[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

re: Response to Anonymous re: Zero-Knowledge Freedom




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Attn: Anonymous

Thank you for your comments with regards to the Freedom project.   I
would like to respond to some of the points you have brought up.


>-----Original Message-----
>From: HyperReal-Anon [mailto:[email protected]]
>Sent: Friday, November 06, 1998 7:30 PM
>To: [email protected]
>Subject: 
>
>
>Attn: Austin Hill
>Zero Knowledge Systems, Inc.
>3981 St. Laurent Blvd. 
>Suite 810 
>Montr=E9al, Qu=E9bec 
>H2W 1Y5 
>Canada 
>514.286.2636 phone 
>514.286.2755 fax 
>
>Mr. Hill:
>
>Congratulations. I hope your name goes down in history for being
>involved in creating and operating FREEDOM.net
>
>Additional suggestions for the FREEDOM.NET concept:
>
>1) Undoubtedly, after your client software is developed and deployed
>there will be nations run by legislators and politicians with evil
>intentions to continue to restrict and sabotage the privacy of
>individuals. If your software already has flexible measures coded
into
>it to counter these evil forces, privacy seeking citizens from
>affected nations will prevail.
>
>For the client side software, it would be extremely useful to have a
>feature (or an input field) where users can view their IP hops
>(traceroutes), but more important to allow users to BYPASS all local
>FREEDOM servers in their home country (example: if terrible laws are
>passed like in the Netherlands requiring logging and storage of all
>packet info., etc.). In this manner, a local user in a restrictive
>nation could set their client to BYPASS all local FREEDOM servers,
>accessing only FREEDOM servers in the nearest friendly nation which
>protects privacy of users and allows FREEDOM servers to operate AS
YOU
>DESIGNED THEM.      Even the FSU of Russia has already begun to
>implement "black box" requirements at every ISP (only Internet by
>satellite will bypass this ?)
>
>Example:  
>
><Box to check> **Bypass local FREEDOM SERVER**
>Enter the IP address of first FREEDOM server to route 
>through__________________________________ (user fills in this blank)
>

Route definitions for use of AnonymousIP nodes is COMPLETELY
configurable.   A user of Freedom can define preferred exit hops (i.e.
'Make all my pseudonyms IP traffic come from country X'); server's to
avoid (i.e. 'Never use any Freedom node in country X'); and some
rather advanced custom configurations (i.e. 'Always make my exit hop
of of the following countries, use the fastest and best routing point
for my first hop and make my middle hop one of the following trusted
nodes')

With regards to countries such as the Netherlands; and Russia these
laws will have no effect on Freedom users.   Since all IP traffic
leaves the local computer anonymized and multiply encrypted with the
different keys for different hops a local ISP that is logging all
traffic as per government rules will only be able to log encrypted
data and be able to reveal that this user is using Freedom.    The
ability to define the destination or content of that Internet traffic
is not possible.    As well, due to the features we have included for
traffic analysis foiling, both packets and links are padded to avoid
traffic correlation's.    Even if an all powerful network attacker
with the ability to watch all incoming and outgoing connections to all
Freedom nodes attempts to correlate traffic patterns, they will not be
able to reveal the true identity behind the pseudonym.

The user interface for controlling the Freedom node selection and some
of these rules is designed to make it COMPLETELY transparent and easy
for the average Internet user.   There will be an advanced mode that
allows more advanced users to built custom routing profiles that they
can associate with a particular pseudonym or with particular
destination sites.  (i.e. Whenever I browse 'www.playboy.com' use
pseudonym 'playboyfan' and routing profile 'Fast routing, no rules
except exit hop cannot be in the following Muslim countries').




