Do not taunt happy-fun-court.

Trei, Peter ptrei at rsasecurity.com
Thu Aug 2 07:18:35 PDT 2001




> ----------
> From: 	Black Unicorn[SMTP:unicorn at schloss.li]
> 
> > At some point I will probably begin keeping logs that expire after a
> > period of several hours, so that I can identify and block spammers. I'm
> > interested in your thoughts on this, Uni. Is the defense "I never retain
> > logs longer than 2 hours; they are automatically deleted out of disk
> > space considerations" as strong as the first one? (This is how many
> > remailers are configured. But even if the remailers all kept logs, if
> > users are chaining their messages through multiple remailers, anonymity
> > should still be preserved.)
> 
> See my (huge) posting on this, but I would suspect that this isn't great.
> Were I operating one, which I am admittedly not, I'd want there to be no
> data of evidentiary value ever hitting my memory or media.  To some degree
> that's not possible.  In the alternative, actually _disabling_ logging is
> the best policy, in my view.  The evidence never existed in the first place
> then.  It suddenly becomes a challenge to show some kind of conspiracy on
> your part since the actual spoliation claim is harder to make.  Showing
> conspiracy for anything with respect to either probably starts hard and
> gets marginally less hard in this order:
> 
> a)  A middle remailer in a multiple chain that knows nothing (little)
> about original sender, content or recipient. [...]
> b)  A back end remailer in a multiple chain that knows nothing (little)
> about content or original sender. [...]
> c)  A front end remailer in a multiple chain that knows nothing (little)
> about content or recipient. [...]
> d) A "one hop" remailer.
	[...]

You're forgetting 
      e) A remailer which silently ignores (and deletes)  all mail which is 
      not still encrypted after the remailer's decryption key is applied. 
      (Complaints from Choate that I don't show how to  distinguish 
      encrypted vs cleartext mail with 100% accuracy will be silently 
      ignored (and deleted).)

This protects the remailer operator from:

(1) having any knowledge of the ultimate destination of the mail, 
since there is a good possibility that the next email address 
is just another remailer.

(2) having any knowledge of the content of the email, since it is
still encrypted. Thus, a remailer operator in Afghanistan doesn't
knowingly pass on copies of 'The Satanic Verses'.

(3) passing on 99.9999% of spam. Spammers do not use encrypted
mail - it requires far too much per-message processing, in terms of
obtaining public keys, constructing nested encrypted messages, etc.

And yes, BU's point about not generating logs at all is well taken -
I've not looked at remailer software, but commenting out a few lines
should take care of this. If I ran one, I might consider keeping
aggregate data (# of messages/week, MB/week), but I can't see anything
useful I'd do with individual message data.

This ties into the discussion about headless, disposable remailers - many
of the discussed designs have no mass storage to speak of, so of course
they would not keep logs.

Peter Trei
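
[Added example, not part of the original message and not taken from any remailer software: a sketch of option (e) together with the aggregate-only counters mentioned above. It assumes the decrypted body should be a single ASCII-armored OpenPGP message; `looks_encrypted`, `Relay` and `armor` are hypothetical names, and the check is a heuristic on the first packet tag, not a proof of encryption.]

```python
# Added illustration; looks_encrypted, Relay and armor are hypothetical names.
import base64
import binascii
from dataclasses import dataclass

BEGIN, END = "-----BEGIN PGP MESSAGE-----", "-----END PGP MESSAGE-----"
ENCRYPTED_TAGS = {1, 3, 9, 18}  # PKESK, SKESK, encrypted data, encrypted+MDC

def first_packet_tag(raw: bytes):
    """OpenPGP tag of the first packet, or None if not a packet header."""
    if not raw or not raw[0] & 0x80:
        return None
    if raw[0] & 0x40:                 # new-format header: tag in bits 5-0
        return raw[0] & 0x3F
    return (raw[0] & 0x3C) >> 2       # old-format header: tag in bits 5-2

def looks_encrypted(body: str) -> bool:
    """Heuristic: body is exactly one armored OpenPGP encrypted message."""
    lines = [ln.strip() for ln in body.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        return False                  # any cleartext around the armor fails
    inner = lines[1:-1]
    if "" in inner:                   # skip armor headers up to the blank line
        inner = inner[inner.index("") + 1:]
    b64 = "".join(ln for ln in inner if not ln.startswith("="))  # drop CRC line
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return False
    return first_packet_tag(raw) in ENCRYPTED_TAGS

@dataclass
class Relay:
    forwarded: int = 0                # aggregate counters only
    dropped: int = 0
    bytes_forwarded: int = 0

    def handle(self, next_hop: str, body: str):
        """Return (next_hop, body) to forward, or None to drop silently."""
        if not looks_encrypted(body):
            self.dropped += 1         # no address, content or reason recorded
            return None
        self.forwarded += 1
        self.bytes_forwarded += len(body.encode())
        return next_hop, body

def armor(raw: bytes) -> str:
    """Build constructed sample input (no real ciphertext, no CRC line)."""
    return f"{BEGIN}\n\n{base64.b64encode(raw).decode()}\n{END}\n"

if __name__ == "__main__":
    relay = Relay()
    relay.handle("next@remailer.example", armor(b"\x85\x01\x0c" + bytes(16)))
    relay.handle("someone@example.com", "Subject: cheap pills\n\nBuy now")
    print(relay)
```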






