|
Home > Archive > Anonymous Servers > August 2007 > does it make any difference
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
does it make any difference
|
|
|
| if you use the same final remailer for every post?
since the remailer cannot determine the true identity
of the poster what difference would it make, apart
from the remop assuming that it's the same person.
| |
| Father Mike 2007-07-29, 1:13 pm |
| On Sun, 29 Jul 2007 17:38:24 +0100 (BST), nobody@mixmin.net wrote:
> if you use the same final remailer for every post?
> since the remailer cannot determine the true identity
> of the poster what difference would it make, apart
> from the remop assuming that it's the same person.
No difference at all. I use banana as the last remailer for NG posting with
Omnimix and QS all the time.
Just as an aside, how would the remop assume it's the same person? If they
did it would not be truly anonymous, would it?
| |
| Anonymous 2007-07-30, 1:13 am |
| Father Mike wrote:
> On Sun, 29 Jul 2007 17:38:24 +0100 (BST), nobody@mixmin.net wrote:
>
>
> No difference at all. I use banana as the last remailer for NG
> posting with Omnimix and QS all the time.
"I haven't noticed any compromise, so it must be safe".
Idiot.
>
> Just as an aside, how would the remop assume it's the same person? If
> they did it would not be truly anonymous, would it?
If you're using the same exit node for every message an attacker
already has half of their problem solved for them. They have a common
denominator for all your anonymous messages. At that point figuring out
your true identity becomes a simple matter of replaying a volume of
messages and watching to see when those particular messages appear at
the other end. When that correlation is made, you are owned. And this
is somethign that can be easily accomplished by an evil entry node, or
any observer between you and *any* entry node.
| |
| Cyberiade.it Anonymous Remailer 2007-07-30, 1:13 am |
| nobody@mixmin.net wrote:
> if you use the same final remailer for every post?
> since the remailer cannot determine the true identity
> of the poster what difference would it make, apart
> from the remop assuming that it's the same person.
>
Yes, it absolutely makes a difference. If you're habitually using a
single exit node you've removed about half of the protection a random
chain of remailers provides. You've left yourself completely open to a
compromised entry note being used to attacks your anonymity by way of
traffic analysis.
| |
|
| On Mon, 30 Jul 2007 02:55:25 +0200 (CEST), Anonymous wrote in
Message-Id: <794984c078bdf08c46d00d8119be7d55@ecn.org>:
> If you're using the same exit node for every message an attacker
> already has half of their problem solved for them. They have a common
> denominator for all your anonymous messages. At that point figuring out
> your true identity becomes a simple matter of replaying a volume of
> messages and watching to see when those particular messages appear at
> the other end. When that correlation is made, you are owned. And this
> is somethign that can be easily accomplished by an evil entry node, or
> any observer between you and *any* entry node.
I don't entirely agree with this. Mixmaster messages cannot be replayed
due to protection within the protocol. If the originator posted lots of
messages then I suppose he is slightly partitioned as each post results
in something coming out of Banana. Then again if he always posted to
the same newsgroup, this would be true regardless of which exit was
used.
Maybe I'm missing something. Wouldn't be the first time. 
--
pub 1024D/8ED57743 2003-07-08 Bananasplit Operator
Key fingerprint = 796F 67E0 E890 A0BB BDAE EBB4 94A6 7A09 8ED5 7743
uid Admin <admin.bananasplit.info>
| |
| Anonymous 2007-07-30, 7:13 am |
| Anonymous <cripto@ecn.org> wrote:
>Father Mike wrote:
>
>
>"I haven't noticed any compromise, so it must be safe".
>
>Idiot.
Pompous XXX.
>
>If you're using the same exit node for every message an attacker
>already has half of their problem solved for them. They have a common
>denominator for all your anonymous messages. At that point figuring out
>your true identity becomes a simple matter of replaying a volume of
>messages and watching to see when those particular messages appear at
>the other end. When that correlation is made, you are owned. And this
>is somethign that can be easily accomplished by an evil entry node, or
>any observer between you and *any* entry node.
That's unproven phantasy of an uninformed nitwit.
