Welcome to the annual DEFCON convention. This meeting was held in exciting Las Vegas, Nevada from July 9th through the 11th, 1999. This is videotape number 39, Zero Knowledge Networks Update.

Drag yourselves either out of bed or just to hear straight from the parties at 10 a.m. Not the least so that I managed to do that. Okay, so my name is Ian Goldberg. I'm Chief Scientist and Head Cypherpunk for Zero Knowledge Systems, a company based out of Montreal. This is Austin Hill, the President of Zero Knowledge Systems. So first I want to ask how many people were either here last year and heard the talk about Freedom last year or else just know about Freedom from reading the website and stuff. Yeah, maybe a third. Okay, so a lot of you have no idea what I'm talking about. Okay, so... Zero Knowledge.

Okay, so a tiny summary: Zero Knowledge Systems is putting out a product called Freedom whose goal is to be an identity system for the Internet. That is, it allows, yay, it allows pseudonymous use of the Internet. So, like a lot of other services which do this on a lesser degree, like remailers and the anonymizer and stuff, those are technologies in a similar space, but we jacked in the steroids and are really putting out a kick-ass system here. So, the way we're going to start this is Austin is going to start by talking about the company a little bit and then I'm going to do tech. Most of you are interested in or will have technical questions, so we'll basically just talk about it a bit and then open the floor up to questions and we'll just spew answers off the top of our heads. So, I'll turn the mic over now to Austin.

Good morning or good evening, depending on how your night was. So, Zero Knowledge Systems had a really good year, despite the fact we didn't ship yet. We ended up having a lot harder problem doing this than we thought and Ian will help elaborate, but there's a lot of interest.
We've had 45,000 people sign up as beta users for this right across the board. Everything from mothers who send us emails saying, I need this to protect my kids to, you know, people in certain countries, Chinese dissidents. We, when Australia passed the censorship law, we had a whole bunch of people who realized that this could make that type of law completely redundant by deploying fully anonymous infrastructures that allow you to choose your geographic location online where you can say, today, I'd like my IP address to be in California. Today, I'd like my IP address to be in the Caribbean. People are starting to get the implications of what that means. This means an internet where you have complete choice over where you exist, who can see what you're doing and where you're going. So something like the US Gambling Act that says ISPs have to block offshore gambling sites becomes redundant. You cannot enforce it with a system like Freedom deployed because you can choose to say, today, I'm in the Caribbean and that's my IP address and the US government cannot tell that that's where you're going. So it brings some really interesting implications.

The whole concept of identity has gotten a lot of press this year. We've seen companies like Raytheon suing users who post on Yahoo to find out the identity. Church of Scientology recently did it with an AT&T. I don't think there's a lot of Scientologists in the crowd. But, you know, when you start looking at this issue, that the common response on the internet has been, sue someone. This person pissed me off. Let's sue him. You know, libel. We don't even have to prove it. We just get to find out who it is. We see a lot of demand and a lot of increased attention for what we're doing.

So we were off hard at work. We had a core team of seven programmers trying to do something that was very, very hard. These guys were busting ass non-stop.
They did around 350,000 lines of code, totally new protocol, all the administrative support systems, client, everything. And they did around 10 months with seven guys. So there's a lot of work there. And those guys really busted ass and did a good job. So we are now shipping the next beta of Freedom. We're up to 50 employees now. Everything from admin, support, development. We're adding another 60 in the next couple of weeks. For those of you guys who are aware of what happens in Silicon Valley, we just got sucked into the vulture capital business. So there's a lot of people who believe this is not just a tool for hackers or cypherpunks, that this is going to be deployed around the world. We have 60 servers deployed. Ian will talk about the servers. We have servers in six, sorry, I think eight different countries, but one on each continent. So you can right now, running the software, you can choose to be in the Netherlands. You can choose to be in a number of locations, and that's increasing pace. And we're going to deploy this, and it is going to be one of the most controversial launches of a product ever.

