8.1 copyright
THE CYPHERNOMICON: Cypherpunks FAQ and More, Version 0.666,
1994-09-10, Copyright Timothy C. May. All rights reserved.
See the detailed disclaimer. Use short sections under "fair
use" provisions, with appropriate credit, but don't put your
name on my words.
8.2 - SUMMARY: Anonymity, Digital Mixes, and Remailers
8.2.1. Main Points
- Remailers are essential for anonymous and pseudonymous
systems, because they defeat traffic analysis
- Cypherpunks remailers have been one of the major successes,
appearing at about the time of the Kleinpaste/Julf
remailer(s), but now expanding to many sites
- To see a list of sites: finger remailer-
list@kiwi.cs.berkeley.edu
( or http://www.cs.berkeley.edu/~raph/remailer-list.html)
- Anonymity in general is a core idea
8.2.2. Connections to Other Sections
- Remailers make the other technologies possible
8.2.3. Where to Find Additional Information
- Very little has been written (formally, in books and
journals) about remailers
- David Chaum's papers are a start
8.2.4. Miscellaneous Comments
- This remains one of the most jumbled and confusing
sections, in my opinion. It needs a lot more reworking and
reorganizing.
+ Partly this is because of several factors
- a huge number of people have worked on remailers,
contributing ideas, problems, code, and whatnot
- there are many versions, many sites, and the sites change
from day to day
- lots of ideas for new features
- in a state of flux
- This is an area where actual experimentation with remailers
is both very easy and very instructive...the "theory" of
remailers is straighforward (compared to, say, digital
cash) and the learning experience is better than theory
anyway.
- There are a truly vast number of features, ideas,
proposals, discussion points, and other such stuff. No FAQ
could begin to cover the ground covered in the literally
thousands of posts on remailers.
8.3 - Anonymity and Digital Pseudonyms
8.3.1. Why is anonymity so important?
- It allows escape from past, an often-essential element of
straighening out (an important function of the Western
frontier, the French Foreign Legion, etc., and something we
are losing as the dossiers travel with us wherever we go)
- It allows new and diverse types of opinions, as noted below
- More basically, anonymity is important because identity is
not as important as has been made out in our dossier
society. To wit, if Alice wishes to remain anonymous or
pseudonymous to Bob, Bob cannot "demand" that she provide
here "real" name. It's a matter of negotiation between
them. (Identity is not free...it is a credential like any
other and cannot be demanded, only negotiated.)
- Voting, reading habits, personal behavior...all are
examples where privacy (= anonymity, effectively) are
critical. The next section gives a long list of reasons for
anonymity.
8.3.2. What's the difference between anonymity and pseudonymity?
+ Not much, at one level...we often use the term "digital
pseudonym" in a strong sense, in which the actual identity
cannot be deduced easily
- this is "anonymity" in a certain sense
- But at another level, a pseudonym carries reputations,
credentials, etc., and is _not_ "anonymous"
- people use pseudonyms sometimes for whimsical reasons
(e.g., "From spaceman.spiff@calvin.hobbes.org Sep 6, 94
06:10:30"), sometimes to keep different mailing lists
separate (different personnas for different groups), etc.
8.3.3. Downsides of anonymity
- libel and other similar dangers to reputations
+ hit-and-runs actions (mostly on the Net)
+ on the other hand, such rantings can be ignored (KILL
file)
- positive reputations
- accountability based on physical threats and tracking is
lost
+ Practical issue. On the Cypherpunks list, I often take
"anonymous" messages less seriously.
- They're often more bizarre and inflammatory than ordinary
posts, perhaps for good reason, and they're certainly
harder to take seriously and respond to. This is to be
expected. (I should note that some pseudonyms, such as
Black Unicorn and Pr0duct Cypher, have established
reputable digital personnas and are well worth replying
to.)
- repudiation of debts and obligations
+ infantile flames and run-amok postings
- racism, sexism, etc.
- like "Rumormonger" at Apple?
- but these are reasons for pseudonym to be used, where the
reputation of a pseudonym is important
+ Crimes...murders, bribery, etc.
- These are dealt with in more detail in the section on
crypto anarchy, as this is a major concern (anonymous
markets for such services)
8.3.4. "How will privacy and anonymity be attacked?"
- the downsides just listed are often cited as a reason we
can't have "anonymity"
- like so many other "computer hacker" items, as a tool for
the "Four Horsemen": drug-dealers, money-launderers,
terrorists, and pedophiles.
- as a haven for illegal practices, e.g., espionage, weapons
trading, illegal markets, etc.
+ tax evasion ("We can't tax it if we can't see it.")
- same system that makes the IRS a "silent partner" in
business transactions and that gives the IRS access to--
and requires--business records
+ "discrimination"
- that it enables discrimination (this _used_ to be OK)
- exclusionary communities, old boy networks
8.3.5. "How will random accusations and wild rumors be controlled in
anonymous forums?"
- First off, random accusations and hearsay statements are
the norm in modern life; gossip, tabloids, rumors, etc. We
don't worry obsessively about what to do to stop all such
hearsay and even false comments. (A disturbing trend has
been the tendency to sue, or threaten suits. And
increasingly the attitude is that one can express
_opinions_, but not make statements "unless they can be
proved." That's not what free speech is all about!)
- Second, reputations matter. We base our trust in statements
on a variety of things, including: past history, what
others say about veracity, external facts in our
possession, and motives.
8.3.6. "What are the legal views on anonymity?"
+ Reports that Supreme Court struck down a Southern law
requiring pamphlet distributors to identify themselves. 9I
don't have a cite on this.)
- However, Greg Broiles provided this quote, from _Talley
v. State of California_, 362 U.S. 60, 64-65, 80 S.Ct.
536, 538-539 (1960) : "Anonymous pamphlets, leaflets,
brochures and even books have played an important role in
the progress of mankind. Persecuted groups and sects from
time to time throughout history have been able to
criticize oppressive practices and laws either
anonymously or not at all."
Greg adds: "It later says "Even the Federalist Papers,
written in favor of the adoption of our Constitution,
were published under fictitious names. It is plain that
anonymity has sometimes been assumed for the most
constructive purposes." [Greg Broiles, 1994-04-12]
+ And certainly many writers, journalists, and others use
pseudonyms, and have faced no legal action.
- Provided they don't use it to evade taxes, evade legal
judgments, commit fraud, etc.
- I have heard (no cites) that "going masked for the purpose
of going masked" is illegal in many jurisdictions. Hard to
believe, as many other disguises are just as effective and
are presumably not outlawed (wigs, mustaches, makeup,
etc.). I assume the law has to do with people wearning ski
masks and such in "inappropriate" places. Bad law, if real.
8.3.7. Some Other Uses for Anonymous Systems:
+ Groupware and Anonymous Brainstorming and Voting
- systems based on Lotus Notes and designed to encourage
wild ideas, comments from the shy or overly polite, etc.
- these systems could initially start in meeting and then
be extended to remote sites, and eventually to nationwide
and international forums
- the NSA may have a heart attack over these trends...
+ "Democracy Wall" for encrypted messages
- possibly using time-delayed keys (where even the public
key, for reading the plaintext, is not distributed for
some time)
- under the cover of an electronic newspaper, with all of
the constitutional protections that entails: letters to
the editor can be anonymous, ads need not be screened for
validity, advertising claims are not the responsibility
of the paper, etc.
+ Anonymous reviews and hypertext (for new types of journals)
+ the advantages
- honesty
- increased "temperature" of discourse
+ disadvantages
- increased flames
- intentional misinformation
+ Store-and-forward nodes
- used to facillitate the anonymous voting and anonymous
inquiry (or reading) systems
- Chaum's "mix"
+ telephone forwarding systems, using digital money to pay
for the service
- and TRMs?
+ Fiber optics
+ hard to trace as millions of miles are laid, including
virtually untraceable lines inside private buildings
- suppose government suspects encrypted packets are going
in to the buildings of Apple...absent any direct
knowledge of crimes being aided and abetted, can the
government demand a mapping of messages from input to
output?
- That is, will the government demand full disclosure of
all routings?
- high bandwidth means many degrees of freedom for such
systems to be deployed
+ Within systems, i.e., user logs on to a secure system and
is given access to his own processor
- in a 288-processor system like the NCR/ATT 3600 (or even
larger)
- under his cryptonym he can access certain files, generate
others, and deposit message untraceably in other mail
locations that other agents or users can later retrieve
and forward....
- in a sense, he can use this access to launch his own
agent processes (anonymity is essential for many agent-
based systems, as is digital money)
+ Economic incentives for others to carry mail to other
sites...
- further diffusion and hiding of the true functions
+ Binary systems (two or more pieces needed to complete the
message)
- possibly using viruses and worms to handle the
complexities of distributing these messages
- agents may handle the transfers, with isolation between
the agents, so routing cannot be traced (think of scene
in "Double-Crossed" where bales of marijuana are passed
from plane to boat to chopper to trucks to cars)
- this protects against conspiracies
+ Satellites
+ physical security, in that the satellites would have to
be shot down to halt the broadcasting
+ scenario: WARC (or whomever) grants broadcast rights in
1996 to some country or consortium, which then accepts
any and all paying customers
- cold cash
- the BCCI of satellite operators
+ VSATs, L-Band, Satellites, Low-Earth Orbit
- Very Small Aperture Terminals
- L-Band...what frequency?
+ LEO, as with Motorola's Iridium, offers several
advantages
- lower-power receivers and smaller antennas
- low cost to launch, due to small size and lower need
for 10-year reliability
- avoidance of the "orbital slot" licensing morass
(though I presume some licensing is still involved)
- can combine with impulse or nonsinusoidal transmissions
8.3.8. "True Names"
8.3.9. Many ways to get pseudonyms:
- Telnet to "port 25" or use SLIP connections to alter domain
name; not very secure
- Remailers
8.3.10. "How is Pseudonymity Compromised?"
- slip-ups in style, headers, sig blocks, etc.
- inadvertent revealing, via the remailers
- traffic analysis of remailers (not very likely, at least
not for non-NSA adversaries)
- correlations, violations of the "indistinguishability
principle"
8.3.11. Miscellaneous Issues
- Even digital pseudonyms can get confusing...someone
recently mistook "Tommy the Tourist" for being such an
actual digital pseudonym (when of course that is just
attached to all posts going througha particular remailer).
8.4 - Reasons for Anonymity and Digital Pseudonyms (and Untraceable E-Mail)
8.4.1. (Thre are so many reasons, and this is asked so often, that
I've collected these various reasons here. More can be added,
of course.)
