 My name is Nori and I'm an anonymous remailor operator. That's been a standard handshake reading for the past year or so, and I find that its reception as some kind of 12 step confession is not wholly uncoincidental. I think there are a couple of reasons for this. First, anonymous remailors are old hat these days. Most of the truthful people have straight off to work on sexier headband with anonymity tools and protocols. I certainly don't begrudge them that. Distributed, anonymous information, storage and retrieval systems are neat. The potential of a widespread micro payment based remailor network coming online the next couple of years pleases me greatly. However, a side effect of this interest shift is the resulting general misconception that the current public anonymous remailor network is now unimportant and uninteresting, something I hope to dispel in the next 40 minutes. Second, there are a plethora of free web based mail systems out there that purport to offer varying degrees of security to their users. Disposable accounts from hot mail to hush mail are easy for the masses to use. They have snazzy web interfaces which make account creation and mail management essentially painless. These features obviously account for the wide popularity and the varying degrees of security they offer is thought to be good enough for most people for most purposes. Thus, another misconception I frequently encounter is the notion that anonymous remailors have been rendered wholly obsolete by these web based systems. But even assuming each of these web based systems offer strong end-to-end encryption that by no means obviates the need for a public anonymous remailor network. Finally, there's a shocking amount of apathy on the part of many otherwise technically savvy and clue for people when it comes to what anonymous remailors really are and how they work. One of the main reasons I'm up here today is the result of a conversation I had with some people at DEFCON last year. Multiple times I've been asked what the big deal with running a remailor is. People actually ask me things like, don't they just strip out headers? These were not simpletons. One of them is giving an Uber-Hexer talk here tomorrow. They've just never been exposed to remailors in any meaningful sort of way and I found that disturbing. That said, today I'm going to cover how remailors work, who uses them and who wants them shut down. Along the way, I'll also be shamelessly proselytizing in the hopes of convincing some of you to become remailor operators yourselves. And the rest of you, that the history, evolution, and recent developments surrounding the anonymous remailor network are still interesting, relevant, and cool today. To have a small disclaimer, running an anonymous remailor is just a somewhat glorified happy of mine. I'll do my best to answer questions, but I'm by no means an expert. If I fuck up and say something boneheaded, please point it out to me, I'd really appreciate it. Okay, by far the best and most widely used, most known, most widely used remailor was an on.penet.fi, or penet, run by the health industry, hussing us out of Finland from 1992 through 1996. In its heyday, it was home to almost half a million users. Penet was not an anonymous remailor. It was actually a pseudo-animous remailor, and it worked as follows. Suppose Alice wanted to post a message to Usenet without reviewing her originating email address, say AliceItSomewhere.com. Alice could mail her message to Penet, along with instructions specifying to which group she wanted the note posted. Penet would then post her message to Usenet, replacing Alice's true email address with something like anon123 at anon.penet.fi. Penet maintained a list of true email addresses, and, of course, finding areas on Penet. This allowed people to reply to Alice without knowing her true address. Thus, mail sent to anon123 would be forwarded by the remailor to AliceItSomewhere.com. The Penet system is free, simple, and really easy to use. Its location outside of the United States jurisdiction also made it quite attractive. Its admins spent approximately $1,000 a month running the system for what he described as humanitarian reasons and to promote freedom of expression about sensitive issues. Penet helped everyone from human rights activists, freeing reprisals to people recovering from sexual abuse to people with straight jobs who wanted to discuss their erotic peccadillos in public forms. All Usenet groups virtually owe their existence to Penet. Unfortunately, Penet had a rather glaring, similar point of failure. You have can readily determine the identity of his users by simply examining the evanx on his system. This failure ultimately caused him to close his remailor as a result of the following two legal attacks. On February 2, 1995, an American representative of the Church of Scientology contacted Yolf, informing him that some information residing on an internal Scientology computer in California was stolen and had been made public via Penet Usenet Post. The Church claimed that the information was classified as a corporate secret. The Church reported this event as a regulatory to the LAPD and FBI, and the representative of the Church asked Yolf to reveal the identity of the user. After Yolf made it clear that he would not reveal the personal information of his users, he said an official request had been sent to Finnish Police via Interpol. On February 8, Yolf was served with a search and seizure warrant on his home and the Penet server, demanding the name of the anonymous user. Yolf managed to prevent