Re: Detweiler abuse again
-----BEGIN PGP SIGNED MESSAGE----- hughes@ah.com (Eric Hughes):
The automatic broadcast property of Usenet is profoundly broken for the long run, since there is no upper bound on the amount of resources required. More immediately, this property also requires a 100%
One can only reach the conclusion that Usenet is broken if one assumes that the remailers _aren't_. The automatic broadcast property if Usenet is not a problem if you can always determine the source of a message. This isn't an argument against anonymity, but just saying it's a little backwards to say that Usenet has to be redesigned because it doesn't work with the remailers. Why not use technology to solve a technological problem? The difficulty here is that it is impossible for any one remailer operator to prevent someone, say LD, from using the remailer system. The best he can do is stop LD from using his site as an entry point. So why not introduce a little cooperation among operators? This can be accomplished without collusion of the sort that would break anonymity. Pretty much all the remailer operators are 'punks, right? If a critical mass of operators get together and agree to block a standardized set of sources and destinations, then that group of operators will have enough pull to force the other operators to toe the line. The trick is to block messages from remailer _operators_ who refuse to agree to behave as part of the community, effectively isolating the wildcats. An isolated remailer is useless. Should be easy enough to work out -- a posted alert PGP signed by any two remailer operators is immediately implemented, no questions asked. Remailer scripts should include blocking by source, destination, or _content_, as in posts on a certain subject to a certain newsgroup. This would allow blocking of a nutcase using encrypted hops to post to Usenet without having to collude and blow his anonymity. Just say "Sorry, due to abuse of the remailers, we're not going to forward messages about the creatures from Uranus using microwave mind-control any more". This is a complicated idea in a general case, but scanning for subject lines, for instance, could be implemented as easily as scanning for destinations. What we have now is a bunch of single remailers. It's a very small step to create a cooperative group of remailers, and it would provide avenues for solutions to a lot of the potential problems. This is not perfect, but it's better. tytso@ATHENA.MIT.EDU (Theodore Ts'o):
Lance is, unfortunately, pointing out some huge, gaping holes in the current architecture of the Cypherpunks remailers. It would be good if
LD is smart enough to know that you _chain_ remailers for anonymity. I think he wanted us to know it was him, and wanted to see whether or not Hal would blow his anonymity when it came down to it. -- Will -----BEGIN PGP SIGNATURE----- Version: 2.3 iQCVAgUBLWCOLPfv4TpIg2PxAQHOCgP9E2Q4R6ngHIeIv/IPePhcFqJgDaA8B4OO CDS0akeyVXZXMB5b5nCGY2Q0b52LcSHnzUlJ0N/o1COjVNLADNOlcF2k9BcBYUuC cqSWy1fJlx4lwd3P2kMgtk8v+pLHlVLJ4riopp2RXgLVfsesw8aJWOdSBf3bA7ft cBxNJhcI9t8= =BycG -----END PGP SIGNATURE-----
The trick is to block messages from remailer _operators_ who refuse to agree to behave as part of the community, effectively isolating the wildcats. An isolated remailer is useless.
But an community of isolated remailers could get larger than the cooperating set. And coercing wildcats is, well, like herding cats. Eric
But an community of isolated remailers could get larger than the cooperating set.
No problem -- just add them to the killfile. Sure, new `rogue' remailers could slip by, but so can any fool with a telnet 25. Participating remailers would have some assurance that they're not sending material from someone in the source killfile. Non- participators wouldn't, and could take the moral high-ground all they like.
Eric
Eli ebrandt@jarthur.claremont.edu
But an community of isolated remailers could get larger than the cooperating set.
No problem -- just add them to the killfile.
A set of remailers isolated from a restriction cooperative is a fully operative set of remailers. Adding them to the killfile doesn't prevent these remailers from directly posting and directly mailing. Eric
Eric Hughes wrote:
A set of remailers isolated from a restriction cooperative is a fully operative set of remailers. Adding them to the killfile doesn't prevent these remailers from directly posting and directly mailing.
Are there any killfiles for mail around? I mean like scripts for killing selected 'from's in Mail,Elm or, hopefully, Pine?
Are there any killfiles for mail around? I mean like scripts for killing selected 'from's in Mail,Elm or, hopefully, Pine?
