Re: all about transferable off-line ecash (Re: Brands off-line tech)

2002-04-08 Thread Mike Rosing

On Tue, 9 Apr 2002, Adam Back wrote:

> Transferable off-line coins allow all kinds of cool anonymity features
> as described above, I also argued above that the linkability
> deficiency can be somewhat defended against.
> 
> And transferable off-line coins add yet more flexibility, while again
> not preventing online clearing for those that prefer it.  While some
> of the features have the linkability artifact, those features are
> optional and the user has free choice to select methods to avoid
> entirely or defend against linkability by any of the available methods
> respectively fetching fresh online coins, using money-changers to do
> the same more off-line, and self re-spending to add confusion.  Hence
> transferable off-line coins are already superior to both
> non-transferable off-line coins and online coins due to the selection
> of choice of new features and trade-offs offered to the users.  All we
> need now is a way to more robustly defeat linkability.

While I agree with the goal, it's not clear to me that it's physically
possible.  What makes "money" useful is its physical existence, people
have been counterfeiting coins since they were invented but it's been
getting harder to do.  With off-line coins you could easily counterfeit or
double spend and live off the float, especially if you do it all
anonymously.  And if you just do it once with some huge sum, you'd get
away with it (like Enron guys did :-)

Money boils down to psychology - people trust that it trades their effort
for somebody else's effort.  Who's going to trust ephemeral bits?  Crossing
that barrier is going to be a lot harder than any technology.

Patience, persistence, truth,
Dr. mike





Re: all about transferable off-line ecash (Re: Brands off-line tech)

2002-04-08 Thread Adam Back

Anonymous gives some comments on some deficiencies in the properties
of the transferable ecash schemes to date:

On Mon, Apr 08, 2002 at 04:15:09AM +0200, Anonymous wrote:
> [...]
> And second, because they grow, it is possible to tell exactly how
> many hands a particular coin has passed through - just count the
> transcripts of previous spends.  So coins are not all that
> anonymous.  And further, there is no re-blinding of the earlier
> transcripts.  The Alice transcript is in the clear in all following
> uses of that same coin.  Transferred coins are recognizable and
> linkable.

While it is true that the coins are unavoidably linkable, the
linkability will only leak information where a user happens to see the
same coin twice as it gets re-spent, as he can recognize this.  As the
chain length is also visible he knows how many hands it has gone
through since he spent it.  However he has no way to identify the
intermediate payers except the last payer.

The amount of identifying information the immediate payer discloses is
up to that payer, though some identification may be relatively hard to
avoid if there is no anonymous communication link used.

So in general the shorter the intermediate chain the more revealing
about the first and last payer in the intermediate chain the
observation is.  The more people who collude, the more chance there is
that the colluding group can find samples of respent coins and so
identify or gain information about the transactions of a target payer
or payee.

The transaction information leakage from the linkability may be fairly
limited in practice -- for example by comparison how much transaction
leakage would you expect to get as an individual or small group of
colluding individuals if you write down the serial number on a bank
note and wait until you see it again -- or even if a bank were to
perform the same experiment, and they are far more likely to see it
again due to volume.  The issue will tend to be worse in small payment
communities.

Clearly it's not ideal, and it is useful to think about things you
could do to improve the situation:

- One thing that could be done to obscure this is to add a few extra
random spending hops (say 0-2) which the user can do himself by
spending to himself, though this comes at some extra space overhead.
The recipient won't be able to distinguish self-spends from
third-party spends.

- Another defense would be to use a third-party money-changer to
exchange coins for different coins.  Basically to shuffle coins around
a bit so that receiving a coin from someone with a short enough chain
length between current and recognised spend to normally leak some
information will no longer gain useful information.

Ideas for more robustly fixing it:

- Perhaps there is a way to encrypt the original chain with the bank's
public key with a randomizable encryption algorithm such as Elgamal
and yet retain sufficient proofs that the encrypted chain contains
coin transcripts which would identify the appropriate part if the coin
were double spent, and such that people handling the coin are assured
of its issue value.


Also here are some comments on the conclusions:

> So it works, but broadly speaking there are two problems.  First, off-line
> coins suck, as described above.  And second, because they grow, it is
> possible to tell exactly how many hands a particular coin has passed
> through - just count the transcripts of previous spends.  So coins are
> not all that anonymous.  And further, there is no re-blinding of the
> earlier transcripts.  The Alice transcript is in the clear in all
> following uses of that same coin.  Transferred coins are recognizable
> and linkable.  Hence they suck even worse than off-line coins.

Online actions are harder to perform anonymously, therefore added
flexibility to behave more off-line is good for anonymity.  Off-line
and transferable off-line coins add several new features which are
useful to an anonymous user:

- ability to transfer rather than deposit, so better hiding payee
identity from bank for payers that want this (there are good uses for
payee privacy as well as payer privacy)

- accountless operation is better for privacy than forcing payments to
be deposited and withdrawn as it also gives a user privacy of
transaction volume; however accountless operation where you have to
connect to the bank in real time (online protocol) makes it more
difficult to remain anonymous due to the need for interactive
low-latency communication

- a money changer is much easier and more realistic to operate with
off-line transferability -- it's basically impossible for the bank to
detect with off-line transferability.  With online coins a money
changer would stand out exchanging a lot of coins through its account
(with forced-account option), plus even with accountless online
exchange of fresh coins at the bank it's harder for the money changer
to hide its identity due to its necessarily high bandwidth,
low-latency inter

Re: mil disinfo on cryptome

2002-04-08 Thread Steve Thompson


Quoting Khoder bin Hakkin ([EMAIL PROTECTED]):
[faustine]
> More interestingly, s/he neglects to include this disqualifier from
> State Secrets:
> 
> >>Allegiance to the United States
> 
> Conditions that could raise a security concern and may be disqualifying
> include:
> 
>  d. Involvement in activities which unlawfully advocate or practice the
>  commission of acts of force or violence to prevent others from exercising
>  their rights under the Constitution or laws of the United States or of any state.<<
> 
> How many Congressvermin, police w/ NCIS access, FBI, judges, domestic
> spooks of all flavors, etc are guilty of this?

Here is a classic example of disinformation.  Obviously, certain rights,
activities, etc. from time to time require that various rights be
temporarily curtailed so that the important machinery of law-enforcement may
work its magic.

You're just trying to divert attention from this necessary exception to the
normal rules.  Therefore, you must be a spook.


Regards,

Steve

-- 
Just fake it.


-- 
Include "35da3c9e079dcf68ec3a608e8c0a47f6" somewhere in your
message when you reply.




RE: out of the box

2002-04-08 Thread Jonathan Wienke

ummm, you've been to Sweden, but can't even spell it right?

-Original Message-
From: Michael Roberts [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 04, 2002 2:19 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: out of the box


weird.  I was told this when I was in sweeden, as an explanation for
the basic niceness of sweedes - ie, that they received in school basic
emotional education which enabled them to deal with difficult people and
situations.

true/not true ?

M


On Thu, 2002-04-04 at 08:18, [EMAIL PROTECTED] wrote:
> Quoting Michael Roberts <[EMAIL PROTECTED]>:
>  
> > In Sweeden basic emotional education for all cuts social problems down
> > to a minuscule amount. 
> 
> Sweden has a basic emotional education for all? How come they never told me 
> that? 
> 
>  - Sten (born and raised in Sweden)




RE: mil disinfo on cryptome

2002-04-08 Thread Khoder bin Hakkin

> Oh, and I can't believe I almost forgot--I'm sure you'll be
> tickled pink to learn that ever having had anything to do with
> you can be the kiss of death as far as getting clearance is
> concerned. From the adjudication guidelines:
>
> http://www.dss.mil/training/adr/adjguid/adjguidF.htm
>
> "Conditions that could raise a security concern and may be
> disqualifying include:
>
>>d. Any foreign, domestic, or international organization or person engaged in
 analysis, discussion, or publication of material on intelligence, defense,
 foreign affairs, or protected technology.<<

However Faustine neglects to include the simple solution, that you simply
renounce playing with Johnny:

>>Conditions that could mitigate security concerns include:
 b. The individual terminates the employment or discontinues the activity upon
 being notified that it is in conflict with his or her security responsibilities.<<

More interestingly, s/he neglects to include this disqualifier from
State Secrets:

>>Allegiance to the United States

Conditions that could raise a security concern and may be disqualifying
include:

 d. Involvement in activities which unlawfully advocate or practice the
 commission of acts of force or violence to prevent others from exercising
 their rights under the Constitution or laws of the United States or of any state.<<

How many Congressvermin, police w/ NCIS access, FBI, judges, domestic
spooks of all flavors, etc are guilty of this?




brilliancy

2002-04-08 Thread Anonymous

"Any attacker who can control 100,000 machines is a major force on the
internet, while someone with a million or more is currently unstoppable:
able to launch massively diffuse DDOS attacks, perform needle in a
hayfield searches, and commit all sorts of other mayhem. We already
understand how worms could be used to gain control of so many machines.
Yet the recent revelation that Brilliant Digital Media has bundled a
small trojan with KaZaA has underscored another means by which an
attacker could gain control of so many machines: poorly secured
automatic updaters. If an attacker can distribute his own code as an
update, he can take control of millions of machines. "

http://www.cs.berkeley.edu/~nweaver/0wn2.html

So, now, how hard would it be to use this mechanism to upload PGPNet with
opportunistic encryption enabled to millions of hosts?




Re: FUCANN Fully UnCentrallized Authority for Naming and Numbers

2002-04-08 Thread Graham Lally

Frob the Builder wrote:
>> The problem comes when the server a domain points to is the map
>>for several domains, say via Virtual Hosts or selected forwarding. Many servers
>>use this if they're on a dedicated web-hoster, or for subdomains.
> 
> Ahah, because the 'physical' server uses the URL to map to 'virtual'
> servers.
> You're right, the Rev 1.0 plan doesn't handle that.

This only applies to HTTP requests though, AFAIK. The easiest workaround, I 
figure, is a translation proxy that you run (locally) and channel all requests 
through. This proxy could look up the virtual mapping from a local domain to a 
"legacy" domain and vice versa. Not big on proxies myself, so not sure how 
feasible it'd be to either build a custom one, or to adapt an existing one.

Off to look through Squid...

.g
-- 
"...not much (legal) material is out there that's full of graphics and in
a consumer-friendly format to create the need for DSL." - Jack Valenti

http://www.exmosis.net/
"Sometimes I use Google instead of pants."




Re: all about transferable off-line ecash (Re: Brands off-line tech)

2002-04-08 Thread Anonymous

The issue with off-line cash is this: has the coin being offered already
been spent?

With on-line cash, the offered coin is immediately deposited at the bank,
hence doubly-spent coins are detected instantly.  With off-line cash
this cannot be done because by definition there is no connection to the
bank.  Hence there is no way to know, off-line, if a coin has already
been spent.

The solution is to embed the identity of the withdrawer into the coin
when it is withdrawn from the bank, in such a way that this identity
will only be revealed if the coin is double-spent.  That provides a
partial solution to the off-line scenario.

A coin is offered off-line, and the recipient again has no guarantee that
it hasn't been spent already.  He accepts the coin anyway, and later when
he gets on-line he tries to deposit it at the bank.  But he learns that
he was cheated; the coin had already been spent.  Now he has a fall-back
solution: the doubly-spent coin reveals the embedded identity of the
party who withdrew it (and who doubly-spent it).  He can call the cops
and try to track down and prosecute the cheater.

All off-line spending schemes work this way.  All they can offer is
the hope of tracking down cheaters after the fact.  They can never
offer the assurance of validity that an immediate on-line check can
provide.

With off-line coins, unlike on-line coins, the spender knows more than
he's telling.  He knows secrets about those coins which would reveal his
identity; that is, his identity is embedded in some secret information
associated with the coin.  When he spends it at a shop, he responds
to a random challenge from the shop, using his secret information.
The system is set up so that the shop, and later the bank, can validate
his response as being valid, proving that he truly owned a coin.  For the
double-spending detection, the system is further arranged that if two
different shops offer two different random challenges, then from the
responses to these two challenges, the user's secret information and
therefore his identity is revealed.

To turn this into a transferable system, we would allow a chain of
transfers before the bank gets involved.  Alice spends the coin with Bob,
who spends it with Carol, who spends it with David, who deposits it at
the bank.  There are two problems.  First, only Alice knows the secret
information associated with the coin.  She can't give all the secrets to
Bob, or else he would know her identity.  So Bob only has a limited amount
of information about the coin.  Second, after this chain of transfers,
if there was double-spending, it might have been anyone along the chain.
The system for double-spending detection has to be able to identify
which person was the cheater.

The solution which Adam describes works as follows.  Each party
pre-withdraws a zero-value coin from the bank.  This is an off-line
coin which has their identity encoded in it, if they double-spend it.
Alice first spends her coin with Bob in the normal off-line way.  Bob ends
up with a transcript sufficient to prove that he received a presumably
valid coin from Alice (but one which might have been doubly-spent).

Now Bob wants to spend with Carol.  He does two things: he gives her
the transcript of Alice's spend with him, which implicitly identifies
the value of the coin; and also he engages in the regular off-line
coin spend with her, using his zero-value coin.

If Carol then spends the coin with David, she does the same two things:
she gives David the transcript of Bob's spend with her (which itself
included the two parts above), and also spends a zero-value coin with
him.  The resulting transcript now has three parts.

So it grows at each transfer, and in the end the transcript is deposited.
If there was a double-spend, someone spent his zero-value coin twice,
and his own identity is revealed.

There is one flaw, which is that Bob could use the same Alice transaction
with more than one zero-value coin, which he after all gets for free.
Carol can't tell that the Alice transaction she sees is the same one
someone else saw, and if Bob uses a unique zero-value coin for each spend,
then Bob's identity will not be revealed as it should be.

The fix for this is that when Bob receives the coin from Alice, knowing
that he is going to pass it on, he must link the specific zero-value coin
he will later use into the transcript he will receive of Alice's spend
with him.  This is done by including a hash of the coin information into
the random challenge he sends to Alice.  Then when he tries to pass the
coin on to Carol, she checks that the zero-value coin he is spending with
her matches the value used in the Alice transcript.  That prevents Bob
from using two different zero-value coins with a single Alice transcript.

So it works, but broadly speaking there are two problems.  First, off-line
coins suck, as described above.  And second, because they grow, it is
possible to tell exactly how many hands a particular coin has 
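
[Added example, not part of the original message and not code from any ecash implementation: the off-line spend, the hash-linked challenge and the double-spend identification described in the post above, sketched in Python. The response arithmetic is a Brands-style representation proof chosen as an assumption (the post gives no formulas); the toy group, nonces, user secrets and all function names are constructed for illustration, and the bank's signature on coins is left out.]

```python
import hashlib
import secrets

# Toy group, constructed for illustration and far too small for real use:
# G1 and G2 both have prime order Q modulo P.
P, Q, G1, G2 = 2039, 1019, 4, 9

def rand():
    return secrets.randbelow(Q - 1) + 1            # uniform in 1..Q-1

def withdraw(u):
    """Coin whose owner secret u is blinded by s (the bank's signature is omitted)."""
    s, x1, x2 = rand(), rand(), rand()
    a = pow(G1, u * s, P) * pow(G2, s, P) % P      # A = (g1^u * g2)^s
    b = pow(G1, x1, P) * pow(G2, x2, P) % P        # B = g1^x1 * g2^x2
    return {"sec": (u * s % Q, s, x1, x2), "pub": (a, b)}

def challenge(nonce, next_pub):
    """Receiver's challenge: his nonce hashed with the zero-value coin he will pass on with."""
    h = hashlib.sha256(repr((nonce, next_pub)).encode()).digest()
    return int.from_bytes(h, "big") % Q or 1

def spend(coin, nonce, next_pub):
    us, s, x1, x2 = coin["sec"]
    d = challenge(nonce, next_pub)
    return {"pub": coin["pub"], "nonce": nonce, "next_pub": next_pub,
            "r": ((d * us + x1) % Q, (d * s + x2) % Q)}

def verify(t):
    (a, b), (r1, r2) = t["pub"], t["r"]
    d = challenge(t["nonce"], t["next_pub"])
    return pow(G1, r1, P) * pow(G2, r2, P) % P == pow(a, d, P) * b % P

def accept_transfer(chain, hop):
    """Receiver's check: each hop verifies and spends the coin the previous hop bound."""
    full = chain + [hop]
    return all(verify(t) for t in full) and all(
        prev["next_pub"] == cur["pub"] for prev, cur in zip(full, full[1:]))

def reveal_identity(t1, t2):
    """Two responses from one coin under different challenges expose u."""
    d1, d2 = (challenge(t["nonce"], t["next_pub"]) for t in (t1, t2))
    inv = pow((d1 - d2) % Q, -1, Q)                # fails if the challenges collide
    us = (t1["r"][0] - t2["r"][0]) * inv % Q
    s = (t1["r"][1] - t2["r"][1]) * inv % Q
    return us * pow(s, -1, Q) % Q

if __name__ == "__main__":
    bob0, carol0 = withdraw(222), withdraw(333)    # zero-value coins
    ab = spend(withdraw(111), "bob-nonce", bob0["pub"])   # Alice -> Bob
    bc = spend(bob0, "carol-nonce", carol0["pub"])        # Bob -> Carol
    print("Carol accepts:", accept_transfer([ab], bc))
    print("fresh zero-value coin rejected:",
          not accept_transfer([ab], spend(withdraw(222), "n", carol0["pub"])))
```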

RE: mil disinfo on cryptome

2002-04-08 Thread Mike Rosing

On Sun, 7 Apr 2002, John Young wrote:

> Reputation is a trap not an accomplishment,  

Yeah, I like this statement a lot.  I've worked in some golden cages.  You
can't accomplish much when all you do is politics.  It's not anybody's
fault the disinfo forces specific mental states, but they can be pretty
sick states.

Patience, persistence, truth,
Dr. mike