[freehaven-cvs] elaboration on dishonest node motivations

[arma@seul.org (Roger Dingledine)]

Update of /home/freehaven/cvsroot/doc/fc03
In directory moria.seul.org:/home/arma/work/freehaven/doc/fc03

Modified Files:
	econymics.tex 
Log Message:
elaboration on dishonest node motivations


Index: econymics.tex
===================================================================
RCS file: /home/freehaven/cvsroot/doc/fc03/econymics.tex,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -d -r1.9 -r1.10
--- econymics.tex	15 Sep 2002 06:18:03 -0000	1.9
+++ econymics.tex	15 Sep 2002 08:56:09 -0000	1.10
@@ -94,7 +94,7 @@
 optimal strategies for participants based on a variety of scenarios.
 Ultimately we aim to uncover some new insights about how to align
 incentives to create an economically workable system for both users and
-node operators.
+infrastructure operators.
 
 \end{abstract}
 
@@ -105,7 +105,7 @@
 \section{Introduction}
 \label{sec:intro}
 
-Individuals and organizations have both a need and a desire for
+Individuals and organizations need and desire
 anonymity on public networks like the Internet. People want to be able
 to surf the Web, purchase online, and send email without revealing
 their identities, interests, and activities to others. Corporate and
@@ -131,7 +131,7 @@
 our speculations about the influences and interactions based on these
 incentives. Ultimately we aim to uncover some new insights about how
 to align incentives to create an economically workable system for both
-users and node operators.
+users and infrastructure operators.
 
 Section \ref{sec:overview} gives an overview of the
 ideas behind our model, and Section \ref{sec:model} goes on to describe
@@ -167,8 +167,8 @@
 bandwidth and processing power, most of which will be used by `freeloading'
 users who do not themselves run nodes. Furthermore, when administrators
 are faced with abuse complaints concerning illegal or antisocial use of
-their systems, the very anonymity that they're providing makes it very
-difficult to take the usual solutions of suspending users or otherwise
+their systems, the very anonymity that they're providing prevents
+the usual solutions of suspending users or otherwise
 holding them accountable.
 
 Unlike encryption (confidentality), it's not enough for the communicating
@@ -190,12 +190,12 @@
 point of vulnerability, both from insiders and from attackers who try
 to bridge the trust bottlenecks.
 
-Anonymity systems must also be robust against a surprisingly wide variety
+Anonymity systems must be robust against a surprisingly wide variety
 of active attacks to break anonymity \cite{back01,raymond00}. Adversaries
 can also attack to reduce the efficiency or reliability of nodes, or
 to make it more expensive for operators to continue running nodes. All
-of these factors combine to threaten the \emph{anonymity} of the system
-as well. Back et al point out that ``in anonymity systems usability,
+of these factors combine to threaten the \emph{anonymity} of the system.
+As Back et al point out, ``in anonymity systems usability,
 efficiency, reliability and cost become \emph{security} objectives because
 they affect the size of the user base which in turn affects the degree
 of anonymity it is possible to achieve'' \cite{back01}.
@@ -687,7 +687,8 @@
 \section{A few more roadblocks}
 \label{sec:roadblocks}
 
-\subsection{Authentication in a volunteer economy}
+%\subsection{Authentication in a volunteer economy}
+\subsection{Pseudospoofing and dishonest nodes}
 
 Our discussions above indicate that it may in fact be plausible to build
 a strong anonymity infrastructure from a wide-spread group of independent
@@ -698,13 +699,16 @@
 However, volunteers are problems: users don't know who they're dealing
 with. In this work we primarily focus on the strategic motivations of
 honest agents, but the motivations of dishonest agents are at least as
-important.  An anonymity-breaking adversary with an adequate budget would
+important. An anonymity-breaking adversary with an adequate budget would
 do best to provide very good service, possibly also attempting DoS against
 other high-quality providers. None of the usual metrics of performance and
 efficiency will help tell who the bad guys are in this instance. Further,
 who assigns those metrics and how? If they depend on a centralized trusted
-authority, the advantages of diffusion are lost. A reliability-breaking
-adversary will have still different goals and approaches.
+authority, the advantages of diffusion are lost. Another approach to
+breaking anonymity is to simply destroy the reliability (or maybe just
+the perceived reliability) of the system --- this attack flushes
+users to a weaker system just as military strikes against underground
+cables force the enemy to communicate over less secure channels.
 
 It is possible to structure system protocols to create better
 incentives for honest principals and to catch bad performance by others
@@ -740,10 +744,10 @@
 for better service or preferential treatment --- the hordes in the coach
 seats are probably better off anonymity-wise than those in first class.
 
-This requirement to pidgeonhole users into a few behavior classes
+This need to pigeonhole users into a few behavior classes
 conflicts with the fact that real-world users have different interests
 and different approaches. Heterogeneity in its users is what makes the
-Internet so lively and successful. Reduced options can lead to reduced
+Internet so lively and successful. Reducing options can lead to reducing
 usability, scaring away the users and leaving a useless anonymity system.
 
 % It remains to be seen whether designs and

***********************************************************************
To unsubscribe, send an e-mail to majordomo@seul.org with
unsubscribe freehaven-cvs       in the body. http://freehaven.net/