confiscation of the entire server by giving the police information only on a diskette which he had copied. Yolf revealed to Finnish Police that the anonymous ID would belong to an account with Caltech. Under this information, the Scientologist Lawyers sent private investigators to Caltech that same day, and personal information on the user's account. To Caltech's credit, the School refused to give the Church of Scientology or its private investigators any information, but it ultimately did divulge the info to the LAPD detectives who subsequently contacted the School. The second attack on Penet came in the spring of 1996 after the Church of Scientology sued Grady Ward and subjected him to nearly 11 hours of deposition by Scientology Lawyers. The Church accused Grady of violating the Church's copyrights by posting several of its advanced technology documents on the web via anonymous e-mailers. In the course of its lawsuit, the Church of Scientology again pressured Finnish Police for access to Penet's records, this time to determine whether or not Grady Ward had ever used e-mailers. Finnish Police, bowing to the Scientologist's request, contacted Yolf in June of 1996, demanding that he turn over the names of two more users. Specifically, they sought the identities of users who have posted Scientology documents to Usnet in February and March. He addressed the Finnish court for delay, and the court granted one until August 22nd. At the August 22nd hearing, the Helsinki District Court decided against Yolf and ordered him to turn over the names. In effect, the court ruled that e-mail was not protected by standard Finnish privacy laws as other communications such as telephone calls. Yolf appeared the ruling, but feeling that if he lost the case, he ultimately might be forced to compromise the identities of more users, he closed Penet down on August 30th. He found the rise of other e-mailers throughout the world, and the furious Penet operated something of a consolation. Yolf was ultimately ordered to reveal the accounts by the Court of Appeals, which he did so, to Finnish Police. Amusingly, both accounts at Penet were mapped to accounts at alpha.c2.org, a pseudonym server offering the potential for being very secure and able to resist the very kind of attack that shut down Penet. Enter the Cypherpunk or Type 1 e-mailer. Cypherpunk e-mailers have two vast improvements over Penet-style e-mailers. They support chaining and PGP encryption. The structure of Cypherpunk e-mailer messages is a nested set of encrypted messages, where each message is encrypted to a e-mailer. The message contains instructions for each e-mailer, such as where to send the message next, and the message to be forwarded. Each e-mailer removes a layer of encryption and accompanying instructions, takes any requested actions, and sends the message onto the next destination. This is easy to visualize through a tangible snail mail analogy. Suppose Alice writes Bob's address on an envelope. Inside the envelope is another envelope with instructions for Bob to mail the inner envelope to Charlie. Charlie gets the envelope, opens it, and finds a smaller envelope with instructions to send it to Dave, and so on, until the inner-most message is eventually sent to its intended recipient. Of course, in the real world, nothing will prevent Bob from peeking inside of all of the envelopes, so the analogy isn't perfect, but you get the general idea. So, a standard Cypherpunk e-mailer can send messages to another e-mail address or post it to a news group, and it can accept encrypted messages with instructions for processing hidden inside the encrypted message. An honest e-mailer is designed to prevent traffic analysis, and while Cypherpunk e-mailers substantially reduce the likelihood of a casual adversary giving access to messages through more trivial methods, such as packet snippers, it's important to note the weaknesses in the system, particularly against a very powerful adversary with access to many resources. A similar attacker is able to record the contents of all messages into and out of e-mailers, along with the times they arrive and depart. All messages are monitored as they leave the sender's machine, and as they arrive at the destination. Also, the attacker is able to send an unlimited number of messages through the e-mailers, including previously intercepted messages. Messages can be prevented from arriving at their destinations via Nile of Service. Also, suppose the attacker has compromised some, but not all, of the e-mailers, and there's the source, destination, and contents of all messages passing through the compromised e-mailers. This threat matter may sound a bit steep, but I'm hardly comfortable saying that it is beyond the capabilities of certain TLA agencies who are present at this con today. The most fundamental problem with Cypherpunk e-mailers is that messages can be traced through them, despite their encryption and chaining capabilities. This is because incoming messages are forwarded directly after processing. Thus, when one message arrives, another message leaves immediately thereafter. With no further information, the attacker knows that these are the same message, despite any precautions that may have been taken. This can be done retroactively using mail logs if they're kept. The first proposed solution to this problem was to delay incoming messages for somewhere in the length of time. If this time they're longer than the time between message arrivals, then it would be impossible to know with certainty which incoming messages corresponded to which outgoing