From: daw@cs.berkeley.edu (David Wagner)
Date: Wed, 3 Jul 1996 22:52:40 +0800
To: cypherpunks@toad.com
Subject: Re: Message pools _are_ in use today!
In-Reply-To: <adfe19830002100425c1@[205.199.118.202]>
Message-ID: <4rdm7p$2lm@joseph.cs.berkeley.edu>
MIME-Version: 1.0
Content-Type: text/plain


In article <adfe19830002100425c1@[205.199.118.202]>,
Timothy C. May <tcmay@got.net> wrote:
> I must be missing something....:

Nope!  That would be..er..my fault. :-)

> I'm not following your "upload an article to the NNTP server." Don't most
> people use mail-to-News gateways to post anonymously? (If not, they should,
> of course.)
> 
> This way, the posting of an article has the anonymity provided by the chain
> of remailers used to reach the terminal site, the mail-to-News gateway.

You are quite right.  I was mixing my criticisms.  My mistake.

A message pool provides only recipient anonymity, of course.  For sender
anonymity (e.g. posting to a message pool), chaining is the right way to go.


> The posting is anonymous (within the usual limits we discuss here), and the
> reading is "pretty hard" to focus on, for several reasons:
> 
> 1. Hard to gain access to local ISP without sending alerts out (it would be
> for my ISP, at least). This is admittedly not cryptographically
> interesting, but is a very real practical difficulty.
> 
> 2. Many who browse alt.anonymous.messages probably "glance" at many of the
> oddly-named message pool messages. I know I do. Again, makes it a "needle
> in a haystack" to know which of several hundred folks who glanced at
> "ToBear" or "TheRealMessage"--assuming the NSA could ever identify these
> hundreds--is the real intended target.
> 
> 3. And I recall that many have newsreaders which download _all_ messages in
> a newsgroup automatically. Again, this makes the pool of potential readers
> quite large and meaningless to try to track.
> 
> The use of public posting areas for message pools (what I called "Democracy
> Walls" several years back) seems to me have several compelling advantages
> over "reply-block" approaches.

Good points, all of them.

I agree that public message pools seem to give far better security than
reply-block approaches.  (Although the two can be combined: set up a nym
reply-block which just redirects traffic to alt.anonymous.messages; then
the reply-block is not security-critical, but does allow folks to contact
you by a simple email address.)



Jim Bell brought up the really nifty point that someday soon we may be
able to receive these message pools by satellite dish-- hurray for true
broadcasting!  That would provide most excellent security (unless `they'
started requiring licenses, waiting periods, ... to own a dish-- unlikely).
I can't wait.



Another suggestion was to read alt.anonymous.messages by pointing the
anonymizer at it.  This doesn't stand up to my threat model at all.
The anonymizer only provides you anonymity against a malicious server
who is trying to collect marketing information-- it doesn't protect
you against SIGINT folks eavesdropping on network links, performing
traffic analysis, etc. to trace back your access.

Now if we had pipe-net deployed :-), the idea might work...