8.4.2. Privacy in general
8.4.3. Physical Threats
+ "corporate terrrorism" is not a myth: drug dealers and
other "marginal" businessmen face this every day
- extortion, threats, kidnappings
+ and many businesses of the future may well be less
"gentlemanly" than the conventional view has it
- witness the bad blood between Intel and AMD, and then
imagine it getting ten times worse
- and national rivalries, even in ostensibly legal
businesses (think of arms dealers), may cause more use of
violence
+ Mafia and other organized crime groups may try to extort
payments or concessions from market participants, causing
them to seek the relative protection of anonymous systems
- with reputations
+ Note that calls for the threatened to turn to the police
for protection has several problems
- the activities may be illegal or marginally illegal
(this is the reason the Mafia can often get involved
and why it may even sometimes have a positive effect,
acting as the cop for illegal activities)
- the police are often too busy to get involved, what
with so much physical crime clogging the courts
- extortion and kidnappings can be done using these very
techniques of cryptoanarchy, thus causing a kind of arms
race
+ battered and abused women and families may need the
equivalent of a "witness protection program"
+ because of the ease of tracing credit card purchases,
with the right bribes and/or court orders (or even
hacking), battered wives may seek credit cards under
pseudonyms
- and some card companies may oblige, as a kind of
politically correct social gesture
+ or groups like NOW and Women Against Rape may even
offer their own cards
- perhaps backed up by some kind of escrow fund
- could be debit cards
+ people who participate in cyberspace businesses may fear
retaliation or extortion in the real world
- threats by their governments (for all of the usual
reasons, plus kickbacks, threats to close them down,
etcl)
- ripoffs by those who covet their success...
8.4.4. Voting
- We take it for granted in Western societies that voting
should be "anonymous"--untraceable, unlinkable
- we don't ask people "What have you got to hide?" or tell
them "If you're doing something anonymously, it must be
illegal."
- Same lesson ought to apply to a lot of things for which the
government is increasingly demanding proof of identity for
+ Anonymous Voting in Clubs, Organizations, Churches, etc.
+ a major avenue for spreading CA methods: "electronic
blackballing," weighted voting (as with number of shares)
+ e.g., a corporation issues "voting tokens," which can
be used to vote anonymously
- or even sold to others (like selling shares, except
selling only the voting right for a specific election
is cheaper, and many people don't much care about
elections)
+ a way to protect against deep pockets lawsuits in, say,
race discrimination cases
- wherein a director is sued for some action the
company takes-anonymity will give him some legal
protection, some "plausible deniability"
+ is possible to set up systems (cf. Salomaa) in which
some "supervotes" have blackball power, but the use of
these vetos is indistinguishable from a standard
majority rules vote
- i.e., nobody, except the blackballer(s), will know
whether the blackball was used!
+ will the government seek to limit this kind of
protocol?
- claiming discrimination potential or abuse of
voting rights?
+ will Justice Department (or SEC) seek to overturn
anonymous voting?
- as part of the potential move to a "full disclosure"
society?
- related to antidiscrimination laws, accountability,
etc.
+ Anonymous Voting in Reputation-Based Systems (Journals,
Markets)
+ customers can vote on products, on quality of service,
on the various deals they've been involved in
- not clear how the voting rights would get distributed
- the idea is to avoid lawsuits, sanctions by vendors,
etc. (as with the Bose suit)
+ Journals
- a canonical example, and one which I must include, as
it combines anonymous refereeing (already standard,
in primitive forms), hypertext (links to reviews),
and basic freedom of speech issues
- this will likely be an early area of use
- this whole area of consumer reviews may be a way to get
CA bandwidth up and running (lots of PK-encrypted
traffic sloshing around the various nets)
8.4.5. Maintenance of free speech
- protection of speech
+ avoiding retaliation for controversial speech
- this speech may be controversial, insulting, horrific,
politically incorrect, racist, sexist, speciesist, and
other horrible...but remailers and anonymity make it all
impossible to stop
- whistleblowing
+ political speech
- KKK, Aryan Resistance League, Black National Front,
whatever
- cf. the "debate" between "Locke" and "Demosthenes" in
Orson Scott Card's novel, "Ender's Game."
- (Many of these reasons are also why 'data havens' will
eventually be set up...indeed, they already exist...homolka
trial, etc.)
8.4.6. Adopt different personnas, pseudonyms
8.4.7. Choice of reading material, viewing habits, etc.
- to prevent dossiers on this being formed, anonymous
purchases are needed (cash works for small items, not for
video rentals, etc.)
+ video rentals
- (Note: There are "laws" making such releases illegal,
but...)
- cable t.v. viewing habits
+ mail-order purchases
- yes, they need your address to ship to, but there may be
cutouts that delink (e.g., FedEx might feature such a
service, someday
8.4.8. Anonymity in Requesting Information, Services, Goods
+ a la the controversy over Caller ID and 900 numbers: people
don't want their telephone numbers (and hence identities)
fed into huge consumer-preference data banks
- of the things they buy, the videos they rent, the books
they read. etc. (various laws protect some of these
areas, like library books, video rentals)
- subscription lists are already a booming resale
market...this will get faster and more finely "tuned"
with electronic subscriptions: hence the desire to
subscribe anonymously
+ some examples of "sensitive" services that anonymity may be
desired in (especially related to computers, modems, BBSes)
+ reading unusual or sensitive groups: alt.sex.bondage,
etc.
- or posting to these groups!
- recent controversy over NAMBLA may make such
protections more desirable to some (and parallel calls
for restrictions!)
- posting to such groups, especially given that records are
perpetual and that government agencies read and file
postings (an utterly trivial thing to do)
- requesting help on personal issues (equivalent to the
"Name Witheld" seen so often)
+ discussing controversial political issues (and who knows
what will be controversial 20 years later when the poster
is seeking a political office, for example?)
- given that some groups have already (1991) posted the
past postings of people they are trying to smear!
+ Note: the difference between posting to a BBS group or
chat line and writing a letter to an editor is
significant
- partly technological: it is vastly easier to compile
records of postings than it is to cut clippings of
letters to editors (though this will change rapidly as
scanners make this easy)
- partly sociological: people who write letters know the
letters will be with the back issues in perpetuity,
that bound issues will preserve their words for many
decades to come (and could conceivably come back to
haunt them), but people who post to BBSes probably
think their words are temporary
+ and there are some other factors
- no editing
- no time delays (and no chance to call an editor and
retract a letter written in haste or anger)
+ and letters can, and often are, written with the
"Name Witheld" signature-this is currently next to
impossible to do on networks
- though some "forwarding" services have informally
sprung up
+ Businesses may wish to protect themselves from lawsuits
over comments by their employees
+ the usual "The opinions expressed here are not those of
my employer" may not be enough to protect an employer
from lawsuits
- imagine racist or sexist comments leading to lawsuits
(or at least being brought up as evidence of the type
of "attitude" fostered by the company, e.g., "I've
worked for Intel for 12 years and can tell you that
blacks make very poor engineers.")
+ employees may make comments that damage the reputations
of their companies
- Note: this differs from the current situation, where
free speech takes priority over company concerns,
because the postings to a BBS are carried widely, may
be searched electronically (e.g., AMD lawyers search
the UseNet postings of 1988-91 for any postings by
Intel employees besmirching the quality or whatever of
AMD chips),
- and so employees of corporations may protect themselves,
and their employers, by adopting pseudonyms
+ Businesses may seek information without wanting to alert
their competitors
- this is currently done with agents, "executive search
firms," and lawyers
- but how will it evolve to handle electronic searches?
+ there are some analogies with filings of "Freedom of
Information Act" requests, and of patents, etc.
+ these "fishing expeditions" will increase with time, as
it becomes profitable for companies to search though
mountains of electronically-filed materials
- environmental impact studies, health and safety
disclosures, etc.
- could be something that some companies specialize in
+ Anonymous Consultation Services, Anonymous Stringers or
Reporters
+ imagine an information broker, perhaps on an AMIX-like
service, with a network of stringers
+ think of the arms deal newsletter writer in Hallahan's
The Trade, with his network of stringers feeding him
tips and inside information
- instead of meeting in secretive locations, a very
expensive proposition (in time and travel), a secure
network can be used
- with reputations, digital pseudonyms, etc.
+ they may not wish their actual identities known
- threats from employers, former employers, government
agencies
+ harassment via the various criminal practices that will
become more common (e.g., the ease with which
assailants and even assassins can be contracted for)
- part of the overall move toward anonymity
- fears of lawsuits, licensing requirements, etc.
+ Candidates for Such Anonymous Consultation Services
+ An arms deals newsletter
- an excellent reputation for accuracy and timely
information
+ sort of like an electronic form of Jane's
- with scandals and government concern
- but nobody knows where it comes from
+ a site that distributes it to subscribers gets it
with another larger batch of forwarded material
- NSA, FBI, Fincen, etc. try to track it down
+ "Technology Insider" reports on all kinds of new
technologies
- patterned after Hoffler's Microelectronics News, the
Valley's leading tip sheet for two decades
- the editor pays for tips, with payments made in two
parts: immediate, and time-dependent, so that the
accuracy of a tip, and its ultimate importance (in
the judgment of the editor) can be proportionately
rewarded
+ PK systems, with contributors able to encrypt and
then publicly post (using their own means of
diffusion)
- with their messages containing further material,
such as authentications, where to send the
payments, etc.
+ Lundberg's Oil Industry Survey (or similar)
- i.e., a fairly conventional newsletter with publicly
known authors
- in this case, the author is known, but the identities
of contributors is well-protected
+ A Conspiracy Newsletter
- reporting on all of the latest theories of
misbehavior (as in the "Conspiracies" section of this
outline)
+ a wrinkle: a vast hypertext web, with contributors
able to add links and nodes
+ naturally, their real name-if they don't care about
real-world repercussions-or one of their digital
pseudonyms (may as well use cryptonyms) is attached
+ various algorithms for reputations
- sum total of everything ever written, somehow
measured by other comments made, by "voting,"
etc.
- a kind of moving average, allowing for the fact
that learning will occur, just as a researcher
probably gets better with time, and that as
reputation-based systems become better
understood, people come to appreciate the
importance of writing carefully
+ and one of the most controversial of all: Yardley's
Intelligence Daily
- though it may come out more than daily!
+ an ex-agent set this up in the mid-90s, soliciting
contributions via an anonymous packet-switching sysem
- refined over the next couple of years
- combination of methods
- government has been trying hard to identify the
editor, "Yardley"
- he offers a payback based on value of the
information, and even has a "Requests" section, and a
Classifed Ad section
- a hypertext web, similar to the Conspiracy Newsletter
above
+ Will Government Try to Discredit the Newsletter With
False Information?
- of course, the standard ploy in reputation-based
systems
+ but Yardley has developed several kinds of filters
for this
- digital pseudonyms which gradually build up
reputations
- cross-checking of his own sort
- he even uses language filters to analyze the text
+ and so what?
- the world is filled with disinformation, rumors,
lies, half-truths, and somehow things go on....
+ Other AMIX-like Anonymous Services
+ Drug Prices and Tips
- tips on the quality of various drugs (e.g.,
"Several reliable sources have told us that the
latest Maui Wowie is very intense, numbers
below...")
+ synthesis of drugs (possibly a separate
subscription)
- designer drugs
- home labs
- avoiding detection
+ The Hackers Daily
- tips on hacking and cracking
- anonymous systems themselves (more tips)
- Product evaluations (anonymity needed to allow honest
comments with more protection against lawsuits)
+ Newspapers Are Becoming Cocerned with the Trend Toward
Paying for News Tips
- by the independent consultation services
- but what can they do?