messages. Sounds nice, but this proposal is weak for several reasons. First, the exact amount of protection provided by latency is unknown. It depends on the traffic through the mail at that time. If there are many messages arriving in the average holding time, then the identity of the message is reasonably well disguised. But if there's very little traffic due to normal fluctuations, network outages, or the amount of service attacks, then literally no protection is provided. To provide some minimum level of protection considering only normal traffic variations, the latency must be larger than it would have to be at times of maximum traffic. A proposal called re-ordering fixes this problem, but it opens up another possible attack. Re-ordering requires that a e-mailer keep a certain number of messages in a pool on the re-mail at all times. The most efficient re-ordering scheme is to keep end messages in the pool and to send out one of the end plus one messages in the pool, including the one that just arrived chosen at random. Unfortunately, this scheme is susceptible to a spam attack. An attacker sends many more than end messages to the re-mailer. These messages will displace all real, real messages in the pool, leaving only messages which the attacker can recognize. If the attacker sends another batch of messages after your message arrives, your message will be flushed back out of the pool. Since the attacker can recognize his own messages, yours will be obvious. Combining latency and re-ordering gives some resistance to this attack. Rather than sending out one message from the pool each time your message arrives, periodically all the end messages in the pool are sent. If during an average period, several messages have arrived, then even if the pool of messages is flushed out, there would be more than just your message mixed with the attacker's messages. If the attacker combines the spam with its mild service attack, then your message would be the only non-attacker message again. There's nothing you can do if the attacker can ensure that yours is the only message traversing the entire network of re-mailers. With ideal re-mailers, your message could be any one of the messages passing through any re-mailer at the same time. Appears as the only message passing through the re-mailer network, the new toast. Now, assuming the messages chain through re-mailers that are delaying and re-ordering at every hop, your message can still be tracked by its size. By default, messages decrease in size by a small and approximately known amount each hop. Even if your message is well mixed with the other messages on the re-mailer, and even if they are all different sizes, they are still distinguishable. It is possible to have the re-mailer remove padding from the message at each hop, but this only decreases the size of the message. Sorry, I'm really nervous. This only decreases the size of the message at only to a minimum, established by the size of the actual message you want to send. You're also limited by the fact that extremely large messages will stand out since your message must change size by a large fraction of its own size, each hop, to ensure maximum confusion. But removing padding at each step confuses traffic analysis. It still makes information. All messages that leave a re-mailer larger than your message when it arrived are known not to be yours. And if the use of this feature is unusual, then your message will stand out as being the only one to change size by a non-standard amount. The solution is clear. To defeat this attack, all messages must be exactly the same size. Unfortunately, even re-ordered indistinguishable messages can still be tracked under the given FBET model. Replay attacks can be used to follow a message to its final destination or to backtrack from the end to the original sender. Both attacks use a type of spam attack. To trace a message forward through the chain of re-mailers, the attacker captures your message and sends many copies of it to the first re-mailer. Many identical messages will emerge from the re-mailer and move on to the next one. This bump in the re-mailer traffic will show the loop to the message. When it becomes too dispersed from your ordering, the message can be captured between two re-mailers and many copies re-introduced at that point. To prevent this attack, re-mailers must refuse to send any message more than once. This can be done by including a random ID for each hop, which the re-mailer records. To limit the storage demands on the re-mailer, IDs may be removed from the list after a period of time. This could also be cleared whenever the re-mailer changed its key. Thus, even though cypher bump re-mailers offer vastly more security than the pennant-style systems, they have their limits. There are still security holes that can be used to discover the real sender of a message, despite the use of PGP encryption, chaining, latency, and re-ordering. Type 2 or mixed-master re-mailers render most of the attacks against type 1 re-mailers useless. The design philosophy of mixed-master re-mailers was strongly influenced by David Charm's 1981 MixNet paper. In essence, a mix, or in this case a re-mailer, is a service that forwards messages using public key crypto to hide the correlation between its inputs and outputs. So, if a message is sent through a sequence of mixes, one trusted mix is sufficient to provide anonymity and unobservability of communications against a powerful adversary. Mix-master re-mailers implement the MixNet protocol for electronic mail. Unfortunately, I don't have a slide of