Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

December 7, 2015

Untraceable communication — guaranteed

Filed under: Cybersecurity,Privacy,Security — Patrick Durusau @ 8:50 pm

Untraceable communication — guaranteed by Larry Hardesty.

From the post:

Anonymity networks, which sit on top of the public Internet, are designed to conceal people’s Web-browsing habits from prying eyes. The most popular of these, Tor, has been around for more than a decade and is used by millions of people every day.

Recent research, however, has shown that adversaries can infer a great deal about the sources of supposedly anonymous communications by monitoring data traffic through just a few well-chosen nodes in an anonymity network. At the Association for Computing Machinery Symposium on Operating Systems Principles in October, a team of MIT researchers presented a new, untraceable text-messaging system designed to thwart even the most powerful of adversaries.

The system provides a strong mathematical guarantee of user anonymity, while, according to experimental results, permitting the exchange of text messages once a minute or so.

“Tor operates under the assumption that there’s not a global adversary that’s paying attention to every single link in the world,” says Nickolai Zeldovich, an associate professor of computer science and engineering, whose group developed the new system. “Maybe these days this is not as good of an assumption. Tor also assumes that no single bad guy controls a large number of nodes in their system. We’re also now thinking, maybe there are people who can compromise half of your servers.”

Because the system confuses adversaries by drowning telltale traffic patterns in spurious information, or “noise,” its creators have dubbed it “Vuvuzela,” after the noisemakers favored by soccer fans at the 2010 World Cup in South Africa.

Pay particular attention to the generation of dummy messages as “noise.”

In topic map terms, I would say that the association between sender and a particular message, or between the receiver and a particular message, has had its identity obscured.

This is the reverse of the usual application of topic map principles, which is a strong indication that the means to identify those associations are also establishing associations and their identities. Perhaps not in traditional TMDM terms, but they are associations with identities nonetheless.

For some unknown reason, the original post did not have a link to the article, Vuvuzela: Scalable Private Messaging Resistant to Traffic Analysis by Jelle van den Hooff, David Lazar, Matei Zaharia, and Nickolai Zeldovich.

The non-technical post concludes:

“The mechanism that [the MIT researchers] use for hiding communication patterns is a very insightful and interesting application of differential privacy,” says Michael Walfish, an associate professor of computer science at New York University. “Differential privacy is a very deep and sophisticated theory. The observation that you could use differential privacy to solve their problem, and the way they use it, is the coolest thing about the work. The result is a system that is not ready for deployment tomorrow but still, within this category of Tor-inspired academic systems, has the best results so far. It has major limitations, but it’s exciting, and it opens the door to something potentially derived from it in the not-too-distant future.”
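The noise and differential-privacy idea described above, as an added example that is not from the post or the Vuvuzela paper: a simplified model in which an observer sees only a per-round exchange count to which Laplace-distributed dummy traffic has been added. The parameters `MU` and `B`, the function names and the counts are constructed assumptions.

```python
import math
import random

# Constructed parameters (assumptions for illustration, not from the post or paper).
MU = 300.0  # mean number of dummy exchanges the servers add per round
B = 20.0    # Laplace scale: larger B means more noise and less leakage

def laplace_pdf(x, mu=MU, b=B):
    return math.exp(-abs(x - mu) / b) / (2 * b)

def likelihood_ratio(observed, real_idle, real_talking, mu=MU, b=B):
    """How much more likely the observed count is if the target pair is
    talking than if it is idle. Bounded by exp(|difference| / b)."""
    return (laplace_pdf(observed - real_talking, mu, b)
            / laplace_pdf(observed - real_idle, mu, b))

def epsilon_after(rounds, sensitivity=1, b=B):
    """Basic composition: the leakage bound grows linearly with the number
    of rounds the adversary watches the same pair."""
    return rounds * sensitivity / b

def sample_noise(rng, mu=MU, b=B):
    # Difference of two exponentials is Laplace-distributed around mu.
    return mu + rng.expovariate(1 / b) - rng.expovariate(1 / b)

def observer_accuracy(rounds=20000, others=50, seed=1):
    """Adversary sees only the noisy per-round total and guesses 'talking'
    when it exceeds the midpoint between the two hypotheses."""
    rng = random.Random(seed)
    correct = 0
    for _ in range(rounds):
        talking = rng.random() < 0.5
        observed = others + (1 if talking else 0) + sample_noise(rng)
        guess = observed > others + MU + 0.5
        correct += (guess == talking)
    return correct / rounds

if __name__ == "__main__":
    print("worst-case ratio, one round:", likelihood_ratio(400, 50, 51))
    print("epsilon after 100 rounds:   ", epsilon_after(100))
    print("observer accuracy:          ", observer_accuracy())
```

In this model the per-round likelihood ratio stays within a factor of e^(1/B) whatever count the observer sees, so a single round barely beats a coin flip. The bound does grow with every additional round in which the same pair is watched.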

It isn’t clear how such a system would defeat an adversary that has access to all the relevant nodes, where “relevant nodes” is a manageable subset of all the possible nodes in the world. It’s unlikely that any adversary, aside from the NSA, CIA and other known money pits, would attempt to monitor all network traffic.

But monitoring all network traffic is both counter-productive and unnecessary. In general, one does not set out from the Washington Monument in search of spies based in the United States. Or at least people who hope to catch spies don’t. I can’t speak for the NSA or CIA.

While you could search for messages between people unknown to you, that sounds like a very low-grade ore mining project. You could find a diamond in the rough, but it’s unlikely.

The robustness of this proposal should assume that both the sender and receiver have been identified and their network traffic is being monitored.

I think what I am groping towards is the notion that “noise” comes too late in this proposal. If either party is known, or suspected, it may be time-consuming to complete the loop on the messages, but adding noise at the servers is more of an annoyance than serious security.

At least when the adversary can effectively monitor the relevant nodes. Assuming that the adversary can’t perform such monitoring seems like a risky proposition.

Thoughts?