Type II remailers aren't susceptible to replay attacks. And if you
make a habit of producing dummy traffic, select chains of variable
length or vary overall latency otherwise even the correlation of real
messages to some remailer output doesn't offer relevant data.
..
| |
| Cyberiade.it Anonymous Remailer 2007-07-30, 7:13 am |
| Anonymous wrote:
>
> That's unproven phantasy of an uninformed nitwit.
>
> Type II remailers aren't susceptible to replay attacks.
Yeahright! That's why Mixminion implemented rotating keys, message
expiration, and message hashing rather than unique "dog tags". Because
Mixmaster is so impervious to replay attacks.
<laughing>
Ironically, part of Mixmaster's resistance to replay attacks IS that
rotating exit node policy. The measures you're referring to expire
after a time and messages can, and ARE replayed through the network.
The fact that these messages decrypt precisely the same as the
original aside, if you're building chains with consistent exit nodes
your messages stand out with statistical significance to anyone
replaying messages in bulk. Mixminion addresses this known weakness by
keeping a hash of every processed message _until keys are rotated_ at
which time it becomes a moot issue because replayed messages can't be
processed anyway.
Here's what Roger Dingledine himself has to say about it in case you're
still confused.
"We can't afford to let even a single message be replayed. It isn't
just that an adversary can flood a mix with the same message and watch
where the flood goes. The problem is that if the adversary watches the
input and output batches of a mix, and then comes back a month later
(after the replay cache has expired) and replays a message, then *the
message's decryption will be exactly the same*.
Bye-bye forward anonymity."
Oh, and by the way, even Mixminion isn't impervious to replay attacks
because there's a "window of opportunity" around key rotation time
where some messages are encrypted with old keys and some with new keys.
It's made more difficult for an attacker, but it's still an imperfect
compromise between security and loosing mail due to latency in key
propagation.
I take it you were completely oblivious to these facts until now, so in
anticipation of the humble thanks you'll undoubtedly be replying to this
enlighteniong message with, I'll take this opportunity to say "you're
welcome".
| |
| Borked Pseudo Mailed 2007-07-30, 7:13 am |
| Zax wrote:
> On Mon, 30 Jul 2007 02:55:25 +0200 (CEST), Anonymous wrote in
> Message-Id: <794984c078bdf08c46d00d8119be7d55@ecn.org>:
>
>
> I don't entirely agree with this. Mixmaster messages cannot be
> replayed due to protection within the protocol. If the originator
Sure they can be replayed Zax. Type II is an improvement over Type I,
where there was virtually no protection at all, but in essence Type II
replay attack countermeasures evaporate in a month. And yes, I'm aware
that can be extended in a number of ways.
> posted lots of messages then I suppose he is slightly partitioned as
> each post results in something coming out of Banana. Then again if
> he always posted to the same newsgroup, this would be true regardless
> of which exit was used.
Can't dispute that fact. Indeed, it supports the "consistent exit nodes
are a BadThing(tm)" assertion. In effect, you're making that exit node
a permanent destination for your messages even if you don't always send
them on to the same newsgroup/email/whatever. There's issues of some
significance brought up by doing it that way, even if replay attacks
weren't a consideration at all.
> Maybe I'm missing something. Wouldn't be the first time.
>
Only the fact that Type II replay attack countermeasures are anything
but perfect. Type III is is another improvement over Type I/II, but
it's not perfect either. In my humble opinion it starts to cross the
line into impractical to replay attack Type III messages, where Type II
just requires determination and dedication, but there's still some
necessary weakness there which a knowledgeable attacker could exploit
without having to perform any real magic.
| |
|
| On Mon, 30 Jul 2007 05:30:21 -0600 (MDT), Borked Pseudo Mailed wrote in
Message-Id: <ac5b3cc321f2d5604b3f026669411658@pseudo.borked.net>:
>
> Sure they can be replayed Zax. Type II is an improvement over Type I,
> where there was virtually no protection at all, but in essence Type II
> replay attack countermeasures evaporate in a month. And yes, I'm aware
> that can be extended in a number of ways.
Point taken. Thanks for the clarification.
>
> Can't dispute that fact. Indeed, it supports the "consistent exit nodes
> are a BadThing(tm)" assertion. In effect, you're making that exit node
> a permanent destination for your messages even if you don't always send
> them on to the same newsgroup/email/whatever. There's issues of some
> significance brought up by doing it that way, even if replay attacks
> weren't a consideration at all.