Actually, funny story, we had a group come up from Fort Meade. I think some people recognize that address. The comment was, we are independent contractors for an unnamed agency. And I was like, huh, I'm not sure who that would be. And they were very, very well-versed in our technology. They knew more about it than I did. So they come in and explain to us why this is important for certain government agencies to be anonymous online, so that they can do investigations, so that they can do intelligence gathering, so they have state employees who are in Israel who can't be spied on by an intelligence service in Israel because they're using regular internet accounts. So it was really interesting because these guys say, we want to deploy a bunch of servers and buy 100,000 copies for the government.
So, I mean, it starts to show that this is something that's going to go across all the lines, and it's going to get a lot of attention and support. So Ian's going to be talking about some of the technical stuff. We're going to be giving out serial numbers, so everyone here can download the beta next week when we put it up online and activate it and start playing with it. And aside from that, I'll turn you over to Ian.

Okay, so a system like this, obviously, although we haven't actually described the system yet, has a lot of tech in it, has a lot of politics in it. I'm going to mainly focus on the tech here. People want to ask political right questions, find me around somewhere, and we'll have it over a drink or something.

Okay, so the tech of the Freedom network. So how does this thing work? The basic idea is that we have a number of servers, as Austin mentioned, deployed worldwide. And each of these servers we call a Freedom node. These servers are not run by Zero Knowledge Systems. They're run by random ISPs, privacy groups, and things like this. Basically, anyone who has a good monochrome bandwidth can sign up to run a server. The more servers we have, the subtler the network. So we encourage lots of people to run them.

The idea is that you have some client software, sits on your computer. Right now it's available for Win95, 98. Yeah, yeah, I know. Other things are coming. Linux is like... We'll have clients eventually for lots of platforms. The beta is for 95, 98. The software sits on your machine and basically takes any packet that's about to leave your machine, multiply encrypts it in three or four layers of encryption, and then sends the packet to one of the Freedom nodes. That Freedom node then decrypts one layer of encryption and sends the packet to another Freedom node. Decrypts the layer of encryption and so on. So many of you will be familiar with this type of operation, basically the same as what a remailer does with email. Only this is in real time.
Now, that obviously brings up a few complications. One of the things remailers do to avoid temporal correlations and things like this is it sits on email for an hour or two and mixes it up with other email. It adds delays to try to reduce the correlation between the time the email entered the system and the time the email exited the system. So that's obviously a problem if you have to send these packets around in real time. So we have to solve the correlation problems in another way.

What we do is we use packet and link padding. So packet padding helps defend against size attacks. If someone watched a packet come from the client to one of the Freedom nodes, they're just TCP dumping the network between the client and the rest of the world, say. They saw packets of varying sizes come out of the client and correlated packets coming out of the network somewhere of similar sizes, they could establish a link, a correlation between the client and what the client was doing. And that's exactly what we want to avoid. So what we do is we have things like packet padding and link padding that make packets one of a number of fixed sizes. We have link padding which makes packets go to constant rate or at least a data independent rate. You can think of it as constant even though it's not for reasons that have to do with performance. So an adversary TCP dumping any link in the system, whether it be between the client and some server or between two of the Freedom nodes, all he'd see is to first approximation a constant stream of constant size packets. And that destroys any correlation between meta information encoded at the lower levels of the protocol way down at level one and the actual data flow going up at level seven.

This is primary defense against passive attackers. Defenses against active attackers are more complicated. In fact, they're basically ongoing research. Freedom is basically my PhD thesis at UC Berkeley. And so there's got to be some research in here, right?
So yeah, defense against active attacks is an ongoing research problem, but these kick-ass coders we've got here, as fast as I can invent something, they're like, ooh, code, code, code. So it's great having the little staff working for you.

