From: Jim Choate <ravage@EINSTEIN.ssz.com>
Date: Wed, 9 Dec 1998 22:44:49 +0800
To: cypherpunks@EINSTEIN.ssz.com (Cypherpunks Distributed Remailer)
Subject: Re: Building crypto archives worldwide to foil US-built Berlin (fwd)
Message-ID: <199812091354.HAA18154@einstein.ssz.com>
MIME-Version: 1.0
Content-Type: text



Forwarded message:

> Date: Wed, 9 Dec 1998 07:33:32 -0500
> From: Robert Hettinga <rah@shipwright.com>
> Subject: Re: Building crypto archives worldwide to foil US-built Berlin
>  Walls

> ====
> 
> Q: Is it better for the providers of crypto resources to alarm/log
>    accesses to their websites or not?
> 
> I'd strongly argue not;
>   Team Despot will disguise itself and we are surveilled as we speak;
>   Team Legion loses if it creates targets for harvesting.
> 
> ====

>From a security standpoint it is advised to log access and all resource use
for about 4-5 days so you can get a sample big enough to look for
under_the_radar_hacking. On the flip side you don't want to keep them longer
than that because they could be used in an incriminating manner, whether an
actual criminal act occured or not. I use the default buffer time (4 days)
for my mail package as my ttl value. Once that time is past the files are
bye bye.

If the security of the site is compromised then it's pretty worthless as an
archive.

> Q: Is coordinated integrity control (code signing) a Good Thing?
> 
> I'd weakly argue not;

> Alternative argument;

> ====

The code shouldn't be signed by any of the archive sites, they shouldn't put
their butts on the line. The code should be signed by the originators of
same. This verifies that ALL the archive sites have the same package and not
individualy modified ones.

The archive sites should provide some sort of hash to verify successful
transfers.

> Q: Should requestors routinely avoid surveilled identification?

> ====

There isn't any way around this one. If the site is up and it's advertised
and publicly accessible then expect to be identified. Either the owner of
the domain/network resources you're using or your registration to the
relevant domain name authorities will provide ample pointers. Of course
there is the strategy of registering the domain for a year only and then
each year register a new one. Then you could provide bogus address and owner
information. This of course won't slow a packet sniffer down for long. Onion
and CROWDS won't help here unless you're connected directly to the
anonymizer. If you're that close they'll find you by following the wires.

> it.  If one of us goes off the air, step into
> their place.

You so glibly throw people away...it's better to fix a system such that
there is a legal ramification (ie resistance) for the LEA's applying the
pressure; a fight in court. Beside shutting the sites down another primary
goal of LEA's is to keep the conflict off the evening news. There is ample
evidence of LEA's dropping charges because the group made it known they were
going to use their day in court as a platform for espousing their agenda.



    ____________________________________________________________________

           If I can put in one word what has always infuriated me
           in any person, any group, any movement, or any nation,
           it is: bullying
                                                Howard Zinn

       The Armadillo Group       ,::////;::-.          James Choate
       Austin, Tx               /:'///// ``::>/|/      ravage@ssz.com
       www.ssz.com            .',  ||||    `/( e\      512-451-7087
                           -====~~mm-'`-```-mm --'-
    --------------------------------------------------------------------