FC: Zero Knowledge replies to politech post on software sales, privacy

[Declan McCullagh <declan () well com>]

Austin Hill of Zero Knowledge has responded to Lucky Green's politech 
message that said "Freedom (TM) as shipping does not adequately protect the 
users' privacy". Lucky's message:
http://www.politechbot.com/p-01485.html

Here's an excerpt of a conversation from the cypherpunks list. You can read 
it in its entirety in the list archives:
http://www.inet-one.com/cypherpunks/

Austin also took issue with my Wired article that said his Freedom product 
appeared to be somewhat less than successful in the marketplace, but he 
provided no numbers to refute it. My article:
http://www.wired.com/news/business/0,1367,39895,00.html

Austin Hill writes:
> I actually believe that Lucky's false statements and accusations stem from
> Zero-Knowledge shipping a solution that does not include the solution to one
> of the original design goals, which was a traffic-analysis-resistant
> network. During our first attempt to build the FREEDOM infrastructure and an
> AnonymousIP protocol we also tried to build it to be resistant to traffic
> analysis and large statistical attacks.   (This remains a design goal, but
> we think there are open research issues to be solved before we (or anyone)
> can ship a system that meets this design goal).
>
> The techniques we attempted to use to facilitate this were:
>
> -Constant packet sizing
> -Link padding
> -Traffic shaping (introducing extra bogus traffic or limiting traffic to
> disguise the actual amount of traffic being sent through the network)
>
> During our tests of the first alpha versions of FREEDOM, we found a number
> of problems with this including:
>
> 1. Speed & performance degradation that made the system unusable
>
> 2. Huge costs increases in operating the backbone infrastructure (Packets
> were being sent with a huge increase in 'stuffed' payloads and there had to
> be constant traffic on the network)
>
> 3. Incomplete understanding of the effect in the security and resistances to
> these attacks (we found there was not enough research in the area of traffic
> analysis to determine if the extra delays and huge costs increased gained us
> anything in the protection from traffic analysis. In fact, upon review we
> found that since the costs of doing the bare minimum padding (full link
> padding from the client node to the first server node) could not be
> supported by what we felt users were willing to pay for privacy, we reviewed
> our threat model and lowered the bar on the what we were trying to
> accomplish.
>
> We consider traffic analysis to be an area in need of basic research. We
> have some information-theoretical and computationally secure proposals but
> minimal work on secure systems with work-factors less than computationally
> secure.  Simple things like how to define and discuss the work-factor of
> these systems are missing. We do not have equivalents of basic constructs
> like Feistel-networks, s-boxes, or chaining modes. We have easy attacks
> which seem very powerful, but can't judge if those attacks are the
> equivalent of statistical attacks on ceaser ciphers or something more
> powerful. We do not have powerful techniques such as differential or linear
> cryptanalysis, the impossible variants, or any sort of trade-off attacks.
>
> There's not a great deal of discussion of the case where flood the pipe is
> not an option, or where we want to limit delays.
>
> We think the situation is analogous to the state of our understanding of
> block cipher analysis in 1970.  We had an information-theoretically secure
> system.  But we had little or no knowledge of the Enigma breaks (Bletchly
> Park is not mentioned in the index of the 1967 ed. of the Codebreakers).
>
> When the NBS proposed the DES, many were at a loss as to how to critique it
> beyond asking for the design criteria to be published.  Compare and contrast
> this situation with the AES competition.
>
> Our Director of Technology, Adam Shostack raised this issue in a rump
> session talk at the 'Design Issues in Anonymity and Unobservability'
> workshop, and we're looking for other ways to bring the problem to the
> attention of the academic community.
>
> Our users are primarily Win 95/98 users who are worried about their privacy
> (i.e. email address; cookies; profiling by ad networks; pseudonyms for chat
> rooms and Usenet). They are not worried about the NSA doing traffic analysis
> on their communications. We were way too ambitious with that design goal and
> we decided it was not a 'must have' that would prevent us from shipping our
> current solution. More than that, we did so publicly (see our whitepapers)
> and we are also working on increasing academic research in this area (we
> have a few scientists working on it) so that if we decide to attack this
> problem in the future there will be more information available to us to
> review.
>
> Lucky claims that there is large market demand (in terms of $$ and/or
> people) for traffic-analysis-resistant, completely anonymous networking.  I
> disagree, but would invite him to take our source code and go out and build
> a business based on this. The published source code is the result of 3 years
> of engineering by more than 100 developers and we would invite him to take
> this start and improve on it. We would be interested in his results both
> technically (how to achieve traffic analysis resistant networking) and on
> the business side (how do you build a business to support fully traffic
> analysis resistant networking).
>
> We have 250+ people working very hard on privacy systems, and have taken
> huge steps in making sure we are accurate in our claims, transparent in our
> systems and are delivering privacy services that we can be very proud of.
>
> Lucky, by claiming that we are misleading our users or not protecting their
> privacy because of the lack of resistance to traffic analysis is
> irresponsible and is allowing the best to be the enemy of the good.*
>
> * For those who don't follow security debates, this refers to idealists who
> want to build great systems with really neat provable properties and other
> useful underpinnings. Unfortunately, none of those systems have ever
> shipped, and in the real world, we get by with good. Freedom is the
> strongest privacy system that's shipping. Is it as good as we would like it
> to be in an ideal world? Of course not. But there is a braintrust at
> Zero-Knowledge of really smart people who want to make it even better, so
> while we've decided to ship a strong and working system that offers
> consumers the best privacy available today, we also have 100 engineers
> working to continually make it better.

