
Remop inbreeding, or, the 'kidnap Len' attack



We've been pondering this issue for a while, and I just had a conversation
with Raph about it, so I'll get it written down while it's still fresh.

The fundamental problem is that the goal of the remailer network is to
get lots of mixes that don't really care about each other. Worst case
is if all nodes are run by one person, or can otherwise be manipulated
or blackmailed by a common issue. For shorthand, we've termed this the
'Kidnap Len' attack -- what do we do if the bad guy kidnaps Len, and
demands that either we turn over sufficient info to track a user, or
Len gets it? The fact that the remailer community has grown closer in
the past few years means we are weaker to this attack.

(As a side note, there's an interesting prisoner's dilemma here. If we
believe in the security of our batching strategies, then as long as a few
people resist, the rest of them can yield the information without any
harm. That is, if the threat is "we ruin your life", then *most* remailers
can give in, knowing that the bad guy won't get enough information to
track his victim. I've cc'ed Alessandro on this because it sounds like
economics :) Is there anything this reminds you of, Alessandro?)

At first I thought the idea of using a trust metric to decide who gets to
be a remailer made the kidnap Len attack even worse, because we would be
effectively enforcing an inbred community. If we do such a trust metric
it's critical that we emphasize that a cert is based on whether you
think he's an honest operator, not just whether he's your friend. I'm
not quite sure what it means to be an honest operator (honest against
what adversary? honest meaning will resist even when threatened with
lawsuit? arrest? death?). I fear implementing the web of trust well will
be difficult, until we sort out what we want certs to mean.

Raph suggests that scaling essentially solves the 'kidnap Len' attack --
as the net scales, the diameter increases, so a 'low cost' attack against
one node becomes less powerful.

It does have one good defense going for it though: publicity. Once
it became public that it was happening, we might see a whole lot more
support for anonymity suddenly (and for Len ;).

So one might argue that growing the remop community by enlisting our
friends is not actually significantly strengthening the network. But on
the theory that worse is better, and on the theory that momentum and
apparent activity are way more important than theoretical security at
this point, I think it's a fine way to grow.

--Roger
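
The threat model discussed in the message above, worked through as an added example (not part of the original post). Everything in it is an assumption made for illustration: the social-tie model, the 3-hop path length, counting the hostage's own node as yielding, and the rule that a message is traceable only when every hop on its path yields.

```python
# Added illustration of the 'kidnap Len' threat model; all parameters are constructed.
from math import comb

PATH_LEN = 3  # hops per message (assumed)

def community(n_total, n_friends):
    """Social ties: the first n_friends operators all know each other;
    the remaining operators have no ties to anyone (constructed model)."""
    friends = {f"op{i}" for i in range(n_friends)}
    return {f"op{i}": (friends - {f"op{i}"} if i < n_friends else set())
            for i in range(n_total)}

def yielding_set(ties, hostage, resisters=()):
    """Operators who hand over logs: the hostage's node (assumed) plus every
    operator tied to the hostage, minus those who refuse."""
    return (set(ties[hostage]) | {hostage}) - set(resisters)

def traceable_fraction(ties, hostage, resisters=(), path_len=PATH_LEN):
    """Share of uniformly chosen paths (distinct hops) where every hop yields."""
    n, k = len(ties), len(yielding_set(ties, hostage, resisters))
    return comb(k, path_len) / comb(n, path_len)  # comb() is 0 when k < path_len

def worst_case(ties, resisters=(), path_len=PATH_LEN):
    """Exposure when the adversary picks the most damaging hostage."""
    return max(traceable_fraction(ties, h, resisters, path_len) for h in ties)

def scenarios():
    inbred = community(10, 10)
    return {
        "10 ops, all friends, none resist": worst_case(inbred),
        "10 ops, all friends, 2 resist": worst_case(inbred, {"op1", "op2"}),
        "50 ops, grown by enlisting friends": worst_case(community(50, 50)),
        "50 ops, same 10 friends + 40 strangers": worst_case(community(50, 10)),
    }

if __name__ == "__main__":
    for name, frac in scenarios().items():
        print(f"{name:42s} {frac:.4f}")
```

Under these assumptions, exposure is driven by the ratio of socially tied operators to total operators, not by the raw node count.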