There may be killfiles for certain mail readers, but I would prefer a solution which filters the mail before it gets to my mail reader. On Unix, such filters can be installed as pipes in the .forward file. One such filter is called procmail. I just started using procmail, and it's great. I'm now getting all my mailing lists in separate mailboxes; this separation improves both my regular mail and my mailing lists. Try it. ftp://ftp.informatik.rwth-aachen.de/pub/packages/procmail Eric
Procmail is one filtering package. You can also use 'filter' which comes as part of the elm package. Promail has a few more features, but is much more difficult to write rules for, IMHO. ____ Robert A. Hayden <=> hayden@krypton.mankato.msus.edu \ /__ -=-=-=-=- <=> -=-=-=-=- \/ / Finger for Geek Code Info <=> In the United States, they \/ Finger for PGP 2.3a Public Key <=> first came for us in Colorado... -=-=-=-=-=-=-=- (GEEK CODE 1.0.1) GAT d- -p+(---) c++(++++) l++ u++ e+/* m++(*)@ s-/++ n-(---) h+(*) f+ g+ w++ t++ r++ y+(*)
W. Kinney writes:
One can only reach the conclusion that Usenet is broken if one assumes that the remailers _aren't_. The automatic broadcast property if Usenet is not a problem if you can always determine the source of a message. This isn't an argument against anonymity, but just saying it's a little backwards to say that Usenet has to be redesigned because it doesn't work with the remailers.
It's broken in the larger sense that Eric mentioned: costs are not incurred by posters. This is not just a problem with remailers, but with the growing numbers of "Make.Money.Fast" and "Allah is Coming!" sorts of posts. Think about it.
Why not use technology to solve a technological problem? The difficulty here is that it is impossible for any one remailer operator to prevent someone, say LD, from using the remailer system. The best he can do is stop LD from using his site as an entry point. So why not introduce a little cooperation among operators? This can be accomplished without collusion of the sort that would break anonymity.
Well, this blocking is what Hal is doing, and he proposed that others do the same, so I don't get your "alternative."
Pretty much all the remailer operators are 'punks, right? If a critical mass of operators get together and agree to block a standardized set of sources and destinations, then that group of operators will have enough pull to force the other operators to toe the line. The trick is to block messages from remailer _operators_ who refuse to agree to behave as part of the community, effectively isolating the wildcats. An isolated remailer is useless.
Not this easy. To see this, imagine the following scenario: Alice chooses not to block Detweiler (for example). Bob, Charles, Dorothy, decide to block Detweiler. Alice receives a message from Detweiler, strips off the headers in the normal way, passes the *encrypted* body (remember that many remailers support PGP and that this is in fact the preferred mode, long term) to Bob, who has absolutely no idea the body message he sees (encrypted further....) is a message from Detweiler. Bob does the header stripping and remailing to Charles, and so on. Eventually, Zeke sends the message on to its final destination. Only at the last stage, in this example, does Zeke realize--if he bothers to look at the message body, presumably now in plaintext (but not necessarily)--that the message is a threat, a flame, a "Yahweh is Coming!" message, or whatever. Thus, so long as at least *one* remailer is not doing source screening, and that at least some encryption is used (not all nodes have to do it, obviously), then source-level screening will not work. Unless, of course, Alice, Bob, Charles, etc. all agree to "work backwards" to trace a sender. This dire situation, counter to everything we want in remailers, would then allow the rest of the remailers to add _Alice_ to their list of blocked sources. Because she didn't play ball and didn't block Detweiler. A slow process, and one that could also be thwarted by, say, Fred, who refuses "on principle" to keep logs, collude with the other remailers, etc. No, source-level blocking is a reasonable short term fix for the present challenge from Detweiler, but is not a long term solution. We can block Detweiler temporarily, because there are so few remailers, so little use of chained encryption, etc., but he and others will find alternatives.
What we have now is a bunch of single remailers. It's a very small step to create a cooperative group of remailers, and it would provide avenues for solutions to a lot of the potential problems. This is not perfect, but it's better.
