At 05:06 PM 5/27/96 EDT, E. Allen Smith wrote:

Why, precisely, do you think that remailers don't do much good where the operator isn't root? The possibility of the sysop looking at the mail & getting the private key, the increased susceptibility to cracking of non-root accounts, possible sysop non-cooperation in an honest manner (as opposed to the first one), or what?

I think it's more difficult to covertly monitor communications through a remailer if the remailer operator isn't root; this is also the case if the primary MX record doesn't point directly to a machine under the operator's control. I think it'd be possible for a hostile party to monitor/intercept communications through any remailer; but it's more likely to cause an unexplained disruption or outage where the hostile party has less access to the target machine/network, and the operator (who we assume is trusted) has more access. I also think that where root is not the remailer operator, root is a lot less likely to say "fuck off you evil TLA I won't help you monitor remailer traffic." My hunch is that many/most remailer operators would shut down a remailer instead of letting a TLA monitor traffic, and/or would refuse to take clear steps to publically reestablish the integrity of a remailer if its confidentiality was in question. My hunch is that many/most "professional" sysadmins would let a TLA monitor traffic if a user was running a remailer, and wouldn't do anything to let either the user/operator or the clients of the remailer know anything was amiss. Look at the way that the WELL and Netcom and AOL (I'm probably missing some examples here) have been willing to let amateur and professional spooks & cops wander around their systems reading mail and looking in home directories while chasing "bad guys". How many ISP's are going to say "come back with a warrant" if cops show up with badges & guns, saying "User X is running a remailer which sends kiddie porn/drug sales transaction info/whatever"? I bet very, very few. (And no, the ECPA won't be much help, see _Steve Jackson Games_ re "what does intercept mean?") Obviously I'm talking about "more" and "fewer" and hunches, not a mathematical proof. This is really just another web-of-trust; I may trust X to run a remailer (and not log traffic or disclose it to outsiders), but I probably don't trust X to pick a service provider who will not be susceptible to "the Briefing" and who won't hire anyone as a sysadmin who isn't bribable or coercible. My intention is not to slam remailer operators who aren't root, just to point out that the level of protection we should expect from those remailers is relatively small. Ditto for remailers operated by unknown nyms who don't have well-known people willing to vouch for their integrity. Truly, no offense is intended. If I have some idea who the remailer operator is, and they are root, I feel like I learn something if the operator says "My system doesn't log traffic." If the operator isn't in a position to know (because they're not root) or if I don't have a reason to trust them, I assume the remailer is logging traffic. And a remailer that logs traffic may be more dangerous than no remailer at all, because the amount of security provided is illusory. -- Greg Broiles |"Post-rotational nystagmus was the subject of gbroiles@netbox.com |an in-court demonstration by the People http://www.io.com/~gbroiles |wherein Sgt Page was spun around by Sgt |Studdard." People v. Quinn 580 NYS2d 818,825.