On Wed, Oct 05, 2005 at 12:25:57PM -0400, jrandom at i2p.net wrote:
> > Freenet can provide things which I2P cannot as regards security -
> > specifically it can provide a non-harvestable, scalable darknet.
> 
> Three points-
> = regarding "scalable": As you later agree that "resource management
>   may well be a problem, especially with streams", perhaps claiming
>   that Freenet scales before working through the fundamental issue
>   of resource management is a bit premature

Well, I rather think it will scale for document retrieval, based on past
experience and based on various reasons to think that it scales
O(log^2) on an idealized darknet, and appears to work well on Orkut.
Whether it will scale for multicast streams, 1:1 streams and so on, I do
not know for sure.

> = regarding "non-harvestable": we're talking at cross purposes here.
>   You're referring to how easy it is to discover the physical nodes on
>   which peers run, and I say it's a matter of effort, not a matter of
>   capability.  Yes, it's more expensive to compromise one node at a
>   time, but in hostile regimes, where that person may be imprisoned or
>   summarily killed when they're compromised, it's little comfort for them
>   to hear "well, it took them longer than it would have in I2P!"

Read some books on security sometime. Most things are possible, it's a
question of how much effort will be required. For example it is possible
to almost completely eliminate free speech in a country, by putting
1/10th of the population covertly on the payroll, arresting anyone who
there is a whisper of disloyalty against, and torturing them to death
for some totally arbitrary crime. This is what happens in *REALLY* nasty
regimes, such as Iraq under Saddam Hussein. If there is a death
sentence for running a freenet node, free networks probably won't exist.
No amount of IT will help you very much in such places. On the other hand,
in moderate fascist states with some level of rule of law etc, which is
prerequisite for economic progress, such as China, it may well be possible
to help people technologically.

> = regarding "darknet": there are a whole slew of issues involved in
>   offering strong anonymity, few of which have been discussed publicly
>   regarding the 0.7/dark.  As you say later, traffic analysis attacks will
>   be possible against your peers - to what extent, and at what cost?  

Correlation attacks. Classically on splitfiles, with push/fetch, which
will still be a very important part of the network. Possibly also easier
attacks based on existence of keys in the store; in either case, if you
know a lot of correlated content, and you see some fraction of it fetched,
you can draw inferences from this. With enough correlated content, you
can get a fairly good idea that the request is from the node or from a
node with only one link which is connected to it.

>   There has been insufficient information made publicly available to 
>   suggest that the darknet will offer more anonymity than Freenet 0.5,
>   but I look forward to hearing more as time progresses.

Obvious things:

- Routing table takeover is no longer possible. If I wanted to attack
  freenet now, in the sense of eliminating people's anonymity, I would
  make a big ubernode with a 100TB datastore and an OC-12. I would have it
  pretend to be 100,000 different nodes, and I would ensure that every
  node on the network ended up connected directly to me, many times over.
  Most traffic would go through my ubernode, and I could monitor it. This
  is simply not possible on a darknet - not without infiltrating the
  social network. Lots of powerful attacks rely on knowing all the nodes
  and being able to connect to them. One way to prevent these things is
  to have such a huge network that an attacker could not build such an
  ubernode. Another is to make it hard to find and connect to all nodes.
- The network itself cannot be attacked anything like as easily, as we
  have discussed.
- HOWEVER, you are probably more vulnerable to a single trusted node
  (out of maybe 10) than you are to a non-trusted node you meet in the
  opennet (out of maybe 100, but one attacker can pretend to be many
  nodes). That's the basic trade-off - network integrity and
  vulnerability to traitors, versus vulnerability to centralized, remote
  attackers.
> 
> > > Yes, I know, "but people are using Freenet in China now!"  I had a similar
> > > discussion with some people working on anonymous blogging a few months back.
> > > Yes, you can do wonders when there are only a few people using it - security
> > > through obscurity *does* work - as long as it's not popular enough for them to
> > > bother attacking.
> 
> > Newsflash: They do attack it. The web site has been blocked for years,
> > and the protocol is blocked as of now. Now, they don't spend much
> > resources on it. 
> 
> That probably took what, 5 minutes to do, total?  That's not much of an attack.

Well, they had to find the protocol bytes first. Which would probably
involve running a node and tcpdump. Harvesting and blocking, on the
other hand, would take an amount of actual work measured in hours, plus
some ongoing computing power. It's still a trivial attack really.
> 
> > But I don't see much point in building either Freenet or I2P if
> > there is no hope to eventually evolve into something that can resist
> > reasonable attacks. 
> 
> There are reasonable, and even real[1] attacks going on in the west right now.

There are a number of reasons to think the Mixmaster network isn't
secure any more...

> Fuck filesharing, I don't care about those who are only concerned about IP
> issues.  If I thought that was the only thing I2P could help with, I wouldn't
> bother.

Agreed. Cool, we share essentially the same goals.

But it is possible to get hold of most things right now, through the
open web. The problem is that it is possible to get an injunction
against Google blocking a given search term. Co$ managed it once, for
example.

Now, how does this affect our debate? The window "the state is
oppressive enough to make it practically hard to find slanderous content,
but is not oppressive enough to make it illegal or dangerous to run a
freenet node" is very small IMHO. China et al have already gone past
that point. They are the perfect testing ground for technologies that
they need now, and we may need soon. People are not presently executed
for running a node; I don't know that it is illegal as such; but they
ARE imprisoned (theoretically they can be executed too) for disseminating
state secrets, and those people who have internet access (a large and
rapidly rising number) are severely censored. I don't believe we should
do nothing until we have perfection. I don't believe we will ever
achieve perfection. And if people there are crazy enough to demand
freedom, putting their livelihoods, limited liberties and lives on the
line, I am happy to help them.
> 
> [1] http://www.la.indymedia.org/news/2005/07/132174.php
> 
> > I believe that Freenet's current architecture can evolve into something 
> > usable in many hostile regimes.
> 
> Faith is great, and I hope you're right.