the structure of a mixed-master message, and it's more complicated than nested PGP encrypted messages. Mix-master uses three triple-dice keys for all data encryption, and 1024-bit RSA for public encryption of the triple-dice keys. Mix-master messages are sent as one or more packets, up to 255 packets total. Messages consisting of multiple packets are called multi-part messages. A mixed-master packet contains a header containing information for the re-mailers, and a body containing what's referred to as payload data. To ensure the packets are indistinguishable, all mixed-master packets are exactly the same length. Each of the 20 headers is 512 bytes, and the body is 10k. To send a message, the user agent first splits it up into parts of a fixed size, which form the bodies of mixed-master packets, which can be compressed. The sender then chooses a sequence of up to 20 re-mailers for each packet. The final re-mailer must be identical for multi-part packets. The packet header contains 20 slots. For a sequence of re-mailers, slots n plus 1 through 20 are filled with random data. For each of the slots, 1 through n, a sender generates a symmetric encryption key which is used to encrypt the body and all subsequent header sections. So, a particular slot between 1 and n, call it i, will contain a key together with other control information. This bundle is then encrypted with the i-th re-mailer's public key. To increase reliability, redundant copies of the message can be sent through different paths. However, the final re-mailer, each chain, must be identical so that duplicates can be detected and the message is delivered only once. When a re-mailer receives a mixed-master message, it would decrypt the first header slot with its private RSA key. By keeping track of the packet ID, the re-mailer then verifies that the packet has not been produced, processed before. The integrity of the message is verified by checking the packet length and verifying message digest included in the packet. Then, the first header is removed, the others are shifted up by 1, and the last section is filled with random padding. All header sections and the packet body are decrypted with the symmetric key found in the header. This reveals a public key encrypted header section for the next re-mailer at the top, and removes the old top header section. Asking our mail is then applied to the resulting message. The re-mailer collects several encrypted messages before sending out the resulting messages in random order. The header for the last re-mailer in the chain contains a flag indicating that it is the last hop, and whether or not it is part of a multi-part message. If the packet is not multi-part, then the packet body is decrypted, and the plain text is placed in a re-ordering pool from which it is ultimately delivered to the recipient. If it is one part of the message, the message ID is used... If it is one part message, the message ID is used to add... If it is one part of the message, the message ID is used to identify the other parts as they arrive. When all the parts have arrived, the message is reassembled, decompressed if necessary, and placed in the pool. If all of the parts do not arrive within some time limit, the message is discarded. Only the last re-mailer on the chain can see that a group of re-mailer packets are all part of the single message. To all the others, they are completely independent. Mixmaster re-mailers can offer a good deal of security to their users. As with Type 1 re-mailers, though, their security is not infallible. Obviously, the security of the Mixnet relies on the assumption that the underlying cryptographic primitives are secure. There is no anonymity at all if re-mailers in a given chain collide with the adversary, or if they are compromised during the lifetime of their keys. Using a longer chain increases the assurance that the user's privacy will be preserved, but at the same time causes no reliability and higher latency. Sending the done and copies of a message increases reliability, but may also facilitate attacks. An optimum must be found according to the individual security needs and trust in the re-mailers. Also, passive adversaries can observe some or all of the messages sent to mixes. The user's anonymity comes from the fact that a large number of messages are collected and sent in random order. For that reason, the re-mailer should collect as many messages as possible while keeping the latency acceptable. Keep in mind, in essence, anyone with access to e-mail could use pennant. If one had access to PGP as well in a few spare minutes to read the instructions, anyone could make use of the Cypher Plunk re-mailer without any additional software. Mixmaster is different. Unlike the other re-mailers, you can't just make your own message and send it. Mixmaster security comes in part from using a special message format. You need a Mixmaster client to create Mixmaster messages. I'm sure you're all aware that the steeper the learning curve, the fewer users you get. That said, who uses re-mailers anyway? I'll indulge my negative opinion for a moment and say, I do. And I have since the early 90s. Back then it was usually the post to assorted news groups, which were, coincidentally, young teenage girls are underrepresented. I posted them honestly for a number of reasons. First, you're a lot more likely to be taken seriously in a technical group if you're not a 12-year-old girl. Similarly, you're a lot less likely to get dismissed as a trolling mark or harassed in these groups with more interesting nature. Re-mailers are also a