Slashdot Mirror
NymIP: Anonymity At The IP Layer
Eloquence writes: "NymIP is a new project that aims to set a standard for Internet anonymity at the IP level. It was started by Zero Knowledge Systems, but is now led by Harvard's Scott Bradner, an IETF member. Some of the biggest players in the field participate in the project, which will be introduced at the 49th IETF Meeting that starts today." Comments especially sought from anyone who attends that meeting.
Onion routing doesn't require every router to participate in the protocol, but it is not based on central proxies either. Sniffing in and out packets on onion routers doesn't work (you can't match packets because one side is encrypted). The proxy server closest to you does not know any more than that you're communicating; neither who you're talking to nor about what. The same is true for the other side of the connection. A single trustworthy onion routing hop is sufficient for privacy, more trustworthy hops add redundancy and thus overall trustworhtyness. The key feature of onion routing is that from an "attackers" point of view observing traffic, even all of it, gains you nothing unless you manage to compromise every single routing hop (the onion router itself, not the communication lines!).
You hit it right on the head.
Sometimes, the best practical anonymity comes from not making a big deal about encryption, etc., but from just doing things the way everyone else does so that ones traffic in the clear isn't particularly noticeable, anyway, and thus not logged or read. It's the difference between mailing a postcard and mailing a red envelope with a wax seal stamped TOP SECRET on the outside. One will arouse people's curiosity more than the other.
Unless using anonymous protcols is standard, it becomes like using encryption--waving a big red flag saying "investigate me." This puts the most ardent supporters of anonymity and encryption in the ironic position of having to be squeaky clean, because the gubmint will be looking for any reason to string them up as the battle for personal privacy against corporations and governments turns overtly nasty in the next few years.
P.S., I've always suspected that perhaps TPTB either have a mole in or are at least closely monitoring (i.e. capturing and logging all traffic to and from) anonymizer.com and similar services. The only thing saving people committing petty crimes (e.g. piracy, questionable porn, harassment) is that the government wouldn't tip its hand for something that small in open court.
CEE5210S The signal SIGHUP was received.
... they know they are doing something they shouldn't be doing. If no one was breaking the rules, then there'd be no problem. By that logic, when you shut your doors when going to toilet, you have something to hide, you must be doing something wrong. Why not let the well meaning authorities have cameras in your bathroom and your bedroom if you have nothing to hide? Why not let whole neighborhood watch you on the monitors as well? You are not breaking any rules, so why not?
nah, the porn server is *run* by big brother.
This allows big brother to both keep tabs on you, and to keep you occupied so that you do not have enough time to meddle in things where you might be actually be dangerous or get things done.
Big brother cherishes his control.
"It is a greater offense to steal men's labor, than their clothes"
You may know TCP/IP fairly well, but you don't know cryptography very well. It is possible for two parties to agree on a common random value without exchanging that value. This is the basic idea put forth in the Diffie-Hellman Key Exchange. Once you have a random number known to the two parties trying to communicate and no one else, you can use that number as an address to route the packets through the network. I don't know if this is what the research group has in mind but it is a possibility. Yes, there are some problems with this system, in particular the initial key exchange is not anonymous, but this makes it much harder to trace the actually data transfer.
The other thing too keep in mind is this: no matter what protocol you're using over the Internet, you can find out where the packets are coming from and going to. This includes ssh (Secure Shell), tunneling, normal TCP/UDP connections and even spoofed packets. This is done by running sniffers on each interface on a router (starting with the target that's being DoSed or whatever) and seeing which interface these packets came in on. You find out what that interface is connected to and start sniffing there. Repeat this process enough times, and you'll find out the source and destination of any packet.
In theory this will work, but once you cross an administrative domain, i.e. from one ISP's network to another ISP's network, you will find that they are so willing to co-operate. Read Cliff Stoll's Cuckoo's Egg for a real world example. It took him over two years to track someone, not because of technical problems, but because of adminstrative problems.
A company I used to work for had three different operating units with three different data centers in one building. To set up sniffers on the networks took two weeks of meeting and getting sign-off from data-center managers, since the managers didn't want their networks touched unless it was to fix a production problem in their network.
The Economics of Website Security
Well then I guess its up to the person I shoot in the head to duck the bullet.
So I guess its up to the guy I shoot in the head to duck the bullet then?