+ lawsuits are tried, to prevent anonymous tips when
payments are involved
- their lawyers cite the tax evasion and national
security aspects
+ Private Data Bases
+ any organization offering access to data bases must be
concerned that somebody-a disgruntled customer, a
whistleblower, the government, whoever-will call for an
opening of the files
- under various "Data Privacy" laws
- or just in general (tort law, lawsuits, "discovery")
+ thus, steps will be taken to isolate the actual data from
actual users, perhaps via cutouts
+ e.g., a data service sells access, but subcontracts out
the searches to other services via paths that are
untraceable
+ this probably can't be outlawed in general-though any
specific transaction might later be declared illegal,
etc., at which time the link is cut and a new one is
established-as this would outlaw all subcontracting
arrangements!
- i.e., if Joe's Data Service charges $1000 for a
search on widgets and then uses another possibly
transitory (meaning a cutout) data service, the
most a lawsuit can do is to force Joe to stop using
this untraceble service
- levels of indirection (and firewalls that stop the
propagation of investigations)
+ Medical Polls (a la AIDS surveys, sexual practices surveys,
etc.)
+ recall the method in which a participant tosses a coin to
answer a question...the analyst can still recover the
important ensemble information, but the "phase" is lost
- i.e., an individual answering "Yes" to the question
"Have you ever had xyz sex?" may have really answered
"No" but had his answer flipped by a coin toss
+ researchers may even adopt sophisticated methods in which
explicit diaries are kept, but which are then transmitted
under an anonymous mailing system to the researchers
- obvious dangers of authentication, validity, etc.
+ Medical testing: many reasons for people to seek anonymity
- AIDS testing is the preeminent example
- but also testing for conditions that might affect
insurablity or employment (e.g., people may go to
medical havens in Mexico or wherever for tests that might
lead to uninsurability should insurance companies learn
of the "precondition")
+ except in AIDS and STDs, it is probably both illegal and
against medical ethics to offer anonymous consultations
- perhaps people will travel to other countries
8.4.9. Anonymity in Belonging to Certain Clubs, Churches, or
Organizations
+ people fear retaliation or embarassment should their
membership be discovered, now or later
- e.g., a church member who belongs to controversial groups
or clubs
- mainly, or wholly, those in which physical contact or other
personal contact is not needed (a limited set)
- similar to the cell-based systems described elsewhere
+ Candidates for anonymous clubs or organizations
- Earth First!, Act Up, Animal Liberation Front, etc.
- NAMBLA and similar controversial groups
- all of these kinds of groups have very vocal, very visible
members, visible even to the point of seeking out
television coverage
- but there are probably many more who would join these
groups if there identities could be shielded from public
group, for the sake of their careers, their families, etc.
+ ironically, the corporate crackdown on outside activities
considered hostile to the corporation (or exposing them to
secondary lawsuits, claims, etc.) may cause greater use of
anonymous systems
- cell-based membership in groups
- the growth of anonymous membership in groups (using
pseudonyms) has a benefit in increasing membership by
people otherwise afraid to join, for example, a radical
environmental group
8.4.10. Anonymity in Giving Advice or Pointers to Information
- suppose someone says who is selling some illegal or
contraband product...is this also illegal?
- hypertext systems will make this inevitable
8.4.11. Reviews, Criticisms, Feedback
- "I am teaching sections for a class this term, and tomorrow
I am going to: 1) tell my students how to use a remailer,
and 2) solicit anonymous feedback on my teaching.
"I figure it will make them less apprehensive about making
honest suggestions and comments (assuming any of them
bother, of course)." [Patrick J. LoPresti
patl@lcs.mit.edu, alt.privacy.anon-server, 1994-09-08]
8.4.12. Protection against lawsuits, "deep pockets" laws
+ by not allowing the wealth of an entity to be associated
with actions
- this also works by hiding assets, but the IRS frowns on
that, so unlinking the posting or mailing name with
actual entity is usually easier
+ "deep pockets"
- it will be in the interest of some to hide their
identities so as to head off these kinds of lawsuits
(filed for whatever reasons, rightly or wrongly)
- postings and comments may expose the authors to lawsuits
for libel, misrepresentation, unfair competition, and so
on (so much for free speech in these beknighted states)
+ employers may also be exposed to the same suits,
regardless of where their employees posted from
- on the tenuous grounds that an employee was acting on
his employer's behalf, e.g., in defending an Intel
product on Usenet
- this, BTW, is another reason for people to seek ways to
hide some of their assets-to prevent confiscation in deep
pockets lawsuits (or family illnesses, in which various
agencies try to seize assets of anybody they can)
- and the same computers that allow these transactions will
also allow more rapid determination of who has the
deepest pockets!
+ by insulating the entity from repercussions of "sexist" or
"racist" comments that might provoke lawsuits, etc.
- (Don't laugh--many companies are getting worried that
what their employees write on Usenet may trigger lawsuits
against the companies.)
+ many transactions may be deemed illegal in some
jursidictions
+ even in some that the service or goods provider has no
control over
- example: gun makers being held liable for firearms
deaths in the District of Columbia (though this was
recently cancelled)
- the maze of laws may cause some to seek anonymity to
protect themselves against this maze
+ Scenario: Anonymous organ donor banks
+ e.g., a way to "market" rare blood types, or whatever,
without exposing one's self to forced donation or other
sanctions
- "forced donation" involves the lawsuits filed by the
potential recipient
- at the time of offer, at least...what happens when the
deal is consummated is another domain
- and a way to avoid the growing number of government
stings
8.4.13. Journalism and Writing
+ writers have had a long tradtion of adopting pseudonyms,
for a variety of reasons
- because they couldn't get published under their True
Names, because they didn't _want_ their true names
published, for the fun of it, etc.
- George Elliot, Lewis Carroll, Saki, Mark Twain, etc.
- reporters
+ radio disc jockeys
- a Cypherpunk who works for a technology company uses the
"on air personna" of "Arthur Dent" ("Hitchhiker's Guide")
for his part-time radio broadcasting job...a common
situation, he tells me
+ whistleblowers
- this was an early use
+ politically sensitive persons
- "
+ I subsequently got myself an account on anon.penet.fi as
the "Lt.
- Starbuck" entity, and all later FAQ updates were from
that account.
- For reasons that seemed important at the time, I took
it upon myself to
- become the moderator/editor of the FAQ."
-
+ Example: Remailers were used to skirt the publishing ban on
the Karla Homolka case
- various pseudonymous authors issued regular updates
- much consternation in Canada!
+ avoidance of prosecution or damage claims for writing,
editing, distributing, or selling "damaging" materials is
yet another reason for anonymous systems to emerge: those
involved in the process will seek to immunize themselves
from the various tort claims that are clogging the courts
- producers, distributors, directors, writers, and even
actors of x-rated or otherwise "unacceptable" material
may have to have the protection of anonymous systems
- imagine fiber optics and the proliferation of videos and
talk shows....bluenoses and prosecutors will use "forum
shopping" to block access, to prosecute the producers,
etc.
8.4.14. Academic, Scientific, or Professional
- protect other reputations (professional, authorial,
personal, etc.)
- wider range of actions and behaviors (authors can take
chances)
- floating ideas out under pseudonyms
- later linking of these pseudonyms to one's own identity, if
needed (a case of credential transfer)
- floating unusual points of view
- Peter Wayner writes: "I would think that many people who
hang out on technical newsgroups would be very familiar
with the anonymous review procedures practiced by academic
journals. There is some value when a reviewer can speak
their mind about a paper without worry of revenge. Of
course everyone assures me that the system is never really
anonymous because there are alwys only three or four people
qualified to review each paper. :-) ....Perhaps we should
go out of our way to make anonymous, technical comments
about papers and ideas in the newsgroups to fascilitate the
development of an anonymous commenting culture in
cypberspace." [Peter Wayner, 1993-02-09]
8.4.15. Medical Testing and Treatment
- anonymous medical tests, a la AIDS testing
8.4.16. Abuse, Recovery
+ personal problem discussions
- incest, rape, emotional, Dear Abby, etc.
8.4.17. Bypassing of export laws
- Anonymous remailers have been useful for bypassing the
ITARs...this is how PGP 2.6 spread rapidly, and (we hope!)
untraceably from MIT and U.S. sites to offshore locations.
8.4.18. Sex groups, discussions of controversial topics
- the various alt.sex groups
- People may feel embarrassed, may fear repercussions from
their employers, may not wish their family and friends to
see their posts, or may simply be aware that Usenet is
archived in many, many places, and is even available on CD-
ROM and will be trivially searchable in the coming decades
+ the 100% traceability of public postings to UseNet and
other bulletin boards is very stifling to free expression
and becomes one of the main justifications for the use of
anonymous (or pseudononymous) boards and nets
- there may be calls for laws against such compilation, as
with the British data laws, but basically there is little
that can be done when postings go to tens of thousands of
machines and are archived in perpetuity by many of these
nodes and by thousands of readers
- readers who may incorporate the material into their own
postings, etc. (hence the absurdity of the British law)
8.4.19. Avoiding political espionage
+ TLAs in many countries monitor nearly all international
communications (and a lot of domestic communications, too)
- companies and individuals may wish to avoid reprisals,
sanctions, etc.
- PGP is reported to be in use by several dissident groups,
and several Cypherpunks are involved in assisting them.
- "...one legitimate application is to allow international
political groups or companies to exchange authenticated
messages without being subjected to the risk of
espionage/compromise by a three letter US agency, foreign
intelligence agency, or third party." [Sean M. Dougherty,
alt.privacy.anon-server, 1994-09-07]
8.4.20. Controversial political discussion, or membership in
political groups, mailing lists, etc.
+ Recall House UnAmerican Activities Committee
- and it's modern variant: "Are you now, or have you ever
been, a Cypherpunk?"
8.4.21. Preventing Stalking and Harassment
- avoid physical tracing (harassment, "wannafucks," stalkers,
etc.)
- women and others are often sent "wannafuck?" messages from
the males that outnumber them 20-to-1 in many newsgroups--
pseudonyms help.
- given the ease with which net I.D.s can be converted to
physical location information, many women may be worried.
+ males can be concerned as well, given the death threats
issued by, for example, S. Boxx/Detweiler.
- as it happens, S. Boxx threatened me, and I make my home
phone number and location readily known...but then I'm
armed and ready.
8.4.22. pressure relief valve: knowing one can flee or head for the
frontier and not be burdened with a past
- perhaps high rate of recidivism is correlated with this
inability to escape...once a con, marked for life
(certainly denied access to high-paying jobs)
8.4.23. preclude lawsuits, subpoenas, entanglement in the legal
machinery
8.4.24. Business Reasons
+ Corporations can order supplies, information, without
tipping their hand
- the Disney purchase of land, via anonymous cutouts (to
avoid driving the price way up)
- secret ingredients (apocryphally, Coca Cola)
- avoiding the "deep pockets" syndrome mentioned above
- to beat zoning and licensing requirements (e.g., a certain
type of business may not be "permitted" in a home office,
so the homeowner will have to use cutouts to hide from
enforcers)
- protection from (and to) employers
+ employees of corporations may have to do more than just
claim their view are not those of their employer
- e.g., a racist post could expose IBM to sanctions,
charges
+ thus, many employees may have to further insulate their
identities
- blanc@microsoft.com is now
blanc@pylon.com...coincidence?
