Slashdot Mirror

I wrote a discussion on how one might do anonymous/untraceable publishing on the internet:

http://jonathanclark.com/diary/anonpub/

I wasn't aware of freedom net at the time, but they use many of the same ideas. They do not do publishing (i.e. only outgoing connections) mainly for fear of legal problems.

Another method I've seen tossed around is to use redirecting proxy servers where URLs look like this:

http://site1.com/XXX
where XXX decrypts to -> http://site2.com/YYY and
YYY decrypts to http://site3.com/actual_content.html

The only trouble is getting people to run the proxy servers.

One other idea I have played around with is to use spoofied ping packets to transfer content semi-anonymously. It work by the connecting party somehow requesting the content and the posting their IP address. Then you, the server, send it to some random machine on the internet inside of a ping packet with a spoofed return address to them. This can be used to make the chain of computers between you and them very long - also making it travel through countries that are hard to get search warrents.
The main problem is making the initial request, but that could be done with a Gnutella like network.
The other problem here is the receiving computer needs to somehow specifiy which packets weren't received (because ping is lossy).

food for thought...

Of course Yahoo is going to roll over and give away user profiles - everyone does.

If you want to protect your privacy, change your isp.

www.zeroknowledge.com - the world's only encrypted anonymous ISP. There is NO WAY to trace you whatsoever. Zeroknowledge can't even trace you when you're using their servers - and you're encrypted and routed through 3 countries first. A legal nightmare.

I use zeroknowledge and I post with impunity.

They sell a total privacy solution too - complete with information on how to protect yourself from places like yahoo.

.. now that I wasn't aware of.. I see so many companies advertising shells for the sole perpose is to run an irc bouncer.. *shurg*

As for the bouncing/encrypting, Zero-Knowledge Systems wrote a piece of software called Freed0m, which does just that. Of course there is a free trial available.. it's quite cool -- it acts as a proxy.. only with a gazillion (I'm guessing at the exact number) layers of encryption. Check it out, it's definately worth a look.



.- CitizenC (User Info)

I don't understand why it's not possible for a man-in-the-middle attack. If point A transmits to B, and X is in the middle, what prevents X from simply decoding A's message, and passing it on to B with its own key. Each person at A & B would never know there signal was being intercepted; especially since its a one-time scratch key. There would be no verification between A & B directly, only between A & X; X & B.

You could argue that A could simply tell B in its message what its keys hash or CRC was. A protocol could be introduced to do it automatically, but X could simply modify the protocol to introduce its own scratch key for B to receive. This is no good either unless each party hand keys in there own hash or CRC at completely random spots, and in random ways, in each packet or message.

Zero Knowledge has there own 'Freedom' software package. I know there are other packages like it, but it is the one I have read the most documentation on. It uses DES encryption accross a line of servers wishing to run the Freedom Server Software.

It sort of works like this, though i'm not 100% accurate. The client encrypts there own message with the receivers public key. The first server on the internet encrypts the message a second time with the next servers public key. Each server after that removes a layer of encryption and adds its own to be removed by the next. The message always stays encrypted, but the second layer of encryption is to hide where the message was last sent from.

Somehow in that method, any fullscale attack on a router or servers packets will only give you the last hop of the message, nothing before it; and good luck using a word file to brute force a message encrypted twice.

This client - server - server . . . - client encryption routine could be used on a large scale with one-time scratch keys, but it still leaves the man in the middle attack open. All one has to do is implement packet forwarding on one of the servers, and the encryption routine, though repeated up to 20 times accross the internet is entirely useless.

With Freedom's DES routine however, a public key is used meaning the encrypted message can be double encrypted by each server and forwarded, so once it is unencrypted by each server to forward, it is still under a layer of encryption. (Believe that's the methodology).

By introducing encryption at the physical point-to-point transmission level, you lose the power of obscurity; your method for developing a key of any type is right there in the transmission itself. Encryption atleast requires the Obscurity of the decrypting key! That's why you don't pass someone a scratch-key encrypted message with the scratch-key at the same time.

It looks to me like the only real counter-measure in that paper is forcing a DNS lookup. Even that has gaping problems.

If the whole idea behind this counter-measure is adding extra servers to host this ultra-important website (there's a misnomer eh), then we can take examples from every site which has already been hacked and ask them, "Why didn't you just have more bandwidth? (or more servers, same deal though not the same thing)". I mean, Why not just have one site with a 100 T1s installed?

The computer industry today is founded on network experts who make money, and computer illiterates who pay money. No respectable company is going to bother telling its clients, "Hey, pay us for 3 servers instead of one, and we'll host them all". The bandwidth could be filled as easily as the servers.

In the recent attacks, a whole crapload of "zombie" (wired wording?) computers were used to perform the attacks. Well, if I were the guy who orchestrated the attacks: aside from caring if the computers which performed the attack were found (meaning, they could all do DNS lookups for all I care, they would not be shut down in any real time), I could prolong finding them by doing the DNS lookups from home myself, and sending the new IPs for attack to the systems. I could even post the new ips to a hotmail account, and the systems could get them from there.

Then the DNS access log would show me amongst thousands of other users, trying to legitimately access the page. Where is the connection between me, and the DDOS attempts?

The problem with HTTP is not something to analyze in a mechanical way. Information available in limited quantities / time can not be accessed reliably by anonymous persons.

This attack only strengthens the fight against "hackers" and gives even more power to "Clintons" war. If you want a secure system, you need to know every person using it, and what every person does.

Who let corporations on the internet anyways? Why do these high-powered idiots in the gov. always put sensitive material on the same networks they host there web pages on? Can they not afford a single, stand alone box and IP?

