Re: On the crime bill and remailers
Hal said:
I strongly disagree with this. Anonymous remailers as presently constructed will be almost completely ineffective against any significant government attempts to surveil email traffic. The government does have the resources today to defeat most uses of remailers. Since present-day remailers lack padding features, the correspondence between incoming and outgoing messages, even with encryption, is relatively easy to establish. This is made worse by the lack of general support for reordering, which renders the task almost trivial.
Although it does seem that the government ought to be able to track remailer traffic, is there any evidence that they are actually doing it in the real world? I've seen posts on usenet which would have presumably provoked a reaction from police, but I can't remember hearing of any cases in which such surveillance occurred.
== Alex Strasheim alex@omaha.com
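Hal's point about padding and reordering, quoted above, can be checked with a small model of one remailer hop. This is an added example, not part of the original thread; the traffic, the 200-byte layer overhead and the 8192-byte pad size are constructed assumptions. It counts, for each outgoing message, how many incoming messages a wire observer cannot rule out.

```python
import random

LAYER_OVERHEAD = 200  # constructed value: bytes stripped with one encryption layer

# Constructed sample traffic: (sender, ciphertext size in bytes) in arrival order.
TRAFFIC = [("alice", 1400), ("bob", 2300), ("carol", 900), ("dave", 5100),
           ("erin", 3200), ("frank", 1750), ("grace", 2650), ("heidi", 4100)]

def out_size(size, pad_to):
    """Size on the wire after the remailer strips its layer (and pads, if enabled)."""
    return pad_to if pad_to else size - LAYER_OVERHEAD

def remail(incoming, batch=1, pad_to=None, seed=0):
    """Forward messages in rounds of `batch`; return what a wire observer sees.

    Each round is (inputs, outputs). Outputs keep the true sender only so the
    result can be checked; the observer uses sizes and round membership alone.
    """
    rng = random.Random(seed)
    rounds = []
    for start in range(0, len(incoming), batch):
        inputs = incoming[start:start + batch]
        outputs = [(sender, out_size(size, pad_to)) for sender, size in inputs]
        rng.shuffle(outputs)  # reordering within the round
        rounds.append((inputs, outputs))
    return rounds

def anonymity_sets(rounds, pad_to=None):
    """For each outgoing message, count the inputs it could have come from."""
    sizes = []
    for inputs, outputs in rounds:
        for true_sender, seen in outputs:
            candidates = {s for s, size in inputs if out_size(size, pad_to) == seen}
            assert true_sender in candidates  # the real sender is never excluded
            sizes.append(len(candidates))
    return sizes

def mean_anonymity(batch, pad_to):
    """Mean number of candidate senders per outgoing message for one configuration."""
    sets = anonymity_sets(remail(TRAFFIC, batch, pad_to), pad_to)
    return sum(sets) / len(sets)

if __name__ == "__main__":
    for batch, pad_to in [(1, None), (4, None), (1, 8192), (4, 8192)]:
        print(f"batch={batch} pad_to={pad_to}: mean candidates = "
              f"{mean_anonymity(batch, pad_to)}")
```

Reordering alone or padding alone leaves every message with a single candidate sender in this model; only the combination raises the candidate set to the batch size.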
Hal Finney assumes that cooperating attackers are monitoring each and every remailer site used by a well-constructed message (which I define as two or more jurisdictions, at least one private box, and nested encryption). While ubiquitous wiretap is a good worst-case assumption to make when designing the remailers, the odds that all the remailers in such a chain are being wiretapped are vanishingly small. A post-hoc attack of examining logs, like what the FBI is probably doing now for the RC4 incident, is much more likely. A wiretap attack would only become even remotely likely if there was a repeated pattern, for example regularly leaked trade secrets that appeared to come from the same originator. Despite the possibility that the RC4 leaker used the predictable 'premail', or perhaps didn't even use nested encryption at all, and that the leak was serious enough to make the front page of the Wall Street Journal, I'll lay even odds that the leaker is never found. If the leaker used a well-constructed message, and doesn't try to repeat his coup, I set the odds at 1000:1 that we'll ever find him via remailer tracing. This despite the fact that the current remailer network falls well short of a wiretap-proof digital mix, as Hal correctly notes.
Jim Hart hart@chaos.bsu.edu
Jim Hart wrote:
A post-hoc attack of examining logs, like what the FBI is probably doing now for the RC4 incident, is much more likely... I'll lay even odds that the leaker is never found... if the leaker used a well constructed message... I set the odds at 1000:1 that we'll ever find him via remailer tracing.
Intellectual property rights, export status and all that aside, as a once (and hopefully future) remailer operator, I am curious and concerned for the remailer operator in this case. I see that RSADSI contacted Mr. Perry's employer (jpunix consultants here in Houston?) and the remailer is "temporarily" shut down. This investigation could go a long ways into answering (maybe unfavorably) several legal matters, such as the seizure of sendmail logs, from multiple machines if chained. Will the FBI get cooperation from a foreign law enforcement if a foreign remailer was used? If the mail was chained through several remailers, will legal action be taken against each one? Then there's the liability of the remailer operator, the company who owned the machine, etc. Will RSA pursue action against these people? Can they? I'm not advocating illegal remailer usage, but I certainly don't want to see John Perry become the focus of lawsuits as the most visible target. John Perry mentioned he was almost fired, except the CEO of JPUnix is open minded. Thankfully, I can imagine other organizations wouldn't have hesitated in firing him.
--
Karl L. Barrus: klbarrus@owlnet.rice.edu
2.3: 5AD633; D1 59 9D 48 72 E9 19 D5 3D F3 93 7E 81 B5 CC 32
2.6: 088C8F21; 97 73 9E 8B 98 3E DD B5 E8 97 64 7E 20 95 60 D9
"One man's mnemonic is another man's cryptography" - K. Cooper
Karl Lui Barrus <klbarrus@owlnet.rice.edu> wrote:
I see that RSADSI contacted Mr. Perry's employer (jpunix consultants here in Houston?) and the remailer is "temporarily" shut down.
The remailer is back up. I don't know if it's really my place to comment here, but I would like to clear up the misconceptions. Someone from RSA (probably Bidzos) contacted Perspective Scientific (persci.com), a company which hired John Perry to install and maintain their network. Since Mr. Perry was not in at the time, they demanded to speak to the CEO. The caller then proceeded to tell him that Persci's computers were being used to distribute proprietary, copyrighted encryption software on the internet. This claim is false, and I assume that the caller knew it was false but made it anyway. Jpunix.com is John Perry's personal computer at his home. The caller could have gotten his home number from the whois record and called him personally; there was absolutely no reason for them to call his employer. RSA called PerSci for no other reason than to harass John Perry and attempt to get him in trouble at work. This is not the first time they have done this type of thing (and based on the various lawsuits against them, it would seem they consider it standard procedure). Fortunately, the CEO of Persci was open-minded enough to realise that RSA's complaint had nothing to do with Perspective Scientific, and dropped the issue there. Failing that, there isn't much else RSA can do to harass Mr. Perry, and they seem to have given up for now...
participants (4)
- Alex Strasheim
- Jim Hart
- Karl Lui Barrus
- Matthew J Ghio