>
>2) It is very possible government spy agencies will secretly arrange
>for spy friendly ISP's to obtain your software and setup FREEDOM
>servers in their nation. Then, they could write or modify code to
>intercept and decrypt incoming packets of data BEFORE it hit the
>FREEDOM servers.   Can you write secret "test" code or test packets
>such that you can send out packets from your Canadian headquarters to
>test all FREEDOM servers deployed worldwide to detect all forms of
>tampering, and if detected, send emergency emails and post on
>newgroups the violators ?
>
This is essentially the hostile root/hostile node attack.   Ultimately
we have decided that protecting against a hostile root or node is
infeasible.   (i.e. Whatever attempts we make to make it impossible to
have a hostile node, do not justify themselves because they are not
completely effective)   We do employ some simple protections to try
and avoid amateur hostile nodes (Valid binary checking, periodic
unannounced audits for nodes) but a sophisticated and well financed
attacker could and most likely will operate a number of nodes in the
network.    To compromise the identity behind a pseudonym, an attacker
would have to control or collude with all the nodes you use in a
particular AnonymousIP route.    Since a user by default uses three
hops, and can configure specific nodes that they trust this reduces
the possibility of a single node or a groups of nodes being able to
work to compromise a pseudonyms privacy.

(i.e. If you decide based on reputation to trust Zero-Knowledge, you
might enter into your preferences to always use at least one
Zero-Knowledge server in your AnonymousIP routers.   This means that
as long as that Zero-Knowledge server does not have a hostile root or
that we have not been subverted that your identity is protected.   You
may choose to chain trusted servers (i.e. Use Zero-Knowledge, TOAD.COM
and EFF.ORG servers (TOAD.COM; EFF.ORG are just examples - They are
not to imply that they are currently committed to operate Freedom
nodes) for all my anonymous routes.)

Also because Freedom node operators are rewarded financially to
operate Freedom nodes, we've found incredible interest in the ISP
community to operate Freedom nodes.   This will help to increase the
total number of Freedom nodes in the network, making it that much
harder for a hostile attacker to operate a large percentage of nodes
in the network.  (i.e. 'If there are only 10 nodes in the network,
running 40% of them is quite easy.   If there are 700 nodes in the
network and a user only needs 3 of them, owning enough of those 700
nodes to have a reasonable chance at always being all 3 hops is less
likely.)




>3) Curiously, what if Canadian legislators / politicians create laws
>similar to what the Dutch parliment enacted recently ? Would you move
>your entire company to another nation ? Or, would you have to move
the
>FREEDOM net server headquarters to another nation ? It seems very
>important initially to setup FREEDOM servers in as many nations as
>possible to counteract such attempts to destroy the right to internet
>privacy.

Canada has proven quite committed to the privacy of its citizens and
has demonstrated its support for Canada's growing cryptography
industries.  Many leading cryptography companies are now setup in
Canada and able to export strong cryptography without restriction.  
We believe that Canada will remain a friendly country in which to
develop our products and distribute them around the world.

In the event that the US or another country were able to convince
Canada to ban anonymity/pseudonymity online; or make it illegal to
provide these services there are plans and provisions we have made to
ensure we are able to continue to provide service to our customers.   
Because of the distributed nature of the system, it would take a
global effort among all countries to ban and make Freedom illegal (A
nice soundbyte waiting to happen ;)

The US would have a difficult time (According to our lawyers) passing
a law making anonymity/pseudonymity illegal or banning the domestic
use of encryption products like Freedom.    Ultimately this will be
another example of 'the cats out of the bag'.   There will most likely
be some fights because this will be the first time that completely
pseudonymous digital identities will be accessible to the layman; or
average Internet user - and the technical sophistication of
AnonymousIP with pseudonymous identities mapped on top will pose a
serious challenge for some government initiatives.    But we will be
attempting to educate law enforcement; government officials that this
tool will be the primary and most effective way of protecting children
online (From stalkers and aggressive marketing profiles); protecting
privacy (Both archived histories that we cannot separate ourselves
from; multiple roles we have that are difficult to separate online
right now and privacy from aggressive marketing) and protecting free
speech and human rights on a global level.

For this education process to be effective, we will need to help
government understand that there are better ways of using traditional
law enforcement techniques to accomplish their goals.   This is the
same process that many of the cypherpunks; privacy advocacy groups and
lobbyists have already been doing and we will work on supporting those
efforts.