In the real world, people can do real harm. Like kill you, rape you, or just plain beat you up. Further, people only have finite memory, so if you walk down a crowded street, for all intents and purposes, you are _completely_ anonymous. It is only when you enter a shop, and talk to a shop assistant are you likely to lose that anonymity. Even then, their recollection is likely to be hazy.
In contrast, online, you can do no physical harm to another human being (short of life critical systems being interfered with). If you are having trouble with (cr|h)ackers, then secure your systems! And here is the _real_ contrast with the real world: computer memory is perfect, and can record (implicating) details that are accurate for months or years (not to mention essentially costless to transfer from one person to another). Frankly, this is unprecedented in human history, and I think it would be _extremely_ unwise to give up anonymity before people have understood the true implications of perfect recall.
Money will always be a useful concept whenever two or more people have resources worth trading.
The Fling project already does something like this. Fling protocol is only at the "nice idea" stage yet, and is hosted above the IP level, but it could be used to tunnel IP.
Fling works on a pass-the-parcel principle like Mixmaster, where the message is bounced from one host to another, with each host not knowing if they are the final one in the bounce chain, or from whence the message originated.
IP addresses allow remote servers and third parties to invade your privacy by linking your actions to that address. Even if you get a different address regularly it still is a way of linking actions within a certain timespan (typically a dailup session or a dhcp timeout). Also handing out your address to everyone makes you a target for hacking and DoS.
So trying to allow the user to control wether this privacy sensitive informartion is given away or obscured is a good thing.
However if you start looking at how you implement this you run into a number of interesting issues.
- we are talking about some form of address translation here.
- For certain applications this requires application-level awareness of the translation here. Please note that I am not calling it NAT, you simply rewrite the from address not alter anything in the packet. (Oh yeah, all of this breaks IP sec... So you need a seceure tunneling protocol to get to the translator.)
- You will need an organisation that will provide this for you. This could be your ISP, it could be someone else.
- At any rate you need to have a contract with those guys stating that they will keep the mapping between your real IP address and your apparent address very private and change it regularly, sometimes even for each packet you send out. (oops, you'd have to be able to select this behaviour per application, it breaks some of of the applications we have now that assume you stay on the same address during a session...)
- Yet the authoraties will soon catch up and governments will demand that this information will be made available for legal interception purposes. In some countries the government is already prepared for this because they stated that every telecommunication service shall be interceptable. This is not necessarily a bad thing. It is just something to keep in mind, you are not anonymous to everyone.
- In order to make yourself not immediately a suspect to legal investigation just by using it once. you'd have to use nymity all the time . It is a common misconception that only crooks require privacy. Everyone has the need for privacy! Wether it is about your bank transactions, religion, illnesses all people have things they'd like others not to know (or at least control to whom they communicate it).
If we would introduce nymity boxes we seem to have lost the transparency of the Internet. I'd not like to see this as unraveling of the Internet. I'd like to see this as a different kind of IP deployment. You could tunnel this over the Internet or have a new kind of network for it.Is this necessarily a bad thing? No! As long as the applications remain transparent this can work. Yet it requires some thought.
While you are breaking the Internet-model anyway you may just as well go all the way and include:
- QoS, the kind where you can reserve a path end-to-end (this implies authentication and billing per second)
- access control, so your wireless 3rd generation terminal does not suffer a DoS attack because someone burns up the bandwidth on its wireless link or your mobile phone gets hacked so someone can access your bank-account.
I know, this sounds like heresey at first, but after a while I could see the appeal of a world in which you can have privacy, QoS and access control . Especially if this not replaces the Internet but offers you more choice.Now let's see when Scott Bradner is going to have a BoF session on this.
--
I agree completely that we need to make privacy, security, and anonymity standard practices--to do otherwise draws attention to those of us who do use these tools consistently.
I also relish the thought of some three letter agency expending millions of CPU hours on my correspondence, only to find picayune (love that word--thanks) stuff :).
CEE5210S The signal SIGHUP was received.
The issues have indeed been dealt with quite effectiely to prevent even the middlemen from knowing what traffic is flowing thru them, where it is going and from whence it came.
Python
Python
Modern remailers, such as Type I and Type II remailers, as well as nym remailers (which allow for anonymous bi-directional traffic, without reply blocks being in the clear, and with the ability to chain the replies thru N Type I or Type II remailers) which have been in use for years, solve all of the problems that brought penet.
