CNN.com on Remailers

Meyer Wolfsheim wolf at priori.net
Wed Dec 12 15:27:06 PST 2001 

On Wed, 12 Dec 2001, Faustine wrote:

> I don't know, how about traffic analysis?

Yes, but see my previous post.

> Exploiting (publicly) undisclosed holes in the remailer software?

Same problem as traffic analysis if you are talking about compromising the
remailer. Doesn't work after the fact. (Plus, the risk of detection is
certainly non-zero.)

If you're talking about exploiting flaws in the remailer message
encryption or in the mix-net protocol, that would work, but also would
rely upon having remailer traffic be intercepted and collected for later
analysis.

> Good old-fashioned deception isn't exactly rocket science, either. How about
> suckering people into routing traffic through an ever-increasing number of
> corrupt nodes, either by: 1) running them covertly 2) buying off "trusted

Stats manipulation has been discussed before. (LEAs run remailers, and
then ensure that their remailers are at the top of the stats pages, either
by falsifying stats or causing legitimate remailers to sink lower on the
stats then LEA remailers.)

Another half-decent attack if planned in advance.

> pillars of the crypto community" and trading on their reputation
> capital? A sobering thought.

I'm not skeptical as to how effective that would be. Look at all the times
that Phil Zimmermann has been accused of being in bed with the Government.
I'm not sure there are any "trusted pillars of the crypto community".

> Or how about this one: enticing people interested in developing
> cryptography into an closed system based in Canada (international, so
> using full-blown Echelon technology against it isn't a problem)

Except for the pesky fact that the NSA can't spy on US citizens, even if
they're in Canada. (Exceptions can be made, but the hoops become higher
and more numerous than a simple FBI investigation.)

> offering "secure" messaging, file storage, sharing and transmission
> etc. while promising them the moon about being a no-compromise
> information-haven phuck-the-state all-your-eggs-in-one -basket crypto
> system?
>
> Oh wait, it's called CryptoHeaven. Nevermind.

Yes, well. My thoughts on CryptoHeaven are already on the record on this
list.

> Not that I'm claiming the first thing about them--it's just that if I were
> trying to come up with a way to gather information on people interested in
> developing privacy and cryptography technology, setting up a compromised
> CryptoHeaven-like system on behalf of the United States Government would be
> IDEAL. Or at the very least,inserting some bad actors into the system to root
> up the vulnerabilities couldn't hurt. Not to mention cultivating "trusted
> insider" informants.

Smells like entrapment, though.


-MW-

More information about the cypherpunks-legacy mailing list