+ moonlighting employees (the original concern over Black Net
and AMIX)
- employers may have all kinds of concerns, hence the need
for employees to hide their identities
- note that this interects with the licensing and zoning
aspects
- publishers, service-prividers
+ Needed for Certain Kinds of Reputation-Based Systems
+ a respected scientist may wish to float a speculative
idea
- and be able to later prove it was in fact his idea
8.4.25. Protection against retaliation
- whistleblowing
+ organizing boycotts
- (in an era of laws regulating free speech, and "SLAPP"
lawsuits)
+ the visa folks (Cantwell and Siegel) threatening those who
comment with suits
- the law firm that posted to 5,000 groups....also raises
the issue again of why the Net should be subsidized
- participating in public forums
+ as one person threatened with a lawsuit over his Usenet
comments put it:
- "And now they are threatening me. Merely because I openly
expressed my views on their extremely irresponsible
behaviour. Anyways, I have already cancelled the article
from my site and I publicly appologize for posting it in
the first place. I am scared :) I take all my words back.
Will use the anonymous service next time :)"
8.4.26. Preventing Tracking, Surveillance, Dossier Society
+ avoiding dossiers in general
- too many dossiers being kept; anonymity allows people to
at least hold back the tide a bit
+ headhunting, job searching, where revealing one's identity
is not always a good idea
- some headhunters are working for one's current employer!
- dossiers
8.4.27. Some Examples from the Cypherpunks List
+ S, Boxx, aka Sue D. Nym, Pablo Escobar, The Executioner,
and an12070
- but Lawrence Detweiler by any other name
+ he let slip his pseudonym-true name links in several ways
- stylistic cues
- mention of things only the "other" was likely to have
heard
+ sysops acknowledged certain linkings
- *not* Julf, though Julf presumably knew the identity
of "an12070"
+ Pr0duct Cypher
- Jason Burrell points out: "Take Pr0duct Cypher, for
example. Many believe that what (s)he's doing(*) is a
Good Thing, and I've seen him/her using the Cypherpunk
remailers to conceal his/her identity....* If you don't
know, (s)he's the person who wrote PGPTOOLS, and a hack
for PGP 2.3a to decrypt messages written with 2.6. I
assume (s)he's doing it anonymously due to ITAR
regulations." [J.B., 1994-09-05]
+ Black Unicorn
- Is the pseudonym of a Washington, D.C. lawyer (I think),
who has business ties to conservative bankers and
businessmen in Europe, especially Liechtenstein and
Switzerland. His involvement with the Cypherpunks group
caused him to adopt this pseudonym.
- Ironically, he got into a battle with S. Boxx/Detweiler
and threated legal action. This cause a rather
instructive debate to occur.
8.5 - Untraceable E-Mail
8.5.1. The Basic Idea of Remailers
- Messages are encrypted, envelopes within envelopes, thus
making tracing based on external appearance impossible. If
the remailer nodes keep the mapping between inputs and
outputs secret, the "trail" is lost.
8.5.2. Why is untraceable mail so important?
+ Bear in mind that "untraceable mail" is the default
situation for ordinary mail, where one seals an envelope,
applies a stamp, and drops it anonymously in a letterbox.
No records are kept, no return address is required (or
confirmed), etc.
- regional postmark shows general area, but not source
mailbox
+ Many of us believe that the current system of anonymous
mail would not be "allowed" if introduced today for the
first time
- Postal Service would demand personalized stamps,
verifiable return addresses, etc. (not foolproof, or
secure, but...)
+ Reasons:
- to prevent dossiers of who is contacting whom from being
compiled
- to make contacts a personal matter
- many actual uses: maintaining pseudonyms, anonymous
contracts, protecting business dealings, etc.
8.5.3. How do Cypherpunks remailers work?
8.5.4. How, in simple terms, can I send anonymous mail?
8.5.5. Chaum's Digital Mixes
- How do digital mixes work?
8.5.6. "Are today's remailers secure against traffic analysis?"
- Mostly not. Many key digital mix features are missing, and
the gaps can be exploited.
+ Depends on features used:
- Reordering (e.g., 10 messages in, 10 messages out)
- Quantization to fixed sizes (else different sizes give
clues)
- Encryption at all stages (up to the customer, of course)
- But probably not, given that current remailers often lack
necessary features to deter traffic analysis. Padding is
iffy, batching is often not done at all (people cherish
speed, and often downcheck remailers that are "too slow")
- Best to view today's remailers as experiments, as
prototypes.
8.6 - Remailers and Digital Mixes (A Large Section!)
8.6.1. What are remailers?
8.6.2. Cypherpunks remailers compared to Julf's
+ Apparently long delays are mounting at the penet remailer.
Complaints about week-long delays, answered by:
- "Well, nobody is stopping you from using the excellent
series of cypherpunk remailers, starting with one at
remail@vox.hacktic.nl. These remailers beat the hell out
of anon.penet.fi. Either same day or at worst next day
service, PGP encryption allowed, chaining, and gateways
to USENET." [Mark Terka, The normal delay for
anon.penet.fi?, alt.privacy.anon-server, 1994-08-19]
+ "How large is the load on Julf's remailer?"
- "I spoke to Julf recently and what he really needs is
$750/month and one off $5000 to upgrade his feed/machine.
I em looking at the possibility of sponsorship (but don't
let that stop other people trying).....Julf has buuilt up
a loyal, trusting following of over 100,000 people and
6000 messages/day. Upgrading him seems a good
idea.....Yes, there are other remailers. Let's use them
if we can and lessen the load on Julf." [Steve Harris,
alt.privacy.anon-server, 1994-08-22]
- (Now if the deman on Julf's remailer is this high, seems
like a great chance to deploy some sort of fee-based
system, to pay for further expansion. No doubt many of
the users would drop off, but such is the nature of
business.)
8.6.3. "How do remailers work?"
- (The MFAQ also has some answers.)
- Simply, they work by taking an incoming text block and
looking for instructions on where to send the remaining
text block, and what to do with it (decryption, delays,
postage, etc.)
+ Some remailers can process the Unix mail program(s) outputs
directly, operating on the mail headers
- names of programs...
+ I think the "::" format Eric Hughes came up with in his
first few days of looking at this turned out to be a real
win (perhaps comparable to John McCarthy's decision to use
parenthesized s-expressions in Lisp?).
- it allows arbitary chaining, and all mail messages that
have text in standard ASCII--which is all mailers, I
believe--can then use the Cypherpunks remailers
8.6.4. "What are some uses of remailers?"
- Thi is mostly answered in other sections, outlining the
uses of anonymity and digital pseudonyms: remailers are of
course the enabling technology for anonymity.
+ using remailers to foil traffic analysis
- An interesting comment from someone not part of our
group, in a discussion of proposal to disconnect U.K.
computers from Usenet (because of British laws about
libel, about pornography, and such): "PGP hides the
target. The remailers discard the source info. THe more
paranoid remailers introduce a random delay on resending
to foil traffic analysis. You'd be suprised what can be
done :-).....If you use a chain then the first remailer
knows who you are but the destination is encrypted. The
last remailer knows the destination but cannot know the
source. Intermediate ones know neither." [Malcolm
McMahon, JANET (UK) to ban USENET?, comp.org.eff.talk,
1994-08-30]
- So, word is spreading. Note the emphasis on Cyphepunks-
type remailers, as opposed to Julf-style anonymous
services.
+ options for distributing anonymous messages
+ via remailers
- the conventional approach
- upsides: recipient need not do anything special
- downsides: that's it--recipient may not welcome the
message
+ to a newsgroup
- a kind of message pool
- upsides: worldwide dist
- to an ftp site, or Web-reachable site
- a mailing list
8.6.5. "Why are remailers needed?"
+ Hal Finney summarized the reasons nicely in an answer back
in early 1993.
- "There are several different advantages provided by
anonymous remailers. One of the simplest and least
controversial would be to defeat traffic analysis on
ordinary email.....Two people who wish to communicate
privately can use PGP or some other encryption system to
hide the content of their messages. But the fact that
they are communicating with each other is still visible
to many people: sysops at their sites and possibly at
intervening sites, as well as various net snoopers. It
would be natural for them to desire an additional amount
of privacy which would disguise who they were
communicating with as well as what they were saying.
"Anonymous remailers make this possible. By forwarding
mail between themselves through remailers, while still
identifying themselves in the (encrypted) message
contents, they have even more communications privacy than
with simple encryption.
"(The Cypherpunk vision includes a world in which
literally hundreds or thousands of such remailers
operate. Mail could be bounced through dozens of these
services, mixing in with tens of thousands of other
messages, re-encrypted at each step of the way. This
should make traffic analysis virtually impossible. By
sending periodic dummy messages which just get swallowed
up at some step, people can even disguise _when_ they are
communicating.)" [Hal Finney, 1993-02-23]
"The more controversial vision associated with anonymous
remailers is expressed in such science fiction stories as
"True Names", by Vernor
Vinge, or "Ender's Game", by Orson Scott Card. These
depict worlds in which computer networks are in
widespread use, but in which many people choose to
participate through pseudonyms. In this way they can
make unpopular arguments or participate in frowned-upon
transactions without their activities being linked to
their true identities. It also allows people to develop
reputations based on the quality of their ideas, rather
than their job, wealth, age, or status." [Hal Finney,
1993-02-23]
- "Other advantages of this approach include its extension to
electronic on-line transactions. Already today many
records are kept of our financial dealings - each time we
purchase an item over the phone using a credit card, this
is recorded by the credit card company. In time, even more
of this kind of information may be collected and possibly
sold. One Cypherpunk vision includes the ability to engage
in transactions anonymously, using "digital cash", which
would not be traceable to the participants. Particularly
for buying "soft" products, like music, video, and software
(which all may be deliverable over the net eventually), it
should be possible to engage in such transactions
anonymously. So this is another area where anonymous mail
is important." [Hal Finney, 1993-02-23]
8.6.6. "How do I actually use a remailer?"
+ (Note: Remailer instructions are posted _frequently_. There
is no way I can keep up to date with them here. Consult the
various mailing lists and finger sites, or use the Web
docs, to find the most current instructions, keys, uptimes,
etc._
+ Raph Levien's finger site is very impressive:
+ Raph Levien has an impressive utility which pings the
remailers and reports uptime:
- finger remailer-list@kiwi.cs.berkeley.edu
- or use the Web at
http://www.cs.berkeley.edu/~raph/remailer-list.html
- Raph Levien also has a remailer chaining script at
ftp://kiwi.cs.berkeley.edu/pub/raph/premail-
0.20.tar.gz
+ Keys for remailers
- remailer-list@chaos.bsu.edu (Matthew Ghio maintains)
+ "Why do remailers only operate on headers and not the body
of a message? Why aren't signatures stripped off by
remailers?"
