[liberationtech] Jacob Appelbaum's Ultrasurf Report
Jacob Appelbaum
jacob at appelbaum.net
Wed Apr 25 22:44:14 PDT 2012

On 04/25/2012 11:15 PM, StealthMonger wrote:
> Jacob Appelbaum <jacob at appelbaum.net> writes:
>
>> On 04/24/2012 12:19 PM, Meredith L. Patterson wrote:
>
>>> http://freehaven.net/doc/batching-taxonomy/taxonomy.pdf
>
>> http://freehaven.net/anonbib/
>
> Excellent, a propos references. Thank you both. I shall be reading.

Sure, it's a great set of papers to read.

>
> Earlier, Jacob Appelbaum <jacob at appelbaum.net> wrote:
>
>> Oh - sure - if you want to rope in mixmaster/mixminion networks, I
>> believe that those are also suitable for certain activities. I do
>> not however view those as competitors, one of the creators of Tor
>> is the main mixminion person and I think he basically hacked a ton
>> on mixmaster.
>
> That doesn't alter the fact that Tor's anonymity is broken.

That's a pretty bogus statement. Tor's anonymity isn't "broken" - the
threat model for *any* low latency anonymity system has limits. The
limits are well defined and that is why geographic node diversity is
very important.

>
> If the channel has low latency, no hacking can conceal the packet
> timing and volume correlation at the endpoints. It is high random
> latency and thorough mixing that gain mixmaster its anonymity.
> Dingledine and company would agree.
>

I've cc'ed him, I encourage him to reply in all of his spare time. :)

I don't think I agree with you about low latency - I think GNUnet tries
to solve this by creating a large pipenet, which in theory, has some
very strong and also very low latency anonymity properties. I also think
that Tor solves this problem as much as any system by ensuring that the
nodes are spread over the entire planet.

Practically, I also think that mixmaster is an example of "great on
paper" and soon we'll see how it works out in the real world. Now that
the FBI is taking nodes left (in New York last week) and right (in
Austria this week) - we'll note that some of these anonymity properties
are coming up for a serious test. For example, if you don't compose Tor
and Mixmaster together, what happens when you're the only person to ever
connect to Mixmaster? I think the answer is that you're a suspect,
cryptographic evidence be damned.

This is a discussion I had with Len Sassaman more than a few times - in
theory - mixmaster is pretty amazing but in practice, what if the cops
only have a single suspect because using the system is itself a sign of
guilt in their eyes? I'd wager that the traffic analysts or police or
whoever will come after you and worry about the math later.

That's the rub with these kinds of systems when they are used in
isolation. Though another rub is that the mixmaster keys of two
remailers may be compromised now - in addition to network traffic
flowing to those nodes if the NSA has anything to say about it. If the
user only used those two nodes or those two and a few compromised nodes,
what then?

Perfection is, well, a hard claim to live up to, right?

I use this face for how I generally feel about solutions on this topic:

:-|

>> In any case, is it possible to use anonget with a lot of modern
>> websites in any practical manner where users won't just walk away?
>
> It depends on details of the website. I have successfully dealt with
> some sites that were obviously designed for interactive use only, by
> capturing a browser's GET or POST request, reshaping it into a proper
> URL, and requesting that URL by mail.
>

I agree that it depends - I do think though that practically, it means
that perhaps you and a half dozen other people are actually using such a
system.

>> I like the idea to be certain but only for a limited set of tasks.
>
> True, sadly. For the others, strong anonymity may be difficult.
>
> A constructive attitude to take is to encourage such sites to offer
> email access as well as web, as for example a subscription to this
> mailing list can be initiated and controlled entirely by email, thanks
> to mailman.
>

Generally, I agree. I think a broadcast system like usenet has some
advantages for systems like this and the web is very difficult to adapt
to these needs.

All the best,
Jacob