high latency low b/w ping circles: random vs clocked

Zenaan Harkness zen at freedbms.net
Sat Oct 26 19:51:36 PDT 2019 

On Sun, Oct 27, 2019 at 01:15:56PM +1100, Zenaan Harkness wrote:
> Here's an obvious in hindsight thought:
> 
> Use case: A (hidden, encrypted etc) ping circle (some combo of star
> or token ring yet to be designed) amongst a group of friends who may
> at random points in time, wish to send wheat txt sms in the chaff of
> the regular circle ping.
> 
> Usually the ping is chaff.
> 
> Any particular ping can be wheat (an sms/txt/email).
> 
> If the ping is clocked, and there is any leakage of the clocking,
> then a GPA jamming my ISP link for say 5 seconds, right at the time
> I'm about to send my regular ping, would expose the other node(s) I
> am pinging.

Even the above statement is not necessarily true, may be not true at
all:

So I ping my 1st hop peer set, who have also these fixed low b/w ping
links to their peers, etc, and some subset of all these are part of
my ping circle of trusted friends. The earlier postulate (see OP
email below) holds, namely that:

  "The b/w of the ping is so low, that there is little to incentive
   to not maintain such (virtual) links, even if an incoming ping
   fails to arrive;
   and the value of such hidden communications is far greater (and
   the anonymity of your circle), and so there is abundant incentive
   to maintain such low-cost links."

So, even in the case of a clocked ping, the targets of my low b/w
high latency ping are perhaps unlikely to be exposed, using active
latency injection attacks.

Notwithstanding this fact, the high latency nature of such ping
circles suggests that statistically random clocking --within a
specified window-- (e.g. 1hr ping, +/- 15 minutes window), would
presumably not detract from the security of such links, and may well
mitigate unforeseen future attacks.

With a shout out to the pipe-net punks and others from ~1995.


  https://en.wikipedia.org/wiki/David_Chaum
  https://en.wikipedia.org/wiki/Mix_network



> If the ping is not clocked, but is timed (clocked) to a statistically
> random time within a configured window, the GPA cannot know when to
> conduct their latency injection attack, and any dropout by me, would
> be seen by those who failed to receive my ping or received a delayed
> ping, as nothing but white noise, since every ping is randomly timed
> anyway.


The ability to hide ping recipients when I and or they are only
intermittently connected (i.e., we all live on mobile phones), is in
serious doubt.

The reasonable (excepting further analysis) operating mode is to, at
least, have a node which is permanently connected - but again, we
need consider each use case in due course...


> [To state what ought be obvious, the pings, though high priority when
>  they are sent at extreme high (compared to normal web traffic)
>  latency intervals, are still sent through 'regular' chaff-filled
>  links, and so except for my local links temporarily dropping out, a
>  GPA stalker should not be able to determine destination nodes for my
>  ping, with any latency injection attack.


There is an unnamed assumption in the above - my ping circle includes
only known friends.

If my ping circle includes unknown destination nodes, detecting
network dropout is trivial (I only have to be actively taken offline
for a duration longer than the ping interval (+rand window), for the
target to identify me.

  "Don't talk to strangers about highly important things."

  "Know your peer."

  "High value communications (and therefore network links/ routes)
   with unknown peers, exposes you to active stalker (e.g.
   government) attacks."



>  The reasons we can make such an assertion and believe this holds
>  true:
> 
>   - active latency injection attacks operate on the principle of
>     statistically modifying the distribution of packets across a
>     route (in time (for latency) or some other metric e.g. size)
> 
>   - in the case of extremely high latency packets (say, 1 hour
>     between packets) at least when sent between nodes trusting one
>     another or via nodes which, if they introduce a few seconds or
>     minutes of latency, cannot meaningfully impact the ping, the
>     relevant statistical "distribution of packets across time" is in
>     the order of (in this example) hours
> 
>   - the b/w consumed by such ping circles very low
>     - those in my ping circle, have little incentive to close such
>       low b/w "chaff filled links" on the outgoing side
>     - and in fact, those who want to see freedom of anonymous speech,
>       will actively support such links (again, due to their low
>       network costs)
>     - and so those nodes which do NOT maintain such links when
>       requested, naturally increase their stalker score (as viewed by
>       others).
> ]
> 
> 
>   "Treat each use case for its unique snowflake characteristics,
>    and we provide for the possibility to optimize that particular
>    use case."
>

More information about the cypherpunks mailing list