You can have absolute privacy and absolute anonymity now. Just visit http://mixmaster.shinn.net or any of the other remailers websites for instructions. Heck, if you want ease of use, you can install ZKS' freedom software and abstract away all the work (at a little cost to security). Privacy is not that hard to do, and its really frustrating that people on slashdot have bought into the myth that privacy is not something you can have in this day and age. That is absolute bunk.
Python
Python
Shit like what happens on Slashdot! Other than the 1% of actual useful posts from anonymous cowards, the rest is plain garbage. SPAM, penis birds, first posts, flames... could you imagine if the entire internet was like that?
:P )
While no harm is done from any of this, it still goes to show what happens when people can't be held accountable for their actions. There needs to be some acountability on the internet. There are plenty of ways for there to be anonymity as well as accountability, they just need to be implemented.
(for instance, the option of having only ISP's have ANY information linked to your IP address. That way people must submit valid reasons to get at that information. That probably wouldnt work well, but its just a suggestion
But Slashdot does go to show that the only people who want to be anonymous are the ones that cause trouble.
I would be really suprised if Big Brother sits by and lets this project go through. It seems that there are many countries that would not allow this type of technology to be used within their boundaries.
The overview isn't much on gory details, so I'm speaking from a somewhat limited viewpoint here. Hopefully someone else will know more about this and be able to flesh it out a little more into reality.
This can only work if they intend to create what amounts to proxy-based co-operative subnets, which allocate, use, and discard IP addresses for sets of users. With a large enough number of users per group, it would tend to mask out individual users.
The problem as I see it is that you'd still have to have some identifying information, or there's no way to form a socket. Even if the identifying information is one of the sockets within a certain group, the accessed server will still log the connection as coming from a user within that group.
The group can't be infinitely large because that would be too much strain on the proxy routers. But they can't be too small, either, because information could be inferred from the time of the connection, etc.
And it doesn't stop people from tying together a username, biographical information, and the proxy-router pool of users the accesses are coming from. Then again, the article says it's 'controlled nymity', but it's a long way from paying in cash for a pr0n mag.
--sjd;
this is a sig.
Now no one can trace my mad fr1st postering sk1llz!!
B0mb-0mb hax0ring instructions are as follows:
Oh crap... forgot to czeck "Post Anonymously"
end communication
Seriously, I don't regard myself as an anarchist, but I don't think an established power should control the future, and noone should be able to escape and build something better. As a quite stretched example, how useful is money, and the concepts of "owning" music copyright to thousands of people travelling to a star system far away?
"Ten years from now, they could do it in a few seconds." -- The Racketeer of the Hellfire Club, 1993, Phrack 42
Comment removed based on user account deletion
This isn't really the same as yelling "Fire!" in a crowded theater. Anything posted anonymously will face a tough credibility problem. Would you really take something said anonymously serious without something to corroborate it?
Besides, I think it's a step we need to take. The world has already been moving in the opposite direction. We have less and less privacy all the time. There are bound to be people that decide to take steps to recover some privacy.
It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
Isn't it ironic that just one week after Bill Clinton discussed the need for a "second internet" (and he wasn't talking about Internet-2) we have this technology that increases the anonymitiy of the already notoriously anonymous internet-1.
.gov will never allow this to happen IMHO.
What bubba was talking about was a second internet with restricted access, where in order to be a member of, one had to declare their identity. Personally I think this new internet is just asking for l337 h4x0rs to take advantage of. The
So again: You choose the route. ZK promises, the logging is completely turned off on any of the machines. The machines are modified RedHat distributions with their software running. It _HAS_ to be a standalone machine. So it's at least nice.
It also masks your email address and indent identity (the email anonymizing is working even nicer than anon.penet.fi -> it's completely transparent to you)
As to technical use of Freedom.net, it is now only available for Windows, which makes me sad, because I don't use Windows. It attaches itself to the IP layer, so no other application-specific changes have to be made. Even sending/receiving e-mails is done on the POP3/IMAP/SMTP layer, not in the user's email agent.
They were promising the Linux version from the beginning, but I can't see it, which makes me sad. This announcement makes me happy, because I hope more people will develop software based on this (very wonderful) standard.