nice way to hurt individuals that have computer-related security risks. Today, I mainly use re-mailers to post any number of mailing lists to which I am subscribed. My concern now is not so much the immediate protection of my identity, so much just the way in the archives. Re-mailers as fast and casual as a voice phone call, but can be stored and retrieved with infinitely greater efficiency than paper letters or taped conversations. If the storage of that message is not protected, and it rarely is, it can be accessed by anyone who takes the trouble to rummage through any of the many archived computer records that may have received such a message. Think Deja News. I'm in law school. I'll have a real job someday. And 10 years from now, I'd rather not have my future opponents digging through archives to dig out my most recent political rants. Makes sense to me. So, why might you use a re-mailer? Maybe you're a computer engineer who wants to express opinions about computer products. Maybe they're opinions that your employer wouldn't like you to share. Maybe you work for Microsoft. Maybe you live in a community that's violently intolerant of your social, political, or religious views. A poster to ALT.privacy.non-server wrote, I consider myself to be a fairly good example of why anonymous re-mailers are needed on the net. To be blunt, I am bisexual, or pervert, and a rich. I also live in Alabama, where at least two of the three are illegal. In a worst case scenario, I could lose my job, have a career ruined, face prosecution, and possibly even have to deal with violence. Maybe you're seeking employment via the internet, and you don't want to jeopardize your present job. Maybe you're looking for some action in LA personals. I don't really care. Maybe you're a whistleblower afraid of retaliation. Hey, you might even be an honest bureaucrat seeking out these whistleblowers. Maybe you don't want people spanning the corporate address. Maybe your reverse engineer needs something you'd like to share with others, and you'd rather not be the subject of frivolous corporate lawsuits for your trouble. Bob's exploits and all sorts of interesting things are frequently reported this way. This first quote for CSS authentication is simply released via the anonymous female network. Yay. Maybe you feel that if you criticize your government, Big Brother will start monitoring you. Maybe you're living in Kosovo. In early 1999, the anonymous female network allowed ethnic Albanians to provide first-hand accounts of Serbian atrocities in Kosovo without fear of retribution. We noticed a big spike of usage during that time. As you have said, we know ours has made it possible for people to discuss very sensitive matters, such as domestic violence, school bullying, or human rights anonymously and confidentially on the internet. Using of a non-penet file will make it harder to discuss these matters. In short, there are many legitimate reasons why you, a law abiding citizen, might use re-mailers. This is here are the rights to freedom of speech and the rights to personal privacy. Having the right to free speech may work well in the case of verbal expression, but it may cease to have its intended purpose in face of retaliation that may take place decades later. In a system that theoretically can have infinitely large memory and infinitely long remembrance, the freedom of expression can become abused and pervaded by a government that does not respect individual rights. This brings me to my third topic of the afternoon. At any given time, there are usually 20 public Type 1 or Type 2 re-mailers in the world. Of these 20, usually only half offer sufficient reliability to be of actual use. This has been a trend for the past years. So you might be asking, if re-mailers are so great, why are there so few of them? The most benign reason, I think, is that running a re-mailer takes more time, energy and patience than most people would care to spend on a free service. I run my re-mailer off an old P90 box, which I have attached to my university's network. Financially, it doesn't cost me anything to run it. It's one of my hobbies, so I don't spend five weeks or so, five hours a week or so, to care and feed it. Other re-mailers actually pay to keep their re-mailers up and running. Everything from extra phone lines to co-location facilities frequently come out of their own pockets. If you've got some spare cash in your pocket, you might want to donate and help one of them out. Personal gratification and running a re-mailer can go a long way, but eventually, the headaches and expense one can incur can outweigh the fun. I think the average lifespan of a re-mailer these days is somewhere between three and six months for that reason. Another reason for this is the fact that it's a largely thankless job. Most satisfied re-mailers have no reason to praise their re-mailer operators. What would they say? Hey, I'm Jim and I used your service to come out of the closet. Thanks. Yeah, right. Instead, directly, you write a massive complaint and threats. Many of them are amusing. 