Okay, so one of the fundamental concepts we haven't yet described is the concept of a nym. Who here is not familiar with the concept of a pseudonym? Okay, good. All right, so what happens is every client is given the ability to create a handful of pseudonyms. And the fact that it's more than one is actually key. It's very useful to be able to divide your online experience, as it were, into different identities. So you use one identity for searching for a job and one identity for searching for a date. And these two things shouldn't necessarily be correlatable. And identities, the fact that it's pseudonymous and not anonymous is also key. It allows people to gain what we call reputation capital. As I'm sure you're all perfectly aware, when you go by a handle, you go by a nym, if people can forge the handle, so if someone can come up and pretend to be a different person's handle, then they can besmudge their reputation. And we want to avoid that. So all of our pseudonyms are strongly digitally signed, and the software can check these signatures and all this. So you can verify that someone posting as Dark Knight is actually Dark Knight. Or at least, what does that mean? What it means is it's the same person who posted as Dark Knight last week. And that's all that's important. You have no clue who this person is, what their real name is, what the hell's a real name. But you know it's a consistent persona. And that's the most important part of reputation capital and not pseudonyms.

I think at this point, the easiest thing to do is just open the floor up to questions for the last little while, and we'll just try to moderate here. So we'll just start. Go ahead.

I think I understood my regular life paper.
I understand how, that's correct, yeah. Ah, okay. So there are a couple issues in how do things get, how does information get back from the server to the original client machine? So there are really two issues here. One is real-time traffic. So how does the webpage that you requested get back to you? And one is email. The difference is with real-time traffic you have an existing connection to the server. And what happens is when you set up these pseudonymous or anonymous routes through the Freedom network, they're set up bidirectionally. So the client connects to the server A, which connects to server B, which connects to server C, which connects to the eventual website. And server A knows who the client and server B is. Server B knows who server A and server C is, and server C knows who server B and the website is. And because of that, there's no information in both directions. So that's the easy one.

The harder one is email. So there are a couple of ways to do this. The simplest way to understand, which is not the way we're doing it right now, but is a way we'll be migrating to, just think of it as there's a big mail storage facility in the sky. And it's just the MX for freedom.net. Someone sends mail to darkknight@freedom.net and it goes to this magic thing in the sky and it's dropped in basically Darkknight's POP box. And then the client just pops it down from there using the Freedom network and gets the mail. So that's the easiest way to understand it. It's in fact not how we're doing it now for various reasons, but we'll be migrating to a system like that, though even a bit more secure than that one.

Yeah, I have a question there. You mentioned talking about the SOA connection in the divided direction. Is the connection from server A to server A aware of the client?

Yes, yes it is. It has to do that for wing shaping and bandwidth reasons generally. It's also, is there any other really good reason? What's that?
Okay, so there are technical issues in there that for some reasons the first hop, as we call it, the first server does know and needs to know that the person that's talking to is a client. The protocols turn out are slightly different.

Each server in the chain then only has knowledge of the next server, the previous server, is that correct?

That's correct.

So that in theory it shouldn't be subject to any type of attack or compromise by someone learning to completely, maliciously act the previous server.

So that's certainly the plan. It turns out it's a little more complicated than that. Statistics are a really powerful thing, but that is certainly the intent. So if it were the case that every server in the middle knew everything, then that wouldn't be true. Then hacking any one of the servers would tell you all the information. But as it is, you need to hack many, if not all of the servers in the chain to work out what's going on. In the back corner?

Yeah, I heard a few weeks ago that one of the major antivirus software companies was going to instruct their product to recognize your product as a virus.

Okay. Okay, that was a different thing entirely. Here, okay, awesome.

Okay. We had a little tussle with the company some of you guys might be familiar with called Intel. So Intel came up with a scheme that we're going to attach a serial number to every processor and that's going to be a great form to ID yourself. You know, what a great authentication scheme, we'll attach serial numbers to PCs. Not incredibly well thought out, okay? Any hardware serial number needs to pass through software. Okay, obvious flaw. You know, the whole idea that my computer is my identity. Anyone stealing my computer can resemble me online. Bad idea. Various bad ideas throughout it. And originally they came out and said, it's authentication, it's good for asset tracking, it's good for e-commerce and every claim in the world. And then slowly as people like... Is Mr. Schneier in the room?
Okay, so people like Bruce come out and say, hey, we have 17 years of knowledge of cryptography and secure systems. The social security number is a bad idea for this exact same reason and everyone knows this. Why are you going down this road? Intel kind of backed off and said, no, it's secure and if you want to be private you can use the software to make it private. A combination of a patch you can run which will disable the serial number as well as a BIOS fix. So you can disable it in the BIOS and they said, the software patch isn't the best but everyone's going to have it in the BIOS so don't worry. And they said, that's secure enough.