Anonymous political speech is what it's all about. You need to be able to say things without dying for your cause... so much pain comes to those who speak out (ask Ken Sare We-wa (sp)).
Before you get into a tizzy, for 99% of us, the most intriguing thing we do online is buy things, and this is already tracked through our credit card numbers, so issues of IP tracing are irrelevant.
Unfortuntely, you have no privacy, deal with it.
Basically the only elements of society who want this are the ones furthest away from the decision making process.
Obviously this protocol will only serve to mask those with something to hide such as child molestors, crackers and federal building bombers.
Dear Sir,
As an agent of the federal government I am requesting entrace to your home to look around for illegal things of any type. If you do not allow me into your home, you MUST be hiding something, like child molesting, cracking, or bomb making.
See you soon...
Maybe some people do, but some people think Pro Wrestling and the Jerry Springer Show are real too. There will always be morons, but thankfully they are usually easy to spot, and we've grown accustomed to ignoring them.
It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
Continuing on with the point above (which wasn't mine to begin with), I am posting as DoomHaven. So, what's that to you? A name - that's it. You have no idea who DoomHaven *really* is; whether that's me beside you, smiling that knowing smile, or if its a person you will never seen in your life. I am posting anonymously, even though you see my "nom de nette" on the posting, because, quite bluntly, you will probably never know who DoomHaven is.
:)
However:
The crew at Slashdot can track my IP. They could track it down to my provider, who could pop out a name and an address, which could mean that one night, I could get a knock at my door, and hear, "Open up DoomHaven, we know you are in there!"
However:
Taking the "nom de nette" as DoomHaven allows me a pretty big margin of anonymity). 99% of the people/crew of Slashdot only know me as "DoomHaven", and not as "K--------- G--------". The odds of someone tracking me down are remote; they are well within my acceptable levels of anonymity. Besides which, it has been my experience that even if person X finds my real address, they will never be able to find my address because of the idiots here who have done the street signs
The question now becomes: how much anonymity is necessary? Is it necessary for (to use an above poster's example) people who are reporting police brutality to be anonymous at the IP level? For rape counselling?
What about places that require accountability, like when using a credit card to buy online? Should they refuse business with people who have anonymous IP addresses?
And what about criminals/crackers, should they be allowed anonymous IP addresses? How will the IP addresses be allocated?
I have serious doubts that any use of anonymous IP couldn't be done with something else.
"Don't mind me cutting myself on Occam's Razor"
Since my wife is one of the persons on the list of people actually working on this, I may add a few words to it. Marit has a publications list online.
How does it work? Well, have a look at project anonymity and unobservability on the Internet. A MIX network is like a system of remailers, just for IP packets. There are several kinds of attacks against a MIX network ("nix the MIX") and they are categorized and discussed in that paper.
Specifically, the problem of cooperating MIX network node operators is being discussed. Have a look at the properties of ideal MIXes: It is sufficient for the MIX network to have a single trustworthy node in your path in order to protect your anonymity (section 1.2 of that paper).
Marit has a paper on anonymity terminology online, too (txt version of that paper). Have a look at it in order to get your vocabulary. Additionally, there is a web page on identity management on her server. This relates P3P and anonymity/pseudonymity.
© Copyright 2000 Kristian Köhntopp
All rights reserved.
Are you saying that the human rights workers who are "held accountable for their actions" in such places as Burba really deserve to be shot?
...but do you really want to force everyone who wants to protest do so in the open? That may not be very bad here and now, but in such places as Burma or China, it's not really an option unless one accepts a very high attrition rate of protestors. (Not that these protocols could be used there without using stenography to hide them in an audio stream or whatnot).
Anonymous contributors really do have effects -- Had it not been possible for Madison and Jay to publish their 85 thesis as Publius, the American Revolutionary War may not have picked up steam. Do you think that America would be a better place today if these two framers had been executed for their actions (and thus if all their later contributions had been lost)?
We may not need anonymity, but others do -- and perhaps one day we will too.
[WARNING: RAMBLING BELOW]
You think I'd have my MTA set up to accept NymIP connections? Hell, no! But if I were running a web site with content which might be illegal (or in violation of a ISP's TOS) *anywhere*, a download forum for crypto software, a support group for survivors of abuse or a web forum on the actions of an oppressive government, I most certainly would enable it there. And if I *were* setting up a MTA which accepted NymIP connections, I would be extremely careful about configuring it to prevent abuse. If your concern is SOMEONE ELSE setting up an MTA that does this because they like spam (or for whatever other neason), people can set up MTAs to serve as blind, anonymizing relays right now. That doesn't mean it happens.