99% of them are harmless. I enjoyed some of the more literate ones so much I've taped them up on my fridge. I've compiled everything from a communist to a neo-Nazi to a liberal for the simple act of running a re-mailer. I tend to laugh out loud picturing myself on any of these rules. I've also noticed that people like to give out legal advice when they're angry. One of my favorite complaints accused me of being an accessory to accomplice harassment, which I was informed was not looked upon favorably in Washington State. Right, I see. Sometimes complaints don't go directly to you. Sometimes people complain to your ISP or your DNS provider. I've become well acquainted with several university officials as a result of running my re-mailer. I'm sick. I actually look forward to dealing with them. It means I get to wax poetic on fun things like the Constitution, the First Amendment, and the school's acceptable use policy. Other re-mailer operators don't have it so easy. Their ISPs may terminate their service at will at the first sign of trouble. System administrators are often adamantly against the use of their sites for anonymity servers. They're afraid that they will be held responsible for acts such as terrorism or kidnapping, which could theoretically take place as a result of anonymous messages which pass through their system. Administrators would often rather shut down a re-mailer than deal with all of the politics that surround that re-mailer. This is one of the main reasons for the short lifespans of many re-mailers. One of the simple solutions to all of this is to run a re-mailer. In this mode, a re-mailer will not send messages directly to final recipients. Instead, it will only send messages to other re-mailers. Because it can never be used as the final hop in a message, the outside world never receives any re-mailed messages from the re-mailer. Voila, no complaints. The obvious drawback to re-mailers is that they reduce the number of possible chain permutations. As long as there are plenty of full featured re-mailers around, this doesn't matter much. But if only a handful of re-mailers were mailed to final recipients, this situation could escalate rapidly from a real best re-mailer network to a network with single points of failure. But having more middlemen re-mailers around is better than not having them at all. They provide a useful service. They run their link in the chain. If you're interested in running a re-mailer but you're genuinely concerned about your ISP's objection, middlemen are great and I hope you'll consider it. Now, wild speculation in my part suggests to me that a far less benign reason that there are so few re-mailers in the world is that lots of people in organizations, worldwide, recognize that the anonymous re-mailer network and are actively working toward that goal. Governments that violate human rights as well as organizations banning public and open discussion of their activities such as the Church of Scientology are among these. The Church of Scientology frequently threatens anonymous anonymity providers with lawsuits unless they curtail or terminate their services. They've been doing this for years and they're still doing it. I received a nasty grant from one of the lawyers just last month. Obviously, though, governments may also have a keen interest in anonymous re-mailer usage. Re-mailers are in operation all over the world and governmental attitudes toward them cover the whole spectrum. For example, a V&E's re-mailer operator recently pointed me to a webpage maintained by his local police department. The Austrian police actually recommend that citizens use re-mailers to post to Usenet as a method of privacy protection. In stark contrast, the operator of T2, a re-mailer meaning K, announced that he would be closing down his re-mailer this coming Monday because passage of the Regulation of Investigatory Powers, or WIPBIL, appears imminent. Fueled by fears of rampant anarchy, pornography, and digital black markets, the UK has pressed ahead with measures of intrusion into the internet far more suited to China. The WIPBIL would connect UK ISPs directly to MI5 headquarters by way of black boxes authorized to snoop, often without warrant, on email, or other British domestic internet activities. The main thing the agonists care to this is to call the Brits and tell them to use more encryption. Snoopers be damned. You'd be wrong. But there also contains a requirement that computer users and companies hand over their decryption keys to the government on demand of anyone as low as a constable. Moreover, the WIPBIL permits agorators surrounding these key requests with possible jail time for anyone revealing key requests and fulfillments. WIPBIL's network should encourage those of us outside Orwell's England to use encryption and to run more re-mailers. I asked the UK re-mailer for his thoughts on closing down T2, and this is what he had to say. I see myself at the moment as in a situation, as in a similar position to yours in 1996. First with a choice between continuing with an untrustworthy service or making an honest shutdown, it is fairly easy to see what is preferable. If I continued with the current config, people will rightly have suspicions that the key had leaked to any of the endless list of government bodies of any kind who are supposed to be able to demand decryption and also keys in an ill-defined circumstance. Contrary to what government spokesman have said, neither a court order nor criminal investigation into anything nor suspicion of a crime by a person receiving the demand is required before the demand is made. It has been pointed out often that the mechanics of public keys and the innocent people receiving messages from a suspect will be more likely to have notices served on them than the suspect himself. Thankfully, our own government has not yet succeeded in passing a similar bill. Additionally, we have a bill of rights which the UK does not have and a healthy body of history and case law supporting the right to anonymity. An honest discourse has been an integral part of American literary