security and hidden networks (was On the LAM--Local Area Mixes)

Tue Jan 20 12:30:11 PST 1998

summary

this post suggests that technically, routing through a sub-network 
does not necessarily increase complexity or hinder traffic analysis,
as it can be treated as a virtual node. given that, LAM-type networks
may not provide much protection in a politically unkind environment.
i also suggest a way of rating (or classifying) secure networks based
on how well they hide suspect data and routes in other traffic.

as this in response to tim may's LAM post, i'll respond quoting that.

Tim May <tcmay at got.net> writes:
>A message would enter the physical site, bounce around to N machines, and
>exit, perhaps going to other machines and sites, and back again, etc. (The
>image was of perhaps 20 or 30 cheap PCs linked with Ethernet in a set of
>apartments in Berkeley--obtaining search warrants or court orders to allow
>monitoring of all 20 or 30 machines, scattered across several physical
>addresses, would be "problematic.")

i won't repeat my objections to a reliance on "problematic" court orders, which
i've made in another post. let us simply assume, for example, that i am the
NSA, and i don't need court orders, but i'm a sneaky sort so i don't want to
go in with guns blazing just yet. Alice has a network, alice.net, 10.1.1.0. she
has many machines on this network, some hers, some belonging to Bob. 
when Alice and Bob plan stink-bomb attacks on the IRS (sorry, when they,
or Li-Xia and Bu-pang, write articles on human rights violations in xinjiang) 
to Carol and David, outside their network, they first bounce their packets around
their 30 machines.

i sniff all packets going into and out of the network 10.1.1.0, from the upstream
provider (Alice has her whole building in a faraday cage, which is ok because she
never tries to use her mobile phone indoors). so. does it matter in the least, to
me, whether alice wrote her last rant from kitchen.alice.net (10.1.1.1) or garage.alice.net
(10.1.1.2) or whether it was actually Bob - Bob Inc, to be safe - from 10.1.1.33?

it could matter politically/legally (if i wanted to prosecute) or technically (if i want
to trace traffic down, to, from or through alice's net). technically first: it doesn't
really matter. i treat alice's net as a hermetically sealed virtual "node"...

>-- the routing topology of the site may be an interesting area to look at.
>Ideally, a "Linda"-like broadcast topology (all machines see all packets,
>like messages in a bottle thrown into the "sea") could have certain

... which is all the more correct topologically if broadcast addresses (10.1.1.255)
are used. so i treat alice's net as a single node, and monitor traffic as it enters
and leaves that "node". just as i would monitor traffic entering and leaving a
single machine, without caring much which disk drive or memory bank it passed
through.

with a single physical entry and exit point to the network it can be treated exactly 
as if it were a single node for the purposes of any traffic analysis (security/traceability).
multiple physical connections might complicate it slightly, but if i'm sniffing them
all, and they connect to the same set of machines (i.e. the same network), not much
(if it's IP the address spaces may differ but that's a minor matter).

depending on what remailer math tells us - and we really do need remailer math, as
tim pointed out! - bouncing traffic around sub-nets may have little impact on
security. it could remain the same; i don't see how it could become much better;
it could plausibly get worse, if multiple nodes in a single subnet can eat into your 
random route hops resulting in concentration of traffic through fewer virtual "nodes".

the only situation in which this isn't true is if the source and destination of traffic
are both within the sealed network - presumably what would happen most of the
time with tim's suggestion of voice/high-bandwidth stuff.

now for the political/legal bit. given that i'd like to see cypherpunk technology as
daring enough to be of use outside western democracies, let's look at a slightly
challenging situation. you're a bunch of people, each with your own firm for added
safety, in this building. now i'm not a decent american cop, worried about court
orders etc. ok, i don't exactly want to shoot all of you at once. but if i am satisfied
(which i could be, using technical methods) that lots of "suspicious" stuff is coming
from your network, then i'll certainly come in and reeducate you all on your "errors
and distortions." (sorry, just finished a week of watching andrzej wajda films at a
retrospective.) 

oho. it's a BIG building. and i don't really suspect all of you. ok, i go have a chat
with the network admin - Alice - and hold her responsible. she has great respect
for the government and police and would never write such a nasty thing as "the
state tortures political prisoners?" uh oh. so i tell her that for the good of the country
she must let someone listen in at her machine ("you didn't keep logs? ah, that was
a mistake, no?") - i'm now inside, and the sealed network shrinks. of course if i'm 
impatient and don't believe her innocent approach, i just use the rubber hose. 

the same goes for multiple physical links into the same network.

can _technology_ - rather than relying on law-abiding cops, and rights-abiding
laws - provide a solution? the key is the BIG building. the more non-suspicious
routes there are - i.e. a route through normal, unsuspected people, typically
but not necessarily outside the physically well-protected area - the harder to 
usefully treat a network as a virtual node. looking at 10.1.1.0 as a node may 
help, just 256 people there; but 10.1.0.0 is a bit big to make a coherent "node"

so although a LAM may be a great way to _test_ new tech and protocols out,
i'd think it a big mistake to actually deploy it, as it were, on a large scale. it
wouldn't help at all in the tough spots, and it would only serve to make the 
easier spots tougher, strengthening the immune system of would-be tyrannical
states (i.e. the nicer western democracies). in general "WAMs" would be much
more helpful and secure. 

the other thing that helps is of course the degree of non-suspicious traffic on
suspected routes. putting them together, i think you can get some measure
of the utility of a protocol and topology. 

the ideal would a) make it technically impossible to trace the route of suspicious 
traffic; and b) make it politically/legally difficult to prosecute originators/destinations
of suspicious traffic. it would do this by a) blurring the distinction between suspicious
and "regular" routes; and b) make it difficult to distinguish suspicious from harmless
traffic on those routes; c) make it difficult or impossible to block suspicious routes
or intercept/monitor suspicious traffic without causing unacceptable deterioration
of service for "ordinary" traffic.

two ratios seem useful to me as a way of organising cryptoanarchic network protocols. 
suspicious routes/ordinary routes; suspicious/ordinary traffic on any route. an ideal universal
DC-Net with padding to keep constant throughput would have both ratios tending towards 1 - 
there is only one route - broadcast - for everyone; and traffic is constant so the degree of
really suspicious stuff is unknown.

pure Blacknet-type systems tend towards [1,0] - there is only one route, assuming everyone
uses it. but without padding, you could suspect all traffic.

Pipenet tends towards [0,1] - there are many routes, and they're all pretty suspicious
as it's possible for the monitor to discriminate among them. but traffic is constant, so
you don't know when to suspect. 

regards,
rishab

First Monday - The Peer-Reviewed Journal on the Internet 
http://www.firstmonday.dk/  Munksgaard International Publishers, Copenhagen

Intl & Managing Editor - Rishab Aiyer Ghosh (ghosh at firstmonday.dk) 
Mobile +91 98110 14574; Fax +91 11 2209608; Tel +91 11 2454717 
A4/204 Ekta Apts., 9 Indraprastha Extn, New Delhi 110092 INDIA