Re: [freenet-support] Wondering about darknets security
On 07/29/2011 05:28 PM, Dennis Nezic wrote:
> On Tue, 26 Jul 2011 14:15:35 +0100, Matthew Toseland wrote:
>> Basically, you are vulnerable to your peers (those other freenet nodes your node connects to). They know your IP address - they have to to connect to you. They can identify you. As you rightly point out, your peers can also, with a fair bit of work, and on various plausible assumptions, identify much of what you are doing on Freenet.
>
> When will premix routing and tunneling and onion routing be implemented?

Who will authenticate the key of the node that you tunnel to? Your peer can make you believe that it is a whole tunnel. Even if you use two peers and then try to find a common friend of a friend of a friend... you are still making some big assumptions.

So as I see it, tunnelling can only guarantee safety when you 100% trust your friends not to spy on you, and in that case you don't really need it.

- Volodya

--
http://freedom.libsyn.com/ Echo of Freedom, Radical Podcast

None of us are free until all of us are free. ~ Mihail Bakunin

___
Support mailing list
Support@freenetproject.org
http://news.gmane.org/gmane.network.freenet.support
Unsubscribe at http://emu.freenetproject.org/cgi-bin/mailman/listinfo/support
Or mailto:support-requ...@freenetproject.org?subject=unsubscribe
Re: [freenet-support] Wondering about darknets security
One question about darknets: in a darknet-only net where, let's say, it's 10 people, can they see stuff like linkarmageddon and other freesites, or only the content they share on the darknet? If one node became an opennet hybrid, will they be able to get to the rest of Freenet and freesites?
Re: [freenet-support] Wondering about darknets security
On 07/29/2011 10:08 AM, BoBeR wrote:
> One question about darknets: in a darknet-only net where, let's say, it's 10 people, can they see stuff like linkarmageddon and other freesites, or only the content they share on the darknet? If one node became an opennet hybrid, will they be able to get to the rest of Freenet and freesites?

You can only see the content that you can connect to through other people's nodes. Therefore if you set up an island darknode then only the content that these nodes insert will be visible (you won't even have autoupdates). However, once one or more people start connecting to the global darknet or opennet, others will be able to see the 'global' content through the bridge nodes (hopefully).

- Volodya

--
http://freedom.libsyn.com/ Echo of Freedom, Radical Podcast

None of us are free until all of us are free. ~ Mihail Bakunin
Re: [freenet-support] Wondering about darknets security
On Tue, 26 Jul 2011 14:15:35 +0100, Matthew Toseland wrote:
> Basically, you are vulnerable to your peers (those other freenet nodes your node connects to). They know your IP address - they have to to connect to you. They can identify you. As you rightly point out, your peers can also, with a fair bit of work, and on various plausible assumptions, identify much of what you are doing on Freenet.

When will premix routing and tunneling and onion routing be implemented?
Re: [freenet-support] Wondering about darknets security
On 07/26/2011 06:15 AM, Matthew Toseland wrote:
> The electronic attacks mentioned above are far cheaper than any scheme to try to get people who run Freenet to spy on their friends. You can only spy on your direct friends (well, it gets less accurate the more hops away the target, but this also makes opennet surveillance much cheaper). Putting 10% of the population on the payroll (as in East Germany) is always a rather expensive way to gather intelligence! The hope is that there will be a large enough global darknet that those who have a particular need for it (for instance those who publish subversive political blogs) will be able to connect to their friends (who the authorities already know about from e.g. phone records), who don't.

I guess I'm either not understanding darknet, or I'm not understanding the underlying reason(s) for Freenet as a whole. I was under the impression that darknet leaves you wide open to your friends, so choose your friends carefully. Opennet still left you open to those who connect with you, but you might have some level of anonymity when communicating. I also believe I read in one of your posts here a while back that while Freenet packets are encrypted and can't be audited for content from outside the Freenet network, it's still fairly easy to spot Freenet node activity even without knowing the specifics of what's moving in and out of that node.

Now in most democratic countries, the government has to jump through certain legal hoops in order to seize one's equipment, arrest a person, etc. But if Freenet is built with the goal of allowing dissidents to communicate below the radar of a totalitarian government, by your description it seems doomed to failure. If a government-controlled ISP can use traffic analysis to spot Freenet traffic, and if they don't have legal hoops to jump through, can't that government then easily place one darknet person under house arrest and keep the darknet node running? Doesn't that give them the packet contents as well as the packet originator?

And how would one securely connect to someone in darknet mode unless you know the operator of that node personally? If that person turned out to be a spy, doesn't connecting to him in darknet mode leave you with no anonymity whatsoever?
Re: [freenet-support] Wondering about darknets security
On Thu, Jul 28, 2011 at 11:06 AM, Ray Jones crawlz...@gmail.com wrote:
> On 07/26/2011 06:15 AM, Matthew Toseland wrote:
>> The electronic attacks mentioned above are far cheaper than any scheme to try to get people who run Freenet to spy on their friends. You can only spy on your direct friends (well, it gets less accurate the more hops away the target, but this also makes opennet surveillance much cheaper). Putting 10% of the population on the payroll (as in East Germany) is always a rather expensive way to gather intelligence! The hope is that there will be a large enough global darknet that those who have a particular need for it (for instance those who publish subversive political blogs) will be able to connect to their friends (who the authorities already know about from e.g. phone records), who don't.
>
> I guess I'm either not understanding darknet, or I'm not understanding the underlying reason(s) for Freenet as a whole. I was under the impression that darknet leaves you wide open to your friends, so choose your friends carefully.

