagnated, and that some of the robust methods of reducing attacks on any particular remailer are not being used.
It's a problem with any infrastructure, though -- once it is in place, change becomes hard.
The next generation remailer infrastructure should support a great many remailers, and it should be impossible to target any single remailer. The infrastructure as a whole should be resistant to attack. This seems to imply 1) that remailers be small, cheap, easy to install and run, 2) mail volume through any particular remailer should be small, 3) the infrastructure should support transient remailers -- I guess that is just a particular of a general robustness requirement; 4) the infrastructure should support volume restrictions from source addresses -- for example, allow only 1 message per day from a particular address.
Also, the "routing algorithm" should involve two stages -- the first stage should be for the benefit of and controlled by the end user, to bury the message in the network so that it can't be traced (unless a secure retrace path is built in to the message). The second stage is for the benefit of the remailers, and controlled by them. During the first stage the message is masked, and the destination address is unavailable, during the second stage the message is unmasked, and the destination address and message (probably) are clear, and the remailer network is trying to decide which remailer to make the final delivery. (When I say "unmasked" I mean only at the remailer node -- not in transit -- the message is *always* encrypted in transit.)
--
Kent Crispin                            "No reason to get excited",
kent@songbird.com                       the thief he kindly spoke...
PGP fingerprint: B1 8B 72 ED 55 21 5E 44 61 F4 58 0F 72 10 65 55
http://songbird.com/kent/pgp_key.html