Cypherdudes, Hal noted:

As Tim says, it is no secret on this list that the remailers are not presently secure. I posted a long message a few months ago outlining possible attacks on the remailers. It's worth noting that Karl Barrus' remailer does batch up messages and send them out once a day. If enough people use it that will help mix them up. There is still the message size to match them up, though (and, believe it or not, the Subject:line!).

The traffic volume problem should be solved by having a source of random messages which traverse the network, mixing in with user messages. This will help, but you still have the problem that only user messages will leave the network.

The most bogus problem of the remailer system is lack of traffic. I mean how many messages go thru a given remailer a day? 1? 10? 100? This makes it pitifully easy to track messages. Padding them to the same size helps but if you have to track ten messages around (even though the problem becomes more egregious at each site) so what. Queing is a drag if you have to wait a day to get enough mail to send out. If I wanted it to take that long I'd send it snail mail. More traffic = shorter que time needed to make things a bummer for trackers. Random traversing messages are a reasonable temporary solution but Remailer publicity (thus, more traffic) is an important part of getting better anonymity going. Tell your friends, send all your punk postings thru at least one remailer (that will put some traffic through them!). This method is a passive one, how can we subvert the system now in place to make traffic more invisible?

The biggest problem is that many remailers are on unsecure systems. The PGP keys and passwords for these remailers are on the disk IN THE CLEAR. Anyone who can get privileges on these systems (many hackers, these days, not to mention the NSA) can get the remailer's keys and decrypt any messages sent to those remailers. Karl's monthly posting shows which remailers are on private machines; those are the only ones which have any hope of being secure against the NSA.

If you believe this you've already seceded the battle to the NSA. Formidable opponents != Defeat. Great respect for NSA ability is neccesary but independent minds (especially working together) can exhibit Davidian qualities. Exactly, how is tracking done? I've heard the general issues of file size and physical compromise but what programs and access codes are needed to obtain such info? How does one access SMTP mail channels, sendmail ques and mail logs? How can we subvert their attempts? Can we use the known router algorithms and network bookkeeping methods at hop sites to disguise where messages are traveling? I guess what I'm saying is can we use the complexities of the system itself, rather than our own system alone to make traffic analysis a drag. We know the weakness of our system, what are the weaknesses of the analyzers systems. What are the possibilities for an analyzers systems, how do we attack them? I'll start by looking at various RFC's but a little offense rather than defense can only make us more aware. Even if it doesn't seem possible for goliath to lose. I think today I'll be: Stranger