[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: (eternity) God's Own Backup Medium




Dan Fabulich:
> I must be insane, because this seems simple to me.  Don't listen.

It's simple conceptually, just some of the technical details are
multi-axis tradeoffs which need to be made explicit.
> 
> Presume that the goal is a secure anonymous storage/retrieval system, paid
> for with e$.  Armed with a persistent naming system for each document, we
> set up e$ protocols to pay for storage of a (possibly encrypted) document
> OR to pay for retrieval of a particular named document.  I broadcast that I
> want up to ten people to store my XMB document and that I'm prepared to pay
> $Y/mo. to each participant.  My document is then secure for as long as I'm
> prepared to pay for it.  It is anonymous to the extent that information can
> be transferred anonymously between me and the other willing participants;
> it is therefore a remailer problem, not an Eternity problem.

It's an Eternity problem if you want your eternity system to have
better performance than the remailers have.  What you really need
is a multi-level security infrastructure, where someone (the owner
of the data, the individual intermediate server operators, etc.) can
choose the level of security they will provide to meet certain 
Quality of Service levels.

Yes, for a lot of the data you're handling, remailers are a good model.
However, steganographically-protected streams hidden inside other streams
work better for certain things.  Perhaps quantum channels work better for
other things.  Perhaps hand-carried optical tapes are best for others.  
The system should have a way of handling these formats in a suitably
abstract way.

> Alternately, if a document is in high demand, someone might offer money to
> anyone who can provide a particular document given by name.  Any willing
> sellers could then exchange information/e$ via e-mail.  (One might even
> imagine data-traders who would seek out valuable information at a bargain
> and sell them to others at market value.)  Again, the mechanism is only
> anonymous to the extent that e-mail is secure.

Which helps both security and performance.  A very good mechanism.
> 
> Note that the system is profitable to all of its participants no matter
> WHAT the broadcast mechanism is.  The more automation, the more profitable.
>  The more participants, the more profitable.  The more information online,
> the more profitable.

Yes.  That's why I'm including market-based techniques in Eternity DDS --
I think market-based arguments are as powerful as statistical ones --
perhaps not as powerful as mathematical/cryptographic proof, but
close.

> The missing link here, of course, is anonymous e$.  Despite the success of
> the remailers, I've never been convinced that they're not vulnerable to
> traffic analysis.  (Possibly this is why no one has ever bothered to shut
> them down?)
> And even if we COULD set up automated daemons to monitor the broadcasts and
> negotiate trades, there's still no good way to distribute money over the net.

I know with high confidence there will be a deployed quality anonymous
e$ system in 1998.
> 
> At any rate, keeping the system independent of its broadcast medium (which
> can be done pretty easily by just making sure that the program communicates
> in [encrypted] plaintext,) should make the system autocatalytic...  At that
> point, just let it run, get as many people running it as possible and let
> the market take over.

Yes.  Both Eternity-USENET and Eternity DDS are only secure once they
grow to a certain size.  Market pressure is (I think) the best way of
getting a system to scale to that size.

(Eternity-USENET is vulnerable to technical Denial of Service attacks
with the current small number of indexing servers, even if it is protected
from legal issues.  I think illegal or extralegal attacks are as dangerous
as the legal ones)


-- 
Ryan Lackey
[email protected]
http://mit.edu/rdl/