and social development. The responsibility of journalists not to reveal their sources is recognized almost universally. Many authors write independent names and there are still many cases where the true identity of such authors has yet to be discovered. Additionally, anonymous peer reviews of proposals and articles are common in academic circles. The intertwining of anonymous rhetoric and American social development is perhaps best evidenced by the Federalist Papers, arguing the greatest single work of political theory in history. The work we never have seen the light of day had authors James Madison and Alexander Hamilton, collectively known pseudonymously as Publius, been forced to reveal their true identities. Moreover, the Supreme Court has repeatedly confirmed the right to anonymity. Nevertheless, this has not stopped the US government from trying to deprive us of our rights. At the Court of Regulations a couple of days ago, FBI lab director Donald Care pulled out the usual FUD with much speculation and little and no supporting evidence. He said, as you know, the use of computers and the internet has grown rapidly and has been paralleled by the exploitation of computers, networks, and databases to commit crimes and to hide the safety, security, and privacy of others. criminals use computers to send child pornography to each other using anonymous encrypted communications. Hackers break into financial service company systems and steal customers' home addresses and credit card numbers. Criminals use the inexpensive and easy communications to commit large-scale fraud on victims all over the world and of course, you know, terrorist bombers plan their strikes using the internet. Investigating, and I'm not making this up. Investigating and deterring such wrongdoing requires tools and techniques designed to work with new and evolving computer network technologies. He continued to blather about striking balances between privacy interests, ISP interests, and of course, the duty of government investigators to protect public safety. My favorite line though from this testimony was, quote, I would like to discuss how the FBI is meeting this challenge in the area of electronic male interception, quote. A friend of mine pointed out yesterday that you know you've tweaked the FBI when they drag out child pornographers, terrorist bombers, hackers, and racial suspects. I think the whole carnivorous situation really underscores why we need more remellors and why we need more people out there using them. For the complimentary, tear-jerk purposes that lend credibility to anonymity and counter-government assertions that only criminals have any to hide their identities. It's important to show them that for every imaginary, bomb-toting, money-wandering child pornographer, there are 100 HIV-positive teens, abused women, or political dissidents out there looking for a way to communicate safely. It's time the deck is stacked in our favor. A couple months ago, the president's working group on Unlawful Contact on the Internet, chaired by Janet Reno, issued a 200k report which predictably expressed the need for government ability to determine, quote, the source of anonymous emails that contain bomb threats, quote. The Interagency Group was formed in August of 1999 by the president and includes such notaries as FBI Director Larry Free, Treasury Secretary Larry Summers, Commerce Secretary William Daly, and representatives from the Military DEA and Secret Service. The group has asked to address the issue of unlawful conduct involving the use of the Internet and to prepare a report with recommendations on the extent to which existing federal laws, this is a quote, provide a sufficient basis for effective investigation and prosecution of unlawful conduct that involves the use of the Internet, such as the illegal sale of guns, explosive controlled substances, and prescription drugs, as well as fraud and, of course, child pornography. The report stated that anonymous reviewers can be used to protect the privacy of dissidents in oppressive countries, but can also frustrate police who can't figure out the message. Of course, most abuses of online anonymity can be promulgated through traditional means. Death threats, for instance, can be equally hard to trace when delivered by phone or mail as when delivered through the Internet. Additionally, people sometimes feel that liberous material can be distributed anonymously, leaving them known to sue. This danger is the flip side of anonymous whistleblowing, which most people would agree is a socially valuable use of anonymity. But such misuses are almost effective as the goability of the recipient allows. All whistleblowing should be checked by an authoritative expert before the public believes the charges. Freedom of expression must be allowed. With this freedom comes a source of problems, but these types of problems are not unique to the Internet. Unpopular speech is a necessary consequence of free speech, and it was decided long ago during the drafting of the Constitution and the Bill of Rights that the advantages of free speech outweigh the disadvantages. This principle should hold on the Internet as well. An anonymous room marriage provided vital service with many benefits to the online community. Bennett's downfall was due less to its imperfect security than to its success. Because of the ubiquitous... Because of the ubiquitousness of the pennant header on files posted anonymously, tomorrow enlists some news groups who have got more than a share of unwanted attention. For example, the London Observer