betabug... Sascha Welter


27 May 2006

Mixmaster Revisited

And the weather is fine

While Tor writes about the weather in England, and the OpenBSD developers freeze their butts off (at 4 degrees Celsius) at the hackathon in Canada, over here I sit in front of the computer in shorts and without a T-Shirt on. It's hot. I'm not so sure that this world needs all that heat, with all the global surveillance etc. going on already (NSA wiretappings, wiretappings in Greece, data retention in the EU, putting people who disclose security vulnerabilities into the "criminal" drawer, ...). So I'm reading up on your basic cypherpunk privacy tools. Having a look at mixmaster especially, the mixmaster anonymous remailer network, and the apparently dead or frozen anonymous blog platform...

There are better descriptions of exactly how an anonymous remailer chain works than anything I could give you in one paragraph. The short summary is that it allows you to send an email message with a certain degree of anonymity. The recipient can't deduce your email address, your provider, or even your IP number. This is done by sending your message through a "chain" of mixmaster servers, each one knowing only where the next hop is.
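The layering behind "each one knowing only where the next hop is", as an added example that is not from the original post or from Mixmaster's own code. A toy hash-based cipher stands in for the per-remailer encryption, and the remailer names, the address and the packet layout are constructed for illustration.

```python
import hashlib, hmac, os

def _stream(key, nonce, n):
    # Toy SHA-256 counter keystream (stand-in cipher, not Mixmaster's format).
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, data):
    # Encrypt and authenticate one layer for the remailer holding `key`.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    good = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("layer is not addressed to this remailer")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def wrap(message, recipient, chain, keys):
    # Build from the inside out: the innermost layer names the recipient,
    # every outer layer names only the following remailer.
    packet, next_hop = message, recipient
    for name in reversed(chain):
        packet = seal(keys[name], next_hop.encode() + b"\n" + packet)
        next_hop = name
    return packet

def peel(key, packet):
    # What one remailer does: strip its own layer, learn only the next hop.
    next_hop, _, inner = unseal(key, packet).partition(b"\n")
    return next_hop.decode(), inner

def route(packet, first_hop, keys):
    # Walk the chain, recording what each remailer learned.
    seen, hop = [], first_hop
    while hop in keys:
        next_hop, packet = peel(keys[hop], packet)
        seen.append((hop, next_hop))
        hop = next_hop
    return seen, hop, packet

if __name__ == "__main__":
    chain = ["remailer-a", "remailer-b", "remailer-c"]  # constructed names
    keys = {name: os.urandom(32) for name in chain}
    onion = wrap(b"report text", "editor@example.org", chain, keys)
    for hop, nxt in route(onion, chain[0], keys)[0]:
        print(f"{hop} forwards to {nxt}")
```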

Why would anyone want that? Imagine you found a security problem in the software from one of those companies who are too damn happy to sue even their pet rocks. Or imagine you work in some government office and discover that someone has got their fingers in the cookie jar. Imagine further (yeah, that one's harder) that you would want these problems published, made known to the world. You wouldn't exactly be hot on revealing your identity. And these days the journalists aren't so hot either to go to jail to cover their sources (which is your butt in our example). Now you could send your mails out with mixmaster.

The dark side of anonymous mail is that those systems can be abused for, well... abusive mail. When abusers send out threats, the victims have zero chance to find the origins. Mixmaster operators and cypherpunks considered those points and decided that the choice is worth it.

But there is something else wrong with mixmaster, or rather a couple of points are wrong. These are mostly technical, starting with the technicality of the operation itself. It's damn hard to get running. You need to compile the software, download "statistics" files, experiment with settings. Even if your experimentation works out, there is still a chance that mails don't arrive.

My quest into the world of mixmaster led me to discover a lot of documents of the late 1990s vintage. Some of them are still valid, others refer to outdated stuff. Link rot is everywhere. The mixmaster network is still up and running, ready to be used by the daring with some technical ability. The network is pretty small, my downloaded stats list about 30 mixmaster servers, 10 of them with reported 100% reliability.

The small size of the mixmaster network is one of its biggest vulnerabilities. To follow one message through the mixmaster chain back to its sender, it is ultimately necessary to control all mixmaster servers. But with only 30 servers and the resources of organizations like the CIA (who can get away with e.g. building a network of secret prisons in eastern Europe), or the NSA (who can get away with spying on e.g. every phone call in Europe or building a database of every phone call in the USA), getting the upper hand on 30 machines shouldn't be too much of a problem. The only way to find out if Mixmaster operators are really pressed to reveal data would be to run your own server and find out the hard way - and then you probably couldn't tell. Maybe I'll elaborate on this thought a little bit more another time, there is someone knocking on my door...

While looking into the mixmaster thing, I came across invisiblog, a blogging platform that promises truly anonymous blogs. Using the cryptographic gadgets of PGP signing messages and sending them through mixmaster chains, not even the invisiblog owners know who runs your blog there. Two observations on that: First, invisiblog seems to be either dead or frozen. No news, no new posts, no new blogs since October 20, 2005. The second observation: These blogs have a strange tone, anonymity bringing out strange things. The strangest post is this one, which (if invisiblog did not allow messing with publishing dates) warned about the London bombings of July 7, 2005... on June 26, 2005.

Posted by betabug at 23:57 | Comments (0) | Trackbacks (1)
Just this moment I envy Sasch

Sascha - at the moment it is hailing outside, really hard. The only upside I can see is that our new waterbutts will be filled to capacity. So in other words I envy you the weather!

While Tor writes about the weather in England, and th...

Read the linking post here: Tor's weblog at May 29,2006 11:15