Peek-a-Boo (ty)
Anemophilous Coward writes "Tom's Hardware has a story detailing cDc's new anonymity app, just demonstrated Sunday. Peek-A-Booty is designed to let surfers access sites blocked by government restrictions, and is, essentially, a distributed proxy network. It uses a peer-to-peer model, masking the identity of each node. This means the user can route around censorship that blocks citizens' access to specific IP addresses, because the censor doesn't know they're going there. There is also a website dedicated to the project."
The problem: Say I'm a user who wants to connect to a Peek-A-Booty network. I need to get the address of a node to connect to. How do I get this? The obvious solution, and the one used for Gnutella and other peer-to-peer apps, is to publish a list of nodes (or at least one). But that won't work here -- because then the censors can use the same list to track down the nodes and block and/or disable them. This is especially problematic if you're using Peek-A-Booty as it claims it is meant to be: if you're in a country that filters access (say, China) and the government can track down the users trying to circumvent the filters, they can and will punish/torture/kill those people.
Peek-A-Booty has not solved this problem. Read what Tom's article has to say about it:
That's right -- the only way to connect to a Peek-A-Booty network is word-of-mouth, which is horribly ineffective. Finding a node will be extremely difficult unless you know the right people, and then it's very easy for the censor to ruin it. Trust the wrong person, and your whole network is exposed. Government spies could give out addresses that they claim are Peek-A-Booty networks, then catch anyone who tries to connect to those. Worst of all, they could just offer some huge incentive to people for turning in their friends. I hate to say it, but this system simply isn't ready yet. They have not come up with a technically sound solution.
-- Imagine how much more advanced our technology would be if we had eight fingers per hand.
I agree that jpegs of naked cheerleaders with hairy eyebrows are not security issues in and of themselves.
That doesn't really matter, though. The most vulnerable part of any corporate network is its users, now. A user who's violating the acceptable use policies for his or her employer's network is an automatic security risk. First, such an employee becomes a possible blackmail target. In the case of porn, a network admin must bar porn on a professional network because of the possibility of a sexual harassment suit being filed against the company. That means that the AUP must make accessing such materials through the corporate site a disciplinable offense...hey, presto, instant blackmail. Second, though, any user who is actively subverting procedures put in place to prevent such abuse must believe that he or she "knows better than you do". Although the user's right in the vast bulk of cases, the cost in those rare cases where they're wrong is disastrous. What if the site is malicious? If they can get around your barriers, then what else are they downloading? Do they necessarily even know? How tight are the barriers around their machines?
Would you be willing to bet the company on their care?