Is it time to kill the JAP backdoor cretins and their families?

Len Sassaman rabbi at abditum.com
Mon Aug 25 20:27:20 PDT 2003


On Thu, 21 Aug 2003, Tim May wrote:

> It would be easy for me to say that all of the operators connected with
> JAP should be killed, either necklaced and left to burn in their
> driveways, with perhaps their families (children, siblings, parents)
> also tortured to death, or at least that the offices of JAP should be
> firebombed, but I will not do this.

For what it is worth, there has been a lot of good theory research in the
field of strong anonymity to come out of Dresden.

Operators of anonymity services, of course, are free to do what they wish
with their services: log, not log, restrict users, etc., as long as their
policies are clearly presented to their users. To lie to their users and
to misrepresent the level of anonymity provided by the system is
reprehensible.

> But of course those who placed any faith in "trust us, we won't narc
> you out!" software are the real fools.

It's this point of Tim's I have been meaning to address, since it isn't
quite as simple as this.

First of all, JAP was presented as something other than the above. It was
not a "trust us" system -- it used mixes, with independent operators. JAP
was intended to be a "trust the laws of mathematics" system, and was
undermined by the software authors.

I won't go into a lot of detail about why low-latency mixes are more
likely to be breakable, even when deployed correctly, as this is covered
pretty well in the literature. But I would like to suggest that, in some
cases, a "trust us not to narc you out" system may, in fact, be superior
to the alternatives.

The Cypherpunk adage "trust in the laws of mathematics, not of men"
excludes a third evaluation classification: the laws of reputation and
economics.

Let's look at JAP vs. Anonymizer, prior to the JAP backdoor issue:

o JAP was a low-latency mix cascade system with independent operators.
o JAP had ~ 30K users.
o JAP was run primarily by educational/research institutions with
  government influence.

o Anonymizer is a low-latency single-hop proxy system with one operator.
o Anonymizer has ~ 100K paid users, and an undetermined number of free
  users. (Estimates are as high as 2 mil, though that may be a stretch).
o Anonymizer is a for-profit company that makes its money by not narc'ing
  out its users.

From the laws of math vs. men standpoint, JAP looks like it was the better
choice.

However, even when setting aside the issue that our understanding of the
math involved may be flawed, JAP quickly becomes a less appealing choice
once the other factors are considered.

University / government funded research relies on grants for its
existence. This makes the operators beholden to the source of grant funds.
It also eliminates an economic incentive to put users first.

Private companies offering privacy/anonymity services are faced with a
direct correlation between revenue and delivery of such services. Should a
company like Anonymizer violate its stated privacy policy and misrepresent
its level of security, as JAP did, the results would be devastating to the
viability of the company. The JAP group, on the other hand, is facing
nothing more than a little bad PR and the loss of some users. (Many of
those 30,000 probably are unaware of the silent compromise of JAP
security).

Then there is the anonymity-set issue. With almost 4 times the number of
users as JAP, Anonymizer is much stronger against many adversaries who
lack sophisticated attack capabilities.

Anonymity is difficult to achieve. If the number of users of a system is
too small to provide sufficient cover traffic for the individual users, it
does not matter how "secure" the system is -- it can be treated as a black
box, and its users' actions analyzed.

Honestly, as much as it pains me to say this as maintainer of Mixmaster,
one is probably a lot safer using Anonymizer and Hotmail to send anonymous
email than Mixmaster (against most realistic adversaries at this point)
simply based on the respective size of the user bases. Hopefully that will
improve greatly as the Mixmaster network continues to mature, and remailer
software gets easier to use.

[Yes, as a "trust-us" system, Anonymizer isn't appropriate for some uses
that a correctly implemented and deployed verifiably strong anonymity
system would be. However, those uses aren't likely to be common. But one
must evaluate his own threat models and take whatever precautions are
necessary.]


--Len.
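The "black box" point in the post above (a user base too small for cover traffic means an adversary need not break the system at all, only watch who goes in and what comes out) is the setting of the classic intersection attack. The Python below is an added illustration of that attack and is not code from the original message, nor from JAP, Anonymizer or Mixmaster. It treats the anonymity system as an opaque box, records which users submitted traffic in each observation round in which the target pseudonym's traffic emerged, and intersects those sets round by round. The population sizes (taken from the rough user counts in the post), the per-round activity rate, the target's identifier and the random seed are constructed assumptions for the simulation, not measurements of either service.

```python
"""
Toy intersection attack against an anonymity system treated as a black box.

Model (an assumption for illustration): in every observation round each of
N users independently submits traffic with probability `activity_rate`; the
adversary sees the set of submitting users on the input side and, on the
output side, whether the target pseudonym's traffic appeared. Only rounds in
which the target was active are recorded. The intersection of the recorded
input sets can only shrink, and it always contains the real sender.
"""
import math
import random


def rounds_to_isolate(population: int, activity_rate: float) -> int:
    """Back-of-envelope bound: after k recorded rounds the expected number of
    innocent users still consistent with every observation is
    (population - 1) * activity_rate**k. This returns the smallest k for
    which that expectation drops below one, i.e.
    k > ln(population - 1) / ln(1 / activity_rate)."""
    if population < 2:
        return 0
    return math.ceil(math.log(population - 1) / math.log(1.0 / activity_rate))


def simulate_intersection_attack(population: int, activity_rate: float,
                                 target: int, max_rounds: int, seed: int = 0):
    """Run the attack until the candidate set is a single user or max_rounds
    recorded rounds have elapsed. Returns (candidate_set, sizes_per_round)."""
    rng = random.Random(seed)           # fixed seed: constructed, repeatable run
    candidates = set(range(population))
    sizes = []
    while len(sizes) < max_rounds and len(candidates) > 1:
        # Input-side view for one round: everyone who sent something.
        active = {u for u in range(population) if rng.random() < activity_rate}
        # We only record rounds where the target's traffic left the box, so the
        # target is by construction among the senders in every recorded round.
        active.add(target)
        candidates &= active
        sizes.append(len(candidates))
    return candidates, sizes


def compare_populations(populations, activity_rate: float) -> dict:
    """Expected rounds-to-isolate for each user-base size, for side-by-side
    comparison of how much cover a larger population buys."""
    return {n: rounds_to_isolate(n, activity_rate) for n in populations}


if __name__ == "__main__":
    RATE = 0.3                            # assumed per-round activity rate
    for n, k in compare_populations([30_000, 100_000], RATE).items():
        print(f"population {n:>7}: ~{k} recorded rounds to isolate a sender")
    cands, sizes = simulate_intersection_attack(30_000, RATE, target=1234,
                                                max_rounds=40)
    print("candidate set sizes per round:", sizes)
    print("surviving candidates:", sorted(cands))
```

`rounds_to_isolate` grows only logarithmically in the population, so the extra cover a larger user base buys against a patient passive observer who can correlate many rounds is real but modest; against an adversary who sees only a single round, the anonymity set is simply the number of users active in that round, which is where the raw user count matters most.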





More information about the cypherpunks-legacy mailing list