[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Data_havens
> Auctually, the one real big problem is that the data is all in one place.
I would rephrase this slightly to read "the data, or knowledge of
its location, is all in one place." Sure, with a satellite, both the data
and the info required to access it is in the same physical location; it's
a target as soon as someone tracks a transmission to its source.
But I think there will be problems, even with distributed
systems, for a haven under the control of any single entity. Whether that
control is implicit, such as the coercive force of the host governments,
or the explicit policies of the owner, it will tend to force patterns in
data storage. This could become problematic.
[snip]
> The only workable solution to this that I can see has nothing to do with
> floating countries or anything of the sort. Instead, the use of
> data-splitting programs could be used. I'm not all up on the security or
> reliability of these programs, so if I'm making unwarranted assumptions,
> guess I did a lot of typing for nothing. This has probably been proposed
> before, too, but what the hey...
Actually, Eric Hughes gave an inspirational talk on this very
subject at DEF CON IV. I have to say that I'm a convert, now. Time to go
forth and make the world safe for crypto-anarchy. Much of what I'm going
to say is influenced by that talk. My only regret is that I didn't get his
autograph. Enough about that...
Basically, I think allowing a single entity to create such a
network may lead to a dangerous concentration of information. If we are
to assume that an attack on a data haven will involve the resources of
large, unfriendly governments, along with the full legal (and
extra-legal) powers of said governments...then it becomes possible to
imagine a scenario where one's "network technique" is _studied_ in order
to find possible caches for servers in the data-haven network.
Once the location of the servers/caches are known, the network
becomes vulnerable to seizure. In friendly jurisdictions, subopenas and
warrants may be issued. In unfriendly or extra-jurisdictional
circumstances (e.g. space), one uses anti-satellite measures, black-bag
jobs, bribes, or, heck, let's be
paranoid and say they can send TEMPEST-equipped vans to sit outside and
read the hard drives directly. Even if seizure is made impossible, enough
heat can be brought to bear to limit the growth of one's haven_net and
concentrate new nodes in certain specific jurisdictions...which of course
become more attractive targets for seizure tactics.
The problem is that a single entity may tend to keep records of
what nodes are situated where. Not necessarily in the protocols, either.
All those computers will need servicing, upgrading, network links, etc.
etc. This requires some kind of a control and payment structure. Setting
up a new node is particularly hazardous, especially after initial
deployment. To make matters worse, once a node is found, it may leak
information about the rest of the network (traffic analysis, anyone?).
What is more, it leaves open the door for truly stupid acts, like
keeping a network map where it might be found in case of a search. Don't
laugh. A good deal of design will need to go into a data haven; if the
documents are not destroyed or secured in some way, they could bring down
the whole system.
> For example, lets say you set up an office in 100 countries (it would be
> more effective to have more, but let's say 100). Through the use of
This can be a double-edged sword. 100 countries means 100
_different_ points for an adversary to bribe/steal/warrant his way onto a
point in one's haven_net. Sure, maybe he can't get _all_ of them, but
what can he do with the nodes he does have? Note that the haven operator
may not necessarily know a jurisdiction or node has been compromised; how
many times have you detected the NSA reading your personal e-mail? (on
second thought, don't answer that question :)
I honestly believe it is necessary to involve mass numbers of
_individuals_ or small groups in a sort of Godwin-esque federation for a
robust, reliable, and unkillable haven_net. This implies a certain degree
of flux on the part of the network; nodes have the right to secede at any
time. The trick is to make it financially rewarding to be a part of the
network, so the number of new nodes exceeds the number of imprisoned
crypto-rebels/dilettantes/students looking for a buck/other former
node-type people.
A "data haven", then, in the sense of a corporation which manages
and serves the stuff, is more of a coordinator or a broker than a
warehouser. It acts as a front end to such a distributed system, and
assumes the risk if the client's data should fall through the cracks. The
added value over entering the system oneself comes from the technical
assurance and insulation from legal risk.
[description of obtaining user ID and password thru anon remailers]
Not such a bad idea, but I don't know about tying the ID and
password to a specific number of nodes. Certainly it minimizes leakage of
one's client list; certain nodes only serve a particular subset of
clients. What happens if enough of the client's nodes are seized?
Also, what about spoofing and lost identities? Sure, the protocols involved
between haven and client may offer no chance of either, but what about
the client's network? Just because they are paranoid enough to use a
data-haven does not mean they are clueful enough to encrypt that modem
link they may be using for SLIP, PPP, or whatever.