Darknet leaves you basically exactly as open to your peers as Opennet does. With Darknet, you choose your peers. With Opennet, your peers choose you (or at least, they can, and will if they're attackers that you're worried about). So, on Darknet, you should choose your peers carefully enough to be somewhat confident they aren't actively out to get you, and you'll be doing better than Opennet. If you want, you can be more paranoid about peer selection than that. In which case, Opennet *definitely* isn't for you.

To summarize:

Lowest security, easiest to set up: run opennet.

Marginal improvement: run a hybrid Opennet/Darknet node. Mostly this should be treated as a transition point to full Darknet, or a way to help out your Darknet-only friends.

Better security, somewhat harder to set up: run Darknet, and connect to anyone you personally know and don't believe to be cooperating with the Bad Guys.

Still better security, even harder to set up: Be more picky about your Darknet peers.

Best security: Immolate your computer on a pyre of thermite, and go live in a cave somewhere. Or simply stop doing whatever it is you're worried about getting caught at.

Seriously, there is no perfect security; it's just a question of what's good enough, and what your threat model is.

> Opennet still left you open to those who connect with you, but you might have some level of anonymity when communicating. I also believe I read in one of your posts here a while back that while Freenet packets are encrypted and can't be audited for content from outside the Freenet network, it's still fairly easy to spot Freenet node activity even without knowing the specifics of what's moving in and out of that node.

Depends on your standards of fairly easy. It requires some amount of traffic analysis, which means significantly more CPU investment. This may be enough to stop snooping ISPs, but won't stop an adversary with a specific target in mind.

> Now in most democratic countries, the government has to jump through certain legal hoops in order to seize one's equipment, arrest a person, etc. But if Freenet is built with the goal of allowing dissidents to communicate below the radar of a totalitarian government, by your description it seems doomed to failure.

I'd call it a work in progress, best suited to countering threats less severe than a dedicated state actor with police-state level powers. And against that threat model, I have no clue what the answer is.

> If a government-controlled ISP can use traffic analysis to spot Freenet traffic, and if they don't have legal hoops to jump through, can't that government then easily place one darknet person under house arrest and keep the darknet node running? Doesn't that give them the packet contents as well as the packet originator?

Certainly. Which is far, far harder than chasing down a target on Opennet -- that doesn't even require warrants, let alone things like house arrest. Like I said, protecting against police-state level adversaries is hard.

> And how would one securely connect to someone in darknet mode unless you know the operator of that node personally? If that person turned out to be a spy, doesn't connecting to him in darknet mode leave you with no anonymity whatsoever?

That's precisely the idea behind Darknet. You should know your peers personally. Whether from the Internet, or Real Life. You should know them from somewhere *other* than a board dedicated to finding Darknet peers. Someone you know from conversations on Freenet might work. Choosing people at random will do bad things to the network; choosing people you have a social connection to (regardless of where that connection comes from) should provide the required network properties.

Really, it depends on trust levels. If you just want better security than Opennet, all you have to do is make your adversary put some human effort into setting up each
Re: [freenet-support] Wondering about darknets security
On Thu, 2011-07-28 at 11:51 -0400, Evan Daniel wrote:
> On Thu, Jul 28, 2011 at 11:06 AM, Ray Jones crawlz...@gmail.com wrote:
>> On 07/26/2011 06:15 AM, Matthew Toseland wrote:
>>> The electronic attacks mentioned above are far cheaper than any scheme to try to get people who run Freenet to spy on their friends. You can only spy on your direct friends (well, it gets less accurate the

Let's suggest you are a group of young Libyan men, who want to fight Gadaffi without G knowing. You meet such groups in certain Libyan cities and discuss, then you start a darknet, only with people you have met personally and exchanged nodes at these meetings only, let's say by exchanging one CD each node. Then you do planning of what to do to get rid of Gadaffi using this darknet... Then nobody but the implied persons of the darknet will know.

Of course if a spy from Gadaffi becomes part of the darknet from joining such meetings, this person could compromise everything. But as long as the darknet is running properly with trusted persons only you have a very safe haven. If compromised you could close down that darknet and start a new darknet with proper people. And so on. You could even make a new darknet twice a year to ascertain it is not compromised.

It could be a group of gangsters or porno people etc - only the fantasy sets the limit.

This was an attempt to explain the principle with simple terms of how a darknet could be used *smile*
Re: [freenet-support] Wondering about darknets security
On Thu, 28 Jul 2011 11:51:12 -0400, Evan Daniel wrote:
> [...]
> To summarize:
>
> Lowest security, easiest to set up: run opennet.
>
> Marginal improvement: run a hybrid Opennet/Darknet node. Mostly this should be treated as a transition point to full Darknet, or a way to help out your Darknet-only friends.
>
> Better security, somewhat harder to set up: run Darknet, and connect to anyone you personally know and don't believe to be cooperating with the Bad Guys.
>
> Still better security, even harder to set up: Be more picky about your Darknet peers.
>
> Best security: Immolate your computer on a pyre of thermite, and go live in a cave somewhere.
> [...]