Greg Broiles (gbroiles () netbox com) replied:
> However, that doesn't mean that cypherpunk purchases and evaluations are
> unimportant, or can be dismissed.
>
> High tech marketing people discuss a "technology adoption life cycle" -
> Geoffrey Moore writes about this (in _Crossing the Chasm_, et al) but
> I don't know if he was the first person to do so.
>
> Briefly, this model suggests that new products or technology are adopted
> at a rate which describes a bell curve - at the left edge, there's a
> initially small adoption rate which represents the activity of
> "innovators", people who actively seek out new technologies and products,
> and who frequently provide valuable unofficial marketing and support
> for new products. Moving to the right, we find the "early adopters",
> who are not technologists themselves (versus the innovators, who are)
> but are willing to risk adoption of a technology or product not proven
> on a wide scale if they see a strong benefit. Moving further to the
> right, we find the "early majority" and "late majority" who make up
> the bulk of the adopters of the technology, who wait until the
> product/technology has been approved and proven by the innovators and
> early adopters. (Following the late majority are the "laggards",
> who are a small market and unimportant to this message).
>
> When you describe ZKS and Freedom as "consumers who are concerned with
> their privacy", I believe you are speaking of the middle of the
> bell curve - as you say, cypherpunks don't need freedom, but the
> non-technologists do.
>
> What your analysis seems to miss is the role that's played by the
> innovators and the early adopters in bringing a product or a
> technology to a maturity level where it's acceptable to the much
> larger middle market. For your product, cypherpunks, and wannabe-
> cypherpunks are the innovators or the early adopters, in large
> part - the people who will experiment with your product, and tell
> their friends and families and employers and user groups about it.
> If you don't meet the needs of the early people, you won't get
> a chance to meet the needs of the people in the middle.
>
> Comments on the cypherpunks list and at physical meetings seems
> to suggest that Freedom is not enjoying a good adoption rate
> within what's likely a big part of that adoption curve. I've only
> seen a few users of ZKS nyms on public mailing lists, which ought
> to be a popular use for them; a web search with Google and
> HotBot doesn't reveal any use of @freedom.net email addresses
> showing up in mailing list archives.
>
> If you can point to concrete numbers showing adoption rates, I'm
> sure that many people would be interested - but telling us
> that you (as a founder of the company) are happy with your sales
> doesn't do much to tell the rest of us about what's happening
> inside ZKS. My impression - from my own experience, from the
> lack of apparent adoption by others, and from ZKS' reframing of
> its business from stronger protection to weaker protection to
> the new "privacy consulting" stuff is that ZKS is searching
> for its niche in the marketplace, and hasn't found it yet.
>
> There's nothing wrong with that - look at AT&T, or the other
> long distance carriers moving away from consumer services, or
> the AOL/Time merger - but denying things which are readily
> apparent doesn't inspire confidence.
>
> > To further improve our security and privacy commitment and to ensure users
> > do not have to rely on or trust Zero-Knowledge's claims, we have also
> > published the source code for the system, which is available at,
> >
> > http://opensource.zeroknowledge.com
>
> As far as I can tell, only the Linux client software and the Linux
