Anonymity threat model

This is a conversation I had with a Freenet developer. Freenet as some might know is a project very similar to maidsafe. After some discussion I was enlightened about the anonymity threat model of maidsafe. If the below is true, I wonder what or even if maidsafe will create to countermeasure the threat freenet currently defends against.

Here is the convo:

Their routing scheme appears to be based on Kademlia. That’s not too different from what Freenet does.

[09:55] qwebirc51973: From what I read, I’m not sure of how Kademlia would provide anonymity, though.

[09:56] you should inquire

[09:56] they’re all really cool people

[09:58] and most know about the inner workings well

[09:58] i really think the information they provide could really help

[10:05] qwebirc51973: It’s hard to compare Maidsafe and Freenet. They clearly have different goals in mind.

[10:13] ?

[10:14] secure web platform

[10:14] that provide the above qualities

[10:14] qwebirc51973: For instance, Maidsafe only supports “self encryption” on blocks. That is similar to what we know as CHKs where the key is derived from the file data.

[10:15]
qwebirc51973: Those are unsafe, from our point of view: knowing the
plain text of a document to be inserted, allows pre-computation of which blocks will be inserted, allowing the publisher to be traced.

[10:16] Can you please present this to their team. I would really like to read their response.

[10:17] From what I understand they believe SAFE is really well thought out.

[10:17] As if they’re no weaknesses.

[10:18] So far eveyone who has presented them with supposed flaws have walked away assured.

[10:19] qwebirc51973: Maidsafe is a secure, redundant and decentralized filesystem based on quid pro quo. Freenet is a decentralized datastore where anonymity and censorship avoidance is the greatest goal (hence the existence of darknets and such), allowing safe and anonymous
communication.

[10:19] qwebirc51973: There are no security flaws in Maidsafe: they have no threat model, so there’s nothing to be secure against.

[10:20] So I it seems I’ve misunderstood

[10:20] qwebirc51973: Maybe you have, maybe I have misunderstood their documentation (or lack thereof).

[10:20] I thought anonymity was their goal as well

[10:22] qwebirc51973: Yeah, they do state so at least a few times.

[10:23] You being more knowledgeable on the matter; can you inquire on their forum please.

[10:24] If they claim anonymity then they should back it up

qwebirc51973: Their notion of anonymity seems to be: “If you don’t know what I’m doing, you can’t get to know it by monitoring me either”. Our notion of anonymity is more like “Even if you do know what I’m up to, you’ll have a hard time proving it”.

[10:27] I see

[10:28] qwebirc51973: So yes, maybe Maidsafe is anonymous. With self-encryption however, it’ll only be as anonymous as the user is unpredictable.

[10:29] Maybe you could suggest a better model or ask if they plan or have some solution to the attack.

[10:29] You guys might be able to help each other.

[10:30] They’re hundreds devs working on SAFE.

[10:30] qwebirc51973: I think I’ve spent enough time on Maidsafe already. We’ll see what comes from it - at least at some point they will need to state their threat model, and that would clarify a lot

Be great to get help from these guys, plenty of experience for sure. Anonymity is an essential effect of security in our eyes. i.e. how can we secure you if we know you (already leaked something). So yes it’s important. It’s always hard to see from the side who has read what though? In saying that it’s not a singular issue it requires Privacy, Security and then the Freedom to be anonymous or not.

Many times I feel in the position of guessing what folk know then answering so they do not need to read the docs and then it’s ping pong for hours/days to fill in the gaps.

Self encryption is pretty simple and a published lib GitHub - dirvine/self_encryption: file self encryptor with docs, there is a paper missing we keep meaning to update (4 hours work) but it’s a part of the solution. Here is a very bulletpoint overview of what is needed

1. Secure data (two types of security,
   a: logical :- some kind of encryption + obfuscation
   b: Physical security (If I can get at your stuff even encrypted and deny you access or worse destroy your data then it’s not secure)

2. A mechanism to allow all connected devices to share resources securely with no central control or reliance on any centralised resource (dns, servers, time servers, i.e. ANY centralised control).
   a: This quickly becomes an autonomous network, plenty of docs there, based on kademlia like routing table (but many differences) See README here GitHub - dirvine/routing: Routing - specialised storage DHT
   b : A mechanism where this network can update using code only that can provably improve the purpose of the network (something we are working on)

3. An ability to LOGIN and create accounts on such a system with zero authority required by any third party (a contract strictly between you and the network). This is critical and massively overlooked, imagine a fully decentralised system with no servers you log into, where do you do that ? How can you store stuff and get it back and keep it private? How can you share stuff in private?

i.e. how to take a secure anonymous system (say freenet) and allow people to login securely and get their private data? and do so where they create their own account etc. This is a big part of the puzzle and simple to ‘fix’ when you see it. Check the self authentication papers for detail, but simple and very powerful, like discovering a chassis and putting wheels on it, very simple, but just missed for years.

