[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Thoughts on Data Havens
Re:
> At 07:25 PM 1/9/95, [email protected] wrote:
> > ... Of course, the DH will be hidden by a good remailer (anon.penet.fi), but
> >it is trivial to use traffic analysis to find where the DH lies. Just
> >monitor traffic from/to the remailer and do a series of store/retrives.
> >Then for confirmation, forge a mail from the dh site to the remailer with
> >the password (obtained from sniffing) to yourself. ...
This is a known weakness of the wizvax style remailers. It is a shame that
they are so easy for naive users to use - while I like the idea of an easy
to use remailer, I have to shudder at how many people think that they are
a secure system, especially when the reason they use them is usually because
of a very real fear of the possible consequences if their lifestyle becomes
public.
> Hmm, hmm. Using c'punk remailers with encrypted send blocks fixes one
> problem, especially if the c'punk mailers do some sort of file splitting and
> reassembly along the lines of what happens to IP packets that are too large
> for a given link. What would also help would be a mechanism for randomly
> varying the encrypted send-to block. The password replay attacks can be
> fixed by encrypting the transmitted password along with a timestamp/sequence
> number.
Post a new PGP key and encrypted address block weekly to alt.data.havens,
alt.2600, or a stegoed picture to alt.binaries.pictures.whatever. If you
are limiting usership, perhaps an autoencrypting majordomo list.
If you do decide to go the steganography route, keep in mind that users
on other platforms will want to use your DH and pick your stego program
accordingly. As a Mac user, few things irritate me as much arj and zip
files on ftp sites. gzip is a pain also, but at least I can un-gzip in
my shell account before downloading.
> One problem that remains would be a trail left by the increased traffic
> to/from a DH vs a normal user. That could only be fixed by a multitude of
> DH sites.
One way of solving the traffic analysis problem is to have the DH account
also act as a remailer. It would also be a good idea to only allow DH
commands to be executed if the encrypted (mandatory) control message arrived
from another remailer account - people knowledgeable enough to be using a
dh will probably not mind if they are "forced" to route traffic through
the remailer network - anyone paranoid enough to be a client is going to
tack your address block on the end of a long chain they created themselves.
As an added security measure, when a valid control message is received,
an identical length stream of random garbage should then be encrypted and
passed into the remailer pool. This would be easier if remailers supported
some sort of bit sink command to trash a message rather than pass it along.
Joe Block <[email protected]>
No man's life, liberty or property are safe while the legislature is in session.