
[freehaven-dev] an attack on buddies



Scenario:

We've got a share S_1 living on host A. It has a buddy S_2 that lives on
host B.

The Church of Scientology owns node C.

Share S_1 gets traded from A to C. The Scientology people say "ah ha, I
have a share of a file I want to kill. But I don't have the buddy, so I
can't just drop this share yet. But this share says that its buddy lives
on B, so I'm going to start asking B for trades until I get the buddy."

No problem -- we put a special case in so a share doesn't get traded to
a node that already has its buddy on it.

"Great," says Scientology. "That's why we've got node D, and we'll just
try to get node D to obtain the buddy, then drop them both and not squawk."

No problem -- that's why we limit the number of trades we accept from a
given node. That means that D would take a long time before it randomly
picked the buddy. (Note: it might be that D provides a very narrow window
of "acceptable" trades, to aim at getting the buddy more quickly. Perhaps
we should become distrustful of people who are so specific about what they
want.)

"Great," says Scientology. "Good thing we're rich. We'll just make a bunch
of nodes, and build up a minimal trust for each, and since we know exactly
who has the buddy, we're going to get it after a while."

No problem -- that's why we've got a bunch of nodes on the system. All of
this attack is predicated on the idea that Scientology can get their grubby
little paws on one of the shares, which statistically they can't count on,
certainly not for every share of a document.

What do you think? Did I miss anything?
--Roger
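
A rough way to put numbers on the per-node trade limit and the narrow-window concern raised above, as an added example that is not part of the original post or of Free Haven's code. It assumes B answers each accepted trade with a uniformly random share from those matching the request and that B's store stays the same size; all function names, parameters and values are hypothetical.

```python
import random

def capture_probability(pool, cap, nodes):
    """Chance that at least one of cap*nodes trades returns the buddy.

    pool  -- shares on B that match the request (assumed model: B answers
             with a uniformly random matching share, and the buddy matches)
    cap   -- trades B accepts from any single node
    nodes -- distinct identities the requester controls
    """
    return 1.0 - (1.0 - 1.0 / pool) ** (cap * nodes)

def nodes_needed(pool, cap, target=0.5):
    """Smallest number of identities that reaches the target probability."""
    nodes = 1
    while capture_probability(pool, cap, nodes) < target:
        nodes += 1
    return nodes

def simulate(pool, cap, nodes, runs=10000, seed=1):
    """Monte Carlo check of the closed form; slot 0 stands for the buddy."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(runs):
        # B's store keeps its size (it receives a share in each trade),
        # so every trade is an independent draw from the same pool.
        if any(rng.randrange(pool) == 0 for _ in range(cap * nodes)):
            hits += 1
    return hits / runs

if __name__ == "__main__":
    cap = 5  # constructed value: trades accepted per node
    # pool=100: broad requests only; pool=10: B tolerates narrow windows.
    for pool in (100, 10):
        k = nodes_needed(pool, cap)
        print(f"pool={pool:3d} cap={cap}: {k} identities for a 50% chance "
              f"(closed form {capture_probability(pool, cap, k):.3f}, "
              f"simulated {simulate(pool, cap, k):.3f})")
```

With these constructed numbers, refusing narrow requests raises the identities required from 2 to 14, which is the cost the trade limit and the distrust of overly specific requests are meant to impose.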