We really didn't like this. Our entire company philosophy is about having you have the choice to identify yourself. The hardware you buy should not identify yourself tracking your activities and associating them. So we took one of our bright guys and said, take the weekend, here's a P3, see what you can do with it. And so he comes back on Monday and says, here, here's an ActiveX that automatically blue screens the computer which is not entirely uncommon for people running Windows 95, 98. And then when it reboots, it essentially installs a Trojan and bypasses and activates the PSN. So we put this on a web page and said, hey, we don't think this is secure.

Intel's response is, that's a virus. Didn't really address the fact that, hey, our system isn't secure. The only response was, that's a virus. So they got all the virus manufacturers to list our web page as a virus. So people coming to our web page to read breaking news were warned, Zero Knowledge is trying to download a virus to your computer. They didn't say Trojan, they didn't say anything, they said virus. So it was digitally signed. It did exactly what it said it did. I didn't understand how this could be hostile code. So we got in a little bit of pissing contest. New York Times picked it up. And it's funny, it led a lot of users to say, hey, this is more important than we know.
And at the same time, we said, you know what, we don't believe these claims about the BIOS. So we looked into it. The BIOS, every manufacturer is now shipping PSN off in the BIOS. Turns out that's not secure either. And we actually didn't release that code. But for those bright people in the crowd, I think we calculate checksum, flip it in CMOS. BIOS not secure. It's not that hard. So we've actually been working with Intel advising them on how to harden their BIOS security. So if you actually flip off the PSN, it stays off. So that's kind of the background on that.

Okay, up here. Okay. Okay. So do the second question first. If one of the servers in the chain breaks down, obviously any client using that server at the time will notice, packets will stop flowing, and the system will generate a new route through the cloud. The route information as to what servers are up, what servers are down is updated pretty regularly and reflected in a database that clients can query and in order to figure out where good routes are. So basically it's a non-fatal problem at all. In fact, what we'd like eventually is for some servers to be totally ephemeral. They're up for like 20 minutes and then they're gone. That's the ideal situation. Imagine if you booted up your Windows box and you started running the software and you have a decent connection and you just routed packets for other people. So packets go through you. In order to trace someone, you have to basically backtrack through all the servers in the net. What if one of the servers is one of these that was on for 20 minutes at the time and that was just totally gone? I mean, this is a great added feature for security.

The first one is performance. It turns out the added latency of going through the network as compared to the latency of a modem is almost negligible. If you do have a fast connection like you're on a T1 or something like this, you do notice something of a performance hit. It's pretty unavoidable, unfortunately.
We are doing funky things with your packet, but there's knobs you can twist that say give me more security, i.e. more levels of indirection versus more speed. And it's up to you to set those knobs as fits your paranoia.

Yeah, follow up that error zero.

Oh, okay. There are technical questions about that. Yeah. Yeah, that was one of the major things that was plaguing beta one. It basically was a timeout problem. Yeah, it was basically a timeout waiting for a server response. Well, and it would only happen on certain ISPs with certain MSS and MQ sizes that were different. So there you go. It's a pretty technical problem and it's been resolved for beta two.

Where exactly do you think the public keys and how do you measure the components for the clients connecting to the server?

So there's a nym database and in the best of all possible worlds this would be one of these cool nice distributed databases with replication and automatic failover and this. Right now it's not. For the beta it's basically... Well, it's a database but it's not distributed yet. So it will... Basically there's a server running which is the nym server and you query a nym and you get its public key out and the public key is signed in a PKI. And the really cool thing about Freedom, one of the absolute best things that always blows my mind, is how much crypto there is in this product. There's so much crypto going on in all aspects of the crypto field. There's symmetric and public, there's PKI, keys, certificates, signing of email. Everything you might want to do with crypto pretty much is in this Freedom product and the user sees none of it. Right, it's totally transparent to the user because users don't know from crypto. And that's the way it should be. The user should be able to get the security without having to have a degree in mathematics.
I've been able to access the system by applying to a whole realm the network of press tables by the translation tables.