> To get the data back, he would send in the ID and password, encrypted
> again, to the nessecary number of offices in order to retrieve the data.
One of the ideas advanced at DEF CON, and one I really liked, was
to make the data retreivable simply by knowing its MD5 hash. No need for
identies, no worrying about keeping a meta-secret or nym secret...just
keeping or revealing the hash for file-by-file protection.
Now, of course, what if the user loses his hash?
> Payment, if nessecary, could be made by anonymous bank transfer or
> something like ecash.
I like the idea of allowing a node to accept payment up front, or
accept for free (but charge a fee to downloaders). Each node can set its
own prices in terms of e$/MB or other units (you like octets?
megawords?) for a given amount of data. I'd like to accept "in-demand"
data (Quake alpha, anyone?) on a 'consignment basis', but can't figure
out how to ensure the node pays the original uploader w/o blowing away
anonymity. Anyone got a paper lying around which could help (beg beg beg)?
Anonymous bank transfer is probably a good idea, too, but it can
be a major hassle. Not just from the State, either; how do you keep track
of what money transfer came from which nym?
>
> Proprietary encryption systems (PGP-like, with IDEA/RSA hybrid in it, but
> can accept 5000+ bit keys and padding) might be used, as well.
IMHO, this kind of application will need to be built anew, and
built well. Becoming a new node should be an install-and-forget process.
This requires certain features. Most importantly, the node's owner should
not known, and should not be _able_ to know what exactly he or she is
storing. I haven't looked at the new steg and crypto packages for linux,
but that's about what I'm thinking of.
>
> This scheme has several pluses. One, it doesn't rely on any fancy legal
> manuevering with off-shore nationalities and crap. Second, it isn't very
None of that is really necessary for a data haven, anyway. Why
bother, when the whole point is to disappear it from physical space in
the first place?? It simply allows Them to have a single point of attack.
> vunerable. They would need to get legal jurisdiction in 70 different
> countries to sieze the data, and then they have the encryption to deal
> with.
Unfortunately, it also means if they get jurisdiction in even one
of those 70 countries, you are in trouble. Even if the encryption is
good, just looking at how much data is on the server, and from where,
could be most unfortunate for business. There's a more serious concern in
reliability, too; if one uses a data-splitting scheme, capturing enough
servers has a probability of removing access to data.
That's bad for business.
> Third, if there's any server problems, it wouldn't affect the entire
> system. Fourth, you don't have to attach missle launchers and hire a
No, but again the splitting scheme needs to be smart. (M, N)
thresholds would be good; losing one server wouldn't mean losing the
data. It also forces Them to capture N servers instead of just one.
> private security force to defend it. There are several problems, though.
> First, it relies on the Internet, something which is inherantly insecure
> anyway. Second, if someone's being wiretapped in their own country, then
> the whole effort is in vain. Third, it would be incredibly costly, but
It is not necessary to obtain a warrant to wiretap. We know that.
The system then relies upon the security of the locations of the servers.
I am very skeptical of the idea that this can be acheived with a single
organization.
> probably no more so than any kind of off-shore platforms. In fact, it
> would probably be cheaper.
What we really need is a robust architecture, like Eric Hughes'
"Universal Piracy Network" which is as popular and as prevalent as
<name your favorite app> is today. We need to make it easy, simple,
profitable, and most of all, _FUN_. Getting people financially dependent
on such a system wouldn't hurt, either.
>
> Any comments?
I have a vision...and I caught it just recently...of a day where
I will be able to sell my disk space to the highest bidder, and know I am
helping the cause of freedom and frictionless data.
A day where I can go forward and create value from "garbage" - unused
cycles, unused HD space, underutilized graphics cards and coprocessors
mouldering away in closets. Where people spontaneously join haven_nets
because it's "cool", or "sensible", or any of the other justifications
people make when they're jumping off the cliff with the other lemmings.
When participation is a mouse-click away. When the NSA advises
Congresscritters on how to best distribute their files, and spends most
of its time figuring out cost/benefit analyses of the myriad haven_nets,
and actively contributing its own latest, greatest, and "just
unclassified" entry into the market for server software.
When no one will be able to imagine having a file without splitting it
across half a dozen countries and half a hundred computers. Where it will
be those who want un-encrypted data who are "strange" and "old fogies",
because distributed data is _orthodox_, and the anonymity and e-cash is
just a simple little feature, along with the rest, and hardly worth
mentioning in and of itself. In short, no where. Utopia. But a nice
vision to get wild-eyed and hand-waving about just the same.