[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[freehaven-cvs] elaboration on dishonest node motivations
Update of /home/freehaven/cvsroot/doc/fc03
In directory moria.seul.org:/home/arma/work/freehaven/doc/fc03
Modified Files:
econymics.tex
Log Message:
elaboration on dishonest node motivations
Index: econymics.tex
===================================================================
RCS file: /home/freehaven/cvsroot/doc/fc03/econymics.tex,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -d -r1.9 -r1.10
--- econymics.tex 15 Sep 2002 06:18:03 -0000 1.9
+++ econymics.tex 15 Sep 2002 08:56:09 -0000 1.10
@@ -94,7 +94,7 @@
optimal strategies for participants based on a variety of scenarios.
Ultimately we aim to uncover some new insights about how to align
incentives to create an economically workable system for both users and
-node operators.
+infrastructure operators.
\end{abstract}
@@ -105,7 +105,7 @@
\section{Introduction}
\label{sec:intro}
-Individuals and organizations have both a need and a desire for
+Individuals and organizations need and desire
anonymity on public networks like the Internet. People want to be able
to surf the Web, purchase online, and send email without revealing
their identities, interests, and activities to others. Corporate and
@@ -131,7 +131,7 @@
our speculations about the influences and interactions based on these
incentives. Ultimately we aim to uncover some new insights about how
to align incentives to create an economically workable system for both
-users and node operators.
+users and infrastructure operators.
Section \ref{sec:overview} gives an overview of the
ideas behind our model, and Section \ref{sec:model} goes on to describe
@@ -167,8 +167,8 @@
bandwidth and processing power, most of which will be used by `freeloading'
users who do not themselves run nodes. Furthermore, when administrators
are faced with abuse complaints concerning illegal or antisocial use of
-their systems, the very anonymity that they're providing makes it very
-difficult to take the usual solutions of suspending users or otherwise
+their systems, the very anonymity that they're providing prevents
+the usual solutions of suspending users or otherwise
holding them accountable.
Unlike encryption (confidentality), it's not enough for the communicating
@@ -190,12 +190,12 @@
point of vulnerability, both from insiders and from attackers who try
to bridge the trust bottlenecks.
-Anonymity systems must also be robust against a surprisingly wide variety
+Anonymity systems must be robust against a surprisingly wide variety
of active attacks to break anonymity \cite{back01,raymond00}. Adversaries
can also attack to reduce the efficiency or reliability of nodes, or
to make it more expensive for operators to continue running nodes. All
-of these factors combine to threaten the \emph{anonymity} of the system
-as well. Back et al point out that ``in anonymity systems usability,
+of these factors combine to threaten the \emph{anonymity} of the system.
+As Back et al point out, ``in anonymity systems usability,
efficiency, reliability and cost become \emph{security} objectives because
they affect the size of the user base which in turn affects the degree
of anonymity it is possible to achieve'' \cite{back01}.
@@ -687,7 +687,8 @@
\section{A few more roadblocks}
\label{sec:roadblocks}
-\subsection{Authentication in a volunteer economy}
+%\subsection{Authentication in a volunteer economy}
+\subsection{Pseudospoofing and dishonest nodes}
Our discussions above indicate that it may in fact be plausible to build
a strong anonymity infrastructure from a wide-spread group of independent
@@ -698,13 +699,16 @@
However, volunteers are problems: users don't know who they're dealing
with. In this work we primarily focus on the strategic motivations of
honest agents, but the motivations of dishonest agents are at least as
-important. An anonymity-breaking adversary with an adequate budget would
+important. An anonymity-breaking adversary with an adequate budget would
do best to provide very good service, possibly also attempting DoS against
other high-quality providers. None of the usual metrics of performance and
efficiency will help tell who the bad guys are in this instance. Further,
who assigns those metrics and how? If they depend on a centralized trusted
-authority, the advantages of diffusion are lost. A reliability-breaking
-adversary will have still different goals and approaches.
+authority, the advantages of diffusion are lost. Another approach to
+breaking anonymity is to simply destroy the reliability (or maybe just
+the perceived reliability) of the system --- this attack flushes
+users to a weaker system just as military strikes against underground
+cables force the enemy to communicate over less secure channels.
It is possible to structure system protocols to create better
incentives for honest principals and to catch bad performance by others
@@ -740,10 +744,10 @@
for better service or preferential treatment --- the hordes in the coach
seats are probably better off anonymity-wise than those in first class.
-This requirement to pidgeonhole users into a few behavior classes
+This need to pigeonhole users into a few behavior classes
conflicts with the fact that real-world users have different interests
and different approaches. Heterogeneity in its users is what makes the
-Internet so lively and successful. Reduced options can lead to reduced
+Internet so lively and successful. Reducing options can lead to reducing
usability, scaring away the users and leaving a useless anonymity system.
% It remains to be seen whether designs and
***********************************************************************
To unsubscribe, send an e-mail to majordomo@seul.org with
unsubscribe freehaven-cvs in the body. http://freehaven.net/