InvisibleNet Presents IIP

An anonymous submitter writes: "A new and ever growing project has launched into the alternative network realm, changing the pace by focusing directly on speech, rather than file sharing. The Invisible Irc Project, a peer distributed secure and anonymous internet relay chat network has popped up at some of the recent conventions this past year. The creator, and project leader, known as 0x90, has been seen at CodeCon 2002 introducing it to the public, at that time in more of a primitive state, and today, almost a year later, the software has noticeably been more usable by the masses. 0x90 just gave a talk at ToorCon 2K2 on designing a robust & secure Peer-2-Peer framework, and their InvisibleNet site just released new software along with a two part interview that was taken in July. A good read that details the depths of their project, including the state it is in now, and the future vision of a privately distributed steganographical crypto-net. I have tried out the software and it is very easy to set up, and it supports the freenixes, OS X, and Win32 machines. You can use any irc client with it seemlessly, and the cryptography is handled transparently within your "IIP" node. It's GPL so peer review is welcome, as it also states this on their site. It appears to have a nice community of users with a range of discussions. So if you have a bit of time on your hands to engage in some chatting online, give this a try. It's alternative, creative, and possibly a standard setting step to securing IRC as we know it."

Re:Clever, 0x90, but I'm changing my name to 0x120

[craigeyb]

It's also gross in decimal, as in, a gross (144).

This sig is false.

Is this such a good thing?

[uq1]

/me prepares for flamebait ratings.

Is this really such a good idea, keeping in mind the terrorist attacks last year? Bare with me, I do have a point.

I'm one for privacy and also for secure ways of doing things on the internet, BUT, and its a BIG BUT, think of the other uses this could have, especially for terrorists. This sort of thing could give more fuel to the fire for governments to try to crack down on the internet and create more of a big brother state where they are able to monitor everything and encryprion is outlawed.

On the other hand, think about the earlier post today from Chris Tresco, where he says that encryption is only as strong as your weakest link. What if one of the machines along the way was compromised? Could it be used to monitor data and then be analysed to connect the dots so to speak?

None-the-less, I think it's an interesting project and wish them the best of luck.

Re:Is this such a good thing?

[jdclucidly]

I worked on the project for some time so I have some accedotal evidence to support IIP.

Some time ago, a very generous individual set up a #scientology channel for people who needed to find refuge from the cult and to critque it in a public forum. (Think censorship of xenu.net).

Other times it's been an excelent forum for discussion of topics such as this ... or a place for critque of the American government's actions post 9/11. I don't know about you, but if I were an American and I sympathized with the Middle-East view of the western world, due to the Patriot Act, speaking my mind in a public forum where I can be traced is the last thing I would want to do.

Scalability? Resistance to Attacks?

[billstewart]

How scalable is this system? The Codecon transcripts said you were just starting to work on the project at the time, and hadn't done much with it - but it's often hard to change scalability much past the beginning of a project. Unfortunately, the documentation on the web page is still pretty much bottom-up, not top-down, and having just heard about this today I haven't downloaded and played with it yet. Does every message on every channel go to every relay, or do relays only carry all channel creation announcements and then only carry user messages if they're on a path to somebody who wants to receive the channel? Are you doing flooding, or some kind of spanning tree, or some other way to minimize or maximize various traffic measures? If somebody's sending a big file, does it only go to one recipient, or are you multicasting it to a group, and does a recipient need to have acknowledged willingness to accept a file before you transfer it to him/her, or does it just go scream&leap its way across the network?

Resistance to Deliberate Attacks is often strongly related to scalability. Sure, there are other ways to attack systems - find bugs in the code, or do social engineering attacks like posting Scientology documents and Metallica songs and ratting out any identifiable network operators. But attacks on the network's scalability can be really hard to fix, because they abuse things the system _is_ supposed to do rather than things it isn't. Have you looked at what parts of the network are easy to overload with data volume or small-message quantity or CPU-burning public-key crypto calculations or other critical resources?

.

.

Oh, also, Invisibility is Cool, huh huh, huh huh, Invisible, yeah cool.

Re:All this encryption ...

[Xenographic]

The problem is, that with anonymous people, you don't know just who you're talking to.

Why do you think there's an old 'hacker proverb' of "every third one is a fed"?

Yes, they do still keep their eyes on the "hacker community"; even those who aren't doing anything illegal. Don't take my word for it; use FOIA to request your files--the addresses & instructions you need to do so can easily be located online.

Re:Clever, 0x90, but I'm changing my name to 0x120

[solferino]

0x90 is the instruction code for 'NOP' (No OPeration) on IA32.

yes, and this extract from the interview seems to confirm
that yours is the 'correct' decoding of the nick -

[interviewer] Okay, let's talk about authentication of identity next.

We know we are anonymous, but currently what measures are in place that can help ensure that I am really talking to nop or my other associates on IIP?

[0x90 does not correct the name substitution in his reply]

still like the 'gross' interpretation but...

I've been poking around the similar idea

[apankrat]

I've worked in VPN and P2P space for past few years and have been poking around the similar ideas for quite some time.

The basic idea is very simple - you create trusted network of anonymous -proxies- and if node sees the traffic coming from the peer it's just unable to tell if it belongs the peer or some proxied node behind it. Hense the anonymity is built into the infrastructure.

While looking at this, I got as far as putting together formal design document and protocol spec, and passed them around for the "peer review". The common problem everyone pointed out was the fact that this approach will not scale. It might be fine for IRC traffic, but it cannot and should not be applied to bulk data transfers. This is something InvisibleNet still has to realize.

It's good that they have a momentum, which may (or may not) allow them to overcome principal problems of the architecure.

Re:A few more reasons this is not secure -by 0x90

We have an option implemented called the steady protocol, this is a constant bandwidth mode, and is easily done by replacing the spurt in your node.ref to steady when acting as a relay. We are very familiar with this method, and are working similarly to a DC-Net in the future. Also, the study of onion-routing, and other methods are in consideration. This is a bold project admittedly, and any help is furthur welcome.

Thanx.
0x90

Re:A few more reasons this is secure - 0x90

Also, given world wide distribution of nodes, the high improbability of being able to gather and analyze that data (encrypted as such) as well, is rare, so as the network gets bigger, there is a lot of data to analyze, and this is highly unlikely to be able to trivially track.

0x90

Re:A few more reasons this is secure - 0x90

Your thoughts on Quantized Blocks of Messages, where they are timed message inputs and are displayed all at once on a channel? Would this be a good method to avoid time delay attacks. Also can you give me your email address. just get our email at the iip site.

THnx.
0x90