high latency low b/w ping circles: random vs clocked
Here's an obvious in hindsight thought: Use case: A (hidden, encrypted etc) ping circle (some combo of star or token ring yet to be designed) amongst a group of friends who may at random points in time, wish to send wheat txt sms in the chaff of the regular circle ping. Usually the ping is chaff. Any particular ping can be wheat (an sms/txt/email). If the ping is clocked, and there is any leakage of the clocking, then a GPA jamming my ISP link for say 5 seconds, right at the time I'm about to send my regular ping, would expose the other node(s) I am pinging. If the ping is not clocked, but is timed (clocked) to a statistically random time within a configured window, the GPA cannot know when to conduct their latency injection attack, and any dropout by me, would be seen by those who failed to receive my ping or received a delayed ping, as nothing but white noise, since every ping is randomly timed anyway. [To state what ought be obvious, the pings, though high priority when they are sent at extreme high (compared to normal web traffic) latency intervals, are still sent through 'regular' chaff-filled links, and so except for my local links temporarily dropping out, a GPA stalker should not be able to determine destination nodes for my ping, with any latency injection attack. The reasons we can make such an assertion and believe this holds true: - active latency injection attacks operate on the principle of statistically modifying the distribution of packets across a route (in time (for latency) or some other metric e.g. size) - in the case of extremely high latency packets (say, 1 hour between packets) at least when sent between nodes trusting one another or via nodes which, if they introduce a few seconds or minutes of latency, cannot meaningfully impact the ping, the relevant statistical "distribution of packets across time" is in the order of (in this example) hours - the b/w consumed by such ping circles very low - those in my ping circle, have little incentive to close such low b/w "chaff filled links" on the outgoing side - and in fact, those who want to see freedom of anonymous speech, will actively support such links (again, due to their low network costs) - and so those nodes which do NOT maintain such links when requested, naturally increase their stalker score (as viewed by others). ] "Treat each use case for its unique snowflake characteristics, and we provide for the possibility to optimize that particular use case."
On Sun, Oct 27, 2019 at 01:15:56PM +1100, Zenaan Harkness wrote:
Here's an obvious in hindsight thought:
Use case: A (hidden, encrypted etc) ping circle (some combo of star or token ring yet to be designed) amongst a group of friends who may at random points in time, wish to send wheat txt sms in the chaff of the regular circle ping.
Usually the ping is chaff.
Any particular ping can be wheat (an sms/txt/email).
If the ping is clocked, and there is any leakage of the clocking, then a GPA jamming my ISP link for say 5 seconds, right at the time I'm about to send my regular ping, would expose the other node(s) I am pinging.
Even the above statement is not necessarily true, may be not true at all: So I ping my 1st hop peer set, who have also these fixed low b/w ping links to their peers, etc, and some subset of all these are part of my ping circle of trusted friends. The earlier postulate (see OP email below) holds, namely that: "The b/w of the ping is so low, that there is little to incentive to not maintain such (virtual) links, even if an incoming ping fails to arrive; and the value of such hidden communications is far greater (and the anonymity of your circle), and so there is abundant incentive to maintain such low-cost links." So, even in the case of a clocked ping, the targets of my low b/w high latency ping are perhaps unlikely to be exposed, using active latency injection attacks. Notwithstanding this fact, the high latency nature of such ping circles suggests that statistically random clocking --within a specified window-- (e.g. 1hr ping, +/- 15 minutes window), would presumably not detract from the security of such links, and may well mitigate unforeseen future attacks. With a shout out to the pipe-net punks and others from ~1995. https://en.wikipedia.org/wiki/David_Chaum https://en.wikipedia.org/wiki/Mix_network
If the ping is not clocked, but is timed (clocked) to a statistically random time within a configured window, the GPA cannot know when to conduct their latency injection attack, and any dropout by me, would be seen by those who failed to receive my ping or received a delayed ping, as nothing but white noise, since every ping is randomly timed anyway.
The ability to hide ping recipients when I and or they are only intermittently connected (i.e., we all live on mobile phones), is in serious doubt. The reasonable (excepting further analysis) operating mode is to, at least, have a node which is permanently connected - but again, we need consider each use case in due course...