True. This is also a good arguement for users not manually selecting
mail2news gateways, but rather to use a Post directive and let the exit
remailer take care of it. Less human choice is good for anonymity.
> Only the fact that Type II replay attack countermeasures are anything
> but perfect. Type III is is another improvement over Type I/II, but
> it's not perfect either. In my humble opinion it starts to cross the
> line into impractical to replay attack Type III messages, where Type II
> just requires determination and dedication, but there's still some
> necessary weakness there which a knowledgeable attacker could exploit
> without having to perform any real magic.
I assume ephemeral session keys must help in these circumstances but
that still leaves vulnerabilities if there's a bad remailer operator in
the chain.
--
pub 1024D/8ED57743 2003-07-08 Bananasplit Operator
Key fingerprint = 796F 67E0 E890 A0BB BDAE EBB4 94A6 7A09 8ED5 7743
uid Admin <admin.bananasplit.info>
| |
| Borked Pseudo Mailed 2007-07-30, 1:13 pm |
| Why is the paranoia remailer removing my References header?
| |
| Anonymous 2007-07-30, 7:13 pm |
| >> Type II remailers aren't susceptible to replay attacks.
>
>Yeahright! That's why Mixminion implemented rotating keys, message
>expiration, and message hashing rather than unique "dog tags". Because
>Mixmaster is so impervious to replay attacks.
>
><laughing>
>
>Ironically, part of Mixmaster's resistance to replay attacks IS that
>rotating exit node policy. The measures you're referring to expire
>after a time and messages can, and ARE replayed through the network.
It's not only about the packet ID cache you build your theory upon.
Except for the earliest Mixmaster implementations packet headers also
carry a timestamp, so that even if an adversary waits until the packet
ID is removed from the remailer cache, the expired timestamp of a
replayed packet leads to its elimination.
..
| |
| Borked Pseudo Mailed 2007-07-30, 7:13 pm |
| In article <f8kmul$e8h$1@bananasplit.info>
Zax <admin@bananasplit.info> wrote:
>
>
> Point taken. Thanks for the clarification.
Its wrong. While the hash of the message gets removed from the
cache after one month, you still can't replay the messages.
They come with a timestamp in the encrypted headers, and the
timestamp has expired by that time.
| |
| Anonymous 2007-07-30, 7:13 pm |
| > Yes, it absolutely makes a difference. If you're habitually using a
> single exit node you've removed about half of the protection a random
> chain of remailers provides. You've left yourself completely open to a
> compromised entry note being used to attacks your anonymity by way of
> traffic analysis.
OK. What about habitually using the same Mail2news sites -
does that compromise anything?
| |
| Anonymous Sender 2007-07-30, 7:13 pm |
| Borked Pseudo Mailed wrote:
> In article <f8kmul$e8h$1@bananasplit.info>
> Zax <admin@bananasplit.info> wrote:
>
> Its wrong. While the hash of the message gets removed from the
> cache after one month, you still can't replay the messages.
>
> They come with a timestamp in the encrypted headers, and the
> timestamp has expired by that time.
That would be true if the message ID cache were actually stored for an
entire month as the spec misleads you to believing. I think the default
is something more on the order of 5 days, at which time message
absolutely can be replayed.
>
| |
| Nomen Nescio 2007-07-31, 1:13 am |
| Anonymous Sender <anonymous@remailer.metacolo.com> wrote:
> That would be true if the message ID cache were actually stored for an
> entire month as the spec misleads you to believing. I think the default
> is something more on the order of 5 days, at which time message
> absolutely can be replayed.
Will you kids ever do your homework?
IDEXP Mixmaster keeps a log of packet IDs to prevent replay attacks.
IDEXP specifies after which period of time old IDs are expired.
