Re: The Remailer Crisis
Tim urges recently that we need to do something about the "remailer crisis." I remember Sameer once mentioning that he could set up remailer-in-a-box accounts for possibly anonymous 'sponsors' who'd be the legal owners therefore indemnifying Sameer (the tolerant sysadmin) of responsibility. I know he allows 'remail-to-yourself' blind-server accounts for $10 / meg or something. That's probably a bit expensive for a sponsor of a public remailer (any stats on average remailer traffic?). I never did here any more from sameer or anyone else about remailers-in-boxed-accounts. I for one would be willing to 'sponsor' a remailer account on any system with a small fee - I can't run my own as my private site looks at the world through PPP. I suggest that 'sponsored' remailers are a better way of making remailers economically viable for people like Sameer, who are the real, if not nominal, administrators. Though I hardly use remailers, those who do would probably make better (and more easily executed) use of their money if they sponsor remailer accounts on Cypherpunk ISPs like c2, rather than pay a (truenamed, legally vulnerable) operator for any single remailer. Sameer's blind-server code can come in use to make any link between the sponsor and her sponsored account very hard to detect. The advantages of sponsoring remailer-site operators to create remailing accounts, rather than pay an individual remailer operator, are many: 1. innocent until proven guilty - presumably sponsors do use remailers a lot; but not necessarily. So the payment transaction can be via truename, rather than via some complicated anonymous means, and still leave the sponsor unimplicated 2. legal - an operator of a single remailer is vulnerable - technically, if not root, and legally otherwise. an administrator of a Cypherpunk ISP is not, and does not have the legal right to monitor a customer's traffic, and with blind-servers even detailed logging don't lead back to the owner of an account, the sponsor, from any _specific_ remailer (though a pool of sponsors exist for a pool of remailer account) 3. technical - it's not possible to ban a single remailer, as they may be _many_ on a site. If the site is much more than just remailers, it's not really possible to ban the entire site. 4. traffic analysis - more remailers addresses will make traffic analysis harder, and chaining more fun - you could chain through multiple accounts on a single site with little loss in reliability (though you'll still want to go through more sites) 5. remailer explosion - more reliable remailers (due to the '-in-a-box', more users, wider distribution Comments? ----------------------------------------------------------------------------- Rishab Aiyer Ghosh "In between the breaths is rishab@dxm.ernet.in the space where we live" rishab@arbornet.org - Lawrence Durrell Voice/Fax/Data +91 11 6853410 Voicemail +91 11 3760335 H 34C Saket, New Delhi 110017, INDIA
rishab@dxm.ernet.in wrote:
Tim urges recently that we need to do something about the "remailer crisis."
I remember Sameer once mentioning that he could set up remailer-in-a-box accounts for possibly anonymous 'sponsors' who'd be the legal owners therefore indemnifying Sameer (the tolerant sysadmin) of responsibility. I know he allows 'remail-to-yourself' blind-server accounts for $10 / meg or something. That's probably a bit expensive for a sponsor of a public remailer (any stats on ....
I of course agree with everything Rishab just said, because I've made these points repeatedly over the last year or so. The "remailer-in-a-box" was even my coinage, though I make no claims to working on it more than just proposing some ideas. I mention this because I sense a fair amount of frustration by many of us that the same ideas keep coming up, keep getting general support, but don't move along further. I've certainly felt this, and I know others have, too. (I sometimes think that nearly all messages here are just skimmed by the readers, so the same stuff keeps bubbling up over and over again.) Yet I'm not pointing a finger at the remailer operators or anyone else. The problems are systemic, related to why things don't get done. In any case, I strongly urge--and have several times now--that the act of owning or operating a site be explicity disconnected from the act of having an account that does remailing. Sites/Owners that allow remailing accounts ARE NOT THE SAME AS accounts/owners that actually do the remailing! Further, there is no legal requirement (U.S.) that accounts be "identifiable" publically--and probably no legal requirement that accounts be identifiable at _all_. Thus, I could buy (Rishab's "sponsor") a remailer account on foo.bar for some amount of money, paid with paper currency sent to the remailer (just to help defray costs, not as a sophisticated "paid remailer" scheme). (And if charges of abuse, or legal letters from the Church of Aptical Foddering, cause the site owner to "shut down" account remailer73@foo.bar, then a new account, remailer121@foo.bar can be instantiated immediately. Nothing illegal about this, unless the site itself is (somehow) declared to be a contributory nuisance or somesuch.) For reasons which should be apparent to all, having my name, or any other name, attached to a remailer (e.g., "Tim-Remailer@foo.bar") could invite deliberate attacks, spams, etc. Better to have remailers have no such flags or invitations, a point several of you have also commented on (in terms of picking domain names that are not inflammatory or that will not trigger local scrutiny). Like Duncan F., I will be willing to sponsor or buy some remailer accounts. How many I sponsor will depend on the price, features, reliabillity, etc. (Please do not post "Hey, I'm willing to do this, so send me your $100 now." messages....for obvious reasons.) I am waiting for such services to be actually, formally, solidly announced, not just casual remarks that it might be possible. And of course the software should be "ready to wear," port-a-potty, so that the remailer account owner does nothing more than pay for the account. (Aside: I strongly recommend that some emergent naming conventios be discussed. For example, the "remailers-in-a-box" may need to be "no frills" remailers, with no errors reported to the sender, no help to those who send the wrong instructions, no hand-holding, and even _no further contact_ between those who sponsored/bought the accounts and the account itself! This could be marked as "anon-nf-137@foo.bar," meaning, an anon account, no frills, number 137 (of many more, hopefully). And so on.) And it will also depend on site reliability, uptime, etc. One site I would otherwise be tempted to sponsor a remailer account on recently took 5 days to forward a test message, so the problems are apparent. (I believe remailer operators need to _promote_ their sites, by citing uptimes, features, policies....but this is another one of those ideas that keeps coming up over and over again, from various people.) The "crisis" I am talking about is that we are down to a handful of sites, down from nearly 20 at one time, and with no apparent upward trend in numbers. Separating the act of having the courage/dedication to allow remailers from the act of operating remailers out of accounts is the key. --Tim May -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@netcom.com | anonymous networks, digital pseudonyms, zero | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^859433 | Public Key: PGP and MailSafe available. Cypherpunks list: majordomo@toad.com with body message of only: subscribe cypherpunks. FAQ available at ftp.netcom.com in pub/tc/tcmay
participants (2)
-
rishab@dxm.ernet.in -
tcmay@netcom.com