So denial of service attack is of course the hardest attack to defend against. What the best we can basically do is do rate limiting on clients so no one client can hog the whole network. Of course you can always just assemble a large team of hackers around the world and simultaneously flood the network. But that's really no different than just bringing the internet to its knees by doing a similar thing.

We also do constant updates on servers so the network itself is load balanced. So if a certain portion of the network is having performance problems, the client is automatically streaming status update and information about which servers are up, which are performing badly. So the client, when it goes out and does a route create, you can say, of the best possible performing servers with my exit route in Israel, please find me five routes and I'll randomly select one of those. So it's almost automatically self-correcting, so unless the entire network of nodes, which we anticipate over the next year maybe a thousand or two thousand nodes around the world, unless you're able to bring down the entire network all at once, you would have better routes available and it would just self-adjust.

So the real question is, are you using network address translation, or is that technique available at certain times or sometimes close to that?

Well, it's not network address translation per se, it's more like a, more like mobile IP or IP-in-IP tunneling, and so there are VCI tables. If you're familiar with how ATM, not the bank machine, the network kind, if you're familiar how that works, it has virtual circuit identifiers that are used to create a circuit through the ATM cloud. The structure of the Freedom network takes a lot of cues from ATM. Right.

Awesome one stancer technical question.
Basically it's pretty easy because of the nym server that we have. Revocation is simple if you're checking nyms online. Well, that's basically a database problem, right? That's just a database consistency problem, and that's actually pretty easy to address. It's easy to tell if you have out-of-date data or not.

Sorry, I want to add one point. I think the one part of your question is what happens when I'm Dark Knight and then I kill pseudonym Dark Knight, will we reuse names and recycle names? Right now, no. So if Dark Knight is taken and then Dark Knight kills himself, Dark Knight is dead, okay? No one else can assume the identity. In later revisions of the software we're looking at things like XML, metatags and incorporating some of the web of trust stuff that PGP has done in a very easy way, so what you can automatically do is, if we did decide to open up the name Dark Knight, you could look and say, how old is this Dark Knight? This Dark Knight has been Dark Knight for six months. It's absolutely unique, but there was a previous Dark Knight that died a year ago. And you could look at which reputation signatures this Dark Knight has accumulated, so somewhat like if you look up a person's PGP key you can see webs of trust. So this person may say this Dark Knight is friends with Dark Avenger and Spider-Man and Louis Free at Freedom.net, and these are all pseudonyms and they've all signed his identity, and so you can recognize this identity is different from the Dark Knight I was talking to before, which is reinforcing this idea of persistence and reputation.
And of course all this needs to be done in a way that the user has to know nothing about crypto, so somewhat this work I've done previously in visual fingerprinting and being able to draw pictures representing public keys and hashes in a way that users that know nothing can recognize keys and tell when a public key has changed. Basically a nym is a public key, right? That's one of the, at the bottom crypto layer that's what's going on. The name associated with the nym is basically a label for user's convenience. If we can give it other labels that the user can use to check, oh, this is actually a different John Smith, or maybe, if you think about the problem, it's not different from having a John Dash Smith and a John underscore Smith and a John Dot Smith, right? Though you can have all three of those pseudonyms and they'd be different people. So we anyways need some way to help the user differentiate between different similar looking nyms.

Okay, that of course is the fundamental question, right? So as the latter half, no. If you come to us with a subpoena, the name of the company is Zero Knowledge for a reason. We have no non-public information. Any information that Zero Knowledge has is basically in the nym server that can be downloaded by anyone, so there's basically zero point coming to our offices with a subpoena. You can just use a web browser to get the same information. As to the question of compromising servers, obviously if all the servers are compromised you're toast, by the same or colluding parties, and if none of them are you're not. So there's some value in between there where you're statistically toast. One of the hard research problems is of course figuring out just what that number is. It's going to be, um, if you look at other systems like Crowds from, um, what are they now, AT&T Research I think is the part that now has Crowds, um, so they went and proved some nice theorems that said it's a constant fraction of the total number of nodes, so it's linear in the number of nodes, which is
an okay result, right?

