Mitigating Dangers of Compromised Anonymity

Adam Shostack adam at homeport.org
Sun Sep 1 15:12:57 PDT 2002 

On Sat, Aug 31, 2002 at 12:12:16AM -0700, Meyer Wolfsheim wrote:
| On Fri, 30 Aug 2002, Adam Shostack wrote:
| 
| > I'd like to suggest that while this may be fun, usability and getting
| > millions of users to see that remailers are useful to them is a more
| > useful goal.
| 
| I agree, although I fail to see how working on this would interfere with
| that goal in any way.

Scarce resources (programmer time) go to this, not that.  Given the
small pool of people writing code, I'd like to try to convince them to
write code that I think is more useful.  I'd write it myself, but that
just makes work for someone who says "My god, I need to re-write
this!" ;)

| > The anonymity set provided by the current extant systems is too small
| > to protect anyone against anyone who is willing to kill or disappear
| > people as part of their attacks against the remailers.
| 
| I find this disbelievable. I suspect there are many groups which do not
| have the capability of defeating the remailer system who would still like
| to see it eliminated. Willingness to kill or disappear people isn't
| necessarily tied to technical capability, though I agree that entities
| which can defeat the remailer network without "disappearing" anyone are
| unlikely to pose a threat to the remops. If our goal is to make remailers
| harder to defeat, however, beforehand might be the right time to address
| the problem of "missing remailer operators."

Sorry, I think you missed my point a little.  Let me explain, then
I'll respond to what you said.

If Charlie is willing to kill someone to achieve his goals, then he is
pretty dedicated.  He may be able to trade that willingness to commit
violence for technical help, etc.

I agree that there are groups who might not be able to defeat the
remailer system who'd like it to go away, but its not clear to me how
many of them would go to the extent of kidnapping or killing a
remailer operator to achieve the goal of getting rid of the remailer
system.

| (Incidently, I could see this having uses outside the remailer operator
| world.)

So?

| > Oh, yeah, and incidentally, if you build this system, the attacker can
| > simply add a bit of rubber hosing to their remop elimination program.
| 
| To pry the signing key out of the victim? That's a personal "how much
| torture can I take" question for the victim to ask himself. He knows he'll
| be permanently disappeared after coughing up the private key.
|
| In many cases also it might be far harder to rubber-hose someone than
| simply cause an "accident".

True, but how many groups are willing to go that far?

Adam


-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume

More information about the cypherpunks-legacy mailing list