[To state what ought be obvious, the pings, though high priority when they are sent at extreme high (compared to normal web traffic) latency intervals, are still sent through 'regular' chaff-filled links, and so except for my local links temporarily dropping out, a GPA stalker should not be able to determine destination nodes for my ping, with any latency injection attack.
There is an unnamed assumption in the above - my ping circle includes only known friends. If my ping circle includes unknown destination nodes, detecting network dropout is trivial (I only have to be actively taken offline for a duration longer than the ping interval (+rand window), for the target to identify me. "Don't talk to strangers about highly important things." "Know your peer." "High value communications (and therefore network links/ routes) with unknown peers, exposes you to active stalker (e.g. government) attacks."
The reasons we can make such an assertion and believe this holds true:
- active latency injection attacks operate on the principle of statistically modifying the distribution of packets across a route (in time (for latency) or some other metric e.g. size)
- in the case of extremely high latency packets (say, 1 hour between packets) at least when sent between nodes trusting one another or via nodes which, if they introduce a few seconds or minutes of latency, cannot meaningfully impact the ping, the relevant statistical "distribution of packets across time" is in the order of (in this example) hours
- the b/w consumed by such ping circles very low - those in my ping circle, have little incentive to close such low b/w "chaff filled links" on the outgoing side - and in fact, those who want to see freedom of anonymous speech, will actively support such links (again, due to their low network costs) - and so those nodes which do NOT maintain such links when requested, naturally increase their stalker score (as viewed by others). ]
"Treat each use case for its unique snowflake characteristics, and we provide for the possibility to optimize that particular use case."
On Sun, Oct 27, 2019 at 01:51:36PM +1100, Zenaan Harkness wrote:
If the ping is not clocked, but is timed (clocked) to a statistically random time within a configured window, the GPA cannot know when to conduct their latency injection attack, and any dropout by me, would be seen by those who failed to receive my ping or received a delayed ping, as nothing but white noise, since every ping is randomly timed anyway.
The ability to hide ping recipients when I and or they are only intermittently connected (i.e., we all live on mobile phones), is in serious doubt.
The reasonable (excepting further analysis) operating mode is to, at least, have a node which is permanently connected - but again, we need consider each use case in due course...
That said, friends expose their friend connections daily these days - sms, text, phone calls, facebook, "likes" and endless more social virtue signalling signals. "You and your friends, who live only on mobile phones" are often connected around the same time. In these circumstances, fixed base rate links provide hiding of whether or not we are chatting, voice talking, or surfing through one another's nodes. This is useful "content, and type of" comms hiding. "Just because we cannot hide who we are communicating with, does not mean we should not exercise our right to hide the content and frequency of our communications." If my phone always connects to the same peer nodes when I turn my phone on, and vice versa, and we always establish certain base rate links, we may not even be communicating and no one would know, assuming we always reserve a minimum base rate load as "chaff or wheat" between our phones, and such that when we accept additional circuit requests, those exist above the private "always reserved" base link. This is the headroom concept, but always chaff filled, and reserved between me and my primary first hop peers.
high latency ping circle pings, should effectively disappear in the "usual mix" of traffic between standard peers. 1-hr +/- 15 minutes ping circle with immediate peer nodes ("friend") could be a mandatory base load. Even just coordinating links between peer nodes is an order of magnitude greater b/w - the pings "as wheat" will disappear "in the chaff of normal net/switch coord traffic", and automatically provide for high-value and hidden (to onlookers) text messages to be sent around. Imagining a UI element: HiddenMessageService - send message to friend - choose latency: - "std (up to 1.5 hrs to arrive)" - "half hour max" - "1 minute max" - "10 seconds max" - I type text and choose "1 minute max option" - app pops up saying "Enable 1 minute max messages to friend Blah, this will incur up to a 12MiB per month b/w overhead" - I click yes. - the app negotiates such a link with my friend - every time we are both connected, we maintain this link - until we optionally disable that link - because peer nodes must negotiate and regularly communicate re switching and routes and b/w, in order to anything at all, the overhead of that "1 minute max" link might almost disappear completely into regular network control packets (remember, we combine packets up to MTU or "configged normalized packet size" anyway, and we reserve the required b/w for such control packets as well - always keep a little headroom - i.e. that 12MiB/month might end up being much closer to the marginal size of the actual text messages only.
participants (1)
-
Zenaan Harkness