So basically answers reputation capital. So when you sign up, uh, to run a server, it's indicated in the network information database what organization is running it. So I mean obviously if a hundred of them are, say, NSA, you just don't do that. But the question of course is, well, they're not going to say NSA, they're going to say National Society of Audubon or something. They won't be obvious that they're all run by the same people, but conversely they're not run by anyone you trust, right? So ones run by, EFF runs one, run by people you know, toad.com or disc.org, whatever, um, if you trust those people you, uh, can explicitly say I want to use that node. And as long, to first approximation, as long as any one of the nodes in your chain is trusted, you're okay. It's not a hundred percent true because of active and statistical attacks, but to first approximation. And note that you don't have to actually trust them, you just have to trust them not to collude, right? So, so if I want to run, sure, if I want to run a route through both the US government running a node and the Iraqi government running a node, I mean, I would be more than happy with that.

Oh, that's an extremely good question. Okay, so how do we bill the clients? This is, so, something we haven't mentioned yet: this is a service based model, so you pay for nyms basically. You don't pay for the software, right? The software is free, you can just download it off the website. You pay for nyms, and what that means really is you pay Zero Knowledge to put their stamp of authenticity in the public key infrastructure on your, on your key. Okay, so, well, that would be awesome, right? And that's something we can think about later. But what happens is this, um, when you get a, the copy of the software and you want to buy nyms, you somehow get us money. We prefer you use, for this reason, some anonymous way, but credit cards is okay, it turns out, because what we do, we don't give you nyms, we give you a serial number, just like the ones we're going to hand
out. Can I show some, like a sample thing? So this is a sample little serial number thing. We'll be handing out a whole series shortly. Look how packed the room is, it's quarter to eleven in the morning. Um, so on this thing there's this longest serial number on the back, and what happens is the, um, credit card number basically is associated with the serial number, and that serial number basically authorizes you to create, say, five nyms, okay? And I'll get to that thing in a minute. So you can imagine there's this stack of these things in a store even, and you walk into a store, you pay ten bucks and you get one of these things. That would be great.

Um, question is now, okay, so now the credit card number is associated with this, how do you, how do you go on down the line? Um, so as they say, all problems in computer science can be solved with an extra level of indirection. So what we do is, now you have the serial number. So serial numbers aren't exchanged for nyms, they're exchanged for tokens, okay? So when you cash in this serial number you'll get downloaded to the Freedom client, say, five tokens, where each token is good to create or extend the life of one nym. Now in the ideal situation these tokens use digital cash technology that allows you to do things like create tokens that are unlinkable and untraceable, basically anonymous electronic cash things. There are a few problems with patents we're working out right now, but, um, the fallback is basically auditing of our system to ensure people that we are not linking serial numbers and token numbers, okay? There's no reason for us to do it. For various commerce rules reasons that have to do with accepting credit cards, you have to record what thing it was you sold by a credit card, so in particular the serial number, um, but we don't have to, and in fact we explicitly do not, link the serial number to any kind of identifier of the tokens. And we hope to soon move to a way where it's just totally impossible for us to do that, and verifiably so. Um, and then of
course the tokens are easily redeemable for nyms.

There's actually some practical reasons why we want to know you as a customer but not your nyms. Uh, you install our software and, god forbid, you can't get online anymore, um, nothing went wrong, you call up our customer service line, uh, you want patches sent to you, you want some, a new CD sent to you, you're interacting with a customer service agent. You know, we can have on the call center, please never disclose your nyms to one of our agents, we will never ask you. But that is dependent on the fact that we can know you. So Austin Hill is a user of Freedom, that's fine, everyone can know that. I can call up customer service, I can interact, but there is an absolute separation between my nyms. So if I'm trying to get support from my nyms I just do it through the website; if I'm trying to get support as a user I can call up and be Austin Hill.

Yeah, okay, we'll take this one first and we'll go in.