in a rabid scare piece on the Imagine Scourge of Kitty porn on the Net accused him by name as being a, quote, key link in the international pedophile chain, quote. Of course, you know, the investigation turned out none of this was true, but hey, you know, the media printed it. Other critics have simply cited the ease with which anonymous room marriage can be used to harass people illegally distribute classified information or spread bootleg graphics or music. True enough, except that these same problems plagued the phone system and the U.S. Post-A Service, and no one...they're like, I'm sorry, and there haven't been many proposals to shut them down. My final type of good day is where the renown network is headed. As I said at the top of our, I've heard numerous times that the need for a free, publicly renown network is gone. I have strong personal reasons to disagree with that statement, but hey, let's suppose it's true for a second. Diversity is important. Even if hushmail and freedom and whatnot provide everything the publicly renown network does with all sorts of bells and whistles, so what? I keep a flashlight next to my bed in case the power goes out. I back up my files. I'd rather have the renown network out there and not need it, than need it and not have it. That said, development on the renown network is hardly dead. Proposals for Mixmaster Version 3 have been floating around for a while. You can grab the most recent Mixmaster Tarball via anonymous FTP from Mixmaster.anonymizer.com. Additionally, many of the renown operators have their own side projects and improving services and providing entire renewments. The limited thread of the Ripple has spawned a flow of new interest in modifying renown protocols. The coding project Angel would make use of session keys that could never be accessible to the renown operator. Follow-up memory patches may also achieve the same effect. Ryan Fordham's radio clash is in pre-beta. It's a distributed communication system aimed at implementing R-processes whose on-first protocol. Whose on-first works as follows. When renown Alice wishes to send a message to node Bob, Alice connects to Bob and sends him a session key. All for the traffic between Alice and Bob is encrypted with the session key, which is used only one time. How do I exchange session keys? Each node has a signing key good for, say, two weeks, and a general encryption key good for a much shorter period, one day or maybe less. When Alice wants to send a message to or through Bob, she gets Bob's current encryption key and verifies the signature against Bob's current signing key. She then creates a session ID and session key, signs it with her own signing key, encrypts it with Bob's public key, and sends it to him. Bob decrypts the message, verifies the signature, and, if all is well, uses the session key and ID for all further messages in that session. Session keys are discarded after use. So, if a session key is compromised, only that current session is in danger. If the general key is compromised, all traffic for that day or however long the key is good for is in danger. Another thing about who's on first is that all traffic is encrypted and to end, meaning that, if a world node operator recorded all traffic through his node, he wouldn't know the previous and next hop. He would know the previous and next hop, but nothing more. He wouldn't even know if the previous hop was the first or the next was the final. My favorite pet project, though, is the concept of so-called stealth remuners. I admit the million women of itself is part of my attraction to the idea, but the concept's pretty cool, too. Stealth remuners, I've seen, make use of two scripts which wrap Mixmaster. One is for sending and one is for receiving. Essentially, the remuner works in a specified use-night group for messages with subjects like attention-stealth remuner Alice. It yokes copies down, processes them in a big batch, then sends them off via something like send.nim.alice.net. Stealth remuners are great for operators without a 24-7 connection. Message processing can be done whenever the operator feels like connecting to the network. Because the remuner is itself making use of a pseudonym, the operator is effectively side-stepping complaints and many other headaches which can come with wanting a standard 24-7 remuner. Finally, I would applaud on why I run my remuner. I've used remuners for a long time, and the general fear behind remuner security is that as long as at least one of the remuners you use has not been compromised by nefarious types, then you're pretty safe. Trust no one, that's certainly the creator of the remuner network. Anyway, I figured the best way to make sure at least one of the remuners I used was known by the NSA was to run one myself. Of course, you have no reason to suspect I'm not in league with the NSA. If you're concerned about that, it wouldn't hurt you to open up your own public remuner. There's a substantial amount of window software out there that makes running and using anonymous remuners painless. I don't know much about it, I don't limit. As I said earlier, you can grab Mixmaster Tarball at Mixmaster.anonymizer.com. The rest of the Unix remuner tools are pretty old and can use them to be working. They're at many of us remops and we could use some help. Remuners are neat. They encourage you to examine source code and write scripts. They support Big Brother. They improve your diplomacy skills. I don't know whether or not they're rich or chicks, but hey, run your own and find out. All right, that's all I've got. Questions?