On Tue, Dec 26, 2000 at 11:04:41PM -0800, Mr.Bad wrote:
> No matter what is decided about MediaEnforcer-style attacks, it seems
> unfair not to have a prominent notice about this on the Freenet site.
What is irritating me is that it has never been a secret that someone can
discover that you are running a Freenet node; in everything I have
written and every interview I gave on the aims of Freenet, I always point
out that Freenet aims to protect the anonymity of information producers
and information consumers, and NEVER claimed that it would be impossible
to detect whether you were participating in the network at all. Your
hysteria over this "security risk" is based around what I can only assume
was an incorrect understanding of the aims of this project on your part,
and I don't see why we need to start singing and dancing about it just
because you have learned something new which everyone else should have
been aware of within minutes of reading any one of a number of
descriptions of Freenet available on the website.
> I don't think any of us would think twice about criticizing a software
> company or project that had a known security risk, even if it was
> unproven and/or theoretical, and failed to inform users about
> it. (I use the term "security risk" under the broadest possible
> definition here, which might be, "Unplanned and unauthorized use of
> the software that causes the user a major pain in the ass." B-)
I am in favour of being completely open about what Freenet can and cannot
do; in fact, I do believe I suggested the creation of a webpage to address
exactly this issue not 2 weeks ago. I am well aware of the importance of
not selling false promises to people who may be in dangerous situations.
The best way to avoid this is total honesty and openness.
What I will not do is characterize this as a flaw in Freenet's design,
since any design is judged by its ability to meet stated goals (in
Freenet's case, to provide anonymity to creators and producers of
information, NOT to make it impossible for anyone to discover that you
are running a Freenet node at all). What I will also not do is to add
this as a new goal without a good deal of reasoned discussion, and I must
say your alarmist posts on the subject in the last few days
(<paraphrase>Freenet is broken, I am going to tell all of my friends not
to use it</paraphrase>) are not helping.
> It would be nice to say what we plan to do about the risk, even if we
> choose not to do anything and bank on the integrity and courage of
> ISPs and universities. But even if we haven't decided what we're going
> to do, we should point out the potential hazard.
Within the constraints of what I have said above, I am more than happy to
provide a detailed examination of this issue - but any solution should be
classified as an extension of Freenet's current aims, not a "security
fix". I do think that such an examination should come after there has
been more debate on the subject here.
Ian.