On Fri, Dec 21, 2001 at 01:21:27PM -0800, Len Sassaman wrote: | | In conclusion, I leave you with a question: if remailer users are reduced | to a small number of high-paying remailer customers for whom anonymity is | not a game, but a matter of life or death, could a mix-net be made to | provide any sufficient degree of security? "No" is the easy answer. Say | yes, and prove it. No. If your anonymity set is small, then using the system calls attention to you, and your adversary can simply attack all the users with physical layer attacks (bugged keyboards, video cameras in ceilings, tempest, etc.). Further, if the user set is small you're probably more concerned with unobservability than with unlinkability or untracability. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume
On Saturday, December 22, 2001, at 11:29 AM, Adam Shostack wrote:
On Fri, Dec 21, 2001 at 01:21:27PM -0800, Len Sassaman wrote: | | In conclusion, I leave you with a question: if remailer users are reduced | to a small number of high-paying remailer customers for whom anonymity is | not a game, but a matter of life or death, could a mix-net be made to | provide any sufficient degree of security? "No" is the easy answer. Say | yes, and prove it.
No. If your anonymity set is small, then using the system calls attention to you, and your adversary can simply attack all the users with physical layer attacks (bugged keyboards, video cameras in ceilings, tempest, etc.). Further, if the user set is small you're probably more concerned with unobservability than with unlinkability or untracability.
Likewise, if only a small number of people are using Swiss banks, or Yap stone wheels, or nearly any other particular financial instrument then the anonymity set is too small. It's not too hard to know who is spending that Yap stone wheel. I say "nearly" because gold, say, has some nice physical properties which things like currency notes, bank accounts, diamonds, etc. don't have: gold can be melted and all traces of origin lost, save for some expensive tinkering with isotopic ratios, maybe. Note that I am not advocating gold, and especially not E-Gold, just noting facts.) A lot of the complaints we see about cryptographic implementations of things are also echoed in the real world. It's unreasonable to expect crypto to solve all problems. To emphasize this point: When we hear about limitations on the privacy of remailers or digital cash implementations, we should think about comparable situations with ordinary mail, ordinary currency, etc. A lot of systems seemingly fail! The fact that we continue to use them, because they are embedded in a larger system (of reputations, ontological speed bumps, etc.) tells us that crypto is only a part of the overall picture. Too many crypto folks find flaws and declare the whole approach dead. On Len's earlier point, DC Nets are the answer. The 1992 design for "envelopes within envelopes remailers" is just the 1981 Chaumian untraceable e-mail. He knew even then that it was subject to the types of attacks described above. Hence the DC Net. A huge amount of stuff is available on DC Nets, on the Web, in the CP archives, in the literature (Crypto and Eurocrypt Proceedings, esp. by Chaum, Pfitzmann, etc.). Even with DC Nets, the concern is immediately one of "collusion sets" (or "compromised sets," if the FBI/FinCEN/NSA have instrumented nodes). By the way, the attack that Adam describes, of the attacker placing video cameras and monitoring devices, is not inexpensive. For example, I doubt that Swiss banks in Geneva and Zurich have been compromised in this way...though I expect that wire transfers into and out of such banks are observed and recorded. (One of the early remailers was located in a vault formerly used for an accelerator near Amsterdam. Pretty hard for FinCEN or NSA to get cameras in there. Ditto for some of the vaults in the U.K. being used for colo. Ditto for HavenCo (though I am not necessarily endorsing the use of platforms in the North Sea),) I think the continued existence of private banking systems for high net worth individuals shows that even relatively small sets of interacting parties can achieve privacy. This may not be doable with remailers which are operated by, for example, 22-year-old grad students who have spent a couple of hours setting up a remailer on their 600 MHz Celeron box, or even by computer professionals like Len willing to spend more time and effort, but it looks doable. Paid remailers are just as necessary for the longterm health of the remailer business as paid banks were and are for the banking business. "Swiss bank in a box" may look like a neat little bit of code to play with in the latest Debian code release, but it ain't really a Swiss bank. And folks saying Swiss banks can't provide privacy because "Swiss bank in a box" doesn't really work very well.... --Tim May "Stupidity is not a sin, the victim can't help being stupid. But stupidity is the only universal crime; the sentence is death, there is no appeal, and execution is carried out automatically and without pity." --Robert A. Heinlein
On Sat, 22 Dec 2001, Tim May wrote:
--Tim May "Stupidity is not a sin, the victim can't help being stupid. But stupidity is the only universal crime; the sentence is death, there is no appeal, and execution is carried out automatically and without pity." --Robert A. Heinlein