I agree here that remailers may organize themselves into "cooperatives," groups which make common assumpions about what policies to follow. Thus, in my example, eventually Alice would be excluded from the group, for not blocking Detweiler in the first place. But it gets real messy real fast. Does Alice not accept encrypted messages from "unknown" sources? (For example, it would be possible for Detweiler to contract with Joe User to have him forward a single message, then have Sue Foo forward his next message, etc. In other words, source-blocking fails so long as a remailer accepts encrypted messages.) Very long term, when message costs are borne by the sender, this problem goes away. (Others remain, such as death threats, extortion, markets for murder, etc., but they're in a different category.) --Tim May -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power:2**859433 | Public Key: PGP and MailSafe available.
From: tcmay@netcom.com (Timothy C. May) Date: Tue, 15 Feb 1994 11:38:54 -0800 (PST) It's broken in the larger sense that Eric mentioned: costs are not incurred by posters. This is not just a problem with remailers, but with the growing numbers of "Make.Money.Fast" and "Allah is Coming!" sorts of posts. Think about it. I've heard this assertion made a large number of times --- that if the poster had to pay for the cost of a posting, that all of our problems would go away (or at least a lot of them would). I'm not convinced they would; perhaps it is time to start exploring this assumption. Digital postage solves the problem that it becomes expensive for someone to flood a mailing list or a newsgroup with 10,000 annoying messages. But all it does is disenfranchise the poor; the rich would still be able to make themselves a nuisance. How do you defend against someone like Detweiler if he has the resources of a Donald Trump, or a Bill Gates? Also, how much do you charge? For example, Detweiler's Blacknet posting only went to some 20-odd newsgroups, and yet it was able to do a lot of damage. If you charge $1 a message, then for a mere $20, he was able to cause a lot of damage and consternation on the net. If you start charging $10 a message or more, legitimate users will be hurt, since they will now have to pay this large amount of money. And in the long run, it still doesn't work, since Detweiler wasn't even being very efficient. For example, he could have sent a GIF image containing kiddy porn or bondage pictures to soc.women; then the sh*t would have really hit the fan. A single message can do quite a lot of damage. Digital postage alone does not solve the accountability problem. - Ted
Ted Ts'o writes:
I've heard this assertion made a large number of times --- that if the poster had to pay for the cost of a posting, that all of our problems would go away (or at least a lot of them would).
Some problems will be lessened, some will remain. Nothing is perfect, but digital postage is certainly a step in the right direction....it at least makes the process of posting and mailing less "free" than it currently is. (As to why remailing should _not_ be free, I'll not get into this political issue here. Suffice it to say that nothing is completely free--someone pays. Right now, the remailer operators are eating the costs.)
I'm not convinced they would; perhaps it is time to start exploring this assumption. Digital postage solves the problem that it becomes expensive for someone to flood a mailing list or a newsgroup with 10,000 annoying messages. But all it does is disenfranchise the poor; the rich would still be able to make themselves a nuisance. How do you defend against someone like Detweiler if he has the resources of a Donald Trump, or a Bill Gates?
A "problem" we can't solve. Placing a ad in a newspaper costs 10 bucks or so, for example. Does this "disenfranchise" the poor? Does the fact that Bill Gates could probably buy the nation's five largest papers mean that ads should be free? Paid for by whom? I can't pursue this topic any further here--it's too political for the list to have to bear.
Also, how much do you charge? For example, Detweiler's Blacknet posting only went to some 20-odd newsgroups, and yet it was able to do a lot of damage. If you charge $1 a message, then for a mere $20, he was able to cause a lot of damage and consternation on the net. If you start charging $10 a message or more, legitimate users will be hurt, since they will now have to pay this large amount of money. And in the long run, it still doesn't work, since Detweiler wasn't even being very efficient. For example, he could have sent a GIF image containing kiddy porn or bondage pictures to soc.women; then the sh*t would have really hit the fan. A single message can do quite a lot of damage.
Agreed, it doesn't solve all problems. And part of the problem lies in Usenet itself, as we have been discussing. The "broadcast" model, without any form of postage along the way, means that any message can in principle be sent to thousands of sites (though dial-in users are of couse not obligated to read these posts, and hence don't have to incur expenses). I fully agree that no single price for a "stamp" could wipe out the problem. Even setting the price at $100 would be insufficient for a determined disruptor to find the juiciest exmaple of child porn and then pay the $100 to have it remailed to a site or newsgroup which would almost certainly guarantee massive repercussions. This could be child porn, pet torture (recall the "Kitty in a Blender" posts on rec.pets a year or so back), detailed military secrets, personal dossiers on a leading government official, whatever.