> kernel modules are available - but you said yourself that the
> real target market is Windows. When will the Windows client be made
> available for inspection? When will the other server-side software
> be made available?
>
> (Please don't get confused between licensing terms and source code
> inspection - it's very nice to make software available under GPL
> or other terms; and it might well be economically or strategically
> stupid to make your Windows client available under a free license -
> but that doesn't mean you can't allow open audits of it for
> security issues, or get an outside organization to publish the
> results of a code review.)
>
> [snip for length. --DBM]
>
> It would also be unfortunate if you confuse questions or concerns about
> ZKS with hostility towards ZKS. If I have a weird spot on my skin and I
> ask a doctor friend about it, I don't want them to tell me it's nothing
> to worry about, even if it's really malignant but they don't want me
> to feel bad. Similarly, if people in the cypherpunk community raise
> questions about ZKS, I think it's sensible to assume that they're doing
> it because they want to help ZKS, or because they want to help privacy
> generally and think you may be inadvertently harming it.
>
> > Lucky, by claiming that we are misleading our users or not protecting their
> > privacy because of the lack of resistance to traffic analysis is
> > irresponsible and is allowing the best to be the enemy of the good.*
>
> This may be true - but your message was the first one that I've seen which
> describes clearly the changes made in Freedom's design and implementation
> between v1 and v2, and I'm a customer. (Not an active one, due to
> configuration issues, but you've got some of my $, and didn't bother
> to tell me that the traffic-analysis resistance I thought I paid for
> has been eliminated because it turned out to be difficult.)
>
> While I greatly appreciate your candor - and am confident that your
> analysis of the economics of the bandwidth required to foil traffic
> analysis was correct - I do think there's perhaps some room for
> improvement re keeping people up-to-date on what sort of protection
> they can expect from Freedom and ZKS.
>
> If you are ever in the mood to update the Freedom FAQ, I suggest that
> the following questions would be helpful ones to answer -
>
> Q:      If I post a message critical of a big company using a Yahoo
> forum, and the Yahoo registration data points back to my Freedom
> account (email and source IP), will the big company be able to get
> my personal information from you with a subpoena?
>
> Q:      If I post a message to a mailing list which has some
> source code that a big company thinks violates the DMCA, and the
> big company calls the FBI, will the FBI be able to get my
> personal information from you with a subpoena?
>
> Q:      What happens if I make someone really, really angry and
> they come to your offices and point guns at your employees ..
> will they be able to get my personal information from you? Assume
> they shoot a few people to show they're serious. Then will
> you find a way to give them my personal information? What if they
> take your computer equipment away from you (or one of your
> participating ISP's) at gunpoint, and take it back to their
> hideout for analysis. How difficult will it be for them to
> get my personal information?

Neither Austin nor anyone at Zero Knowledge replied to the above message.

-Declan




-------------------------------------------------------------------------
POLITECH -- the moderated mailing list of politics and technology
You may redistribute this message freely if it remains intact.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------