Re: Freedom/Pipenet Security

1999-11-16 Thread Adam Shostack

On Tue, Nov 16, 1999 at 02:40:04AM -, lcs Mixmaster Remailer wrote:
|  The traffic shaping code has issues, in V1 it will be turned off.
|  Incidentally, the whitepaper you're looking at is close to retirement,
|  a newer, more accurate one will be out shortly.  In addition, we'll be
|  releasing our security analysis, which includes all of this, at about
|  the same time.
| 
| Votehere.net was raked over the coals for similar admissions of inaccurate
| website documents and promises of improved versions in the future.
| Will ZKS receive equal treatment?

Sure seems that way. :)

| The information that "traffic shaping" (link padding?) will be
| turned off in the initial release is especially disappointing.
| Without this technology Freedom provides little more privacy than
| anonymizer.com, or one of the hundreds of free web proxies listed at
| http://www.ijs.co.nz/proxies.htm and http://proxys4all.cgi.net/.

This is incorrect.

Any of those proxies offer a 'one warrant' model for betraying you.
If you leave reply blocks off, Freedom requires three warrants,
possibly in different jurisdictions.  In addition, anyone* can verify
what logs we create on the system, which is not the case with most of
those proxy systems.

*Anyone meaning anyone who gets the server operator package.  I'll
claim that in this small instance, opening our source doesn't matter,
since what's really relevant is the actual logging to disk (or net),
not what we do internally.

We will be publishing or opening our source code to outside
inspection.  I'm not going to attach a timeline to this, and we're
currently having an internal discussion about various implications of
the decision, including things like the need to take bugfixes and
patches from the outside, the possibility of forks, etc.

Adam


| No doubt the same cypherpunks who make excuses for ZKS's lack of open
| source because of potential protocol instability (when they are already
| issuing Release Candidate versions!) will explain why the absence of
| link padding is nothing to worry about.  It will be interesting to see
| how long ZKS continues to get a free pass from cypherpunks.

-- 
Resistance is futile!   http://jobs.zeroknowledge.com



Re: Freedom/Pipenet Security

1999-11-16 Thread Adam Shostack

Lucky, you offer some interesting challenges and questions.  I'm going
to focus on getting the whitepapers and security analysis finished and
published before responding in depth, because I think that it's more
useful to have this conversation with all the issues on the table.

Adam


On Tue, Nov 16, 1999 at 12:26:53AM -0800, Lucky Green wrote:
| Anon wrote:
|  The information that "traffic shaping" (link padding?) will be
|  turned off in the initial release is especially disappointing.
|  Without this technology Freedom provides little more privacy than
|  anonymizer.com, or one of the hundreds of free web proxies listed at
|  http://www.ijs.co.nz/proxies.htm and http://proxys4all.cgi.net/.
| 
|  No doubt the same cypherpunks who make excuses for ZKS's lack of open
|  source because of potential protocol instability (when they are already
|  issuing Release Candidate versions!) will explain why the absence of
|  link padding is nothing to worry about.  It will be interesting to see
|  how long ZKS continues to get a free pass from cypherpunks.
| 
| I wouldn't fully agree that ZKS received a free pass from Cypherpunks, but I
| readily admit that ZKS received a "presumption of security absent final
| specs and evidence to the contrary" due to the fact that Ian Goldberg is
| their Chief Scientist. Ian, unlike all but a few, is certainly capable of
| designing a secure anon IP system and has built up the impeccable personal
| credentials to not ever have given anyone even a hint of doubt that anything
| with Ian's name on it is anything but secure. Therefore, Freedom received
| the benefit of the doubt. This was a reasonable course of action to take at
| the time.
| 
| However, I must agree with Anon that the time for doubt is over. Freedom's
| present pseudonymous email system is massively insecure and subject to
| compromise by even a moderately competent script-kiddy attacker. Freedom
| email nyms allow for easy confirmation of the identity of a suspected nym
| user. This attack does not require the powers of the NSA, but can be
| accomplished by the average Bugtraq or Cypherpunks reader. At present, the
| use of Freedom nym email for anything significantly more sensitive than you
| would find comfortable discussing via your Hotmail account must be
| discouraged. I want a secure infrastructure as much, probably more so, than
| the next guy and therefore don't relish these findings. But undeniably,
| given the facts, these findings are the truth.
| 
| Unfortunately, Freedom security holes do not stop there. Freedom, as a
| feature, does not provide for anonymous IP. It provides for pseudonymous IP.
| The exit node (AIP) knows the nym of the user making an outgoing connection.
| If this user has been so unfortunate as to have set up a reply block, as the
| default sign-up script will prompt him to do, he too will fall to the same
| attack Freedom email nyms are subject to.
| 
| Now one may assert that the threat model for most users is not a corrupted
| Freedom server, but a corrupted target host. Sure, Raytheon may first
| subpoena Yahoo, but they will just as quickly subpoena the exit hop you
| chose in Freedom to access Yahoo. This task completed, they will know your
| Freedom nym. All that's left to do is a trivial attack against your POP
| server and your identity has been revealed. Your sole prayer for maintaining
| privacy is that your opponent will only resort to subpoenas, not hacks.
| YMMV, but I wouldn't want to bet any significant amount of money on the
| rigidity of this thin piece of straw.
| 
| Sadly, the core architecture of the Freedom IP network as presently fielded
| appears to be insecure even disregarding the fatal email nym-based attacks.
| Absent link padding, an attacker with access to your modem link, your ISP's
| router, or your ISP's Postmaster (that is to say any attacker that bothers to
| subscribe to Bugtraq or knows how to access http://www.rootshell.com) will
| be able to correlate your activities to those of your Freedom nym.
| 
| At this point, it seems that the best we can hope with respect to Freedom
| security is for ZKS to fix the truck-size security holes by version 1.1 and
| that nobody with any sensitive information will use Freedom until that time.
| 
| --Lucky Green [EMAIL PROTECTED]
| 
|   "Among the many misdeeds of British rule in India, history will look
|upon the Act depriving a whole nation of arms as the blackest."
|   - Mohandas K. Gandhi, An Autobiography, pg 446
|   http://www.citizensofamerica.org/missing.ram
| 

-- 
Resistance is futile!   http://jobs.zeroknowledge.com



Re: Two Observations on the IETF Plenary Wiretap Vote

1999-11-15 Thread Adam Shostack

On Mon, Nov 15, 1999 at 07:20:13AM -, lcs Mixmaster Remailer wrote:
|  Over the years, using Wei Dai's term Pipenet (or Pipe-net, as it was spelled
|  originally) has firmly been established as denoting an anonymous IP
|  network that uses constant or otherwise data independent "pipes" between the
|  nodes of the network. Since Freedom uses link padding, I would consider
|  Freedom a Pipenet.
| 
|  It has been the recognition that data-independent traffic flows are a
|  necessary design component of a secure anonymous IP network, especially
|  between the end-user and the first network node, that sets Pipenet designs
|  apart from naive implementations such as the first generation Onion Routers
|  and Crowds.
| 
| Does Freedom do this?  The white paper at
| http://www.zeroknowledge.com/products/Freedom_Architecture.html describes
| padding between AIP (Anonymous Internet Proxy) nodes:

The traffic shaping code has issues, in V1 it will be turned off.
Incidentally, the whitepaper you're looking at is close to retirement,
a newer, more accurate one will be out shortly.  In addition, we'll be
releasing our security analysis, which includes all of this, at about
the same time.

Adam


| : Reading the list of neighbors, the AIP sends "PADDING" packets through
| : UDP to the neighbors. These packets have the same size as payload packets
| : to provide "for free" cover traffic. The use of PADDING packets and cover
| : traffic introduces the notion of a Heartbeat amongst the AIPs. A heartbeat
| : is defined as the time delay at which a packet must leave the machine for
| : a specific neighbor, hiding any information of the AIP server's status
| : (idle or busy).  The heartbeat concept prevents traffic analysis to a
| : significant degree. Since packets are sent out on a regular basis, and
| : knowing the rate at which these heartbeat packets arrive at a machine,
| : an AIP can determine if a neighbor is unreachable since it will fail to
| : send an ALIVE packet after a certain amount of time. PADDING packets
| : further prevent traffic analysis by maintaining a constant data flow
| : between the AIPs. In addition, all data is link encrypted between two
| : adjacent routers with a shared session key.
| 
| However the diagram does not show the end user's "client" node as an
| AIP node.  The document further identifies the AIP as a subsystem of a
| Freedom Server node.  These are the "mix" nodes and are a separate set
| than the client nodes.
| 
| This documentation would apparently be consistent with the use of link
| padding between the nodes of the network but not between the user's
| machine and the node where it enters the network.  As Lucky points
| out, padding from the end-user to the first network node is important.
| We need a clear description of the Freedom architecture which answers
| this question.


-- 
Resistance is futile!   http://jobs.zeroknowledge.com
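The padded link that the quoted whitepaper excerpt describes (fixed-size PADDING packets sent at a heartbeat rate, a neighbour declared unreachable after missed heartbeats), as an added Python illustration that is not Freedom/ZKS code; the packet size, heartbeat interval and missed-heartbeat limit are assumed values. It also makes the point raised in the replies concrete: a padded link looks identical to an observer whether the user is active or idle, while an unpadded link (the client-to-first-node hop the thread worries about) does not.

```python
"""Constant-rate link padding with a heartbeat, modelled on the AIP-to-AIP
padding described in the quoted whitepaper excerpt. Added example, not
ZKS code; sizes, interval and liveness threshold are assumed values."""
from collections import deque

PACKET_SIZE = 1024   # assumed: PADDING packets are the same size as payload packets
HEARTBEAT = 1.0      # assumed: one packet per neighbour per heartbeat tick (seconds)
MISSED_LIMIT = 3     # assumed: neighbour unreachable after 3 ticks without a packet


def pad_payload(data: bytes) -> bytes:
    """Every packet on the wire has the same length. The tag byte (0x01 payload,
    0x00 padding) is only visible after link decryption, never to an observer."""
    body = data[:PACKET_SIZE - 1]
    return bytes([0x01 if data else 0x00]) + body.ljust(PACKET_SIZE - 1, b"\0")


def padded_link(payload_schedule, ticks):
    """Emit exactly one fixed-size packet per heartbeat tick, draining queued
    payload first and sending PADDING when idle. Returns the (time, length)
    pairs an eavesdropper on the link would observe."""
    queue = deque()
    wire = []
    for t in range(ticks):
        queue.extend(payload_schedule.get(t, []))   # chunks queued at this tick
        chunk = queue.popleft() if queue else b""   # b"" -> PADDING packet
        wire.append((t * HEARTBEAT, len(pad_payload(chunk))))
    return wire


def unpadded_link(payload_schedule, ticks):
    """Same payload with no cover traffic: packets appear only when data does,
    so timing and size on the wire follow the user's activity directly."""
    wire = []
    for t in range(ticks):
        for chunk in payload_schedule.get(t, []):
            wire.append((t * HEARTBEAT, len(chunk)))
    return wire


def neighbour_alive(last_seen_tick, now_tick):
    """Heartbeat liveness: any packet (payload or padding) counts as a sign of
    life; silence for MISSED_LIMIT ticks marks the neighbour unreachable."""
    return now_tick - last_seen_tick < MISSED_LIMIT


# Constructed sample: the user is active at ticks 2-4 and idle otherwise.
ACTIVE = {2: [b"GET /"], 3: [b"GET /a"], 4: [b"GET /b"]}
IDLE = {}

if __name__ == "__main__":
    print("padded link, active == idle:", padded_link(ACTIVE, 6) == padded_link(IDLE, 6))
    print("unpadded link, active == idle:", unpadded_link(ACTIVE, 6) == unpadded_link(IDLE, 6))
```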



Re: so why is IETF stilling adding DES to protocols? (Re: It's official... DES is History)

1999-06-26 Thread Adam Shostack

On Fri, Jun 25, 1999 at 06:48:49PM +0200, Ulf Möller wrote:
|  I'll assert that deploying DES today is WORSE than deploying no crypto
|  at all, because of the deployed lifetime of a new product, and the
|  associate removal of pressure to deploy an effective cryptosystem.
| 
| OpenSSL supports strong crypto. DES support is there only to allow our
| users to talk to crippled American browsers and the like. Those we
| don't deploy.
| 
| Besides, as the developers of open source software we can hardly
| exercise pressure on our users.

I don't develop OSS, but I'll suggest that if you require the user to
compile with -DAMAZINGLY_BROKEN_CIPHERS_NSA_LOVES, you cause them to
at least consider this issue, rather than naively assume that all the
non-snake oil, outside the US crypto in OpenSSL is secure.

This is pressuring your users to do the right thing, or at least
consider the issues.  Do you think it would substantially hurt your
uptake?

Adam


-- 
"It is seldom that liberty of any kind is lost all at once."
   -Hume





Re: so why is IETF stilling adding DES to protocols? (Re: It's official... DES is History)

1999-06-26 Thread Adam Shostack

On Fri, Jun 25, 1999 at 02:32:44PM -0700, James A. Donald wrote:
|  Despite your contempt for Netscape and Microsoft, they do,
|  in fact, sell strong crypto products where they are able
|  to.  If the CEOs of these companies went to their boards of
|  directors and told them that they were going blow off the 
|  entire international market because they didn't want to put
|  export grade crypto into their products, they'd be out of
|  their jobs faster than you could say "stockholder lawsuit."
| 
| PGP neither crippled its product, nor did it blow off the
| export market.  Instead it vigorously worked around the
| existing laws.  Microsoft has made some effort to get around
| these laws, but seemed to lose interest.  Perhaps Bill Gates
| was the recipient of a little talk.  Netscape does not seem
| to have made any effort to get around these laws. 

That is not the case.  Netscape published a good deal on what they
were going through, spent substantial sums on lobbying (there was a
while when Netscape's counsel, (Peter Haber)? was one of the most
prominent voices on this subject), got conditional access crypto put
in, and shipped a browser or two with a "POLICY-BEGINS-HERE" bug that
could be fixed with a text editor.

To say Netscape didn't achieve what we all wanted them to would be
correct.  To assert that they didn't try is revisionist history
comparable to the work done by Winston Smith.

Adam


-- 
"It is seldom that liberty of any kind is lost all at once."
   -Hume