Digital postage alone does not solve the accountability problem.
No one has claimed this. All that has been claimed is that it raises the costs of flooding a bit. A step in the right direction. Long range, Usenet will likely be restructured in some way so that users choose what they wish to receive. Actually, I think the "volume" arguements--that Detweiler consumed too much volume--are wrong-headed. His posts added infinitesimally to the hundreds of megabytes a day flowing throught the system. I looked at the newsgroups Hal mentioned that the BlackNet piece went out to, and the posts were lost in the noise. Granted, they were "off subject," but so are a lot of posts. I'm not minimizing the downsides, just pointing out that the angry reactions were more likely related to the subject material itself and the total irrelevance to the "diabetes" and "frg" groups than to the slight increase in volume the posts caused. --Tim May -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power:2**859433 | Public Key: PGP and MailSafe available.
From: tcmay@netcom.com (Timothy C. May) Date: Tue, 15 Feb 1994 13:25:11 -0800 (PST) And part of the problem lies in Usenet itself, as we have been discussing. The "broadcast" model, without any form of postage along the way, means that any message can in principle be sent to thousands of sites (though dial-in users are of couse not obligated to read these posts, and hence don't have to incur expenses). Long range, Usenet will likely be restructured in some way so that users choose what they wish to receive. OK, well, at least I understand how digital postage would work, technically. But it sounds like we all agree that it's not enough. If we assume that Usenet is "broken", how do we fix it? Considering how many users there are (which must be at least one or two orders of magnitude more than there are of the thousands of news sites), how do you efficiently get articles only to the users who want them, and no others. And heck, how do you even have the users *describe* which postings they want? In some ways, rec.pets.birds is a rough description of what they want, by common consensus. The problem is that there's no enforcement on it, so anyone can become Detweilered. And if you do have to send your filter out across the network, there are obvious privacy implications as well --- it's one of the reasons why Usenet's flooding algorithm is somewhat useful. Users at MIT can read alt.sex.bondage without needing to send their identity out on the global network (and we *DON'T* keep logs on our news server!). For this reason, ``your long range solution'' has a lot of very tough technical challenges hiding behind it!!! Instead of just hearing people say that "Usenet is broken", I'd love to hear about some suggestions about how to re-architect it, at a real technical level. "Cypherpunks write code" --- well, it sounds like there's a really big and interesting problem here. - Ted
C'punks, On Tue, 15 Feb 1994, Theodore Ts'o wrote:
I'm not convinced they would; perhaps it is time to start exploring this assumption. Digital postage solves the problem that it becomes expensive for someone to flood a mailing list or a newsgroup with 10,000 annoying messages. But all it does is disenfranchise the poor; the rich would still be able to make themselves a nuisance. How do you defend against someone like Detweiler if he has the resources of a Donald Trump, or a Bill Gates?
Ever notice how few mail bombs we get from Trump or Gates? Maybe the rich are rich because they've learned self-restraint. Bet you dollars to donuts that LD doesn't have a pot to pee in or a window to throw it out. S a n d y P.S. Oops! Broke my own pledge, sort of. Okay, I'll climb back on the wagon.
[Usenet] is broken in the larger sense that Eric mentioned: costs are not incurred by posters. This is not just a problem with remailers, but with the growing numbers of "Make.Money.Fast" and "Allah is Coming!" sorts of posts. Think about it.
Be carefull of what you wish for, we have plenty of systems where the costs for information are incured by the ones that produce and diseminate it. I for one will fight long and hard to insure that usenet stays free and does not sink into the same myopic sluge pit that corporate press wades through. It's very importaint that usenet be free for anyone to post. It's also becoming nessesary to have good noise filters on the readers end. brad
It's broken in the larger sense that Eric mentioned: costs are not incurred by posters. [...] Very long term, when message costs are borne by the sender, this problem goes away.
