From: "Roger J. Jones" <cyber@ibpinc.com>
Date: Thu, 15 May 1997 23:47:55 +0800
To: "'cypherpunks@cyberpass.net>
Subject: FW: Anonymous Remailers
Message-ID: <01BC611B.8CD67F10@pc1901.ibpinc.com>
MIME-Version: 1.0
Content-Type: text/plain




At 5:17 AM -0800 5/14/97, Roger J. Jones wrote:
>Why is it that some who are very concerned about their personal privacy
>utilize anonymous remailers that:
>
>1) Log all of their mail messages?

Tim May Responded

With chained, multiply-encrypted messages, logs are ineffective unless all of the links in the chain collude to trace messages. While this is certainly possible, it seems unlikely.
Roger J Jones Responded
Several of you have suggested as Tim has that the chain of remailers is secure.  I suggest that the statement is only true to the extent that one wants to trace back a particular message.  On the other hand, if one wants to find the source of postings to anonymous remailers and has skilled access to the Internet the task is quite simple and does not even require attacking the remailers.  Of course, one could break the chain by having the remailers call each other outside of the Internet, but then of course the phone records would disclose the connection.  Then again, one could hard wire a private connection between two remailers outside of both the Internet and the phone system but even this connection would be disclosed through reasonable traffic analysis.  Of course, the simple fact that even encrypted streams need to include the ultimate destination of the message makes content analysis easier and weakens the encryption.  Then again, all of this is a lot of work.  Social Engineering and pure bribery would more likely be the most efficient and effective solution.

Roger J Jones wrote:

>2) Are in many cases reputed to be run by foreign intelligence services?

Tim May Responded

This allegation was made by some clueless Washington think tank authors.  They provided no evidence, only innuendo, and they were unwilling or unable to provide any further comments when queried by several Cypherpunks.
And given that many or even most of the remailer operators are members of the various related Cypherpunks or Remailers Operators lists, and are known to various of us, the notion that most (or even many) remailers are run by intelligence agencies is absurd.

At 9:48 AM -0800 5/14/97, Roger J. Jones wrote:
I suggest that just because you chose to characterize the sources as "clueless Washington think tank authors" does not (as they say in Star Trek - The Next Generation) "make it so".  The "allegation" that foreign governments actively participate in actions to violate personal privacy ("borrowing" laptops from traveling businesspeople, taping phones, etc.) are all documented in various places.  Of course, they could all the result of a single psyop with excellent results.  But I doubt it.

Tim May Responded
Your first point, using some kind of Star Trek lingo, is beyond comment. I provided a lot more context than your original point provided, and yet you seem to want even more documentation. Go back and read the archives for a discussion of this paper (hint: search on "remailers" ANDed with "SAIC." Pay particular attention to the critique of this paper by such folks as Raph Levien, and others.

Anonymous Responded
Yes, you are missing a lot.  The bit about foreign inteligence agencies is almost certainly a canard created by one Strassman at a conference in Boston 2 years ago, then retracted.  Anyway, if you use chaining, it's irrelevant.
See 
<A HREF="http://www.law.miami.edu/~froomkin/articles/ocean.htm">
http://www.law.miami.edu/~froomkin/articles/ocean.htm
</A> and
<A HREF="http://www.law.miami.edu/~froomkin/articles/arbitr.htm">
http://www.law.miami.edu/~froomkin/articles/arbitr.htm
</A>
for the gory details.

Roger J Jones Responded

Given that several of you have suggested that the "foreign agent" theory is a hoax I suggest that this does not give me much faith either.  What we have is the classic case that it difficult if not impossible to prove the non-existence of anything.  For example, presume that one could identify every real owner of every remailer in the Internet universe.  Have we proved anything?  Not really.  Because in the time it has taken to prove the case, a new remailer could have been created.  Or the remailer that one thinks is secure could be down with a different remailer operating as an IT spoof.  Or, after checking with the owner of the "safe" remailer the owner becomes subject to the normal desires of life (fear, greed, power, etc.) and "turns."  The existence of both type one and type two errors prevents even an exhaustive search from being fully satisfied.

Roger J Jones wrote

>Do they really trust the owner of the remailer? (Unless of course, it is
>their remailer?)  I seem to be missing something.

Roger J Jones wrote further......

So, chaining does not seem to be a secure solution.  It just makes the process more difficult, but not impossible.

The non-existance of "agents" who would operate a remailer for purposes other than protecting security can not be proven.

I still seem to be missing something.........