[Remops] bomb threats

[Len Sassaman]

On Wed, 29 Aug 2007 remop at hermetix.org wrote:

> I made a point not to make any judgement about the above statement. I
> was interested in hearing what other remops think.

*nod*

My point was mainly that we need to separate this into two questions:

"is backdoored anonymity a good thing?"

and

"can we do it?"


> In light of what have been happening to hermetix (and others) it's hard
> not to wish for a way to defend yourself.

Sure. The biggest attack against remailer reliability has always been
"make the authorities pissed off at the remops by sending lots of bogus
death threats to important people in jurisdiction X, where X is the
location of the exit hop."

> Would it be bad ethics?

Doing so without disclosing it, certainly. I'm hard on the JAP group
because they did just that once already.

Putting in place a selective "back door" system that worked might be
considered by some to be fine, ethically, if it was known, and there was
oversight on how it worked. But that leads to the question of "can it be
done?" of course.

> It makes me try to define better where we, as a network, stand on those
> issues.

Agreed -- and I'm glad this discussion is coming up. Back in the late
90s, 2000 or so, the remops used to discuss ethics of being a remailer
operator regularly. That dropped off with the remop in-fighting and
mud-slinging a few years ago, so it's good to see people talking about
these issues again.

> In practice, the difference is in filtering out on content or not. I'm
> not even thinking of backdooring the software for reasons stated below.

[I'm glad you're not. Some people are, though -- and a few of them are
people who have done some notable things in the field of anonymity. The
issue of backdoored anonymity systems, "revocable anonymity", "identity
escrow", or whatever name it wants to hide under, *is* going to come to a
head in the not too distant future.]

> Mixmaster does some filtering out of the box for newsgroup and there is
> some efforts made to stop spam from coming out of our network.

All the anti-spam stuff is done on the MTA layer, or as anti-spam add-ins
for USENET, etc. (The duplicate detection in Mixmaster is actually there
for replay attack prevention, though it probably stops some spam.)

> What is considered legal changes from country to country as do values from
> individual to individual. Even inside the same legal code the legality of
> something can be debated.

Indeed -- which is where the problem of deploying a Big Brother
Approved anonymity system becomes intractable. You might pull it off for a
service in one jurisdiction, or even one country, but when you start
talking about coming up with rules to make the entire Internet-connected
nation-body happy, it's obviously absurd.

(And if some jurisdiction does embrace this idea, users will just switch
to a non-backdoored system, as they'll presumably have wide Internet
access.)

> Even if technically feasible, I don't think it could be done ethically.

I do agree with this -- I prefer to argue the technically infeasible
angle, though, since that one people tend to be able to remain more
objective about.

(I don't like getting dragged into debates about how many political
dissidents its okay to keep oppressed and silenced in the name of fighting
kiddie porn or online drug dealing or whatever the boogie-man of the
Internet is today. I do like to remind people, though, that no one has
ever been killed by an email.)

> I don't think it would be possible to revoke anonymity for only a subset
> of users so we would have to revoke it altogether and thus unknowingly
> from the users of the network for it to make sense. That might mean
> compomising a lot of legitimate users (maybe seriously) to stop another
> one from using us. This does not make sense either way.  Even if we
> didn't care about free speech.

You're right on the mark here. There do exist systems which attempt to
address the "selective revocation" problem, essentially by having every
user register their real identity in the beginning, and then keeping that
data secure until the revocation procedure is invoked, but as we know, in
an anonymity system there are network effects, and revoking the anonymity
of users within your anonymity-set reduces the anonymity-set.

[I'm working on a paper with some colleagues presently, on this topic -- I
will point the remops list at it when it's published. The issue is
actually a lot more complicated, but it boils down to essentially what's
been said here.]

...

All that said, it *would* be nice if someone picked up the torch for the
Remailer Abuse Blocklist (RAB) that Orange-Admin used to run (I think
that's who ran it. Apologies if I am wrong.)

Support for it is still in Mixmaster, and it might make handling abuse
easier for the network as a whole if users who wanted their email
addresses blocked only had to go to one place for that. Any takers?



--Len.