I really doubt the problem goes away. Message costs have some restrictive effect, but they are not a panacea. (They are a panacea for supporting remailer services, but that should be obvious.) Transmission costs are dropping so fast that it is conceivable that the cost of a broadcast of a three page message to everyone in the world will be less than a dollar. Mailbombing might be solved by message costs, and will be a deterrent, but mailbombing is such a blunt weapon. As I recently argued, the problem is not individual disrupters but salience in general. Usenet is broken because it transmits everything which is sent to it, without any sort of judgement as to the propriety of the message to the newsgroups to which it is posted. Paying for the message does not solve the problem of newbie questions, or flame wars (low bandwidth data, high bandwidth emotion; flames are extremely compressible), or digressions. Eric
Date: Tue, 15 Feb 94 12:59:55 -0800 From: hughes@ah.com (Eric Hughes) As I recently argued, the problem is not individual disrupters but salience in general. I agree; this is indeed the problem. And when we try to sell the moderation software to individual groups, it should be sold as solving the salience problem --- and that it solves the individual anonymous disrupter as only side effect. The way I'd design this service is that the newsgroup would be moderated, and so postings would be mailed to a central site. The moderation group would have to have internet access, and would connect to the central site using a client program. The client program would display the message to the moderator, and then the moderator would have a chance to give a "thumbs up", "thumbs down", "abstain", or "decide later" vote. The software on the central site would send out the message after the threshold number of moderators had approved the message, or would kill it after the threshold number of moderators had given it the thumbs down. Of course, with something like this you'd want to make sure authentication was done right --- which in this case, probably means using a password-based challenge-response authentication system. Note that this proposed solution does not solve a lot of problems. It does not solve the moderation selection problem. (The moderation group can not be left wide open; otherwise a Detweiler could approve his own postings.) It does not solve the "forge a faked approved: header" attack. Yet for the problems it does solve, it would probably be a good thing. - Ted P.S. Wow, a productive, constructive, relatively flame-free discussion on cypherpunks! I was beginning to think it wasn't really possible. :-)
I wish to note at the outset that Ted and I seem to agree on the basic principles: 1. Use the ability to moderate newsgroups a. to restrict posting b. to get tendered articles to the moderators 2. Use multiple moderators and some weighting algorithm
And when we try to sell the moderation software to individual groups, it should be sold as solving the salience problem
I don't think it's necessary to sell it to existing groups. Create an alt group, set up the code, and see if people use it. How about alt.talk.crypto? Surely any measure of moderation would be an improvement over talk.politics.crypto. If the alt group is successful, the software can be moved over to talk.politics.crypto. To summarize the specifics of Ted's proposal: 1. mail to a central site is accessed by internet client 2. moderators vote +/-/0/not now 3. threshold weighting + and - 4. selection of moderators left open 5. security of approved header left open I had thought of using email to distribute articles to the moderator, but one might just as easily use NNTP. The modified newsreader could be pointed at the restricted-to-moderators NNTP site. NNTP might not even need extension, if the existing authentication procedures can be hacked to work. Votes/ratings can be in the form of articles posted to a .votes or .ratings group. The rating method and the particular algorithm for weighting will take some experimentation. I proposed the "one yes vote" system because it is enormously simply to implement and because that's the way the current system works: each person votes yes to approve their own post. Since not everyone will be a moderator, this method already gets rid of most newbie questions. If a disruptive moderator gets on board, their name would be attached to the post. If it gets bad enough, the bad moderator can be removed. This removal can happen by popular demand or by the person or organization which owns the central site for the moderator address. Unlike usenet, which has no specific point of control, the central site would have final say. Later protocols could be developed to get rid of the hazards of single central sites. This central site is only for each newsgroup, though, not the whole system. I wouldn't worry about forged Approved: headers right now. That bit of usenet will take major public key surgery to fix. I don't think it will happen until the RSA patents expire. Eric
