theories about lack of crypto



Sorry if this appears twice; I sent a copy through one of the new anonymous
remailers last night and it looks like it didn't make it.  Or I messed up
somehow ;)

-----BEGIN PGP SIGNED MESSAGE-----

Tim May brings up some interesting and valid points about crypto
protocols.

I think there are several reasons surrounding the slow pace of crypto
protocol (particularly software) development; rather than list them
let me explain the difficulties in setting up a "data haven" (as far
as I can see):

I - Difficulties

1. The usual stuff like finding the time to code and maintain
   software, including getting access to a workstation (or whatever,
   some net connected computer given that my home computer is a PC
   running MSDOS).

2. Say all this code gets written.  To really be able to run a data
   haven, I'd need to own the machine it runs on, to have the power to
   call all the shots.  Yes, maybe my internet provider charges $x per
   megabyte, but I seriously doubt I'd be allowed to use up 100 Megs of
   disk space, even if I paid (and charged a bit more for storage to
   cover my expenses).  Now I can get a SLIP account for about $50 a
   month where I live, and so if I had a spare computer to devote, I'd be
   set, sort of.

   I'd definitely need the machine to be available on a network,
   otherwise it would be too inconvenient and nobody would use it.  Of
   course, I'd also need an easy to use digital cash system to accept
   payments.

   Same thing with top-notch anonymous remailers; to be able to turn off
   logging, and be in control of a hundred details, I need to own the
   machine. 

   Same thing with digital banks.  Who would use a bank that runs off
   of an account from an internet provider?  Besides, I'd need to own the
   machine to set up the appropriate security measures, etc.

3. Legal issues.

   This is the biggest problem.  By running a data haven (and this
   applies to many other cryptographic protocols, particularly ones that
   guarantee anonymity, etc.) I pretty much open myself up to a legal can
   of worms.  All it takes is one person to store pirated software, one
   person to send death threats through my "strong" anonymous remailer,
   one person to forward Clarinet posts to usenet, and I'm potentially
   in for a battle.  Craig Neidorf (phrack) went to court and racked up a
   legal bill of $100,000, all for the government to drop its case.

   Consider if somebody posted anonymously, soliciting pirated software.
   Let's say in a year, I set up an anonymous remailer and digital
   bank, and it really is anonymous.  Somebody posts, soliciting the
   source code for Chicago (just an example), offering $10 million
   dollars.  Some anonymous person sends it off, and receives payment.
   Neither party is traceable, and both are very happy.  Except me.
   How screwed do you think I'd be facing the legal department of Microsoft?

   Yeah, the solution is to relocate off-shore; this is not feasible
   for me.

   This is only the tip of it since a large number of the more
   interesting and useful protocols are patented.  Sure, maybe the
   concept of software patents sucks, but the fact is, it's legal until a
   court overturns it.  And I don't have the money to mount a legal battle.

   There is a balance to be struck between offering totally anonymous
   remailing (for example) and keeping enough logs to keep out of
   potential legal trouble.  The problem is that the balance falls closer
   to the logging side, which would scare off potential users/customers.

II - Incentives

Really, what are the incentives for running these services?  None as
far as I can tell, other than the satisfaction of doing it.

Johan Helsingius (Julf of anon.penet.fi) spends hours a day maintaining
his site, responding to complaints, etc.  He provides a valuable
service, which obviously is very popular... all the same, I'll bet
when he asked for a donation of $5 per account to help defray costs,
he got almost no response.

III - Usage

Why aren't people using DC-Nets, data havens, etc.?  Because I don't
think there is a reason to.  

I'm not saying that it's a waste of time to develop this software;
it's just for now it'll be confined to experimental usage, research
purposes, or just as a challenge to surmount.  

I mean, I know what a DC-Net is, but I can't think of a single reason
I'd actually use one, other than for the heck of it.

IV - Platforms

Well, for me, it would be MS-DOS.  I love UNIX too, but my home
computer is 10 times more convenient to develop for.

>it all...remailers appear and then vanish when the students go away or lose
>their accounts, features added make past learning useless, and so on. Life

All I can say is for the near future, I don't see any of this stuff
being done by anybody other than "hobbyists".

"The Internet Casino"

This sounds great, in fact, I've thought of writing a crypto version
of roulette or blackjack... something that would use a bit-commitment
protocol to commit to a shuffle or sequence of random numbers, and
play you.  Afterwards, you could check logs to verify you weren't
cheated.  Maybe I'll actually find some time this summer to write it,

> Later protocols have not fared as well. Why this is so is of great
> importance.

I'm interested in hearing your theories about this, Tim.  I too wish
things were different, but I just can't do much about it.

I still think we are in a "ease of use" phase.  Most people on this
list don't even pgp sign their messages, largely because it isn't
convenient.  It isn't surprising later protocols aren't faring well.

-----BEGIN PGP SIGNATURE-----
Version: 2.3a

iQCVAgUBLchxHIOA7OpLWtYzAQGP1QP9HbB+1eHhF5otXP9ShcC7mu5vSDVTeIf2
SNr4u28WOgRRHFP4MQcsvYp7VM0ELNhIdMXpCiThgl2kVj0oomLNboCpW0HNW9jn
4dux0K0hGJqsoxeZhqvNEybIQiVPHg0VFdkwI6q79V+oHynlOOaNZyJXad6ZFwsv
xxUlGjLdmK8=
=AAzE
-----END PGP SIGNATURE-----
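
The "Internet Casino" idea in the message above (commit to a shuffle, play, then let the player check the logs) can be sketched as follows. This is an added example, not code from the original post: the function names, the SHA-256 hash commitment and the HMAC-based shuffle are assumptions, and it goes one step beyond the post by mixing in a player-supplied seed so the house cannot pick a favourable shuffle before committing.

```python
import hashlib, hmac, secrets

def commit(house_seed: bytes, nonce: bytes) -> str:
    """Hash commitment published before play; the nonce keeps the seed hidden."""
    return hashlib.sha256(b"shuffle-commit-v1" + nonce + house_seed).hexdigest()

def _stream_ints(key: bytes):
    """Yield 32-bit integers from HMAC-SHA256 run in counter mode."""
    counter = 0
    while True:
        block = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        for i in range(0, 32, 4):
            yield int.from_bytes(block[i:i + 4], "big")
        counter += 1

def shuffled_deck(house_seed: bytes, player_seed: bytes) -> list:
    """Deterministic Fisher-Yates shuffle of 52 cards keyed by both seeds."""
    deck = list(range(52))
    ints = _stream_ints(hmac.new(house_seed, player_seed, hashlib.sha256).digest())
    for i in range(51, 0, -1):
        bound = i + 1
        limit = (2**32 // bound) * bound  # rejection sampling avoids modulo bias
        r = next(ints)
        while r >= limit:
            r = next(ints)
        j = r % bound
        deck[i], deck[j] = deck[j], deck[i]
    return deck

def verify_game(commitment, house_seed, nonce, player_seed, dealt_log) -> bool:
    """Player-side check after the house reveals its seed and nonce."""
    if not hmac.compare_digest(commit(house_seed, nonce), commitment):
        return False  # revealed seed is not the one committed to
    expected = shuffled_deck(house_seed, player_seed)
    return expected[:len(dealt_log)] == list(dealt_log)

def demo():
    """Constructed game: honest log, tampered log, and a swapped seed."""
    house_seed, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    c = commit(house_seed, nonce)          # house publishes this first
    player_seed = secrets.token_bytes(32)  # player sends this after seeing c
    dealt = shuffled_deck(house_seed, player_seed)[:5]
    honest = verify_game(c, house_seed, nonce, player_seed, dealt)
    tampered = verify_game(c, house_seed, nonce, player_seed,
                           [dealt[1], dealt[0]] + dealt[2:])
    wrong_seed = verify_game(c, secrets.token_bytes(32), nonce, player_seed, dealt)
    return honest, tampered, wrong_seed

if __name__ == "__main__":
    print(demo())
```
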