Thanks for the living hell, and question about OpenSSL

Patrick Chkoreff patrick at fexl.com
Fri Apr 25 15:01:24 PDT 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Major Variola (ret) wrote:

> At 02:20 PM 4/25/03 -0400, someone claiming to be Patrick Chkoreff
> wrote:

(-:  The sig is valid for the key at http://fexl.com/keys/patrick.txt)


>> I was mistakenly thinking that because my sacred code did not
>> in fact record any IP-based transmission logs, users were safe as far
>> as anonymity and privacy were concerned.  What I missed was that if
>> someone put a gun to my head
>
> Generally in security analysis you want to list threat models and how
> you resist (or not) them.
> From this you can derive a spec.  ...
> This leads to the conclusion that security is economics + physics.  The
> goal is to make attacks more expensive to your adversary, at "reasonable"
> cost to you.
>
> Subpoenas are cheap to some.

True.  From the thrashing I took yesterday, I conclude that subpoenas 
and other forceful means of system compromise are very cheap indeed.  
That assumes the system is big enough to matter to the bad guys, which 
is definitely false at initial rollout but from the looks of this crowd 
is likely to remain false forever if the system cannot guarantee 
protection against that threat.  Everybody here wants an improvement 
over book-entry systems, but nobody will settle for anything less than 
fully blinded digital notes.

The question of whether digital notes can circulate in the wild without 
server contact but with the ability to identify double-spenders later 
is up for grabs.  Hettinga likes that feature for intrinsic reasons 
having nothing to do with network reliability or ubiquity.  I find it a 
bit appealing myself because it can help support small social nets of 
accountability.  I have not reviewed the math in detail, but am I to 
understand that under this protocol ONLY double-spenders can be 
identified?  That is, if you do not double-spend can you be guaranteed 
anonymity from other recipients down the spend chain?

Obviously those in the know share a common threat model that demands 
blinding.  Certainly that has serious implications for the server.  In 
a non-blinded system you can just store a small number of unspent coins 
and the server can do tricks like include an lseek number in the coin 
data to make lookup extremely fast.  But nobody wants a non-blinded 
system.  Consequently, the server must store a large number of spent 
coins and because coin identifiers are created randomly out in the wild 
there is no convenient embedded lseek number.  But yes, it is extremely 
cool that you can get the bank's signature on X without actually 
revealing X to the bank.

Certainly there are more detailed threats than forced compromise to 
consider.  Some precautions you take just because you can -- lock and 
randomize memory for example.  But whether you turn on internal 
churning mechanisms to prevent timing attacks, put ceramic caps on 
memory components, put boxes in Faraday cages, etc. is another story 
altogether.

- -- Patrick
http://fexl.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPqmwOVA7g7bodUwLEQIW2QCgqNLLeEA/PbOe3dgazARsXvEJJVoAoLYi
nPzuhTdEBoXQs0BJ8ysLz92c
=E5lc
-----END PGP SIGNATURE-----
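Worked example of the blinded-note flow the message discusses: the client gets the bank's signature on a coin without the bank ever seeing the coin, and the bank must then keep an ever-growing set of spent serials because it never learned them at withdrawal time. This is an added example, not code from the post or from fexl.com. The key size, the SHA-256 hashing of the serial into an RSA message, and the Bank/blind/unblind/verify names are constructed for the demo; it shows online double-spend detection at deposit, not the offline scheme the message asks about, in which only a double-spender's identity is recoverable.

```python
"""Chaum-style RSA blind signature with a spent-coin list (added example, not
code from the original post or fexl.com). Constructed assumptions: 512-bit primes,
SHA-256 reduced mod n standing in for a full-domain hash, and the Bank/blind/
unblind/verify names. Textbook RSA without padding is used for clarity only."""
import hashlib
import math
import secrets

PRIME_BITS = 512  # assumption: toy size so the demo runs quickly

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases."""
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:  # odd candidate with the top bit set
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def rsa_keygen(bits=PRIME_BITS, e=65537):
    """Return ((n, e), (n, d)); e must be coprime to phi(n)."""
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def coin_message(serial, n):
    """Map a coin serial to an integer mod n (simplified full-domain hash)."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % n

def blind(pub, serial):
    """Client: multiply the message by r^e so the bank never sees m."""
    n, e = pub
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:  # r must be invertible mod n to unblind later
            return (coin_message(serial, n) * pow(r, e, n)) % n, r

def unblind(pub, blinded_sig, r):
    """Client: divide out r; what remains is the bank's signature on m."""
    n, _ = pub
    return (blinded_sig * pow(r, -1, n)) % n

def verify(pub, serial, sig):
    n, e = pub
    return pow(sig, e, n) == coin_message(serial, n)

class Bank:
    """Signs blinded values at withdrawal; records spent serials at deposit."""
    def __init__(self, bits=PRIME_BITS):
        self.pub, self._priv = rsa_keygen(bits)
        self.seen_at_withdrawal = []  # everything the bank learns while signing
        self.spent = set()  # grows with every deposit; there is no compact index

    def sign_blinded(self, blinded):
        n, d = self._priv
        self.seen_at_withdrawal.append(blinded)
        return pow(blinded, d, n)

    def deposit(self, serial, sig):
        """Accept a coin once: valid signature and serial not yet spent."""
        if not verify(self.pub, serial, sig) or serial in self.spent:
            return False
        self.spent.add(serial)
        return True

def withdraw_and_spend_demo():
    """Withdraw one coin, deposit it twice, try a forgery, check unlinkability."""
    bank = Bank()
    serial = secrets.token_bytes(16)  # constructed coin identifier, client-chosen
    blinded, r = blind(bank.pub, serial)
    sig = unblind(bank.pub, bank.sign_blinded(blinded), r)
    n = bank.pub[0]
    return {
        "valid": verify(bank.pub, serial, sig),
        "first_deposit": bank.deposit(serial, sig),
        "second_deposit": bank.deposit(serial, sig),  # double spend is caught
        "forgery_rejected": not verify(bank.pub, serial, (sig + 1) % n),
        "bank_saw_message": coin_message(serial, n) in bank.seen_at_withdrawal,
    }
```

The `bank_saw_message` check is the point about blinding: the value the bank signed is m*r^e mod n, and because e is coprime to phi(n) the map r -> r^e is a bijection, so no r other than 1 can make that equal m. The `spent` set is the server-side cost the message describes: serials are chosen by clients at random, so the bank can only ever grow a lookup structure keyed on them, with no embedded offset to exploit.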