Date: Tue, 15 Feb 94 17:11:34 -0800 From: hughes@ah.com (Eric Hughes) To summarize the specifics of Ted's proposal: 1. mail to a central site is accessed by internet client 2. moderators vote +/-/0/not now 3. threshold weighting + and - 4. selection of moderators left open 5. security of approved header left open I had thought of using email to distribute articles to the moderator, but one might just as easily use NNTP. The modified newsreader could be pointed at the restricted-to-moderators NNTP site. NNTP might not even need extension, if the existing authentication procedures can be hacked to work. Votes/ratings can be in the form of articles posted to a .votes or .ratings group. I wouldn't do it that way. There's too much overhead involved in talking to the .votes or .ratings group. I'd instead extend the NNTP protocol with a "XVOTE" command, which can take the arguments "yes" or "no"; this way, the server code is much simpler. The client code won't be that bad --- it would be pretty easy to modify gnus to do the right thing. It will be important to have real authentication to that central site, though; password stealing is all too common these days. Later protocols could be developed to get rid of the hazards of single central sites. This central site is only for each newsgroup, though, not the whole system. I wouldn't worry about the "hazards of the single central server" for quite a while, precisely because it is only for each newsgroup. I'd imagine that the number of people that would be moderating a newsgroup would be relatively small. I wouldn't worry about forged Approved: headers right now. That bit of usenet will take major public key surgery to fix. I don't think it will happen until the RSA patents expire. Actually, it might not be that hard to fix. Consider an additional header line which contains the signature of selected header fields (say, the message-id, the date, the from field, and the subject). I doubt that a news systems would ever verify the signature while they are accepting mail --- that would slow down the news throughput unacceptablely throughout the system --- but one can imagine an "auto-cancellation" system installed on a few key sites that would send out cancel message for any article a "new moderated group" that didn't have a valid signature on it. That way, you don't even need to get the signature validation software running on all sites; indeed, most sites wouldn't need to upgrade their software at all, which is a major point. One problem that hasn't been addressed is the social one: how do people choose moderators? The only method we currently have involves conducting a Usenet vote, which tends to be a long and cumbersome process. Any other one, unfortunately, tends to bring up cries of "Usenet cabal" very quickly. The one exception is the "anyone can be a moderator"; but that will only stop the newbie poster --- it won't stop a determined attacker. - Ted
One problem that hasn't been addressed is the social one: how do people choose moderators?
I'm not convinced this needs to be decided up front. For the first such group, whoever hosts the ratings site can decide who gets to moderate. A benign autocrat is ideal in this case. The lessons of experience will be needed to decide how to do the second and subsequent groups. One of the reasons I outlined a broad framework for distributed moderation is that we really can't tell in advance what systems will be desirable, and whatever it is, it will likely vary from group to group. We will eventually need to figure out a way to have multiple groups with the same topic but with different moderation techniques. Fractious bickering will cause schisms, and creating namespace turf to fight over is counterproductive when there need not be such a problem. This is one of the reasons I suggested using a separate newsgroup for rating/voting, to support multiple moderation groups. On voting for a moderator:
Any other one, unfortunately, tends to bring up cries of "Usenet cabal" very quickly.
I say fine, let them cry. It would be impolitic to take over and monopolize a particular topic, so that if there are complaints about the moderated group, there's always another place to go. This is another reason to think about how to do multiple moderation, which is to say to the whiners "put up or shut up". Eric
"W. Kinney" <kinney@bogart.Colorado.EDU> writes:
-----BEGIN PGP SIGNED MESSAGE-----
One can only reach the conclusion that Usenet is broken if one assumes that the remailers _aren't_. The automatic broadcast property if Usenet is not a problem if you can always determine the source of a message. This isn't an argument against anonymity, but just saying it's a little backwards to say that Usenet has to be redesigned because it doesn't work with the remailers.
The real problem is the same sort of problem that one has to face in all public spaces. If an individual is allowed to speak, they may be abusive. If they are not allowed to speak, the state is being abusive. Usenet is a public space. Sure, people have attempted to moderate parts of it, but all they've really done is split off from the public space to form private spaces which have restrictive policies on content.
Why not use technology to solve a technological problem? The difficulty here is that it is impossible for any one remailer operator to prevent someone, say LD, from using the remailer system. The best he can do is stop LD from using his site as an entry point. So why not introduce a little cooperation among operators? This can be accomplished without collusion of the sort that would break anonymity.
Co-operation amongst remailer operators won't solve this problem either. If any one site lets Larry use a remailer, then he's free to abuse the system. Like open terminal servers, a few may survive the purge, but the abuses tend to consolidate the opinion of the many against the idea of the service.