Initially we will have servers deployed in MANY countries and we have
an aggressive marketing plan to ensure that we have high penetration
of servers very quickly after we release.


>
>4) I urge you to try and think ahead, designing as many
>countermeasures as possible into the first initial version of client
>software, making it as easy as possible for users to circumvent any
>harmful measures taken by the evil forces of the dark side.

We have designed the system to be as versatile as possible and as hard
to shut down as possible.   We have included provisions (Might not be
in version 1, but can be applied very quickly after) to circumvent
country level firewalls or proxy servers so that countries that
attempt to ban all IP traffic to the Freedom network will encounter
many difficulties.   While this is not likely in most North American
or European countries (Although the US many attempt it when they
implement ISP blocking provisions for offshore gambling sites (Online
Gambling Act)and realize that Freedom clients can bypass ISP political
filtering of sites) in certain other countries around the world, the
initial reaction will be to ban Freedom and add it to a list of
filtered sites.    Since some of these countries are the ones that
have citizens who in the most urgent need of unlimited access to Free
Speech, total privacy for their browsing and online activities and the
ability to communicate secretly - we've made it very difficult for any
country to ban our traffic.



>
>5) A PARADOX awaits - Serious privacy advocates will want to "test"
>your system. One such test would be to sign up and operate as as a
>spammer, and use your system to pass on SPAM, or what about malicious
>hackers ? If that person is identified or revealed by you, then your
>system has been revealed as not a true anonymous system, and there
>will be a media feeding frenzy exposing it. But if it IS a truely
>anonymous system, you will have no way to identify and locate
spammers
>or malicious hackers.

The SPAM dilemma was one of the more difficult ones that we faced in
designing the project.   We were aware that if we could not manage the
abuse (Spam, harassment, Anonymous hack attempts) then we would
quickly become 'blackballed' for most services and a few bad apples
could affect all of our legitimate users.    We could not have the
option of knowing who to hold responsible for abuse because that would
include our holding some sort of identity escrow which we specifically
did not want and designed the system to make impossible.   The
alternative we decided on was to invest significantly on making abuse
easier through other networks than the Freedom network.   Some of the
ways we've accomplished this;

- -Designed the entire system around untraceable pseudonymity as opposed
to anonymity.

	This re-enforces the reputation capital aspect of having a pseudonym.
  In general we hope this will promote people who have made an
investment in a pseudonym (Both in time, and money) to be careful
about how badly the affect the online reputation of that pseudonym.

- -Associated a direct cost with a pseudonym

	By having a cost associated with a pseudonym, many people who would
normally take liberties in abusing Internet communication will/do
hesitate, since there is the potential of losing that financial
investment.


- -Forcing 'nymserver' like features of having all outgoing e-mail pass
through the Freedom server, signed by both the pseudonym and the
Freedom network key to avoid forged spam baiting mail.

- -Allowing end users to have destination blocking per recipient and
making it easy for them to request not to receive e-mail from a
particular pseudonym.  (In cases of harassment)

- -Developing sophisticated SPAM blocking systems to make our network
VERY VERY unfriendly to pseudonyms attempting to send SPAM.  (i.e. Max
per day recipients limits of 500 or so people; with the limit
automatically adjusting to deal with averages of all pseudonyms and
number of confirmed spam complaints.)   Bulk mailers will have the
option of purchasing a more expensive pseudonym that removes any daily
limits for recipients but has strict cancellation policies for
unsolicited spam (This enables an underground Zine that publishes
anonymously to sent out an edition every Friday to 15,000 people; but
if someone buys one of the bulk mailing pseudonyms (Around $500+/year)
and abuses by sending a massive SPAM we will confirm the spam
complaints (Based on digital sig on headers and message) and then have
the right to cancel the pseudonyms (Resulting in the Spammer paying
$500+ to deliver one spam to many people then losing that pseudonym.) 
 This makes it cheaper to SPAM from other free services or open mail
relay systems thereby diverting hard core spammers from making the
Freedom network their home.

