1997-08-06 - Re: distributed data store, a la eternity

Header Data

From: Adam Back <aba@dcs.ex.ac.uk>
To: rdl@mit.edu
Message Hash: 85e2a79ff2727de77a5537a495f494d6d5154448478cb4bcdbb5d36d7408db5a
Message ID: <199708061206.NAA01240@server.test.net>
Reply To: <199708060720.DAA17656@the-great-machine.mit.edu>
UTC Datetime: 1997-08-06 12:14:18 UTC
Raw Date: Wed, 6 Aug 1997 20:14:18 +0800

Raw message

From: Adam Back <aba@dcs.ex.ac.uk>
Date: Wed, 6 Aug 1997 20:14:18 +0800
To: rdl@mit.edu
Subject: Re: distributed data store, a la eternity
In-Reply-To: <199708060720.DAA17656@the-great-machine.mit.edu>
Message-ID: <199708061206.NAA01240@server.test.net>
MIME-Version: 1.0
Content-Type: text/plain




Ryan Lackey <rdl@mit.edu> writes:
> I've been looking at the current eternity server, and it's a nice
> thing, but I'm kind of convinced no system like this which does not
> allow for electronic payments for those taking the risks will be
> successful.  Perhaps I'm wrong, but I don't think so.  It takes
> money to run a secure data store.  (my current project depends upon
> secure distribued available data storage, so I've been looking into
> this for a while)

The eternity servers announced recently are experimental.  That is to
say they are designed as a vehicle for improvement.  They are not
completed systems yet.  I am most keen myself to see eternity servers
which are truly resilient; the implementation we have is a first cut.
The whole idea is for it to be improved.

As to the risks issue (being an eternity server operator might lead to
legal hassles, and therefore people need to make money to compensate),
I have three main comments on that:

1. Accepting money for activities might worsen your legal position as
   you are then personally offering services.  This issue has been
   argued about in the past in relation to the idea of having
   for-pay remailers.  I'm not legally qualified to comment on this.

2. With my design the document store is a separate distributed system
   which is now part of the landscape, and is well accepted as a home
   for all kinds of dodgy materials and discussions.  People are used
   to the fact that some alt USENET newsgroups are full of material
   which is illegal in some parts of the world.  If you start from
   scratch with a new document distribution method, your first few
   servers are easy targets, due to small numbers.  People will be
   intolerant of them, and the Feds will probably go for RICO
   conspiracy and lock all 6 up.  Game over before you start.  I agree
   that you can do much better theoretically with this model, but
   you've got to consider existing network social norms, USENET is
   part of the landscape.  You won't simultaneously manage to threaten
   all news admins in the world to close down alt groups, they are in
   too many countries, and admins will rebel, and there will be plenty left. 

   So using USENET allows you to point the finger and say "it's not my
   material, it's just USENET posts".  Much like altavista doesn't
   issue cancel messages for posts in USENET news, it's not their
   problem, they're just providing a view onto a distributed database.
   Or much like providing an open access NNTP server, or access to
   users only as done by thousands of ISPs the world over without
   ill-effect modulo localised attempts to force people to not carry
   some groups.

   Another less openly stated opinion of mine is that the way to do it
   is to start as I have, and add other document sharing channels
   later.  Keep some confusion for the observer as to where the
   material is coming from.  As long as it _might_ have come out of
   USENET news on the fly, you can use that as a cover argument.  If
   the shit hits the fan you can fall back to that.

   Probably long term I think you would want to keep USENET as 
   a fall back system, but definately keep it as the distribution
   channel (it is _the_ most secure way of delivering anonymous
   messages, where you want to protect the recipients identity:
   broadcast it).  Much better than sending mail via anonymous
   remailers.  Mixmaster is good, but not that good in the face of
   repeated posting by one individual of materials which seriously
   annoy a major government.

3. Last argument is the "good enough" argument.  If the above tactic
   of using USENET as a distribution mechanism, and having cacheing,
   and optionally charging for storage, with exchange of articles
   between servers survives censorship in practice, why bother with
   anything more complex.

   For example Ross talks about arranging it so that documents are
   reconstructed from secret shares so that individual servers don't
   know what they've served.  Well that's sexy stuff, and clearly more
   secure if you absolutely must conceal which server served what
   material, if it has definately got the material from a database
   which it owns.

   The basic threat model of my eternity server design is
   disposable nodes.  That is it's like the new low orbit satellite
   systems, the satellites fall in and burn up after a while, but it
   doesn't matter because it's part of the design to keep throwing up
   new ones often enough to ensure continuous cover.  Same for
   eternity servers.  Individuals will cave, but when they do other
   enraged netters will start some more in protest.

   Just look at the Scientologist battles.  It's simply amazing the
   bravery of the Scientologist detractors in face of types of
   harrasement thrown at them.  Despite this the Scientologists are
   losing in that their materials are all over the place.  This
   suggests to me that USENET could work just fine.