Pretty much all the remailer operators are 'punks, right? If a critical mass of operators get together and agree to block a standardized set of sources and destinations, then that group of operators will have enough pull to force the other operators to toe the line. The trick is to block messages from remailer _operators_ who refuse to agree to behave as part of the community, effectively isolating the wildcats. An isolated remailer is useless.
First of all, I'd like to see remailer servers running on a well-known port. That way, anyone could stick up a remailer, provided they had access to a C compiler. There would be no cabal of remailer operators, because everyone would have the possiblity of being a remailer. Also, an isolated remailer isn't useless. It doesn't provide perfect anonymity, especially since it may be doing logging. But, remember, when the entire chain is as strong as it's strongest link, the chain doesn't necessarily need to be more than one link long.
Should be easy enough to work out -- a posted alert PGP signed by any two remailer operators is immediately implemented, no questions asked. Remailer scripts should include blocking by source, destination, or _content_, as in posts on a certain subject to a certain newsgroup. This would allow blocking of a nutcase using encrypted hops to post to Usenet without having to collude and blow his anonymity. Just say "Sorry, due to abuse of the remailers, we're not going to forward messages about the creatures from Uranus using microwave mind-control any more". This is a complicated idea in a general case, but scanning for subject lines, for instance, could be implemented as easily as scanning for destinations.
So then you end up with a situation where the potential abusers are writing subject lines which don't match the contents. In general, you're going to have a hard time trying to prevent certain subjects from getting out, especially if you plan on automating this function.
What we have now is a bunch of single remailers. It's a very small step to create a cooperative group of remailers, and it would provide avenues for solutions to a lot of the potential problems. This is not perfect, but it's better.
Actually, I don't believe that it's better. I think that the base functionality of remailers should be standardized, so that they can all interoperate, but I don't think that forcing the operators into a cabal is at all helpfull.
tytso@ATHENA.MIT.EDU (Theodore Ts'o):
Lance is, unfortunately, pointing out some huge, gaping holes in the current architecture of the Cypherpunks remailers. It would be good if
LD is smart enough to know that you _chain_ remailers for anonymity. I think he wanted us to know it was him, and wanted to see whether or not Hal would blow his anonymity when it came down to it.
I think you're right. He wanted to know if Hal could be trusted to not give in when the "abuse" became unbearable. Hal, apparently, couldn't. I understand that Hal has to do what he feels is right. However, if all remailer operators are going to cave when faced with an "abuser" who they don't agree with, then there will be no anonymity for anyone. What ever happened to "I hate what you say, but I will fight to the death for your right to say it?" How long will it be before we get to the point where certain "contents" are considered off-limits? Everyone needs to be able to run a remailer. How else will you be able to trust the remailer operator? Jon Boone | PSC Networking | boone@psc.edu | (412) 268-6959 | PGP Key # B75699 PGP Public Key fingerprint = 23 59 EC 91 47 A6 E3 92 9E A8 96 6A D9 27 C9 6C
Usenet is a public space. Sure, people have attempted to moderate parts of it, but all they've really done is split off from the public space to form private spaces which have restrictive policies on content.
Any forum which captures the desirable qualities of a public space will therefore have to restrict content in some way. The trick is not to restrict content too much, and to make sure the restrictions cut broadly across opinion boundaries.
First of all, I'd like to see remailer servers running on a well-known port. That way, anyone could stick up a remailer, provided they had access to a C compiler.
The problem with a well known port is that it restricts remailers to one per machine. Then in fact only one person per machine could set up a remailer. This does make a difference, because the sysadmin is not the only one technically able to monitor the remailer; its operator is also able. A pseudonymous service, like a pseudonymous person, should not need to be linked to any particular machine except during an actual transaction. If I have a pseudonym, I can post from anywhere and my identity is communicated by a signature. Likewise should a pseudonymous service be able to hop from machine to machine. The techniques of location-independent computing, developed for radio links, can be applied here. What we need is a name service which has public keys as identities and which can map virtual and pseudonymous services to various combinations of IP address, port number, and protocols. In the decentralized spirit, this name service should not have a root. Someone Saturday mentioned that there was a paper from some Plan 9 folk about rootlessness; pointers will be welcome. Eric
hughes@ah.com (Eric Hughes) writes:
Any forum which captures the desirable qualities of a public space will therefore have to restrict content in some way. The trick is not to restrict content too much, and to make sure the restrictions cut broadly across opinion boundaries.