Default: 7d, minimum: 5d. If set to 0, no log is kept.
rem.c
idbuf.time = now - IDEXP;
fseek(f,0,SEEK_SET);
fwrite(&idbuf,1,sizeof(idlog_t),f);
First record in IDLOG stores oldest possible timestamp to be checked
against ID cache at time of last expire.
rem2.c
now = time(NULL);
if ((f = mix_openfile(IDLOG, "rb+")) != NULL) {
fread(&idbuf,1,sizeof(idlog_t),f);
old = idbuf.time;
Put in old here.
if (now - old < 5 * SECONDSPERDAY) /* never reject messages less than */
old = now - 5 * SECONDSPERDAY; /* 5 days old (== minimum IDEXP) */
if (timestamp > 0 && timestamp <= old) {
errlog(LOG, "Ignoring old message.\n");
ret = 0;
goto end;
}
Message with timestamps older than IDEXP get rejected to prevent replay
attacks with packets expired from IDLOG. Unless you manage to manipulate
the encrypted timestamp without destroying the encrypted headers.
i = lockfile(IDLOG);
while (fread(&idbuf, 1, sizeof(idlog_t), f) == sizeof(idlog_t)) {
if (!memcmp(idbuf.id, id->data, sizeof(idbuf.id))) {
char idstr[33];
id_encode(id->data, idstr);
errlog(LOG, "Ignoring redundant message: %s.\n", idstr);
ret = 0;
goto end;
}
}
All other messages checked against replay cache.
I'm sure there is some obscure way around these checks. It is just not as
easy as you think and very likely not to produce any useful results.
if (timestamp > now) {
errlog(LOG, "Ignoring message with future timestamp.\n");
ret = -1;
goto end;
}
And this just for show. timestamp rounded to start of day. Btw, I haven't
looked deeper but couldn't this cause message loss across timezones on the
date boundary?
chain2.c
timestamp = time(NULL) / SECONDSPERDAY - rnd_number(4);
Mixmaster fudges timestamps backwards by 0 to 3 days when sending, so it
shouldn't happen too often. It's just one of many points where remailed
messages can disappear on their way.
| |
| Peter Casserole 2007-08-01, 1:13 am |
| On Mon, 30 Jul 2007 02:55:25 +0200 (CEST), Anonymous wrote:
> Father Mike wrote:
>
>
> "I haven't noticed any compromise, so it must be safe".
>
> Idiot.
XXXX you sonny. Your mother was a $2 whore. Oh sorry, still is.
>
>
> If you're using the same exit node for every message an attacker
> already has half of their problem solved for them. They have a common
> denominator for all your anonymous messages. At that point figuring out
> your true identity becomes a simple matter of replaying a volume of
> messages and watching to see when those particular messages appear at
> the other end. When that correlation is made, you are owned. And this
> is somethign that can be easily accomplished by an evil entry node, or
> any observer between you and *any* entry node.
You're so full of shit your eyes are brown. We're talking everyday peoples'
posting, not some XXXXing CIA fantasy.
Your entry node is up your anus.
| |
| Borked Pseudo Mailed 2007-08-01, 1:13 am |
| In article <94ab5ca60024a6bfd1a23ace198dd98d@ecn.org>
Anonymous <cripto@ecn.org> wrote:
>
>
> OK. What about habitually using the same Mail2news sites -
> does that compromise anything?
Anything habitual makes you more vulnerable to tracking,
but realistically with a chain of 3-4 remailers it is not
going to happen.
With such paranoia, one would think that you could only use
the remailer system once in your lifetime. Anything more
would make you traceable.
This is my one message.
<phhtttt>
| |
| Non scrivetemi 2007-08-01, 7:13 pm |
| In article <c36063ed27ceb51ff06f53c2b6ffd5f3@pseudo.borked.net>
Borked Pseudo Mailed <nobody@pseudo.borked.net> wrote:
>
> With such paranoia, one would think that you could only use
> the remailer system once in your lifetime. Anything more
> would make you traceable.
>
> This is my one message.
>
> <phhtttt>
Dang, that was kind of a waste, wasn't it?
Oh, shit.
<phhtttt>
~~~~~~~~~~~~~~~~~~~~~
This message was posted via one or more anonymous remailing services.
The original sender is unknown. Any address shown in the From header
is unverified. You need a valid hashcash token to post to groups other
than alt.test and alt.anonymous.messages. Visit www.panta-rhei.eu.org
for abuse and hashcash info.
|
|
|
|
|