- "The reason to build mailers that faithfully pass on the
entire body of
the message, without any kind of alteration, is that it
permits you to
send ANY body through that mailer and rely on its
faithful arrival at the
destination." [John Gilmore, 93-01-01]
- The "::" special form is an exception
- Signature blocks at the end of message bodies
specifically should _not_ be stripped, even though this
can cause security breaches if they are accidentally left
in when not intended. Attempting to strip sigs, which
come in many flavors, would be a nightmare and could
strip other stuff, too. Besides, some people may want a
sig attached, even to an encrypted message.
- As usual, anyone is of course free to have a remailer
which munges message bodies as it sees fit, but I expect
such remailers will lose customers.
- Another possibility is another special form, such as
"::End", that could be used to delimit the block to be
remailed. But it'll be hard getting such a "frill"
accepted.
+ "How do remailers handle subject lines?"
- In various ways. Some ignore it, some preserve it, some
even can accept instructions to create a new subject line
(perhaps in the last remailer).
- There are reasons not to have a subject line propagated
through a chain of remailers: it tags the message and
hence makes traffic analysis trivial. But there are also
reasons to have a subject line--makes it easier on the
recipient--and so these schemes to add a subject line
exist.
+ "Can nicknames or aliases be used with the Cypherpunks
remailers?"
- Certainly digitally signed IDs are used (Pr0duct Cypher,
for example), but not nicknames preserved in fields in
the remailing and mail-to-Usenet gateways.
- This could perhaps be added to the remailers, as an extra
field. (I've heard the mail fields are more tolerant of
added stuff than the Netnews fields are, making mail-to-
News gateways lose the extra fields.)
+ Some remailer sites support them
- "If you want an alias assigned at vox.hacktic.nl, one -
only- needs to send some empty mail to
and the adress the mail was send
from will be inculded in the data-base.....Since
vox.hacktic.nl is on a UUCP node the reply can take
some time, usually something like 8 to 12 hours."[Alex
de Joode, , 1994-08-29]
+ "What do remailers do with the various portions of
messages? Do they send stuff included after an encrypted
block? Should they? What about headers?"
+ There are clearly lots of approaches that may be taken:
- Send everything as is, leaving it up to the sender to
ensure that nothing incriminating is left
- Make certain choices
- I favor sending everything, unless specifically told not
to, as this makes fewer assumptions about the intended
form of the message and thus allows more flexibility in
designing new functions.
+ For example, this is what Matthew Ghio had to to say
about his remailer:
- "Everything after the encrypted message gets passed
along in the clear. If you don't want this, you can
remove it using the cutmarks feature with my remailer.
(Also, remail@extropia.wimsey.com doesn't append the
text after the encrypted message.) The reason for this
is that it allows anonymous replies. I can create a
pgp message for a remailer which will be delivered to
myself. I send you the PGP message, you append some
text to it, and send it to the remailer. The remailer
decrypts it and remails it to me, and I get your
message. [M.G., alt.privacy.anon-server, 1994-07-03]
8.6.7. Remailer Sites
- There is no central administrator of sites, of course, so a
variety of tools are the best ways to develop one's own
list of sites. (Many of us, I suspect, simply settle on a
dozen or so of our favorites. This will change as hundreds
of remailers appear; of course, various scripting programs
will be used to generate the trajectories, handled the
nested encryption, etc.)
- The newsgroups alt.privacy.anon-server, alt.security.pgp,
etc. often report on the latest sites, tools, etc.
+ Software for Remailers
+ Software to run a remailer site can be found at:
- soda.csua.berkeley.edu in /pub/cypherpunks/remailer/
- chaos.bsu.edu in /pub/cypherpunks/remailer/
+ Instructions for Using Remailers and Keyservers
+ on how to use keyservers
- "If you have access to the World Wide Web, see this
URL: http://draco.centerline.com:8080/~franl/pgp/pgp-
keyservers.html" [Fran Litterio, alt.security.pgp, 1994-
09-02]
+ Identifying Remailer Sites
+ finger remailer-list@chaos.bsu.edu
- returns a list of active remailers
- for more complete information, keys, and instructions,
finger remailer.help.all@chaos.bsu.edu
- gopher://chaos.bsu.edu/
+ Raph Levien has an impressive utility which pings the
remailers and reports uptime:
- finger remailer-list@kiwi.cs.berkeley.edu
- or use the Web at
http://www.cs.berkeley.edu/~raph/remailer-list.html
- Raph Levien also has a remailer chaining script at
ftp://kiwi.cs.berkeley.edu/pub/raph/premail-0.20.tar.gz
+ Remailer pinging
- "I have written and installed a remailer pinging script
which
collects detailed information about remailer features and
reliability.
To use it, just finger remailer-
list@kiwi.cs.berkeley.edu
There is also a Web version of the same information, at:
http://www.cs.berkeley.edu/~raph/remailer-list.html"
[Raph Levien, 1994-08-29]
+ Sites which are down??
- tamsun.tamu.edu and tamaix.tamu.edu
8.6.8. "How do I set up a remailer at my site?"
- This is not something for the casual user, but is certainly
possible.
- "Would someone be able to help me install the remailer
scripts from the archives? I have no Unix experience and
have *no* idea where to begin. I don't even know if root
access is needed for these. Any help would be
appreciated." [Robert Luscombe, 93-04-28]
- Sameer Parekh, Matthew Ghio, Raph Levien have all written
instructions....
8.6.9. "How are most Cypherpunks remailers written, and with what
tools?"
- as scripts which manipulate the mail files, replacing
headers, etc.
- Perl, C, TCL
- "The cypherpunks remailers have been written in Perl, which
facilitates experimenting and testing of new interfaces.
The idea might be to migrate them to C eventually for
efficiency, but during this experimental phase we may want
to try out new ideas, and it's easier to modify a Perl
script than a C program." [Hal Finney, 93-01-09]
- "I do appreciate the cypherpunks stuff, but perl is still
not a very
widely used standard tool, and not everyone of us want to
learn the
ins and outs of yet another language... So I do applaud
the C
version..." [Johan Helsingius, "Julf," 93-01-09]
8.6.10. Dealing with Remailer Abuse
+ The Hot Potato
- a remailer who is being used very heavily, or suspects
abuse, may choose to distribute his load to other
remailers. Generally, he can instead of remailing to the
next site, add sites of his own choosing. Thus, he can
both reduce the spotlight on him and also increase cover
traffic by scattering some percentage of his traffic to
other sites (it never reduces his traffic, just lessens
the focus on him).
+ Flooding attacks
- denial of service attacks
- like blowing whistles at sports events, to confuse the
action
- DC-Nets, disruption (disruptionf of DC-Nets by flooding
is a very similar problem to disruption of remailers by
mail bombs)
+ "How can remailers deal with abuse?"
- Several remailer operators have shut down their
remailers, either because they got tired of dealing with
the problems, or because others ordered them to.
- Source level blocking
- Paid messages: at least this makes the abusers _pay_ and
stops certain kinds of spamming/bombing attacks.
- Disrupters are dealt with in anonymous ways in Chaum's DC-
Net schemes; there may be a way to use this here.
+ Karl Kleinpaste was a pioneer (circa 1991-2) of remailers.
He has become disenchanted:
- "There are 3 sites out there which have my software:
anon.penet.fi, tygra, and uiuc.edu. I have philosophical
disagreement with the "universal reach" policy of
anon.penet.fi (whose code is now a long-detached strain
from the original software I gave Julf -- indeed, by now
it may be a complete rewrite, I simply don't know);
....Very bluntly, having tried to run anon servers twice,
and having had both go down due to actual legal
difficulties, I don't trust people with them any more."
[Karl_Kleinpaste@cs.cmu.edu, alt.privacy.anon-server,
1994-08-29]
- see discussions in alt.privacy.anon-server for more on
his legal problems with remailers, and why he shut his
down
8.6.11. Generations of Remailers
+ First Generation Remailer Characteristics--Now (since 1992)
- Perl scripts, simple processing of headers, crypto
+ Second Generation Remailer Characteristics--Maybe 1994
- digital postage of some form (perhaps simple coupons or
"stamps")
- more flexible handling of exceptions
- mail objects can tell remailer what settings to use
(delays, latency, etc.(
+ Third Generation Remailer Characteristics--1995-7?
- protocol negotiation
+ Chaum-like "mix" characteristics
- tamper-resistant modules (remailer software runs in a
sealed environment, not visible to operator)
+ Fourth Generation Remailer Characteristics--1996-9?
- Who knows?
- Agent-based (Telescript?)
- DC-Net-based
8.6.12. Remailer identity escrow
+ could have some uses...
- what incentives would anyone have?
- recipients could source-block any remailer that did not
have some means of coping with serious abuse...a perfect
free market solution
- could also be mandated
8.6.13. Remailer Features
+ There are dozens of proposed variations, tricks, and
methods which may or may not add to overall remailer
security (entropy, confusion). These are often discussed on
the list, one at a time. Some of them are:
+ Using one's self as a remailer node. Route traffic back
through one's own system.
- even if all other systems are compromised...
- Random delays, over and above what is needed to meet
reordering requirements
- MIRVing, sending a packet out in multiple pieces
- Encryption is of course a primary feature.
+ Digital postage.
- Not so much a feature as an incentive/inducement to get
more remailers and support them better.
+ "What are features of a remailer network?"
- A vast number of features have been considered; some are
derivative of other, more basic features (e.g., "random
delays" is not a basic feature, but is one proposed way
of achieving "reordering," which is what is really
needed. And "reordering" is just the way to achieve
"decorrelation" of incoming and outgoing messages).
+ The "Ideal Mix" is worth considering, just as the "ideal
op amp" is studied by engineers, regardless of whether
one can ever be built.
- a black box that decorrelates incoming and outgoing
packets to some level of diffusion
- tamper-proof, in that outside world cannot see the
internal process of decorrelation (Chaum envisioned
tamper-resistant or tamper-responding circuits doing
the decorrelation)
+ Features of Real-World Mixes:
+ Decorrelation of incoming and outgoing messages. This
is the most basic feature of any mix or remailer:
obscuring the relationship between any message entering
the mix and any message leaving the mix. How this is
achieve is what most of the features here are all
about.
- "Diffusion" is achieved by batching or delaying
(danger: low-volume traffic defeats simple, fixed
delays)
- For example, in some time period, 20 messages enter a
node. Then 20 or so (could be less, could be
more...there is no reason not to add messages, or
throw away some) messages leave.
+ Encryption should be supported, else the decorrelation
is easily defeated by simple inspection of packets.
- public key encryption, clearly, is preferred (else
the keys are available outside)
- forward encryption, using D-H approaches, is a useful
idea to explore, with keys discarded after
transmission....thus making subpoenas problematic
(this has been used with secure phones, for example).
+ Quanitzed packet sizes. Obviously the size of a packet
(e.g., 3137 bytes) is a strong cue as to message
identity. Quantizing to a fixed size destroys this cue.
+ But since some messages may be small, and some large,
a practical compromise is perhaps to quantize to one
of several standards:
- small messages, e.g., 5K
- medium messages, e.g., 20K
- large messages....handled somehow (perhaps split
up, etc.)
