On Sun, Oct 27, 2019 at 01:15:56PM +1100, Zenaan Harkness wrote:
Here's an obvious in hindsight thought:
Use case: A (hidden, encrypted etc) ping circle (some combo of star or token ring yet to be designed) amongst a group of friends who may at random points in time, wish to send wheat txt sms in the chaff of the regular circle ping.
Usually the ping is chaff.
Any particular ping can be wheat (an sms/txt/email).
If the ping is clocked, and there is any leakage of the clocking, then a GPA jamming my ISP link for say 5 seconds, right at the time I'm about to send my regular ping, would expose the other node(s) I am pinging.
Even the above statement is not necessarily true, may be not true at all: So I ping my 1st hop peer set, who have also these fixed low b/w ping links to their peers, etc, and some subset of all these are part of my ping circle of trusted friends.
The earlier postulate (see OP email below) holds, namely that: "The b/w of the ping is so low, that there is little incentive to not maintain such (virtual) links, even if an incoming ping fails to arrive; and the value of such hidden communications is far greater (and the anonymity of your circle), and so there is abundant incentive to maintain such low-cost links."
So, even in the case of a clocked ping, the targets of my low b/w high latency ping are perhaps unlikely to be exposed, using active latency injection attacks.
Notwithstanding this fact, the high latency nature of such ping circles suggests that statistically random clocking --within a specified window-- (e.g. 1hr ping, +/- 15 minutes window), would presumably not detract from the security of such links, and may well mitigate unforeseen future attacks.
With a shout out to the pipe-net punks and others from ~1995.
https://en.wikipedia.org/wiki/David_Chaum
https://en.wikipedia.org/wiki/Mix_network
If the ping is not clocked, but is timed (clocked) to a statistically random time within a configured window, the GPA cannot know when to conduct their latency injection attack, and any dropout by me, would be seen by those who failed to receive my ping or received a delayed ping, as nothing but white noise, since every ping is randomly timed anyway.
The ability to hide ping recipients when I and/or they are only intermittently connected (i.e., we all live on mobile phones), is in serious doubt. The reasonable (excepting further analysis) operating mode is to, at least, have a node which is permanently connected - but again, we need consider each use case in due course...
[To state what ought be obvious, the pings, though high priority when they are sent at extreme high (compared to normal web traffic) latency intervals, are still sent through 'regular' chaff-filled links, and so except for my local links temporarily dropping out, a GPA stalker should not be able to determine destination nodes for my ping, with any latency injection attack.
There is an unnamed assumption in the above - my ping circle includes only known friends. If my ping circle includes unknown destination nodes, detecting network dropout is trivial (I only have to be actively taken offline for a duration longer than the ping interval (+rand window), for the target to identify me). "Don't talk to strangers about highly important things." "Know your peer." "High value communications (and therefore network links/routes) with unknown peers, expose you to active stalker (e.g. government) attacks."
The reasons we can make such an assertion and believe this holds true:
- active latency injection attacks operate on the principle of statistically modifying the distribution of packets across a route (in time (for latency) or some other metric e.g. size)
- in the case of extremely high latency packets (say, 1 hour between packets) at least when sent between nodes trusting one another or via nodes which, if they introduce a few seconds or minutes of latency, cannot meaningfully impact the ping, the relevant statistical "distribution of packets across time" is in the order of (in this example) hours
- the b/w consumed by such ping circles is very low - those in my ping circle, have little incentive to close such low b/w "chaff filled links" on the outgoing side - and in fact, those who want to see freedom of anonymous speech, will actively support such links (again, due to their low network costs) - and so those nodes which do NOT maintain such links when requested, naturally increase their stalker score (as viewed by others). ]
"Treat each use case for its unique snowflake characteristics, and we provide for the possibility to optimize that particular use case."