18 February 2012

Social-network threat models

There have been a couple of comments on my peer-to-peer blogging post, both addressing different threat models than I was looking at.

My posts were looking at countermeasures to continue blogging in the event that public web hosting service providers are taken out by IP enforcement action. The aim of such enforcement action is to prevent distribution of copyrighted content: since I don't actually want to do that I am not trying to evade the enforcement as such, just trying to avoid being collateral damage.  The major challenges are to avoid conventional abuse, and to maintain sufficient availability, capacity and reliability without the resources of a centralised service with a proper data centre.

Sconzey mentioned DIASPORA*.  That is an interesting project, but it is motivated by a different threat model – the threat from the service providers themselves.  Social-networking providers like facebook or google, have, from their position, privileged access to the data people share, and are explicitly founded on the possibilities of profiting from that access. Diaspora aims to free social-networking data from those service providers, whose leverage is based on their ownership of the sophisticated server software and lock-in and network effects.  To use Diaspora effectively, you need a good-quality host.  Blogging software is already widespread – if you have the infrastructure you need to run Diaspora, you can already run wordpress.  The "community pods" that exist for Diaspora could be used for copyright infringement and would be vulnerable to the SOPA-like attacks.

James A. Donald says "we are going to need a fully militarized protocol, since it is going to come under state sponsored attack." That's another threat model again. Fundamentally, it should be impossible for open publication: if you publish something, the attacker can receive it. Having received it, he can trace back one step where it came from, and demand to know where they got it from.  If refused, or if the intermediate node is deliberately engineered so messages cannot be traced back further, then the attacker can threaten to shut down or isolate the node provider.

In practice it can be possible to evade that kind of attacker by piggy-backing on something the attacker cannot shut down, because he relies on it himself.  That is a moving target, because what is essential changes over time.

(One could avoid using fixed identifiable locations altogether – e.g. wimax repeaters in vehicles. That's not going to be cheap or easy).

James seems to be thinking more about private circles, where end-to-end encryption can be used. That's more tractable technically, but it's not useful to me. I don't have a circle of trusted friends to talk about this stuff with: I'm throwing ideas into the ether to see what happens. Any of you guys could be government agents for all I know, so carefully encrypting my communications with you doesn't achieve anything.

1 comment:

James A. Donald said...

> "Having received it, he can trace back one step where it came from, and demand to know where they got it from."

This might be hard if the US Government finds the step is located in Iran or China, or the Chinese government finds the step is located in the US.

Similarly, the way to do financial transactions the US finds difficult to trace is to do them through Russia.