[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

strengths & limits of USENET as anonymous broadcast (Re: [freehaven-dev] eternity USENET comparison)

To: freehaven-dev@seul.org
Subject: strengths & limits of USENET as anonymous broadcast (Re: [freehaven-dev] eternity USENET comparison)
From: Adam Back <adamb@zeroknowledge.com>
Date: Sat, 17 Jun 2000 17:02:32 -0400
Delivery-Date: Sat, 17 Jun 2000 17:02:39 -0400
References: <394BC533.B292C78E@zks.net> <vtdhfasjegs.fsf@tir-na-nogth.mit.edu>
Reply-To: freehaven-dev@seul.org
Sender: owner-freehaven-dev@seul.org

Brian T Sniffen wrote:
> Perhaps I'm misunderstanding this, but isn't "local proxy" essentially
> the same as "reading all of alt.anonymous.messages"?  In that case I'd
> say reader anonymity is blown in the same way: if I compromise a bunch
> of USENET servers, I find out who all of the readers one step
> downstream are, and what they're reading.

There is an active attack, for sure, but my supposition is that 
compromising some significant fraction of USENET servers is 
pretty expensive, especially as compared to for example compromising
all 20 odd nodes in the mixmaster network, or (physically if 
necessary) the 50 odd nodes in the ZKS freedom network.

> > - Eternity USENET doesn't provide server anonymity, but
> > it doesn't need to because all USENET servers are coopted
> > into being servers, and there are many of them.  It doesn't
> > provide server anonymity for public proxies, but service
> > remains available to local proxies if public proxies are
> > taken down.
> 
> It does need to.  "Taking down all of USENET" 

Heh.  Be my guest.  Scientologists tried to take down a single
alt newsgroup and failed.  Expensive attack.  I doubt even a
determined first world government could achieve this directly.

Spam it to death with binaries everywhere might do something,
though there would probably be technical countermeasures,
cancel bots already exist, size limits imposed on groups, etc.

> "dumping huge quantities of useless spam into alt.anonymous.messages" 
> are both viable attacks given the lack of server anonymity.  

Dumping enough spam to get alt.anon.messages filtered out would
be a good attack, and would reduce availability.

> Given some document that I know was just published, it's very easy for 
> me to query a USENET server as to whether it posesses that document, 
> then compromise that server and remove the document.

Scale still makes this expensive.  Cancel messages are widely ignored,
you have to catch it before it propogates, and you have no idea
where it will be injected and there are probably 10s of thousands
of injection points.

> I also think that you wouldn't get "all USENET servers" -- in a world
> where this sort of service is being used as much as it needs to be,
> the quantity of encrypted binary traffic would be staggering.  Server
> operators are going to drop the group like a ton of bricks.

Well "scalability problems" was the first item in my known
limitations section.

> > - Also Eternity USENET provides document anonymity, the
> > USENET article can be encrypted with a key derived from the
> > URL.
> 
> Sure, but a USENET server still has the URL as an identifying mark,
> right?  

NNTP servers don't get the URL, the local proxies do.  All the 
NNTP server sees is the hash of the URL, and users sucking
down articles and entire newsgroups.

> Even if I can't read the document, if two people fetch it from
> a server A, A can tell that they both fetched the same document.

True enough, but that is altogether a new property.  That would
be closer to query anonymity.

But I guess with config (c) (local newspool or local newsserver),
Eternity USENET provides query anonymity also.  (If one considers
this server or spool as part of the client security domain).
From the USENET servers perspective, everyone (all config (c)
users) reads everything.

The secure way to use Eternity USENET is to use USENET solely as
an anonymous broadcast system, and use it to maintain a local
view of all content posted.  There needs to be a continuous
stream of reposted content so that new users see older content.

I fully admit it can't scale beyond say 10 meg per day, with
say documents updated once every three months average, which 
translates to about 1 Gig limit.  (Adjust to suit your views
of limit alt.anonymous.messages can withstand before it's 
distribution suffers, and views of how frequently documents
would be updated.

But for that small document space it provides potentially 
high levels of reader and even use anonymity.

I think I recall someone saying you can subscribe to USENET 
broadcast via satellite which highlights the broadcast nature
of USENET, and the way I am using it.

Eternity USENET is very similar to teletext -- periodic 
rebroadcast, low bandwidth, relatively small amount of 
relatively slowly changing information.

Adam

References:
- [freehaven-dev] eternity USENET comparison
  - From: Adam Back <adamb@zeroknowledge.com>
- Re: [freehaven-dev] eternity USENET comparison
  - From: Brian T Sniffen <brians@MIT.EDU>

Prev by Date: reader anonymity (Re: [freehaven-dev] eternity USENET comparison)
Next by Date: [freehaven-dev] "anonymous availability service"
Prev by thread: Re: reader anonymity (Re: [freehaven-dev] eternity USENET comparison)
Next by thread: [freehaven-dev] "anonymous availability service"
Index(es):
- Date
- Thread