- More analysis is needed.
+ Reputation and Service
- How long in business?
- Logging policy? Are messages logged?
- the expectation of operating as stated
+ The Basic Goals of Remailer Use
+ decorrelation of ingoing and outgoing messages
- indistinguishability
+ "remailed messages have no hair" (apologies to the
black hole fans out there)
- no distinguishing charateristics that can be used to
make correlations
- no "memory" of previous appearance
+ this means message size padding to quantized sizes,
typically
- how many distinct sizes depends on a lot fo things,
like traffic, the sizes of other messages, etc.
+ Encryption, of course
- PGP
- otherwise, messages are trivially distinguishable
+ Quantization or Padding: Messages
- padded to standard sizes, or dithered in size to obscure
oringinal size. For example, 2K for typical short
messages, 5K for typical Usenet articles, and 20K for
long articles. (Messages much longer are hard to hide in
a sea of much shorter messages, but other possibilities
exist: delaying the long messages until N other long
messages have been accumulated, splitting the messages
into smaller chunks, etc.)
+ "What are the quanta for remailers? That is, what are the
preferred packet sizes for remailed messages?"
- In the short term, now, the remailed packet sizes are
pretty much what they started out to be, e.g, 3-6KB or
so. Some remailers can pad to quantized levels, e.g.,
to 5K or 10K or more. The levels have not been settled
on.
- In the long term, I suspect much smaller packets will
be selected. Perhaps at the granularity of ATM packets.
"ATM Remailers" are likely to be coming. (This changes
the nature of traffic analyis a bit, as the _number_ of
remailed packets increases.
- A dissenting argument: ATM networks don't give sender
the control over packets...
- Whatever, I think packets will get smaller, not larger.
Interesting issues.
- "Based on Hal's numbers, I would suggest a reasonable
quantization for message sizes be a short set of
geometrically increasing values, namely, 1K, 4K, 16K,
64K. In retrospect, this seems like the obvious
quantization, and not arithmetic progressions." [Eric
Hughes, 1994-08-29]
- (Eudora chokes at 32K, and so splits messages at about
25K, to leave room for comments without further
splitting. Such practical considerations may be important
to consider.)
+ Return Mail
- A complicated issue. May have no simple solution.
+ Approaches:
- Post encrypted message to a pool. Sender (who provided
the key to use) is able to retrieve anonymously by the
nature of pools and/or public posting.
+ Return envelopes, using some kind of procedure to
ensure anonymity. Since software is by nature never
secure (can always be taken apart), the issues are
complicated. The security may be gotten by arranging
with the remailers in the return path to do certain
things to certain messages.
- sender sends instructions to remailers on how to
treat messages of certain types
- the recipient who is replying cannot deduce the
identity, because he has no access to the
instructions the remailers have.
- Think of this as Alice sending to Bob sending to
Charles....sending to Zeke. Zeke sends a reply back
to Yancy, who has instructions to send this back to
Xavier, and so on back up the chain. Only if Bob,
Charles, ..., Yancy collude, can the mapping in the
reverse direction be deduced.
- Are these schemes complicated? Yes. But so are lot of
other protocols, such as getting fonts from a screen
to a laser printer
+ Reordering of Messages is Crucial
+ latency or fanout in remailers
+ much more important than "delay"
- do some calculations!
+ the canard about "latency" or delay keeps coming up
- a "delay" of X is neither necessary nor sufficient
to achieve reordering (think about it)
- essential for removing time correlation information,
for removing a "distinguishing mark" ("ideal remailed
messages have no hair")
+ The importance of pay as you go, digital postage
+ standard market issues
- markets are how scarece resources are allocated
- reduces spamming, overloading, bombing
- congestion pricing
- incentives for improvement
+ feedback mechanisms
- in the same way the restaurants see impacts quickly
- applies to other crypto uses besides remailers
+ Miscellaneous
- by having one's own nodes, further ensures security
(true, the conspiring of all other nodes can cause
traceability, but such a conspiracy is costly and would
be revealed)
+ the "public posting" idea is very attractive: at no point
does the last node know who the next node will be...all
he knows is a public key for that node
+ so how does the next node in line get the message,
short of reading all messages?
- first, security is not much compromised by sorting
the public postings by some kind of order set by the
header (e.g., "Fred" is shorthand for some long P-K,
and hence the recipient knows to look in the
Fs...obviously he reads more than just the Fs)
+ outgoing messages can be "broadcast" (sent to many nodes,
either by a literal broadcast or public posting, or by
randomly picking many nodes)
- this "blackboard" system means no point to point
communication is needed
+ Timed-release strategies
+ encrypt and then release the key later
- "innocuously" (how?)
- through a remailing service
- DC-Net
- via an escrow service or a lawyer (but can the lawyer
get into hot water for releasing the key to
controversial data?)
- with a series of such releases, the key can be
"diffused"
- some companies may specialize in timed-release, such
as by offering a P-K with the private key to be
released some time later
- in an ecology of cryptoid entities, this will increase
the degrees of freedom
+ this reduces the legal liability of
retransmitters...they can accurately claim that they
were only passing data, that there was no way they
could know the content of the packets
- of course they can already claim this, due to the
encrypted nature
+ One-Shot Remailers
- "You can get an anonymous address from
mg5n+getid@andrew.cmu.edu. Each time you request an
anon address, you get a different one. You can get as
many as you like. The addresses don't expire, however,
so maybe it's not the ideal 'one-shot' system, but it
allows replies without connecting you to your 'real
name/address' or to any of your other posts/nyms." [
Matthew Ghio, 1994-04-07]
8.6.14. Things Needed in Remailers
+ return receipts
- Rick Busdiecker notes that "The idea of a Return-Receipt-
To: field has been around for a while, but the semantics
have never been pinned down. Some mailer daemons
generate replies meaning that the bits were delivered."
[R.B., 1994-08-08]
+ special handling instructions
- agents, daemons
- negotiated procedures
+ digital postage
- of paramount importance!
- solves many problems, and incentivizes remailers
+ padding
+ padding to fixed sizes
- padding to fixed powers of 2 would increase the average
message size by about a third
- lots of remailers
- multiple jursidictions
- robustness and consistency
+ running in secure hardware
- no logs
- no monitoring by operator
- wipe of all temp files
- instantiated quickly, fluidly
- better randomization of remailers
8.6.15. Miscellaneous Aspects of Remailers
+ "How many remailer nodes are actually needed?"
- We strive to get as many as possible, to distribute the
process to many jurisdictions and with many opeators.
- Curiously, as much theoretical diffusivity can occur with
a single remailer (taking in a hundred messages and
sending out a hundred, for example) as with many
remailers. Our intuition is, I think, that many remailers
offer better diffusivity and better hiding. Why this is
so (if it is) needs more careful thinking than I've seen
done so far.
- At a meta-level, we think multiple remailers lessens the
chance of them being compromised (this, however, is not
directly related to the diffusivity of a remailer network-
-important, but not directly related).
- (By the way, a kind of sneaky idea is to try to always
declare one's self to be a remailer. If messages were
somehow traced back to one's own machine, one could
claim: 'Yes, I'm a remailer." In principle, one could be
the only remailer in the universe and still have high
enough diffusion and confusion. In practice, being the
only remailer would be pretty dangerous.)
+ Diffusion and confusion in remailer networks
+ Consider a single node, with a message entering, and
two messages leaving; this is essentially the smallest
"remailer op"
- From a proof point of view, either outgoing message
could be the one
- and yet neither one can be proved to be
- Now imagine those two messages being sent through 10
remailers...no additional confusion is added...why?
- So, with 10 messages gong into a chain of 10 remailers,
if 10 leave...
- The practical effect of N remailers is to ensure that
compromise of some fraction of them doesn't destroy
overall security
+ "What do remailers do with misaddressed mail?"
- Depends on the site. Some operators send notes back
(which itself causes concern), some just discard
defective mail. This is a fluid area. At least one
remailer (wimsey) can post error messages to a message
pool--this idea can be generalized to provide "delivery
receipts" and other feedback.
- Ideal mixes, a la Chaum, would presumably discard
improperly-formed mail, although agents might exist to
prescreen mail (not mandatory agents, of course, but
voluntarily-selected agents)
- As in so many areas, legislation is not needed, just
announcement of policies, choice by customers, and the
reputation of the remailer.
- A good reason to have robust generation of mail on one's
own machine, so as to minimize such problems.
+ "Can the NSA monitor remailers? Have they?"
+ Certainly they _can_ in various ways, either by directly
monitoring Net traffic or indirectly. Whether they _do_
is unknown.
- There have been several rumors or forgeries claiming
that NSA is routinely linking anonymous IDs to real IDs
at the penet remailer.
+ Cypherpunks remailers are, if used properly, more
secure in key ways:
- many of them
- not used for persistent, assigned IDs
- support for encryption: incoming and outgoing
messages look completely unlike
- batching, padding, etc. supported
- And properly run remailers will obscure/diffuse the
connection between incoming and outgoing messages--the
main point of a remailer!
+ The use of message pools to report remailer errors
- A good example of how message pools can be used to
anonymously report things.
- "The wimsey remailer has an ingenious method of returning
error messages anonymously. Specify a subject in the
message sent to wimsey that will be meaningful to you,
but won't identify you (like a set of random letters).
This subject does not appear in the remailed message.
Then subscribe to the mailing list
errors-request@extropia.wimsey.com
by sending a message with Subject: subscribe. You will
receive a msg
for ALL errors detected in incoming messages and ALL
bounced messages." [anonymous, 93-08-23]
- This is of course like reading a classified ad with some
cryptic message meaningful to you alone. And more
importantly, untraceable to you.
+ there may be role for different types of remailers
- those that support encryption, those that don't
+ as many in non-U.S. countries as possible
- especially for the *last* hop, to avoid subpoena issues
- first-class remailers which remail to *any* address
+ remailers which only remail to *other remailers*
- useful for the timid, for those with limited support,
etc.
-
+ "Should mail faking be used as part of the remailer
strategy?"
- "1. If you fake mail by talking SMTP directly, the IP
address or domain name of the site making the outgoing
connection will appear in a Received field in the header
somewhere."
"2. Fake mail by devious means is generally frowned upon.
There's no need to take a back-door approach here--it's
bad politically, as in Internet politics." [Eric Hughes,
94-01-31]
- And if mail can really be consistently and robustly
faked, there would be less need for remailers, right?
(Actually, still a need, as traffic analysis would likely
break any "Port 25" faking scheme.)
- Furthermore, such a strategy would not likely to be
robust over time, as it relies on exploiting transitory
flaws and vendor specifics. A bad idea all around.
+ Difficulties in getting anonymous remailer networks widely
deployed
- "The tricky part is finding a way to preserve anonymity
where the majority of sites on the Internet continue to
log traffic carefully, refuse to install new software
(especially anon-positive software), and are
administrated by people with simplistic and outdated
ideas about identity and punishment. " [Greg Broiles,
1994-08-08]
+ Remailer challenge: insulating the last leg on a chain from
prosecution
+ Strategy 1: Get them declared to be common carriers, like
the phone company or a mail delivery service
+ e.g., we don't prosecute an actual package
deliveryperson, or even the company they work for, for
delivery of an illegal package
- contents assumed to be unknown to the carrier
- (I've heard claims that only carriers who make other
agreements to cooperate with law enforcement can be
treated as common carriers.)
