[freehaven-cvs] finished first pass over sections 5 and 6



Update of /home/freehaven/cvsroot/doc/fc03
In directory moria.seul.org:/home/arma/work/freehaven/doc/fc03

Modified Files:
	econymics.bib econymics.tex 
Log Message:
finished first pass over sections 5 and 6


Index: econymics.bib
===================================================================
RCS file: /home/freehaven/cvsroot/doc/fc03/econymics.bib,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -d -r1.8 -r1.9
--- econymics.bib	15 Sep 2002 23:56:34 -0000	1.8
+++ econymics.bib	16 Sep 2002 02:34:12 -0000	1.9
@@ -105,6 +105,16 @@
 month = {September}
 }
 
+@InProceedings{nymserver98,
+  author =       {David Mazi\`{e}res and M. Frans Kaashoek},
+  title =        {{The Design, Implementation and Operation of an Email
+                  Pseudonym Server}},
+  booktitle =    {$5^{th}$ ACM Conference on Computer and
+                  Communications Security (CCS'98)},
+  year =         1998,
+  publisher =    {ACM Press}
+}
+
 @Misc{palfrey-rosenthal-89,
 author = {Thomas R. Palfrey and Howard Rosenthal},
 title = {Underestimated Probabilities that Others Free Ride: An Experimental Test},
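Review bot: the `booktitle` of the new `nymserver98` entry writes the ordinal in math mode (`$5^{th}$`), which sets "th" in math italic and survives poorly in any plain-text or HTML export of the bibliography; `5th` or `5\textsuperscript{th}` is safer. The entry is also indented and aligned differently from the neighbouring `palfrey-rosenthal-89` entry, and it has no `pages` or `month` field, so pick one layout for the file and fill in what is known.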
@@ -156,6 +166,15 @@
   url = {\url{http://www.cs.rice.edu/Conferences/IPTPS02/}}
 }
 
+@InProceedings{mojo,
+  author = "Bryce Wilcox-O'Hearn",
+  title = {{Experiences Deploying a Large-Scale Emergent Network}},
+  booktitle = "1st International Peer To Peer Systems Workshop (IPTPS 2002)",
+  month = Mar,
+  year = 2002,
+  url = {\url{http://www.cs.rice.edu/Conferences/IPTPS02/}}
+}
+
 @InProceedings{raymond00,
   author =       {J. F. Raymond},
   title =        {{Traffic Analysis: Protocols, Attacks, Design Issues,
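Review bot: the `mojo` entry mixes double-quoted and braced field values (`author = "..."` next to `title = {{...}}`) and uses the bare macro `month = Mar` where an earlier entry in this file writes `month = {September}`; use one delimiter style and one month convention across the file. The `url` is the workshop page, identical to the one on the entry just above, rather than a link to this paper, so a reader following it will not land on the paper itself.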
@@ -167,6 +186,12 @@
   pages =	 {96--114},
   editor =	 {H. Federrath},
   publisher =	 {Springer Verlag, LNCS 2009},
+}
+
+@Misc{seti-stats,
+  author = {UC Berkeley}, 
+  title = {{SETI@home: Search for Extraterrestrial Intelligence at Home}},
+  howpublished = {\url{http://setiathome.ssl.berkeley.edu/}},
 }
 
 @InProceedings{syverson_2000,
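Review bot: `author = {UC Berkeley}` in the new `seti-stats` entry will be parsed by BibTeX as a personal name (first name "UC", last name "Berkeley"), so abbreviating styles will print and sort it wrongly; wrap the institution in a second pair of braces, `author = {{UC Berkeley}}`. A web resource also wants a `year` or a `note` with the access date, and there is trailing whitespace after the `author` line.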

Index: econymics.tex
===================================================================
RCS file: /home/freehaven/cvsroot/doc/fc03/econymics.tex,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -d -r1.17 -r1.18
--- econymics.tex	15 Sep 2002 23:56:35 -0000	1.17
+++ econymics.tex	16 Sep 2002 02:34:12 -0000	1.18
@@ -86,15 +86,14 @@
 \begin{abstract}
 
 Decentralized anonymity infrastructures are still not in wide use today.
-Here we explore some reasons why anonymity systems are particularly
-hard to deploy, enumerate the incentives people have to
-participate either as senders or as nodes, and build a general model to
-take into account each of these incentives. We then describe and justify
-some simplifying assumptions to make the model manageable, and compare
-optimal strategies for participants based on a variety of scenarios.
-Ultimately we aim to uncover some new insights about how to align
-incentives to create an economically workable system for both users and
-infrastructure operators.
+Here we present some new insights about how to align incentives to
+create an economically workable system for both users and infrastructure
+operators. We explore some reasons why anonymity systems are particularly
+hard to deploy, enumerate the incentives people have to participate either
+as senders or as nodes, and build a general model to take into account
+each of these incentives. We then describe and justify some simplifying
+assumptions to make the model manageable, and compare optimal strategies
+for participants based on a variety of scenarios.
 
 \end{abstract}
 
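Review bot: the new opening sentence asserts that the paper presents "some new insights" without saying what they are, where the removed closing sentence only said "Ultimately we aim to uncover" them. Either name one concrete insight in the abstract or keep the more modest wording, so the claim matches what the sections deliver.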
@@ -847,21 +846,21 @@
 reputation can come in the form of wanting a higher reputation to get
 more cover traffic, but also as one of the rewards for the ``special
 agents'' above. Just as the stats pages for seti@home \cite{seti-stats}
-encourage more participation, publically quantifying and ranking their
-generosity and interest in providing privacy systems to the world creates
-an incentive to participate. This incentive is very important to consider,
-even if doesn't fit in our model very well, because to date that's where
-most node operators come from.
+encourage more participation, publically quantifying and ranking
+generosity creates an incentive to participate. The incentives of public
+recognition and wanting to donate service for the public good are very
+important to consider, even if they don't fit in our model very well,
+because to date that's where most node operators come from.
 
-If we publish a list of mixes ordered by reliability (and thus safety,
-based on number of messages each message is expected to be mixed with),
-then the high sensitivity users will gravitate to those mixes, causing
+If we publish a list of mixes ordered by safety (based on number of
+messages each message is expected to be mixed with),
+the high sensitivity users will gravitate to safe mixes, causing
 more traffic, and improving their safety further (and lowering the safety
 of other nodes). Based on our model the system will stabilize with one
 or a few remailers. One reason it won't actually stabilize like this
-is because $p_a$ is influenced not just by $n_h$ but also by some fuzzy
-notion of diverse jurisdictions --- a given high sensitivity sender is
-happier with a set of diverse mostly safe nodes than with a set of very
+is because $p_a$ is influenced not just by $n_h$ but also by
+jurisdictional diversity --- a given high sensitivity sender is
+happier with a diverse set of mostly safe nodes than with a set of very
 safe nodes run in the same zone. Another reason it may not stabilize is
 that at some point latency will begin to suffer, and the low sensitivity
 users will go elsewhere, thus taking away the nice anonymity sets. (On
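Review bot: "publically" is carried over unchanged into the rewritten sentence and should be "publicly". In the same hunk, "high sensitivity users" and "low sensitivity users" are compound modifiers and want a hyphen ("high-sensitivity"), and "One reason it won't actually stabilize like this is because" reads better with "is that".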
@@ -871,12 +870,29 @@
 of messages from the low sensitivity people, and thus end up providing
 \emph{better} anonymity than one that fires only infrequently. Is a
 message from a high sensitivity sender ''better'' than a message from a
-low sensitivity sender?  Certainly a dummy message which ends at a mix is
+low sensitivity sender? Certainly a dummy message which ends at a mix is
 ''worse'' than an actual message that ends at an actual recipient.
 
-\item  mojonation: we might be able to get the system to work by building in
-a micropayments system, like mojo nation did. however, its design isn't as
-applicable here as we might hope.
+\item Micropayments for service. Mojo Nation \cite{mojo} was a
+peer-to-peer design for robustly distributing resources (e.g. file
+sharing). It employed a digital cash system, called \emph{mojo}, to help
+protect against abuse of the system. In addition to the usual operations
+of publish and retrieve, users could also pay nodes to indirect traffic
+through them, both so they can participate in the system behind NATs
+and so they can gain some measure of anonymity. Participants in the
+system `pay' mojo to other participants when they ask for a service that
+uses resources. Thus Mojo Nation reduces the potential for damage from
+resource flooding attacks. Further, this credit and reputation system
+allows the interactions to be streamlined based on trust built up from
+past experience.
+
+While Mojo Nation's currency design was a fascinating idea for building
+a stable economic ecosystem, the system ultimately fell apart due to
+more mundane concerns such as usability and lack of funding. Even if it
+had succeeded to the point of being able to offer anonymity services,
+though, there would have been many more problems to face. We detail some
+of these in the next section.
+
 \end{enumerate}
 
 \section{A few more roadblocks}
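Review bot: the new Mojo Nation item switches tense mid-paragraph: "was a peer-to-peer design" and "users could also pay" sit next to "so they can participate", "Participants in the system `pay' mojo" and "Thus Mojo Nation reduces", although the following paragraph says the system "ultimately fell apart". Put the whole description in the past tense. While this block is being edited, note that the lines around the whitespace fix still open quotations with `''better''` and `''worse''`; LaTeX needs two backticks for the opening quotation mark.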
@@ -923,80 +939,75 @@
 Another potential solution, a global PKI to ensure unique identities, is
 unlikely to emerge any time soon.
 
-\subsubsection{Why ``lazy'' nodes are more likely than flat-out
-``dishonest'' nodes%
-%[[ Feel free to remove this sub-sub-section if you do not feel it is technically appropriate. The main point I would like to make about pseduospoofing and dishonest nodes is that if we consider strategic dishonest nodes then we must also consider their rational incentives]]
-}
+\subsubsection{Why lazy nodes are more likely than flat-out dishonest
+nodes}
 
-On the other side, when we consider ``strategic'' dishonest nodes we must
-also analyze their motivations as rational agents. A flat-out dishonest
-agent is an agent whose only presence in the system is justified by her
-desire to compromise its anonymity or its reliability. In doing so, however,
-a dishonest agent will have to consider the costs of reaching and mantaining
-a position from which those attacks are possible (which will probably
-involve gaining reputation and acting as a node for an extended period of
-time); the benefits from successful attacks from that position (which might
-be financial, as in the case of sensitive information being spoofed, or a
-competitor's service being disrupted; or they could be purely related to
-personal satisfaction); and the costs following being discovered as a
-dishonest node (reaching an attack position will likely involve efforts,
-time, and, more importantly, publicity; therefore 1) acting as a dishonest
-node without being detected as such will be unlikely, and 2)\ being exposed
-as a dishonest node might have serious negative consequences (in direct
-financial terms, reputation, and so on) for the attacker itself. 
+On the other hand, when we consider strategic dishonest nodes we must also
+analyze their motivations as rational agents. A flat-out dishonest agent
+participates only to compromise anonymity or reliability. In doing so,
+however, a dishonest agent will have to consider the costs of reaching
+and maintaining a position from which those attacks are effective ---
+which will probably involve gaining reputation and acting as a node for
+an extended period of time. Such adversaries will be in an arms race with
+protocol developers \cite{casc-rep} to stay undetected while performing
+their attacks. The benefits from successful attacks might be financial,
+as in the case of discovering and using sensitive information, or a
+competitor's service being disrupted; or they could be purely related
+to personal satisfaction. The costs following being discovered as a
+dishonest node include rebuilding a new node's worth of reputation;
+but being noticed and exposed as the adversary may have very serious
+negative consequences for the attacker itself. (Imagine the public
+response if the NSA were found running dishonest nodes.)
 
-All things considered, it might be that the law of economics work against
-the attacker as well.
+All things considered, it might be that the law of economics works
+against the attacker as well.
 
-A ``lazy'' node might be an agent which is in the system to protect her own
-anonymity, but does not forward or accept all of her incoming traffic to
-keep costs lower. By doing so this node decreases the reliability of the
-system. While this strategy might be sounder than the one of the flat-out
-dishonest node, it also exposes again the lazy node to the risk of being
-recognized as a disruptor of the system. In addition, this tactic, by
-altering the flow of the traffic through her own node, might actually reduce
-the anonymity of that agent.
+A ``lazy'' node might be an agent who wants to protect
+her own anonymity, but keeps her costs lower by not forwarding or
+accepting all of her incoming traffic. By doing so this node decreases
+the reliability of the system. While this strategy might be sounder than
+the one of the flat-out dishonest node, it also exposes again the lazy
+node to the risk of being recognized as a disruptor of the system. In
+addition, this tactic, by altering the flow of the traffic through her
+own node, might actually reduce the anonymity of that agent.
 
-Surveys and analysis on actual attacks on actual systems%
-%[[ quote mazieres - kaashoek here?]]
-can help us determine which forms of attacks are more frequent, how
-dangerous they are, and whether economic incentives or technical answers are
-the best way to counter them.
+Surveys and analysis on actual attacks on actual systems (eg
+\cite{nymserver98}) can help us determine which forms of attacks are
+more frequent, how dangerous they are, and whether economic incentives
+or technical answers are the best way to counter them.
 
-\subsection{Bootstraping the system and perceived costs%
-%[[ new subsection - needs lots of rewriting]]
-}
+\subsection{Bootstrapping the system and perceived costs}
 
-In our models so far we have considered the strategic choices of agents
-facing an already existing mix-net. In some cases, we might even imagine
-that the system does not yet exist but that, before the first period of the
-repeated-game, all the players can somehow know each other and coordinate in
-order to start with one of the cooperative equilibria discussed above.
+Our models so far have considered the strategic choices of agents facing
+an already existing mix-net. We might even imagine that the system does
+not yet exist but that, before the first period of the repeated-game,
+all the players can somehow know each other and coordinate to start with
+one of the cooperative equilibria discussed above.
 
 As this might not be an often realistic scenario, we must discuss how a
-mix-net system with distributed trust can come to be. We face a paradox here
-- agents with high privacy sensitivity want lots of traffic in order to feel
-secure using the system. This means that they need many participants with
-lower privacy sensitivities using the system first. The problem lies in the
-fact that the lower sensitive types are also those less likely to be early
-adopters. In addition, their perceived costs of using the system might be so
-higher than the real costs - especially when the system is new and not well
-known - that in the strategic decision process described above they will
-decide against using the mix-net at all. 
+mix-net system with distributed trust can come to be. We face a paradox
+here --- agents with high privacy sensitivity want lots of traffic in
+order to feel secure using the system. They need many participants with
+lower privacy sensitivities using the system first. The problem lies in
+the fact that there's no reason to believe the lower sensitive types are
+more likely to be early adopters. In addition, their perceived costs of
+using the system might be higher than the real costs --- especially when
+the system is new and not well known --- that in the strategic decision
+process described above they will decide against using the mix-net at all.
 
-Note in this case that the choice of agents with lower privacy sensitivity
-between different anonymous systems with different levels of anonymity (and
-monotonically associated costs) can be represented in our model as the
-choice between being a node or only an user of the system. But anedoctal
-evidence as well as surverys and experimental results have shown how even
-those individuals who claim to care about their privacy are unwilling to pay
-even small amounts to defend it - or, viceversa, are ready to trade it for
-small rewards. 
+%Note in this case that the choice of agents with lower privacy sensitivity
+%between different anonymous systems with different levels of anonymity (and
+%monotonically associated costs) can be represented in our model as the
+%choice between being a node or only an user of the system. But anedoctal
+%evidence as well as surverys and experimental results have shown how even
+%those individuals who claim to care about their privacy are unwilling to pay
+%even small amounts to defend it - or, viceversa, are ready to trade it for
+%small rewards. 
 
-The difficulties in bootstrapping the system and the myopic behavior \cite
-{acquisti-varian-02} of certain users might make one the additional
-incentive mechanisms discussed in the previous Section preferrable to a
-market-only solution.
+Difficulties in bootstrapping the system and the myopic behavior \cite
+{acquisti-varian-02} of some users might make the additional incentive
+mechanisms discussed in Section \ref{sec:alternate-incentives} preferrable
+to a market-only solution.
 
 \subsection{Customization and preferential service are risky too}
 
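Review bot: in the bootstrapping paragraph, dropping "so" from "might be so higher than the real costs" leaves the later clause "that in the strategic decision process described above they will decide against using the mix-net at all" with nothing to attach to; restore the construction ("so much higher ... that") or split the sentence. The same paragraph now says there is "no reason to believe the lower sensitive types are more likely to be early adopters", a weaker claim than the removed "less likely", so check that this is the intended argument. The hunk also introduces `\cite{casc-rep}` and `\ref{sec:alternate-incentives}`, neither of which is defined in the lines of this commit, so confirm that the bib key and the label exist. Smaller points: "eg" should be "e.g.", "preferrable" should be "preferable", and the `\cite` that is split from its `{acquisti-varian-02}` argument across a line break should be rejoined.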