Me personally, I'd probably enable NymIP on my more innocuous sites too -- not company sites, of course, but certainly my own personal repository of free software. Were clients widely enough available, I might offer services through it exclusively, so that it couldn't be presumed of all users of NymIP that they're doing something wrong ('why else would you use it, otherwise?'). Why? Because I would rather put up with 100 abusers than see one person with a legitimate use go to jail or be killed; that's my bottom line.
However, that's just me. Nobody's forcing you to accept this protocol on all ports, or to accept it at all.
NymIP is just a tool. There's nothing inherently good or evil about it. Claiming that a tool should not exist because it can be used for ill is a position I find offensive.
(I'm probably going to get flamed for this post) When you walk down the street you can't just put on a "Generic Pedestrian Mask" and be anonymous to the world. Same with online, even though your IP address is shown to the world, as long as you configure stuff right, that's all that is seen. Who can put an IP address to a name/face/identity unless they research through your ISP? No one does that anyways unless you give them a reason to. The only reason people strive for anonymity on the net is because they know they are doing something they shouldn't be doing. If no one was breaking the rules, then there'd be no problem. I understand that there are plenty of paranoid conspiracy theorists out there who believe that if they go to a site that contains literature on illegal activity, that the CIA is going to log that and continue to monitor everything that person does. I don't believe that because I think government organizations have better things to do than worry about what some joe schmoe is reading about. If you could go on the internet and have absolutely no worry about anyone ever finding out who you are, then you are free to do whatever you want, including hacking, denial of service and other things that get really annoying. One complaint I have about anonymizer.com is all the people using it to exploit IIS's Unicode exploit. Where I work, when that happens, we can't do anything about it. That is why I don't agree that people should be anonymous. Just don't do anything wrong.
This looks like a good cause, but the first thing I noticed is there aren't any technical details to be found, from links on the page referenced, or even in the mailing list archives.
The other thing that makes me wonder is "how can this thing actually work?".
I know TCP/IP fairly well, and this doesn't make sense to me. I want to establish a TCP connection to another host (packets are going both ways), so how can I stay anonymous when the remote host needs to send packets back to me? It has to go from router A, to router B, etc and then back to my computer.
The only way around this issue is if a proxy is used, and I don't think this will work because someone has to provide massive amounts of bandwidth for these anonymous connections, and whoever is in control (or can gain control) of the proxy server would see everything.
The other thing too keep in mind is this: no matter what protocol you're using over the Internet, you can find out where the packets are coming from and going to. This includes ssh (Secure Shell), tunneling, normal TCP/UDP connections and even spoofed packets. This is done by running sniffers on each interface on a router (starting with the target that's being DoSed or whatever) and seeing which interface these packets came in on. You find out what that interface is connected to and start sniffing there. Repeat this process enough times, and you'll find out the source and destination of any packet.
To get IP traffic the sender needs to know what IP you are at, if they can get your IP they can log it. Proxies can disguise this, but you still need to trust the person running the proxy.
Running an anonymiser is a great way to conduct man in the middle attacks, particularly since you know anyone using an anonymiser is doing something they don't want people to find out about.
--
enterfornone - logging in for a change
It is interesting to note the tradition anonymity has in American Politics. Tracts like Paine's Common Sense were originally published anonymously. And after the revolution, highly influential papers like those in the Anti-Federalist Papers were penned under names like "Centinel" and "Federal Farmer".
Anonymity can serve as a check on the power of government (not to mention the wraith of the masses). There is a compromise, of course. If one can speak anonymously, one is safe to publish lies and slander. And it's rapidly coming to mean that you can publish hard-core kiddy porn and nuclear weapon schematics too.
Oh, well. Nobody said freedom was perfect. The alternative is to place your trust in your government, and hope no utterance you make ever comes to be regarded as seditious.
Me? Well, I guess it's enough to note that my real name isn't "Skald" :-)
"The best we can hope for concerning the people at large is that they be properly armed." - Alexander Hamilton
this is the equivelant of giving everyone a ski mask.
Or pointy white hoods.