[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Remailers & liability



At 05:06 PM 5/27/96 EDT, E. Allen Smith wrote:

>	Why, precisely, do you think that remailers don't do much good where
>the operator isn't root? The possibility of the sysop looking at the mail &
>getting the private key, the increased susceptibility to cracking of
>non-root accounts, possible sysop non-cooperation in an honest manner (as
>opposed to the first one), or what?

I think it's more difficult to covertly monitor communications through a
remailer if the remailer operator isn't root; this is also the case if the
primary MX record doesn't point directly to a machine under the operator's
control. I think it'd be possible for a hostile party to monitor/intercept
communications through any remailer; but it's more likely to cause an
unexplained disruption or outage where the hostile party has less access to
the target machine/network, and the operator (who we assume is trusted) has
more access.

I also think that where root is not the remailer operator, root is a lot
less likely to say "fuck off you evil TLA I won't help you monitor remailer
traffic." My hunch is that many/most remailer operators would shut down a
remailer instead of letting a TLA monitor traffic, and/or would refuse to
take clear steps to publically reestablish the integrity of a remailer if
its confidentiality was in question. My hunch is that many/most
"professional" sysadmins would let a TLA monitor traffic if a user was
running a remailer, and wouldn't do anything to let either the user/operator
or the clients of the remailer know anything was amiss. Look at the way that
the WELL and Netcom and AOL (I'm probably missing some examples here) have
been willing to let amateur and professional spooks & cops wander around
their systems reading mail and looking in home directories while chasing
"bad guys". How many ISP's are going to say "come back with a warrant" if
cops show up with badges & guns, saying "User X is running a remailer which
sends kiddie porn/drug sales transaction info/whatever"? I bet very, very
few. (And no, the ECPA won't be much help, see _Steve Jackson Games_ re
"what does intercept mean?")

Obviously I'm talking about "more" and "fewer" and hunches, not a
mathematical proof. This is really just another web-of-trust; I may trust X
to run a remailer (and not log traffic or disclose it to outsiders), but I
probably don't trust X to pick a service provider who will not be
susceptible to "the Briefing" and who won't hire anyone as a sysadmin who
isn't bribable or coercible. 

My intention is not to slam remailer operators who aren't root, just to
point out that the level of protection we should expect from those remailers
is relatively small. Ditto for remailers operated by unknown nyms who don't
have well-known people willing to vouch for their integrity. Truly, no
offense is intended. If I have some idea who the remailer operator is, and
they are root, I feel like I learn something if the operator says "My system
doesn't log traffic." If the operator isn't in a position to know (because
they're not root) or if I don't have a reason to trust them, I assume the
remailer is logging traffic. And a remailer that logs traffic may be more
dangerous than no remailer at all, because the amount of security provided
is illusory. 

--
Greg Broiles                |"Post-rotational nystagmus was the subject of
[email protected]         |an in-court demonstration by the People
http://www.io.com/~gbroiles |wherein Sgt Page was spun around by Sgt
                            |Studdard." People v. Quinn 580 NYS2d 818,825.