On Mon, Jul 02, 2001 at 12:30:57AM -0700, Ian Clarke wrote:
> The problem is that it might be possible to compromise even this
> arrangement (oskar made some vague suggestions although I am not yet
> convinced that it would be particularly easy, or couldn't be countered
> with one or two additional modifications).  I am sure he will correct me
> if there is any inaccuracy, however Oskar's view was that each user
> should be responsible for securely finding out the address of another
> node in the network, without relying on any public list of trusted
> nodes.

I would like to clarify my position a little:

- A system like the current one would be disastrous. Nothing truly
stops anyone from simply inserting whatever addresses they want, and it
would be completely trivial to keep it nearly saturated with fake
addresses leading to nodes that are simply MITM (man-in-the-middle) proxies.
It is only a matter of time before such a system is attacked. 

- The model of having us try to be everybody's trusted peer is not a lot
better. All our conjectures about the safety of our model are based on
the absence of centralized points in the network - any single node is
too easy to manipulate. Ian believes that the issues produced can be
solved by "modifications", but those modifications are whack-a-mole for
each attack that is brought up - the fact remains that the entire threat
model has to go out the window if we design around a central element. 
Add to that the dubious topological effects of such a presence and you
have yourself a big headache. 

However, the practical issues are not the center of my argument, the
most important thing is this:

 Code speaks louder than words.

Everybody agrees that the right thing for users to do is to try to get
initial references from peers that are trusted through external
channels. Ian says that, whatever we do, people are not going to be
vigilant in this process anyway, and that they are better off turning
to us than whoever will run a centralized element if we do not. My point
however is this: if we put in code to automatically contact a
centralized element in our node, then we can spend the rest of our lives on
Mount Sinai chopping the reasons why it is bad in the slabs of rock, and
we will still have condoned, encouraged and supported it. Regardless of
how loud we make warning messages and blinking lights, if we put in the
code, then we have said "do this", and _when_ it is used to attack
freenet users, it will reflect right on us. Consider the sort of
opinions people will hold of this project after an attack on the built-in
in central node at freenetproject.org (in our "completely decentralized"
network) is used to arrest a large number of users. You think this
project will survive that?

Freenet may need users, but it also needs minds. Condoning and
supporting this sort of behaviour in our design will doom us in the eyes
of almost anybody serious about security and decentralization that comes
across it (it sure does in mine). If we support it, we will once and
for all have cast off even the very last appearance of being a serious
attempt to live up to the goals we boast about.

We cannot force users to be vigilant, no. We cannot stop people from
behaving carelessly and jeopardizing the reasons to use this software in
the first place either. But we should not, cannot, and must not, if we
have anything but the short term attraction of users and media attention
as a goal, condone such action by putting it in the software itself.

-- 
'DeCSS would be fine. Where is it?'
'Here,' Montag touched his head.
'Ah,' Granger smiled and nodded.

Oskar Sandberg
[EMAIL PROTECTED]
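To make the contrast in this mail concrete, here is an added example that is not part of the original thread and not Freenet's own code. It places an open seed list, which uses whatever addresses it is served, beside a bootstrap that only accepts a reference whose key fingerprint matches a pin the user obtained from a trusted peer over an external channel. The `NodeRef` type, the `fingerprint` function, and every key and address below are constructed for illustration; the point is that a list anyone can fill gives the node no way to tell a genuine reference from a substituted one, while the pin does.

```python
"""Added example (not from the original mail or from Freenet): an open,
centrally served seed list versus out-of-band pinned bootstrap references.
All node keys and addresses are constructed for illustration."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class NodeRef:
    address: str       # host:port the reference claims the node listens on
    public_key: bytes  # the node's long-term public key (constructed here)


def fingerprint(ref: NodeRef) -> str:
    """A short, stable digest of the key that two people can compare over an
    external channel (in person, over a trusted link) without the list."""
    return hashlib.sha256(ref.public_key).hexdigest()


class OpenSeedList:
    """Weak model: every entry the central list serves is used as-is, so
    whoever can write to the list decides which nodes newcomers talk to."""

    def __init__(self, served: list[NodeRef]):
        self.served = list(served)

    def bootstrap_candidates(self) -> list[NodeRef]:
        return list(self.served)


class PinnedBootstrap:
    """Pinned model: a served reference is only used when the fingerprint of
    its key equals the pin the user learned from a trusted peer. A reference
    for an unknown address, or for a known address with a different key,
    is rejected even if the list presents it as genuine."""

    def __init__(self, pins: dict[str, str]):
        # address -> fingerprint obtained out of band (constructed below)
        self.pins = dict(pins)

    def bootstrap_candidates(self, served: list[NodeRef]):
        accepted, rejected = [], []
        for ref in served:
            expected = self.pins.get(ref.address)
            if expected is not None and expected == fingerprint(ref):
                accepted.append(ref)
            else:
                rejected.append(ref)
        return accepted, rejected


def run_demo() -> dict[str, int]:
    """Build a constructed served list and count what each model would use."""
    # The one reference the user actually verified with a trusted peer.
    genuine = NodeRef("node-a.example:1234", b"constructed-genuine-key-for-node-a")
    # The same address served with a different key: a proxy interposed in
    # front of node-a would look exactly like this to the open list.
    substituted = NodeRef("node-a.example:1234", b"constructed-substituted-key")
    # Filler entries for addresses the user has no pin for.
    filler = [
        NodeRef(f"unknown-{i}.example:1234", f"constructed-filler-key-{i}".encode())
        for i in range(3)
    ]
    served = [genuine, substituted, *filler]

    open_list = OpenSeedList(served)
    pinned = PinnedBootstrap({genuine.address: fingerprint(genuine)})
    accepted, rejected = pinned.bootstrap_candidates(served)

    return {
        "open": len(open_list.bootstrap_candidates()),
        "accepted": len(accepted),
        "rejected": len(rejected),
    }


if __name__ == "__main__":
    print(run_demo())
```

The open list hands back all five entries, four of which the user never verified; the pinned bootstrap keeps only the reference whose key matches what the trusted peer told the user, and rejects the substituted key for the same address along with the unknown ones. The pin itself has to come from somewhere the list cannot influence, which is exactly the external channel the mail says users should be relying on.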

_______________________________________________
Devl mailing list
[EMAIL PROTECTED]
http://lists.freenetproject.org/mailman/listinfo/devl