+ Strategy 2: Message pools
+ ftp sites
- with plans for users to "subscribe to" all new
messages (thus, monitoring agencies cannot know
which, if any, messages are being sought)
- this gets around the complaint about too much volume
on the Usenet (text messages are a tiny fraction of
other traffic, especially images, so the complaint is
only one of potentiality)
+ Strategy 3: Offshore remailers as last leg
- probably set by sender, who presumably knows the
destination
- A large number of "secondary remailers" who agree to
remail a limited number...
+ "Are we just playing around with remailers and such?"
- It pains me to say this, but, yes, we are just basically
playing around here!
- Remailer traffic is so low, padding is so haphazard, that
making correlations between inputs and outputs is not
cryptographically hard to do. (It might _seem_ hard, with
paper and pencil sorts of calculations, but it'll be
child's play for the Crays at the Fort.)
- Even if this is not so for any particular message,
maintaining a persistent ID--such as Pr0duct Cypher does,
with digital sigs--without eventually providing enough
clues will be almost impossible. At this time.
- Things will get better. Better and more detailed
"cryptanalysis of remailer chains" is sorely needed.
Until then, we are indeed just playing. (Play can be
useful, though.)
+ The "don't give em any hints" principle (for remailers)
- avoid giving any information
- dont't say which nodes are sources and which are sinks;
let attackers assume everyone is a remailer, a source
- don't say how long a password is
- don't say how many rounds are in a tit-for-tat tournament
8.7 - Anonymous Posting to Usenet
8.7.1. Julf's penet system has historically been the main way to
post anonymously to Usenet (used by no less a luminary than
L. Detweiler, in his "an12070/S. Boxx" personna). This has
particulary been the case with postings to "support" groups,
or emotional distress groups. For example,
alt.sexual.abuse.recovery.
8.7.2. Cryptographically secure remailes are now being used
increasingly (and scaling laws and multiple jurisdictions
suggest even more will be used in the future).
8.7.3. finger remailer.help.all@chaos.bsu.edu gives these results
[as of 1994-09-07--get a current result before using!]
- "Anonymous postings to usenet can be made by sending
anonymous mail to one of the following mail-to-usenet
gateways:
group.name@demon.co.uk
group.name@news.demon.co.uk
group.name@bull.com
group.name@cass.ma02.bull.com
group.name@undergrad.math.uwaterloo.ca
group.name@charm.magnus.acs.ohio-state.edu
group.name@comlab.ox.ac.uk
group.name@nic.funet.fi
group.name@cs.dal.ca
group.name@ug.cs.dal.ca
group.name@paris.ics.uci.edu (removes headers)
group.name.usenet@decwrl.dec.com (Preserves all headers)"
8.8 - Anonymous Message Pools, Newsgroups, etc.
8.8.1. "Why do some people use message pools?"
- Provides untracable communication
- messages
- secrets
- transactions
+ Pr0duct Cypher is a good example of someone who
communicates primarily via anonymous pools (for messages to
him). Someone recently asked about this, with this comment:
- "Pr0duct Cypher chooses to not link his or her "real
life" identity with the 'nym used to sign the software he
or she wrote (PGP Tools, Magic Money, ?). This is quite
an understandable sentiment, given that bad apples in the
NSA are willing to go far beyond legal hassling, and make
death threats against folks with high public visibility
(see the threads about an NSA agent threatening to run
Jim Bidzos of RSA over in his parking lot)." [Richard
Johnson, alt.security.pgp, 1994-07-02]
8.8.2. alt.anonymous.messages is one such pool group
- though it's mainly used for test messages, discussions of
anonymity (though there are better groups), etc.
8.8.3. "Could there be truly anonymous newsgroups?"
- One idea: newgroup a moderated group in which only messages
sans headers and other identifiers would be accepted. The
"moderator"--which could be a program--would only post
messages after this was ensured. (Might be an interesting
experiment.)
+ alt.anonymous.messages was newgrouped by Rick Busdiecker,
1994-08.
- Early uses were, predictably, by people who stumbled
across the group and imputed to it whatever they wished.
8.9 - Legal Issues with Remailers
8.9.1. What's the legal status of remailers?
- There are no laws against it at this time.
- No laws saying people have to put return addresses on
messages, on phone calls (pay phones are still legal), etc.
- And the laws pertaining to not having to produce identity
(the "flier" case, where leaflet distributors did not have
to produce ID) would seem to apply to this form of
communication.
+ However, remailers may come under fire:
+ Sysops, MIT case
- potentially serious for remailers if the case is
decided such that the sysop's creation of group that
was conducive to criminal pirating was itself a
crime...that could make all involved in remailers
culpable
8.9.2. "Can remailer logs be subpoenaed?"
- Count on it happening, perhaps very soon. The FBI has been
subpoenaing e-mail archives for a Netcom customer (Lewis De
Payne), probably because they think the e-mail will lead
them to the location of uber-hacker Kevin Mitnick. Had the
parties used remailers, I'm fairly sure we'd be seeing
similar subpoenas for the remailer logs.
- There's no exemption for remailers that I know of!
+ The solutions are obvious, though:
- use many remailers, to make subpoenaing back through the
chain very laborious, very expensive, and likely to fail
(if even one party won't cooperate, or is outside the
court's jurisdiction, etc.)
- offshore, multi-jurisdictional remailers (seleted by the
user)
- no remailer logs kept...destroy them (no law currently
says anybody has to keep e-mail records! This may
change....)
- "forward secrecy," a la Diffie-Hellman forward secrecy
8.9.3. How will remailers be harassed, attacked, and challenged?
8.9.4. "Can pressure be put on remailer operators to reveal traffic
logs and thereby allow tracing of messages?"
+ For human-operated systems which have logs, sure. This is
why we want several things in remailers:
* no logs of messages
* many remailers
* multiple legal jurisdictions, e.g., offshore remailers
(the more the better)
* hardware implementations which execute instructions
flawlessly (Chaum's digital mix)
8.9.5. Calls for limits on anonymity
+ Kids and the net will cause many to call for limits on
nets, on anonymity, etc.
- "But there's a dark side to this exciting phenomenon, one
that's too rarely understood by computer novices.
Because they
offer instant access to others, and considerable
anonymity to
participants, the services make it possible for people -
especially computer-literate kids - to find themselves in
unpleasant, sexually explicit social situations.... And
I've gradually
come to adopt the view, which will be controversial among
many online
users, that the use of nicknames and other forms of
anonymity
must be eliminated or severly curbed to force people
online into
at least as much accountability for their words and
actions as
exists in real social encounters." [Walter S. Mossberg,
Wall Street Journal, 6/30/94, provided by Brad Dolan]
- Eli Brandt came up with a good response to this: "The
sound-bite response to this: do you want your child's
name, home address, and phone number available to all
those lurking pedophiles worldwide? Responsible parents
encourage their children to use remailers."
- Supreme Court said that identity of handbill distributors
need not be disclosed, and pseudonyms in general has a long
and noble tradition
- BBS operators have First Amendment protections (e.g..
registration requirements would be tossed out, exactly as
if registration of newspapers were to be attempted)
8.9.6. Remailers and Choice of Jurisdictions
- The intended target of a remailed message, and the subject
material, may well influence the set of remailers used,
especially for the very important "last remailer' (Note: it
should never be necessary to tell remailers if they are
first, last, or others, but the last remailer may in fact
be able to tell he's the last...if the message is in
plaintext to the recipient, with no additional remailer
commands embedded, for example.)
- A message involving child pornography might have a remailer
site located in a state like Denmark, where child porn laws
are less restrictive. And a message critical of Islam might
not be best sent through a final remailer in Teheran. Eric
Hughes has dubbed this "regulatory arbitrage," and to
various extents it is already common practice.
- Of course, the sender picks the remailer chain, so these
common sense notions may not be followed. Nothing is
perfect, and customs will evolve. I can imagine schemes
developing for choosing customers--a remailer might not
accept as a customer certain abusers, based on digital
pseudonyms < hairy).
8.9.7. Possible legal steps to limit the use of remailers and
anonymous systems
- hold the remailer liable for content, i.e., no common
carrier status
- insert provisions into the various "anti-hacking" laws to
criminalize anonymous posts
8.9.8. Crypto and remailers can be used to protect groups from "deep
pockets" lawsuits
- products (esp. software) can be sold "as is," or with
contracts backed up by escrow services (code kept in an
escrow repository, or money kept there to back up
committments)
+ jurisdictions, legal and tax, cannot do "reach backs" which
expose the groups to more than they agreed to
- as is so often the case with corporations in the real
world, which are taxed and fined for various purposes
(asbestos, etc.)
- (For those who panic at the thought of this, the remedy for
the cautious will be to arrange contracts with the right
entities...probably paying more for less product.)
8.9.9. Could anonymous remailers be used to entrap people, or to
gather information for investigations?
- First, there are so few current remailers that this is
unlikely. Julf seems a non-narc type, and he is located in
Finland. The Cypherpunks remailers are mostly run by folks
like us, for now.
- However, such stings and set-ups have been used in the past
by narcs and "red squads." Expect the worse from Mr.
Policeman. Now that evil hackers are identified as hazards,
expect moves in this direction. "Cryps" are obviously
"crack" dealers.
- But use of encryption, which CP remailers support (Julf's
does not), makes this essentially moot.
8.10 - Cryptanalysis of Remailer Networks
8.10.1. The Need for More Detailed Analysis of Mixes and Remailers
+ "Have remailer systems been adequately cryptanalyzed?"
- Not in my opinion, no. Few calculations have been done,
just mostly some estimates about how much "confusion" has
been created by the remailer nodes.
- But thinking that a lot of complication and messiness
makes a strong crypto system is a basic mistake...sort of
like thinking an Enigma rotor machine makes a good cipher
system, by today's standards, just because millions of
combinations of pathways through the rotor system are
possible. Not so.
+ Deducing Patterns in Traffic and Deducing Nyms
- The main lesson of mathematical cryptology has been that
seemingly random things can actually be shown to have
structure. This is what cryptanalysis is all about.
- The same situation applies to "seemingly random" message
traffic, in digital mixes, telephone networks, etc.
"Cryptanalysis of remailers" is of course possible,
depending on the underlying model. (Actually, it's always
possible, it just may not yield anything, as with
cryptanalysis of ciphers.)