Even the 'smartest' die. So in some sense they must be 'stupid' too... -- ____________________________________________________________________ Day by day the Penguins are making me lose my mind. Bumper Sticker The Armadillo Group ,::////;::-. James Choate Austin, Tx /:'///// ``::>/|/ ravage@ssz.com www.ssz.com .', |||| `/( e\ 512-451-7087 -====~~mm-'`-```-mm --'- --------------------------------------------------------------------
On Sat, Dec 22, 2001 at 01:12:02PM -0800, Tim May wrote: | On Saturday, December 22, 2001, at 11:29 AM, Adam Shostack wrote: | | > On Fri, Dec 21, 2001 at 01:21:27PM -0800, Len Sassaman wrote: | > | | > | In conclusion, I leave you with a question: if remailer users are | > reduced | > | to a small number of high-paying remailer customers for whom | > anonymity is | > | not a game, but a matter of life or death, could a mix-net be made to | > | provide any sufficient degree of security? "No" is the easy answer. | > Say | > | yes, and prove it. | > | > No. If your anonymity set is small, then using the system calls | > attention to you, and your adversary can simply attack all the users | > with physical layer attacks (bugged keyboards, video cameras in | > ceilings, tempest, etc.). Further, if the user set is small you're | > probably more concerned with unobservability than with unlinkability | > or untracability. | | | Likewise, if only a small number of people are using Swiss banks, or Yap | stone wheels, or nearly any other particular financial instrument then | the anonymity set is too small. It's not too hard to know who is | spending that Yap stone wheel. Yes, but I found it suprising to realize that the number of people who need to use a Swiss bank for it to be private is much smaller than the number who use a remailer. (In addition, Swiss banks have natural cover traffic provided by the ever-efficient local Swiss.) Survielling a bank is more expensive than a remailer, and a bank will not tend to have an 'upstream ISP' where all patrons of the bank, wearing tags, can be identified. | I say "nearly" because gold, say, has some nice physical properties | which things like currency notes, bank accounts, diamonds, etc. don't | have: gold can be melted and all traces of origin lost, save for some | expensive tinkering with isotopic ratios, maybe. Note that I am not | advocating gold, and especially not E-Gold, just noting facts.) | | A lot of the complaints we see about cryptographic implementations of | things are also echoed in the real world. It's unreasonable to expect | crypto to solve all problems. To emphasize this point: When we hear | about limitations on the privacy of remailers or digital cash | implementations, we should think about comparable situations with | ordinary mail, ordinary currency, etc. A lot of systems seemingly fail! | The fact that we continue to use them, because they are embedded in a | larger system (of reputations, ontological speed bumps, etc.) tells us | that crypto is only a part of the overall picture. Too many crypto folks | find flaws and declare the whole approach dead. This is absolutely correct, and Ryan's points about latency mattering a great deal to users are also bang-on. | On Len's earlier point, DC Nets are the answer. The 1992 design for | "envelopes within envelopes remailers" is just the 1981 Chaumian | untraceable e-mail. He knew even then that it was subject to the types | of attacks described above. Hence the DC Net. A huge amount of stuff is | available on DC Nets, on the Web, in the CP archives, in the literature | (Crypto and Eurocrypt Proceedings, esp. by Chaum, Pfitzmann, etc.). | | Even with DC Nets, the concern is immediately one of "collusion sets" | (or "compromised sets," if the FBI/FinCEN/NSA have instrumented nodes). | | By the way, the attack that Adam describes, of the attacker placing | video cameras and monitoring devices, is not inexpensive. For example, I | doubt that Swiss banks in Geneva and Zurich have been compromised in | this way...though I expect that wire transfers into and out of such | banks are observed and recorded. Probably; but if the end points are both expensive to trace, watching those transfers may not buy you a lot. | I think the continued existence of private banking systems for high net | worth individuals shows that even relatively small sets of interacting | parties can achieve privacy. This may not be doable with remailers which | are operated by, for example, 22-year-old grad students who have spent a | couple of hours setting up a remailer on their 600 MHz Celeron box, or | even by computer professionals like Len willing to spend more time and | effort, but it looks doable. | | Paid remailers are just as necessary for the longterm health of the | remailer business as paid banks were and are for the banking business. | "Swiss bank in a box" may look like a neat little bit of code to play | with in the latest Debian code release, but it ain't really a Swiss bank. As Dan Geer pointed out, banks are in the risk management business. If you put your risk management algorithm in a box and expect me not to game it, its because you have too little money to pay for the analysis. LTCM had this problem; their banks decided it was more profitable to squueze them than to let them live, and they had no escape plan. (Its too bad the banks didn't know what their liabilities were, but thats another rant.) Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume
participants (3)
-
Adam Shostack -
Jim Choate -
Tim May