I had one guy that’s famous in crypto in the office telling me it was completely obvious, after we showed him it I have seen that reaction a few times and think it’s brilliant cause I could not care less who, but instead care more that it exists, we know it now so lets change this world.

Hope that does not come across as too brief, I am in code at the moment so trying to keep my attention on a particularly tricky algorithm at the moment (sentinel). Anyway I hope it helps a little and welcome to the freenet folks if they read this. Remember this is not our network it’s everyone’s and there is no ego just a search for the best way to provide Privacy Security and Freedom to everyone, if you can help and believe in this then please do. If you believe there are other ways then please also try that,

tl;dr ego banned here so dive in.

In response to bulletpoint 3.

If one uploads/inserts something into freenet without giving anyone else the keys to it, my understanding is that it will remain private, secure, and accessible without the need for account creation. It would just be a matter of keeping the keys. Or better yet creating a password protected freesite that contains the keys of all of your stuff. They have an easy site creation tool for that.

It would be really nice if the routing and file persistence were substantially improved though. From what I can tell at the moment, speeds are slow for the smaller files and files drop off a bit too quickly.

I know you guys are REALLY busy, but if you could find the time to casually read through some of their current issues during your down time; any suggestion that arise from that would be really helpful.

You can post it here if you’d like and I’d be happy relay any information. I really do believe these projects are two sides of the same coin.

This is a good place to start - Research Challenges · freenet/wiki Wiki · GitHub

Yes but not per file, for all your data, communications etc. This is what I mean when this is missed, it is vital to have your account and control everything of yours from there (or many accounts). It’s far beyond keeping a private key for a btc wallet type thing, although that’s the closest so far (but nowhere near secure in terms of privacy). Think deeply about the future and imagine, there are no servers, no central resources just you and the data.

It’s an easy answer but does require getting every single part decentralised (no shared databases etc.). Seems simple and it is but the ramifications and missing parts are significant, but soon to be remedied we hope and faster with more help for sure. More eyes will make us more secure for sure.

[Edit If I ever did get time I will read this (thx for link), but I have millions of PM’s DM’s emails etc. so makes time diminish fast, I long for a secluded place off grid and time to think again)

In response to your edit:

Lol. Sounds good. Thanks for your time. Good luck with all.

No network is totally secure. SAFE Network just has to be more secure than it’s competitors to be successful.

It should not promise total security. There are vulnerabilities some which are known and some which are unknown. Perfection shouldn’t be something the users of SAFE Network assume. It should not be assumed that if you use SAFE Network alone that you’ll be safe from the NSA because that is very unlikely to be true especially over the long term.

SAFE Network changes the game and the nature of the security threat but it doesn’t remove the threat. SAFE Network seems to exist mostly for privacy rather than anonymity but you can have anonymity rather easily if you have the right kind of privacy. If you don’t let everyone access your personal identifiable information then you can have privacy through access control and be pseudo-anonymous.

If someone wants to be totally anonymous that is entirely different because any interaction with a computer that you do has a specific digital signature. Each person interacts differently, so their digital signature will be different, and pattern recognition can identify people by how they interact with systems. In these cases if you use SAFE Network in a more interactive way it’s probably not going to be anonymous but if you just store your files in it then it’s private.

Agree it’s a journey, removing the servers is a huge step, there is much more to go. The end points are a critical part. I am less concerned about pattern matching though as I feel that is something much easier to defeat in true p2p, not that we should be complacent.

We use for instance NaCl libs, who is to say the NSA or similar do not go after those authors (we would hopefully know, but …) It is why we have several schemes interacting just in case. We can do better there to though.

There is a ton to consider, but simplifying everything is critical and then alertness of upgrades and ‘improvements’ is the next huge step. I am confident there to, but the end points are the Achilles heal for sure right now (well the obvious one). We cannot fix that ourselves but hopefully show others who can a way to interact. For instance black/red phone etc. with mesh and SAFE type networking could be improved a lot. There are others but the journey is only beginning. Servers are a terrible thing to removing these bottlenecks and concentration of eavesdropping points is great.

But as far as the anonymity needed now to an extent the act will be used to accuse and the result used to excuse. If the stuff people shine light on is valueable to society it will afford some degree of protection that will only be increased as monentum on coruption exposure increases. The wrong doers would love to make examples of those who stand in defiance but before long they are removed from power, become the example themselves and have little ability to retaliate. If this stuff picks Snowden for instance will likely be pardoned. I think if this is done right institutions like the NSA don’t survive. Our system of media which is based on people being paid to lie to us and convince us its the lies are the truth- that doesn’t survive either. This will allow us to replace the lies that bind broken societies together with truth or better and better approximations of it.