Mitigating Dangers of Compromised Anonymity

Meyer Wolfsheim wolf at priori.net
Sat Aug 31 00:12:16 PDT 2002


On Fri, 30 Aug 2002, Adam Shostack wrote:

> I'd like to suggest that while this may be fun, usability and getting
> millions of users to see that remailers are useful to them is a more
> useful goal.

I agree, although I fail to see how working on this would interfere with
that goal in any way.

> The anonymity set provided by the current extant systems is too small
> to protect anyone against anyone who is willing to kill or disappear
> people as part of their attacks against the remailers.

I find this disbelievable. I suspect there are many groups which do not
have the capability of defeating the remailer system who would still like
to see it eliminated. Willingness to kill or disappear people isn't
necessarily tied to technical capability, though I agree that entities
which can defeat the remailer network without "disappearing" anyone are
unlikely to pose a threat to the remops. If our goal is to make remailers
harder to defeat, however, beforehand might be the right time to address
the problem of "missing remailer operators."

(Incidently, I could see this having uses outside the remailer operator
world.)

> Oh, yeah, and incidentally, if you build this system, the attacker can
> simply add a bit of rubber hosing to their remop elimination program.

To pry the signing key out of the victim? That's a personal "how much
torture can I take" question for the victim to ask himself. He knows he'll
be permanently disappeared after coughing up the private key.

In many cases also it might be far harder to rubber-hose someone than
simply cause an "accident".


-MW-





More information about the cypherpunks-legacy mailing list