   Also there is the possibility of private eternity servers.  That is
   you have an eternity server for your own use only, or only for a
   group of friends, or only for users of your ISP.  That one won't
   come under attack, and provided USENET doesn't get censored you'll
   be ok.

   Perhaps pointing the finger at USENET will be an effective
   strategy.  Perhaps we'll find out one way or another in the next
   few months :-)  Empirical cryptography.


Now some ideas on moving towards a real Anderson Eternity Service (in
small stages, the first steps are far removed), I have several ideas
for where to go next:

a) Cache replacement policy based on number of accesses

   There is currently a cache of eternity documents.  Documents and
   servers are configurable to either cache: on, off, or encrypted.
   One solution to the question of what happens when you fill up that
   100Mb cache is to discard least accessed pages.  Popular stuff stays,
   and you have fixed storage requirements.  The mantra "Disk is cheap".
   It wouldn't kill someone these days to dedicate a 6Gb disk for an
   eternity cache.

b) Have the above cache policy augmented with pay for disk space with
   ecash storage fee included with post.  Realistically for either you
   need a way for eternity servers to ask each other for articles.
   Well they can do that easily enough via http, but you still need
   to know which servers are available.

c) Use news archival services as another database to query.  eg
   altavista, dejanews.  I am starting to think that this is not such
   a hot idea now, because it's too centralised, and the operators are
   already hostile to bloat of their archive space, and do things like
   truncate UUencoded documents, and PGP ascii armored documents already.
   I mean ok, I'm sure we could run a war of new crude stego improvements
   being countered by more advanced eternity article detectors, up until
   we get to a natural langauge looking stego encoder.  Texto is a simple
   example of one of these.

> Would anyone else be interested in working on a real reliable
> distributed data store, more like what Anderson described than the
> current Eternity server?  Specifically, something with payment
> systems built in, 

Payment is definately going to go in.  It will be necessary to control
volume somehow if it gets popular, and it allows providors to cover
their expenses.  Charging for document download might be an idea also
to cover bandwidth.

> a multiplicity of ways to pass messages from server to server, 

That has to come also, because of USENET expiring, and because of the
non-distributed nature of systems of using the news archival services
(dejanews etc).

Initial ideas are:

- have list of eternity servers, and query them randomly until you
find one which has the document.  Pro: simple solution, fast lookup,
Con: has easily accessible comprehensive list of who's running
eternity servers.

- build something in terms of remailers to allow eternity servers to
query each other anonymously.  Con: _slow_ lookup.

- build specialised DC-net or pipe net setup with eternity servers on
it.  Pro: fast lookup, harder to track who's serving what, Con: no
implementations yet, con #2 provides a fat target for distrupting,
take out the DC net/pipenet and the document exchange connectivity
fails.

- secret sharing documents over eternity servers

> and a multi-level design in which a maximum amount of anonymity is
> preserved?

One approach would be to treat anonymity as a separable issue from the
issue of hiding which server served which document (and issues of
secret sharing etc).

That is couldn't the viewer use crowds, or less securely
www.anonymizer.com.

However I think there is an opportunity to have the document
constructed by the eternity server nodes in such a way that only the
requester can reconstruct the document.  Eg each server encrypt the
share it is serving with the requesters public key.  Then only the
requester can recover the shares and hence the document.  You should
make sure it's forward secrect too.

> I'm not saying I don't like the current eternity server, just that
> I'd like to work on one with payment systems built in, 

I'm all for payment methods.  Perhaps hascash
(http://www.dcs.ex.ac.uk/~aba/hashcash/) would be a good experimental
currency to get it working with first, and then switch to real
anonymous ecash a bit later.

> and more closely following the original idea for an eternity server
> (which I thought was a great one).

I'm all for making things as resilient and crypgraphically strong as
you can.  However I think part of the reason for different opinions is
that you are addressing three issues at once:

  - non censorable document store
  - preventing people correlating material with the server which served it
  - making the users accesses anonymous

The design of my eternity server as it is at the moment trying to
address just:

  - non censorable document store

by relying on the low orbit satellite model for public access servers,
and the borrowing from the dififculty of censoring USENET news.

Mild attempts can be made to protect correlation of users with
material accessed:

  - enable ssl on the server

(Cheap solution I know, as it relies on the trustworthiness of the
operators of the server, and that the system hasn't been compromised
by hackers, and that you have possibility of MITM attack if the
servers certificate isn't authenticated, or even if it is with a more
determined long term MITM attack).

No attempt is made to prevent:

  - people correlating material with the server which served it

because that is outside the design criteria.  Who cares what they
correlate for the server.  The server is just forwarding you USENET
news articles, just like an open access NNTP server, with a bit of
reformatting.

If someone takes enough exception to that there will be plenty of
other eternity servers to take up the slack.

Please feel free to take and hack the eternity-0.08 source code, and
contribute, or hack it for your whatever purposes.

I'd be interested in any comments on this somewhat long post from
yourself, and other readers.

Adam
-- 
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`






Thread