
Re: Remop inbreeding, or, the 'kidnap Len' attack



Just for the record (and I am aware that this is a public list, which is
why I will say this here) --

There are no remailer operators for whose life I would give up my
remailer's keys. If "they" pull the 'kidnap Len' attack on a fellow remop
(even on a good friend such as Lucky), and approach me with the decision:
randseed's keys, or Lucky's life, my answer will be "pound sand --
it sucks to be Lucky."

I hope it doesn't need to be said that if the 'kidnap Len' attack were to
happen literally, I would expect all of you who might be influenced by it
to know me well enough that you would realize I would want the same
treatment. I will be severely pissed off if someone compromised the
remailer system for my benefit.

We are all expendable. There is no reason to let this attack succeed other
than sentimental reasons -- and we must ignore them.

That said, I hope that by making it clear what my policy will be, and what I
expect all of you to have as your policies in the 'kidnap Len' situation,
the attack becomes less attractive. I really don't want to be kidnapped,
and I don't think I would be unless a) the attacker thought the 'kidnap
Len' attack had a high probability of working, or b) wanted me disappeared
anyway, in which case I'm just screwed to begin with.

I agree that publicity is the appropriate response to an attempt at this
attack. One should consider the kidnapee lost already in this case -- so
make it as painful as possible for the kidnapers.

On Tue, 4 Mar 2003, Roger Dingledine wrote:

> We've been pondering this issue for a while, and I just had a conversation
> with Raph about it, so I'll get it written down while it's still fresh.
>
> The fundamental problem is that the goal of the remailer network is to
> get lots of mixes that don't really care about each other. Worst case
> is if all nodes are run by one person, or can otherwise be manipulated
> or blackmailed by a common issue. For shorthand, we've termed this the
> 'Kidnap Len' attack -- what do we do if the bad guy kidnaps Len, and
> demands that either we turn over sufficient info to track a user, or
> Len gets it? The fact that the remailer community has grown closer in
> the past few years means we are weaker to this attack.
>
> (As a side note, there's an interesting prisoner's dilemma here. If we
> believe in the security of our batching strategies, then as long as a few
> people resist, the rest of them can yield the information without any
> harm. That is, if the threat is "we ruin your life", then *most* remailers
> can give in, knowing that the bad guy won't get enough information to
> track his victim. I've cc'ed Alessandro on this because it sounds like
> economics :) Is there anything this reminds you of, Alessandro?)
>
> At first I thought the idea of using a trust metric to decide who gets to
> be a remailer made the kidnap Len attack even worse, because we would be
> effectively enforcing an inbred community. If we do such a trust metric
> it's critical that we emphasize that a cert is based on whether you
> think he's an honest operator, not just whether he's your friend. I'm
> not quite sure what it means to be an honest operator (honest against
> what adversary? honest meaning will resist even when threatened with
> lawsuit? arrest? death?). I fear implementing the web of trust well will
> be difficult, until we sort out what we want certs to mean.
>
> Raph suggests that scaling essentially solves the 'kidnap Len' attack --
> as the net scales, the diameter increases, so a 'low cost' attack against
> one node becomes less powerful.
>
> It does have one good defense going for it though: publicity. Once
> it became public that it was happening, we might see a whole lot more
> support for anonymity suddenly (and for Len ;).
>
> So one might argue that growing the remop community by enlisting our
> friends is not actually significantly strengthening the network. But on
> the theory that worse is better, and on the theory that momentum and
> apparent activity are way more important than theoretical security at
> this point, I think it's a fine way to grow.
>
> --Roger
>

--Len.