Agreed.
First of all, I'd like to see remailer servers running on a well-known port. That way, anyone could stick up a remailer, provided they had access to a C compiler.
The problem with a well known port is that it restricts remailers to one per machine. Then in fact only one person per machine could set up a remailer. This does make a difference, because the sysadmin is not the only one technically able to monitor the remailer; its operator is also able.
Yes, that is a problem.
A pseudonymous service, like a pseudonymous person, should not need to be linked to any particular machine except during an actual transaction. If I have a pseudonym, I can post from anywhere and my identity is communicated by a signature. Likewise should a pseudonymous service be able to hop from machine to machine.
The techniques of location-independent computing, developed for radio links, can be applied here.
What we need is a name service which has public keys as identities and which can map virtual and pseudonymous services to various combinations of IP address, port number, and protocols. In the decentralized spirit, this name service should not have a root. Someone Saturday mentioned that there was a paper from some Plan 9 folk about rootlessness; pointers will be welcome.
Actually, the Mobile IP working group of the IETF is busy defining a system of proxy agents which will accept packets for mobile machines and then forward them on to the proper destination. Something like this would be useful for anonymous remailers. Imagine a scheme whereby a "core" of these agents were available on well known ports of established machines. When you start up your remailer, it registers with the core agents and does it delivery. It can then move to another machine. A lack of a "keepalive" packet every n seconds would indicate that the remailer had gone down and it would be purged from the records. Jon Boone | PSC Networking | boone@psc.edu | (412) 268-6959 | PGP Key # B75699 PGP Public Key fingerprint = 23 59 EC 91 47 A6 E3 92 9E A8 96 6A D9 27 C9 6C
Summary: Use (anonymous) certificates to fix Usenet, and mailing lists. I think this message is interesting to the readers of cypherpunks because it describes the a decentralized, crypto supported, solution to the problems of e-speach in e-public places. If a message is found on a usenet group, a mailing list, or any other 'e-public' space for that matter, one is tempted to assume that its content is apropriate for the space, and interesting. But who certified that? On moderated lists, the moderator(s) did, and things usualy go a little more smoothly. On unmoderated lists, only the author. Were there a way to attach signed judgements to posted articles (as articles naturally), you could program your mail reader to skip articles which aren't judged highly enough by your favorite judges. Then, the flames would die away -- few people would judge them interesting enough. The incentive for the reader is to improve their judgment of judges, and so spend more time reading good stuff (neural net learning anyone?). The incentive for the judges is to earn 'reps' or money (how to sell judgements?). The incentive for the poster is to be heard (improving their 'rep'), and so if no (important, in the poster's opinion) judges like their stuff, they will feel an incentive to improve their posts. Naturally the anarchist in me feels that any person shoud be able to act as reader, poster, or judge at any time. What Usenet, this, and other lists lack are digital reputations. I belive it is a 'real world' problem which is aproaching the size of the 'private email' problem. I am going to abandon the private IP stuff for a little while, and see if I can hack up a pseudonymous certificate system ala Chaum from the bones of magic money. j' -- O I am Jay Prime Positive jpp@markv.com 1250 bit fingerprint B06229 = B8 95 E0 AF 9A A2 CD A5 89 C9 F0 FE B4 3A 2C 3F 524 bit fingerprint 2A915D = 8A 7C B9 F2 D5 46 4D ED 66 23 F1 71 DE FF 51 48 Public keys via `finger jpp@markv.com', or via email to pgp-public-keys@io.com Your feedback is welcome directly or via my symbol JPP on hex@sea.east.sun.com Resist the Clipper Chip, write "I oppose Clipper" to Clipper.petition@cpsr.org
participants (11)
-
Brad Huntting -
Eli Brandt -
hughes@ah.com -
Jon 'Iain' Boone -
jpp@markv.com -
Mats Bergstrom -
Robert A. Hayden -
Sandy Sandfort -
tcmay@netcom.com -
tytso@ATHENA.MIT.EDU -
W. Kinney