CDR: Response to false statements about Zero-Knowledge
Austin Hill
austin at zeroknowledge.com
Fri Nov 10 11:56:03 PST 2000
Declan,
I would like to respond to some of the discussion and false statements being
made about Zero-Knowledge.
Please see my comments below and FWD: to Politech. Thank you.
Regards,
Austin
>-----Original Message-----
>From: Declan McCullagh [mailto:declan at well.com]
>Sent: Wednesday, November 08, 2000 7:15 PM
>To: politech at politechbot.com
>Cc: shamrock at cypherpunks.to
>Subject: FC: Response to article on Zero Knowledge, marketing, and promises
>
>*********
>A response to:
>http://www.politechbot.com/p-01464.html
>*********
>
>Date: Wed, 01 Nov 2000 18:49:32 -0800
>From: Lucky Green <shamrock at cypherpunks.to>
>Subject: RE: Zero Knowledge, after poor software sales, tries new gambit
>To: declan at well.com
>
>Declan,
>I don't believe the conclusion that Internet users are unwilling to pay for
enhanced privacy is warranted given
>the information currently available. If anything, ZKS' poor sales show that
Internet users are unwilling to pay
>for software that claims to protect the user's privacy but doesn't. This is
a very important distinction to make.
>Freedom (TM) as shipping does not adequately protect the users' privacy.
ZKS' marketing machine and early promises
>notwithstanding, in the end the market was not fooled into buying product
that doesn't deliver.
First to set the record straight, Declan's claim that our software sales
have been poor is completely baseless. He has reported this as fact when
during my interview with him I clearly stated that we are pleased with our
results for Freedom and are seeing substantial growth, so much that we are
still hiring more engineers (adding to the already 100 we have working on
it) and adding more features and improvements to our consumer privacy
product.
Because we as a private company refuse to provide Declan with actual sales &
revenue numbers he has persisted in reporting that this is because of poor
software sales, based on what he described as anecdotal evidence that he has
observed in the cypherpunk community.
Declan fails to mention that Freedom was never targeted toward Cypherpunks;
our goal was to incorporate Cypherpunk-level cryptography and philosophies
into a privacy tool that would empower the average Internet user to manage
their privacy online. Cypherpunks can build privacy tools for themselves;
our target market for Freedom is consumers who are concerned with their
privacy.
Declan and his editor at Wired have received a complaint regarding what we
feel was irresponsible reporting, that includes a transcript of the relevant
parts of the interview. As of now, they have not made any correction or
retraction.
Declan, I invite you to FWD: our letter to you and your Wired editor, to
Politech readers so they can make up their own minds regarding the current
state of our software sales and your editorial on the launch of our
additional corporate privacy services. For now Declan and I have agreed to
disagree about the accuracy and quality of his article.
Now leaving that issue aside, Lucky Green makes the claim that we have
failed to deliver what we promise. I believe this is completely baseless and
false. Our promised privacy protection is detailed extensively at a very
technical level in our whitepapers,
http://www.freedom.net/info/freedompapers/Freedom-Architecture-Protocols.pdf
http://www.freedom.net/info/freedompapers/Freedom-NymCreation.pdf
http://www.freedom.net/info/freedompapers/Freedom-Security.pdf
In these papers we describe every attack we protect against and more
importantly every attack that we don't protect against. These whitepapers
include protocols, design goals and actual results of security audits
against the architecture and the code. Unfortunately, Lucky hasn't done any
analysis to add to the list.
To further improve our security and privacy commitment and to ensure users
do not have to rely on or trust Zero-Knowledge's claims, we have also
published the source code for the system, which is available at,
http://opensource.zeroknowledge.com
We are the only privacy company that has published whitepapers on the full
protocol, security attacks against the system, and the source code. We
believe that this is responsible privacy, and that it is the only way to
verify and support our claims to our users.
If there is _ANY_ attack, weaknesses, flaw or security bug we have invited
people to review our work and inform us, and we then update our documents to
reflect our continued understanding of how to design and implement the best
privacy infrastructure available.
Based on this, we believe we are the strongest privacy solution on the
market. (In fact most other privacy companies claim that we are 'killing a
fly with a bazooka' by going overboard with strong crypto and multi-hop
routing).
>I think it is unfortunate that ZKS' failure to deliver on their
>promises will now be taken as an indication that there is no market
>for a product that ZKS never built.
I actually believe that Lucky's false statements and accusations stem from
Zero-Knowledge shipping a solution that does not include the solution to one
of the original design goals, which was a traffic-analysis-resistant
network. During our first attempt to build the FREEDOM infrastructure and an
AnonymousIP protocol we also tried to build it to be resistant to traffic
analysis and large statistical attacks. (This remains a design goal, but
we think there are open research issues to be solved before we (or anyone)
can ship a system that meets this design goal).