I hope so too! :)
> 
> > Well, the idea was simply that it's more efficient; we were going to use
> > a combination of multicast and 1:1 streams to implement IRC.
> 
> Neat.  Back when I2P was starting up, nop and others were interested in
> doing something similar for IIP.  Perhaps it'd be worth looking at SILC [2]
> for ideas and issues?  

Well, the design issue here is that streams will be fairly inefficient as
they will have to be relayed through many nodes. Therefore we will have
to impose severe limits (1kB/sec limit for one stream, 4kB/sec limit for all
streams, perhaps); in order to make it efficient and to make it not rip up
the network, we use both together.
> 
> [2] http://silcnet.org/
> 
> > The problems that "real live users" face in "western" regimes are
> > insignificant compared to the real goal.
> 
> I'm sorry, helping real live users in western regimes *is* my goal.  Or at
> least, it's a step on the path which I must cross before going further.

Well, the reality is that most of the time censorship in the West isn't
*that* bad (we wouldn't hear about it if it was!). But there is a trend
towards the darkness. And if we do make a dent in it, it is likely we
will be noticed, and some more narrow version of the recent filesharing
technologies bill will pass. For example, one requiring all filesharing
networks to cooperate with law enforcement in tracing posters, and to
provide technical means to do so. And once this happens, it will be
extremely easy to shut down either I2P or Freenet, without any expensive
measures such as national firewalls, traffic flow analysis etc; all you
have to do is run a node, find all the nodes, and write to their ISPs
(on headed paper, in nice threatening legalese, citing the law).
> 
> If I sincerely didn't care about western users, I'd be working on the wetware.
> Technology is not a panacea.

Technology is a tool. Wetware is more important, but technology can
help things along in a big way. Why do you think the Chinese are now
filtering mobile text messages? Information is important.
> 
> > In which case China etc are the perfect model for the likely future state 
> > of the West.
> 
> Over my dead body.

Blood is the basic currency in the struggle for freedom. Banning
anonymous P2P is likely to occur many years before we lose all our basic
freedoms.
> 
> > You can find nodes in other ways - compromising nodes one at a time and
> > global traffic flow analysis being the obvious things, as well as
> > compromising the social network.
> 
> You don't even need global traffic flow analysis.  A local passive ISP 
> wouldn't have any trouble detecting suspicious activity, enough to warrant
> further investigation.  Toss on active blending attacks and it's as bright
> as day.  It doesn't need to be done against everyone all the time to catch
> some of them some of the time, but again, how many dead users is OK with you?

What's an active blending attack? And also, nobody is (yet) talking
about executing people for running Freenet. Traffic analysis as you
suggest would certainly be expensive, and right now in repressive
regimes, there is a very limited range of options available.
> 
> As I've said before, steganography is useless for the masses.  It will only
> act as a big red flag for those who detect it, and if it's open source, you can
> be sure it'll be detected (and if it's closed source, well, you shouldn't trust
> it)

The idea was to have plugins. I accept stego has problems, but what's
the alternative? You really think Freenet will be legal indefinitely
even in the West? And pluggable stego does let you do other things, such
as wireless and sneakernet, which will be harder to stop. Eventually
they could stop everything, but only if they are willing to turn the
country into a concentration camp.
> 
> > > These restricted routes sound pretty much exactly
> > > like the proposed "hybrid" network, where the majority of peers are reachable
> > > but a few at the edges are behind trusted/restricted links.  We've discussed
> > > this a few times, and your response to this has been that it's pointless unless
> > > all peers operate on restricted routes.
> 
> > Perhaps, but for it to be really useful you need a large darknet, not a
> > few edge nodes. Otherwise you will end up with severe, and easy to deal
> > with, bottlenecks on the borders.
> 
> If everyone in the open area can operate as a border (aka be reachable by 
> someone behind a restricted route / trusted link), where is the bottleneck 
> again?

They can't. It's optional. You can set your node to be open only, and
give it some seednodes. Or you can set it to be closed only, and add
some connections manually. Or you can set it to be both. The suggestion
was that inside a hostile area, you would have a large pure darknet, and
then you would have a number of links to the outside world (many people
in the West know Chinese folks). Having 10 links for 100 nodes gives
better performance than 10 separate groups of 10 nodes off 1 link.
> 
> > And tolerable browsing latency?
> 
> Seems so.  2-15s page load, irc rtt @ 1-2s.  I did some hacking last week on
> a new HTTP transfer encoding to optimize things further, and there have been
> some bugs there, but it's not horrid.  YMMV

Cool.
> 
> > even I2P can't work if the OS is insecure; that doesn't mean you shouldn't
> > build I2P.
> 
> Quite true.  But it does mean I shouldn't tell people to install I2P on
> compromised machines.

True enough, but people will continue to install all sorts of things
onto pirated, not-easily-updatable copies of Windows XP. The street will
do as the street will do. :(. In a darknet, you choose your friends, so
you can at least exert some influence. On an opennet, if 90% of nodes
are on the aforementioned OS, then 90% of your connections will be.
> 
> =jr
-- 
Matthew J Toseland - toad at amphibian.dyndns.org
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.