From: Black Unicorn <unicorn@schloss.li>
Date: Wed, 3 Jul 1996 13:32:33 +0800
To: "Igor Chudov @ home" <ichudov@algebra.com>
Subject: Re: anonymous mailing lists
In-Reply-To: <199606290404.XAA32220@manifold.algebra.com>
Message-ID: <Pine.SUN.3.94.960702211855.2420A-100000@polaris>
MIME-Version: 1.0
Content-Type: text/plain




On Fri, 28 Jun 1996, Igor Chudov @ home wrote:

> How about this attack: suppose I want to find out who hides behind
> an alias MightyPig@alpha.c2.org and I have the ability to monitor
> all internet traffic. Then I simply start mailbombing that address
> and see whose account gets unusually high traffic volume.
> 
> A nice, albeit quite expensive, way of pretection from traffic analysis
> is to create a mailing list (or a newsgroup) and forward all messages to
> all users of that mailing list or newsgroup. Of course, since messages
> are encrypted, only the recipients will be able to decrypt them.
> 
> This way the list of suspects is all subscribers of that list or
> newsgroup and there is no way to discriminate them.
> 
> Instead of having messages to be sent to all recipients all the time,
> alpha.c2.org may be programmed so that it sends out every message not to
> only one recipient X, but to X and 20 other randomly selected people.
> 
> It apparently makes traffic analysis much harder.
> 
> Then users of alpha.c2.org will have to install mail filters that
> automatically delete all incoming mail not intended to be read by them
> (they can't read such messages anyway).
> 
> 	- Igor.
> 

I think that traffic analysis can be best defeated by powerful filtering
rather than any kind of multiple sending.

Eventually, (as the number of messages to a particular party increases
beyond the number of distractor messages sent with each mailing) it will
be possible to note the statistical difference in the number of messages
send to the random 20 people and the actual recipiant.  A mail bombing
will still reveal the true identity of the addressee as the 20 distractor
address will be randomly selected each time, and the addressee will not.

Instead, one might suggest, the same 20 people should be sent to as
distractors.  Unfortunately this leaves the actual addressee open to
disclosure when he/she responds to alpha forwarded messages (you were
assuming all internet traffic would be monitored, thus the response timing
would be a major clue).

I think the real answer to this is going to be open access pools.  All
encrypted messages will be left in a collective pop account, accessable by
anyone at all.  An agent could easily be written to poll the pop account,
download the entire queue of messages and locally decode and make
available only the ones addressed to the addressee.

I suspect the best policy would be to purge the pop account once a month
of messages older than 2 months.

Traffic analysis will reveal who polls the pop account, but not much else.

I suppose this could even work today if someone wrote a clever agent to
poll alt.anonymous.messages.