- -Anonymous Telnet host blocking (Site administrators can work with us
to block anonymous telnet to their sites) allowing certain sites such
as MUDs and Telnet BBS's to allow access but corporate/university
sites to restrict access for anonymous telnet.



We hope with these and other systems we have taken the time to develop
it will help mitigate or reduce the potential of a few malicious users
to harm the legitimate Freedom users.    Ultimately we have only once
choice in dealing with abuse, canceling the pseudonym which will cause
a financial loss for someone as well as killing that 'nym and any
reputation it has gathered.    The terms under which we will cancel a
pseudonym will be very clearly posted, and the only other time is when
a government agency (Canadian) issues us a court order to turn off a
pseudonym.    There is NO MEANS possible for us to reveal the identity
of a user (Thereby avoiding some of the Penet.Fi style attacks).






>
>6) It seems unfortunate that some of the larger, "holier than thou,
>self righteous" worldwide ISP's (like AOL) will be frustrated at
>FREEDOM net not being able to identify who the spammers or hackers
>are, and then BLOCK    FREEDOM net packets from going through their
>servers, starting little electronic wars. These "blocking wars" have
>already occured from time to time.


Hopefully with the abuse management tools we've made available we will
cut off any attempts to block or ban our service.    If certain
domains/admins feel they still wish to ban Freedom traffic we would
work with them to address whatever concerns we can to help restore
good routing relations, but in the end it will be up to our users to
fight for FREEDOM, if anyone attempts to take it away.    Strong
letter writing campaigns, boycotts and media attention should all help
pressure certain organizations to deal with us on any complaints or
issues they have and not treat pseudonyms as second class online
citizens.

Ultimately this service and peoples pseudonymous digital identities
will be as valuable as they make them.   By using them frequently,
lobbying sites to support pseudonymous identities (For instance for
one click authentication and login to web sites), and making sure the
get ALL their friends to use pseudonyms then it becomes REALLY
difficult to shut the service down or silence millions of users.

If there is a small uptake and we only have 100,000 pseudonyms it
would be possible to shut the service down without a lot of noise
(We'll make as much as we can, but ultimately our users have to help).
  With 12 million pseudonyms registered and all of them making as much
noise as possible to fight any attempts to ban Freedom, there will by
a lot more chance of making Freedom completely ubiquitous.

>
>7) It would really be useful for your staff to address questions/
>concerns like these and others by creating pages regarding these
>matters on your website.

Hopefully, you are on some of the lists that I am responding to your
e-mail with.   Most of this information will be posted in time to our
web site, but the FAQ's and whitepapers describing most of this are
not ready for publication on the web yet.

>
>
>Anonymously Yours,
>
>P.S. I will only feel comfortable revealing my anonymous self to you
>by way of my psuedonym, when I sign up with your service, which I
hope
>to do as soon as FREEDOM net is ready.
>
>

Thanks for the interest and comments.   I hope I've been able to
answer most of your questions.




________________________________________________________________________
_
Austin Hill                                   Zero-Knowledge Systems
Inc.
President                                                Montreal,
Quebec
Phone: 514.286.2636 Ext. 226                            Fax:
514.286.2755
E-mail: [email protected]                                
http://www.zks.net

             Zero Knowledge Systems Inc. - Nothing Personal
			Changing the world with Zero Knowledge

PGP Fingerprints
2.6.3i = 3F 42 A2 0D AF 78 20 ED  A2 BB AD BE 8B 40 5E 64
5.5.3i = 77 1E 62 21 B3 F0 EB C0  AA 6C 65 30 56 CA BA C4 94 26 EC 00
keys available at 
http://www.nai.com/products/security/public_keys/pub_key_default.asp

________________________________________________________________________
_ 


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.5.3i for non-commercial use <http://www.pgpi.com>

iQA/AwUBNkS3qlbKusSUJuwAEQJzNACg7TTSDuipjmCrT78WMWKskdOkzgQAnAnq
R4ka2Ne+CMK4FmyAt6qfExJu
=paSA
-----END PGP SIGNATURE-----