ALTA/DMT privacy [was: Re: (No Subject)]

Bill Stewart bill.stewart at pobox.com
Wed Dec 10 18:20:55 PST 2003


On 10 Dec 2003 at 15:19, Nostradumbass at SAFe-mail.net wrote:
 > E-gold and other DGCs do not do much if any due diligence in
 > checking account holder identification

Unfortunately, they also don't do much if any due diligence in
identifying themselves in messages to real or potential customers,
so it's extremely difficult to determine if I've gotten any
administrative messages that really _were_ from them
as opposed to the N fraudsters sending out mail asking you to
log in to e-g0ld.com or whatever fake page lets them steal
your egold account number and password so they can drain your balance.

A policy of PGP-signing all their messages using a key
that's published on their web pages would be a good start,
though it's still possible to trick some fraction of people
into accepting the wrong keys.  For now, my basic assumption
is that any communications I receive that purport to be from them
are a fraud, and it's frustrating that there's no good mechanism
for reporting that to e-gold.

At 07:08 PM 12/10/2003 -0500, Nostradumbass at SAFe-mail.net wrote:
>-------- Original Message --------
>From: "James A. Donald" <jamesd at echeque.com>
>Date: Wed, 10 Dec 2003 14:13:59 -0800
>
> > On 10 Dec 2003 at 15:19, Nostradumbass at SAFe-mail.net wrote: ...
> > > ALTA/DMT does have a certain degree of un-linkability in that
> > > once accounts are deleted all db references in the system to
> > > that account are also deleted from all ALTA/DMT dbs.
> >
> > Trust us.  Would we lie to you?
>
>This info was obtained from discussions with the developers,
>experiments with the system and examination of the code.

You can't tell if the code you're examining is the real code,
or whether it will continue to be the real code in the future.

You can't tell if the system is making backups of its databases.

You can't tell if the experiments you're making with their system
are really detecting that there's no information stored,
or merely that it's not telling _you_ where they stored it.

You can't tell if they're stashing session keys somewhere
for the Echelon folks to correlate with their wiretap data.

You can't distinguish whether any system is sufficiently advanced or
merely a rigged demo, nor can you tell which one this system is.

You can't tell from discussions with the developers whether they're
lying to you, at least unless they're bad at it.

You can't tell from experiments with the system that
did in fact pay you the money that they should have
whether they'll always do so in the future.

You can't tell from extremely detailed experiments where
they give you the root passwords to all their machines
and let you watch the bits go in and out whether
all future transactions will be handled the same way
or whether they're just stringing you along until there's
enough real money in the system or enough money from real suspects
that the owners or various monkeys on their back want to
rip off or rat out.

You're back to trusting them.  I don't know them,
so I don't know if they're trustable, but there are people
in this business who are, as well as others who aren't.

You can tell whether you've given them any real information,
and if the system doesn't collect it, it can't rat you out.
But otherwise, it's basically trust.




