----- Original Message -----
From: "Mr.Bad" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, December 27, 2000 1:04 AM
Subject: [Freenet-dev] Full Disclosure


> No matter what is decided about MediaEnforcer-style attacks, it seems
> unfair not to have a prominent notice about this on the Freenet site.
>
> I don't think any of us would think twice about criticizing a software
> company or project that had a known security risk, even if it was
> unproven and/or theoretical, and failed to inform users about
> it. (I use the term "security risk" under the broadest possible
> definition here, which might be, "Unplanned and unauthorized use of
> the software that causes the user a major pain in the ass." B-)
>
> It would be nice to say what we plan to do about the risk, even if we
> choose not to do anything and bank on the integrity and courage of
> ISPs and universities. But even if we haven't decided what we're going
> to do, we should point out the potential hazard.

Okay, but in the full disclosure we are going to have to make it fully
truthful. (Ian: this section can help stop the flames of FUD too...)
Basically, I think a new section on the front page would be most acceptable
at this time.

_Possible attacks_
There has been discussion of a flaw in the way networking in Freenet is
achieved. It is open for anyone with another Freenet node/client to access.
This means that they can request things from your node. This was done
intentionally for the network because that is how information traverses
through the network, but it means that questionable material may grace your
node from time to time. This questionable material cannot be figured out by
your node itself because of how Freenet itself works. All information
passing on Freenet is encrypted and there are no identifying marks about
what the actual content of the file is.  The supposed flaw in Freenet is
this: someone can request something from your node and then bring it up
against the gov't/ISP asking for action. The way Freenet works induces a
problem into this though: if your node doesn't have the offending file, it
will attempt to retrieve it. Basically, in terms of
email, this is similar to someone sending you an email with some private
information and then asking your ISP to shut down your account for the
material you have in your email account. Unless the owner of the node
attempts to retrieve the file, he gets absolutely no use of it and it's
similar to him having it emailed to him and automatically filtered away. In
essence, entrapment.

This should keep both sides of the table happy because any competent admin
would read this and decide that MediaEnforcer is crazy. Probably needs to be
reworded though because I've been told by those I talk to most often that I
never make any sense :)

Also, I think there is some information like this on the Freenet webpage. It
says that Freenet is there to keep the two ends of the content chain
anonymous and Freenet is supposed to be open. It also says that Chinese
dissidents shouldn't use Freenet at this time.

> ~Mr. Bad

-Mathew


_______________________________________________
Freenet-dev mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/mailman/listinfo/freenet-dev