+ on the time correlation in remailer cryptanalysis
- imagine Alice and Bob communicating through
remailers...an observer, unable to follow specific
messages through the remailers, could still notice
pairwise correlations between messages sent and
received by these two
+ like time correlations between events, even if the
intervening path or events are jumbled
- e.g., if within a few hours of every submarine's
departure from Holy Loch a call is placed to Moscow,
one may make draw certain conclusions about who is a
Russian spy, regardless of not knowing the
intermediate paths
- or, closer to home, correlating withdrawals from one
bank to deposits in another, even if the intervening
transfers are jumbled
+ just because it seems "random" does not mean it is
- Scott Collins speculates that a "dynamic Markov
compressor" could discern or uncover the non-
randomness in remailer uses
- Cryptanalysis of remailers has been woefully lacking. A
huge fraction of posts about remailer improvements make
hand-waving arguments about the need for more traffic,
longer delays, etc. (I'm not pointing fingers, as I make
the same informal, qualitative comments, too. What is
needed is a rigorous analysis of remailer security.)
- We really don't have any good estimates of overall security
as a function of number of messages circulating, the
latency ( number of stored messages before resending), the
number of remailer hops, etc. This is not cryptographically
"exciting" work, but it's still needed. There has not been
much focus in the academic community on digital mixes or
remailers, probably because David Chaum's 1981 paper on
"Untraceable E-Mail" covered most of the theoretically
interesting material. That, and the lack of commercial
products or wide usage.
+ Time correlations may reveal patterns that individual
messages lack. That is, repeated communicatin between Alice
and Bob, even if done through remailers and even if time
delays/dwell times are built-in, may reveal nonrandom
correlations in sent/received messages.
- Scott Collins speculates that a dynamic Markov compressor
applied to the traffic would have reveal such
correlations. (The application of such tests to digital
cash and other such systems would be useful to look at.)
- Another often overlooked weakness is that many people
send test messages to themselves, a point noted by Phil
Karn: "Another way that people often let themselves be
caught is that they inevitably send a test message to
themselves right before the forged message in question.
This shows up clearly in the sending system's sendmail
logs. It's a point to consider with remailer chains too,
if you don't trust the last machine on the chain." [P.K.,
1994-09-06]
+ What's needed:
- aggreement on some terminology (this doesn't require
consensus, just a clearly written paper to de facto
establish the terminology)
- a formula relating degree of untraceability to the major
factors that go into remailers: packet size and
quantization, latency (# of messages), remailer policies,
timing, etc.
- Also, analysis of how deliberate probes or attacks might
be mounted to deduce remailer patterns (e.g., Fred always
remails to Josh and Suzy and rarely to Zeke).
- I think this combinatorial analysis would be a nice little
monograph for someone to write.
8.10.2. A much-needed thing. Hal Finney has posted some calculations
(circa 1994-08-08), but more work is sorely needed.
8.10.3. In particular, we should be skeptical of hand-waving analyses
of the "it sure looks complicated to follow the traffic"
sort. People think that by adding "messy" tricks, such as
MIRVing messages, that security is increased. Maybe it is,
maybe it isn't. But it needs formal analysis before claims
can be confidantly believed.
8.10.4. Remailers and entropy
- What's the measure of "mixing" that goes on in a mix, or
remailer?
- Hand=waving about entropy and reordering may not be too
useful.
+ Going back to Shannon's concept of entropy as measuring the
degree of uncertainty...
+ trying to "guess" or "predict' where a message leaving
one node will exit the system
- not having clear entrance and exit points adds to the
difficulty, somewhat analogously to having a password
of unknown length (an attacker can't just try all 10-
character passwords, as he has no idea of the length)
- the advantages of every node being a remailer, of
having no clearly identified sources and sinks
+ This predictability may depend on a _series_ of messages
sent between Alice and Bob...how?
- it seems there may be links to Persi Diaconis' work on
"perfect shuffles" (a problem which seemed easy, but
which eluded solving until recently...should give us
comfort that our inability to tackle the real meat of
this issue is not too surprising
8.10.5. Scott Collins believes that remailer networks can be
cryptanalyzed roughly the same way as pseudorandom number
generators are analyzed, e.g., with dynamic Markov
compressors (DNCs). (I'm more skeptical: if each remailer is
using an information-theoretically secure RNG to reorder the
messages, and if all messages are the same size and (of
course) are encypted with information-theoretically secure
(OTP) ciphers, then it seems to me that the remailing would
itself be information-theoretically secure.)
8.11 - Dining Cryptographers
8.11.1. This is effectively the "ideal digital mix," updated from
Chaum's original hardware mix form to a purely software-based
form.
8.11.2. David Chaum's 1988 paper in Journal of Crypology (Vol 1, No
1) outlines a way for completely untraceable communication
using only software (no tamper-resistant modules needed)
- participants in a ring (hence "dining cryptographers")
- Chaum imagines that 3 cryptographers are having dinner and
are informed by their waiter that their dinner has already
been paid for, perhaps by the NSA, or perhaps by one of
themselves...they wish to determine which of these is true,
without revealing which of them paid!
- everyone flips a coin (H or T) and shows it to his neighbor
on the left
+ everyone reports whether he sees "same" or "different"
- note that with 2 participants, they both already know
the other's coin (both are to the left!)
- however, someone wishing to send a message, such as Chaum's
example of "I paid for dinner," instead says the opposite
of what he sees
+ some analysis of this (analyze it from the point of view of
one of the cryptographers) shows that the 3 cryptographers
will know that one of them paid (if this protocol is
executed faithfully), but that the identity can't be
"localized"
- a diagram is needed...
+ this can be generalized...
+ longer messages
- use multiple rounds of the protocol
+ faster than coin-flipping
- each participant and his left partner share a list of
"pre-flipped" coins, such as truly random bits
(radioactive decay, noise, etc.) stored on a CD-ROM or
whatever
- they can thus "flip coins" as fast as they can read the
disk
+ simultaneous messages (collision)
- use back-off and retry protocols (like Ethernet uses)
+ collusion of participants
- an interesting issue...remember that participants are
not restricted to the simple ring topology
- various subgraphs can be formed
- a participant who fears collusion can pick a subgraph
that includes those he doubts will collude (a tricky
issue)
+ anonymity of receiver
- can use P-K to encrypt message to some P-K and then
"broadcast" it and force every participant to try to
decrypt it (only the anonymous recipient will actually
succeed)
- Chaum's complete 1988 "Journal of Cryptology" article is
available at the Cypherpunks archive site,
ftp.soda.csua.edu, in /pub/cypherpunks
8.11.3. What "DC-Net" Means
- a system (graph, subgraphs, etc.) of communicating
participants, who need not be known to each other, can
communicate information such that neither the sender nor
the recipient is known
+ unconditional sender untraceability
- the anonymity of the broadcaster can be information-
theoretically secure, i.e., truly impossible to break and
requiring no assumptions about public key systems, the
difficulty of factoring, etc.
+ receiver untraceability depends on public-key protocols, so
traceability is computationally-dependent
- but this is believed to be secure, of course
+ bandwidth can be increased by several means
- shared keys
- block transmission by accumulating messages
- hiearchies of messages, subgraphs, etc.
8.12 - Future Remailers
8.12.1. "What are the needed features for the Next Generation
Remailer?"
+ Some goals
- generally, closer to the goals outlined in Chaum's 1981
paper on "Untraceable E-Mail"
- Anonymity
- Digital Postage, pay as you go, ,market pricing
- Traffic Analysis foiled
+ Bulletproof Sites:
- Having offshore (out of the U.S.) sites is nice, but
having sites resistant to pressures from universities and
corporate site administrators is of even greater
practical consequence. The commercial providers, like
Netcom, Portal, and Panix, cannot be counted on to stand
and fight should pressures mount (this is just my guess,
not an aspersion against their backbones, whether organic
or Internet).
- Locating remailers in many non-U.S. countries is a Good
Idea. As with money-laundering, lots of countries means
lots of jurisdictions, and the near impossibility of
control by one country.
+ Digital Postage, or Pay-as-you-Go Services:
- Some fee for the service. Just like phone service, modem
time, real postage, etc. (But unlike highway driving,
whose usage is largely subsidized.)
- This will reduce spamming, will incentivize remailer
services to better maintain their systems, and will
- Rates would be set by market process, in the usual way.
"What the traffic will bear." Discounts, favored
customers, rebates, coupons, etc. Those that don't wish
to charge, don't have to (they'll have to deal with the
problems).
+ Generations
- 1st Gen--Today's Remailer:
- 2nd Gen--Near Future (c. 1995)
- 3rd Gen-
- 4th Gen--
8.12.2. Remailing as a side effect of mail filtering
- Dean Tribble has proposed...
- "It sounds like the plan is to provide a convenient mail
filtering tool which provides remailer capability as a SIDE
EFFECT! What a great way to spread remailers!" [Hal Finney,
93-01-03]
8.12.3. "Are there any remailers which provide you with an anonymous
account to which other people may send messages, which are
then forwarded to you in a PGP-encrypted form?" [Mikolaj
Habryn, 94-04]
- "Yes, but it's not running for real yet. Give me a few
months until I get the computer + netlink for it. (It's
running for testing though, so if you want to test it, mail
me, but it's not running for real, so don't *use* it.)"
[Sameer Parekh, 94-04-03]
8.12.4. "Remailer Alliances"
+ "Remailer's Guild"
- to make there be a cost to flakiness (expulsion) and a
benefit to robustness, quality, reliability, etc.
(increased business)
- pings, tests, cooperative remailing
- spreading the traffic to reduce effectiveness of attacks
- which execute protocols
- e.g., to share the traffic at the last hop, to reduce
attacks on any single remailer
8.13 - Loose Ends
8.13.1. Digital espionage
+ spy networks can be run safely, untraceably, undetectably
- anonymous contacts, pseudonyms
- digital dead drops, all done electronically...no chance
of being picked up, revealed as an "illegal" (a spy with
no diplomatic cover to save him) and shot
+ so many degrees of freedom in communications that
controlling all of them is essentially impossible
- Teledesic/Iridium/etc. satellites will increase this
capability further
+ unless crypto is blocked--and relatively quickly and
ruthlessly--the situation described here is unstoppable
- what some call "espionage" others would just call free
communication
- (Some important lessons for keeping corporate or business
secrets...basically, you can't.)
8.13.2. Remailers needs some "fuzziness," probably
+ for example, if a remailer has a strict policy of
accumulating N messages, then reordering and remailing
them, an attacker can send N - 1 messages in and know which
of the N messages leaving is the message they want to
follow; some uncertainly helps here
- the mathematics of how this small amount of uncertainty,
or scatter, could help is something that needs a detailed
analysis
- it may be that leaving some uncertainty, as with the
keylength issue, can help
8.13.3. Trying to confuse the eavesdroppers, by adding keywords they
will probably pick up on
+ the "remailer@csua.berkeley.edu" remailer now adds actual
paragraphs, such as this recent example:
- "I fixed the SKS. It came with a scope and a Russian
night scope. It's killer. My friend knows about a
really good gunsmith who has a machineshop and knows how
to convert stuff to automatic."
- How effective this ploy is is debatable
8.13.4. Restrictions on anonymous systems
- Anonymous AIDS testing. Kits for self-testing have been
under FDA review for 5 years, but counseling advocates have
delayed release on the grounds that some people will react
badly and perhaps kill themselves upon getting a positive
test result...they want the existing system to prevail. (I
mention this to show that anonymous systems are somtimes
opposed for ideological reasons.)