Sorry for retreading the analysis test, but you were talking about the load balancing and I'm reminded of a certain AT&T crash years back. That seems to be very vulnerable to that. Is there any defense against that or?

So the AT&T crash obviously had a very particular, it had its own special problems. In general though, the problem, as we see with the power outage in the south west a little while back, you can have cascading failures. If the total amount of throughput of the system is greater than the remaining throughput when one of the machines go, the remaining available bandwidth when one of the machines goes down, then obviously you have no choice but to have some kind of catastrophic failure, because you have no choice, you just have too much data flowing through the system. So that's catastrophic for at least some people; some people are cut off at this point. So you just have to vastly over provision your bandwidth so one node failing does not cause this catastrophic side effect. And hopefully you don't get some large, I mean, if power goes out in the US come
Y2K, well, okay, so our servers will go down, but we have other problems.

What's that? Yeah, of what, we have no idea, because they're still ramping up like crazy. So that's something we're measuring in the beta period.

Yeah. I'm back use your friends.

Alright, so the answer is kind of yes and no. At the sort of API level, right, at a protocol level, the client can obviously control explicitly what route he wants to take through the network. I'm pretty sure the client does not, or at least the current version, even in the most advanced setting, does not allow you to manually construct routes. It can say go through these trusted nodes that I want to use, but not particular stuff. But if, I mean, the main question is, can I, if, say, I've owned like three servers out there, and out of 2000, can I like have my friends bog down the other 1,997 servers so that everyone will load balance through us? As soon as you've done that, your 3 servers are going to be totally congested and no longer will be the 3 best servers.

Oh, it's in the code now? Do people code faster than I can invent things?

The client lists all available routes. So when the client goes to construct a route, depending on its settings, it calculates what are the total number of routes. So if there, and we have certain thresholds, if there aren't a certain x amount of routes possible, then warn the customer, because everyone will be using the same route and it's essentially a security violation. So we can define x, and we haven't defined what x should be. That's where he comes in.

Okay, how easy is it to, to figure those routes? That's one question. The second question is about the collision issue. It's not supposed to hack the last server and now you have access to...

Okay, I'll answer both those questions. So all routes are dynamically created, right? When it fails for some reason, a new one is dynamically generated. I'm not sure exactly. Yeah, yeah, absolutely, yeah. Yes, in fact it does do that every half an hour now, I think it does it, but it's a tweakable knob. The
second question was what happens if you just compromise the last server. So if you just compromise the last server, basically that's one of the more useless servers to compromise, because half the information it knows, you already know. The information between the last server and, say, the web, the web server is already sent unencrypted, because the web server has no special software running on it. So all you'd get from that is, if you totally could compromise it, all you could get from it is the identity of the second-to-last server. Then of course you'd have to go compromise that, and compromise that, and back through the chain, all while the connection is up, right? And of course, since the connections change every half an hour, you have half an hour to backtrack through this connection. And this applies just as much to technical attacks, like trying to own the servers one at a time, as it does to political attacks, trying to serve them with a subpoena. So the second-from-last server is in Turkmenistan. So yeah, basically we give you a very limited amount of time to successfully perform your attack, and if you fail you basically have to start all over again.

How can the dynamic route creation and recreation, also for running around, you know, the server does now take place if, in theory, a ton of servers, you know anything about anybody except the one server they're talking to, the one server who's talking to them?

That's, what we mean by that is, in any one given route, the servers only know which is the previous and next hops in the route. As global state, servers are exchanging information, a la manner of BGP. It's figuring out, trying to get a total picture of the network state. So when one server goes down, that information will propagate quickly, and basically pretty soon the whole network will know server foo went away, and, and that information will be reflected back to the client. So when the client notices, oh, my bandwidth stopped, I should recreate a route, it will have also received the information
server foo went away, so it shouldn't try to create a route through server foo.

That's right, servers don't create routes, clients create routes. Servers just are involved in propagating the information about who's up, who's down, and somewhat about how well they're performing. Yeah, over there.

Two questions. First of all, there are spammers who use throwaway email addresses, and there are those who use electronic countermeasures against those spammers. How we do with that? And secondly, how is Freedom better than online?

