On Sun, Oct 27, 2019 at 01:15:56PM +1100, Zenaan Harkness wrote: > Here's an obvious in hindsight thought: > > Use case: A (hidden, encrypted etc) ping circle (some combo of star > or token ring yet to be designed) amongst a group of friends who may > at random points in time, wish to send wheat txt sms in the chaff of > the regular circle ping. > > Usually the ping is chaff. > > Any particular ping can be wheat (an sms/txt/email). > > If the ping is clocked, and there is any leakage of the clocking, > then a GPA jamming my ISP link for say 5 seconds, right at the time > I'm about to send my regular ping, would expose the other node(s) I > am pinging.
Even the above statement is not necessarily true, may be not true at all: So I ping my 1st hop peer set, who have also these fixed low b/w ping links to their peers, etc, and some subset of all these are part of my ping circle of trusted friends. The earlier postulate (see OP email below) holds, namely that: "The b/w of the ping is so low, that there is little to incentive to not maintain such (virtual) links, even if an incoming ping fails to arrive; and the value of such hidden communications is far greater (and the anonymity of your circle), and so there is abundant incentive to maintain such low-cost links." So, even in the case of a clocked ping, the targets of my low b/w high latency ping are perhaps unlikely to be exposed, using active latency injection attacks. Notwithstanding this fact, the high latency nature of such ping circles suggests that statistically random clocking --within a specified window-- (e.g. 1hr ping, +/- 15 minutes window), would presumably not detract from the security of such links, and may well mitigate unforeseen future attacks. With a shout out to the pipe-net punks and others from ~1995. https://en.wikipedia.org/wiki/David_Chaum https://en.wikipedia.org/wiki/Mix_network > If the ping is not clocked, but is timed (clocked) to a statistically > random time within a configured window, the GPA cannot know when to > conduct their latency injection attack, and any dropout by me, would > be seen by those who failed to receive my ping or received a delayed > ping, as nothing but white noise, since every ping is randomly timed > anyway. The ability to hide ping recipients when I and or they are only intermittently connected (i.e., we all live on mobile phones), is in serious doubt. The reasonable (excepting further analysis) operating mode is to, at least, have a node which is permanently connected - but again, we need consider each use case in due course... > [To state what ought be obvious, the pings, though high priority when > they are sent at extreme high (compared to normal web traffic) > latency intervals, are still sent through 'regular' chaff-filled > links, and so except for my local links temporarily dropping out, a > GPA stalker should not be able to determine destination nodes for my > ping, with any latency injection attack. There is an unnamed assumption in the above - my ping circle includes only known friends. If my ping circle includes unknown destination nodes, detecting network dropout is trivial (I only have to be actively taken offline for a duration longer than the ping interval (+rand window), for the target to identify me. "Don't talk to strangers about highly important things." "Know your peer." "High value communications (and therefore network links/ routes) with unknown peers, exposes you to active stalker (e.g. government) attacks." > The reasons we can make such an assertion and believe this holds > true: > > - active latency injection attacks operate on the principle of > statistically modifying the distribution of packets across a > route (in time (for latency) or some other metric e.g. size) > > - in the case of extremely high latency packets (say, 1 hour > between packets) at least when sent between nodes trusting one > another or via nodes which, if they introduce a few seconds or > minutes of latency, cannot meaningfully impact the ping, the > relevant statistical "distribution of packets across time" is in > the order of (in this example) hours > > - the b/w consumed by such ping circles very low > - those in my ping circle, have little incentive to close such > low b/w "chaff filled links" on the outgoing side > - and in fact, those who want to see freedom of anonymous speech, > will actively support such links (again, due to their low > network costs) > - and so those nodes which do NOT maintain such links when > requested, naturally increase their stalker score (as viewed by > others). > ] > > > "Treat each use case for its unique snowflake characteristics, > and we provide for the possibility to optimize that particular > use case." >
