1998-01-11 - Re: Eternity Services

Header Data

From: Adam Back <aba@dcs.ex.ac.uk>
To: tcmay@got.net
Message Hash: a32946e01e79ee1352d55db997e58d2fbd8ef12a3662288b131fae8ad0df1d85
Message ID: <199801112306.XAA00525@server.eternity.org>
Reply To: <v03102800b0deac61cffd@[207.167.93.63]>
UTC Datetime: 1998-01-11 23:17:27 UTC
Raw Date: Mon, 12 Jan 1998 07:17:27 +0800

Raw message

From: Adam Back <aba@dcs.ex.ac.uk>
Date: Mon, 12 Jan 1998 07:17:27 +0800
To: tcmay@got.net
Subject: Re: Eternity Services
In-Reply-To: <v03102800b0deac61cffd@[207.167.93.63]>
Message-ID: <199801112306.XAA00525@server.eternity.org>
MIME-Version: 1.0
Content-Type: text/plain




Tim May <tcmay@got.net> writes:

[ Ryan Lackey on proposed hardware setup for his Eternity DDS ]

> Will these be located in the U.S.? Will their locations be
> publicized? Will any offshore (non-U.S.) locations be publicized?
> 
> Any file system which can be identified as to *location in some legal
> jurisdiction*, especially in the U.S. but also probably in any
> OECD/Interpol-compliant non-U.S. locations, will be subject to COMPLETE
> SEIZURE under many circumstances:
> 
> * if any "child porn" is found by zealous prosecutors to be on the system(s)

I think child porn is pretty much the canonical example -- the spooks
/ feds have a history of posting their own child porn if none is
available to seize.  (eg The Amateur Action BBS case which Tim cites
classic case -- the Thomases had not had any dealings with child porn,
but a US postal inspector mailed some to them, and busted them for it
before they had even opened the package.  They are still in jail
now.)

An article which got forwarded to cypherpunks a while back was a URL
for some people who had created a for-pay web service which consisted
solely of hypertext links to child porn articles in usenet.  I never
did investigate (the worry is always that it is a sting in itself, and
I was interested in the techniques not the material), but it is
interesting that these people considered this action safe enough for
the monetary rewards to compensate.  

(Anyone save this post / URL, or know if these people are still in
business, or what technique they used to be able to generally link to
USENET articles... is it possible to link to
news:alt.anonymous.messages/message-id in a way which is independent
of news spool?)


I agree with Tim that actually building distributed file systems where
data can be traced back to the server serving it will cause problems
for the operators.  I think even if there are many operators, and even
if the data is secret split, the operators would likely be held
liable.

Ross's paper describes some techniques for building a distributed
database which makes it difficult for a server to discover what it is
serving.  (Necessary because an attacker will become a server operator
if this helps him).


The threat of seizure is the reason that I focussed on using USENET as
a distributed distribution mechanism.  All sorts of yucky stuff gets
posted to USENET every day, and USENET seems to weather it just fine.

The idea of using new protocols, and new services as Ross's paper
describes is difficult to achieve a) because the protocols are more
complex and need to be realised, and b) because you then face
deployment problems with an unpopular service and supporting protocols
whose only function is to facilitate publishing of unpopular
materials.


So I focussed on USENET, but the weakness of using USENET for building
a distributed database where data is intended to persist for
protracted periods of time is that USENET articles expire, existing in
news spools often for only 3 days or so.  The problem is really that
USENET is essentially a distributed _distribution_ mechanism, and not
a distributed database.

Archiving USENET as a separable enterprise which charges for access
(altavista for example charges via advertisements) seems less
problematic than directly trying to build a database of controversial
materials.  Archiving it all partly reduces your liability I think,
because you are not being selective, you just happen to have a
business which archives USENET.  However there are two problems with
this: a) volume -- USENET daily volume is huge; b) the censors will
ask you to remove articles they object to from the archive.

The solution I am using is to keep reposting articles via remailers.
Have agents which you pay to repost.  This presents the illusion of
persistence, because the eternity server will fetch the most recent
version currently available in the news spool.  This avoids
centralised servers which would become subject to attack, all that is
left is a local proxy version of an eternity server which reads news
from an ordinary news spool.

My current implementation is a CGI binary which is currently running
as a remote eternity server.  You can run it as a local eternity
server if you have a local UNIX box, running say linux.

Better would be a more general local proxy for other platforms.  I am
working on this local proxy version at present.  This is the state of
play for me.


The reposter will be either the publisher of the article, or a
reposting agent.  In either case remailers can be used.

Remailer resistance to attack has improved a lot since some of the
remailers started using disposable hotmail etc accounts as exit nodes
-- the remailer is no longer traceable without much higher resources
being spent by the attacker.  Using a chain of mixmaster remailers,
and a remailer using hotmail for delivery provides good anonymity.

> I would have thought that a much more robust (against the attacks above)
> system would involve:
> 
> - nodes scattered amongst many countries, a la remailers

Better to have no nodes at all, as with USENET only solution.  The
reposting agent (which may be the publisher, or interested reader if
they are fulfilling the role of reposting agent) is a node of sorts,
however this node can be replicated, can move frequently, and only
ever need communicate via remailers.

> - no known publicized nexus (less bait for lawyers,  prosecutors, etc.)

This one is crucial.

> - changeable nodes, again, a la remailers
>
> - smaller and cheaper nodes, rather than expensive workstation-class nodes
> 
> - CD-ROMS made of Eternity files and then sold or distributed widely

This is an interesting suggestion, but surely would open the
distributor up for liability, especially if copyright software were
amongst the documents.  Were you thinking of 

> - purely cyberspatial locations, with no known nexus
>
> (I point to my own "BlackNet" experiment as one approach.)

This is the best option.  Make it entirely distributed, so there is no
nexus, period.  Cyberspatial -> meatspace mappings are often easier to
trace than we would wish, especially where there is continued usage
(for example there are various active attacks which can make progress
even against mixmaster remailers).  This is the weak point of my
reposting agent, be that human, or automated.

However anonymous interchangeable reposting agents is an interesting
concept.  One way to view the reposting function would be to view it
as a new function for remailers; that they would post a message a
specified number of times at specified intervals.

However it is probably better to separate the function into a separate
agent because remailers are known, and few in number.  A reposting
agent need never advertise an address.  Instructions to the agent
would be via USENET (it would read news for instructions and eternity
documents bundled with ecash payment for its services, and repost
these according to those instructions).  The reposting agents would be
motivated by profit, have reasonable chances at obscuring their
identity through the use of remailers, and so would be willing to take
the risks.  A smart operator could further reduce risks by using
resources intermittently and unpredictably, and by using multiple,
automated entry nodes into the remailer net.

Potentially agents could be left operating in cracked accounts,
siphoning payments off to their owners, at fairly low risk to the
owner.

Agents could be rated for reliability in delivering services paid for,
or payment could be enabled for each repost by an arbitration agent
upon seeing the post.

> It is also likely in the extreme that a working Eternity service will
> quickly be hit with attackers of various sorts who want to test the limits
> of the service, or who want such services shut down. 

I agree with this prediction.  Remailers have seen this pattern, with
`baiting' of operators, and apparently people posting controversial
materials and reporting the materials to the SPA or others themselves,
etc.

As you might guess part of the above are unimplemented.  The local
proxy is my current task.  Reposting agents are unimplemented, as is
integration of payment.


Another comment is that reader anonymity is a separable aim which
should be cleanly separated from the design.  Services like
anonymizer, crowds, pipenets, SSL encrypted news server access
(supported by netscape 4), and local news feed can ensure anonymous
access to eternity document space at varying cost trade-offs.

Adam
-- 
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
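
The reposting scheme described in the message above, as an added example that is not part of the original post or of the eternity server it mentions: a small model of a news spool with a fixed expiry, a reposting agent that posts a set number of times at a set interval, and a local-proxy lookup that returns the newest unexpired copy. The `doc_key` field, the integer day clock and the `example.invalid` Message-IDs are assumptions made for the illustration.

```python
from dataclasses import dataclass

RETENTION_DAYS = 3  # spool lifetime quoted in the post ("3 days or so")


@dataclass(frozen=True)
class Article:
    message_id: str  # constructed sample value
    doc_key: str     # assumption: every repost carries a stable document key
    posted_day: int  # day the article reached the spool
    body: str


def live_spool(articles, today, retention=RETENTION_DAYS):
    """Articles the news server still holds on `today`; expired ones are gone."""
    return [a for a in articles
            if a.posted_day <= today < a.posted_day + retention]


def fetch(articles, doc_key, today, retention=RETENTION_DAYS):
    """Local-proxy lookup: newest unexpired copy of the document, else None."""
    copies = [a for a in live_spool(articles, today, retention)
              if a.doc_key == doc_key]
    return max(copies, key=lambda a: a.posted_day, default=None)


def repost_schedule(doc_key, body, first_day, interval, count):
    """Articles from an agent posting `count` times, `interval` days apart."""
    return [Article(f"<{doc_key}.{i}@example.invalid>", doc_key,
                    first_day + i * interval, body)
            for i in range(count)]


def outage_days(articles, doc_key, start, end, retention=RETENTION_DAYS):
    """Days in [start, end) on which the proxy finds no copy at all."""
    return [d for d in range(start, end)
            if fetch(articles, doc_key, d, retention) is None]


if __name__ == "__main__":
    # Constructed schedules: one reposts faster than the spool expires, one slower.
    fast = repost_schedule("doc-a", "v1", first_day=0, interval=2, count=5)
    slow = repost_schedule("doc-b", "v1", first_day=0, interval=5, count=2)
    print("fast outages:", outage_days(fast, "doc-a", 0, 10))
    print("slow outages:", outage_days(slow, "doc-b", 0, 10))
    print("day 4 copy:", fetch(fast, "doc-a", 4).message_id)
```

The document stays reachable only while the repost interval is no longer than the spool retention; once paid reposts stop or slow down, the proxy has nothing to fetch.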