I couldn't find the immolate-option during the installation wizard.
Re: [freenet-support] Wondering about darknets security
On Wednesday 29 Jun 2011 14:46:06 Anonymous wrote:
> This is sent anonymously, sorry if this message appears more than once. The remailer network is not very reliable.
>
> I see Matthew Toseland propagating darknet, connection to 'friends' only, in favour of opennet. Now since there is no way around the fact that 'friends' must know your IP and it being very easy for them to monitor all you do on Freenet, I think using darknet is by definition making yourself much more vulnerable than opennet, no matter how much more attacks may be possible to the strangers network. Also no matter the visibility of me having a Freenet node up. Because it takes just one infiltrant who just has to sit back and follow all connections to know exactly who to pick out.
>
> As an internet pedophile, I know that there is no worse security than breaking the rule: trust no one. I can't possibly seek out 'trusted friends' in real life, that's hopefully obvious. But it stretches to say, Chinese dissidents who may find it easier to have real life trustees. Also their darknet can be compromised by government and how many can one infiltrator then catch at once?

On balance I suppose it's best that I answer this, because of the other people reading (especially via archives and Google). Legally we can't be seen to be providing technical support to pirates, I don't think there is any such issue with paedophilia. However, I strongly urge you to refrain from abusing children or paying for said abuse. Exchanging second-hand (or nth-hand) pictures of such abuse is a far lesser issue, though it is unfortunate that Freenet gets used for such things (and it's still illegal, as I'm sure you are aware!).

Basically, you are vulnerable to your peers (those other freenet nodes your node connects to). They know your IP address - they have to to connect to you. They can identify you. As you rightly point out, your peers can also, with a fair bit of work, and on various plausible assumptions, identify much of what you are doing on Freenet.

There are two consequences for opennet:

1. An attacker could connect to every node on the network, and thus identify everything going on. Such an attack would be only moderately expensive, since the network is small. The main costs would be bandwidth and hardware, and a little software development.

2. If you are inserting files whose contents are predictable in advance, and are inserting them as CHKs, or reinserting them, or you are regularly chatting on some board or otherwise making many requests which are easily identified, a far cheaper attack is possible, which involves the attacker intercepting a few requests randomly (depending on how many requests you are sending, i.e. how big the file is etc), and then using them to get a rough fix on your location (keyspace-wise), which he then uses to get connections closer to his guesstimate of where you are. Then he will see more of the request stream, and can thus close in increasingly quickly.

This is technically feasible on darknet, but the difference is, on opennet you can quickly get connections at a specific keyspace location (via announcement), and on darknet, getting connections is (relatively) expensive as you have to either compromise somebody's computer, social engineer them, kidnap them, etc, for each hop.

Hence it is not a matter of hiding in the crowd on opennet, on the basis that your peers probably aren't the bad guy because there are only a few bad guys, because first, the attacker can connect to everyone relatively cheaply, and second, he can move around.

I reasonably expect that future versions of Freenet will make the second attack harder than it is now. However, the first isn't going away any time soon.

The electronic attacks mentioned above are far cheaper than any scheme to try to get people who run Freenet to spy on their friends. You can only spy on your direct friends (well, it gets less accurate the more hops away the target, but this also makes opennet surveillance much cheaper). Putting 10% of the population on the payroll (as in East Germany) is always a rather expensive way to gather intelligence! The hope is that there will be a large enough global darknet that those who have a particular need for it (for instance those who publish subversive political blogs) will be able to connect to their friends (who the authorities already know about from e.g. phone records), who don't.

To answer your X files'ism, even if the second attack is resolved, running opennet is equivalent to trusting anyone powerful enough to connect to all peers (and they probably don't even need to do that in practice). Trusting your friends is preferable to trusting anyone and everyone.

You could reasonably come back here and say that Tor doesn't require me to have any friends, and gives me better security, and so on. The short answer is, Tor can be blocked (the Chinese have managed to block even its
[freenet-support] Wondering about darknets security
This is sent anonymously, sorry if this message appears more than once. The remailer network is not very reliable.

I see Matthew Toseland propagating darknet, connection to 'friends' only, in favour of opennet. Now since there is no way around the fact that 'friends' must know your IP and it being very easy for them to monitor all you do on Freenet, I think using darknet is by definition making yourself much more vulnerable than opennet, no matter how much more attacks may be possible to the strangers network. Also no matter the visibility of me having a Freenet node up. Because it takes just one infiltrant who just has to sit back and follow all connections to know exactly who to pick out.

As an internet pedophile, I know that there is no worse security than breaking the rule: trust no one. I can't possibly seek out 'trusted friends' in real life, that's hopefully obvious. But it stretches to say, Chinese dissidents who may find it easier to have real life trustees. Also their darknet can be compromised by government and how many can one infiltrator then catch at once?