Re: Statements about the HTL attacks
shroobi writes:

>> Hi shroobi,
>>
>> shroobi writes:
>>
>>> I wanted to leave a note about these statements on the Freenet
>>> homepage. I don't understand why a response to disprove the paper
>>> would be released but there hasn't been any code put in place to
>>> address the problem.
>>
>> There was no code put in place, because the statistics in the attacks
>> were false. We can’t fix it if there is no vulnerability in the
>> first place.
>>
>> To be frank: The paper was wrong.
>>
>>> Furthermore, later a detailed description was made of *how exactly* an
>>> attack could be done with certainty. Not cool. An enormous risk has
>>> been put on users because of this. Why was that done?
>>
>> That later description was also false:
>> https://www.draketo.de/software/levine-2017-errors.html
>>
>> We cannot fix it in code when people simply fake proof.
>
> Final note: The minimal information required for statistical claims
> about observations of node upload or download activity in Freenet:
> … snip …

Did you see any claim that actually contained this information?

If not, then they are trying to fake proof by making unverifiable claims.

I have yet to see anyone giving a solid statistical argument while providing the actually needed information to check their claims.

This is not to say that it is impossible to trace you on opennet. It’s just that no one ever did it right.

To actually prevent all but the most powerful (those who can make ISPs their tools and hack individual computers) from tracking you, you must be connected via friend-to-friend mode (high security) with people you trust not to try to proactively track you. To track you then requires hacking your friends' computers.

To get even higher security, you’ll also need to connect Freenet to the internet via a regional mesh-network that does not spy on the data you transmit to find people who upload lots of encrypted packages.

But the first step to improve protections for your privacy is really to move to friend-to-friend mode.

Best wishes,
Arne

--
Being apolitical means being political without noticing it
Re: Statements about the HTL attacks
Hi shroobi,

shroobi writes:

I wanted to leave a note about these statements on the Freenet homepage. I don't understand why a response to disprove the paper would be released but there hasn't been any code put in place to address the problem.

There was no code put in place, because the statistics in the attacks were false. We can’t fix it if there is no vulnerability in the first place.

To be frank: The paper was wrong.

Furthermore, later a detailed description was made of *how exactly* an attack could be done with certainty. Not cool. An enormous risk has been put on users because of this. Why was that done?

That later description was also false:
https://www.draketo.de/software/levine-2017-errors.html

We cannot fix it in code when people simply fake proof.

Final note: The minimal information required for statistical claims about observations of node upload or download activity in Freenet:

- The exact time and HTL of each watched chunk that was seen from the node
- per chunk: node-location of the observer at the time
- per chunk: node-location of the observed at the time
- per chunk: node-locations of all peers of the observer at the time
- per chunk: node-locations of all peers of the observed at the time
- per chunk: the manifest it belongs to (only size + index in some list + number of chunks in the manifest)
- per chunk: routing part of the key of the chunk (no decryption possible from this info => data not accessible)
- The exact formula of the probability that the observed is a valid target
- The exact formula of the probability that the observed is not a false positive
- The results of applying those formulas to the data along with the data, so they can be checked independently.
- all chunks received at HTL <= 16 which would be a match if at HTL > 16
- The peercounts they observed on that day in all nodes they connected to (a plain list of numbers)

Keys for chunks should be truncated by cutting or blacking at least 4 letters, so they cannot easily be used to download the associated data, though the full keys must be provided on request to an independent trusted party (i.e. the defense lawyer) to verify that they contain what is claimed. Otherwise they could just make up claims from thin air.

Definition: watched chunks are those which are recorded if received from the observed or sent to the observed, as well as those which would be recorded if received by the observer or sent by the observer.

If observers cannot provide this minimal information, they cannot get a robust statistical result. If they do not want to provide this to a court, they prevent the court from checking their claims.

Yes, it is hard to correctly trace activity in Freenet to a specific user. Without this property, Freenet could not protect freedom of speech and of the press, both of which are under attack in many countries around the world.

And Freenet enabled that in 2007: Use the friend-to-friend mode (high security / darknet). This is the only way to prevent easy harvesting of your IP, and so it is the only way to prevent someone from targeting you with faked proof.

Best wishes,
Arne

Right back atcha, champ
Re: Statements about the HTL attacks
Hi shroobi,

shroobi writes:

> I wanted to leave a note about these statements on the Freenet
> homepage. I don't understand why a response to disprove the paper
> would be released but there hasn't been any code put in place to
> address the problem.

There was no code put in place, because the statistics in the attacks were false. We can’t fix it if there is no vulnerability in the first place.

To be frank: The paper was wrong.

> Furthermore, later a detailed description was made of *how exactly* an
> attack could be done with certainty. Not cool. An enormous risk has
> been put on users because of this. Why was that done?

That later description was also false:
https://www.draketo.de/software/levine-2017-errors.html

We cannot fix it in code when people simply fake proof.

The actual problem is in the legal system. If a court accepts false proofs, the only way we can prevent this is to hide the address of the node in the first place.

And Freenet enabled that in 2007: Use the friend-to-friend mode (high security / darknet). This is the only way to prevent easy harvesting of your IP, and so it is the only way to prevent someone from targeting you with faked proof.

Best wishes,
Arne

--
Being apolitical means being political without noticing it
Statements about the HTL attacks
I wanted to leave a note about these statements on the Freenet homepage. I don't understand why a response to disprove the paper would be released but there hasn't been any code put in place to address the problem.

Furthermore, later a detailed description was made of *how exactly* an attack could be done with certainty. Not cool. An enormous risk has been put on users because of this. Why was that done?

--
It's like shroobi, but with an eye.