These hacks are very ancient news. We first wrote about them in, I think, 1998, and many of them, especially concerning Java, Javascript, and ActiveX, were not original to us even then. We were also all aware of GUIDs being embedded in Office Docs, Windows Media Players, Real players, etc. Mike Reed wrote a snoop server that we used to have posted on the onion routing site back then. A nice one that was new at the time was to embed into the HTML a call to use the RTSP protocol to load shells of movies into Quicktime, and other media players specifically to identify the IP address of the sender. There were other snoop servers and similar demo pages available from Anonymizer, Digicrime, JAP, and others. I don't know first who put up a demo of the obvious point that using an anonymous pipe does not imply an anonymous data stream nor the prevention of opening up a nonanonymous pipe if one doesn't shut down all other pipes or calls to them through the anonymous pipe.

So what?

1. It's pretty annoying that every few years someone announces a big discovery in which they re-invent a wheel that we and others had invented, implemented and announced many times. Then some press report jumps all over it like it's a new discovery that surprised the anonymous communications people unawares or something like that.

2. If the appalling lack of scholarship is annoying, the concerns are real. It's simultaneously true that it's unfair to yell at someone still trying to get a core TLS implementation done right for not having solved all the phishing attacks that might occur over applications that use it and true that people will get hurt by a browser that simply offers an OK crypto interface but doesn't cope with all the exploits that come from not understanding what it protects and what it doesn't (that's a metaphor, don't take it literally as about current Tor issues). What we don't need is anyone else telling us that there's a problem as if we didn't know that. People have to reinvent wheels a bit as they learn about something. That's fine, and they should be encouraged and coaxed, not ridiculed. But they shouldn't be tolerated if they put themselves forth as experts showing something new to the world while refusing to read any of the documentation, the specs, the code, or the scientific literature. What we do need are answers.

3. This is forever an arms race, and, once you get beyond the early adopters or systems for specialized use, telling people to RTFM is always a nonanswer. What exactly is an answer? I don't know. Many people who are on this list have hints of ideas that will help somewhat and they have been raising them, implementing them, analyzing them in papers, etc. I make one suggestion here so that I'm not just grousing, even constructively. It might be good to have a testing page that is part of the setup wizards in some way as well as being fairly prominent on the homepage.

Apologies if someone has already suggested that and I forgot (and especially apologies if that someone was me). There's lots of issues implicit in this suggestion, but nunc scripsi totam pro publio, da mihi potum.

aloha,
Paul
--
Paul Syverson                              ()  ascii ribbon campaign
Contact info at http://www.syverson.org/   /\  against html e-mail
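
An added example, not part of the original message: a small audit that flags markup of the kind the message describes (active content such as Java or ActiveX, and URLs like rtsp:// that a helper application may fetch outside the anonymizing proxy). The tag list, attribute list and set of proxied schemes are assumptions chosen for illustration, and the sample page is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: only these schemes are carried by the user's proxy setup.
PROXIED_SCHEMES = {"http", "https"}
# Assumption: tags that hand content to plugins or active code.
ACTIVE_TAGS = {"applet", "object", "embed", "script"}
# Assumption: attributes that may carry a URL the client will fetch.
URL_ATTRS = {"src", "href", "data", "codebase", "archive"}


class LeakAudit(HTMLParser):
    """Collect (line, tag, reason) findings for one HTML document."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]  # 1-based line where the tag starts
        if tag in ACTIVE_TAGS:
            self.findings.append((line, tag, "active content"))
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            scheme = urlsplit(value.strip()).scheme.lower()
            # Relative URLs have no scheme and inherit the page's transport.
            if scheme and scheme not in PROXIED_SCHEMES:
                self.findings.append((line, tag, f"non-proxied scheme {scheme}:"))


def audit(html):
    """Return all findings for an HTML string, in document order."""
    parser = LeakAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page; example.invalid is a placeholder host.
SAMPLE = """<html><body>
<a href="https://example.invalid/ok">plain link</a>
<embed src="rtsp://example.invalid/clip.mov">
<applet code="Probe.class"></applet>
<script src="https://example.invalid/a.js"></script>
</body></html>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A clean result only means none of the listed patterns appeared; it does not show that the data stream itself is anonymous.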