1995-01-20 - remailer questions

Header Data

From: “Craig A. Johnston” <caj@tower.stc.housing.washington.edu>
To: cypherpunks@toad.com
Message Hash: 28504e6443ba99abf6ac936949d0ef2752bffb014983838af7cec9be9eaa26dd
Message ID: <199501201209.EAA01188@tower.stc.housing.washington.edu>
Reply To: N/A
UTC Datetime: 1995-01-20 12:09:42 UTC
Raw Date: Fri, 20 Jan 95 04:09:42 PST

Raw message

From: "Craig A. Johnston" <caj@tower.stc.housing.washington.edu>
Date: Fri, 20 Jan 95 04:09:42 PST
To: cypherpunks@toad.com
Subject: remailer questions
Message-ID: <199501201209.EAA01188@tower.stc.housing.washington.edu>
MIME-Version: 1.0
Content-Type: text



Ok, I'm planning on putting up a remailer on my Linux box.   

One of the things I'd really like to know is, how much in the way of
attempts to break into your machines are remailer ops seeing?  

How much in the way of other attacks?

I'd also like to get some idea of the amt of resources consumed by
a relatively popular remailer -- amt of system loading, disk space
devoted to remailing activites, and anything else.  

I know loading will be hard to quantify in a meaningful way, but for
reference my machine is a 486/66 w/32 megs RAM and pretty fast SCSI
disks.  Just a general idea of how significant the load on such
a machine will be would be nice.  My SCSI and Ethernet are both fast,
and on a PCI bus.

My site is at the moment, I think, relatively secure.  I have few users
and am sure at the moment nobody has an easily crackable password.  I
plant to install a fascist password checker soon.  

I currently have ftpd and fingerd commented out of my inetd.conf.
(I plan to put ftpd back, at some point, but really don't like outsiders
being able do a finger @site and find out who is on, how long, how long
idle, find out when users last logged on or read their mail, etc.  I will
probably want to add it back after modifying it or finding a stock one
that does what I want.)  

I have tcp wrappers installed, and have checked on a number of blatant
security holes that I know of.

I am worried that once I begin running a remailer, the number of attacks
on my machine will increase dramatically.  I'd of course like for my
data and my users' data to remain private, and believe that a compromised
remailer is (obviously) worse than no remailer at all.

What would be nice, before I put up a remailer, would be to have any
willing, security-knowledgeable cypherpunk subscribers out there to
probe my machine for any really obvious chinks, for security-aware
Linux users to point out any Linux or Slackware-specific security
holes, etc.  Of course I'd want to have a word with anyone willing
to probe me before they just went at it... ;)

Linux kernel is currently 1.1.81, which is quite stable for me, 
and the Slackware distribution is 1.2.0.  

I'm running sendmail 8.6.9, are there any really terrible vulnerabilities
in it any longer from outside the machine?  From inside?

Of course, I'm on an Ethernet with others, and have users logging in
from other Ethernets, so am vulnerable to sniffers.  I don't
think it's going to be feasible to install skey here, as a number
of my users are extremely non-technical.

I'm also still looking around for what I'm going to run.
I'd like for it to be easy to reply to users, but absolutely 
impossible for me to 'out' anyone under any circumstances.  The 
encrypted-sender stuff some remailers currently use is probably too
ugly for most average joes to want to use, and not as secure as I'd
like.  It's probably the best available at the moment.  This should
definitely change.

What I'd *really* like to do would be to write a client and server
to make an anonymous pool act like normal email ... this is really 
the only way I can think of to make replying easy but also to have
good security.  I'm sort of surprised someone has not done this yet.
It'd be pseudonymous, your client would only look at messages for
you or for everyone (for your convenience -- of course anyone could
look at anything, but it'll all be PGP'ed, so...)  Some really 
neat things that could be done w/this... for folks willing to 
trust the sever to some degree, cross-referencing of pseudonyms
and public keys could be done, allowing joe user to just mail to
a pseudonym -- this would be good in cases where one party wishes to
hide, while the other has nothing to hide and is possibly very
non-technical.  He'd have no guarantee that someone wasn't reading
his mail to the pseudonymous party, on the way in, but the p.n. party
would not have to worry about having his real address cross-referenced,
or about the server having the key to decrypt his real (included) address
in memory or on disk.  

Anon pools are obviously doable right now, with a mailing list, but
the inconvenience of using one like this is a real barrier.

An anonymous pool;  Usenet-like -- distributed over many machines in
many countries, but with pseudonyms instead of "real names" and
public keys as addresses.  This is definitely doable, right now.
NNTP-type servers doing news and mail service.  As the scale got
larger, we'd of course not want to send everyone's mail to all
the servers, but tying a user down only as far as to a given server
would probably not be a problem -- look at all the different folks that
may use one NNTP server.  Perhaps mail for a given user could be sent
to several different servers to keep things muddy.

Mixmaster does not currently run on Linux, is that correct?  
Anyone know what the problem is, or have an idea what amt of work 
would be involved in porting it?  I'd like to look at this.

Really, though, everything out there is pretty unsatisfactory --
only anonymous pools and DC-nets have the characteristics I'm
interested in.  Anyone on the list doing any serious work on 
DC-nets?  I find these extremely exciting, and don't see much
brainstoming on implementation going on.


regards,
Craig.




Thread