So, two really good questions. Do the first one first: spam. I'm surprised no one has said the word spam yet. In fact, we have actually a great answer. So there are two problems with spam. One is keeping people from sending spam, and the second is keeping spam from arriving in your mailbox. The first one is actually pretty easy. Spammers, you just have to send some huge number of emails in order for it to be worth their while, right? 18,000 an hour is what I hear mumbling over in the corner here. Mumble. So the simplest solution is, since all outgoing email has to be anonymized through our system anyway, we just cap the number of emails you can send. Sure, yeah. So, but spammers wouldn't be able to use a Freedom nym in order to send spam.

You're talking about drop boxes. So in the area of spam, if you actually look at all the techniques spammers use, sometimes they use drop boxes. They'll use an open mail relay to send 20,000 emails in an hour with a totally different drop box on the other end. So now the problem with that is, I can use a drop box that I don't know, because the other system has no authentication. So we can't by default flip off that drop box, because we have no way of knowing if that's actually owned by the spammer or if it's a denial-of-service attack to that nym. So there's a couple thresholds in things we can do. One is the other part of Ian's response, which is we give users the ability to block all spam from ever entering their email address. So we can kill spam to a nym 99.9%, so you
can use your nym out in a news group, and that's the reason we've done it, without getting bombarded by spam. Because if you're trying to build a persistent identity and relation and reputation, you don't want to have to abandon that email address a year out because of so much spam. So our spam filtering is very high. So if someone were to do that, you could essentially block out all the countermeasures that you're talking about. But we also do a header verification and digitally signed headers, so that we can verify if an email message actually ever came from our network, and if it did, we can shut down that nym. We don't know who it is, but we can either shut them down or lower their spam count threshold. So if someone is allowed normally to send 300 messages a day and we start getting tons of complaints about spam with legitimate digitally signed headers, we can just threshold them down to 20 emails a day, so that it's very hard for him to continue using that mailbox for spam.

So in fact that can happen automatically. If someone tries to send more than 300 emails a day, that number can just automatically go down without having complaints. Complaints, I think, should probably cut off the nym entirely if it's an actual verifiable spam. So Austin's answered the second half of the first question about, about the spam. So we protect people from receiving spam using means that some really techno-savvy people are using today, using an automated challenge-response type system, if the user really wants to turn it on. But, so, that's a pretty good spam protection mechanism; it's really complicated to use. Users have no idea how to use this. Luckily, we're mediating their email, right? So we can add these complicated technical countermeasures to spam and users just get it for free.

So now the second question: anonymizer. So what's the difference between Freedom and the anonymizer? So the anonymizer, if you're not familiar, whoa, people just keep filing them. So the difference between Freedom and the anonymizer:
the anonymizer basically is a way to anonymize your web surfing, and in a nutshell, basically, it's: you connect to the anonymizer, and the anonymizer connects to the website, and then the website doesn't learn any information about you. Okay, so for all these privacy-enhancing technologies, as it's so called, there are a couple of axes you can plot their positions on. One is their utility: what kinds of things do they help you anonymize? So the anonymizer is basically for web surfing; it does a bit of email now, but that's it. Freedom, on the other hand, is at the IP level, so basically any IP-based protocol it can, or potentially can, make pseudonymous. And the other axis is how resistant is it to attack. So if you have a single proxy in the middle where everything's going through, once the guy who runs it is compromised, then basically all information is lost. So if he is subpoenaed, he can certainly give out information about who is talking to whom. A third difference is that the anonymizer is an anonymous service, whereas Freedom is a pseudonymous service, and the pseudonymity allows you to do things like reputation capital and things like this, although the anonymizer's new mail subsection does a lot of use of persistent pseudonyms.

So it's getting to 11 o'clock and I think people will be, like, really interested in getting these serial numbers and shirts and cool stuff like that. One or two last questions? So everyone's getting up, is going to storm us. So seeing as how there's another talk in here, like, very soon, I think the best thing would be to take the tchotchkes out, like, into the hallway, and that way, I'm going to do a really fast throw up. Alright, go. Ready, laser.