The techniques we attempted to use to facilitate this were:
-Constant packet sizing
-Link padding
-Traffic shaping (introducing extra bogus traffic or limiting traffic to
disguise the actual amount of traffic being sent through the network)
During our tests of the first alpha versions of FREEDOM, we found a number
of problems with this including:
1. Speed & performance degradation that made the system unusable
2. Huge costs increases in operating the backbone infrastructure (Packets
were being sent with a huge increase in 'stuffed' payloads and there had to
be constant traffic on the network)
3. Incomplete understanding of the effect in the security and resistances to
these attacks (we found there was not enough research in the area of traffic
analysis to determine if the extra delays and huge costs increased gained us
anything in the protection from traffic analysis. In fact, upon review we
found that since the costs of doing the bare minimum padding (full link
padding from the client node to the first server node) could not be
supported by what we felt users were willing to pay for privacy, we reviewed
our threat model and lowered the bar on the what we were trying to
accomplish.
We consider traffic analysis to be an area in need of basic research. We
have some information-theoretical and computationally secure proposals but
minimal work on secure systems with work-factors less than computationally
secure. Simple things like how to define and discuss the work-factor of
these systems are missing. We do not have equivalents of basic constructs
like Feistel-networks, s-boxes, or chaining modes. We have easy attacks
which seem very powerful, but can't judge if those attacks are the
equivalent of statistical attacks on ceaser ciphers or something more
powerful. We do not have powerful techniques such as differential or linear
cryptanalysis, the impossible variants, or any sort of trade-off attacks.
There's not a great deal of discussion of the case where flood the pipe is
not an option, or where we want to limit delays.
We think the situation is analogous to the state of our understanding of
block cipher analysis in 1970. We had an information-theoretically secure
system. But we had little or no knowledge of the Enigma breaks (Bletchly
Park is not mentioned in the index of the 1967 ed. of the Codebreakers).
When the NBS proposed the DES, many were at a loss as to how to critique it
beyond asking for the design criteria to be published. Compare and contrast
this situation with the AES competition.
Our Director of Technology, Adam Shostack raised this issue in a rump
session talk at the 'Design Issues in Anonymity and Unobservability'
workshop, and we're looking for other ways to bring the problem to the
attention of the academic community.
Our users are primarily Win 95/98 users who are worried about their privacy
(i.e. email address; cookies; profiling by ad networks; pseudonyms for chat
rooms and Usenet). They are not worried about the NSA doing traffic analysis
on their communications. We were way too ambitious with that design goal and
we decided it was not a 'must have' that would prevent us from shipping our
current solution. More than that, we did so publicly (see our whitepapers)
and we are also working on increasing academic research in this area (we
have a few scientists working on it) so that if we decide to attack this
problem in the future there will be more information available to us to
review.
Lucky claims that there is large market demand (in terms of $$ and/or
people) for traffic-analysis-resistant, completely anonymous networking. I
disagree, but would invite him to take our source code and go out and build
a business based on this. The published source code is the result of 3 years
of engineering by more than 100 developers and we would invite him to take
this start and improve on it. We would be interested in his results both
technically (how to achieve traffic analysis resistant networking) and on
the business side (how do you build a business to support fully traffic
analysis resistant networking).
We have 250+ people working very hard on privacy systems, and have taken
huge steps in making sure we are accurate in our claims, transparent in our
systems and are delivering privacy services that we can be very proud of.
Lucky, by claiming that we are misleading our users or not protecting their
privacy because of the lack of resistance to traffic analysis is
irresponsible and is allowing the best to be the enemy of the good.*
* For those who don't follow security debates, this refers to idealists who
want to build great systems with really neat provable properties and other
useful underpinnings. Unfortunately, none of those systems have ever
shipped, and in the real world, we get by with good. Freedom is the
strongest privacy system that's shipping. Is it as good as we would like it
to be in an ideal world? Of course not. But there is a braintrust at
Zero-Knowledge of really smart people who want to make it even better, so
while we've decided to ship a strong and working system that offers
consumers the best privacy available today, we also have 100 engineers
working to continually make it better.
Regards,
-Austin
>The risk that the such a, in my view erroneous, conclusion would be drawn
was of course the big risk to Internet
>privacy worldwide that followed from ZKS' foolish gamble to ship a product
that didn't meet market demand. A risk
>that I on more than one occasion impressed upon the principals was to great
to take.
>
>--Lucky Green <shamrock at cypherpunks.to>
>
> "Anytime you decrypt... its against the law".
> Jack Valenti, President, Motion Picture Association of America in
> a sworn deposition, 2000-06-06
>
_________________________________________________________________________
Austin Hill Zero-Knowledge Systems Inc.
President Montreal, Quebec
Phone: 514.286.2636 Fax: 514.286.2755
mailto:a_hill at zeroknowledge.com http://www.zeroknowledge.com
Are you fast enough? Are you smart enough? We are hiring those who are!
http://www.zeroknowledge.com/jobs/
PGP Fingerprints
RSA = 7BDB A72C 1130 BC09 CD5A 2712 F51D 72AC
DH/DSS = F783 7187 E174 0C5C DD4C B1FA 0392 C7DC AF5A 1FAB
_________________________________________________________________________
--
Resistance is futile! http://jobs.zeroknowledge.com
More information about the Testlist
mailing list