16 December 1999


Date: Tue, 14 Dec 1999 09:35:01 -0800
To: cypherpunks@cyberpass.net
From: Tim May <tcmay@got.net>
Subject: Re: Non-hierarchical Networks in Nature

At 9:49 PM -0800 1999-12-13, R. A. Hettinga wrote:

>The article became a chapter in "Out of Control", by the way, and is, of
>course, foundation of a then-contemporary cover story on cypherpunks,
>hockey masks and all, in Wired 0.3 or so. A magazine which, of course,
>Kelly helped found as an editor. I subscribed to cypherpunks myself in
>late spring 1994, a year and a half or two after Tim and Eric started the
>cypherpunks meetings in the Bay Area, with Eric and John starting the
>mailing list shortly thereafter.

A minor correction: The mailing list was set up by Hugh Daniel, running on John's spare machine, "Hoptoad." Setting up the list was discussed on a Sunday morning bagel run by Eric Hughes, Hugh Daniel, and myself, the morning after our very successful first meeting with 25 or so people.

On that morning walk we also discussed just how feasible it would be to actually implement the "mix" we used a paper form of that Saturday. I wanted to _demonstrate_ how mixes could work, how untraceable markets could work, how reputations could develop in a pseudonym-only network, how digital money would work, and so on. Basically, the stuff I'd written about several years earlier in my Crypto Anarchist Manifesto.

So all Saturday afternoon we played "the crypto anarchist game," with envelopes and baskets substituting for mixes (remailers), with Monopoly money subbing for digital money, with blackboards subbing for Usenet and anonymous markets, and so on. Some people were given "secrets" to sell, things like submarine movements out of harbors, source code to commercial products, etc. (BlackNet goes back to 1987-88, used as an illustration of Chaumian technologies with Phil Salin for his then-nascent AMiX, a precursor to EBay and all the other auction markets. I used the term "BlackNet" to capture the essence of an untraceable, Vinge-style market for "interesting" items. This history has been recounted before, in articles from the 1992-3 period on the list.)

Anyway, the next morning the three of us were walking around the Montclair section of Oakland, munching Noah's bagels and discussing how feasible it would be to actually _build_ a simple mix or remailer system, instead of waiting for Chaum and the Pfitzmans to hammer out all the nagging problems with DC Nets. Hugh and Eric were talking about how Sendmail could be told to just forward on items, with headers stripped, behaving just as our "envelopes" had behaved in the game we played, and just as the "shell game" I had described worked.

A weekend or two later Eric spent Saturday learning enough Perl to do the job, and then spent Sunday coding up the first basic remailer. With the "::request-remailing-to: " syntax. Later, Hal Finney improved the code further, adding the important ingredient of PGP. Others reworked and rewrote the code further. Mixmaster resulted about a year later.

By the way, we were well familiar with the existing "anonymizer" that Johann Helsingius, Julf, was deploying, based on the code of Karl Kleinpaste. Experiments in anonymizing and pseudonymizing had started with the "Kremvax" and similar systems used in some of the "*.personals" newsgroups.

But these were all _centralized_ systems, missing the essence of a "shell game" system. A shell game where a message goes from Alice to Bob, gets mixed with N other nominally identical (because of the entropy of encrypted messages) messages, gets sent out to Charles, and so on. An observer watching the process has no way of knowing where a message exited the system and was delivered.

(During the crypto anarchist game, we had emergent behavior: some people who attempted to correlate messages to senders by observing latency patterns.)

I mention this because one of the main weaknesses, it seems to me, in the ZKS Freedom network is a return to a centralized system. Hence the "meetings" ZKS has admitted having with the FBI and other TLAs in the Evil Empire.

(A true distributed system would be open source, no central nexus, no "security through obscurity," and none of the despicable ZKS "ability to turn off nyms if lawbreaking is occurring." Gee, sounds like the Cypherpunks/Mixmaster approach.)

--Tim May

Y2K: It's not the odds, it's the stakes.

---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   831-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
"Cyphernomicon"             | black markets, collapse of governments.
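The mechanics Tim describes above (a "::request-remailing-to:" block, headers stripped, messages mixed with N nominally identical ones and released so an observer cannot pair inputs with outputs) as an added toy implementation. This is not the 1992 Perl remailer or Mixmaster; the exact "::" syntax is approximated, no encryption is performed (so the padding is visible here where a real remailer would see only uniform-size ciphertext), and the sample message in the usage note is constructed.

```python
"""Toy batch remailer ("mix"): added illustration, not the 1992 Perl code.

Reads the '::' pseudo-header block (Request-Remailing-To:), discards every
original header, pads each message to one size, and releases a batch only
once it is full, in random order.
"""
import random

REQUEST_HEADER = "request-remailing-to"   # matched case-insensitively
PAD_TO = 1024                             # every released message is exactly this many bytes


def parse_remailer_request(raw):
    """Return (destination, body) with all original headers removed.

    Assumed shape, after the 1992 style: mail headers, a blank line, a line
    holding only '::', one or more 'Name: value' lines, a blank line, the body.
    """
    if "\n\n" not in raw:
        raise ValueError("no header/body separator")
    _headers, body = raw.split("\n\n", 1)        # the headers are never forwarded
    lines = body.split("\n")
    if not lines or lines[0].strip() != "::":
        raise ValueError("no :: remailing block")
    dest, i = None, 1
    while i < len(lines) and lines[i].strip():    # the :: block ends at a blank line
        name, _, value = lines[i].partition(":")
        if name.strip().lower() == REQUEST_HEADER:
            dest = value.strip()
        i += 1
    if not dest:
        raise ValueError("missing Request-Remailing-To")
    return dest, "\n".join(lines[i + 1:])


class BatchMix:
    """Hold messages until batch_size have arrived, then emit them shuffled.

    Arrival order and per-message latency then no longer identify a message,
    which is the correlation the players of the paper game tried to exploit.
    """

    def __init__(self, batch_size, rng=None):
        self.batch_size = batch_size
        self.rng = rng or random.SystemRandom()
        self.pool = []

    def accept(self, raw):
        """Queue one incoming message; return the released batch, or [] if still filling."""
        dest, body = parse_remailer_request(raw)
        padded = body.encode()[:PAD_TO].ljust(PAD_TO, b"\0")   # uniform size
        self.pool.append((dest, padded))
        if len(self.pool) < self.batch_size:
            return []
        return self.flush()

    def flush(self):
        batch, self.pool = self.pool, []
        self.rng.shuffle(batch)          # output order is independent of input order
        return batch


if __name__ == "__main__":
    # constructed sample: three senders, one hop, batch of three
    template = ("From: {who}@example.org\nTo: remailer@example.org\n\n"
                "::\nRequest-Remailing-To: {to}@example.org\n\nnote from {who}\n")
    mix = BatchMix(batch_size=3)
    for who, to in [("alice", "bob"), ("carol", "dave"), ("erin", "frank")]:
        for dest, _body in mix.accept(template.format(who=who, to=to)):
            print("deliver to", dest)      # printed in shuffled order, headers gone
```

A batch of three is only a demonstration; the protection grows with the batch size, and a single mix still has to be chained with others so that no one operator sees both the sender and the destination.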


From: Austin Hill <austin@zeroknowledge.com>
To: "'Tim May'" <tcmay@got.net>
Cc: "'cypherpunks@infonex.com'" <cypherpunks@infonex.com>
Subject: RE: Non-hierarchical Networks in Nature
Date: Thu, 16 Dec 1999 11:15:49 -0500

> -----Original Message-----
> From: Tim May [mailto:tcmay@got.net]
> Subject: Re: Non-hierarchical Networks in Nature
<snip>
> I mention this because one of the main weaknesses, it seems to me, in the
> ZKS Freedom network is a return to a centralized system. Hence the
> "meetings" ZKS has admitted having with the FBI and other TLAs in the
> Evil Empire.
>
> (A true distributed system would be open source, no central nexus, no
> "security through obscurity," and none of the despicable ZKS "ability to
> turn off nyms if lawbreaking is occuring." Gee, sounds like the
> Cypherpunks/Mixmaster approach.)

Hey Tim,

Just wanted to follow up on the point you made about the weakness of having a centralized system. This is similar to the conversation we had close to a year and a half ago in CA. I agree with you 100% that a centralized system is subject to numerous types of attacks, both legislative & technical and that some of these attacks worsen depending on which jurisdiction is chosen.

Moving towards a distributed, open source, no central nexus system is part of what ZKS is trying to do. We are already deploying multiple nym servers, core services in different countries around the world to deal with issues such as DOS attacks, load balancing, and jurisdictional arbitrage with regards to orders to shut off nyms. We recognize that the company's value, reputation and future potential success relies on the pledge of <Zero-Knowledge> and that if there is a central point to attack which would compromise our reputation or the security of a nym, that all of our work & investment is at risk.

While version 1.0 is part of that approach (Multiple independent server operators, in multiple jurisdictions around the world, agreeing to co-operate by contract), it is the first step.

The harder aspect of what we are trying to do is something that ANY Pipenet; OnionRouter, FreedomNetwork Anonymous IP system will have to deal with. This is how do you design, manage and distribute routing topology, backbone design and state table information with regards to a globally distributed anonymous network.

Technically it is easy to distribute lots of anonymous nodes, which connect to each other and are all independent and in a perfect world we would have anonymous ecash that we could include in our outgoing packets so that we would pay as our traffic routed through nodes so that anyone running a node would be compensated for the bandwidth they dedicate to this network without having to be in any contractual relationship with someone who is 'running' the network.

(BTW - This ignores the practicality or business problems of having users pay per packet, or the differences in bandwidth pricing around the world which would cause your packet to only route through regions you could afford etc. etc.)

There are tons of questions about how each server operator would choose to connect to each other, under what conditions, what if a high bandwidth operator tries to connect to a low bandwidth operator and kills that operator's backbone connection?, what if some operators don't want to connect to others?, how many interconnections will each operator be required to have to other nodes (1?, 3?, 5?) - What if that operator doesn't have enough bandwidth to dedicate to connect to that many nodes (let's say 1/2 a T1 which with padding, etc. is really only useful for maybe 2 interconnects). Remember, that as opposed to Mixmaster/Type I remailers, these connections operate as constant IP overlay connections and must choose which nodes they connect to, and that information needs to be distributed to clients.

In reality this is a lot harder to implement.    Any truly anonymous MIX style network includes in my mind the following difficulties to implement,

- Global state table of network topology, stats etc.  (Is the server up, down, dropping packets, performing well etc.) - This needs to be authenticated, and digitally signed or you open yourself up to various attacks whereby user traffic is rerouted based on forged topology stats and routing tables.

- Key distribution and key rotation for each node, to enable forward secrecy & rapid key changing.

- Routing topology which manages the different speed of nodes and plugs new nodes into the proper part of the network. (This is based on safety in numbers. If you end up having many split networks whereby you have small groups of nodes who agree to talk to each other, then everyone's anonymity is threatened because it is easier to perform traffic analysis on a few nodes than many thousands of nodes). Routing topology decisions also need to take into account bandwidth contribution, server uptime/reliability, topological distance to other core nodes, server operator reputation & identity etc.... (This is the same reason that there are many central points of failure on the existing Internet since there are a few companies, and a few core routing points that deal with the majority of all backbone traffic).

If you look at the existing routing architecture of the net, it isn't that distributed.   (Or secure).     The routing management and topology design of a MIX style network needs to be more secure and better designed.

I'm not saying that this is impossible to do with a distributed, non-central controlled system.    But it does pose a lot of challenges that ZKS hasn't solved yet.    (Both technical and business related challenges).

For instance....

- Attacker, sets up high bandwidth NAPs and subscribes them or joins them to the MIX network, and sets them up as key routing points talking to other compromised nodes.

- Attacker, uses a combination of DOS attacks and routing attacks to drop statistics and performance rating of non compromised servers.

- Attacker sets up many nodes under different names and corporations and makes sure they all talk to each other in the topology so that any user using those nodes is compromised.

Ultimately this system will have to incorporate reputation capital in the routing decisions and topology.    Whereby a server with little or no reputation cannot become core routing points, and users can rate servers based on reputation and choose which routing points they prefer.    Doing this right wasn't something we could accomplish for 1.0.

I would say we've done a good job so far of getting something going, we've been honest about its problems and failings, and we are working hard (With various members of this group, and top crypto people in the world - Aside from just Ian & Adam) to deploy a better system on the next revision.

I'll be pleased to see some time in the future, Tim, and others who have a higher security expectation for the system sign on once we've accomplished some of these things.

BTW - For those of you on this list who remember, Zero-Knowledge did make a very credible effort to get some of the Chaum patents and make sure that eCash, blinded reputation credentials were available to be used in the design of our system and others. We actually had a contract in place, whereby we were required if our bid was successful to give free patent licenses to any open source initiative. Unfortunately, our company did not have the resources to pull off our bid, but we were there until the end. Our goal for this was to include anonymous ecash, and blinded authentication to the Freedom network as part of Freedom.

In any case, I think the Freedom network has made the most credible attempt to build the type of privacy systems that have been talked about for more than 10 years on this list and others. There are a couple key elements that haven't been incorporated yet, (open source, decentralized management, etc.) and we'll be attacking those in the future.

Ultimately we need to make sure that we get millions of people on the system, otherwise it will always remain just a toy for crypto-anarchists and criminals where traffic analysis and statistical attacks are trivial because it never amounts to any large number of people (Sounds like Mixmaster/Type I remailers to me). For a system like this to exist, we need every AOL user, ICQ user, Disney loving parent and child - all using the system as part of their everyday activities online. This is not going to be accomplished by a renegade <burn down the government> attitude. It is going to be accomplished by promoting strong privacy, educating companies that protecting the privacy of their users is in their interests, and building it on a secure and private anonymous layer of the Internet.

Zero-Knowledge is attempting to do that, so while you may give us some flak in the future about announcing deals with every <middle of the road> organization in the world to incorporate Freedom into it will be these deals that make sure we have a viable anonymous network with millions of users.

- Austin
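The three attacks Austin lists (an attacker joining a few high-bandwidth NAPs, degrading honest nodes' statistics, or running many nodes under different corporate names so that they all end up on one route) and the reputation-gated routing he proposes, as an added simulation. This is not Freedom code: the directory, operators, countries, bandwidths and reputation scores below are constructed for illustration, and the example assumes the directory entries have already been authenticated (the signed state table he calls for), which is out of scope here.

```python
"""Added example, not ZKS code: client-side route selection over a node
directory, and the rate at which an attacker ends up at BOTH ends of a route.

Constructed directory: six honest operators in six countries at 1500 kbps,
plus two attacker nodes with ~7x that bandwidth.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    name: str
    operator: str        # as declared in the (assumed authenticated) directory entry
    country: str
    bandwidth_kbps: int
    reputation: float    # 0..1, earned over time; a brand-new node starts near 0


def directory(sybil_labels=False, evil_rep=0.9):
    """Honest nodes plus two attacker NAPs.  With sybil_labels the attacker
    declares them as two unrelated companies; evil_rep is their reputation."""
    honest = [Node(f"h{i}", f"op{i}", c, 1500, 0.8)
              for i, c in enumerate(["CA", "NL", "DE", "CH", "JP", "SE"])]
    a, b = ("ShellCo-A", "ShellCo-B") if sybil_labels else ("EvilNAP", "EvilNAP")
    evil = [Node("e1", a, "US", 10000, evil_rep), Node("e2", b, "GB", 10000, evil_rep)]
    return honest + evil, {a, b}


def choose_route(nodes, hops, rng, min_rep=0.5, constrained=True):
    """Bandwidth-weighted random route of `hops` nodes.

    constrained=True forbids two hops under the same declared operator or in
    the same country; min_rep keeps unproven nodes out of routes altogether
    ("a server with little or no reputation cannot become a core routing point").
    """
    pool = [n for n in nodes if n.reputation >= min_rep]
    route = []
    while pool and len(route) < hops:
        n = rng.choices(pool, weights=[m.bandwidth_kbps for m in pool])[0]
        route.append(n)
        pool = [m for m in pool if m is not n and
                (not constrained or (m.operator != n.operator and m.country != n.country))]
    if len(route) < hops:
        raise RuntimeError("directory too small for the constraints")
    return route


def both_ends_owned(route, evil_ops):
    """The classic endpoint attack: entry and exit belong to the attacker."""
    return route[0].operator in evil_ops and route[-1].operator in evil_ops


def compromise_rate(nodes, evil_ops, rng, trials=2000, **kw):
    hits = sum(both_ends_owned(choose_route(nodes, 3, rng, **kw), evil_ops)
               for _ in range(trials))
    return hits / trials


def run_scenarios(seed=1):
    rng = random.Random(seed)
    honest_labels, evil1 = directory()
    sybil, evil2 = directory(sybil_labels=True)
    new_sybil, evil3 = directory(sybil_labels=True, evil_rep=0.1)
    return {
        # bandwidth-weighted only: the fat attacker nodes win often
        "unconstrained":      compromise_rate(honest_labels, evil1, rng, constrained=False),
        # distinct-operator rule works when the attacker's nodes share a label
        "distinct_operator":  compromise_rate(honest_labels, evil1, rng),
        # ...and is defeated by the same nodes under shell names
        "sybil_labels":       compromise_rate(sybil, evil2, rng),
        # fresh shell nodes have no reputation yet, so the gate excludes them
        "sybil_low_rep_gate": compromise_rate(new_sybil, evil3, rng),
    }


if __name__ == "__main__":
    for name, rate in run_scenarios().items():
        print(f"{name:20s} both-ends-owned rate: {rate:.3f}")
```

The numbers show the two rules doing different jobs: the distinct-operator constraint only helps to the extent the operator label is trustworthy, and the reputation gate only delays an attacker who is willing to run well-behaved nodes for a long time before using them. Neither replaces the authenticated, signed directory the message calls for; a forged directory lets the attacker rewrite both labels and scores.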
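Austin's "anonymous ecash that we could include in our outgoing packets" and "blinded reputation credentials", and the anonymized coupons Tim May describes in his reply further down ("bought, possibly anonymized by an exponentiation a la Chaum, and then traded in for a nym"), as an added worked example of a Chaum-style RSA blind signature used as a low-value token. This is neither ZKS nor DigiCash code; the RSA moduli are toy-sized and unpadded so the arithmetic is readable, the denominations and party names are hypothetical, and the point is the mechanics: the mint signs a value it cannot read, the buyer unblinds it into a token the mint cannot later tie to the purchase, and a node redeems each token at most once.

```python
"""Added example, not ZKS or DigiCash code: blind-signature coupons.

Toy RSA (million-sized primes, no padding): arithmetic illustration only.
"""
import hashlib
import secrets
from dataclasses import dataclass
from math import gcd

E = 65537
# One key pair PER DENOMINATION.  The mint cannot see the value inside a
# blinded request, so the value is bound by which key signs it; a single key
# would let a buyer pay for a 33-cent token and relabel it as 100 cents.
_TOY_PRIMES = {33: (1000003, 1000033), 100: (1000037, 1000039)}   # cents; toy sizes


@dataclass(frozen=True)
class Token:
    serial: bytes
    value: int
    sig: int


def toy_keypair(value):
    p, q = _TOY_PRIMES[value]
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), d


def token_hash(serial, n):
    """The message actually signed: a short hash of a random serial, below n."""
    return int.from_bytes(hashlib.sha256(serial).digest()[:4], "big") % n


def blind(pub, m):
    """m * r^e mod n for a random r coprime to n; returns (blinded, r)."""
    n, e = pub
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return (m * pow(r, e, n)) % n, r


def unblind(pub, blinded_sig, r):
    n, _ = pub
    return (blinded_sig * pow(r, -1, n)) % n      # (m r^e)^d r^-1 = m^d


def verify(pub, m, sig):
    n, e = pub
    return pow(sig, e, n) == m


class Mint:
    """Sells blinded signatures.  Its log shows who paid for which denomination
    and the blinded value, which is all a subpoena of the mint would yield."""

    def __init__(self):
        self.keys = {v: toy_keypair(v) for v in _TOY_PRIMES}
        self.sales_log = []                      # (buyer, value, blinded)

    def pubkeys(self):
        return {v: k[0] for v, k in self.keys.items()}

    def sign_blinded(self, buyer, value, blinded):
        pub, d = self.keys[value]
        self.sales_log.append((buyer, value, blinded))
        return pow(blinded, d, pub[0])


def buy_token(mint, buyer, value):
    """Buyer side: pick a serial, blind its hash, get it signed, unblind."""
    pub = mint.pubkeys()[value]
    serial = secrets.token_bytes(16)
    m = token_hash(serial, pub[0])
    blinded, r = blind(pub, m)
    sig = unblind(pub, mint.sign_blinded(buyer, value, blinded), r)
    return Token(serial, value, sig)


class Redeemer:
    """A node or nym server accepting tokens; needs only the mint's public keys."""

    def __init__(self, pubkeys):
        self.pubkeys = pubkeys
        self.spent = set()

    def redeem(self, token):
        pub = self.pubkeys.get(token.value)
        if pub is None or not verify(pub, token_hash(token.serial, pub[0]), token.sig):
            return False                          # forged, or wrong denomination key
        if token.serial in self.spent:
            return False                          # double spend
        self.spent.add(token.serial)
        return True


def mint_can_link(mint, token):
    """Neither the serial's hash nor the final signature appears in the mint's log."""
    n = mint.pubkeys()[token.value][0]
    m = token_hash(token.serial, n)
    return any(b in (m, token.sig) for _, _, b in mint.sales_log)
```

What this does not give you is the hard part Austin and Tim both point at: a spent-serial set only works where redemption is online at one party per denomination key (or the keys rotate so the set stays bounded), and a token unlinkable at the mint can still be linked by timing if it is bought and spent minutes apart.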


From: Austin Hill <austin@zeroknowledge.com>
To: "'John Young'" <jya@pipeline.com>
Cc: "'cypherpunks@infonex.com'" <cypherpunks@infonex.com>
Subject: RE: ZKS criticized by police.
Date: Thu, 16 Dec 1999 12:20:42 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> -----Original Message-----
> From: John Young [mailto:jya@pipeline.com]
> Subject: Re: ZKS criticized by police.
>
> Peter Trei wrote:
> >http://www.nandotimes.com/technology/story/0,1643,500141911-500168443-500625430-0,00.html
>
> Congratulations ZKS, but, WTF is this all about:
>
>   Zero-Knowledge says it is based in Canada in part
>   because the nation has rules that are less
>   restrictive than the United States in governing the
>   export of encryption technology. But it has met
>   with officials at the U.S. Department of Justice and
>   plans to meet with the Federal Bureau of
>   Investigation to brief them on the service.
>
> Excuse me, most trusted 0Ks, but it would be
> great if you would sign in blood that these meetings are
> not going to turn out like those of another Canadian
> firm, TMI Communications, which capitulated to US
> authorities after first putting up a principled fight:
>
>    http://cryptome.org/tmi-snoop.htm
>
> When did the DoJ  and FBI meetings occur, with whom,
> and could you share the minutes of what was or was not
> promised now and forever. In the interest of trusting your
> exemplary product, now and forever. Thanks for listening,
> no need for a private meeting, a public email will do,
> anonymous 0K.
>
> This is not to say that the global PGP Inc model is not a viable
> business alternative to trustworthiness. One time review
> indeed. One review one agreement one approval one FU
> to loyal PGP users.

Hereby signed in blood & with PGP......NO meetings will turn out like TMI!

Since I've attended all meetings I'll give run downs now.   In the future, John's suggestion is great, and we will publish details of all our interactions and meetings with law enforcement/TLAs.

1. RCMP - Tuesday Oct. 19 from 12 PM - 2 PM.   Included people from the Computer Crime division, and the computer forensics lab.     We did a presentation for them on the Freedom network, how it worked, why as a result we would have no useful information for them with regards to our users.

They asked why we couldn't build a true identity escrow only accessible under subpoena, and aside from our "we don't want to & aren't required to" response, we educated them about some of the flaws of these types of systems including the Clipper debate, Scientologist attack on Anon.penet.fi, Raytheon vs. John Doe & Yahoo's role, Philips Services vs. John Does etc.

We then talked to them about how privacy and strong crypto will prevent people from being victims, protect children from stalkers while online etc.

We then got into technical details about what they could do if they were trying to find out the identity of a specific nym.   We proceeded to suggest the following items,

-- Sting operation (Convince the Nym to meet you somewhere in the physical world)

-- Hostile Code Attack (As described in our Security faults whitepaper), send the Nym a file, or application that contains hostile code that will compromise the Nym.

-- Investigate the person as opposed to the Nym (Look for real world connections, money transfers, hints in the nyms activities that might link to identity).

-- Apply huge resources to the science of cryptanalysis and hope you find a new area in math that breaks DH/DSS security :)

We talked with them about using Nyms, and Freedom as a tool for investigations and undercover operations on the Internet and suggested to them that it would become the tool of choice for them in these investigations.

We then talked about who in their dept. we should use as a liaison and who they could contact @ ZeroKnowledge when they had issues or problems they needed to deal with us on.

Overall friendly meeting.

2. CSE (CSIS, some RCMP, some DFAIT (Dept. of Foreign Affairs and International Trade, our version of the Dept. of Commerce and BXA - in charge of Wassenaar) August 26 - 1:30 to 3:30 in Ottawa @ CSE Headquarters.

People in attendance from ZKS - Ian G.; Austin H.; Dov S.; Hammie H.

People in attendance from various agencies - About 20 (A few cards from RCMP, DFAIT and CSE but various people did not introduce themselves).

Topic - Freedom

I gave a presentation of the system, explained the security model, the intent and the basic idea of what we were trying to do.    I described some of the future security plans of the system (Link padding, variable traffic shaping etc.) and then Ian talked about the algorithms we use, and some of the issues regarding key lengths etc. (Nothing that isn't in our whitepapers - actually a lot less detail).

Not a lot of questions, mostly about abuse like Spam, harassment etc.

As Ian pointed out to me later, most of the fun questions they aren't allowed to ask since it would leak information about what they can and can't do with regards to attacks on the system.

<Note: Ask Ian and he might post a URL with a picture of him standing outside of a CSE headquarters sign. He was proud of that one :)>

3. Dept. of Justice - August 31, 1999 - Lunch Meeting - Washington

This was a meeting between myself and someone from the computer crime division @ DOJ.    We spoke about the Freedom system, types of abuse, anonymity vs. pseudonymity, reputation mechanisms as a means of abuse management (i.e. Killfiles for bad reputations).

The conversation was quite candid and very informal. I was asked about reply blocks, and being able to follow the chain back to the user, and I talked about our intent to ditch reply blocks as soon as possible, and how we were working to get code into the system that purposefully chooses nodes in multiple jurisdictions to make that hard/impossible as well as key rotations to ensure that server operator keys were thrown away and reply blocks frequently rotated to make certain types of these legislative attacks hard/difficult.

We then spoke about the situations where this would pose the most amount of concern. I have a fair amount of respect for this person @ DOJ, because they were honest and straight to the point about where this would cause them problems, copyright theft, IP theft (Digital goods being transmitted from nym to nym). We both acknowledged that some of the physical world stuff (Terrorism, drugs, money laundering) were not the primary areas of concern because those are all meatspace crimes that have other avenues of investigation.

I proceeded to give my opinion that the problem wasn't strong privacy systems like Freedom, but rather the bad & outdated (Sometimes non-existent) copyright management systems on things like songs, articles and software and I pointed out how this problem exists regardless of ZKS.

Generally a good discussion, and I promised to come into the DOJ and do a 'brown bag lunch' for various people there and answer similar questions and talk to them about Freedom.

(Note: This has not occurred yet, due to scheduling problems)

4. CSE - Montreal Sept. 7/99 1:30 to 3:30pm

Review of our export controls mechanisms for countries on the ACL list. I wasn't at this meeting, but from my partner's comments to me it was just a once over to review the procedures we take to make sure people in Angola, Myanmar (Burma) and Yugoslavia can't download the software from our site. (reverse lookups, having users click to agree they aren't in those countries etc.)

We also reviewed our software licence with them.

This was in preparation for an opinion from DFAIT which stated that Freedom is not required to have an export license under Wassenaar since it is public domain software.

There was no discussion to my knowledge at this meeting with regards to the security of the system.

Meetings with the FBI, Customs, Secret Service and other TLAs will occur in the New Year and I expect will follow a similar course of that detailed above.    We will post details as the meetings occur.

- -Austin

_________________________________________________________________________
Austin Hill                                   Zero-Knowledge Systems Inc.
President                                                Montreal, Quebec
Phone: 514.286.2636                                 Fax: 514.286.2755
mailto:a_hill@zeroknowledge.com            
http://www.zeroknowledge.com

Are you fast enough? Are you smart enough? We are hiring those who are!

                    http://www.zeroknowledge.com/jobs/

PGP Fingerprints
RSA    = 7BDB A72C 1130 BC09  CD5A 2712 F51D 72AC
DH/DSS = F783 7187 E174 0C5C DD4C  B1FA 0392 C7DC AF5A 1FAB

________________________________________________________________________ 

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.0.2i

iQA/AwUBOFkf/gOSx9yvWh+rEQI+eACdFDmjRMH7mltvpuZ7HNGCOTKBsgUAoO+7
0Y+U6pM8h3fGk29uml3GHuD3
=NdMM
-----END PGP SIGNATURE-----


Date: Thu, 16 Dec 1999 11:01:36 -0800
To: Austin Hill <austin@zeroknowledge.com>
From: Tim May <tcmay@got.net>
Subject: Zero Knowledge Systems
Cc: "'cypherpunks@infonex.com'" <cypherpunks@infonex.com>

At 8:15 AM -0800 1999-12-16, Austin Hill wrote:

>Hey Tim,
>
>Just wanted to follow up on the point you made about the weakness of having
>a centralized system.    This is similar to the conversation we had close to
>a year and half ago in CA.   I agree with you 100% that a centralized system
>is subject to numerous types of attacks, both legislative & technical and
>that some of these attacks worsen depending on which jurisdiction is chosen.
>
>Moving towards an distributed, open source, no central nexus system is part
>of what ZKS is trying to do.    We are already deploying multiple nym
>servers, core services in different countries around the world to deal with
>issues such as DOS attacks, load balancing, and jurisdictional arbitrage
>with regards to orders to shut off nyms.   We recognize that the company's
>value, reputation and future potential success relies on the pledge of
><Zero-Knowledge> and that if there is a central point to attack which would
>compromise our reputation or the security of a nym, that all of our work &
>investment is at risk.

I think we both agree on all of these points. I am more critical of centralized servers than you are, no doubt, because I am not trying to set up such a service. You are, and so you have to think about certain compromises. I don't envy you.

>The harder aspect of what we are trying to do is something that ANY Pipenet;
>OnionRouter, FreedomNetwork Anonymous IP system will have to deal with.
>This is how do you design, manage and distribute routing topology, backbone
>design and state table information with regards to a globally distributed
>anonymous network.

My hunch is that it's possible to _know_, if not _manage_, the state of such a network. By monitoring reports from nodes (which can use the constant, or frequent, bandwidth) to ping other nodes, to consolidate the results of dummy packets sent around, and so on.

Sort of like the Net itself and routers, which route packets without any centralized system for topology and state table information.

(How this would be done, precisely, I don't know.)

The harder part, as we discussed in Menlo Park last year, is HOW TO MAKE MONEY?

And, even harder, how does the DEVELOPER, whether Eric Hughes or Lance Cottrell or ZKS, make money?

I am persuaded by the lessons of closed vs. open systems (usual Linux, Cathedral and Bazaar, etc. sorts of points) that the best way to make money with mixes and remailers is:

-- for each mix to charge some market-based fee for services (an old idea of course)

-- for the developer of such mixes to make money by providing services, timely distribution of new updates (still open source, but he has the advantage of a devoted staff, a la Red Hat or other providers of open source)

This model encourages more "Mom and Pop mixes," which is the desired goal, right?

Can a company funded with $12 million in venture capital, plus funds from the founders, etc., make enough money by distributing the 30 or 60 or 120 pieces of software for those who want to set up mix nodes?

Gee, I don't see how. Sorry, but I just don't understand how ZKS recoups its investment. Except by going public, the _real_ "shell game."

>Technically it is easy to distributed lots of anonymous nodes, which connect
>to each other and are all independent and in a perfect world we would have
>anonymous ecash that we could include in our outgoing packets so that we
>would pay as our traffic routed through nodes so that anyone running a note
>would be compensated for the bandwidth they dedicate to this network without
>having to be in any contractual relationship with someone who is 'running'
>the network.

Just as you are, as I understand it, using the "anonymized coupon" method (where coupons are bought, possibly anonymized by an exponentiation a la Chaum, and then traded in for a nym), so too could you use a simplified form of digital cash for paying for remailings. This has been proposed and partially tried a bunch of times.

Cheap coupons can work for situations where digital cash would otherwise need more robustness. (The cost per packet being low.) By analogy, a 33-cent stamp is a lot easier to counterfeit than a $100 bill. We live with this, for reasons I won't write about here.

With digital cash, as with so much crypto, "the best is the enemy of the good."

Chaum and Company could have had a better digital cash payment system out on the Web several years ago, but chose to concentrate on "true" digital cash with Mark Twain Bank and Deutsche Bank and such.

(And even then, the focus was not on the "true" uses of d.c., for illegal transactions, for buying and selling contraband, for digital espionage, and so on. The banks sought to distance themselves from such uses. So, why even bother with digital cash? And of course Chaum backpedalled from his earlier versions and made it a point to emphasize that his form of d.c. was "banker-friendly." True two-way anonymity, implicit in his earliest papers, and apparently available once "everyone a mint" happens, as in true geodesic systems, got deemphasized. So, why bother?)

A true distributed mix system with no centralized nexus, just nodes communicating their readiness to "trade" with other nodes, is possible to do with anonymized tokens or coupons bought from a mint that will agree to redeem them for real money.

Why is ZKS increasing its exposure to the RCMP, FBI, Justice Department, and other agencies who want to "work with" you?

At the first _hint_ that you are cooperating with the FBI, your customer base shies away.

Yeah, the parent who wants to make sure little Suzie can operate under a stable nym when she orders Disney merchandise probably sticks with you, but the core business users for an anonymized digital economy get spooked [pun intended].

>(BTW - This ignores the practicality or business problems of having users
>pay per packet, or the differences in bandwidth pricing around the world
>which would cause your packet to only route through regions you could afford
>etc. etc.)

Actually, this is another advantage of local payment. Like the "Silk Road" (cf. paper by Tribble and Hardy, IIRC, on "Digital Silk Road"), the local transporters knew the costs of travelling over certain paths and communicated these costs in their pricing model. It was emphatically NOT the job of the Beijing or whatever origin point to know and manage all of the pricings of the various nodes.

Localized nodes are also best-equipped to haggle with their local ISPs or Postal monopolies to get better pricing.

>There are tons of questions about how each server operator would choose to
>connect to each other, under what conditions, what if a high bandwidth
>operator tries to connect to a low bandwidth operator and kills that
>operators backbone connection?, what if some operators don't want to connect
>to others?, how many interconnections will each operator be required to have
>to other nodes (1?, 3?, 5?) - What if that operator doesn't have enough
>bandwidth to dedicate to connect to that many nodes (let's say 1/2 a T1
>which with padding, etc. is really only useful for maybe 2 interconnects).
>Remember, that as opposed to Mixmaster/Type I remailers, these connections
>operate as constant IP overlay connections and must choose which nodes they
>connect to, and that information needs to be distributed to clients.

Well, while I have been a fan of PipeNet since Wei Dai proposed it several years ago, the plain fact is that _constant connections_ are expensive.

(I always envisioned a working PipeNet would start out in a laboratory, with N machines with dedicated connections, then expand outside the lab to other such machines. Many of the "Labyrinth" (my old name for mixes and remailers) advantages could be gotten just this way. Packets enter the PipeNet labyrinth, bounce around so many times that no one knows which is which, and various packets exit at various times.)

Implementing a PipeNet on the current Net may not be wise.

Scalability issues. If ZKS starts with 10 paying customers, the needs are dramatically less than when one has 10,000 paying customers. Or ten million.

>In reality this is a lot harder to implement.    Any truly anonymous MIX
>style network includes in my mind the following difficulties to implement,

I certainly agree that it's a challenge to implement a good mix system. Most of the "remailers" have only implemented the original Chaumian e-mail system he first described 19 years ago, in 1981 (!!!).

(Sidenote: I devised a "shell game" store-and-forward system in 1987-88, and described it to a bunch of Bay Area folks in 1988. Including Eric Drexler, Marc Stiegler, Mark Miller, Dean Tribble, etc. When I saw Chaum later that year at Crypto-88 and described my system, he laughed, and then pointed me to his paper of seven years earlier, and to his just-published Dining Cryptographers paper. I was both chagrined, that he had already seen this (and analyzed it more completely than I had), and pleased, that my ideas were basically valid.)

The reason Eric Hughes, Hugh Daniel, and I talked in 1992 about actually building a primitive remailing system was because we realized "the best was the enemy of the good," and that so much theoretical work was being done on "topologies of adversaries" in the DC literature, but nothing was being done to build a basic "toy" system which could allow both demonstration of the reasons for building such networks and also allow explorations of some of the applications of such networks.

Gratifyingly, the public awareness of "anonymous remailers" is out there.

Not so gratifyingly, the basic core architecture is stuck at the 1981 level.

If ZKS can build a system which pushes us beyond 1981 levels, great. (I'm just not at all certain that a commercial company can persist at the next level. That is, the next level is not enough. Much more I could say on this point...perhaps later.)

[much good discussion elided]

>If you look at the existing routing architecture of the net, it isn't that
>distributed.   (Or secure).     The routing management and topology design
>of a MIX style network needs to be more secure and better designed.
>
>I'm not saying that this is impossible to do with a distributed, non-central
>controlled system.    But it does pose a lot of challenges that ZKS hasn't
>solved yet.    (Both technical and business related challenges).

Agreed, these are very challenging.

However, Austin, what if these are the challenges which _need_ to be solved in order for a system to be trusted?

I guess it all depends on your business model and your target customer.

Not intended to be disparaging of your goals, but the security and nym needs are much different for these various potential customers:

-- the parent who wants little Suzie to have a nym when she cruises the Net looking for Pokemon sites

-- the teenager who wants a nym so he can say what he wants without his parents using DejaNews to catch him in newsgroups he shouldn't be in

-- the employee of a company who wants a nym for similar reasons, overlaid with concerns about how his insurance company might react to his comments in alt.support.aids or how future employers might use his tracks on the Net.

-- the Saudi Arabian woman who runs a birth control information site

-- the Chechen activist (terrorist/freedom fighter) organizing and fomenting

-- the American activist (terrorist/freedom fighter) organizing and fomenting

-- those trading and selling adult erotica images

-- those trading and selling child erotica images

-- and so on, for all of the "interesting" uses we have discussed so many times over the years (and which we've seen some use of remailers for)

What bothers a lot of people about the ZKS system has been the noise about "working with" U.S. law enforcement operations.

As I told you and Hammie at that meeting, once I get a ZKS account (as I expect to), I plan to "push the envelope" quickly.  (As I did in 1992-3 when the first remailers appeared, offering the services of BlackNet to buy and sell stolen military information, corporate secrets, etc. A friend of mine whose wife worked at Oak Ridge National Laboratory said that a memo was posted that all employees were forbidden to send messages to BlackNet and were to report any contacts with them/it.)

The test of how robust ZKS is will be:

-- when the "Arabian Birth Control Network" is announced, and the Saudis approach the U.S. and Canada and tell them that a Canadian company is "hosting" it.

-- when nyms are in chat rooms talking a stock up or down and the SEC or the company wants to know who is doing this. [This is currently the situation where the greatest number of subpoenas are being filed, in numerous cases. AOL and other northern Virginia (how con-veeee-nient!) ISPs have acknowledged that they get so many subpoenas for true names that they have set up special liaison offices just to handle the volume.]

-- when Neo-Nazis, authentic Nazis, Holocaust Deniers, Zundelsite people, etc. all begin using ZKS with nyms like "Himmler," "Barbie," and "Hitler52." Canada, having various oppressive laws against such thoughtcrimes, will do what?

-- when a threat to blow up CanadaAir Flight 142 is communicated via ZKS.

(Yeah, you'll "turn off" the nym. So? If nyms are cheap enough, and would-be threateners can afford to pay a thousand times what little Suzie's Dad will pay, then throwaway accounts will be common.)

-- when a child porn trading network is set up.

(And what if the users are ostensibly, or even provably (?) in countries where child porn is legal? Whose law? Canadian law? As run by Catherine MacKinnon and Andrea Dworkin?)

The obvious beauty of a distributed system of fairly ephemeral nodes is that there is no point of attack. The Church of Scientology can get a warrant, after some legal effort and $$$, to shut down a site in Iowa, but others pop up all around. "Fire and forget" remailers is one name we used to have for these el cheapo nodes. Both as accounts on normal ISPs, or as el cheapo 486-based machines actually on the Net.

I think ZKS, being based in Canada, will enter a "world of hurt" once these kinds of users start using the ZKS system.

Once the President has been threatened, the "turning off" a nym will not be enough. They will demand that the nym be traced, that "barium" be added to packets to make tracing easier.

If ZKS says "it is not technically possible to trace nyms," they will force the Canadian government to force ZKS to either dumb-down the system (without announcing it) or to use special exponents supplied by the NSA (hey, I'm just giving a "fer instance" here...I have no idea if NSA could supply special exponents as back doors).

One way or another, if ZKS the Company and ZKS the Distributor of Freedom Software is located in a known jurisdiction, it WILL be forced to compromise or, failing that, forced to shut down.

Or forced to reduce the software offerings to "weak nyms" only.

The _only_ hope for Chaumian mixes and distributed systems has, according to everything we have come up with in more than 10 years of thinking about this issue, been that they are so "headless" that cutting off any particular node does little or nothing to reduce the effectiveness of the network.

This reply is getting very long, longer than I usually write these days, so I'm going to make a greater effort to be brief.

>For instance....
>
>-Attacker, sets up high bandwidth NAPs and subscribes them or joins them to
>the MIX network, and sets them up as key routing points talking to other
>compromised nodes.
>
>-Attacker, uses a combination of DOS attacks and routing attacks to drop
>statistics and performance rating of non-compromised servers.
>
>-Attacker sets up many nodes under different names and corporations and
>makes sure they all talk to each other in the topology so that any user
>using those nodes is compromised.
>
>Ultimately this system will have to incorporate reputation capital in the
>routing decisions and topology.    Whereby a server with little or no
>reputation cannot become core routing points, and users can rate servers
>based on reputation and choose which routing points they prefer.    Doing
>this right wasn't something we could accomplish for 1.0.

Reputations are indeed critical. This is something Chaum missed, as most of the crypto community misses. (Because they focus on mathematical proofs of robustness, where economic/market considerations are not taken into account. There's a great professional opportunity for someone to academically merge these topics. As Eric Hughes likes to say, "all crypto is economics.")

I've been talking recently to Mark Miller about Dempster-Shafer belief theory, which I think provides a core building block for such reputation networks, and he has alerted me to the work of Granovetter.

And there's a new book out, "Small Worlds: The Dynamics of Networks Between Order and Randomness," by Duncan Watts. It's about how networks form, how the connectivity affects dimensionality, local order, etc.

My strong hunch is that reputation "solves" a lot of theoretical spoofing and hacking attacks. (Preaching to the converted here.)

>I would say we've done a good job so far of getting something going, we've
>been honest about its problems and failings, and we are working hard (With
>various members of this group, and top crypto people in the world - Aside
>from just Ian & Adam) to deploy a better system on the next revision.
>
>I'll be pleased to see some time in the future, Tim, and others who have a
>higher security expectation for the system sign on once we've accomplished
>some of these things.

I plan to sign on sooner than that. Just to try to break the system. Some outrageous nyms, like "Boylover" and "Osama" and "Jewkiller." Just to see what happens.

Nothing personal, no intent to disrupt ZKS. But if ZKS cannot have a system where "Jewkiller" can post articles about how Jews need to be dealt with, then what's the point of a nym system?

That would provide even less security than the current, and free, remailer system offers.

Good luck, but it will not be easy.

--Tim May

Y2K: It's not the odds, it's the stakes.

---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   831-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
"Cyphernomicon"             | black markets, collapse of governments.
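The many-nodes-under-different-names attack in the quoted list above, and the reputation-gated routing the reply says it requires, as an added example that is not part of the original thread: a small path-selection model in which one operator runs several nodes under separate corporate names, computing how often every hop of a user's path lands on attacker-run nodes under uniform selection, reputation-weighted selection, and a reputation floor for routing points. The node table, operator labels and reputation scores are constructed.

```python
import math
import random

# Constructed node table, not real infrastructure: (name, operator, reputation 0..1).
NODES = [
    ("alpha", "op-A", 0.90), ("beta", "op-B", 0.80),
    ("gamma", "op-C", 0.85), ("delta", "op-D", 0.70),
    # Sybil nodes: separate company names, one attacker, no track record yet.
    ("shell-1", "attacker", 0.05), ("shell-2", "attacker", 0.05),
    ("shell-3", "attacker", 0.05), ("shell-4", "attacker", 0.05),
    ("shell-5", "attacker", 0.05), ("shell-6", "attacker", 0.05),
]

def eligible(nodes, min_reputation=0.0):
    """Nodes allowed to act as routing points under a reputation floor."""
    return [n for n in nodes if n[2] >= min_reputation]

def exact_compromise_uniform(nodes, hops, min_reputation=0.0):
    """Exact P(all hops attacker-run) when `hops` distinct nodes are drawn
    uniformly from the eligible set: C(bad, hops) / C(total, hops)."""
    pool = eligible(nodes, min_reputation)
    bad = sum(1 for n in pool if n[1] == "attacker")
    if len(pool) < hops:
        raise ValueError("not enough eligible nodes for a path")
    return math.comb(bad, hops) / math.comb(len(pool), hops)

def choose_path(nodes, hops, rng=None, min_reputation=0.0, weighted=False):
    """Pick `hops` distinct nodes; weighted=True samples in proportion to
    reputation, so low-reputation newcomers rarely end up on a path."""
    rng = rng or random.Random(0)  # deterministic default for reproducibility
    pool = eligible(nodes, min_reputation)
    path = []
    for _ in range(hops):
        weights = [n[2] for n in pool] if weighted else None
        pick = rng.choices(pool, weights=weights, k=1)[0]
        path.append(pick)
        pool.remove(pick)  # no node appears twice on one path
    return path

def estimate_compromise(nodes, hops, trials=20000, seed=1, **kw):
    """Monte Carlo estimate of P(every hop on the path is attacker-run)."""
    rng = random.Random(seed)
    hits = sum(all(n[1] == "attacker" for n in choose_path(nodes, hops, rng, **kw))
               for _ in range(trials))
    return hits / trials

if __name__ == "__main__":
    print("uniform, no floor :", exact_compromise_uniform(NODES, 3))
    print("weighted by rep   :", estimate_compromise(NODES, 3, weighted=True))
    print("floor 0.5 on rep  :", exact_compromise_uniform(NODES, 3, min_reputation=0.5))
```

With six cheap shell nodes among ten, uniform selection hands the attacker one three-hop path in six; weighting by reputation drops that below one in a thousand, and a reputation floor for routing points removes it entirely until the newcomers have earned standing.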