.

Why are we constantly beseiged on all sides by this kind of stupidity? Like, every day I come on here and see something just as dumb as this idea.

bah.

I don't really know where I'm going with this, I just wanted to bitch and moan a little.

I've danced the H1B and now the green card dance for a few years. I'm happy with the money I'm making, but as someone here said it's about freedom, not money. I've had enough of being anyone's indentured servant, highly paid or not. So I filed for Canadian permanent residency a couple of months ago, and we'll see how it goes. At the very least, having the option makes it easier to live with the crap the INS and my employer (consular processing? don't do that, it's scaaary - yeah, for you you SOBs cause I'd be a free agent a few years earlier) are throwing at me.

So, two points for fellow H1B victims:
- Investigate Canada
- Check out consular processing as an alternative to the adjustment of status hell.

Besides, there are cool employers outside the Silicon Valley :-)

The press release has more details, but it appears that Zero Knowledge is privacy company which promises the ability to post, browse and all those good things anonyomously.

APPARENTLY? There have been tons of stories about these guys ever since they began offering the beta and it should be no suprize at all to anybody that follows security just a little bit.

Check their own site for stories that go back for months, including ZDNET, the Wall Street Journal, CNNin, C|Net, Newsweek, InternetNews, The Village Voice, Wired, Time.com and the list goes on for 2 very long pages.

Yea, the new suit part might be news, but the what it "apparently" does part is old now.

Try Freedom . Looks like an interesting system. They've got a beta out for free I think.

This entire thing just smacks of a half-hearted attempt for W3C to get their hands on some of the money thats pouring through the web right now. Also, Cailliau really contradicts himself: he wants to track down racist websites and perverts, but at the same time, he wants things to be free of content governing rules? Make up your mind, buddy.

It's arguable that licensing people to use the internet would probably increase the level of clue out there among all the Joe Sixpacks on AOL. But I really doubt that any sort of licensing or registration will help in combatting stuff like warez, kiddie porn, or whatever the media is whipping the public into a frenzy about. And I'm certain that advertising companies are not going to go out of their way to make sure that these 'licensed' users see less ads while surfing, or get less spam in their mailbox.

Besides, with all the ways to be anonymous nowadays (remailers, Freedom, etc.) I seriously doubt that this would be easy to implement, so that it covers every person, anywhere. If this was thought about a few years ago, maybe it wouldn't sound so farfetched. But right now, its a case of closing the barn door after the horse has ran off.

The concepts behind Napster is almost identical to a #MP3 irc channel full of bots allowing dcc of each user's mp3 library. What Napster has done different is switch the method to a prioritary closed protocol and put a prittier interface in front of it all. And despite what capncook thinks, tracking down copyright violations should be easier than tracking down on IRC. If your goal is to put fear into the RIAA then discuss a privacy protocol such as ZeroKnowledge Systems instead of a protocol which consolidates violation information and makes it available to anyone.

www.zeroknowledge.com

I'm a beta tester...I like it!

Freedom(TM) wraps your computer's outgoing Internet traffic in several layers of powerful encryption and sends it through a series of detours (called the Freedom Network), so that the message, its sender and its destination remain completely private - even to computers in the Freedom Network. It's as if you were putting a scrambled letter into three or more envelopes, each with a different forwarding and return address.

ZKS is trying to solve this problem with a commercial service that crosses jurisdictional boundaries to keep the Feds (or any government) from shutting it down. Very cool technology.

I was there to see these guys announce their second beta at DEFCON and the software looks really sweet. In a nutshell, it allows you to create cryptographically secure pseudonyms that are mathematically impossible to trace to you. All packets you send are encrypted multiple times through five different servers in different countries, none of which know anything but the server before and the server after. When your packets leave this "cloud", they can come out in any country you choose: Netherlands, Mexico, Japan, wherever. REALLY controversial stuff, and very very cool!

The best part is that their client is about as easy to use as the AOL client and handles everything automatically, including a built-in "cookie jar" feature to capture all Web cookies and assign them to the appropriate pseudonym (so nobody can deduce connections between nyms through cookies) and an email service that works with your existing POP clients.

Unfortunately, the first version is only for Windows 95/98, but even that is part of their great business plan: get it out to that 95% of the computer community first, where it can do the most damage, then make the Linux/Mac/whatever versions later. At least we have VMware and Virtual PC to run it on other platforms in the meantime.

My only fear is that, even though Zero Knowledge Systems is in Canada, the US will somehow be able to shut these guys down as soon as they figure out what's going on.

Disclaimer: I'm not affiliated with ZKS in any way other than that I know the guy who drew their icons. :)

Encrypted networks just help against passive monitoring of all traffic. It doesn't do much to build a truly private society. Networks that implement anonymous IP infrastructures, and full strength crypto help to create a place where physical location on the 'net does not define your access or view of the Internet. Current proposed legislation like Internet Gambling Act, or the Australian Censorship Bill will continue to make cyberspace a place full of government intervention unless the actual network itself is anonymous, and geographically independent. This is the same stuff written about in Shockwave Rider, and Diamond Age (Remember the discussion about how the net worked anonymously).

There are actual projects doing this. Zero-Knowledge Systems, is the most notable. (Ian Goldberg who wrote the perl code in Cryptonomicon is the Chief Scientist).

These are the type of secure/private networks that should be build. This makes censorship, political filtering, network monitoring, and traffic analysis pointless and helps return the Internet to the individual.

(Anonymous networks are also the key requirement for data havens :)

Try zeroknowledge.com again.

zeroknowledge.com has a beta client out that supports encryption and anonymous remailing. These guys tend to get quoted in wired frequently when privacy issues come up.